Notification of a Security Breach
Personal Information Protection Act
Information Sheet 11

Introduction

Personal information is used by organizations for a variety of purposes: retail and grocery stores collect information about customer purchases using loyalty cards, delivery services use GPS to track the location of their drivers, and swipe cards are used to restrict access to work spaces to authorized individuals. New uses for personal information are emerging rapidly as technology advances. Information can be compiled from a wide range of sources to offer simplified services to clients, or to create a more comprehensive profile of customers. Organizations can also store more information at a lower cost than ever before.

Many benefits flow from new ways of using and storing personal information, but there are also downsides. The increased use of databases and other technologies heightens the risk of personal information falling into unauthorized hands. The risks multiply every time the information is improperly disclosed or disposed of. The possibility of unauthorized access to, or disclosure of, personal information is not limited to digital information; paper files are as easy to leave behind in a taxi, or on the table in a restaurant, as a flash drive or laptop.

Although an organization may diligently attempt to protect personal information in its custody and control, a privacy breach may yet occur. Information may be lost, stolen or compromised in a variety of ways, including by computer hackers, a rogue employee or human error. The Personal Information Protection Act (PIPA) requires organizations to protect personal information in their custody or control by making reasonable security arrangements against risks such as unauthorized access, collection, use, disclosure, copying, modification, disposal or destruction.
The Personal Information Protection Amendment Act, 2009, adds a new requirement for security breach notification; this Amendment Act will come into force on May 1, 2010. This Information Sheet outlines the legislated process for notification to the Commissioner and notification to individuals.

The purpose of the requirement to notify individuals of a security breach is to avoid or mitigate harm to individuals that might result from the breach. In some situations this might mean notifying individuals as soon as possible; for this reason, the new notification provisions do not prevent an organization from notifying its customers, clients or employees of a security breach on its own initiative, before or after notifying the Commissioner. In other words, the requirements outlined below are the minimum standards for responding to a security breach.

Information Sheet 11: Notification of a Security Breach 1
The notification requirement involves a two-step process:

Step one: organizations must notify Alberta's Information and Privacy Commissioner, without delay, of a loss of or unauthorized access to or disclosure of personal information if a reasonable person would consider there exists a real risk of significant harm to an individual as a result of the loss, access or disclosure (section 34.1). It is an offence not to notify the Commissioner of a security breach that poses a real risk of significant harm to individuals (section 59(1)(e.1)).

Step two: the Commissioner reviews the information provided by the organization and determines whether individuals need to be notified of the loss, access or disclosure. If so, the Commissioner can direct an organization to notify individuals in the form and manner prescribed by the Regulation (section 37.1(1)). An organization must follow the Commissioner's direction to notify individuals (section 37.1(5)).

What is a security breach?

The new provisions do not actually refer to a "security breach" but instead refer to "a loss of or unauthorized access to or disclosure of personal information" under the control of the organization. Throughout this publication, "security breach" will be used to refer to a loss of or unauthorized access to or disclosure of personal information.

An organization suffers a security breach when:
- the organization loses personal information (for example, an employee loses a laptop that contains personal information about clients);
- personal information in the organization's custody or control is accessed in an unauthorized manner (for example, the organization's client database is accessed by hackers, or a point-of-sale terminal with stored credit and debit card information is stolen);
- personal information in the organization's custody or control is disclosed in an unauthorized manner (for example, a rogue employee of the organization sells its customers' credit card numbers to fraudsters).
Step 1: Notifying the Commissioner of a security breach

Real risk of significant harm

Organizations may notify individuals of any security breach; however, PIPA only requires notification to the Commissioner if a certain threshold is met: a reasonable person would consider there is a real risk of significant harm to individuals as a result of the breach.

