Key Steps for Organizations in Responding to Privacy Breaches

Transcription

1 Key Steps fr Organizatins in Respnding t Privacy Breaches Purpse The purpse f this dcument is t prvide guidance t private sectr rganizatins, bth small and large, when a privacy breach ccurs. Organizatins shuld take preventative steps prir t a breach ccurring by having reasnable plicies and prcedural safeguards in place, and cnducting necessary training. This guideline is intended t help rganizatins take the apprpriate steps in the event f a privacy breach and t prvide guidance in assessing whether ntificatin t affected individuals is required. Nt all steps may be necessary, r sme steps may be cmbined. What is a privacy breach? A privacy breach ccurs when there is unauthrized access t r cllectin, use, r disclsure f persnal infrmatin. Such activity is unauthrized if it ccurs in cntraventin f applicable privacy legislatin, such as PIPEDA, r similar prvincial privacy legislatin. Sme f the mst cmmn privacy breaches happen when persnal infrmatin f custmers, patients, clients r emplyees is stlen, lst r mistakenly disclsed (e.g., a cmputer cntaining persnal infrmatin is stlen r persnal infrmatin is mistakenly ed t the wrng peple). A privacy breach may als be a cnsequence f faulty business prcedure r peratinal break-dwn. Fur key steps in respnding t a privacy breach There are fur key steps t cnsider when respnding t a breach r suspected breach: 1) breach cntainment and preliminary assessment; 2) evaluatin f the risks assciated with the breach; 3) ntificatin; and 4) preventin. Be sure t take each situatin seriusly and mve immediately t investigate the ptential breach. Yu shuld undertake steps 1, 2 and 3 either simultaneusly r in quick successin. Step 4 prvides recmmendatins fr lnger-term slutins and preventin strategies. The decisin n hw t respnd shuld be made n a case-by-case basis. Assciated with this guideline is a checklist that rganizatins can use t help ensure they have made the apprpriate cnsideratins in dealing with a pssible privacy breach.

2 Step 1: Breach Cntainment and Preliminary Assessment Yu shuld take immediate cmmn sense steps t limit the breach: Immediately cntain the breach (e.g., stp the unauthrized practice, recver the recrds, shut dwn the system that was breached, revke r change cmputer access cdes r crrect weaknesses in physical r electrnic security). Designate an apprpriate individual t lead the initial investigatin. This individual shuld have apprpriate scpe within the rganizatin t cnduct the initial investigatin and make initial recmmendatins. If necessary, a mre detailed investigatin may subsequently be required. Determine the need t assemble a team which culd include representatives frm apprpriate parts f the business. Determine wh needs t be made aware f the incident internally, and ptentially externally, at this preliminary stage. Escalate internally as apprpriate, including infrming the persn within yur rganizatin respnsible fr privacy cmpliance. If the breach appears t invlve theft r ther criminal activity, ntify the plice. D nt cmprmise the ability t investigate the breach. Be careful nt t destry evidence that may be valuable in determining the cause r allw yu t take apprpriate crrective actin. Step 2: Evaluate the Risks Assciated with the Breach T determine what ther steps are immediately necessary, yu shuld assess the risks assciated with the breach. Cnsider the fllwing factrs in assessing the risks: (i) Persnal Infrmatin Invlved What data elements have been breached? Hw sensitive is the infrmatin? Generally, the mre sensitive the infrmatin, the higher the risk f harm t individuals. Sme persnal infrmatin is mre sensitive than thers (e.g., health infrmatin, gvernment-issued pieces f identificatin such as scial insurance numbers, driver s licence and health care numbers, and financial accunt numbers such as credit r debit card numbers that culd be used in cmbinatin fr identity theft). A cmbinatin f persnal infrmatin is typically mre sensitive than a single piece f persnal infrmatin. Hwever, sensitivity alne is nt the nly criteria in assessing the risk, as freseeable harm t the individual is als imprtant. What is the cntext f the persnal infrmatin invlved? Fr example, a list f custmers n a newspaper carrier s rute may nt be sensitive. Hwever, the same infrmatin abut custmers wh have requested service interruptin while n vacatin may be mre sensitive. Similarly, publicly available infrmatin such as that fund in a public telephne directry may be less sensitive. 2

