one page assignment on ITIL with zero plagiarism

profilemanpreetk
4.PrivacyIntro2021.pdf

ISSM 561 - Privacy and Security Martin Kratz, QC

© 2021

1

Agenda Introduction to Privacy law

The international context

Which law applies?

Elements of Canada’s privacy law

Focus on the security obligation

Privacy complaints and access requests

2

Privacy in an increasing issue

In the first classes we have seen privacy as a key issue affecting information systems security

We studied search and seizure of devices and information in light of S. 8 of the Charter of Rights and Freedoms

Note the importance of “an expectation of privacy”

Increasingly, Courts are elevating privacy issues as a significant right

3

Privacy in an increasing issue Many countries have mandatory privacy legislation for the private sector

In these laws there is a positive enforceable legal duty to provide adequate security for personal information that is collected, used or retained

The level of security depends on the sensitivity of the information

Privacy concerns are higher when personal information is in digital form

Computer security professionals are in high demand to work closely with privacy professionals on these issues

4

A brief history OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, 1980

Federal Privacy Act

Provincial Privacy and Freedom of Information Legislation

Private sector - model codes - voluntary compliance

European Union Privacy Directive, 1995

Fundamental ‘right to privacy with respect to the processing of personal data’

Transfer to non-EU countries only if country “ensures an adequate level of protection”

Implementation in 1998

EU begins to assess the “adequacy” of other countries laws 5

A brief history USA – 1995-2000, diplomatic efforts to avoid trade war

1998 USA pressures private sector for voluntary compliance

Safe Harbor Agreement with EU, 2000

Safe Harbor found “adequate”

2001 Canada implements PIPEDA

PIPEDA found “adequate”

6

A brief history

EU, General Data Protection Regulation 2015

Shrems I - US-EU Safe Harbor struck down 2017

US - EU Privacy Shield Agreement 2017 (replaces Safe Harbour)

EU, General Data Protection Regulation in force 2018

Schrems II - US-EU Privacy Shield struck down 2020

7

Canada’s response

Various Industry Guidelines had been previously developed

CSA Model Code for the Protection of Personal Information

Federal: Personal Information Protection and Electronic Documents Act (‘PIPEDA’), 2001

EU Working Group finds PIPEDA “adequate”

8

Canada’s response

Provincial Mandatory Private Sector Privacy Legislation:

Quebec (1994)

Alberta (2004) Personal Information Protection Act (“PIPA”)

BC (2004) Personal Information Protection Act

Ontario [health only] (2005)

Manitoba [private bill] (2006)

9

Federal Privacy Law

10

Federal Privacy Legislation

Public Sector Legislation

Applies to all Federal works and undertakings under Federal jurisdiction

Privacy Act

Access to Information Act

11

Federal Privacy Legislation Private Sector Legislation

Personal Information Protection and Electronic Documents Act (PIPEDA)

Applies to all Federal works and undertakings under Federal jurisdiction

Applies to provincial business unless displaced by “substantially similar” law

Applies to organizations engaged in commercial activities

Regulates external and employee information for federal businesses

Does not regulate employee information in provincial businesses

12

Substantially similar laws

PIPEDA permits Provinces to enact “substantially similar” legislation or PIPEDA applies in Province

“Substantially Similar” means:

Ten privacy principles (details to follow)

Independent oversight and redress mechanism with power to investigate

Restrict collection, use and disclosure to purposes that are appropriate

13

Substantially similar laws

Substantially similar provincial Legislation:

Quebec (1994)

Alberta (2004) Personal Information Protection Act (“PIPA”)

BC (2004) Personal Information Protection Act

14

Provincial Privacy Law

15

Alberta Privacy Legislation

Public Sector Privacy Legislation

Applies to provincially regulated entities

Freedom of Information and Protection of Privacy Act

Health Information Act

16

Alberta Privacy Legislation

Private Sector Privacy Legislation

Applies to organizations engaged in commercial activities

Personal Information Protection Act (“PIPA”)

Includes regulation of employee information

17

Which law applies? Each Organization needs to determine:

Public or Private sector?

Federal or Provincial regulated activity?

What kind of information the organization collects, uses and discloses?

Is it health information?

Is it employee personal information?

Is it information collected, used or disclosed on behalf of another party (are they Public or Private?)

Is the information collected, used or disclosed by a third party on behalf of the organization?

18

19

Federal: Personal Information Protection and Electronic Documents Act

BC: Personal Information

Protection Act

Man: Personal Information Protection and Identity Theft Prevention Act

Sask: PIPEDA

Alberta: Personal Information

Protection Act

Ontario: PIPEDA

Private Sector Legislative Overlap

Activities Matter Legislation is activity based Nature and location of the activity (not the organization) dictates applicable legislation Consider all applicable jurisdictions Consider scope of obligations

20

Which laws apply? Businesses doing business in multiple jurisdictions need to be aware of the applicable law in each jurisdiction

Businesses with operations and customers solely located in a province - likely look to the law of that province

Alberta, BC – Personal Information Protection Act

Quebec - Loi sur la protection des renseignements personnels dans le secteur privé Quebec

Manitoba – Personal Information Protection and Identity Theft Prevention Act

Other - PIPEDA

Need to consider inter-provincial transfers of personal information

Common to have blended multi-jurisdictional privacy compliance programs

21

Privacy

Any questions on the history or which laws apply?

22

Personal Information

23

Personal information Personal information is any information about an identifiable individual, other than the person's business title or business contact information when used or disclosed for the purpose of business communications. For example:

Age, income, marital status, dependents and ethnic origin

Social insurance number, drivers license number, credit card numbers,

Employment applications, resumes, reference letters, transcripts

Compensation, financial information

Internet activity and computer usage

Personal information does not include anonymous or non-personal information (i.e., information that cannot be associated with or tracked back to a specific individual).

