The new data breach reporting requirements under PIPEDA: If you lose something, say something
It costs less than ten dollars to purchase a USB flash drive. It can cost tens of thousands to lose it.
Lawyers and law firms are entrusted with a substantial amount of financial, medical, and other sensitive or embarrassing personal information. Under both the rules of professional conduct and privacy legislation, lawyers are obligated to secure this potentially sensitive data. But security breaches sometimes occur, either through the accidental disclosure or misplacement of sensitive documents and devices, or through malicious acts, such as computer hacking or theft.
The costs associated with these security breaches can be substantial. In July of 2018, the Ponemon Institute released a study, sponsored by IBM Security, which found that the average cost of a data breach involving between one thousand and one million records had increased to $3.86 million. In Canada, the average cost associated with these data breaches was $202 per compromised record. These are both explicit and implicit costs, arising out of detection and crisis management, notification requirements, reparation, and reputational losses. While almost half of the breaches within the study were caused by malicious and criminal attack, 27 per cent were due to human error, such as negligent storage or transportation of personal information by an employee.
The new PIPEDA amendments
The consequences of a serious loss of sensitive personal information can include potential liability in negligence against a law firm. But even less serious breaches that don’t necessarily lead to quantifiable harm can still create costs for a law firm or organization that must comply with regulatory detection, analysis, and notice requirements.
On November 1, 2018, the most recent regulatory requirements of this kind came into force as the amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA), pertaining to mandatory data breach reporting requirements (the PIPEDA Amendments). These amendments increase the obligations and costs imposed on all organizations, including legal practices, when addressing inadvertent disclosure of personal information.
It is a good idea for all lawyers and firm administrators to familiarize themselves with their obligations to protect any personal information in their records and comply with the new notice obligations should a breach occur.
Not just client confidentiality: All personal information
Like other commercial organizations in Ontario, a legal practice must comply with PIPEDA, which governs the collection, retention, and disclosure of personal information. Personal information is any information about an identifiable individual. Employment records documenting information about a client’s coworker, witness statements and interviews, even seemingly benign information about a client’s family members, are all examples of data that could qualify as personal information and must be protected.
Is it safe?
Section 4.7 of Schedule 1 of PIPEDA describes the security safeguards that must be in place to protect personal information against loss, theft, unauthorized access, disclosure, copying, use, or modification, regardless of format (e.g. hard copies, soft copies, personal notes, emails, etc.). The legislation expects physical documents to be protected by physical measures such as locked cabinets and doors; access to personal information to be limited by organizational measures, such as on a need-to-know basis; and any digital personal information or documents to be protected by passwords and encryption.
More sensitive information is expected to be protected by a higher level of protection. The sensitivity of any given personal information is essentially determined by common sense. As an example, s. 4.3.4 of Schedule 1 of PIPEDA distinguishes the names and addresses of subscribers to “special-interest magazines” as more sensitive information than the names and addresses of subscribers to a news magazine.
Not just hackers or fraudsters
But while digital and physical security precautions are important, potential compromise of personal information does not just arise out of a computer hack or the actions of a malicious fraudster. Even mere inadvertence on the part of a lawyer or staff member can lead to compromised security. Sometimes an over-reliance on the auto-fill function will result in important documents being emailed to one or more third parties that should not have received them. Sometimes a client picking up documents in person will inadvertently be given the wrong file. Sometimes a laptop containing sensitive information will be left unattended or in an unlocked vehicle, only to quickly go missing. And legal offices are not immune to burglaries.
When these sorts of security failures happen, it may be irrelevant, for the purposes of reporting, whether any actual harm occurs as a result of the loss of personal information. The requirement to report a potential breach is triggered if there is a “real risk of significant harm”. Significant harm is broadly defined in PIPEDA as including bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on a credit record, and damage to or loss of property.
When to report, and to whom?
Determining whether there is a real risk of significant harm is, like many elements of PIPEDA, context sensitive. It is a judgment call that must consider both the sensitivity of the personal information and the probability that the information will be misused [see s. 10.1(8)]. Even if it is not known whether any personal information has been compromised, a report may be necessary simply if security safeguards were breached. A lost laptop, flash drive, or unlocked briefcase that is later recovered may still necessitate a report if there is a possibility that personal information was copied or disclosed at any point.
The PIPEDA Amendments require that notification of a breach of security safeguards be provided to any affected individual, and that it contain:
- A description of the circumstances of the breach and, if known, the cause;
- The day on which, or the period during which, the breach occurred or, if neither is known, the approximate period;
- A description of the personal information that is the subject of the breach to the extent that the information is known;
- A description of the steps that the organization has taken to reduce the risk of harm that could result from the breach;
- A description of the steps that affected individuals could take to reduce the risk of harm that could result from the breach; and
- The name and contact information of a person who can answer questions about the breach.
This notification must be provided by telephone, mail, email, or any other form of communication that a reasonable person would consider appropriate in the circumstances. In prescribed circumstances, indirect notification by public communication is permitted.
Additionally, a report must be provided to the Privacy Commissioner in writing and by any secure means of communication. It must contain the above information along with:
- A description of the steps that the organization has taken or intends to take to notify affected individuals of the breach; and
- The number or approximate number of individuals affected by the breach.
An organization must retain a record of every breach of security safeguards for 24 months after the breach occurs, whether or not there is a real risk of significant harm.
What to do
It is important to remember that the loss of personal information could lead to claims of negligence from the affected parties. But even if no serious damages flow from a breach, fines and complaints under PIPEDA can still arise if a legal practice does not comply with its record keeping and reporting requirements.
It is a good idea to have a policy in place to record and keep track of even minor and inadvertent disclosures, such as failing to shred important documents before disposal, or accidentally including an incorrect party in an email. Consider whether any accidental breach creates a real risk of significant harm and, if so, notice is expected to be provided to affected individuals and the Privacy Commissioner.
And remember, if any breach occurs which could lead to a claim against a lawyer, report the potential claim to LAWPRO immediately.
By Shawn Erker, Legal Writer and Content Manager at LAWPRO