Dundee Agents' Privacy Breach Presentation


Understanding Privacy Breach Risk: Ontario Universities Risk Management Symposium
Presented by Brian Rosenbaum LL.B.
Director, Legal and Research Practice, Financial Services Group, Aon Reed Stenhouse Inc.
25 November 2009
Understanding Privacy Breach Risk: CURIE Ontario University Forum

Agenda
• Introduction
• The Unique Exposures of Higher Education Institutions
• A Myriad of Legislation
• Key Regulatory Issues
• Privacy Breach Statistics
• Types of Privacy Breaches
• Privacy Breach Examples
• Privacy Breach Risks
• Costs of a Breach
• Privacy Governance
• Privacy Breach Links/References
• Questions
Introduction
• Universal Exposure
• Technological Explosion
• Privacy Breaches on the Rise
• Universities' and Colleges' Unique Risks
The Unique Exposures of Higher Education Institutions
• A Learning and Sharing Environment
  – Open information sharing is a higher learning foundation
  – Remote access to networks and databases is commonplace
• Universities are Like Little Cities
  – PI of many different types of individuals (students, alumni, employees, applicants, patients)
  – Various types of PI (educational records, research information, financial information, health information)
• Technology-Savvy and Sophisticated Internet Users
  – Students are first users of new technologies
  – Pressure for universities to adopt new platforms and systems
• Outsourcing Issues
  – Outsourcing e-mail and data storage may have many advantages, but there are privacy issues
Privacy Law Overview
Ontario
• Freedom of Information and Protection of Privacy Act (FIPPA)
  – June 2006 amendments bring educational institutions under its jurisdiction
  – Regulates use, collection, disclosure and retention of PI by higher education institutions
• Personal Information Protection and Electronic Documents Act (PIPEDA)
  – Regulates use, collection, disclosure and retention of PI in the context of university activity that is commercial in nature and not "core" to the university mandate
  – Applies if PI flows outside of the province or country
• Personal Health Information Protection Act (PHIPA)
  – Regulates the collection, use and disclosure of personal health information
Privacy Law Overview continued
Differences in Applicable Legislation
• Pose challenges in creating one uniform privacy policy
• Examples of differing provisions:
  – Disclosure of PI where there is no consent
  – Breach notification
Privacy Breaches and Notification
• Current Law under PIPEDA/FIPPA
  – When does the obligation to notify arise?
  – Failure to properly notify in a timely fashion can lead to civil and regulatory liability
  – Early notification = mitigation
  – PIPEDA and FIPPA have no mandatory breach notification obligations
  – Guidelines/protocols strongly urge notification if a breach creates a risk of significant harm
• Industry Canada Proposal
  – Mandatory breach notification requirements on the way
  – Discretion left in the hands of the organization
  – Threshold to report is "high risk of significant harm"
  – Reporting window is "as soon as reasonably possible"
  – Report "material breaches" to the Privacy Commissioner
• Current Law under PHIPA
  – Only Canadian legislation with mandatory breach notification requirements
  – "First reasonable opportunity" threshold
Privacy Breach Statistics
ESI U.S. University Data Security Breach Study
• 2006
  – 83 data security breaches
  – 65 affected institutions
  – 2.7 million data records
• 2007
  – 139 data security breaches
  – 112 affected institutions
  – 1.25 million data records
• 2008
  – 173 data security breaches
  – 178 institutions
  – 4.9 million data records
• 2009 (so far)
  – 72 data security breaches
  – 66 institutions
Privacy Breach Statistics continued
ESI U.S. University Data Security Breach Study continued
[Bar chart: Number of Breaches (0 to 80) by Type of Breach – Online, Theft, Penetration, Loss, Impersonation, Employee Fraud – for 2006, 2007 and 2008]
Privacy Breach Statistics continued
ESI U.S. University Data Security Breach Study continued
[Bar chart: Number of Records (0 to 180) by Type of Information – Personally Identifiable, Social Security Numbers, Educational, Financial, Medical, Username/Password – for 2006, 2007 and 2008]
Types of Privacy Breaches
Ponemon Institute – Primary Source of Breach 2008
• Cybercrime / Hacker: 5%
• Lost Media Backup: 5%
• Paper Records: 7%
• Stolen / Lost Laptop: 36%
• Other Data Bearing Device: 14%
• System Failure: 33%
Canadian Privacy Breach Examples
• Brock University (September 2006)
• McGill University (April 2007)
• Memorial University (September 2008)
• Trent University (February 2009)
• Ryerson University (February 2009)
• Huron University College (March 2009)
• Carleton University (September 2009)
• Memorial University (September 2009)
U.S. University Privacy Breach Examples
• California State Polytechnic University (15 Nov. 2009)
• Chaminade University (6 Nov. 2009)
• Bloomsburg University of Pennsylvania (1 Nov. 2009)
• California State University (14 Oct. 2009)
• University of Wisconsin (12 Oct. 2009)
• Roane State Community College (12 Oct. 2009)
• University of North Carolina (24 Sep. 2009)
• Eastern Kentucky University (24 Sep. 2009)
• Boston University (20 Aug. 2009)
• University of California (17 Jul. 2009)
• Cornell University (23 Jun. 2009)
• University of North Dakota (17 Jun. 2009)
Privacy Breach Risks
• Civil Suits
  – From business partners (e.g. financial institutions for credit card notification and recall expenses)
  – From students, faculty and the general public for identity theft
• Regulatory Investigations and Proceedings
  – From the Privacy Commissioner of Ontario pursuant to FIPPA or PHIPA
  – From the Privacy Commissioner of Canada pursuant to PIPEDA
• Universities' Own Costs
  – Damage to data and property
  – Recovery and restoration expenses
  – Loss of intellectual property
  – Business interruption
  – Loss of business opportunity
• Damage to Reputation
  – Enrollment
  – Future revenues
  – Business partnerships
Cost of a Breach
• Liability
  – Compensatory damages
  – Regulatory actions
• Direct Damages to Insured
  – Business interruption
  – Mitigation
  – Costs to restore information
  – Internal investigation
  – Legal fees
  – Lost customers
  – Lost employee productivity
• Response Plan
  – Public disclosure and notification
  – Interaction with regulators/authorities
• Crisis Management Costs
  – Call centre and website
  – Credit monitoring
  – Public relations
Privacy Governance
• Breach Investigated and Assessed
  – What caused the breach?
