STIKEMAN ELLIOTT LLP www.stikeman.com
Privacy Breaches: Legal Risks, Obligations & Best Practices
David Elder
Stikeman Elliott LLP
May 2011
May 26, 2015
SLIDE 2 STIKEMAN ELLIOTT LLP
Legislative Framework
Patchwork?
Mix of Federal and Provincial Regimes
– Private Sector
– Health Sector
– Public Sector
– Employees
SLIDE 3 STIKEMAN ELLIOTT LLP
Private Sector Privacy
Provincial:
B.C.: Personal Information Protection Act
Alberta: Personal Information Protection Act
Québec: An Act Respecting the Protection of Personal Information in the Private Sector
Federal:
Personal Information Protection and Electronic Documents Act
SLIDE 4 STIKEMAN ELLIOTT LLP
Private Sector Privacy
Federal: Personal Information Protection and Electronic Documents Act
Applies to collection, use and disclosure of personal information by:
– Private sector federal works & undertakings, including their employees
– Private sector organizations, in course of commercial activities, when:
  – Transferred across provincial borders
  – Collected, used or disclosed in province without “substantially similar” legislation
SLIDE 5 STIKEMAN ELLIOTT LLP
Private Sector Privacy
Provincial
B.C.: Personal Information Protection Act
Alberta: Personal Information Protection Act
Québec: An Act Respecting the Protection of Personal Information in the Private Sector
Apply to collection, use and disclosure of personal information by all private sector organizations in the Province
– Not just in course of commercial activities
– Including employee personal information
– N/A to interprovincial transfers and federal undertakings
SLIDE 6 STIKEMAN ELLIOTT LLP
Health Sector Privacy
Provincial:
British Columbia: Personal Information Protection Act
Alberta: Health Information Act
Saskatchewan: Health Information Protection Act
Manitoba: Personal Health Information Act
Ontario: Personal Health Information Protection Act
New Brunswick: Personal Health Information Privacy and Access Act
Nova Scotia: Personal Health Information Act*
Newfoundland & Labrador: Personal Health Information Act
Federal:
Personal Information Protection and Electronic Documents Act
SLIDE 7 STIKEMAN ELLIOTT LLP
Health Sector Privacy
Provincial health sector privacy laws generally apply to:
Personal health information, held by
Health Information Custodians: persons or organizations with custody or control of PHI in performing duties, including:
– Health care practitioners
– Hospitals and long-term care facilities
– Community health centres
– Pharmacies
– Laboratories, etc.
SLIDE 8 STIKEMAN ELLIOTT LLP
What is a privacy breach?
Typically refers to unauthorized access, theft or disclosure of personal information
– Hacking, “social engineering”
– Rogue employee or contractor
– Stolen/lost laptop
– Improper disposal of records
Could apply more broadly to unauthorized collection, use or disclosure of personal information
– Unnecessary or illegal collection and/or retention of personal information
– Use for purposes for which consent not obtained
– Accidental or negligent disclosure
SLIDE 9 STIKEMAN ELLIOTT LLP
Consequences – Private Sector
Offences:
– B.C. and Alberta: up to $100 K for organizations
– Québec: Up to $10 K, for a 1st offence; Up to $20 K for a 2nd
– Federal: Up to $10 K, summary conviction; Up to $100 K, indictment (only for destroying info under investigation, retribution to whistleblower)
Statutory Damages
– B.C. and Alberta: damages available based on final Commissioner finding or conviction of offence
– Federal: Federal Court can award damages after de novo consideration of Commissioner findings – including for humiliation
Tort Damages?
Brand Damage, Reputational Harm
SLIDE 10 STIKEMAN ELLIOTT LLP
Consequences – Health Sector
Offences & Damages
British Columbia: Up to $100 K for organizations
Alberta: Up to $50 K
Saskatchewan: Up to $50 K or 1 year imprisonment for individuals; Up to $500 K for corporations; Up to $50 K officers and directors
Manitoba: Up to $50 K per day offence continues, including directors and officers
Ontario: Up to $50 K for an individual; Up to $250 K for a corporation; statutory damages also available
New Brunswick: Up to $5,125 for a 1st offence; up to $9 K for a 2nd offence (Category F Offence)
Nova Scotia: Up to $10 K, for an individual; up to $50 K for a corporation, officers and employees liable
Nfld & Labrador: Up to $10 K or 6 months imprisonment
Federal: Federal Court can award damages
SLIDE 11 STIKEMAN ELLIOTT LLP
Private Sector Privacy
Breach Notification
Alberta: Personal Information Protection Act
Only Canadian jurisdiction to require mandatory privacy breach notification by private sector organizations
Organizations must, without unreasonable delay, notify Commissioner of any incident involving loss or unauthorized access or disclosure of personal information
“Where a reasonable person would consider that there exists a real risk of significant harm to an individual”
SLIDE 12 STIKEMAN ELLIOTT LLP
Private Sector Privacy
Breach Notification
Alberta: Personal Information Protection Act
“A significant harm is a material harm; it has non-trivial consequences or effects. Examples may include possible financial loss, identity theft, physical harm, humiliation or damage to one’s professional or personal reputation.”