24

Employee Personal Information

A subset of Personal Information (under PIPA)

Definition of Personal Employee Information is information in respect of an employee or potential employee that is collected, used or disclosed solely for purposes of establishing, managing or terminating an employment relationship, but not personal information unrelated to employment relationship

No such exemption under PIPEDA for federally regulated employees.

PIPEDA does not extend to regulate provincially regulated employees.

25

Personal Information

Questions?

26

10 Fair Information Practices

27

Privacy Fundamentals 10 Fair Information Principles from CSA Guidelines

Accountability

Identifying Purposes

Consent

Limiting Collection

Limiting Use Disclosure & Retention

Accuracy

Safeguards

Openness

Individual Access

Challenging Compliance

28

Accountability

An organization is responsible for personal information under its control.

It must appoint someone to be accountable for its compliance with the fair information principles.

Some one has to be responsible for compliance

That would be a person empowered to receive complaints or discuss the policies or practices of the organization

29

Identifying Purposes

The purposes for which the personal information is being collected must be identified by the organization before or at the time of collection.

Must identify the purposes for which personal information is collected, retained, used or disclosed

Those purposes should be capable of being understood, and must be clear.

30

Consent

Basic principle - that a person should consent to the collection, use, retention and disclosure of his or her personal information

The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

Certain exceptions do apply.

31

Types of Consent Express (oral or written)

Deemed (or ‘Opt Out’)

e.g. “We assume, unless you advise us otherwise, that you have consented to the collection, use or disclosure of your personal information in the manner described in this privacy policy”

Implied (by action)

e.g. request a product or service be delivered to your house, and your consent will be implied to the use of your contact and payment information for the purpose of delivering, billing and collecting for such product or service

32

Limiting Collection

The collection of personal information must be limited to that which is needed for the purposes identified by the organization.

Information must be collected by fair and lawful means.

33

Limiting Use, Disclosure & Retention

Unless the individual consents otherwise or it is required by law, personal information can only be used or disclosed for the purposes for which it was collected.

Personal information must only be kept as long as required to serve those purposes.

34

Accuracy

Personal information must be as accurate, complete, and up-to- date as possible in order to properly satisfy the purposes for which it is to be used.

An individual has a right to challenge the accuracy of the personal information

35

Security

Personal information must be protected by appropriate security relative to the sensitivity of the information.

Legal requirement to maintain the security of the personal information

Level of security depends on the sensitivity of the personal information

We will discuss this is greater detail later

36

Openness

An organization must make detailed information about its policies and practices relating to the management of personal information publicly and readily available.

The organization should disclose its privacy policies and practices

37

Individual Access

An individual has the right to access the personal information collected on them and know for what purposes it is collected, used or disclosed

Upon request, an individual must be informed of the existence, use, and disclosure of their personal information and be given access to that information.

An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

38

Challenging Compliance

An individual has a right to challenge the compliance of an organization in respect of its privacy policy or practices

An individual shall be able to challenge an organization’s compliance with the 10 fair information principles.

Their challenge should be addressed to the person accountable for the organization’s compliance with the privacy law, usually their Chief Privacy Officer.

39

Fundamental Requirements An organization is responsible for personal information that is in its custody or under its control, and is responsible for the compliance of its service providers

An organization must designate one or more individuals to be responsible / accountable for ensuring that the organization complies with its privacy obligations

An organization must develop and follow policies and practices that are reasonable for the organization to meet its obligations / give effect to the principles

40

Fundamental Requirements Except where otherwise permitted or required by law, each organization is obliged to:

Obtain from the individual their consent to the collection, use, and disclosure of their personal information

Use and disclose such information only for the purposes for which the consent was given

Destroy the information after its purpose has been fulfilled

Allow the individual to access and challenge the accuracy of their personal information

41

Minimum Requirements

Appoint a Privacy Officer / Manager

Adopt basic policies (capable of compliance)

Inform the organization of privacy requirements and basic policies

Ensure that privacy matters are referred to Privacy Officer / Manager for handling

Undertake assessment of critical areas / contracts

42

Must be Reasonable

An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.

Where an organization collects, use or discloses personal information, it may do so only to the extent that is reasonable for meeting the purposes for which it was collected, used or disclosed.

43

What is reasonable? The CPC has determined that the following purposes would generally be considered inappropriate by a reasonable person (i.e., no-go zones):

collecting, using or disclosing personal information in ways that are otherwise unlawful;

profiling or categorizing individuals in a way that leads to unfair, unethical or discriminatory treatment contrary to human rights law;

collecting, using or disclosing personal information for purposes that may cause significant harm to someone;

publishing personal information with the intent of charging people for its removal;

requiring passwords to social media accounts for the purpose of employee screening;

conducting surveillance on an individual using their own device’s audio or video functions.

44

Privacy Principles

Questions on the basics of privacy?

45

Security Obligation

46

Security Obligation - in more detail

Personal information shall be protected by security safeguards appropriate to the sensitivity of the information, regardless of format

Protection against loss, theft and unauthorized access, disclosure, copying, use or modification

Identify sensitivity of information

Various measures of protection are available

47

Security Obligation - PIPA

“An organization must protect personal information that is in its custody or under its control by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure, copying, modification, disposal or destruction.”

Alberta Personal Information Protection Act, S. 34

48

Security Obligation - PIPEDA

“Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.”

Principle 4.7 PIPEDA

The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage. More sensitive information should be safeguarded by a higher level of protection.