  – How was it detected?
  – What personal information was involved?
  – How secure was the information (e.g. encryption)?
  – How many individuals were affected?
  – Does the breach appear to be criminal?
  – Is there potential harm for those affected?
• Notification
  – What notification laws apply?
  – Should affected individuals be notified?
    › What are the reasonable expectations of those affected?
    › Is there a risk of harm (e.g. humiliation)?
    › Is there an ability to mitigate?
    › What are your contractual obligations?
    › Reputation considerations
Privacy Governance continued
• Breach Risk Control Considerations
  – Conceptual
    › Have you recognized privacy as a risk for your organization?
      ▪ Would it cause reputation or financial risk?
    › Have you developed a strategy to handle this risk?
      ▪ Is the risk disclosed to investors (e.g. AIF statement)?
      ▪ Have you determined whether you will notify?
      ▪ Have you identified responsibilities within your organization?
      ▪ Have you identified outside parties to engage if you have a breach?
    › How will your strategy be funded?
  – Prevention
    › How are you ensuring the security of your systems?
    › Operational Consistency – Is your data retention strategy in sync with your privacy obligations? With your privacy policy? Do you utilize a CRM platform? What information is being collected? How long is the data held for?
    › What training is being provided to employees – About your privacy policy? About your privacy obligations? About security? About reporting requirements?
Privacy Governance
• Breach Risk Control Considerations continued
  – Assessment
    › Who is responsible for investigating potential breaches?
    › What reporting structure is in place?
    › Has a methodology been created for an assessment/reporting?
    › What external resources are required in assessing a potential breach?
    › PIPEDA self-assessment tool: http://www.privcom.gc.ca/information/pub/arvr/pipeda_sa_tool_200807_e.pdf
  – Notification
    › Will you notify those affected by a breach? What methodology will be used to determine? Has a formal plan been created? Has it been communicated?
    › Who will be responsible for the notification? What oversight is required?
    › Who will provide legal advice?
    › Will you hire a PR firm? Has the firm been identified? Have they been briefed on your notification plan?
    › Will the notification include your website and/or customer relations team?
    › Who will communicate with regulators?
Privacy Breach Links/References
Websites
• Educational Security Incidents (ESI)
  http://www.adamdodge.com/esi
• Privacy Rights Clearinghouse
  http://www.privacyrights.org/index.htm
• The Ponemon Institute
  http://www.ponemon.org/index.php
• Open Security Foundation Data Loss Database
  http://www.datalossad.org
• Office of Inadequate Security
  http://www.databreaches.net/
• Identity Theft Resource Center
  http://idtheftcenter.org
• Edupage
  http://www.educause.edu/Resources/ElectronicNewsletters/Edupage/639
• Computer Crime & Intellectual Property Section of the United States Department of Justice
  http://www.usdoj.gov/criminal/cybercrime/cc.html
• SSNBreach
  http://www.nationalidwatch.org/
• Canadian Privacy Law Blog
  http://www.privacylawyer.ca/blog
• Library Boy
  http://micheladrien.blogspot.com
Reports and Studies
• ESI's 2008 Year in Review
  http://www.adamdodge.com/esi/files/esi_yir_2008.pdf
• Ponemon Institute's 2008 Annual Study: Cost of a Data Breach
  http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/2008-2009%20US%20Cost%20of%20Data%20Breach%20Report%20Final.pdf
• 2009 Rotman-Telus Joint Study on Canadian IT Security Practices
  http://www.rotman.utoronto.ca/news/detail.asp?ID=490
• Breaches in the Academia Sector
  http://jmcconsulting.wptlite.com/download.asp
• Privacy Breach Impact Calculator
  http://www.informationshield.com/privacybreachcalc.html
Questions and Discussion