Significant harm

A significant harm is a material harm; it has non-trivial consequences or effects. Examples may include possible financial loss, identity theft, physical harm, humiliation or damage to one's professional or personal reputation. A lost Social Insurance Number might lead to significant harm, since a SIN can be used to commit fraud. A loss of an individual's medical information or credit history could reveal embarrassing information about health status or past bad credit. Generally, the more sensitive the information, the more likely it is that the
possible harm would be significant. The test is an objective one: whether a reasonable person would consider the harm to be significant. In other words, an organization does not have to consider whether a particular individual (e.g. a particular client) would consider the harm to be significant, only whether the ordinary person would consider the harm to be significant. Although an organization does not need to consider the point of view of each affected individual, the organization needs to consider the general circumstances. For example, if a women's shelter loses its client list, the possible harm might be much more significant than the possible harm if a fitness club loses its membership list.

Real risk

A real risk of significant harm means a reasonable degree of likelihood that the harm could result. The risk of harm is not hypothetical or theoretical, and it is more than merely speculative. In order to determine whether a real risk exists, an organization should assess the likelihood that the information could be accessed or misused by an unauthorized individual. An example of a security breach that would not pose a real risk of significant harm is a loss where the information is recovered before it could possibly be accessed, or where the information is protected (e.g. encrypted) such that it could not reasonably be accessed by an unauthorized individual. Like the test for whether the harm is significant, the test for whether the risk of harm is real is an objective test: whether a reasonable person would consider that there is a real risk.

Real risk of significant harm

Putting these elements together, a security breach may pose a real risk of significant harm if there is a reasonable likelihood that the individuals the personal information is about will suffer non-trivial consequences, such as fraudulent use of their financial information. The aim of notifying individuals is to allow them to address this possible harm.
For example, in the event of stolen credit card numbers, notifying affected individuals will allow them to request cancellation of their credit cards, and possibly to have their credit history flagged. If an organization's network is hacked, notifying employees will allow them to reset their passwords.
Example

A local supermarket, 123 Grocers, keeps a list of customers who have applied for its loyalty program. The list includes the name and postal code for each customer with a loyalty card. The store also keeps a list of customers who receive home delivery. This list includes the name, home address and telephone number for each customer, as well as the hours that the customer is not home to accept delivery. The possible harm resulting from unauthorized access to the loyalty card list may be less significant than that from unauthorized access to the delivery list.

Notifying the Commissioner

Who must notify

The breach notification provisions require organizations with control of the personal information to notify the Commissioner of a security breach that meets the harm threshold discussed above. Control means having the authority to manage the personal information, whether or not the information is in the physical possession of the organization. An organization that stores records containing personal information at other premises (e.g. a rented storage unit, or a database on a server located somewhere else) still has control of those records. Similarly, if an employee of an organization works from home, the work-related records at the employee's home are in the organization's control.

Often, an organization will contract with another business to perform a task on the organization's behalf. In this situation, the principal (contracting) organization is responsible for what happens to the personal information in the custody of the contractor. For example, a retail store may hire a contractor to handle the store's website, including all online orders from customers. The contractor may be collecting the customer's personal information for ordering purposes, but the retail store has control of that customer information, since the online orders are handled by the contractor on behalf of the retail store.
If the contractor suffers a security breach that involves the customer information, the retail store, as the principal organization, remains responsible for ensuring that the Commissioner is notified of the breach if necessary (i.e. if the harms threshold is met). It may be advisable for organizations to include in a service contract a clause requiring the contractor to inform the principal organization of any possible or suspected security breach immediately, so that the organization can take the appropriate action as required by PIPA. The Commissioner may require the organization to provide more information about the security breach (this is discussed further below). It is important that an organization has the ability to gather information about the breach from the contractor, in order to properly respond to the Commissioner's request.