Principle 4.7.1

49

Security Obligation - PIPEDA The methods of protection should include

(a) physical measures, for example, locked filing cabinets and restricted access to offices;

(b) organizational measures, for example, security clearances and limiting access on a “need-to-know” basis; and

(c) technological measures, for example, the use of passwords and encryption. Principle 4.7.2

Organizations shall make their employees aware of the importance of maintaining the confidentiality of personal information. Principle 4.7.4

Care shall be used in the disposal or destruction of personal information, to prevent unauthorized parties from gaining access to the information. Principle 4.7.5

50

Joint Recommendation

The privacy commissioners for Alberta, British Columbia and for the Federal Government issued a joint recommendation on meeting the security requirement under privacy law.

51

Joint Recommendation First step – collect only the personal information needed for the purpose

Reasonable safeguards include several layers of security, including, but not limited to:

risk management,

security policies,

human resources security,

physical security,

technical security,

incident management, and

business continuity planning.

52

Joint Recommendation The reasonableness of security arrangements adopted by an organization must be evaluated in light of a number of factors including:

the sensitivity of the personal information,

the foreseeable risks,

the likelihood of damage occurring,

the medium and format of the record containing the personal information,

the potential harm that could be caused by an incident, and

the cost of preventive measures.

53

Joint Recommendation

Generally accepted or common practices in a particular sector or kind of activity may be relevant to the reasonableness of a security safeguard.

However, generally accepted practices and technical standards must be complemented by elementary caution and common sense.

54

Joint Recommendation Basic Security

Businesses obligated to assess adequacy of existing security measures

where and how is information kept?

who has access to it?

who needs access to it?

how is it retrieved?

industrial security threats?

Businesses need a data governance plan

55

Joint Recommendation Safeguard measures include measures such as:

“clean desk” policy where clients invited in

automatic computer terminal lock-out

restrictions on physical and electronic access

locking offices/filing cabinets/drawers

computer passwords/encryption

segregation of sensitive files

security clearances

encryption

56

Joint Recommendation Safeguard measures include measure such as :

safeguards when transferring information to third parties or between offices

redacting non-essential material prior to transfer

encryption now required?

destruction/disposal

shredding

diskettes/back-up tapes

document retention policy?

systems audits

“hacker-proof” penetration tests?

57

Joint Recommendation Self Assessment Guidance includes:

Risk Management

Policies

Records management

Human Resources Security

Physical Security

Systems Security

Network Security

Wireless Security

Database Security

58

Joint Recommendation Self Assessment Guidance includes:

Operating Systems

Email and Fax Security

Data Integrity and Protection

Access Control

Information Systems Acquisition, Development and Maintenance

Incident Management

Business continuity planning

Compliance

59

PIPA & PIPEDA Security

We will see more security comments and more focus on these elements in the presentation on data breaches

We will see more security comments in the presentation on breach notification requirements

60

PIPA & PIPEDA Security

Questions on the scope of the security obligation?

61

Enforcement of Privacy Obligations

62

Privacy Enforcement Enforcement of privacy obligations arises under several distinct channels

Privacy Commissioner complaints

PIPEDA (federal) Commissioner does not generally have order making power

Can not levy substantial fines for most matters

PIPEDA decisions can be appealed to the Federal Court

Individual can claim damages for humiliation in Court

PIPA has order making power

Can claim damages for breach

Privacy Torts - individuals can sue for breach of the various torts

Competition Commissioner - has begun to pursue enforcement of privacy matters - can levy large fines

63

Privacy Torts Common Law Courts have begun to recognize that a right of privacy is invaded by:

unreasonable intrusion upon the seclusion of another; or

appropriation of the other's name or likeness; or

unreasonable publicity given to the other's private life; or

publicity that unreasonably places the other in a false light before the public.

Individuals can sue for damages due to violation of their privacy rights

We discuss these torts in the Data Breaches lectures.

Note judge made law additional to rights under PIPA and PIPEDA.

64

Competition Law Competition Act prohibits the making of a representation to the public that is false or misleading in a “material respect”.

Competition Bureau has promised to investigate false and misleading statements concerning consumers’ privacy as a violation of the Competition Act

Competition Bureau can issue large penalties

“If it is determined that a business has made false or misleading representations, a variety of remedies may be ordered, including penalties for corporations of up to $10 million on a first offence and up to $15 million for subsequent offences, and/or restitution to purchasers who were affected by the misrepresentation.”

Misrepresentations made knowingly or recklessly can even be prosecuted as criminal offences.

65

Competition Law

The Competition Bureau has the authority to regulate matters where an organization has made representations to a consumer about the collection, use or safeguard of personal information, and then fails to comply with those representations.

The United States Federal Trade Commission (FTC) regularly regulates privacy matters and imposes substantial fines under similar authority to regulate deceptive practices. 

Note that the FTC plays an oversight role in the Privacy Shield program.

66

Competition Law

Competition Bureau has expressed the intention to crack down on the collection of consumers’s data in exchange for “free” online products and services, such as web browsers and apps.

Admonishing “lengthy and complex privacy policies”, the Bureau noted that

consumers may not understand precisely what is happening with their personal information,

how it is being collected, and

by whom it is being collected and used.

67

Competition Law The Competition Bureau has identified the following key topics as being most likely to raise concerns around creating a false or misleading general impression:

whether consumers’ data will be collected;

what data will be collected;

how often data will be collected;

why the data is collected and the purposes for its use;

whether the data will be sold to, or otherwise shared with, third parties;

whether consumer data will be retained, how it will be maintained, where it will be stored, and when it will be deleted; and

the level of control that consumers have as it relates to these issues.

