1. Privacy Breaches – The Private Sector Perspective
OBA, June 8, 2009
Mark S. Hayes
Partner, Hayes eLaw LLP
2. Summary
• Privacy breaches are messy
• Organization responses to privacy breaches are not models of efficiency and logic
• IPCs can assist organizations, but only if assistance is not viewed as a threat
• If in doubt, do no (more) harm!
3. Breach Guidelines
• Current guidelines are useful and reasonably practical
• Four step response plan is a good general guide
• Everything is much easier if proper steps are taken in advance
4. Breach Notification
• Similarly, advice in documents like B.C.’s “Key Steps For Responding To Privacy Breaches” is of assistance in deciding whether and how to notify
• With minor exceptions, the latest Industry Canada Breach Notification Model has struck the right balance between protection of the public and knee-jerk reactions that cause more harm than good
5. However…
• All of these guidelines can’t tell people in the trenches what they should do when dealing with a real-life data breach
• Reality of organizations
• Nature of breaches
• Nature of internal responsibilities and responses
6. A Case Study
• Famous Harvard Business Review case study
– Medium-sized retailer told by police it appears to be the common point of purchase for a large number of fraudulent credit card transactions
– Not clear if the company and its (less than airtight) IT systems are the cause of the apparent data breach
– Customers have come to respect the firm for its straight talk and square deals
– Law enforcement wants them to stay quiet for now
– Reputation at stake; path to preserving it difficult to see
7. Experts’ Advice
• James E. Lee, ChoicePoint
– Advises early and frank external and internal communications, elimination of security weaknesses, and development of a brand-restoration strategy
• Bill Boni, Motorola
– Stresses prevention: comprehensive risk management, full compliance with PCI standards, putting digital experts on staff, consulting an established model response plan and making preserving the firm’s reputation
• John Philip Coghlan, formerly of Visa USA
– Recommends swift disclosure to empower consumers to protect themselves against further fraud; might even enhance the company’s reputation for honesty
• Jay Foley, Identity Theft Resource Center
– Recommends quality of communication over speed of delivery; cautious management to prevent data thefts and long-term negative consequences
8. The Conundrum
• All of this may be good advice, but it is not identical and is sometimes conflicting
– Typical when an organization discovers that it might have experienced a data breach
– Organization often gets much advice and guidance, but no clear answers
• Want to discuss responses to data breaches in the real world
9. The Real World – Pre-Breach
• Privacy often seen as a small and relatively unimportant compliance requirement
– Not core to the organization
– Handled at a middle management level with periodic reporting to senior management
– Compliance with privacy requirements is the focus
• Most organizations experience no more than one serious data breach
– Only an actual breach focuses senior management on privacy
10. The Real World – Dealing With A Breach
• Data breaches are really, really messy
– Incomplete or incorrect information
– Time and resource pressures
– Confusing and contradictory internal and external priorities and policies
– Poor internal coordination of response
– Poor communications
• Often no organized response team or list of internal and external contacts and back-ups
• Fear!
11. The Real World – Dealing With A Breach
• Multiple risk management priorities
– While organizations have concerns about individuals affected by data breaches, they are also concerned about organizational risk
– Many other risk management priorities in addition to privacy and damage to individuals
– Risk emphasis may depend on the locus of privacy compliance management
• Personal view of the elephant
12. The Real World – Dealing With A Breach
• Lack of authority (or interest) to respond without senior management approval
• Confusion about responsibility for security as opposed to privacy
– Especially true for IT security
– CPO may have little knowledge of, or influence on, IT security procedures, even in an urgent situation
• Most often internal resources are not sufficient
– Obtaining expert assistance takes time and money; often both are in short supply
13. The Real World – Dealing With A Breach
• Many data breaches involve more than one organization
• Ability to investigate and respond to a breach is not solely in the control of the organization
– Service providers
– Subsidiaries and affiliates
– Business partners (e.g. credit card issuers)
• Contracts may not allow the organization to control how to deal with the breach, even though it may carry most of the risk and responsibility
• Internal resources and priorities at other organizations may conflict
14. Why Does This Matter?
• Policy makers and regulators should be sensitive to organizational dynamics
– Organizations are not monoliths, but individuals who are sometimes struggling
• Guidelines are useful, but a starting point only
– “Take reasonable steps” does not provide much assistance in the middle of a tornado
• Each situation must be understood on the basis of the dynamics of the organization
15. Why Does This Matter?
• Regulators must try to support the CPO
• Usually a friend of privacy but often caught amongst many competing interests
– Board of directors
– Senior management
– Other employees
– Customers
– Investors
– Outside advisors
– Media
16. Why Does This Matter?
• Regulators must understand the role fear and distrust play in the relationship with organizations
– New people are often involved in data breach response
• Especially applicable to the decision to notify the regulator about data breaches
– Concern that disclosure will create liability
– Concern about access to information requests
• If compulsory notification is instituted, organizations must have assurances about the potential uses of the information
17. Do No (More) Harm
• Bottom line for organizations and regulators
• While quick action is required, any action before the facts are known can make things worse
– Must avoid making the response to privacy breaches part of the problem
• Understanding of the risks resulting from a breach is crucial, but can take some time
• While guidelines are useful, there are very few “hard and fast” rules that will apply in all situations
18. Questions?
For a digital copy of these slides, just ask!
mark@hayeselaw.com