Managing Privacy Breaches

Globalization, the growth of multinational corporations and the proliferation of Internet technologies as a means of transferring and sharing data, have increased the volume of personal data flowing between businesses. All of this has contributed to an increase in legitimate concerns about the protection of personal information managed by businesses, as well as potential challenges in the evaluation of the risks and damages involved in privacy breaches.

WHAT IS A PRIVACY BREACH?

In Canada, the federal Personal Information Protection and Electronic Documents Act (PIPEDA) sets out ground rules for how businesses may collect, use and disclose personal information in the course of commercial activities. The federal government may exempt businesses or activities in provinces that have their own privacy laws if they are substantially similar to the federal law.

The provinces of British Columbia, Alberta and Quebec have enacted provincial privacy legislation that has been recognized as substantially similar to PIPEDA; this legislation operates in place of PIPEDA in those provinces for intra-provincial matters. (Manitoba’s Personal Information Protection and Identity Theft Prevention Act – which received Royal Assent on September 13, 2013, but is still awaiting proclamation – has not yet been confirmed by the Privacy Commission of Canada as being “substantially similar” to PIPEDA).

These Canadian privacy laws, therefore, apply to the collection, use and disclosure of personal information by private sector businesses.

Although a privacy breach is not defined in these Canadian privacy protection laws, in general, a breach takes place in the event that the confidentiality of personal information is compromised. More specifically, a privacy breach would occur when someone collects, uses or discloses personal information in contravention of a privacy law, deliberately or accidentally, such as when personal information is lost, stolen or improperly disposed of, “hacked” into (by third parties or programs that are not authorized to have access), or communicated or sent to third parties who have no legal right or official need to receive it. 

WHAT ARE THE RISKS?

There are many types of risks that may be triggered by a privacy breach, which include direct and indirect types of damages associated with those risks. These are summarized below in three categories: costs to manage and respond to a privacy breach; reputational damages; and the financial exposure of a business exposed to such a breach.

Costs pertaining to the privacy breach response

Businesses subject to a privacy breach, on top of having to deal with the costs associated with the loss of data (i.e., the costs of restoring hard-to-replace information), would have to bear the costs pertaining to responding to the breaches. These costs would include investigative costs (such as forensic experts), outsourcing hotline support and providing free credit monitoring subscriptions (if there is a risk of identity theft or fraud), as well as providing customers discounts for future products and services.

In some Canadian jurisdictions, such as in Alberta, notifying individuals and the Alberta privacy commissioner is mandatory if the incident involves the loss of, or an unauthorized access to or disclosure of, the personal information where a reasonable person would consider there exists “a real risk of significant harm” to an individual as a result.

In other Canadian jurisdictions, breach notification will either soon become mandatory, or it is, until then, strongly recommended by privacy commissioners, including those for Canada, British Columbia and Quebec. Businesses should, therefore, also consider the costs associated with reporting data breaches. These include lawyers’ fees providing assistance in the preparation of the notification letters to affected customers, advising the relevant privacy commissioners and liaising with them and the public, as the case may be.

Reputational damages

A privacy breach may trigger damages to the reputation of a business. These damages would result from bad publicity, loss of trust or public confidence, loss of prestige and loss of current and future business following a privacy breach.

In 2009, privacy academics Sasha Romanosky and Alessandro Acquisti published a paper in the Berkeley Technology Law Journal, entitled Privacy Costs and Personal Data Protection: Economic and Legal Perspectives, in which they share, amongst other things, their findings on the effect of privacy breaches on organizations that have been subject to such breaches.

Also, in May of this year, the Ponemon Institute published benchmark research sponsored by Symantec on the Cost of Data Breach Study: Global Analysis. In order to calculate the average cost of a data breach, the study suggests including both the direct and indirect expenses incurred by the business, which would include damages resulting from reputational damages.

Financial exposure

In order to properly assess the risks triggered by a privacy breach, businesses should take into account the risk of regulatory scrutiny, fines and penalties, as well as possible lawsuits.

• Fines, Penalties and D&O liability: Certain Canadian privacy laws provide for potential fines and director and officer liability following a privacy breach. For example, Manitoba’s recently introduced privacy law provides that certain offences will be subject to a summary conviction, with fines up to $10,000 for an individual and $100,000 for a person other than an individual. In Quebec, An Act Respecting the Protection of Personal Information in the Private Sector provides that every person who collects, holds, communicates to third persons or uses personal information other than in accordance with this law is liable to a fine of $1,000 to $20,000, and any administrator, director or representative of the legal person who ordered or authorized the illegal act or omission is liable to the prescribed penalty. The Quebec act states: “Where an offence under this Act is committed by a legal person, the administrator, director or representative of the legal person who ordered or authorized the act or omission constituting the offence, or who consented thereto, is a party to the offence and is liable to the prescribed penalty.”

• Damages to individuals affected: Individuals whose personal information has been compromised might also be subject to various risks and potential damages. For instance, they might be at risk of identity theft or fraud in situations in which SIN, banking information or other identification numbers have been compromised. They might be subject to physical harm through stalking or harassment, for instance, in the event that certain sensitive information, such as a women’s shelter’s list, has been compromised. They may also be at risk of psychological harm, humiliation or damage to reputation, for example, through medical records revealing a stigmatizing disease or disciplinary records being compromised. Privacy breaches may also trigger financial harm, such as the loss of a business or employment opportunity.

EVALUATION AND RESPONSE

In evaluating the risks triggered by a privacy breach, businesses, therefore, also have to determine what type of damages may be awarded to individuals following a privacy breach. They should take note that while the extent of the privacy invasion usually used to have to be significant for damages to be granted by the Federal Court, it seems that damages are now more easily awarded and that these damages are also on the rise.

In a November 2013 judgment from the Federal Court, Chitrakar v. Bell TV, the Federal Court awarded over $20,000 in damages following a privacy violation by Bell, which conducted a “hard pull” credit check on a customer without his prior consent.

What should also be taken into account in this risk analysis is the fact that privacy c
lass actions also seem to be on the rise. For instance, in Quebec, following the Investment Industry Regulatory Organization’s (IIROC) breach in April 2013, in which an employee lost an unencrypted laptop containing the financial information of more than 52,000 brokerage firm clients, a privacy class action was filed. The amount claimed in this case is $1,000 for each individual affected.

In light of the fact that these privacy class actions in Quebec are often granted at the authorization stage, the damages and risk for a business can be substantial. It can include the legal costs of having to defend itself against a privacy class action, as well as any damages awarded by courts to the potentially large number of affected individuals.

CONCLUSION

The risks and costs for a business that may be incurred following a privacy breach include the costs of investigation and communication (time and resources committed to the breach), as well as resources committed to mitigation, reputational repair and damage control. The risks also include having to deal with claims in damages from affected individuals.

In order to limit these types of risks, businesses managing personal information will want to ensure that privacy-compliant business practices are in place at all times.

For those insuring these risks, they may wish to request privacy compliance legal opinions from their clients, request and ensure that their clients conduct privacy impact assessments prior to launching new products and services, and request annual privacy audits. They may further insist on their clients investing in preventive measures such as conducting privacy training for their the marketing, information technology, human resources and customer service staff who manage employees’ and customers’ personal information.