68

Competition Law Facebook has agreed to pay a fine of $9 million under the federal Competition Act stemming from the Cambridge Analytica matter. Terms of the settlement also include:

Facebook will reimburse the cost of the inquiry of $500,000 (without any acknowledgment of wrongdoing).

Facebook agrees not to make representations to the public that are materially false or misleading regarding the disclosure of personal information.

Facebook agrees to implement a program to support compliance with the deceptive marketing provisions of the Competition Act, which must be acknowledged and supported by senior management, and includes ongoing reporting obligations to the Commissioner of Competition.

This fine is the first issued for a privacy violation in Canada by the Competition Bureau under its authority to regulate deceptive marketing practices.

69

Competition enforcement learnings Need to have a robust Privacy compliance program

1. Map and Characterize Your Data

Develop a clear understanding of the following (among other things):

the specific categories of personal information collected and the sensitivity of that information; 

how you use that information, and whether that use is for a reasonable purpose; 

who within the company can access the data and for what purpose; 

how employees can access the data and to whom can they transfer it; and 

the third-party companies with which the information is shared and for what purpose.

Personal information is broadly defined and includes categories of information beyond the more obvious types such as name, address, government identification numbers, and banking information.

Personal information can include, for example, an individual's preferences (what items the user purchases), habits (frequency of travel and routes), or reactions (what ads the user clicks on).

70

Competition enforcement learnings 2. Review Consent

Analyze the consent obtained from individuals, including the context in which consent is obtained (e.g., is it simply a "click-through" consent), and whether you have obtained valid and meaningful consent. In particular, consider whether it is reasonable to conclude that the individuals understand the following:

the categories of personal information being collected; 

the potential uses you will make of the information; 

the third parties with whom the information will be shared and the uses the third parties may make of the information; and 

the safeguards that will be employed to protect the information by the companies and any third parties.

A consideration of whether the consent is meaningful may require an assessment of the context in which the consent is given in view of the sensitivity of the information involved, and the purpose or potential for repurposing of the collection and use of the information.

71

Competition enforcement learnings

3. Review Third-Party Contracts

Cover transfers of personal information to third parties by written agreements that include:

provisions regarding the permitted uses of the transferred information (which uses correspond to the consent obtained);

controls over the ability of the transferee to process or further transfer the information;

the required safeguards for protection of the information;

audit rights of the transferor; and

obligations of the transferee to notify the company of a potential compromise of the data.

72

Competition enforcement learnings

4. Assess Safeguards

Assess whether the operational, physical and technical safeguards in place, and those of any third parties to which they transfer personal information, are reasonable, in the context of the sensitivity of the information, and the duration of time the information may be kept.

73

Privacy enforcement

Any questions on privacy enforcement?

74

What are the Privacy Commissioner and Courts saying about the security obligation?

75

PIPA Cases … MD Management P2006-IR-005

MD Management offers services to Canadian Medical Association

Laptop with client information is stolen from employee’s car

8,000 individual’s records

Only standard password login security / no encryption

Permits 5 attempts in 24 hour period

Employee notifies police and employer

OIPC Assesses if MD Management made adequate security arrangements

Duty is to provide reasonable security

OIPC Assesses precautions …

76

PIPA Cases … Laptop Policy examined. Requires laptop:

must always be safeguarded from theft

must never be left unattended

must be locked in secure cabinets when leaving the office even if the laptop can be secured to the workstation

must be carried on the plane when traveling

must never be left unattended in a car or hotel room etc.

MD Management trains staff on policy

Also had technical defensive measures in place

Password secure pre-configured by IT Dept.

Users to password protect files – not done in this case

Encryption on part of disk – but not used in this case

Employee found to have violated the policy

77

PIPA Cases … OIPC assess if reasonable security measures were taken considering:

if the security risk was foreseeable

likelihood of damages occurring

Seriousness of the harm

Cost of preventive measures

Relevant standards of practice

78

PIPA Cases … Here OIPC find:

Risk to a laptop in a case is well known

High likelihood of damages

Harm could be fraud or identity theft

Protective measures – minimal cost / encryption / file level passwords

Standards suggest encryption

MD Management responsible for the employee, violated duty to safeguard the personal information in its custody

79

PIPA Cases … Linen’s & Things (LNT) P2005-IR-001

Edmonton Police notify OIPC located retailers documents containing customer information during a police investigation

Found return receipts, names, phone numbers, purchase info, etc.

Some records with credit card numbers, some not

Investigation reveals many receipts found in a dumpster

OIPC assesses if proper safeguards in place

80

PIPA Cases … OIPC review LNT return procedures

Identify flaw that thermal POS receipt printed out credit card number

Copies of receipts locked up, access limited to manager

Manager only can reconcile transactions

Manager only to do return transactions

However, store did not safeguard records through their lifecycle

OIPC conclude that the organization failed to properly dispose of sensitive customer information by permitting them to be placed in a garbage bin without being securely shredded

81

PIPA Cases … Linen’s & Things changes its practices

1. All return receipts are placed in locked cabinets at each day’s end and logged.

2. At each month end, that month’s logged return receipts are segregated and placed in a locked cabinet.

3. At each month end, the records that are 90 days old are placed in a sub-contractor’s secured box for shredding by a secure, bonded shredding company and destroyed. The destruction is also to be logged.

4. Store manager level authorization is required to access any records which are locked in secure storage.

5. At any point in time, the records for a particular day can be accounted for as being either in specific storage or as having been destroyed.

6. LNT formally appointed a Privacy Officer accountable for the personal information handling practices for LNT.

7. LNT has initiated an internal audit of all of its personal information handling practices and will revise its policies and procedures as required.

82

PIPA Cases … Edmonton Public School District F2012-IR-01

USB memory stick used to save files when reimaging a hard drive

USB stick is lost

Records of over 7,000 employee files

2,826 individuals file contained personal information including SIN, drivers license details, etc.

