Last week, a multi-state settlement was reached with TD Bank, N.A., resolving an inquiry into a 2012 data breach in which 1.4 million files were compromised. The US$850,000 multi-state settlement also requires the bank to reform its practices to help ensure future incidents do not occur.
The breach occurred when the bank reported the loss of unencrypted backup tapes in Massachusetts. All total, the files contained personal information for 260,000 TD Bank customers. The bank will now have to notify state residents of any future security breaches or other acquisitions of personal information “in a timely manner.”
Unlike the U.S., Canada currently has limited requirements for organizations to proactively notify individuals or the appropriate regulatory bodies of a data breach in such circumstances. The exceptions are Ontario’s Personal Health Information Protection Act, Newfoundland and Labrador’s Personal Health Information Act, New Brunswick’s Personal Health Information Privacy and Access Act, and Alberta’s PIPA, all of which require mandatory data breach notification.
Bill S-4, the digital privacy act, introduced earlier this year in the Senate, would amend the Personal Information and Electronic Documents Act. It was introduced in April and is now before the House of Commons. The bill, which is perhaps better known for concerns some have about what it is attempting to address with respect to online privacy, also contains mandatory breach notification provisions.
It would require organizations to notify both individuals and the privacy commissioner, in the event of a breach of security of personal information and keep a record of every breach. Breaches could also incur fines of up to $100,000.
“On breach notification I think Bill S-4 has it right,” says Chantal Bernier, former interim privacy commissioner of Canada who is now counsel at Dentons LLP. “You need to make breach notification mandatory so the affected individuals can protect themselves.”
Bernier says the way the bill requires notification “as soon as possible,” but not within a specified timeline, is appropriate given organizations need time to properly assess the damage done.
“It clearly imposes diligence but also recognizes the operational reality that it takes a while to define the scope of the breach, and depending on the type of breach, it can take a shorter or longer time period to scope it out and know who exactly should be informed,” says Bernier. “That is a well-thought-through notification obligation.”
Bernier also likes that the notification would occur “only in cases of significant harm,” which includes “physical and moral” harm.
“Making it just for significant harm avoids notifying individuals needlessly and worrying them in the absence of real consequences,” she says. “My experience has been that people can react very acutely to the announcement of a privacy breach. There is such concern with fraud I would want us to be very judicious in when we notify or not. We should notify but only when there is actual potential or significant harm.”
In the absence of breach disclosure now, Mark Hayes, of Hayes e-Law LLP, says he encourages clients to voluntarily disclose if their organization has experienced a breach.
“There’s an awful lot of voluntary disclosure that takes place,” says Hayes. “Certainly with any client I advise and the general advice most people will give today is that while there is no statutory obligation, in most cases you want to disclose to the [privacy] commissioner as soon as you know enough to disclose. That may not be day one because you want to do the investigation first.”
In Canada and Alberta the test is that there is a “reasonable chance” there will be harm done.
“What most often happens is a hard drive disappears and you don’t know if anyone got a hold of it or if it’s being used. So in those cases it’s difficult to assess if [there is] significant harm,” says Hayes. “That is different than with a hacking case like happened with Target and Staples, where it was a targeted invasion to take data and someone was probably looking to do something with it.”
In most cases in Canada, even though there isn’t a statutory obligation to disclose right now, most well-advised companies will go to the authorities as quickly as they can.
“It is prophylactic in terms of limiting the interest the regulator is going to have in nosing through your business,” says Hayes. “The rule of thumb is if the regulator reads about it in the newspaper, they are going to be all over you. If the regulator hears from you first, they will think it’s under control.”
Hayes says he has helped clients who have had some minor breaches but on some occasions when he suggests they should go to the regulator, they push back.
“I convince them to go to the regulator and it’s the last we hear from them because it looks like it’s being taken care of,” he says.
The more stringent U.S.-based policies are a product of what Hayes says was a “knee-jerk reaction” to high-profile data breaches that required compulsory disclosure not only to the regulator but also to the individuals.
“Very often you end up causing people more concern with notice because nothing ever ends up happening,” he says. “The classic is the lost thumb drive but you don’t know where it went and you end up notifying everyone for a risk that is tiny. If you set a low threshold, people end up getting lots of notifications and it becomes wallpaper.”
The actual damage to consumers in Canada has been relatively small, says Hayes, which speaks to why there hasn’t been a huge push in the past for breach disclosure laws here.
“Our banks cover credit card losses and as a result there isn’t a lot of financial damage to consumers so you don’t get the groundswell of political support behind it.”