It’s been quite a start to 2014, hearing all the news about recent privacy breaches in our province. The biggest one involved the theft of a laptop containing personal health information of over 600,000 Albertans who attended Medicentres last year, leaving us all asking, “How could this happen?” and “How could they have handled it so badly?” Better questions might be, “How would we handle a breach?” and “How do we prevent this from happening to us?”
Privacy breaches happen when your organization loses personal information stored in a briefcase, on a memory stick or on a laptop; when personal information you hold is accessed in an unauthorized way, maybe by a computer hacker or a nosy employee; or when personal information is disclosed in some way it shouldn’t be, perhaps by an employee who mistakenly emails information to the wrong party, or takes lists of names or credit card numbers and uses them to conduct unrelated business or commit fraud. If you discover there’s been a breach in your organization, no matter what kind, there are things you need to do right away.
The first is just plain common sense – figure out where the breach is happening and contain it. Limit access to or shut down compromised systems, stop offending practices, close physical security gaps, then recover the records if possible. Contact your Privacy Officer and/or the person who handles security. Call the police if you suspect there is a possibility of identity theft or other criminal activity. Do your best to make it stop right away.
Next, determine the risk of harm to the people who had their personal information compromised and decide if they need to know what happened. Operating a business in Alberta generally means you’re subject to the Personal Information Protection Act (PIPA) and must report a breach to the Office of the Information and Privacy Commissioner (OIPC) where a “reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the incident” (PIPA S. 34.1). Organizations subject to federal, public sector or health-specific privacy legislation may choose to report depending on the overall evaluation of the breach.
Assess the potential risk of harm by considering these things about the disclosed personal information: whether or not it could be used to commit identity theft; the degree of sensitivity (financial or health information, personal health, driver’s license or social insurance numbers); the severity of harm (physical, financial, personal or professional reputation, public health and safety); the number of people affected; and whether or not it was fully recovered.
If you determine the breach created a real risk of significant harm, report it to the OIPC right away. The Commissioner can then compel you to notify those affected. However, you can make that decision yourself in order to avoid causing further harm, to mitigate the damage or to comply with other legislative or contractual obligations requiring notification.
Make your decision and notify people right away. Contact everyone directly – by telephone, letter or in person. To reach large numbers of people, provide notice through your website or other media, spreading information quickly and widely. Explain the “who, what, when, where, why and how”. Describe what you did to stop it and prevent further harm. Let people know who, within your organization and at the OIPC, can provide help.
Finally, conduct a thorough investigation to find the source and cause of the breach right away. Was it an honest error made by an employee or contractor, a deliberate act by a rogue employee, a random external theft, a weakness in your IT security practices, a lack of policy or procedure in an operational area, or a general lack of understanding of compliance requirements or best practices for information handling? Was it a combination of things?
Once you’ve found the cause of the breach, help prevent a repeat by doing an assessment of your entire organization looking for gaps in: privacy and security policies; training and awareness at all stages of employment and all staff levels (including contractors and volunteers); compliance monitoring; business continuity; disaster and breach response planning. Revise or add policy, procedure and training in the areas where the breach originated and to fill all gaps. Review all of this regularly. And often.
If your organization has never had a breach and you have confidence in your privacy and security policies, procedures and breach response plans, give yourself a pat on the back!
If not, you should start thinking about privacy breaches right away.