Not password protected, not encrypted

Lock down drill during period when USB stick is lost

OIPC investigates

School policy not to store data on a local hard drive

School notified employees

83

PIPA Cases … OPIC assesses whether reasonable security measures were taken

Reasonable does not mean perfect

Here sensitivity of the personal information is high

OIPC studies School policy – not followed in this case

School believes USB lost in the secure part of the building

but USB stick is mobile, not password protected, no encryption

Find School failed to protect the personal information as required by law

84

PIPEDA Cases … PIPEDA Case #2003-232

Employee of a nuclear facility complained that his employer was requiring employees to provide personal information of spouses for the purpose of a security clearance check without the spouse's consent e.g. not voluntary

CPC assess if collecting such information is reasonable

Special security concerns of nuclear plant suggest background checks on staff are reasonable

Issue – requirement to get the spouse’s consent?

CPC assumed that spouses have intimate knowledge of each other, share common goals, income and expenses

it would be inappropriate to not conduct an investigation into the background of the current spouse or partner

a reasonable person would likely view the collection of spousal information to be appropriate

85

PIPEDA Cases …

PIPEDA Case #2003-232

CPC found that it would not be appropriate for the company to obtain separate consent

The onus is on the employee to discuss the matter with the spouse or partner and seek consent

Should the spouse not agree, the employee would need to review their options, such as seeking alternative employment

86

PIPEDA Cases … PIPEDA Case #2004-264

Employee complaints about picture on a swipe card & digital cameras in the workplace

Here workplace evidence of health & safety incidents justify enhanced security measures

CPC company has clearly demonstrated a need to enhance the safety and security of staff and visitors to the worksite, to reduce vandalism and damage to property, and to manage the risk of liability claims

Reasonable person would find such appropriate

Company advises & educates staff

Complaint about swipe card not well founded

87

PIPEDA Cases … PIPEDA Case #2004-264

CPC found supervisor showing pictures to other staff unnecessarily

That complaint was upheld

CPC find digital cameras purpose is not to collect personal information

not trained on work areas,

no intent to use cameras to manage the productivity of employees

no reasonable expectation of privacy at entrance/exit areas

not necessary that the company obtain employee consent to the collection of any personal information recorded by the cameras

88

What is adequate security? PIPEDA Report 2019-1 (Equifax)

Equifax Inc. / Equifax Canada Co. hacked in 2017

About 143 million individual’s information compromised

Includes 19,000 Canadian’s credit reports, contact information and SINs

Equifax Inc. and Equifax Canada separately collect personal information from customers

Equifax Inc. collected personal information directly to facilitate delivery of products in Canada

Security frameworks highly integrated

CPC investigates the adequacy of the security safeguards, reports

Attackers gained access from a known vulnerability in the Apache Strut software platform supporting an online dispute portal

Notice of patch March 8, 2017

Attack occurred May 13, 2017 (over 2 month delay)

Attack detected July 29, 2017 and contained the next day

89

What is adequate security?

CPC attack highlights unacceptable deficiencies in Equifax’s security program

1. Inadequate vulnerability management

2. Inadequate network segregation

3. Inadequate basic information security practices

90

Inadequate vulnerability management

Must have adequate systems in place to address known vulnerabilities in all internet facing platforms, operating systems and applications

Must accurately and quickly identify vulnerabilities in need of correction

Must implement fixes to correct vulnerabilities promptly

Must verify that vulnerabilities have been fixed

Here no mechanism to automatically patch known vulnerability

91

Inadequate network segregation

Attackers able to access information in hundreds of databases out side the breached server

CPC: Organizations should institute network segregation that meaningfully segregates databases containing information based on sensitivity and function of the personal information

Here, firewalls between databases were inadequate to separate the databases as they allowed a broad range of data to flow between them

Canadian data should have been fully segregated from the online dispute portal available only for the US

92

Inadequate basic information security practices

Equifax had tripled its spend on IT security between 2014 to 2017

CPC: Clear disconnect between policies and practices in a range of security domains

Clear that Equifax’s security program had critical gaps and that oversight mechanisms were inadequate

Since the attack Equifax took numerous steps to improve its security program

93

Retention … PIPEDA requires that once personal information is no longer required by an organization to fulfill identified purposes, it should be destroyed, erased or made anonymous and all organizations must develop guidelines (and implement actual procedures) to govern the destruction of personal information.

Equifax’s Global Retention Policy required the personal information of 8,000 Canadians should have been deleted either after five years (for account registration information), two years (for other account information), or after one year (for credit reports and alerts contained in the GCS) respectively.

In reality, there was no process in place to delete Canadian personal information in compliance with this policy.

No Canadian personal information had been deleted since at least 2010.

94

Retention …

CPC found that no one at Equifax seemed able to identify who the record owner was for personal information held in the GCS databases or even the name of the person at Equifax responsible for the compliance functions described in the retention policy.

Note the importance of data retention and destruction practices at the corporate level (the less data held, the less will be exposed in the event of a breach), as well emphasizing the need for proper employee training and verified compliance monitoring for policies of this nature.

95

Accountability … PIPEDA’s accountability principle requires an organization remains responsible for personal information under its control (including information that has been transferred to a third party for processing) and must use contractual or other means to provide a comparable level of protection while the information is being processed by the third party.

Equifax handled payments made by Canadians who purchased fraud alert services on their Equifax Canada credit card file and Canadians interested in obtaining direct-to- consumer products were directed to apply to the GCS system, hosted in the U.S.

Both companies tried to argue that Canadian consumers knew that they were contracting separately with ECS, rather than Equifax Canada.