Contents of notice to the Commissioner

A notice to the Commissioner of a security breach that meets the harm threshold must include the information prescribed in the PIPA Regulation. Section 19 of
the Regulation states that the notice must be in writing and include:
- a description of the circumstances of the loss or unauthorized access or disclosure (e.g. a network vulnerability left personal information accessible, an unencrypted laptop containing client files was lost or stolen, or a former employee stole client files);
- the date on which, or time period during which, the loss or unauthorized access or disclosure occurred (e.g. the laptop was stolen on this day, or the network was vulnerable between these approximate dates);
- a description of the personal information involved in the loss or unauthorized access or disclosure (e.g. client credit and debit card numbers, personnel files including performance evaluations and information related to disability claims);
- an assessment of the risk of harm to individuals as a result of the loss or unauthorized access or disclosure (e.g. possible credit card fraud, humiliation, loss of reputation);
- an estimate of the number of individuals to whom there is a real risk of significant harm as a result of the loss or unauthorized access or disclosure;
- a description of any steps the organization has taken to reduce the risk of harm to individuals (e.g. the network vulnerability was patched, or a kill switch on a lost laptop or smartphone was activated to delete information);
- a description of any steps the organization has taken to notify individuals of the loss or unauthorized access or disclosure (e.g. the organization posted information about the breach on its website or has contacted individuals directly);
- the name of and contact information for a person who can answer, on behalf of the organization, the Commissioner's questions about the loss or unauthorized access or disclosure (e.g. a privacy officer, or an IT specialist knowledgeable about the network).
The Office of the Information and Privacy Commissioner has developed forms for organizations to use when reporting a security breach to the Commissioner ("Reporting a Privacy Breach to the Office of the Information and Privacy Commissioner of Alberta"). These forms, as well as additional guidance, are available on the Commissioner's website at www.oipc.ab.ca.

Timing

The fundamental purpose of notifying individuals of a security breach is to allow the individuals to take steps to reduce their risk of harm, or the extent of the harm, if possible. The longer the delay between the breach and notification, the less useful notification will be. An organization must report a security breach to the Commissioner without unreasonable delay. It is reasonable to take enough time to quickly gather information about the breach in order to properly notify the Commissioner. This may include gathering information from a contractor.
If a contractor suffers or discovers a security breach but does not immediately inform the principal organization, the resulting delay would likely not be considered reasonable. For this reason, it is important that contractors are aware of their obligation to inform the principal organization of a real or suspected security breach as soon as possible.

In rare circumstances, law enforcement may request a delay before notifying individuals of a security breach if notification would interfere with an investigation. This situation will only affect the timing of notification to individuals about the security breach (step 2), not the initial notification to the Commissioner (step 1). If an organization receives a request from law enforcement to delay notification to individuals, it is important for the organization to inform the Commissioner of the request.

Offence

It is an offence to fail to notify the Commissioner of a security breach that meets the harms threshold.
Scenario

Since 123 Grocers has many stores across the province, it decides to contract with a third party, ITech Storage, to process and store its loyalty card and home delivery information. The home delivery information includes credit card information for its home delivery customers, for automatic payment. ITech keeps the information for all 123 Grocers stores in a single database.

An IT analyst working for ITech discovers that the network has been accessed by an unauthorized person because of a security vulnerability in the network. Fortunately, the databases are encrypted using the latest industry-standard encryption. Who, if anyone, needs to be contacted about this security breach?

123 Grocers made sure to include in its contract with ITech Storage a clause stating that ITech is to inform 123 Grocers of any security breach involving personal information that ITech is processing or storing on behalf of 123 Grocers. So ITech contacts 123 Grocers and tells them about the breach.

123 Grocers must now determine whether the Commissioner needs to be informed of this security breach. The first step is to determine whether the breach poses a real risk of significant harm to customers. Information about the loyalty cards included customer names and postal codes. It is unlikely that this information alone would pose a risk of significant harm to individuals if accessed by an unauthorized person. The credit card information for the home delivery customers could lead to financial fraud if it were accessed, which would be a significant harm to the individuals receiving home delivery. However, the database was encrypted to the highest standards. It would not be impossible for that encryption to be hacked, but it is very unlikely. So 123 Grocers determines that the "real risk of significant harm" threshold is not met, and the Commissioner does not need to be notified in this case.
If 123 Grocers were unsure of its determination, it might decide to notify the Commissioner for guidance. 123 Grocers might also notify its customers of the security breach if it deemed notification to be appropriate.

What if the database had not been encrypted or otherwise protected?