3 Is the persnal infrmatin adequately encrypted, annymized r therwise nt easily accessible? Hw can the persnal infrmatin be used? Can the infrmatin be used fr fraudulent r therwise harmful purpses? The cmbinatin f certain types f sensitive persnal infrmatin alng with name, address and date f birth suggest a higher risk due t the ptential fr identity theft. An assessment f the type f persnal infrmatin invlved will help yu determine hw t respnd t the breach, wh shuld be infrmed, including the apprpriate privacy cmmissiner(s), and what frm f ntificatin t the individuals affected, if any, is apprpriate. Fr example, if a laptp cntaining adequately encrypted infrmatin is stlen, subsequently recvered and investigatins shw that the infrmatin was nt tampered with, ntificatin t individuals may nt be necessary. (ii) Cause and Extent f the Breach T the extent pssible, determine the cause f the breach. Is there a risk f nging breaches r further expsure f the infrmatin? What was the extent f the unauthrized access t r cllectin, use r disclsure f persnal infrmatin, including the number and nature f likely recipients and the risk f further access, use r disclsure, including via mass media r nline? Was the infrmatin lst r was it stlen? If it was stlen, can it be determined whether the infrmatin was the target f the theft r nt? Has the persnal infrmatin been recvered? What steps have already been taken t mitigate the harm? Is this a systemic prblem r an islated incident? (iii) Individuals Affected by the Breach Hw many individuals persnal infrmatin is affected by the breach? Wh is affected by the breach: emplyees, cntractrs, public, clients, service prviders, ther rganizatins? (iv) Freseeable Harm frm the Breach In assessing the pssibility f freseeable harm frm the breach, have yu cnsidered the reasnable expectatins f the individuals? Fr example, many peple wuld cnsider a list f magazine subscribers t a niche publicatin t be ptentially mre harmful than a list f subscribers t a natinal newspaper. Wh is the recipient f the infrmatin? Is there any relatinship between the unauthrized recipients and the data subject? Fr example, was the disclsure t an unknwn party r t a party suspected f being invlved in criminal activity where there is a ptential risk f misuse? Or was the recipient a trusted, knwn entity r persn that wuld reasnably be expected t return the infrmatin withut disclsing r using it?

4 What harm t the individuals culd result frm the breach? Examples include: security risk (e.g., physical safety); identity theft; financial lss; lss f business r emplyment pprtunities; r humiliatin, damage t reputatin r relatinships. What harm t the rganizatin culd result frm the breach? Examples include: lss f trust in the rganizatin; lss f assets; financial expsure; r legal prceedings (i.e., class actin suits). What harm culd cme t the public as a result f ntificatin f the breach? Harm that culd result includes: risk t public health; r risk t public safety. Step 3: Ntificatin Ntificatin can be an imprtant mitigatin strategy that has the ptential t benefit bth the rganizatin and the individuals affected by a breach. If a privacy breach creates a risk f harm t the individual, thse affected shuld be ntified. Prmpt ntificatin t individuals in these cases can help them mitigate the damage by taking steps t prtect themselves. The challenge is t determine when ntices shuld be required. Each incident needs t be cnsidered n a case-by-case basis t determine whether privacy breach ntificatin is required. Organizatins are als encuraged t infrm the apprpriate privacy cmmissiner(s) f material privacy breaches s they are aware f the breach. The key cnsideratin in deciding whether t ntify affected individuals shuld be whether ntificatin is necessary in rder t avid r mitigate harm t an individual whse persnal infrmatin has been inapprpriately accessed, cllected, used r disclsed. Organizatins shuld als take int accunt the ability f the individual t take specific steps t mitigate any such harm. (i) Ntifying Affected Individuals Organizatins shuld cnsider the fllwing factrs when deciding whether t ntify: What are the legal and cntractual bligatins? What is the risk f harm t the individual? Is there a reasnable risk f identity theft r fraud (usually because f the type f infrmatin lst, such as an individual s name and address tgether with gvernmentissued identificatin numbers r date f birth)? Is there a risk f physical harm (if the lss puts an individual at risk f physical harm, stalking r harassment)? 4