However, the application process took place on the Equifax.ca webpages and Equifax Canada’s terms of use asserted that the products and product features available via its website were provided by Equifax Canada.

96

Accountability … At the time of the breach, the Equifax Canada CPO did not have such controls in place (including any formal written arrangement with Equifax that spelled out the specific rules, regulations and standards that need to be complied with in the handling of personal information, information security obligations, acceptable uses of the information, retention and destruction obligations, or reporting and oversight arrangements) nor were there any basic accountability controls.

CPC identified that “as Equifax Canada is the controller for this personal information,” Equifax Canada’s designed privacy officer is accountable for the personal information, wherever it is held or processed.

CPC expects organizations to take further measures to assess the security of Canadian personal information held by third parties and ensure any necessary corrective measures are undertaken in a timely way.

97

Mitigation … PIPEDA requires organizations to undertake appropriate mitigation measures to protect against future unauthorized use of personal information.

Here the Equifax Canada CPO was not notified by Equifax of the breach until hours before Equifax itself went public on September 7, 2017, despite the involvement of Canadian data.

The companies did not coordinate in the initial breach notification to affected Canadians, with the first letter to them inviting them access credit monitoring through a portal that did not actually allow access and was set up for Equifax customers only.

CPC was unimpressed that initially Canadians were only offered one year of free credit monitoring versus their U.S. counterparts (this was eventually changed to four years in total).

Canadian customers never did receive access to the ‘Lock & Alert’ credit freeze service provided to U.S. consumers that would have allowed them to lock and unlock their credit file on demand.

98

Consent … CPC said that Equifax Canada should have obtained valid express consent of Canadians before disclosing personal information across the border to Equifax (given the sensitive nature of the financial data involved and that individuals would not have reasonably expected their data to be transferred to a third party outside of Canada).

Historically a transfer for processing is a "use" of the information, not a disclosure. If the information is being used for the purpose it was originally collected, additional consent for the transfer is not required; it is sufficient for organizations to be transparent about their personal information handling practices. This includes advising Canadians that their personal information may be sent to another jurisdiction for processing and that while the information is in another jurisdiction it may be accessed by the courts, law enforcement and national security authorities. 

In this case, presumably due to the active roles of each Equifax and Equifax Canada collecting personal information a higher consent standard was required.

99

Equifax summary learnings

CPC gave specific guidance on the requirements to meet the security standard under PIPEDA.

Security policies must not only be able to address current vulnerabilities and threats but must be implemented.

The case highlights the importance of thoughtful assessment of cross-border arrangements where parties share personal information.

100

Joint investigation of Facebook CPB and BC OIPC investigation - PIPEDA Report of Findings #2019-002

Complaint about Facebook’s disclosure of the personal information of its users to 3rd party application information that was later used by 3rd parties for targeted political messaging.

Three issues:

1. consent of users,

2. safeguards against unauthorized access, use and disclosure, and

3. accountability for the information under Facebook’s control.

101

Joint investigation of Facebook

Consent of users

Facebook relied on apps to provide consent from users for its disclosure to those apps. but Facebook could not demonstrate that:

1. the 3rd party app actually obtained meaningful consent for its purposes, or

2. Facebook made reasonable efforts to ensure that the 3rd party app was obtaining meaningful consent.

102

Joint investigation of Facebook

Safeguard against unauthorized access, use and disclosure

Facebook relied on contractual terms with apps to protect user information

But Facebook’s monitoring of those terms was reactive and ineffective

Facebook could not show any enforcement action on those terms

103

Joint investigation of Facebook

Accountability for the information under Facebook’s control

Facebook did not take responsibility to provide real and meaningful effect to privacy protection of users

Facebook abdicated any responsibility for the personal information under its control

Facebook’s security safeguards were superficial and ineffective

104

PIPA & PIPEDA Cases

We will see more cases in the data breach lecture

Any questions on how the Commissioners review the security obligation?

105

Breach Notification Notification can be an important means of risk mitigation

Effort to communicate to individuals affected by a breach

Empower customers to protect themselves

Can mitigate reputational impact

Important to provide first stage of remediation

Mandatory in Alberta since 2010 under PIPA

Mandatory nationally under PIPEDA as of November 1, 2018

We will examine these notification rules in more detail in the data breaches session

106

Access Requests and Complaints

107

PIPA Complaint Process Mediation

Review & Investigation

Commissioner’s Orders (PIPA)

Access to Records

Correction of Records

Organization to stop collecting, using, or disclosing personal information

Destruction of Records

Audits

Fines for certain activities of up to $10,000 for Individuals, $100,000 for Organizations

108

Complaint escalation … Complaint Handling Process

Internal process

Process by the organization

Verify identity and authority of requesting person

Verify scope of request

Respond as applicable in the circumstances

Escalation

Internal escalation in the organization?

Privacy Commissioner

Court process

109

PIPA Complaint Process

An individual has a right to ask the Commissioner to review an organization’s decisions, conduct or response

Individual has to exhaust other available processes

Complaint of the organization’s decision must be filed with Commissioner within 30 days of decision

Extension is possible

Commissioner may provide copy of complaint to the organization or others

110

PIPA Complaint Process

Commissioner has very broad powers to conduct investigations or inquiries

Power to examine records - even those not subject to PIPA

An organization is obligated to produce any records notwithstanding any other enactment or any privilege of the law of evidence

111

PIPA Complaint Process PIPA provides for mediation to seek to settle the complaint

If not settled, Commissioner may conduct an inquiry

All parties notified of the inquiry may make representations

May be represented by legal counsel

Inquiry to be concluded within 90 days from receipt of complaint

Burden of proof on the organization to justify a refusal to provide access or information on collection, use or disclosure

112

PIPA Complaint Process Commissioner resolves complaint by making an order

The commissioner has broad order making power including, in case of an access request:

require organization to provide access

confirm decision of the organization

require the organization to reconsider its decision

require the organization to refuse access

The order is final.