“A real risk of significant harm means a reasonable degree of likelihood that the harm could result. The risk of harm is not hypothetical or theoretical, and it is more than merely speculative.”
Notification of a Security Breach, PIPA Information Sheet 11
SLIDE 13 STIKEMAN ELLIOTT LLP
Private Sector Privacy
Contents of Notice
Alberta: Personal Information Protection Act
Description of circumstances of loss, access or disclosure
Date or time period on or during which it occurred
Description of the personal information involved
Description of any steps taken to contain, reduce risk of harm, notify affected individuals
Contact information for questions about incident, risks
SLIDE 14 STIKEMAN ELLIOTT LLP
Private Sector Privacy
Breach Notification
Alberta: Personal Information Protection Act
Commissioner may require notification of individuals, if a real risk of significant harm
Can prescribe form, manner and timing
May impose terms and conditions
May require provision of additional info, establish expedited process to determine whether notification required
Failure to notify = fine of up to $100,000
SLIDE 15 STIKEMAN ELLIOTT LLP
Private Sector Privacy
Other Jurisdictions:
Committee to review Alberta PIPA recommended clearly defined breach notification amendment in 2008
PIPEDA amendments in Bill C-29 included mandatory breach notification to Commissioner for “material” breach
– Factors included sensitivity, number of individuals affected, systemic problem
Also, mandatory breach notification to individuals if “reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual”
– Factors included sensitivity, probability of misuse of personal info
SLIDE 16 STIKEMAN ELLIOTT LLP
Private Sector Privacy
Other Jurisdictions:
Meanwhile, “Voluntary” disclosure “strongly encouraged”
B.C., Federal Commissioners have breach notification forms and processes
Advocate 4 key steps to respond immediately to a data breach:
1. Contain the breach, do preliminary assessment
2. Evaluate the associated risks
3. Notification
4. Prevention
SLIDE 17 STIKEMAN ELLIOTT LLP
Health Sector Privacy
Breach Notification
Ontario: Personal Health Information Protection Act
Requires “health information custodians” to notify affected individuals at the first reasonable opportunity where personal health information is stolen, lost or accessed by unauthorized persons
No threshold: all breaches are notifiable, although some leeway if data encrypted
No obligation to notify Information and Privacy Commissioner, but strongly encouraged
SLIDE 18 STIKEMAN ELLIOTT LLP
Health Sector Privacy
Breach Notification
New Brunswick: Personal Health Information Privacy and Access Act
Requires health information “custodians” to notify affected individuals at the first reasonable opportunity where personal health information is stolen, lost, disposed of (except as permitted by Act) or disclosed to or accessed by unauthorized persons
Not required to notify if custodian reasonably believes that breach will not have an adverse impact on the well-being of the individual or on provision of health care or other benefits, and will not lead to identification of the individual
No obligation to notify the Access to Information and Privacy Commissioner, but strongly encouraged
SLIDE 19 STIKEMAN ELLIOTT LLP
Health Sector Privacy
Breach Notification
Nfld & Labrador: Personal Health Information Act
Requires health information “custodians” to notify the Information and Privacy Commissioner where they reasonably believe that there has been a “material breach” involving the unauthorized collection, use or disclosure of personal health information
Also requires health information “custodians” to notify affected individuals:
– at the first reasonable opportunity where personal health information is stolen, lost, disposed of (except as permitted by Act) or disclosed to or accessed by unauthorized persons
– where personal health information used or disclosed contrary to requirements of Act and without consent
Unless directed otherwise by Commissioner, needn’t notify individual if custodian reasonably believes that breach will not have an adverse impact on the well-being of the individual or on provision of health care or other benefits, and will not lead to identification of the individual
SLIDE 20 STIKEMAN ELLIOTT LLP
Prepare for the Worst
Have an emergency response team in place, with clearly defined roles – legal, security, communications
Map out a containment strategy
Map out breach notification plan, taking into account legislative requirements, practices in each jurisdiction
Know what you would do, before you have to do it
Consider early and proactive “voluntary” notification, in addition to legally mandated notification