5 Is there a risk f humiliatin r damage t the individual s reputatin (e.g., when the infrmatin lst includes mental health, medical r disciplinary recrds)? What is the ability f the individual t avid r mitigate pssible harm? (ii) When t Ntify, Hw t Ntify and Wh Shuld Ntify At this stage, yu shuld have as cmplete a set f facts as pssible and have cmpleted yur risk assessment in rder t determine whether t ntify individuals. When t ntify: Ntificatin f individuals affected by the breach shuld ccur as sn as reasnably pssible fllwing assessment and evaluatin f the breach. Hwever, if law enfrcement authrities are invlved, check with thse authrities whether ntificatin shuld be delayed t ensure that the investigatin is nt cmprmised. Hw t ntify: The preferred methd f ntificatin is direct by phne, letter, r in persn t affected individuals. Indirect ntificatin website infrmatin, psted ntices, media shuld generally nly ccur where direct ntificatin culd cause further harm, is prhibitive in cst r the cntact infrmatin fr affected individuals is nt knwn. Using multiple methds f ntificatin in certain cases may be apprpriate. Yu shuld als cnsider whether the methd f ntificatin might increase the risk f harm (e.g., by alerting the persn wh stle the laptp f the value f the infrmatin n the cmputer). Wh shuld ntify: Typically, the rganizatin that has a direct relatinship with the custmer, client r emplyee shuld ntify the affected individuals, including when the breach ccurs at a third party service prvider that has been cntracted t maintain r prcess the persnal infrmatin. Hwever, there may be circumstances where ntificatin by a third party is mre apprpriate. Fr example, in the event f a breach by a retail merchant f credit card infrmatin, the credit card issuer may be invlved in prviding the ntice since the merchant may nt have the necessary cntact infrmatin. (iii) What shuld be Included in the Ntificatin? The cntent f ntificatins will vary depending n the particular breach and the methd f ntificatin chsen. Ntificatins shuld include, as apprpriate: Infrmatin abut the incident and its timing in general terms; A descriptin f the persnal infrmatin invlved in the breach; A general accunt f what the rganizatin has dne t cntrl r reduce the harm; What the rganizatin will d t assist individuals and what steps the individual can take t avid r reduce the risk f harm r t further prtect themselves. Pssible actins include arranging fr credit mnitring r ther fraud preventin tls, prviding infrmatin n hw t change a scial insurance number (SIN), persnal health card r driver s licence number. Fr example, t btain a new SIN see Surces f infrmatin designed t assist individuals in prtecting against identity theft (e.g., nline guidance n the Office f the Privacy Cmmissiner s website and Industry Canada website at

6 Prviding cntact infrmatin f a department r individual within yur rganizatin wh can answer questins r prvide further infrmatin; If applicable, indicate whether the rganizatin has ntified a privacy cmmissiner s ffice and that they are aware f the situatin; Additinal cntact infrmatin fr the individual t address any privacy cncerns t the rganizatin; and The cntact infrmatin fr the apprpriate privacy cmmissiner(s). Be careful nt t include unnecessary persnal infrmatin in the ntice t avid pssible further unauthrized disclsure. (iv) Others t Cntact Privacy Cmmissiners: rganizatins are encuraged t reprt material privacy breaches t the apprpriate privacy cmmissiner(s) as this will help them respnd t inquiries made by the public and any cmplaints they may receive. They may als be able t prvide advice r guidance t yur rganizatin that may be helpful in respnding t the breach. Ntifying them may enhance the public s understanding f the incident and cnfidence in yur rganizatin. The fllwing factrs shuld be cnsidered in deciding whether t reprt a breach t privacy cmmissiners ffices: any applicable legislatin that may require ntificatin; whether the persnal infrmatin is subject t privacy legislatin; the type f the persnal infrmatin, including: whether the disclsed infrmatin culd be used t cmmit identity theft; whether there is a reasnable chance f harm frm the disclsure including nn-mnetary lsses; the number f peple affected by the breach; whether the individuals affected have been ntified; and if there is a reasnable expectatin that the privacy cmmissiner s ffice may receive cmplaints r inquiries abut the breach. Regardless f what yu determine yur bligatins t be with respect t ntifying individuals, yu shuld cnsider whether the fllwing authrities r rganizatins shuld als be infrmed f the breach, as lng as such ntificatins wuld be in cmpliance with PIPEDA r similar prvincial privacy legislatin: Plice: if theft r ther crime is suspected. Insurers r thers: if required by cntractual bligatins. Prfessinal r ther regulatry bdies: if prfessinal r regulatry standards require ntificatin f these bdies. Credit card cmpanies, financial institutins r credit reprting agencies: if their assistance is necessary fr cntacting individuals r assisting with mitigating harm. Other internal r external parties nt already ntified: third party cntractrs r ther parties wh may be impacted; internal business units nt previusly advised f the privacy breach, e.g., gvernment relatins, cmmunicatins and media relatins, senir management, etc.; r unin r ther emplyee bargaining units. 6

7 Organizatins shuld cnsider the ptential impact that the breach and ntificatin t individuals may have n third parties and take actins accrdingly. Fr example, third parties may be affected if individuals cancel their credit cards r if financial institutins issue new cards. Step 4: Preventin f Future Breaches Once the immediate steps are taken t mitigate the risks assciated with the breach, rganizatins need t take the time t investigate the cause f the breach and cnsider whether t develp a preventin plan. The level f effrt shuld reflect the significance f the breach and whether it was a systemic breach r an islated instance. This plan may include the fllwing: a security audit f bth physical and technical security; a review f plicies and prcedures and any changes t reflect the lessns learned frm the investigatin and regularly after that (e.g., security plicies, recrd retentin and cllectin plicies, etc.); a review f emplyee training practices; and a review f service delivery partners (e.g., dealers, retailers, etc.). The resulting plan may include a requirement fr an audit at the end f the prcess t ensure that the preventin plan has been fully implemented.