International perspectives and lessons learned, as Canada now starts to deal with breach notification laws. Part of a panel presentation at the IAPP Canadian Privacy Summit, May 26-28, in Toronto, Canada (pre-conference seminar).

1. International Perspective: Lessons LearnedIAPP Canada Privacy Summit Pre-conference Constantine Karbaliotis Data Protection & Privacy Lead

2. US Experiences: Legislative Overview Data or security breach legislation has been a fact of life in the US since 2002: California first in 2002 Subsequently 44 more US states have passed mandatory breach notification legislation Key requirement in HITECH/HIPAA legislation Massachusetts Data Protection Law Lessons Learned: Data Breach 2

3. Common Elements Triggered if there is a breach of a data security; and A consumer’s personal information is implicated Not all breaches trigger notification Consider definition of personal information: Typically is meant to address name plus data such as social insurance/security number, credit card or banking data – what facilitates identity theft or fraud Also includes medical information, as well as health insurance information under certain states laws Some state laws apply even if there is simply a reasonable belief that there was an acquisition of data Direct notice is typically required, though substitute notice is permitted in certain instances Lessons Learned: Data Breach 3

4. Issues to Consider Encryption – is it effective to avoid notice requirement? Electronic v. non-electronic data Alaska, Hawaii, Indiana, Massachusetts, North Carolina, and Wisconsin include non-electronic records loss Who else must notice be given to? Typically the Attorney-General of each state What is form of notice? Is notice required if there is no likelihood of identity theft? Thresholds – size of breach Lessons Learned: Data Breach 4

5. Logistical Issues Managing notification is often beyond the capability of most organizations First challenge: Mailing the notice It may be possible to handle internally if breach is small Mass mailing requirement is difficult to address if numbers affected are significant Even if organizations operate call centres, these are rarely equipped to address the kinds of questions arising from a data breach Scripting responses takes time Must consider experience and nature of inquiries typically handled by your call centre Lessons Learned: Data Breach 5

6. Law Enforcement Must consider whether law enforcement is to be notified – may not be required for ‘loss’ situation, but definitely will be for theft/hack Typically law enforcement is not experienced enough yet to understand gravity (and consequences) of data breach scenarios so it will be important to provide both to investigators Typically will not want notification prior to investigation, so best to in difficult case involve law enforcement and regulator directly and together Sometimes need to chase investigation down – thefts are common occurrence and they tend to all blur together Must consider who needs to involve law enforcement – can get delicate if the breach arises with a vendor in a different country who may be the only one who can file a complaint Lessons Learned: Data Breach 6

7. Notification to Regulator/Attorney General Notification must follow standards set out in regulation Important to be accurate about notification, and timely In US, always leads to public notification even if breach is small Nonetheless, do not overlook jurisdictions merely because only a few individuals from them are involved Lessons Learned: Data Breach 7

8. Response to a Breach It is becoming a truism that it is not that you’ve had a breach – everyone eventually will – it’s how you respond to it Vitally important that you not cut too fine a line in ‘distinguishing’ in treatment of customers simply because of jurisdiction Be careful to ensure accuracy in reporting on the details of what has happened, especially if still investigating Requirement under most laws to describe how you are taking steps to remediate/prevent recurrence Consider what steps you will take to help prevent harm to your customers – credit monitoring or credit protection services for example – as this will tend to colour how people respond to your breach more than the breach itself Lessons Learned: Data Breach 8

9. Organizational Capability Breach experience in US highlights need to have organized response ahead of a breach Must involve multi-disciplinary group: Privacy Information Security Legal Department Public Relations/Communications Human Resources Government Relations Having a documented breach response plan and capability will be one of the critical elements in how regulators assess you in terms of your response Lessons Learned: Data Breach 9

10. Lessons Learned: Data Breach 10 Constantine Karbaliotis, J.D., CIPP/C/IT constantine_karbaliotis@symantec.com 416.402.9873