Judicial review application within 45 days 113

PIPA Complaint Process

Any questions on the complaint process generally?

114

Access Right

115

Access Right

Individuals have a general right to request access to their personal information, subject to some exceptions

Requests for access can also be made by:

Mature minors who understand the consequences of exercising a right of access

Legal guardians of minors

Personal representative of a deceased person, if related to the administration of their estate

116

What can they ask for?

An individual’s personal information that is under the custody or control of the organization – s.24(1)(a)

The purposes for which this information has been and is being used – s.24(1)(b)

The names of the persons to whom and the circumstances in which this information has been and is being disclosed – s.24(1)(c)

Response by the organization must consider what is reasonable

Must provide a written request with sufficient detail to enable the organization, using a reasonable effort, to identify the information pertaining to the request

117

How are requests made? Requests must be in writing – s.26

OIPC expects organizations to reasonably assist applicants who are unable to make a written request

If applicant refuses but is able to put in writing, organization does not have to respond

May respond to a verbal or e-mail request but organizations have an obligation to ensure that any personal information disclosed is disclosed only to a person authorized to request it

Applicant must give enough information to allow the relevant information to be found but is not required to state why they want it.

118

Issues the organization should consider Access issues:

authority of person requesting access

requirement for formal written request

signature/customer account number/password

identification if in person

ease of retrieval of personal information

specificity of the information requested

fee

obligation to retain or destroy/dispose of information

loss of data

119

Can the request be ignored?

Is the request repetitious, frivolous or vexatious in nature?

Is there a mechanism to permit the organization to disregard the request?

PIPA s.37 allows an application to the Commissioner for authority to disregard

What does the organization’s Privacy Policy say?

120

Fees A reasonable fee may be charged to applicant –s.32

No fees allowed for a correction request, or for providing access to personal employee information

Must provide a detailed estimate of fees before providing the service

Reasonable fees can mean:

Flat fee

“Per page” copying fee

Actual cost to retrieve records from off-site storage

Minimum or clerical wage for time taken to retrieve and respond

121

Time to respond? 45 - day time limit to respond from date of receiving the request [PIPEDA: 30 days] (s.31)

Can extend for another 30 days, or longer with Commissioner’s permission, if:

Not enough detail to identify records or personal information

Large amount is requested or must be searched

45 day limit unreasonably interferes with operations

Need to consult with another organization or public body to determine whether or not to give access to requested personal information or record

122

Extensions?

If time period is extended, the applicant must be told:

The reason for the extension

When they can expect a response

That they may ask the Commissioner to review whether the extension is reasonable

Decide quickly how long a response will take you, and be sure you can justify an extended time period if you select it

123

Exceptions to the Access Right Organizations may refuse to provide access to personal information that:

Is subject to a legal privilege

Solicitor-client privilege

Litigation privilege

Reveals confidential commercial information

Was collected for an investigation or legal proceeding

Might result in that kind of information no longer being provided to the organization

Was collected or created in the course of an arbitration or mediation

Relates to or may be used in the exercise of prosecutorial discretion

124

Exceptions to the Access Right Legal privilege” falls into two classes:

relating to direct communications passing between the client and the lawyer (solicitor-client)

concerning confidential communications with third parties relating to an action in place or a prospective action. (litigation)

Solicitor - Client Privilege

Generally speaking, 3 conditions:

1. the communication is intended to be confidential

2. the communication is for the purpose of seeking or giving legal advice

3. the communication is between a lawyer and client

125

Exceptions to the Access Right

Litigation Privilege

Communication with a third party

The person who authorized the creation of the record intended for it to remain confidential

If prepared by a lawyer, then lawyer’s intention governs even if lawyer authorized by another

The dominant purpose for the creation of the record was to submit it to a legal advisor for advice and use in existing or reasonably contemplated prospect of litigation

126

Exceptions to the Access Right

An organization may refuse to give access to a record if the information was collected for an investigation or legal proceeding

Important for security investigations!

127

Practical considerations in an investigation

Document being prepared in respect of an investigation or legal proceeding, existing or contemplated - clearly marked as such on the document

At document creation, investigations of employee / third party behaviour or performance should be clearly stated as the purpose on any document to prevent debate about intention if these documents are the subject of an access request or complaint

128

Exceptions to the Access Right Organizations must refuse to provide access to personal information where:

The disclosure could reasonably be expected to threaten the life or security of another individual

Personal information about another individual would be revealed

The identity of an individual who provided a confidential opinion about another individual would be revealed, and the opinion provider does not consent to the revealing of their identity

129

Exceptions to the Access Right

Records may be stripped of information that an organization cannot or will not disclose

Burden is on the organization to show that the information and records not disclosed meet one of the exceptions.

130

What should be in a response? Whether the applicant is entitled to everything that they requested

Whether or not all or part of the records containing the applicant’s personal information will be provided

When access will be given

Reasons for refusing access to some records, and the sections of PIPA authorizing the refusal

Name of a person in the organization the applicant can speak to about any refusal

Advisory to applicant that they may ask the Commissioner to review the decision of the organization

131

Severing records …

Where part of the information on a record may or must be withheld, an organization may sever that information, and disclose the rest.

Keep a copy of the original unsevered document, as well as a copy of the document as disclosed to the applicant

On the copy of the document as severed, write down the sections of PIPA used as authority to sever

132

Key questions to ask

Which jurisdiction applies? Which of the federal or provincial acts apply?