ITech would still have had to inform 123 Grocers of the security breach, under their contract. 123 Grocers would again have to determine whether the security breach poses a real risk of significant harm to individuals. The analysis used above leads to the conclusion that the breach might pose significant harm to home delivery customers, but not to loyalty card customers. Since the information is not encrypted, the risk of harm is much higher than in the first scenario. 123 Grocers determines that it is quite possible that an unauthorized person could use this information for fraudulent purposes. So 123 Grocers decides that there is a real risk of significant harm to its home delivery customers in this case, and the Commissioner needs to be notified. The Commissioner will advise 123 Grocers whether it needs to notify affected individuals, or 123 Grocers might decide to notify affected individuals immediately on its own initiative. Although the possible harm for loyalty card customers was low, 123 Grocers might decide to inform the Commissioner of the loss of this information as well, in order to provide a full picture of the breach.
Step 2: Commissioner's requirement to notify affected individuals

When does the Commissioner require an organization to notify individuals?

The Commissioner may require an organization that suffers a security breach described in section 34.1 to notify individuals affected by that breach. Even where the organization has not itself notified the Commissioner of the breach (e.g. the breach is brought to the Commissioner's attention by the police or a complainant), the Commissioner may still require that the organization notify affected individuals, even though the process set out in section 34.1 (notifying the Commissioner of a breach) was not followed first. The determination whether affected individuals should be notified under section 37.1 is made by the Commissioner. This does not prevent organizations from notifying individuals on their own initiative. The Commissioner may require an organization to provide further information about the breach, in addition to any information already provided by the organization, in order to determine whether the organization should notify affected individuals.

Content of notification to individuals

A notice to individuals, as directed by the Commissioner under section 37.1 of the Act, must include the information prescribed in the PIPA Regulation. Section 19.1 of the Regulation states that the notice must be given directly to the individual and include:
- a description of the circumstances of the loss or unauthorized access or disclosure;
- the date on which, or time period during which, the loss or unauthorized access or disclosure occurred;
- a description of the personal information involved in the loss or unauthorized access or disclosure;
- a description of any steps the organization has taken to reduce the risk of harm to individuals;
- contact information for a person who can answer, on behalf of the organization, questions about the loss or unauthorized access or disclosure.
The Commissioner may permit an organization to notify individuals indirectly (for example, by running an ad in a local newspaper) if direct notification would be unreasonable in the circumstances. The notice must be given within the time period determined by the Commissioner.

Commissioner may add terms and conditions

The Commissioner can also impose further terms and conditions, in addition to the requirement to notify affected individuals. For example, the Commissioner may require the organization to report back to the Office about steps taken by the organization to reduce the risk of similar incidents, or the Commissioner may require notification to be provided directly by telephone rather than by another method (such as when the personal information involved in the security breach is
highly sensitive). The Commissioner may require additional information from the organization in order to determine whether further terms and conditions are appropriate in the circumstances.

Duty to follow the Commissioner's requirement to notify

An organization must follow a direction from the Commissioner to notify affected individuals, as well as any further terms and conditions and any request for further information. A refusal to comply could result in an Order from the Commissioner to comply. It is an offence under the Act to fail to follow an Order from the Commissioner. In addition, once an Order has been issued by the Commissioner against an organization, the Act provides that an individual affected by that Order (e.g. an individual who should have been notified) has a cause of action against that organization for any harm resulting from the matter at issue in the Order.

Other resources

"A Guide for Businesses and Organizations on the Personal Information Protection Act" provides an overview of the Act with examples and tips for incorporating good privacy practices in the workplace.

"The Personal Information Protection Act, A Summary for Organizations" summarizes the key obligations of organizations.

Publications are available online from Access and Privacy: www.pipa.gov.ab.ca

The website of the Office of the Information and Privacy Commissioner also contains resources, at www.oipc.ab.ca.

"Key Steps in Responding to Privacy Breaches" provides guidance for organizations on dealing with a security breach.

"Reporting a Privacy Breach to the Office of the Information and Privacy Commissioner of Alberta" is a form for reporting security breaches to the Commissioner.

This Information Sheet was prepared to assist organizations that are subject to the Personal Information Protection Act. This document is an administrative tool intended to assist in understanding the Act. It is not intended as, nor is it a substitute for, legal advice.
For the exact wording and interpretation of the Act, please read the Act in its entirety. This Information Sheet is not binding on the Office of the Information and Privacy Commissioner of Alberta.