Discusses issues that arise in organizations when faced with a privacy breach. Compares attitude and approach of organizations with those of privacy regulators.
Privacy Breaches - The Private Sector Perspective
1. Privacy Breaches – The Private Sector Perspective
Mark S. Hayes
Blake, Cassels & Graydon LLP
PIPA Conference 2008
Calgary, Alberta
November 17, 2008
2. Summary
• Privacy breaches are messy
• Organization responses to privacy breaches are not models of efficiency and logic
• IPCs can assist organizations, but only if assistance is not viewed as a threat
• If in doubt, do no (more) harm!
3. Breach Guidelines
• Current guidelines are useful and reasonably practical
• Four-step response plan is a good general guide
• Completely agree with Catherine’s “Things You Wish You’d Done”
– Everything is much easier if proper steps are taken in advance
4. Breach Notification
• Similarly, advice in documents like B.C.’s “Key Steps For Responding To Privacy Breaches” is of assistance in deciding whether and how to notify
• With minor exceptions, the latest Industry Canada Breach Notification Model has struck the right balance between protection of the public and knee-jerk reactions that cause more harm than good
5. However…
• All of these guidelines can’t tell people in the trenches what they should do when dealing with a real-life data breach
• Reality of organizations
• Nature of breaches
• Nature of internal responsibilities and responses
6. A Case Study
• Famous Harvard Business Review case study
– Medium-sized retailer told by police it appears to be the common point of purchase for a large number of fraudulent credit card transactions
– Not clear if the company and its (less than airtight) IT systems are the cause of the apparent data breach
– Customers have come to respect the firm for its straight talk and square deals
– Law enforcement wants them to stay quiet for now
– Reputation at stake; path to preserving it difficult to see
7. Experts' Advice
• James E. Lee, ChoicePoint
– Advises early and frank external and internal communications, elimination of security weaknesses, and development of a brand-restoration strategy
• Bill Boni, Motorola
– Stresses prevention: comprehensive risk management, full compliance with PCI standards, putting digital experts on staff, consulting an established model response plan, and preserving the firm's reputation
• John Philip Coghlan, formerly of Visa USA
– Recommends swift disclosure to empower consumers to protect themselves against further fraud; might even enhance the company's reputation for honesty
• Jay Foley, Identity Theft Resource Center
– Recommends quality of communication over speed of delivery; cautious management to prevent data thefts and long-term negative consequences
8. The Conundrum
• All of this may be good advice, but it is not identical and is sometimes conflicting
– Typical when an organization discovers that it might have experienced a data breach
– Organization often gets much advice and guidance, but no clear answers
• Want to discuss responses to data breaches in the real world
9. The Real World – Pre-Breach
• Privacy often seen as a small and relatively unimportant compliance requirement
– Not core to the organization
– Handled at a middle management level with periodic reporting to senior management
– Compliance with privacy requirements is the focus
• Most organizations have at most one serious data breach
– Only a breach focuses senior management on privacy
10. The Real World – Dealing With A Breach
• Data breaches are really, really messy
– Incomplete or incorrect information
– Time and resource pressures
– Confusing and contradictory internal and external priorities and policies
– Poor internal coordination of response
– Poor communications
• Often no organized response team or list of internal and external contacts and back-ups
• Fear!
11. The Real World – Dealing With A Breach
• Multiple risk management priorities
– While organizations have concerns about individuals affected by data breaches, they are also concerned about organizational risk
– Many other risk management priorities in addition to privacy and damage to individuals
– Risk emphasis may depend on the locus of privacy compliance management
• Personal view of the elephant
12. The Real World – Dealing With A Breach
• Lack of authority (or interest) to respond without senior management approval
• Confusion about responsibility for security as opposed to privacy
– Especially true for IT security
– CPO may have little knowledge of, or influence on, IT security procedures, even in an urgent situation
• Most often internal resources are not sufficient
– Obtaining expert assistance takes time and money; often both are in short supply
13. The Real World – Dealing With A Breach
• Many data breaches involve more than one organization
• Ability to investigate and respond to a breach is not solely in the control of the organization
– Service providers
– Subsidiaries and affiliates
– Business partners (e.g. credit card issuers)
• Contracts may not allow the organization to control how to deal with the breach, even though it may have most of the risk and responsibility
• Internal resources and priorities at other organizations may conflict
14. Why Does This Matter?
• Policy makers and regulators should be sensitive to organizational dynamics
– Organizations are not monoliths, but individuals who are sometimes struggling
• Guidelines are useful, but as a starting point only
– “Take reasonable steps” does not provide much assistance in the middle of a tornado
• Each situation must be understood on the basis of the dynamics of the organization
15. Why Does This Matter?
• Regulators must often try to support the CPO
• Usually a friend of privacy, but often caught amongst many competing interests
– Board of directors
– Senior management
– Other employees
– Customers
– Investors
– Outside advisors
– Media
16. Why Does This Matter?
• Regulators must understand the role fear and distrust play in their relationship with organizations
– New people are often involved in data breach response
• Especially applicable to the decision to notify the regulator about data breaches
– Concern that disclosure will create liability
– Concern about access to information requests
• If compulsory notification is instituted, organizations must have assurances about the potential uses of the information
17. Do No (More) Harm
• Bottom line for organizations and regulators
• While quick action is required, any action before the facts are known can make things worse
– Must avoid making the response to privacy breaches part of the problem
• Understanding of the risks resulting from a breach is crucial, but can take some time
• While guidelines are useful, there are very few “hard and fast” rules that will apply in all situations