Does the individual requesting access have a right of access?

Is the information requested “personal information”?

What are the time lines to respond to the request?

133

Responding considerations In what form of record is the information contained (i.e. paper or electronic)? How will the individual be provided access? Will they receive a copy or be able to review the file itself?

Will the information need to be converted into a paper copy or translated?

Why was the information collected? What was the purpose for its use? To whom has the personal information been disclosed and under what circumstances?

Have you removed any information that you must not provide or may not be required to provide? Can you prove that you redacted information meets the criteria?

Does the response from the organization provide the specific information which is required to be provided to the individual under the legislation?

134

Can you prove it? At an inquiry into a decision under which an individual was refused

(a) access to all or part of the personal information about the individual or a record relating to the information, or

(b) information respecting the collection, use or disclosure of personal information about the individual,

it is up to the organization to establish to the satisfaction of the Commissioner that the individual has no right of access to the personal information about the individual or no right to the information requested respecting the collection, use or disclosure of the personal information about the individual.

135

PIPEDA Case #2017-009 The complainant was denied transportation on an airline flight

On the day of departure, officials responsible for screening passengers determined that the complainant was lacking appropriate documentation, and advised the airline to prohibit the complainant from boarding the aircraft.

Some months later, the complainant received a letter from the airline confirming that the airline tickets would not be reimbursed as having the appropriate travel documentation was the responsibility of the passenger.

The airline stated that “officials present at the airport for the purpose of screening passengers determined that [the complainant] was apparently lacking appropriate documentation, and consequently advised the airline to deny [the complainant] boarding.”

The airline advised that it must “strongly consider this expert advice failing which it risks incurring liability for improperly documented arriving passengers.”

136

PIPEDA Case #2017-009 The complainant submitted an access request to the respondent for his complete Passenger Name Record (PNR) and/or PNR history; and documents and/or notes and/or correspondence internally and/or with third parties relating to the airline denying him transportation.

The Airline acknowledged receipt of the request and advised a response would be provided within the next 30 days.

The Airline provided the complainant with a copy of all records under the airline’s booking reference number including an interception report.

The complainant believed the information received to be incomplete and submitted a complaint to the Office of the Privacy Commissioner regarding the airline’s refusal to respond to his access request, specifically pertaining to the access request related to all documents exchanged with third parties on the day of the incident.

137

PIPEDA Case #2017-009 The airline responded to CPC and claimed it would not be able to provide any documents, notes and correspondences internally and/or with third parties relating to the complainant being denied transportation due to s. 7(1)(b) and 7(3)(c.1)(ii) of PIPEDA.

s. 7(1)(b)- an organization may collect personal information without the knowledge or consent of the individual only if it is reasonable to expect that the collection with the knowledge or consent of the individual would compromise the availability or the accuracy of the information and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province.

s. 7(3)(c.1)(ii) - an organization is not required to give access to personal information if the information was collected under s. 7(1)(b).

The CPC investigated. 138

PIPEDA Case #2017-009

On the day of the incident, officials determined that the complainant lacked appropriate documentation required for entry into the country.

The information was collected in order to investigate potential non-compliance to the Immigration and Refugee Protection Act and a recommendation by the government provided to the airline to disallow boarding of the complainant.

The airline asked the government agency if they could disclose this information.

The agency said no.

139

PIPEDA Case #2017-009 CPC: The exemption s. 7(1)(b) applied in this case and so the complainant’s consent was not required for the collection.

Since the complainant’s personal information was collected in order to assess his travel status, CPC found it reasonable to expect that if the complainant had known the purpose for which his personal information was to be collected, the true exchange of information between the complainant and the government institution could have been compromised.

Ultimately, international airline organization have a responsibility to ensure the accuracy of all travel information and documents.

There was no disclosure as the airline disclosed the complainant’s personal information within the exemption to consent parameters of s. 7(3)(c.1)(ii).

Specifically, the airline disclosed the complainant’s personal information to a government institution that was investigating and gathering intelligence for the purpose of enforcing the Immigration and Refugee Protection Act.

140

PIPEDA Case #2017-009 S 9(2.1) to 9(2.4) set out a scheme that organizations must respect when individuals seek information regarding disclosures of information made under s.7(3)(c.1)(ii).

The purpose of the scheme is to protect the integrity of lawful investigations.

Accordingly, where an individual seeks either: (a) to be informed about a disclosure to which these provisions apply or the existence of any information that the organization has relating to such a disclosure, or (b) access to such information itself, then the organization has an obligation to follow the process set out under s. 9(2.2).

This provision requires the organization, where it has made a disclosure to a government institution or a part of it, to ask the institution whether it objects to the disclosure of the information sought on certain grounds.

If the government institution objects, then the organization becomes subject to s. 9(2.4), which require refusing the request, informing CPC, and not disclosing any of the information.

CPC finds the airline was limited in the manner it could respond to the complainant’s request for information, in accordance with s. 9(2.4).

Specifically, under s. 9(2.4)(c), all the information the airline had, namely, the complainant’s personal information, was related to the disclosure to the government institution, which it was prevented from disclosing pursuant to s. 9(2.4)(a).

141

Privacy resources Federal Privacy Commissioner’s web site http://www.privcom.gc.ca/ index_e.asp

E-Kit for Business http://www.privcom.gc.ca/ekit/ekit_e.asp

Alberta FOIP web site http://www3.gov.ab.ca/foip/

Alberta Office of the Information and Privacy Commissioner

http://www.oipc.ab.ca/

Alberta PSP web page and resource links http://www.psp.gov.ab.ca/

142

Access Requests and Complaints

Questions?

143

Privacy

Any final questions?

144