Privacy Breaches in Canada – Some Legal and Practical Considerations

                                            Mark S. Hayes1

1. Introduction

It would be largely redundant to expound at length on the increasing prevalence of real
and potential breaches of personal information security.2 Everyone reading this is likely
more than aware that rarely does a week go by without a new story in the media about a
tape going missing, a laptop being stolen or a server being hacked into. In each case,
the personal information of many thousands, or even many millions, of individuals is or
could be compromised and potentially used for a wide variety of nefarious purposes,
including fraud, identity theft, harassment and stalking.3

Similarly, most readers will be very familiar with the potential damage that a privacy
breach can cause to the reputation and business of an organization, not to mention the
costs that can be incurred in investigating and remedying the problem.4

Rather than rehashing the dire warnings that always accompany any discussion about
privacy breaches, this paper will try to summarize the current answers that a legal
advisor might provide to the three questions almost inevitably asked by an organization
that has just suffered a privacy breach. These questions are, in no order of importance:

       • Do we have to tell anyone about this?

       • What the heck5 should I do about this?

       • Can we be liable for this?

1. Partner, Hayes eLaw LLP, Toronto. © Mark S. Hayes, 2009. This article is intended to be a
   general review of law and should not be considered to be legal advice or to create a solicitor-client
   relationship between the author and/or Hayes eLaw LLP and any reader. If you wish further
   information about any of the topics discussed in this article, please consult a lawyer. Any opinions
   expressed in this article are solely those of the author and do not necessarily represent the position
   of Hayes eLaw LLP or any of its clients.
2. Although the terminology is subject to various permutations, this paper will interchangeably use the
   terms “privacy breach,” “security breach” and “data breach” to refer to unauthorized access to or
   alteration of personal information in the possession or control of an organization.
3. See “A Chronology of Data Breaches” compiled by the Privacy Rights Clearinghouse,
   http://www.privacyrights.org/ar/ChronDataBreaches.htm, for a somewhat subjective listing of the
   major privacy breaches that have taken place worldwide.
4. The most recent U.S. estimates of the financial costs to organizations of data breaches found that
   in 2008 the average total cost of a data breach was $6.65 million, up from $6.35 million in 2007 and
   $4.54 in 2005. In 2008, the per-victim cost of a data breach was $202, up from $197 in 2007, and
   from $138 when the study was launched in 2005: see “Costs of a Data Breach: Can You Afford
   $6.65 Million?”, Computerworld, February 4, 2009,
   http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9127376
   (visited April 19, 2009).
5. Other exclamatory words and/or phrases are sometimes substituted.
Privacy Breaches in Canada                                                                     Page |2


Not surprisingly, the answers to each of these questions will in many instances be quite
specific to the organization and its business, as well as the nature of the privacy breach
itself. In addition, the law in this area is developing quickly: the answers outlined
below will be quite different from what a client would have been told a year ago, and
the answers a year from now will quite likely have changed again. Nevertheless,
there are some fundamental principles at work that will continue to be useful even as
some of the details and relevant legislation changes over time.

2. Do I Have To Tell Anyone About This?

Privacy breach notification is a hot button issue. A relatively large number of high profile
privacy breaches have quickly made privacy breach notification one of the first issues
that organizations look to resolve once the possibility of a breach is raised.

Many studies and papers have questioned whether there is any rational basis for
compulsory consumer notification requirements, citing problems with over-notification,
“notice fatigue,” excessive costs of notification compared with relatively small benefits to
consumers, and other issues.6 Most justifications for compulsory notice requirements
concentrate on increasing consumer choice, the comfort that notices allegedly give
consumers and the impact that a requirement to provide consumer notice has on
organizations, generally leading to increased security measures for personal
information.7 The limited empirical evidence that exists about the impact of compulsory
privacy breach notification seems to show that notice does little to prevent or ameliorate
identity theft. A 2008 study by three professors at Carnegie Mellon University found “no
statistically significant effect that [compulsory notification] laws reduce identity theft, even
after considering income, urbanization, strictness of law and interstate commerce” and
that the “maximum effectiveness [of such laws] is inherently limited.”8

Notwithstanding the lack of clear evidence that compulsory breach notification laws have
any real world benefits, most US states have now passed legislation requiring

6. An extensive discussion of these issues is beyond the scope of this paper. Some papers of interest
   include Lenard and Rubin, “An Economic Analysis of Notification Requirements for Data Security
   Breaches,” http://papers.ssrn.com/sol3/papers.cfm?abstract_id=765845 (visited May 23, 2007) and
   Turner, “Towards A Rational Personal Data Breach Notification Regime,”
   http://www.infopolicy.org/pdf/data-breach.pdf (visited May 23, 2007).
7. See, for example, the Canadian Internet Policy and Public Interest Clinic’s publication “Approaches
   To Security Breach Notification,” http://www.cippic.ca/en/bulletin/BreachNotification_9jan07-
   web.pdf (visited May 23, 2007; the “CIPPIC White Paper”), which argues, without any empirical
   evidence, that “There can be no question that, if they are legally obligated to report security
   breaches and thus to incur related reputational and business costs, organizations will be more
   inclined to ensure better security measures and thus to prevent breaches from occurring in the first
   place.” (at page 23). This conclusion ignores the fact that the costs, inconvenience and reputational
   damage to an organization will occur whether or not an organization has been fully diligent in
   providing security for personal information records. Many privacy breaches occur due to
   happenstance and bad luck rather than negligence, but identical costs and risks are visited on
   organizations which take reasonable and appropriate security measures and those that do not.
8. Sasha Romanosky, Rahul Telang, Alessandro Acquisti, “Do Data Breach Disclosure Laws Reduce
   Identity Theft?”, http://weis2008.econinfosec.org/papers/Romanosky.pdf (visited April 19, 2009).


organizations to notify individuals and/or privacy regulators following an unauthorized
disclosure of personal information.9 Canada has not moved as quickly to require
compulsory notification, although, as is discussed below, changes are likely to be on the
way.

(a) Ontario PHIPA

To date, the only Canadian privacy statute that explicitly requires breach notification is
the Ontario Personal Health Information Protection Act (“PHIPA”),10 which states as
follows:

       Notice of loss, etc.

       12 (2) Subject to subsection (3) and subject to the exceptions and additional
       requirements, if any, that are prescribed, a health information custodian that has
       custody or control of personal health information about an individual shall notify
       the individual at the first reasonable opportunity if the information is stolen, lost,
       or accessed by unauthorized persons. ...

There have been no regulations promulgated that limit the extent of the notification
requirement in section 12(2), but the Ontario Information and Privacy Commissioner
(OIPC) has issued three formal Orders and thirty reports dealing with the section 12(2)
obligations, and these resources have somewhat sharpened the contours of the
notification obligation.

In Order HO-004,11 the OIPC dealt with a laptop computer that was stolen from the car of
a physician at the Toronto Hospital for Sick Children. The laptop contained personal
health information of former and current patients of the hospital. The amount of
information relating to each patient varied widely, but some of it was of a very sensitive
nature. The laptop had an 8-digit alphanumeric password, but the data was not
encrypted.

The hospital proactively took the following notification steps:

       • All active patients, that is, those who have been seen at the hospital within
         the last two years, and for which the hospital had current contact information,
         were notified of the incident by way of a written letter from the hospital.




9. See the Perkins Coie “Security Breach Notification Chart,” available at
   http://www.digestiblelaw.com/files/upload/securitybreach.pdf (visited April 19, 2009) for a summary
   of the current U.S. state laws. As of June 24, 2008, the chart shows that 46 states have enacted
   some type of privacy breach notification law. These laws vary widely in their details.
10. S.O. 2004, c. 3, Sch. A.
11. http://www.ipc.on.ca/images/Findings/up-3ho_004.pdf (visited May 24, 2007).


       • Where the information contained on the laptop computer was of a sensitive
         nature, active patients and their families are being notified of the theft in
         person, at clinic appointments.

       • The hospital issued a press release, which was also posted on its Internet
         site.

The OIPC found that the notification steps taken by the hospital satisfied section 12(2).
The OIPC noted that it was probably not advisable in these circumstances to send
notifications to addresses that were more than two years old, since this might cause a
further privacy breach. In addition, when the hospital was aware that an individual whose
personal health information had been on the laptop was deceased, there was no need to
provide notification.

Order HO-00512 involved a situation where the CBC was contacted by an individual who,
much to his surprise, had viewed an image of a toilet in a washroom on his vehicle’s
backup camera monitor while driving by a methadone clinic. A CBC reporter returned to
the area after consulting a security expert and was able, through a wireless connection,
to view a female patient at the clinic while in the washroom. On investigation, the OIPC
determined that the clinic wirelessly monitored patients providing urine samples to
ensure that the samples provided for drug testing emanate from the correct source and
are not tampered with. This practice is in accordance with the Methadone Maintenance
Guidelines published by the College of Physicians and Surgeons of Ontario and other
related guidelines. Patients also provide informed consent by entering into a written
agreement with the Clinic, in which the patient agrees to provide supervised urine
samples for drug screening purposes. After learning of the actual and potential
interception of the images from the washroom, the clinic posted a notice in its waiting
room notifying current patients of the incident and identifying the steps taken to contain
the damage and to prevent this type of incident from occurring again. The OIPC found
that no additional notice was required. Even though former clients may not have become
aware of the waiting room notice, the OIPC was satisfied that, because of the extensive
media coverage of the incident, it was likely that former clients would have become
aware of the incident by way of the media.

The PHIPA decisions on notification of affected individuals are obviously of great interest
generally. However, because the notification provision of PHIPA is compulsory, there is
little discussion in the OIPC PHIPA decisions about whether or not to notify affected
individuals, and far more analysis about what type of notification should be made. As a
result, an organization not subject to compulsory notification requirements must examine
those decisions that have been made in a jurisdiction in which there is no notification
obligation in order to understand the factors to be considered in deciding whether to
notify.




12. http://www.ipc.on.ca/images/Findings/up-ho_005.pdf (visited April 19, 2009).


(b) Notification as a Required Component of General Security Obligations

As is discussed in more detail in section 4(a) below, all private sector privacy statutes
contain some general obligation to keep personal information secure and prevent
unauthorized disclosure, alteration or destruction. For example, the federal Personal
Information Protection and Electronic Documents Act13 (“PIPEDA”) states that “personal
information shall be protected by security safeguards appropriate to the sensitivity of the
information,”14 but provides little else by way of guidance as to how this standard is to be
met.

In January 2006, the Privacy Commissioner of the Australian State of Victoria decided
that, even though Victoria’s privacy statute does not contain any explicit notification
obligation, its general security obligation (which was similar to that in PIPEDA) created
an obligation, except in extraordinary circumstances, to notify individuals of a privacy
breach. The Commissioner stated:

       9.3.1 The presumption is that privacy breaches ought to be notified to those
       whom they potentially affect.

       9.3.2 The starting point is the objects section of the Information Privacy Act, in
       which Parliament made it clear that the collection and handling of personal
       information is to be responsible and transparent.3 Part of being open about the
       handling of people’s personal information is to tell them when something goes
       wrong and to explain to them what has been done to try to avoid or remedy any
       actual or potential harm. Where there is a reasonably foreseeable risk of harm,
       notification gives people an opportunity to take steps themselves to avoid or
       mitigate harm.

       9.3.3 In exceptional circumstances, notification may be neither necessary nor
       desirable.15

This decision has been cited by many privacy advocates, who have argued that even the
general security obligations contained in PIPEDA or the provincial private sector
personal information privacy statutes will, in appropriate circumstances, obligate an
organization to notify affected individuals.16


13. S.C. 2000, c. 5.
14. Principle 4.7.
15. Privacy Commissioner, State of Victoria Report 01.06: “Jenny's case: Report of an investigation
    into the Office of Police Integrity pursuant to Part 6 of the Information Privacy Act 2000” (February
    2006),
    http://www.privacy.vic.gov.au/dir100/priweb.nsf/download/27DAEE1EBC21E085CA257123000A36
    88/$FILE/OVPC_Report_0106.pdf (visited May 23, 2007), at 65.
16. For example, the CIPPIC White Paper cited the decision of the Victoria Privacy Commissioner as
    one of the justifications for recommending an explicit notification requirement in proposed
    amendments to PIPEDA (at page 21).


Canadian regulators have taken a cautious approach to the notification issue thus far. In
a decision involving personal information that had been left on used computer tapes sold
at a B.C. government auction,17 the B.C. IPC declined to decide that the general security
obligation in B.C.’s public sector privacy legislation18 implied an obligation to notify
affected individuals in all but exceptional cases, but did find that notification should be
considered by government bodies as one way to minimize the impact of a privacy breach
on affected individuals.

Since the release of BC Report F06-01, there appears to be almost universal support for
the proposition that, although private sector privacy statutes do not contain a compulsory
breach notification requirement, they do imply an obligation to at least consider the
appropriateness of notification of individuals affected by a privacy breach. In December
2006, the B.C. and Ontario IPCs published a “Breach Notification Assessment Tool” (the
“Tool”)19 that sets out a number of steps to be taken by an organization in deciding
whether to notify individuals or regulators about a privacy breach, and presumes that
notification will be required in some, but not all, circumstances.20 The federal
Commissioner and several other provinces have since published their own breach
notification guidelines.21

Notwithstanding all of these developments, the House of Commons Committee studying
potential reforms to PIPEDA concluded, apparently based on submissions from the
federal Commissioner, that under PIPEDA “notification is voluntary,” although
organizations “for the most part, feel that they already have a duty to notify individuals in
instances of significant security breaches involving personal information.”22

Despite the lack of an explicit obligation to notify in any of the Canadian private sector
privacy laws of general application, it now appears clear that there likely will be implied in
at least some situations an obligation to make such notification as part of a general
obligation to keep personal information secure. While not stating that breach notification

17. B.C. Investigation Report F06-01, “Sale Of Provincial Government Computer Tapes Containing
    Personal Information,” March 31, 2006,
    http://www.oipc.bc.ca/orders/investigation_reports/InvestigationReportF06-01.pdf (visited May 23,
    2007; “BC Report F06-01”).
18. Freedom of Information and Protection of Privacy Act, R.S.B.C. 1996, c. 165 (“B.C. FIPPA”).
19. http://www.ipc.on.ca/images/Resources/up-ipc_bc_breach.pdf (visited May 23, 2007).
20. The specifics of the Tool are discussed in detail in section 2(f) below.
21. See the federal Privacy Breach Checklist,
    http://www.privcom.gc.ca/information/guide/2007/gl_070801_checklist_e.pdf. Provincial tools
    include the Newfoundland and Labrador Privacy Breach Notification Assessment Tool (January
    2008), http://www.justice.gov.nl.ca/just/civil/atipp/PrivacyBreachNotificationAssessmentTool.pdf;
    Saskatchewan Privacy Breach Guidelines,
    http://www.oipc.sk.ca/Resources/Privacy%20Breach%20Guidelines1%20(3).pdf; Alberta Key Steps
    in Responding to Privacy Breaches,
    http://www.oipc.ab.ca/ims/client/upload/Key%20Steps%20in%20Responding%20to%20a%20Priva
    cy%20Breach%202007.pdf (all visited April 19, 2009).
22. See section 2(d) below for a full discussion of the Committee’s recommendation for instituting a
    form of voluntary breach notification.


is required, recent case summary reports by the federal Commissioner seem to imply
that organizations will be taken to task if such notification is not made within a
reasonable time after the breach is discovered.23

(c) Other Potential Obligations to Notify

In addition to any obligations that may arguably be imposed by private sector privacy
statutes, organizations have to consider whether they may be otherwise required to
make disclosure to affected individuals after a privacy breach. For example:

       • specific laws, regulations, industry codes of conduct or other rules applicable
         to an organization may require disclosure;

       • the organization may be subject to contractual requirements that require
         disclosure;

       • the nature of the relationship between the organization and the individual
         whose personal information has been the subject of the security breach may
         mandate disclosure, such as where the organization is a fiduciary or agent for
         the individual.

(d) Proposals for Reform

Like many other federal statutes, PIPEDA mandates a five-year review process. From
November 2006 through February 2007, the House of Commons Standing Committee
on Access to Information, Privacy and Ethics (the “Committee”) heard submissions on
potential amendments to PIPEDA, and in May 2007 its report was presented to the
House.24

One of the most contentious issues dealt with by the Committee was that of breach
notification. The main submissions referred to by the Committee in its Report made a
number of disparate proposals:

       • Most business organizations argued that there was no need for the addition
         of compulsory breach notification requirements since organizations “for the
         most part, feel that they already have a duty to notify individuals in instances
         of significant security breaches involving personal information.”25 They were
         supportive of discretionary notification tools such as the Privacy Breach
         Notification Tool created by the Ontario and B.C. IPCs.26

23. See, for example, PIPEDA Case Summary #393, Laptop theft at bank and long delay before
    informing victims were both avoidable, http://www.privcom.gc.ca/cf-dc/2008/393_20080611_e.asp.
24. See
    http://cmte.parl.gc.ca/cmte/CommitteePublication.aspx?COM=10473&Lang=1&SourceId=204322
    for a copy of the Committee’s Report.
25. Committee Report, page 41.
26. This Tool is discussed in detail in section 2(f) below.


       • At the other end of the spectrum, a number of privacy advocacy groups
         argued that PIPEDA should be amended to add strict breach notification
         requirements modelled on those introduced by California and other U.S.
         states. In particular, these groups argued that organizations should not have
         any discretion in deciding whether a privacy breach was significant enough to
         justify notifying affected individuals, but that decisions about what steps to
         take in the face of a real or potential privacy breach should be up to the
         affected individual after receiving notification.

       • Several commentators urged the Committee to take a cautious approach to
         any recommendation that notification be made compulsory. The B.C. IPC
         noted that “there is no evidence available yet to demonstrate that mandatory
         notification is actually a cost-effective way to reduce the risk of identity theft
         related to security breaches.”27

       • The federal Commissioner was somewhat equivocal in her position about
         compulsory breach notification. While she was generally supportive of some
         form of breach notification requirement, she at first told the Committee that
         compulsory notification did not fit well into the structure of PIPEDA and that
         there was no easy way to penalize organizations that did not provide required
         notifications. At a later appearance before the Committee, however, the
         Commissioner expressed the view that, in light of a number of recent serious
         privacy breaches, she would recommend the addition of a breach notification
         requirement, even though she did not think that such a provision would
         change greatly the present practice of organizations subject to PIPEDA.

In its Report, the Committee preferred a model that would require notification to the
federal Commissioner of some, but not all, privacy breaches, and the Commissioner
would then have discretion to determine whether individual notices were warranted and
what their form should be.28 The Committee noted that requiring notification to the
Commissioner of each and every privacy breach, no matter how trivial or uncertain,
would place a great strain on the already over-taxed resources of the Commissioner’s
office, but nevertheless suggested that this was the appropriate model.

On October 17, 2007, the Government of Canada tabled in Parliament its response to
the Committee‟s Report.29 The Government proposed that the Privacy Commissioner be
notified of any major breach of personal information, and that affected individuals and
organizations be notified when there is a high risk of significant harm resulting from the
breach. Industry Canada subsequently sought public comment on the breach notification
issue.30 In June 2008, Industry Canada released a Model for Data Breach Reporting and
Notification under PIPEDA, which was presented as a working model to provide

27. Committee Report, page 43.
28. Committee Report, pages 44-45.
29. http://www.ic.gc.ca/eic/site/ic1.nsf/eng/00317.html
30. http://www.gazette.gc.ca/archives/p1/2007/2007-10-27/html/notice-avis-eng.html


additional background to assist in framing and considering the proposed legislative
amendments to PIPEDA. As a result of the intervening election and the focus of the
Government on economic issues, there has been no further activity on the
implementation of PIPEDA reforms since June 2008.

(e) Encryption and Passwords

Generally, the use of strong encryption (currently a minimum of 128 bit) of data
containing personal information (or some other appropriate security methodology that
prevents unauthorized access to personal information) will prevent any notification
obligation from arising even if the media containing the data is lost or stolen. This
exemption is explicit in many (but not all) of the U.S. state laws that mandate privacy
breach notification, and has been implied in situations where there is an otherwise
unqualified obligation to notify. For example, in Order HO-004, the OIPC stated as
follows:

       [T]o the extent that personal health information on a mobile computing device
       has been encrypted to protect it from unauthorized access, I would not consider
       the theft or loss of that device to be a loss or theft of PHI. [PHIPA] requires
       custodians to notify an individual at the first reasonable opportunity if [personal
       health information] is stolen, lost or accessed by unauthorized persons. If the
       case can be made that the [personal health information] was not stolen, lost or
       accessed by unauthorized persons as a result of the loss or theft of a mobile
       computing device because the data were encrypted (and encrypted data does
       not relate to identifiable individuals), the custodian would not be required to notify
       individuals under [PHIPA].31

In the same Order, the OIPC stated that an acceptable alternative to the use of laptop
computers or other mobile devices containing copies of personal information files is the
use of secure Internet access methods or virtual private networks, provided that
temporary copies of the personal information are not inadvertently cached or otherwise
stored on the device after the connection to the central data storage facility is
terminated.

On the other hand, Canadian privacy regulators have unanimously rejected the use of
passwords (whether applied to entire devices such as laptops or individual files
containing personal information) as a sufficient protection for personal information that is
located on electronic media that becomes subject to unauthorized access.32

It therefore seems clear that one of the prevention strategies that can be used by
organizations to minimize the likelihood that they will be required to notify affected
individuals about a data breach is to ensure that all data that contains personal

31. Order HO-004, note 11 above, at page 20.
32. See, for example, Order HO-004 at pages 8 and 19; Alberta IPC “Report of an Investigation into the
    Security of Personal Information”, September 26, 2006, MD Management Ltd., Investigation Report
    P2006-IR-005 (“MD Management”), http://www.oipc.ab.ca/ims/client/upload/ACFAB50.pdf (visited
    May 24, 2007).


information is encrypted, especially if any of that information will at any time be stored on
a mobile device or otherwise removed from the organization’s premises or made
available by some type of remote access.

(f) Strategies Surrounding Notification

Even if there is no clear legal obligation to notify either individual consumers or privacy
regulators, an organization that has suffered a data breach must consider very carefully
whether the best course is to try to keep the breach secret in the hope that nothing will
happen.

While there are a number of estimates by commentators that only a small percentage of
personal information security breaches actually result in identity theft, fraud or some
other damage to consumers, the unexpected public revelation of a previously-unreported
data breach will usually have a negative impact on the organization that far exceeds the
impact of a carefully managed disclosure, whether by way of press release,
advertisement or notice to affected individuals. While it is unlikely that such unexpected
public disclosure will result from consumers suffering losses, tracing the breach back to
the organization and then reporting the breach to the media or a privacy regulator, there
are many other ways that an unexpected disclosure of a privacy breach can occur,
including periodic financial audit and reporting requirements, internal “whistleblowers”33
and unrelated regulatory audits or investigations. As a result, an organization would
generally be well-advised not to rely solely on continuing secrecy as a strategy for
avoiding the potential negative impact of the publicity surrounding a privacy breach.

The decision to disclose a data breach and/or to notify affected individuals therefore
becomes a risk-management exercise in which an organization must assess the
potential risks to the organization (including both reputational risks and potential financial
risks) and to affected individuals. Fortunately, there are a number of templates that have
been developed by regulators and others to provide a framework for this analysis.

The B.C. and Ontario Tool sets out a number of steps to be taken by an organization in
deciding whether to notify individuals or regulators about a privacy breach. The Tool
recommends that organizations follow four steps:

       Step 1: Notifying Affected Individuals

       Step 2: When and How to Notify

       Step 3: What to Include in the Notification

       Step 4: Others to Contact



33. Most Canadian private sector privacy statutes contain prohibitions on taking any retaliatory action
    against employees or others who report breaches of the statute. See, for example, sections 27,
    27.1 and 28 of PIPEDA, which make retaliatory action against a whistleblower a criminal offence.
Privacy Breaches in Canada                                                               P a g e | 11


In Step 1, unless the organization is required to notify individuals due to statutory,
regulatory or contractual requirements, the Tool suggests a contextual approach to
determining whether notification should be made. The notification decision involves a
consideration of various risks to affected individuals, including the risk of identity theft,
the risk of physical harm to an individual (e.g. stalking), the risk of “hurt, humiliation,
damage to reputation,” and the risk of loss to the individual of business or employment
opportunities. Perhaps not surprisingly, the Tool does not explicitly weigh the potential
risks and costs to the organization of providing notification into the decision whether or
not to provide notice. Obviously, an organization should take into account the potential
loss of reputation, embarrassment, financial cost and other damage that may be suffered
if the organization notifies a large number of individuals about a privacy breach.

In Step 2, the Tool advises that notification should be made as soon as possible
following a breach, unless there are reasons for delaying, such as avoiding
compromising a criminal investigation. While not specifically mentioned in the Tool, it is
often advisable to wait until there is reasonably reliable information that indicates that a
data breach has in fact occurred. In many cases, data files or media are temporarily lost
or simply cannot be located, but there is no evidence that there has been unauthorized
access to the information. There is little incentive for an organization to prematurely
notify individuals about a potential privacy breach until it is clear that a breach has in fact
occurred, and sending notices to individuals prematurely may in fact cause more harm
than good, especially if it turns out that the personal information was not in fact accessed
by any unauthorized individuals.34

This issue was recently demonstrated in PIPEDA Case Summary #395,35 which
dealt with a well-publicized incident in which CIBC reported that it had lost track of a
computer tape that was being couriered from Montreal to a suburb of Toronto. The tape
contained personal information about more than 400,000 current and former clients of
CIBC’s subsidiary Talvest Mutual Funds (Talvest). As summarized in the
Commissioner’s report, CIBC and Talvest conducted an exhaustive investigation into the
whereabouts of the tape and subsequently sent notifications to all of the individuals
whose information was understood to have been on the tape. Unfortunately, after
sending this notification, and suffering a great deal of adverse publicity as a result, CIBC
and the Commissioner concluded after further investigation that, due to lax security and
audit procedures, the courier package (which was delivered damaged and empty to its
destination) probably never contained the tape. This incident should serve as a
cautionary tale for organizations, which are all too often encouraged to rush to send
consumer notifications before an incident is fully investigated and the scope and
severity of the breach are determined.



34. For example, in BC Report F06-01, the BC IPC was satisfied that no-one had actually accessed or used the personal information on the government computer tapes that had been purchased at an auction, and there was therefore no reason to recommend that notice be given to individuals whose personal information was on the tapes, whether by individual notices or general advertisements.
35. Commissioner initiates safeguards complaint against CIBC, http://www.privcom.gc.ca/cf-dc/2008/395_20080925_e.asp


Step 2 of the Tool also provides an analysis of the most appropriate procedure for
providing notification to affected individuals. While direct notification by letter or email is
preferred, other notification methods may be justified where direct notification could
cause further harm,36 is prohibitive in cost,37 or contact information is missing or likely to
be inaccurate.38 Alternatives such as newspaper advertisements and personal visits at
the next scheduled appointment may be employed in appropriate cases.

Step 3 of the Tool then provides general guidance about what information to include in
the notices sent to individuals, including the date of the breach, a description of the
breach and how it happened, a description of the information that was inappropriately
accessed, collected, used or disclosed, a summary of the steps taken so far to control or
reduce the harm and the future steps planned to prevent further privacy breaches. The
Tool also suggests providing information about how individuals can protect themselves
(such as how to contact credit reporting agencies in order to set up credit watch and
information explaining how to change a personal health number or driver’s licence
number), information about how to complain to the appropriate privacy regulator and
contact information for someone within the organization who can provide additional
information and assistance and answer questions.

Lastly, Step 4 recommends that an organization consider contacting other agencies
such as law enforcement (if it appears that the data breach resulted from a criminal act),
the relevant Commissioner’s office, and/or appropriate professional or regulatory bodies
and technical suppliers (if the breach was as a result of a technical failure or an
underlying vulnerability).

The Tool is an excellent starting point for any organization trying to deal with a privacy
breach. Several caveats must be noted, however. The Tool is clearly written from the
point of view of the IPC, and therefore takes a very pro-privacy stance that ignores many
concerns that an organization may have in dealing with these issues, such as how to
deal with the media and other stakeholders. The Tool also does not give any guidance
about how to draft notification letters or notices in order to make them effective and
understandable. Therefore, while generally following the Tool is important for
organizations that want to ensure that their notification strategies will likely receive the
approval of the IPC, organizations should treat the Tool as a resource only and
understand that there will be many additional steps that will have to be taken and
decisions that will have to be made in order to successfully deal with a privacy breach.

Other useful resources and guidelines may be obtained from some of the U.S. states
that have implemented privacy breach notification obligations. For example, the

36. This is often the case for medical information of current health care patients, who may suffer negative consequences as a result of receiving a generic notification letter. It is often recommended that alternatives such as personal visits or providing notification to caregivers be employed to minimize the potential negative results of notification.
37. The example given by the Tool is where there are a “very large number” of affected individuals.
38. In Order HO-004, note 11 above, the OIPC noted that sending notices to potentially outdated addresses might in itself lead to further privacy violations and should therefore be avoided.


California Office of Privacy Protection has published “Recommended Practices on Notice
of Security Breach Involving Personal Information”39 that includes sample notification
letters that may be a useful starting point when notification is to be made.

3.     What The Heck Should I Do About This?

There is no simple answer to this question, mainly since each individual situation may
require different strategies to move towards the most effective response. As a general
rule, however, organizations that handle significant amounts of personal information
should consider creating a protocol for responding to privacy breaches before an
incident occurs. The proactive development of such a protocol prior to the occurrence of
a data breach has several advantages for an organization:

           The organization will be better able to respond quickly and in a coordinated
           manner because the breach protocol will have anticipated some or all of the
           necessary steps to be taken.

           The roles and responsibilities of the organization’s employees and service
           providers will be clarified.

           The process by which the organization will conduct its investigation will be
           clarified.

           The organization’s planned response to the privacy breach will be
           documented and available.

           Effective containment of the privacy breach will be accelerated.

           Any remediation efforts will be easier and faster.

           The organization will be better prepared for the potential involvement of
           privacy and other regulators.

           The organization will be better able to explain its response to the privacy
           breach to its managers, directors, shareholders, suppliers, customers and the
           media.

Although it is difficult to dispute that there is great value in the establishment of a privacy
breach protocol, in my experience relatively few organizations that have not already
suffered a privacy breach incident ever implement such a protocol. This usually results
from a variety of factors, including the cost (or perceived cost) of creating a breach
protocol, the lack of a privacy coordinator with the skills or authority to ensure that a
protocol is established and implemented, the fact that other organizations in the same
industry have not developed their own protocol, and the general attitude that “it won’t
happen to us.” The fact is, however, that an organization can significantly improve its

39. http://www.privacyprotection.ca.gov/recommendations/secbreach.pdf (visited May 23, 2007).


level of privacy breach preparedness at little or no cost by taking a few simple steps,
such as assembling a team to coordinate the response to a privacy breach (including
representatives from such diverse functions as HR, IT, legal, marketing and government
relations) and distributing evening and weekend telephone numbers of team members to
ensure that everyone can be contacted quickly if an incident occurs.

While there is no blueprint breach protocol that can be used to respond to every privacy
breach, there are a number of published guidelines that offer suggestions and
assistance that can be used as a starting point. Many of these guidelines are directed to
public sector data controllers, but contain recommendations that are useful for private
sector organizations faced with a privacy breach. For example, the federal Treasury
Board Secretariat has published “Guidelines for Privacy Breaches”40 to assist public
sector data managers in dealing with the unauthorized release of personal information in
the possession of the federal government, and the OIPC has published brochures
entitled “What To Do If A Privacy Breach Occurs: Guidelines For Government
Organizations,”41 “What To Do When Faced With A Privacy Breach: Guidelines For The
Health Sector”42 and “Key Steps in Responding to Privacy Breaches.”43

Although they differ in their details, all of these Guidelines, and all of the standard advice
given to private sector organizations faced with a security breach, suggest following the
same general steps, which can be summarized as follows:

           Containment

           Risk Assessment

           Notification

           Remediation and Review

Not all of these steps will apply in all situations and there may be additional steps that
are necessary in specific situations. For example, data breaches that involve
organizations and information located outside of Canada may require additional
remediation and notification steps.44




40. http://www.tbs-sct.gc.ca/atip-aiprp/in-ai/in-ai2007/breach-atteint_e.asp (visited May 24, 2007).
41. http://www.ipc.on.ca/images/Resources/up-1prbreach.pdf (visited May 24, 2007).
42. http://www.ipc.on.ca/images/Resources/up-3hprivbreach.pdf (visited May 24, 2007).
43. http://www.oipcbc.org/pdfs/Policy/Key_Steps_Privacy_Breaches_(Dec_2006).pdf (visited May 24, 2007).
44. See the brief discussion about international privacy breaches in section 5(b) below.


       (a)       Containment

The first step should always be to make sure that the privacy breach is not ongoing. As a
result, immediately after the breach is discovered, the organization should take some or
all of the following steps to ensure that the problem does not get worse.

             Immediately contact the organization’s privacy officer and/or the person
             responsible for security in the organization.

             Remove, move or segregate exposed information/files.

             Determine whether the privacy breach would allow unauthorized access to
             any other personal information and take whatever necessary steps are
             appropriate (e.g. change passwords, identification numbers and/or
             temporarily shut down a system). In some cases, it may be necessary to shut
             down a website, application or device temporarily to permit a complete
             assessment of the breach and resolve vulnerabilities.

             Attempt to retrieve any documents, copies of documents or files that were
             wrongfully disclosed or taken by an unauthorized person.

             Ensure that no copies of personal information have been made or retained by
             any individual who was not authorized to receive the information and obtain
             the person’s contact information in the event that follow-up is required.

             Return the documents or files to their original location or to the intended
             recipient unless their retention is necessary for evidentiary purposes.

             Notify the police if the privacy breach involves theft or other criminal activity.

       (b)       Risk Assessment

Once the privacy breach has been contained, the organization must assess the risk of
harm arising from the breach. This assessment is necessary to determine what actions
are appropriate in the notification and remediation steps.

             What data elements have been breached? Is the information sensitive?
             Health information, social insurance numbers and financial information that
             could be used for identity theft are examples of sensitive personal
             information.

             What possible use could be made of the personal information by
             unauthorized persons or organizations? Could the information be used for
             fraudulent or other harmful purposes?

             What is the cause of the breach? Could there be ongoing or further exposure
             of the information?

             What was the number of likely unauthorized recipients and what is the risk of
             further access, use or disclosure, including in mass media or online?

             Is the information encrypted or otherwise not readily accessible?

             What steps have already been taken to minimize the harm?

             How many individuals might be affected by the breach?

             Who is involved in or affected by the breach: employees, the public, service
             providers, clients, other organizations?

             Is there any relationship between the unauthorized recipient(s) and the
             individual(s) whose personal information has been disclosed?

             What harm to the individual(s) whose personal information has been
             disclosed will or could result from the breach? Consider security risks (e.g. an
             individual’s physical safety), identity theft or fraud, loss of business or
             employment opportunities and hurt, humiliation, damage to reputation or
             relationships.

             What harm could result to the organization as a result of the breach?
             Consider loss of trust in the organization, loss of assets (exposure of
             confidential client or supplier lists, for example) and financial exposure.

             What harm could result to the public as a result of the breach? For example,
             is there a risk to public health or public safety as a result of the breach?
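The risk-assessment questions above, turned into a structured decision aid that also applies the Step 2 caution about waiting for reliable evidence of access, as an added example that is not part of the paper or of the B.C. and Ontario Tool. The field names, weights and thresholds are assumptions for illustration, and the scenario data is constructed.

```python
"""Harm assessment for a suspected privacy breach (added illustration; not from
the paper or the B.C./Ontario Tool). It scores the checklist factors above and
applies the paper's caution that individual notices should wait for reliable
evidence of actual access. Names, weights and thresholds are assumptions."""
from dataclasses import dataclass, field
from enum import Enum


class Harm(Enum):
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"


# Elements the paper singles out as sensitive because they enable identity
# theft or similar harm (constructed vocabulary for this example).
SENSITIVE_ELEMENTS = {"health", "sin", "financial", "drivers_licence"}


@dataclass
class BreachFacts:
    data_elements: set                 # e.g. {"name", "sin"}
    encrypted: bool                    # not readily accessible to a recipient?
    individuals_affected: int
    unauthorized_recipients: int       # likely number of people who received it
    recipient_known_to_subjects: bool  # relationship raises safety/harassment risk
    exposure_ongoing: bool             # cause not fixed; further leakage possible
    access_confirmed: bool             # reliable evidence the data was accessed
    criminal_act: bool                 # theft or other criminal activity suspected
    notification_required: bool = False  # statutory, regulatory or contractual


@dataclass
class Assessment:
    harm: Harm
    notify_individuals: bool
    notify_regulator: bool
    notify_police: bool
    reasons: list = field(default_factory=list)


def harm_score(f: BreachFacts):
    """Weigh the checklist factors into a score; the weights are assumed."""
    score, reasons = 0, []
    sensitive = f.data_elements & SENSITIVE_ELEMENTS
    if sensitive:
        score += 3
        reasons.append(f"sensitive elements exposed: {sorted(sensitive)}")
    if f.encrypted:
        score -= 2
        reasons.append("information encrypted / not readily accessible")
    if f.unauthorized_recipients > 1:
        score += 2
        reasons.append("multiple recipients: risk of further use or disclosure")
    if f.recipient_known_to_subjects:
        score += 2
        reasons.append("recipient knows the individuals: safety/harassment risk")
    if f.exposure_ongoing:
        score += 2
        reasons.append("containment incomplete: further exposure possible")
    if f.individuals_affected >= 1000:
        score += 1
        reasons.append(f"{f.individuals_affected} individuals affected")
    return max(score, 0), reasons


def assess(f: BreachFacts) -> Assessment:
    score, reasons = harm_score(f)
    harm = Harm.HIGH if score >= 6 else Harm.MEDIUM if score >= 3 else Harm.LOW

    if f.notification_required:
        notify_individuals = True
        reasons.append("notification required by statute, regulation or contract")
    elif not f.access_confirmed:
        # The Talvest tape lesson: notices sent before unauthorized access is
        # established can cause more harm than good. Investigate first.
        notify_individuals = False
        reasons.append("no reliable evidence of unauthorized access yet: "
                       "complete the investigation before notifying")
    else:
        notify_individuals = harm is not Harm.LOW

    # Step 4 of the Tool: consider the Commissioner's office and, where a
    # criminal act is suspected, law enforcement.
    notify_regulator = f.notification_required or harm is not Harm.LOW
    return Assessment(harm, notify_individuals, notify_regulator,
                      f.criminal_act, reasons)


if __name__ == "__main__":
    # Constructed scenario: an unencrypted tape holding SINs cannot be located,
    # but there is no evidence that anyone has accessed it.
    missing_tape = BreachFacts({"name", "account", "sin"}, encrypted=False,
                               individuals_affected=400_000, unauthorized_recipients=0,
                               recipient_known_to_subjects=False, exposure_ongoing=False,
                               access_confirmed=False, criminal_act=False)
    result = assess(missing_tape)
    print(result.harm.value, result.notify_individuals, result.reasons)  # medium False [...]
```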

       (c)      Notification

As discussed in section 2(f) above, there are a number of factors to be considered in
determining whether and how to notify affected individuals, privacy regulators and/or law
enforcement officials about a privacy breach.

       (d)      Remediation and Review

Once the immediate steps are taken to mitigate the risks associated with the breach, and
consideration is given to providing appropriate notices, the organization must take the
time to thoroughly investigate the cause of the breach and determine what steps, if any,
are needed to prevent further incidents. The remediation step could include all or some
of the following actions, depending on the state of the organization's preparedness prior
to the breach and the “lessons learned” during the course of the breach containment and
investigation:

             Conduct a security audit of the organization’s physical and technical security.

             Conduct a privacy audit that analyzes the personal information that is
             collected, used and disclosed by the organization and identify issues of non-
             compliance with applicable privacy laws, industry guidelines, contractual
             obligations, etc. If a privacy audit was already performed for the organization,
             update it and assess its continuing viability in view of the vulnerabilities
             exposed by the breach and subsequent investigation.

             Develop or improve, as necessary, adequate long term security and
             procedural safeguards against further breaches.

             Review and update all privacy policies and procedures to reflect the lessons
             learned from the privacy breach investigation.

             Plan a scheduled audit to ensure that any changes have been fully
             implemented.

             Implement a privacy breach protocol. If a protocol was in existence at the
             time of the breach, review its effectiveness in dealing with the breach and its
             aftermath, and make adjustments as appropriate.

             Train the organization’s employees to ensure that they understand the
             organization’s privacy obligations and have appropriate knowledge of the
             privacy breach protocol. If the organization’s employees have previously
             been trained, consider whether refreshers are necessary or whether there
             should be changes or additions to the training program.

As can be seen from the above checklists, responding to a privacy breach involves a great
deal more than simply finding the problem, sending some notifications and promising not
to let it happen again. A privacy breach necessarily involves a failure in the preparation or
implementation of the organization’s security plans for personal information in its
possession or control, and therefore requires a detailed and careful response that will
involve a large number of disparate resources inside and outside of the organization.

4.     Can I Be Liable For This?

A very frequent concern of organizations is whether they will face the type of lawsuits
and large fines that have been visited on several companies in the U.S. and well
publicized in Canada. While to date there have not been any successful actions in
Canada based solely on liability for permitting a privacy breach, there are still a number
of potential sources of liability that organizations should be aware of.

       (a)      Canadian Private Sector Personal Information Privacy Statutes

None of the Canadian private sector personal information privacy statutes provide for a
private cause of action against organizations where appropriate personal information
safeguards are not maintained. Section 16 of PIPEDA permits the Federal Court, on an
application, to award damages to the complainant, including “damages for any
humiliation that the complainant has suffered”. Thus far there have been no such
damages awarded, and it seems unlikely that there will be significant awards of
damages in the near future.

Under the Quebec An Act respecting the protection of personal information in the private
sector (the “Quebec Act”),45 the Commission d'accès à l'information (“CAI”) may examine
and decide a dispute relating to access to or rectification of personal information (section
42) and may issue recommendations (following an inquiry) for such remedial measures
as are appropriate to ensure the protection of the personal information. The Quebec Act
does not grant the CAI specific power to award damages for a violation of a duty
imposed on an enterprise with respect to the protection of the personal information. An
enterprise may have damages awarded against it by a court should it collect, retain, use
or disclose personal information in violation of the Quebec Act, or if the enterprise acted
wrongfully, the action resulted in damages to the plaintiff, and there is a causal
relationship between the damages suffered and the wrongful action.46 Damage awards
have been modest in all of these cases and have not exceeded $10,000.00 on any one
occasion.

The B.C. and Alberta legislation47 do not allow for damage awards, but permit fines to be
levied for offences. It does not appear, however, that either BC PIPA or Alberta PIPA
includes failing to provide adequate security for personal information amongst the list of
offences.

       (b)      General Purpose Privacy Legislation

Apart from the private sector personal information protection legislation discussed
above, four common law provinces provide for a statutory tort of invasion of privacy:
British Columbia,48 Saskatchewan,49 Manitoba,50 and Newfoundland.51 Although there is
some variation, the statutes that create these torts typically make it actionable to wilfully
violate the privacy of another individual. These statutes do not define what is meant by a
violation of privacy, but state that surveillance, interception of communications and use
of an individual‟s likeness for the purposes of advertising will generally be considered to
violate privacy in the absence of consent. Certain exceptions are provided for publication
of matters of public interest and situations involving law enforcement or judicial
proceedings.




45. R.S.Q., c. P-39.1.
46. Demers v. Banque Nationale du Canada, B.E. 97BE-330 (C.Q.); Chartrand v. Corp. du Club de l'amitié de Plaisance, B.E. 97BE-878 (C.Q.); Boulerice v. Acrofax inc., [2001] R.L. 621 (C.Q.); Stacey v. Sauvé Plymouth Chrysler (1991) inc., J.E. 2002-1147 (C.Q.); Basque v. GMAC Location Limitée, 2002 IIJCan 36125 (C.Q.); Roy v. Société sylvicole d'Arthabaska-Drummond, J.E. 2005-279 (C.Q.).
47. Personal Information Protection Act, S.B.C. 2003, c. 63 (“B.C. PIPA”); Personal Information Protection Act, S.A. 2003, c. P-6.5 (“Alberta PIPA”).
48. Privacy Act, R.S.B.C. 1996, c. 373.
49. Privacy Act, R.S.S. 1978, c. P-24.
50. Privacy Act, C.C.S.M. c. P125.
51. Privacy Act, R.S.N.L. 1990, c. P-22.


In addition, Articles 35 through 41 of the Quebec Civil Code contain comparable
provisions.52 In particular, Article 35 provides that no one may invade the privacy of a
person without the consent of the person unless authorized by law. In addition, section 5
of the Quebec Charter of Human Rights and Freedoms provides that “Every person has
a right to respect for his private life.”53 This section has been successfully used to ground
a claim for damages for publication of a photograph of an individual in a magazine
without consent.54

There have been no cases where any of these provisions have been applied to negligent
or accidental security breaches involving personal information, and it would appear that
the requirement that the actions of the organization be wilful would in most cases
preclude any claim under these statutes against an organization that has had a privacy
breach.

       (c)      Common Law

Canadian common law has been hesitant to recognize a cause of action for the tort of
invasion of privacy, although the attitude of Canadian courts to this issue may slowly be
changing. While only a few years ago it would have been possible to say with
reasonable certainty that no common law tort of invasion of privacy existed in Canada,
courts in Ontario and other provinces are now signalling that a common law right to
privacy may in fact exist in some form. A number of Ontario Superior Court decisions
have indicated that recognition of a tort of invasion of privacy is not only likely but
probably inevitable.55

The contours of any common law tort of invasion of privacy are not at all clear, and
courts in other Commonwealth jurisdictions have taken a variety of approaches to the
concept of a free-standing privacy right. While members of the High Court of Australia, in
a case involving an injunction to restrain broadcast of a video taken surreptitiously inside
an abattoir,56 mused, without deciding, about the possibility that a separate tort of breach
of privacy might be found to exist,57 subsequent Australian decisions have continued to

52. Civil Code of Quebec, S.Q. 1991, c. 64, Articles 35-41.
53. Québec Charter of Human Rights and Freedoms, R.S.Q., c. C-12.
54. Aubry v. Éditions Vice-Versa inc., [1998] 1 S.C.R. 591. In its analysis, the Supreme Court of Canada held that the right to privacy must be balanced against the right to freedom of expression and the public interest.
55. See Somwar v. McDonald's Restaurants of Canada Ltd. (2006), 79 O.R. (3d) 172, 263 D.L.R. (4th) 752 (S.C.), Shred-Tech Corp. v. Viveen, 2006 CanLII 41004 (ON S.C.) and Nitsopoulos v. Wong, 2008 CanLII 45407, http://www.canlii.org/en/on/onsc/doc/2008/2008canlii45407/2008canlii45407.html. By contrast, a British Columbia Superior Court judge rejected the concept of a common law right to privacy in Bracken v. Vancouver Police Board, [2006] B.C.S.C. 189 (CanLII), at least partly on the basis that the existence of the B.C. Privacy Act precluded the development of a similar common law right.
56. Australian Broadcasting Corporation v. Lenah Game Meats Pty. Ltd., [2001] H.C.A. 63.
57. See Taylor, “Why Is There No Common Law Right of Privacy?” (2000) 26 Monash University Law Review 235; “Privacy, Injunctions and Possums: An Analysis of the High Court's Decision in Australian Broadcasting Corporation v Lenah Game Meats”, (2002), 26 Melbourne University Law


reject the idea.58 New Zealand59 and India60 have recognized at least some form of a
common law privacy right. The U.K. House of Lords in Campbell v MGN Ltd61 rejected a
common law tort of invasion of privacy but morphed the existing tort of breach of
confidence into what one Law Lord referred to as “a remedy for the unjustified
publication of personal information.”

An alternative to the tort of invasion of privacy is the application of the law of negligence
to privacy breaches. In Canada v. Saskatchewan Wheat Pool,62 the Supreme Court of
Canada held that while there is no nominate tort of “statutory breach” that will create
liability as a result of a government or citizen violating a statutory restriction, proof of
statutory breach may be used as evidence of negligence and that the statutory
formulation of the duty may afford a specific, and useful, standard of reasonable
conduct.63 The Supreme Court subsequently stated:

               Legislative standards are relevant to the common law standard of care,
               but the two are not necessarily co-extensive. The fact that a statute
               prescribes or prohibits certain activities may constitute evidence of
               reasonable conduct in a given situation, but it does not extinguish the
               underlying obligation of reasonableness. … Thus, a statutory breach does
               not automatically give rise to civil liability; it is merely some evidence of
               negligence. . .

               Where a statute authorizes certain activities and strictly defines the
               manner of performance and the precautions to be taken, it is more likely
               to be found that compliance with the statute constitutes reasonable care
               and that no additional measures are required. By contrast, where a
               statute is general or permits discretion as to the manner of performance,
               or where unusual circumstances exist which are not clearly within the




57 (cont.). Review 707; Protecting Privacy, Property, and Possums: Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd (2002), 30 Federal Law Review 177.
58. See, for example, Giller v Procopets [2004] V.S.C. 113 at 187 - 189; Moore-McQuillan v WorkCover/Vero Workers Compensation (SA) Ltd (Wolf Air and Dive Shop), [2005] SAWCT 3; but see Grosse v Purvis [2003] QDC 151 and “Gross v Purvis: its place in the common law of privacy” (2003), 10 PLPR 66.
59. Hosking v Runting, [2004] NZCA 34 (25 March 2004); P. v. D., [2001] 2 N.Z.L.R. 591; Tobin, “Invasion of Privacy”, [2000] New Zealand Law Journal 216.
60. Govind v. State of Madhya Pradesh (1975), 62 A.I.R. (SC) 1378.
61. [2004] UKHL 22 (6 May 2004).
62. [1983] 1 S.C.R. 205.
63. Ibid., at 244. Where there is a sanction created by the statute it may be enforced in some circumstances by civil proceedings: Whistler Cable Television Ltd. v. Ipec Canada Inc., [1993] 3 W.W.R. 247 (B.C.S.C.) and Canada Post Corporation v. G3 Worldwide (Canada) Inc, 2005 CanLII 46078 (ON S.C.).


                scope of the statute, mere compliance is unlikely to exhaust the standard
                of care.64

While potentially a powerful legal tool, the “statutory negligence” cause of action65 has
rarely been used successfully since 1983.66 Subsequent cases have held that a statute
will not create a duty of care unless explicitly stated, but statutory restrictions may create
a standard of care, although the weight to be accorded to the statutory standard is in the
discretion of the trial judge.67

The acceptance of statutory requirements as a standard of reasonable conduct for
negligence purposes has been extended to include recognized industry policies,
practices, or standards, and the breach of a generally accepted industry standard may
constitute evidence of negligence. For example, Zraik v. Levesque Securities Inc.68
confirmed that failing to comply with certain professional duties and internally created
guidelines could be used to establish negligence.

As a result, the privacy standards established by federal and provincial statutes, as well
as industry standards such as model privacy policies or codes, may create specific and
useful benchmarks for negligence purposes, both of reasonable conduct with respect to
the collection of personal information and of the reasonable expectations of privacy that
an individual may have.

While a number of class actions have been instituted in respect of privacy breaches,
none appear to have reached the certification stage.69 Most of the claims appear to have
been based on a negligence theory,70 which may make the awarding of significant
damages difficult.71



64
       Ryan v. Victoria (City), [1999] 1 S.C.R. 201, at para. 29 and 40.
65
       Sometimes referred to as “negligent breach of statute”: see Britton v. Klippenstein, [2004] 10
       W.W.R. 397 (Sask. Q.B.).
66
       Successful damages claims in which statutory duties were used to establish negligence include
       Galaske v. O'Donnell, (1994), 112 D.L.R. (4th) 109 (S.C.C.); Noble v. Bhumper, (1996), 20
       B.C.L.R. (3d) 244 (B.C.C.A.); Trango Holdings Ltd. v. Calwest Energy Corp., [2001] 263 A.R. 357
       (Alta. Prov. Ct.); Prochazka v. Calwest Energy Corp., [2001] 264 A.R. 104 (Alta. Prov. Ct.);
67
       See the discussion in Chong v. Flynn, [1999] 10 W.W.R. 671 (Alta. Q.B.), at paras. 12 – 19.
68
       [1999] O.J. No. 2263 (S.C.J.); varied by [2001] O.J. No. 5083 (C.A.).
69
       Based on a review of the National Class Action Database maintained by the Canadian Bar
       Association at http://www.cba.org/classactions/main/gate/index/default.aspx.
70
       See, for example, the claims in Murray Waters v Daimlerchrysler Services Canada Inc.
       (Saskatchewan) at http://www.cba.org/classactions/class_2008/saskatchewan/pdf/06-09-2008_Waters.pdf
       and Maurice Assor vs. Services DaimlerChrysler Canada Inc. and United Parcel Service du Canada
       Ltée (Quebec) at http://www.cba.org/classactions/class_2008/quebec/pdf/2008-22-04_Assor2.pdf
71
       See “Data breaches leading to class actions”,
       http://www.lawtimesnews.com/Headline-News/Data-breaches-leading-to-class-actions (visited
       April 19, 2009), where the author is quoted on this issue.

The best that can be said today is that it is conceivable that, in appropriate
circumstances, a Canadian court could award damages to an individual against an
organization that negligently allowed unauthorized access to the individual’s personal
information.

5.     International Privacy Breach Issues

Clearly, many privacy breaches involve international issues. The compromised data may
have been accessed in or from multiple jurisdictions, may have been about individuals
residing in multiple jurisdictions, or may have been used in multiple jurisdictions, thereby
potentially causing damage to affected individuals in a number of locations. The
response to such international data breaches may therefore require organizations and
individuals to be aware of, and respond to, the requirements of a number of provincial,
state and national laws.

This section will briefly address the jurisdictional issues that arise concerning the
application of Canadian privacy laws to breaches that take place outside of Canada and
consider some questions a Canadian organization and its advisors have to address
when dealing with a breach that may involve laws and regulators outside of Canada.

       (a)     Jurisdiction of Canadian Regulators

Historically, most jurisdictional disputes arose in private litigation between parties. These
cases generally revolve around the issues of personal jurisdiction (does a court have
jurisdiction over the defendant?), forum non conveniens (even if the court has personal
jurisdiction, is there a clearly more convenient forum to which the court should defer by
staying the proceeding?) and the enforcement of judgments obtained by a plaintiff in a
foreign court.

The determination of whether a Canadian privacy statute applies to organizations or
activities that take place outside Canada (or outside a province in the case of provincial
legislation) is called prescriptive jurisdiction rather than personal jurisdiction. Personal
jurisdiction and prescriptive jurisdiction are often confused by both lawyers and courts,
but prescriptive jurisdiction involves a different analysis concerning issues of statutory
interpretation and legislative competence. First, the court must determine whether the
wording of the statute in question in fact applies to the activity that is the subject of the
regulatory proceeding. This will often involve an analysis of the purpose of the statutory
scheme to see if it was intended that the legislation would apply to the impugned activity.
Second, if the statute was in fact intended to apply outside of Canada or provincial
borders, the court must assess whether the legislature had the constitutional authority to
legislate activity taking place outside of its borders.

The federal Parliament has wider powers than the provincial legislatures to pass laws
with extra-territorial reach. The Statute of Westminster, 1931, the act of the British
Parliament that gave Canada and the other Dominions full legislative independence,
provides in section 3 that “It is hereby declared and enacted that the Parliament of a
Dominion has full power to make laws having extraterritorial operation”. This provision
has been relied on in many
subsequent cases to extend the reach of federal laws beyond Canadian borders.72 A
provincial legislature, by contrast, must have some valid regulatory interest in extending
the reach of its laws beyond the boundaries of the province.73

Historically, there has been a legislative presumption against the extra-territorial
application of public law statutes, as a matter of statutory interpretation. This is based on
a historical concern not to infringe on the sovereignty of other states (or provinces) by
purporting to regulate conduct that occurs wholly within the boundaries of another
jurisdiction. However, over the years the courts began to relax rigid principles of
territoriality. The modern approach recognizes that governmental authorities have a
legitimate interest in regulation and enforcement in relation to activities that take place
abroad but have an unlawful consequence within their jurisdiction, as well as in activities
that take place within their jurisdiction but have unlawful consequences elsewhere. In
Libman v. The Queen,74 the Supreme Court of Canada ruled that “it is sufficient that
there be a ‘real and substantial link’” between the proscribed conduct and the jurisdiction
seeking to apply and enforce its law.

Similarly, Québec’s Civil Code provides detailed conflict of law rules and, in this regard,
establishes the general rule that “Québec authorities have jurisdiction when the
defendant is domiciled in Québec” and that Québec authorities may hear matters even in
the absence of jurisdiction if the matter has a “sufficient connection with Québec” and
where proceedings cannot be instituted elsewhere, or it would be unreasonable to
require that they be instituted elsewhere (article 3136).

In Citron v. Zundel,75 the Canadian Human Rights Tribunal determined that a web
site set up in the United States by the infamous Holocaust denier Ernst Zundel was
subject to the Canadian Human Rights Act, even though that statute was not explicit
about the scope of its application. In Society of Composers, Authors and Music
Publishers of Canada v. Canadian Assn. of Internet Providers,76 the Supreme Court
ruled that an Internet communication that either originates outside of Canada or is
received outside of Canada can be an infringement of the “communication to the public
by telecommunication” right under Canadian copyright law:

       [60] The [real and substantial connection] test reflects the underlying reality of
       “the territorial limits of law under the international legal order” and respect for the
       legitimate actions of other states inherent in the principle of international comity.
       A real and substantial connection to Canada is sufficient to support the
       application of our Copyright Act to international Internet transmissions in a way

72
       See the cases listed in Hogg, Constitutional Law of Canada (4th ed., 1997), at pg. 323.
73
       For an in-depth analysis of this issue as it relates to consumer protection laws, see Tassé and
       Faille, “Online Consumer Protection In Canada: The Problem Of Regulatory Jurisdiction”, Internet &
       E-Commerce Law in Canada, August 2001.
74
       [1985] 2 S.C.R. 178.
75
       41 C.H.R.R. D/274, Canadian Human Rights Tribunal, January 18, 2002.
76
       [2004] 2 S.C.R. 427.
       that will accord with international comity and be consistent with the objectives of
       order and fairness.

       [61] In terms of the Internet, relevant connecting factors would include the situs of
       the content provider, the host server, the intermediaries and the end user. The
       weight to be given to any particular factor will vary with the circumstances and
       the nature of the dispute.

While the Supreme Court referred to the need to conduct a textual analysis of the
Copyright Act in order to determine whether extra-territorial reach was contemplated, in
fact the application of the real and substantial connection test now appears to be the
main determinant of whether a federal statute can be applied in respect of persons or
activities outside of Canada.

To date, the application of PIPEDA to organizations outside of Canada has been
uneven. In the early complaints that were directed to the federal Commissioner
concerning organizations located outside of Canada dealing with personal information
about Canadians, the Commissioner determined that she did not have jurisdiction to
pursue investigations because there was no means by which information could be
collected from those organizations. For example, the Commissioner’s office published
this response to a complaint about Abika.com:77

       “We contacted Abika.com in Cheyenne, Wyoming to ask the organization to
       provide us with the contact information of its Canadian-based sources to aid us in
       pursuing the investigation. Our investigator informed you that Abika.com
       responded to our letter of notification to indicate that Abika.com acts as a search
       engine, not a database. Our investigation efforts have been frustrated by the fact
       that Abika.com would not respond to our request for the names of Canadian-
       based sources.

       As you know, subsection 11(1) of PIPEDA states that:

               An individual may file with the Commissioner a written complaint against
               an organization for contravening a provision of Division 1 or for not
               following a recommendation set out in Schedule 1.

       Subsection 12 (1) of PIPEDA states that:

               The Commissioner shall conduct an investigation in respect of a
               complaint…

       In order to investigate Abika.com based in Cheyenne, Wyoming, our Office must
       have the requisite legislative authority to exercise our powers outside Canada.
       However, basic principles of sovereignty and comity under international law state
       that a country cannot legislate outside its borders. The general convention is that
       Canada only legislates for Canada and only regulates activities within its borders.
77
       November 18, 2005; http://www.privcom.gc.ca/legislation/let/let_051118_e.asp

       While Parliament may legislate with extraterritorial effect, this is rarely done. In
       the infrequent case that it is, it is for national security purposes or for a limited
       class of other purposes. In assessing whether a statute is to be applied outside
       Canada, a court will consider the intention of the legislature when it enacted the
       statute. There is a strong presumption that, absent an explicit or implicit contrary
       intention, Canadian legislation will only apply to the persons, property, juridical
       acts and events that occur within the territorial boundaries of the enacting body’s
       jurisdiction.

       There is nothing explicit in PIPEDA to suggest that it was meant to apply outside
       of Canada or that the powers of the Commissioner would extend beyond
       Canada’s borders. According to leading case law, where the language of a
       statute can be construed so as not to have extraterritorial effect, then that
       construction must be adopted. It seems clear that this Act should not be
       construed to have extraterritorial effect. In the absence of any express or implied
       legislative intent, I must conclude that PIPEDA has no direct application outside
       of Canada.

       While it is clear that the Commissioner may request information from anyone who
       she believes may have information relevant to an investigation, the formal
       investigative powers apply only within Canada. Abika.com has not responded to
       our request for the names of its Canadian-based sources. As such, we have no
       means of identifying - let alone investigating - those who would represent a
       Canadian presence for this organization and further, have no ability to compel an
       American organization to respond. ...

       Global e-commerce poses challenges to all national governments that attempt to
       safeguard privacy and protect consumers. As you are aware from ongoing
       meetings with our Office, we share your concerns about the indiscriminate, non-
       consensual collection, use, and disclosure of personal information by profiling
       and data broker organizations. We agree that this raises serious privacy
       considerations. To this end, we have asked the Government of Canada to advise
       us what formal protocols, if any, exist that would allow us to investigate potential
       privacy breaches which may violate Canadian data protection laws. As important
       as it is, however, the specific instance you raise cannot be resolved through the
       complaint mechanism under PIPEDA. ...

       In conclusion, we cannot proceed with your complaint as we lack jurisdiction to
       compel U.S. organizations to produce the evidence necessary for us to conduct
       the investigation. As a result, I am sorry to say that we have no choice but to
       close this file. The organization has been so informed. However, you should
       know that we have just recently launched an investigation in respect of a similar
       organization where we have been able to identify the Canadian sources of data.”

This opinion by the federal Commissioner seems to confuse the ability of a regulatory
body to use compulsory investigative techniques with its ability to make a
determination when presented with evidence of a breach of a Canadian statute.

The Commissioner’s decision was subsequently overturned by the Federal Court on a
judicial review application.78 The Federal Court began by noting that the scope of
PIPEDA’s application is not universal:

       “Parliament cannot have intended that PIPEDA govern the collection and use of
       personal information worldwide. For instance, if Ms. Lawson were an American
       working in the United States, PIPEDA would have no application. Regulatory and
       investigative functions (as opposed to judicial) must have some connection with
       the state which enacts the underlying legislation.”79

The Court then went on to decide that the Commissioner did have jurisdiction to
investigate, based on the scope of PIPEDA, in respect of the use outside of Canada of
information about Canadians or information that originated in Canada.

Since the release of the Federal Court’s ruling in February 2007, the Commissioner has
dealt with a number of international privacy breach issues. In the Investigation Report
concerning TJX Companies Inc./Winners Merchant International L.P.,80 the
Commissioner dealt with a well-documented privacy breach in which TJX suffered a
network computer intrusion affecting the personal information of an estimated 45 million
payment cards in Canada, the United States, Puerto Rico, the United Kingdom and
Ireland. Unlike in previous investigations of international breaches, the Commissioner
had no difficulty finding that she had jurisdiction to investigate the breach.

       “The Office of the Privacy Commissioner of Canada had jurisdiction to investigate
       because TJX/WMI conducts commercial activities in Canada. The Information
       and Privacy Commissioner of Alberta had jurisdiction in this case because WMI
       is an organization, as defined in subsection 1(i) of [Alberta] PIPA, and it operates
       in Alberta. Some of the personal information in question was collected in the
       organization’s Alberta stores. The jurisdiction of the two Offices in this joint
       investigation applies primarily to the personal information collected during
       purchases made in Canada and subsequently disclosed as part of the data
       breach, as well as personal information collected during unreceipted return
       transactions at WMI stores.”81

In the result, the Commissioner concluded that TJX had breached PIPEDA by not
employing adequate security steps, and recommended various steps be taken to correct
the past problems.



78
       Lawson v. Accusearch Inc., [2007] 4 F.C. 314, available online at
       http://www.canlii.org/en/ca/fct/doc/2007/2007fc125/2007fc125.html
79
       At para. 38.
80
       http://www.privcom.gc.ca/cf-dc/2007/TJX_rep_070925_e.asp. The investigation was conducted
       jointly with the Alberta IPC.
81
       At para. 8.

       (b)     Dealing With International Privacy Breaches

As the discussion in the previous section makes clear, the federal and provincial
Commissioners will have an interest in any privacy breach that involves personal
information that originated from a Canadian source or is about Canadians. Organizations
would therefore be well advised to involve Canadian regulators at an early stage of the
investigation of any data breach.

The concerns of Canadian organizations may extend well beyond the borders of
Canada, however. Many jurisdictions outside of Canada enforce privacy laws and
regulations that carry penalties (financial and otherwise) that are far more draconian than
those applicable under Canadian privacy laws. In some jurisdictions, these penalties can
also be applied against officers and directors of organizations. Unless an organization
and its senior staff are certain that they will remain in Canada for the rest of their lives,
and are equally certain that orders under foreign statutes will not be enforced in Canada,
consideration must be given to actual or potential breaches of foreign laws.

Most jurisdictions have a minimum standard for the application of their laws to foreign
individuals and organizations. While the tests are not consistent in all jurisdictions, most
are similar to the Canadian test in assessing the contacts between the foreign entities
and the jurisdiction in question. In the privacy breach context, it is likely safe to assume
that any time an organization suffers a privacy breach involving either personal
information about residents or citizens of a foreign jurisdiction or personal information
that was accessed in a foreign jurisdiction, the privacy laws of that jurisdiction will apply
to the investigation and the response to the breach. Foreign privacy laws may require
the organization to undertake specific actions that may not be necessary under
Canadian law, such as notification to regulators, consumers and other entities, as well as
specific remediation and risk reduction techniques such as offering credit monitoring and
counselling services to affected consumers.

Canadian organizations must include in their privacy breach remediation plans both
proactive and reactive steps relating to the potential effect of foreign privacy laws. In
particular, organizations must assess the nature of the personal information that they
have in their possession or control to determine whether a significant amount of that
information is about foreign residents or citizens, and whether personal information in
their possession or control is stored or processed in a foreign jurisdiction. In either case,
the organization should compile a list of the jurisdictions in which it is possible that a
privacy breach could engage the application of local privacy laws, and should then have
local counsel prepare a summary of the local privacy laws that could be applicable in the
event of a privacy breach. The organization’s breach response protocol should then be
adjusted to take into account the potential application of foreign privacy laws.

6.     Conclusion

While the unauthorized exposure of personal information files is not new, the number
and breadth of such data breaches appears to be increasing as a result of a combination
of concerted criminal action, larger amounts of data being collected and therefore
available to be disclosed, continuing use of vulnerable communication and storage
methods and more intense media coverage of privacy breaches and identity theft issues.

Business organizations and their advisors must not only stay abreast of the most recent
developments and be aware of the steps being taken internally to prevent privacy
breaches, but also continually influence others in the organization to make privacy
security a “top of mind” issue for everyone. Perhaps most importantly, organizations
must be aware of the importance of being prepared for the possibility of a privacy
breach. No matter what security measures have been taken, they can only reduce, not
eliminate, the chances that a breach will occur. The only effective way to minimize the
impact of a breach is to be properly prepared to deal with the worst case scenario, and
then hope it never happens.

Data Breach White PaperData Breach White Paper
Data Breach White Paper
 
Data Breach White Paper
Data Breach White PaperData Breach White Paper
Data Breach White Paper
 
Data Security and Regulatory Compliance
Data Security and Regulatory ComplianceData Security and Regulatory Compliance
Data Security and Regulatory Compliance
 
Issue Paper Year Of The Breach Final 021706
Issue Paper Year Of The Breach Final 021706Issue Paper Year Of The Breach Final 021706
Issue Paper Year Of The Breach Final 021706
 
The Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdf
The Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdfThe Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdf
The Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdf
 
Case for-secure-email-encryption
Case for-secure-email-encryptionCase for-secure-email-encryption
Case for-secure-email-encryption
 
Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)
Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)
Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)
 
Privacy Access Letter I Feb 5 07
Privacy Access Letter I   Feb 5 07Privacy Access Letter I   Feb 5 07
Privacy Access Letter I Feb 5 07
 
Anonos NTIA Comment Letter letter on ''Big Data'' Developments and How They I...
Anonos NTIA Comment Letter letter on ''Big Data'' Developments and How They I...Anonos NTIA Comment Letter letter on ''Big Data'' Developments and How They I...
Anonos NTIA Comment Letter letter on ''Big Data'' Developments and How They I...
 
Data breach protection from a DB2 perspective
Data breach protection from a  DB2 perspectiveData breach protection from a  DB2 perspective
Data breach protection from a DB2 perspective
 
Review questions
Review questionsReview questions
Review questions
 
WCIT 2014 Matt Stamper - Information Assurance in a Global Context
WCIT 2014 Matt Stamper - Information Assurance in a Global ContextWCIT 2014 Matt Stamper - Information Assurance in a Global Context
WCIT 2014 Matt Stamper - Information Assurance in a Global Context
 
httpsdigitalguardian.comblogsocial-engineering-attacks-common.docx
httpsdigitalguardian.comblogsocial-engineering-attacks-common.docxhttpsdigitalguardian.comblogsocial-engineering-attacks-common.docx
httpsdigitalguardian.comblogsocial-engineering-attacks-common.docx
 
Data Privacy Compliance
Data Privacy ComplianceData Privacy Compliance
Data Privacy Compliance
 
CSMFO 2012 Data Privacy in Local Government
CSMFO 2012 Data Privacy in Local GovernmentCSMFO 2012 Data Privacy in Local Government
CSMFO 2012 Data Privacy in Local Government
 
Unit 6 Privacy and Data Protection 8 hr
Unit 6  Privacy and Data Protection 8 hrUnit 6  Privacy and Data Protection 8 hr
Unit 6 Privacy and Data Protection 8 hr
 
Cost of Data Breah in Healthcare_Quinlan, Courtney
Cost of Data Breah in Healthcare_Quinlan, CourtneyCost of Data Breah in Healthcare_Quinlan, Courtney
Cost of Data Breah in Healthcare_Quinlan, Courtney
 
wp-follow-the-data
wp-follow-the-datawp-follow-the-data
wp-follow-the-data
 
DBryant-Cybersecurity Challenge
DBryant-Cybersecurity ChallengeDBryant-Cybersecurity Challenge
DBryant-Cybersecurity Challenge
 
Does Your Organization Have A Privacy Incident Response Plan?
Does Your Organization Have A Privacy Incident Response Plan?Does Your Organization Have A Privacy Incident Response Plan?
Does Your Organization Have A Privacy Incident Response Plan?
 

More from canadianlawyer

Privacy, Privilege And Confidentiality For Lawyers
Privacy, Privilege And Confidentiality For LawyersPrivacy, Privilege And Confidentiality For Lawyers
Privacy, Privilege And Confidentiality For Lawyerscanadianlawyer
 
Hayes Privacy And Social Media PowerPoint, October 29, 2010
Hayes   Privacy And Social Media PowerPoint, October 29, 2010Hayes   Privacy And Social Media PowerPoint, October 29, 2010
Hayes Privacy And Social Media PowerPoint, October 29, 2010canadianlawyer
 
Hayes Privacy And Social Media Paper, October 29, 2010
Hayes   Privacy And Social Media Paper, October 29, 2010Hayes   Privacy And Social Media Paper, October 29, 2010
Hayes Privacy And Social Media Paper, October 29, 2010canadianlawyer
 
Social Media And Privacy October 9 2009
Social Media And Privacy October 9 2009Social Media And Privacy October 9 2009
Social Media And Privacy October 9 2009canadianlawyer
 
Privacy Breaches - The Private Sector Perspective
Privacy Breaches  - The Private Sector PerspectivePrivacy Breaches  - The Private Sector Perspective
Privacy Breaches - The Private Sector Perspectivecanadianlawyer
 
"Some 2009 Copyright Issues" June 4 2009
"Some 2009 Copyright Issues" June 4 2009"Some 2009 Copyright Issues" June 4 2009
"Some 2009 Copyright Issues" June 4 2009canadianlawyer
 
Privacy Breaches In Canada Lsuc It.Can May 1 2009 (Plain Background)
Privacy Breaches In Canada Lsuc It.Can May 1 2009 (Plain Background)Privacy Breaches In Canada Lsuc It.Can May 1 2009 (Plain Background)
Privacy Breaches In Canada Lsuc It.Can May 1 2009 (Plain Background)canadianlawyer
 
Internet Copyright Law
Internet Copyright  LawInternet Copyright  Law
Internet Copyright Lawcanadianlawyer
 
User Generated Content And Copyright
User Generated Content And CopyrightUser Generated Content And Copyright
User Generated Content And Copyrightcanadianlawyer
 
Privacy Breaches - The Private Sector Perspective
Privacy Breaches - The Private Sector PerspectivePrivacy Breaches - The Private Sector Perspective
Privacy Breaches - The Private Sector Perspectivecanadianlawyer
 
Leveraging Jurisdictional Differences in Copyright Litigation
Leveraging Jurisdictional Differences in Copyright LitigationLeveraging Jurisdictional Differences in Copyright Litigation
Leveraging Jurisdictional Differences in Copyright Litigationcanadianlawyer
 

More from canadianlawyer (11)

Privacy, Privilege And Confidentiality For Lawyers
Privacy, Privilege And Confidentiality For LawyersPrivacy, Privilege And Confidentiality For Lawyers
Privacy, Privilege And Confidentiality For Lawyers
 
Hayes Privacy And Social Media PowerPoint, October 29, 2010
Hayes   Privacy And Social Media PowerPoint, October 29, 2010Hayes   Privacy And Social Media PowerPoint, October 29, 2010
Hayes Privacy And Social Media PowerPoint, October 29, 2010
 
Hayes Privacy And Social Media Paper, October 29, 2010
Hayes   Privacy And Social Media Paper, October 29, 2010Hayes   Privacy And Social Media Paper, October 29, 2010
Hayes Privacy And Social Media Paper, October 29, 2010
 
Social Media And Privacy October 9 2009
Social Media And Privacy October 9 2009Social Media And Privacy October 9 2009
Social Media And Privacy October 9 2009
 
Privacy Breaches - The Private Sector Perspective
Privacy Breaches  - The Private Sector PerspectivePrivacy Breaches  - The Private Sector Perspective
Privacy Breaches - The Private Sector Perspective
 
"Some 2009 Copyright Issues" June 4 2009
"Some 2009 Copyright Issues" June 4 2009"Some 2009 Copyright Issues" June 4 2009
"Some 2009 Copyright Issues" June 4 2009
 
Privacy Breaches In Canada Lsuc It.Can May 1 2009 (Plain Background)
Privacy Breaches In Canada Lsuc It.Can May 1 2009 (Plain Background)Privacy Breaches In Canada Lsuc It.Can May 1 2009 (Plain Background)
Privacy Breaches In Canada Lsuc It.Can May 1 2009 (Plain Background)
 
Internet Copyright Law
Internet Copyright  LawInternet Copyright  Law
Internet Copyright Law
 
User Generated Content And Copyright
User Generated Content And CopyrightUser Generated Content And Copyright
User Generated Content And Copyright
 
Privacy Breaches - The Private Sector Perspective
Privacy Breaches - The Private Sector PerspectivePrivacy Breaches - The Private Sector Perspective
Privacy Breaches - The Private Sector Perspective
 
Leveraging Jurisdictional Differences in Copyright Litigation
Leveraging Jurisdictional Differences in Copyright LitigationLeveraging Jurisdictional Differences in Copyright Litigation
Leveraging Jurisdictional Differences in Copyright Litigation
 

Recently uploaded

Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 

Recently uploaded (20)

Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 

Privacy Breaches In Canada It.Can May 1 2009

  • 1. Privacy Breaches in Canada – Some Legal and Practical Considerations Mark S. Hayes1 1. Introduction It would be largely redundant to expound at length on the increasing prevalence of real and potential breaches of personal information security.2 Everyone reading this is likely more than aware that rarely does a week go by where there is not a new story in the media about a tape going missing, a laptop being stolen or a server being hacked into. In each case, the personal information of many thousand, or even many million, individuals is or could be compromised and potentially used for a wide variety of nefarious purposes, including fraud, identity theft, harassment and stalking.3 Similarly, most readers will be very familiar with the potential damage that a privacy breach can cause to the reputation and business of an organization, not to mention the costs that can be incurred in investigating and remedying the problem.4 Rather than rehashing the dire warnings that always accompany any discussion about privacy breaches, this paper will try to summarize the current answers that a legal advisor might provide to the three questions almost inevitably asked by an organization that has just suffered a privacy breach. These questions are, in no order of importance: Do we have to tell anyone about this? What the heck5 should I do about this? Can we be liable for this? 1 Partner, Hayes eLaw LLP, Toronto. © Mark S. Hayes, 2009. This article is intended to be a general review of law and should not be considered to be legal advice or to create a solicitor-client relationship between the author and/or Hayes eLaw LLP and any reader. If you wish further information about any of the topics discussed in this article, please consult a lawyer. Any opinions expressed in this article are solely those of the author and do not necessarily represent the position of Hayes eLaw LLP or any of its clients. 
2 Although the terminology is subject to various permutations, this paper will interchangeably use the terms “privacy breach,” security breach” and “data breach” to refer to unauthorized access to or alteration of personal information in the possession or control of an organization. 3 See “A Chronology of Data Breaches” compiled by the Privacy Rights Clearinghouse, http://www.privacyrights.org/ar/ChronDataBreaches.htm, for a somewhat subjective listing of the major privacy breaches that have taken place worldwide. 4 The most recent U.S. estimates of the financial costs to organizations of data breaches found that in 2008 the average total cost of a data breach was $6.65 million, up from $6.35 million in 2007 and $4.54 in 2005. In 2008, the per-victim cost of a data breach was $202, up from $197 in 2007, and from $138 when the study was launched in 2005: see “Costs of a Data Breach: Can You Afford $6.65 Million?”, Computerworld, February 4, 2009, http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9127376 (visited April 19, 2009). 5 Other exclamatory words and/or phrases are sometimes substituted.
  • 2. Privacy Breaches in Canada Page |2 Not surprisingly, the answers to each of these questions will in many instances be quite specific to the organization and its business, as well as the nature of the privacy breach itself. In addition, the law in this area is developing quickly, and the answers outlined below will be quite different from what a client would have been told a year ago, and quite likely the answers in a year from now will likely again have changed. Nevertheless, there are some fundamental principles at work that will continue to be useful even as some of the details and relevant legislation changes over time. 2. Do I Have To Tell Anyone About This? Privacy breach notification is a hot button issue. A relatively large number of high profile privacy breaches have quickly made privacy breach notification one of the first issues that organizations look to resolve once the possibility of a breach is raised. Many studies and papers have questioned whether there is any rational basis for compulsory consumer notification requirements, citing problems with over-notification, “notice fatigue,” excessive costs of notification compared with relatively small benefits to consumers, and other issues.6 Most justifications for compulsory notice requirements concentrate on increasing consumer choice, the comfort that notices allegedly give consumers and the impact that a requirement to provide consumer notice on organizations, generally leading to increased security measures for personal information.7 The limited empirical evidence that exists about the impact of compulsory privacy breach notification seems to show that notice does little to prevent or ameliorate identity theft. 
A 2008 study by three professors at Carnegie Mellon University found “no statistically significant effect that [compulsory notification] laws reduce identity theft, even after considering income, urbanization, strictness of law and interstate commerce” and that the “maximum effectiveness [of such laws] is inherently limited.”8 Notwithstanding the lack of clear evidence that compulsory breach notification laws have any real world benefits, most US states have now passed legislation requiring 6 An extensive discussion of these issues is beyond the scope of this paper. Some papers of interest include Lenard and Rubin, “An Economic Analysis of Notification Requirements for Data Security Breaches,” http://papers.ssrn.com/sol3/papers.cfm?abstract_id=765845 (visited May 23, 2007) and Turner, “Towards A Rational Personal Data Breach Notification Regime,” http://www.infopolicy.org/pdf/data-breach.pdf (visited May 23, 2007). 7 See, for example, the Canadian Internet Policy and Public Interest Clinic‟s publication “Approaches To Security Breach Notification,” http://www.cippic.ca/en/bulletin/BreachNotification_9jan07- web.pdf (visited May 23, 2007; the “CIPPIC White Paper”), which argues, without any empirical evidence, that “There can be no question that, if they are legally obligated to report security breaches and thus to incur related reputational and business costs, organizations will be more inclined to ensure better security measures and thus to prevent breaches from occurring in the first place.” (at page 23). This conclusion ignores the fact that the costs, inconvenience and reputational damage to an organization will occur whether or not an organization has been fully diligent in providing security for personal information records. Many privacy breaches occur due to happenstance and bad luck rather than negligence, but identical costs and risks are visited on organizations which take reasonable and appropriate security measures and those that do not. 
8 Sasha Romanosky, Rahul Telang, Alessandro Acquisti, “Do Data Breach Disclosure Laws Reduce Identity Theft?”, http://weis2008.econinfosec.org/papers/Romanosky.pdf (visited April 19, 2009)
  • 3. Privacy Breaches in Canada Page |3 organizations to notify individuals and/or privacy regulators following an unauthorized disclosure of personal information.9 Canada has not moved as quickly to require compulsory notification, although, as is discussed below, changes are likely to be on the way. (a) Ontario PHIPA To date, the only Canadian privacy statute that explicitly requires breach notification is the Ontario Personal Health Information Protection Act (“PHIPA”),10 which states as follows: Notice of loss, etc. 12 (2) Subject to subsection (3) and subject to the exceptions and additional requirements, if any, that are prescribed, a health information custodian that has custody or control of personal health information about an individual shall notify the individual at the first reasonable opportunity if the information is stolen, lost, or accessed by unauthorized persons. ... There have been no regulations promulgated that limit the extent of the notification requirement in section 12(2), but the Ontario Information and Privacy Commissioner (OIPC) has issued three formal Orders and thirty reports dealing with the section 12(2) obligations, and these resources have somewhat sharpened the contours of the notification obligation. In Order HO-004,11 the OIPC dealt with a laptop computer that was stolen from the car of a physician at the Toronto Hospital for Sick Children. The laptop contained personal health information of former and current patients of the hospital. The amount of information relating to each patient varied widely, but some of it was of a very sensitive nature. The laptop had an 8 digit alphanumeric password, but the data was not encrypted. The hospital proactively took the following notification steps: All active patients, that is, those who have been seen at the hospital within the last two years, and for which the hospital had current contact information, were notified of the incident by way of a written letter from the hospital. 
9 See the Perkins Coie “Security Breach Notification Chart,” available at http://www.digestiblelaw.com/files/upload/securitybreach.pdf (visited April 19, 2009) for a summary of the current U.S. state laws. As of June 24, 2008, the chart shows that 46 states have enacted some type of privacy breach notification law. These laws vary widely in their details. 10 S.O. 2004, c. 3, Sch. A. 11 http://www.ipc.on.ca/images/Findings/up-3ho_004.pdf (visited May 24, 2007).
  • 4. Privacy Breaches in Canada Page |4 Where the information contained on the laptop computer was of a sensitive nature, active patients and their families are being notified of the theft in person, at clinic appointments. The hospital issued a press release, which was also posted on its Internet site. The OIPC found that the notification steps taken by the hospital satisfied section 12(2). The OIPC noted that it was probably not advisable in these circumstances to send notifications to addresses that were more than two years old, since this might cause a further privacy breach. In addition, when the hospital was aware that an individual whose personal health information had been on the laptop was deceased, there was no need to provide notification. Order HO-00512 involved a situation where the CBC was contacted by an individual who, much to his surprise, had viewed an image of a toilet in a washroom on their vehicle‟s back up camera monitor while driving by a methadone clinic. A CBC reporter returned to the area after consulting a security expert and was able, through a wireless connection, to view a female patient at the clinic while in the washroom. On investigation, the OIPC determined that the clinic wirelessly monitored patients providing urine samples to ensure that the samples provided for drug testing emanate from the correct source and are not tampered with. This practice is in accordance with the Methadone Maintenance Guidelines published by the College of Physicians and Surgeons of Ontario and other related guidelines. Patients also provide informed consent by entering into a written agreement with the Clinic, in which the patient agrees to provide supervised urine samples for drug screening purposes. 
After learning of the actual and potential interception of the images from the washroom, the clinic posted a notice in its waiting room notifying current patients of the incident and identifying the steps taken to contain the damage and to prevent this type of incident from occurring again. The OIPC found that no additional notice was required. Even though former clients may not have become aware of the waiting room notice, the OIPC was satisfied that, because of the extensive media coverage of the incident, it was likely that former clients would have become aware of the incident by way of the media. The PHIPA decisions on notification of affected individuals are obviously of great interest generally. However, because the notification provision of PHIPA is compulsory, there is little discussion in the OIPC PHIPA decisions about whether or not to notify affected individuals, and far more analysis about what type of notification should be made. As a result, an organization not subject to compulsory notification requirements must examine those decisions that have been made in a jurisdiction in which there is no notification obligation in order to understand the factors to be considered in deciding whether to notify. 12 http://www.ipc.on.ca/images/Findings/up-ho_005.pdf (visited April 19, 2009)
(b) Notification as a Required Component of General Security Obligations

As is discussed in more detail in section 4(a) below, all private sector privacy statutes contain some general obligation to keep personal information secure and prevent unauthorized disclosure, alteration or destruction. For example, the federal Personal Information Protection and Electronic Documents Act13 (“PIPEDA”) states that “personal information shall be protected by security safeguards appropriate to the sensitivity of the information,”14 but provides little else by way of guidance as to how this standard is to be met.

In January 2006, the Privacy Commissioner of the Australian State of Victoria decided that, even though Victoria’s privacy statute does not contain any explicit notification obligation, its general security obligation (which was similar to that in PIPEDA) created an obligation, except in extraordinary circumstances, to notify individuals of a privacy breach. The Commissioner stated:

    9.3.1 The presumption is that privacy breaches ought to be notified to those whom they potentially affect.

    9.3.2 The starting point is the objects section of the Information Privacy Act, in which Parliament made it clear that the collection and handling of personal information is to be responsible and transparent. Part of being open about the handling of people’s personal information is to tell them when something goes wrong and to explain to them what has been done to try to avoid or remedy any actual or potential harm. Where there is a reasonably foreseeable risk of harm, notification gives people an opportunity to take steps themselves to avoid or mitigate harm.

    9.3.3 In exceptional circumstances, notification may be neither necessary nor desirable.15

This decision has been cited by many privacy advocates, who have argued that even the general security obligations contained in PIPEDA or the provincial private sector personal information privacy statutes will, in appropriate circumstances, obligate an organization to notify affected individuals.16

13 S.C. 2000, c. 5.
14 Principle 4.7.
15 Privacy Commissioner, State of Victoria Report 01.06: “Jenny's case: Report of an investigation into the Office of Police Integrity pursuant to Part 6 of the Information Privacy Act 2000” (February 2006), http://www.privacy.vic.gov.au/dir100/priweb.nsf/download/27DAEE1EBC21E085CA257123000A3688/$FILE/OVPC_Report_0106.pdf (visited May 23, 2007), at 65.
16 For example, the CIPPIC White Paper cited the decision of the Victoria Privacy Commissioner as one of the justifications for recommending an explicit notification requirement in proposed amendments to PIPEDA (at page 21).
Canadian regulators have taken a cautious approach to the notification issue thus far. In a decision involving personal information that was left on used computer tapes sold at a B.C. government auction,17 the B.C. IPC declined to decide that the general security obligation in B.C.’s public sector privacy legislation18 implied an obligation to notify affected individuals in all but exceptional cases, but did find that notification should be considered by government bodies as one way to minimize the impact of a privacy breach on affected individuals.

Since the release of BC Report F06-01, there appears to be almost universal support for the proposition that, although private sector privacy statutes do not contain a compulsory breach notification requirement, they do imply an obligation to at least consider the appropriateness of notification of individuals affected by a privacy breach. In December 2006, the B.C. and Ontario IPCs published a “Breach Notification Assessment Tool” (the “Tool”)19 that sets out a number of steps to be taken by an organization in deciding whether to notify individuals or regulators about a privacy breach, and presumes that notification will be required in some, but not all, circumstances.20 The federal Commissioner and several other provinces have since published their own breach notification guidelines.21

Notwithstanding all of these developments, the House of Commons Committee studying potential reforms to PIPEDA concluded, apparently based on submissions from the federal Commissioner, that under PIPEDA “notification is voluntary,” although organizations “for the most part, feel that they already have a duty to notify individuals in instances of significant security breaches involving personal information.”22

Despite the lack of an explicit obligation to notify in any of the Canadian private sector privacy laws of general application, it now appears clear that there likely will be implied in at least some situations an obligation to make such notification as part of a general obligation to keep personal information secure. While not stating that breach notification is required, recent case summary reports by the federal Commissioner seem to imply that organizations will be taken to task if such notification is not made within a reasonable time after the breach is discovered.23

17 B.C. Investigation Report F06-01, “Sale Of Provincial Government Computer Tapes Containing Personal Information,” March 31, 2006, http://www.oipc.bc.ca/orders/investigation_reports/InvestigationReportF06-01.pdf (visited May 23, 2007; “BC Report F06-01”).
18 Freedom of Information and Protection of Privacy Act, R.S.B.C. 1996, c. 165 (“B.C. FIPPA”).
19 http://www.ipc.on.ca/images/Resources/up-ipc_bc_breach.pdf (visited May 23, 2007).
20 The specifics of the Tool are discussed in detail in section 2(f) below.
21 See the federal Privacy Breach Checklist, http://www.privcom.gc.ca/information/guide/2007/gl_070801_checklist_e.pdf. Provincial tools include the Newfoundland and Labrador Privacy Breach Notification Assessment Tool (January 2008), http://www.justice.gov.nl.ca/just/civil/atipp/PrivacyBreachNotificationAssessmentTool.pdf; Saskatchewan Privacy Breach Guidelines, http://www.oipc.sk.ca/Resources/Privacy%20Breach%20Guidelines1%20(3).pdf; Alberta Key Steps in Responding to Privacy Breaches, http://www.oipc.ab.ca/ims/client/upload/Key%20Steps%20in%20Responding%20to%20a%20Privacy%20Breach%202007.pdf (all visited April 19, 2009).
22 See section 2(d) below for a full discussion of the Committee’s recommendation for instituting a form of voluntary breach notification.
23 See, for example, PIPEDA Case Summary #393, Laptop theft at bank and long delay before informing victims were both avoidable, http://www.privcom.gc.ca/cf-dc/2008/393_20080611_e.asp.

(c) Other Potential Obligations to Notify

In addition to any obligations that may arguably be imposed by private sector privacy statutes, organizations have to consider whether they may be otherwise required to make disclosure to affected individuals after a privacy breach. For example:

    - specific laws, regulations, industry codes of conduct or other rules applicable to an organization may require disclosure;
    - the organization may be subject to contractual requirements that require disclosure;
    - the nature of the relationship between the organization and the individual whose personal information has been the subject of the security breach may mandate disclosure, such as where the organization is a fiduciary or agent for the individual.

(d) Proposals for Reform

Like many other federal statutes, PIPEDA mandates a five-year review process. From November 2006 through February 2007, the House of Commons Standing Committee on Access to Information, Privacy and Ethics (the “Committee”) heard submissions on potential amendments to PIPEDA, and in May 2007 its report was presented to the House.24 One of the most contentious issues dealt with by the Committee was that of breach notification. The main submissions referred to by the Committee in its Report made a number of disparate proposals:

    - Most business organizations argued that there was no need for the addition of compulsory breach notification requirements since organizations “for the most part, feel that they already have a duty to notify individuals in instances of significant security breaches involving personal information.”25 They were supportive of discretionary notification tools such as the Privacy Breach Notification Tool created by the Ontario and B.C. IPCs.26

24 See http://cmte.parl.gc.ca/cmte/CommitteePublication.aspx?COM=10473&Lang=1&SourceId=204322 for a copy of the Committee’s Report.
25 Committee Report, page 41.
26 This Tool is discussed in detail in section 2(f) below.
    - At the other end of the spectrum, a number of privacy advocacy groups argued that PIPEDA should be amended to add strict breach notification requirements modelled on those introduced by California and other U.S. states. In particular, these groups argued that organizations should not have any discretion in deciding whether a privacy breach was significant enough to justify notifying affected individuals, but that decisions about what steps to take in the face of a real or potential privacy breach should be up to the affected individual after receiving notification.

    - Several commentators urged the Committee to take a cautious approach to any recommendation that notification be made compulsory. The B.C. IPC noted that “there is no evidence available yet to demonstrate that mandatory notification is actually a cost-effective way to reduce the risk of identity theft related to security breaches.”27

    - The federal Commissioner was somewhat equivocal in her position about compulsory breach notification. While she was generally supportive of some form of breach notification requirement, she at first told the Committee that compulsory notification did not fit well into the structure of PIPEDA and that there was no easy way to penalize organizations that did not provide required notifications. At a later appearance before the Committee, however, the Commissioner expressed the view that, in light of a number of recent serious privacy breaches, she would recommend the addition of a breach notification requirement, even though she did not think that such a provision would change greatly the present practice of organizations subject to PIPEDA.
In its Report, the Committee preferred a model that would require notification to the federal Commissioner of some, but not all, privacy breaches, and the Commissioner would then have discretion to determine whether individual notices were warranted and what their form should be.28 The Committee noted that requiring notification to the Commissioner of each and every privacy breach, no matter how trivial or uncertain, would place a great strain on the already over-taxed resources of the Commissioner’s office, but nevertheless suggested that this was the appropriate model.

On October 17, 2007, the Government of Canada tabled in Parliament its response to the Committee’s Report.29 The Government proposed that the Privacy Commissioner be notified of any major breach of personal information, and that affected individuals and organizations be notified when there is a high risk of significant harm resulting from the breach. Industry Canada subsequently sought public comment on the breach notification issue.30 In June 2008, Industry Canada released a Model for Data Breach Reporting and Notification under PIPEDA, which was presented as a working model to provide additional background to assist in framing and considering the proposed legislative amendments to PIPEDA. As a result of the intervening election and the focus of the Government on economic issues, there has been no further activity on the implementation of PIPEDA reforms since June 2008.

27 Committee Report, page 43.
28 Committee Report, pages 44-45.
29 http://www.ic.gc.ca/eic/site/ic1.nsf/eng/00317.html
30 http://www.gazette.gc.ca/archives/p1/2007/2007-10-27/html/notice-avis-eng.html

(e) Encryption and Passwords

Generally, the use of strong encryption (currently a minimum of 128-bit) of data containing personal information (or some other appropriate security methodology that prevents unauthorized access to personal information) will prevent any notification obligation from arising even if the media containing the data is lost or stolen. This exemption is explicit in many (but not all) of the U.S. state laws that mandate privacy breach notification, and has been implied in situations where there is an otherwise unqualified obligation to notify. For example, in Order HO-004, the OIPC stated as follows:

    [T]o the extent that personal health information on a mobile computing device has been encrypted to protect it from unauthorized access, I would not consider the theft or loss of that device to be a loss or theft of PHI. [PHIPA] requires custodians to notify an individual at the first reasonable opportunity if [personal health information] is stolen, lost or accessed by unauthorized persons. If the case can be made that the [personal health information] was not stolen, lost or accessed by unauthorized persons as a result of the loss or theft of a mobile computing device because the data were encrypted (and encrypted data does not relate to identifiable individuals), the custodian would not be required to notify individuals under [PHIPA].31

In the same Order, the OIPC stated that an acceptable alternative to the use of laptop computers or other mobile devices containing copies of personal information files is the use of secure Internet access methods or virtual private networks, provided that temporary copies of the personal information are not inadvertently cached or otherwise stored on the device after the connection to the central data storage facility is terminated.

On the other hand, Canadian privacy regulators have unanimously rejected the use of passwords (whether applied to entire devices such as laptops or individual files containing personal information) as a sufficient protection for personal information that is located on electronic media that becomes subject to unauthorized access.32

It therefore seems clear that one of the prevention strategies that can be used by organizations to minimize the likelihood that they will be required to notify affected individuals about a data breach is to ensure that all data that contains personal information is encrypted, especially if any of that information will at any time be stored on a mobile device or otherwise removed from the organization’s premises or made available by some type of remote access.

31 Order HO-004, note 11 above, at page 20.
32 See, for example, Order HO-004 at pages 8 and 19; Alberta IPC “Report of an Investigation into the Security of Personal Information”, September 26, 2006, MD Management Ltd., Investigation Report P2006-IR-005 (“MD Management”), http://www.oipc.ab.ca/ims/client/upload/ACFAB50.pdf (visited May 24, 2007).

(f) Strategies Surrounding Notification

Even if there is no clear legal obligation to notify either individual consumers or privacy regulators, an organization that has suffered a data breach must consider very carefully whether the best course is to try to keep the breach secret in the hope that nothing will happen. While there are a number of estimates by commentators that only a small percentage of personal information security breaches actually result in identity theft, fraud or some other damage to consumers, the unexpected public revelation of a previously unreported data breach will usually have a negative impact on the organization that far exceeds the impact of a carefully managed disclosure, whether by way of press release, advertisement or notice to affected individuals.

While it is unlikely that such unexpected public disclosure will result from consumers suffering losses, tracing the breach back to the organization and then reporting the breach to the media or a privacy regulator, there are many other ways that an unexpected disclosure of a privacy breach can occur, including periodic financial audit and reporting requirements, internal “whistleblowers”33 and unrelated regulatory audits or investigations. As a result, an organization would generally be well advised not to rely solely on continuing secrecy as a strategy for avoiding the potential negative impact of the publicity surrounding a privacy breach.

The decision to disclose a data breach and/or to notify affected individuals therefore becomes a risk-management exercise in which an organization must assess the potential risks to the organization (including both reputational risks and potential financial risks) and to affected individuals.
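The encryption point from section 2(e) bears directly on this risk assessment: if lost media hold only ciphertext and the key is kept elsewhere, the reasoning of Order HO-004 is that the personal information itself was not lost, whereas a password gate in front of plaintext protects nothing once the media are in someone else's hands. The following Go program is an added illustration of that distinction; it is not code from the paper, from any regulator or from any tool the paper discusses. The patient record and record identifier are constructed sample values, and the program assumes the organization keeps the key in a key-management system rather than on the mobile device. It uses authenticated encryption (AES-256-GCM from Go's standard library), binds the record identifier as additional authenticated data so a ciphertext cannot be re-labelled, and includes a helper that models the password-only case by checking whether the stored bytes still expose the plaintext.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sampleRecord is a constructed example of the kind of personal health
// information a clinic might carry on a laptop. Not real data.
var sampleRecord = []byte("Patient: Jane Doe; health card no. 0000 000 000; Dx: hypertension")

// NewKey generates a fresh 256-bit AES key. Assumption for this example:
// in production the key lives in a key manager or HSM, never alongside
// the ciphertext on the mobile device.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts one record with AES-256-GCM. recordID is bound as
// additional authenticated data, so a ciphertext moved to another
// record slot fails to open. Output layout: nonce || ciphertext || tag.
func Seal(key, recordID, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to dst; passing nonce as dst prefixes it.
	return gcm.Seal(nonce, nonce, plaintext, recordID), nil
}

// Open reverses Seal. A wrong key, a changed nonce, ciphertext or tag,
// or a mismatched recordID makes GCM's authentication fail, and no
// plaintext is returned.
func Open(key, recordID, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, recordID)
}

// LeaksPlaintext models the "password-protected but not encrypted" case
// the regulators rejected: if any 8-byte window of the plaintext appears
// verbatim in what is stored on the device, the password gate in the
// application is irrelevant to whoever holds the media.
func LeaksPlaintext(stored, plaintext []byte) bool {
	const window = 8
	for i := 0; i+window <= len(plaintext); i++ {
		if bytes.Contains(stored, plaintext[i:i+window]) {
			return true
		}
	}
	return false
}

func main() {
	key, _ := NewKey()
	id := []byte("record-0001") // constructed identifier
	sealed, _ := Seal(key, id, sampleRecord)
	fmt.Println("plaintext store exposes record:", LeaksPlaintext(sampleRecord, sampleRecord))
	fmt.Println("encrypted store exposes record: ", LeaksPlaintext(sealed, sampleRecord))

	// The device is found: the ciphertext is on it, the key is not.
	wrongKey, _ := NewKey()
	_, err := Open(wrongKey, id, sealed)
	fmt.Println("open with wrong key:", err)

	// Flipping one bit anywhere is detected rather than silently decrypted.
	tampered := append([]byte{}, sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Open(key, id, tampered)
	fmt.Println("open tampered copy:", err)

	pt, _ := Open(key, id, sealed)
	fmt.Println("authorized open:", string(pt))
}
```

Run it with `go run`; the outputs worth noting are the two failed openings. One caveat on the design: GCM nonces must never repeat under the same key, and a random 96-bit nonce per record is adequate at the volumes a single laptop holds, but a service encrypting very large numbers of records under one key should rotate keys or use a counter-based nonce scheme.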
Fortunately, there are a number of templates that have been developed by regulators and others to provide a framework for this analysis. The B.C. and Ontario Tool sets out a number of steps to be taken by an organization in deciding whether to notify individuals or regulators about a privacy breach. The Tool recommends that organizations follow four steps:

    Step 1: Notifying Affected Individuals
    Step 2: When and How to Notify
    Step 3: What to Include in the Notification
    Step 4: Others to Contact

33 Most Canadian private sector privacy statutes contain prohibitions on taking any retaliatory action against employees or others who report breaches of the statute. See, for example, sections 27, 27.1 and 28 of PIPEDA, which make retaliatory action against a whistleblower a criminal offence.
In Step 1, unless the organization is required to notify individuals due to statutory, regulatory or contractual requirements, the Tool suggests a contextual approach to determining whether notification should be made. The notification decision involves a consideration of various risks to affected individuals, including the risk of identity theft, the risk of physical harm to an individual (e.g. stalking), the risk of “hurt, humiliation, damage to reputation,” and the risk of loss to the individual of business or employment opportunities. Perhaps not surprisingly, the Tool does not explicitly weigh the potential risks and costs to the organization of providing notification into the decision whether or not to provide notice. Obviously, an organization should take into account the potential loss of reputation, embarrassment, financial cost and other damage that may be suffered if the organization notifies a large number of individuals about a privacy breach.

In Step 2, the Tool advises that notification should be made as soon as possible following a breach, unless there are reasons for delaying, such as avoiding compromising a criminal investigation. While not specifically mentioned in the Tool, it is often advisable to wait until there is reasonably reliable information that indicates that a data breach has in fact occurred. In many cases, data files or media are temporarily lost or simply cannot be located, but there is no evidence that there has been unauthorized access to the information.
There is little incentive for an organization to prematurely notify individuals about a potential privacy breach until it is clear that a breach has in fact occurred, and sending notices to individuals prematurely may in fact cause more harm than good, especially if it turns out that the personal information was not in fact accessed by any unauthorized individuals.34

This issue has recently been demonstrated in PIPEDA Case Summary #395,35 which dealt with a well publicized incident in which CIBC reported that it had lost track of a computer tape that was being couriered from Montreal to a suburb of Toronto. The tape contained personal information about more than 400,000 current and former clients of CIBC’s subsidiary Talvest Mutual Funds (Talvest). As is summarized in the Commissioner’s report, CIBC and Talvest conducted an exhaustive investigation into the whereabouts of the tape, and subsequently sent notifications to all of the individuals whose information was understood to have been on the tape. Unfortunately, after sending this notification, and suffering a great deal of adverse publicity as a result, CIBC and the Commissioner concluded after further investigations that it was likely that, due to lax security and audit procedures, the courier package (which was delivered damaged and empty to its destination) probably never contained the tape. This incident should serve as a cautionary tale for organizations who are all too often encouraged to rush to send consumer notifications before an incident is fully investigated and the scope and severity of the breach is determined.

34 For example, in BC Report F06-01, the BC IPC was satisfied that no-one had actually accessed or used the personal information on the government computer tapes that had been purchased at an auction, and there was therefore no reason to recommend that notice be given to individuals whose personal information was on the tapes, whether by individual notices or general advertisements.
35 Commissioner initiates safeguards complaint against CIBC, http://www.privcom.gc.ca/cf-dc/2008/395_20080925_e.asp
Step 2 of the Tool also provides an analysis of the most appropriate procedure for providing notification to affected individuals. While direct notification by letter or email is preferred, other notification methods may be justified where direct notification could cause further harm,36 is prohibitive in cost,37 or contact information is missing or likely to be inaccurate.38 Alternatives such as newspaper advertisements and personal visits at the next scheduled appointment may be employed in appropriate cases.

Step 3 of the Tool then provides general guidance about what information to include in the notices sent to individuals, including the date of the breach, a description of the breach and how it happened, a description of the information that was inappropriately accessed, collected, used or disclosed, a summary of the steps taken so far to control or reduce the harm and the future steps planned to prevent further privacy breaches. The Tool also suggests providing information about how individuals can protect themselves (such as how to contact credit reporting agencies in order to set up a credit watch and information explaining how to change a personal health number or driver’s licence number), information about how to complain to the appropriate privacy regulator and contact information for someone within the organization who can provide additional information and assistance and answer questions.

Lastly, Step 4 recommends that an organization consider contacting other agencies such as law enforcement (if it appears that the data breach resulted from a criminal act), the relevant Commissioner’s office, and/or appropriate professional or regulatory bodies and technical suppliers (if the breach was the result of a technical failure or an underlying vulnerability).

The Tool is an excellent starting point for any organization trying to deal with a privacy breach. Several caveats must be noted, however.
The Tool is clearly written from the point of view of the IPC, and therefore takes a very pro-privacy stance that ignores many concerns that an organization may have in dealing with these issues, such as how to deal with the media and other stakeholders. The Tool also does not give any guidance about how to draft notification letters or notices in order to make them effective and understandable. Therefore, while generally following the Tool is important for organizations that want to ensure that their notification strategies will likely receive the approval of the IPC, organizations should treat the Tool as a resource only and understand that there will be many additional steps that will have to be taken and decisions that will have to be made in order to successfully deal with a privacy breach.

Other useful resources and guidelines may be obtained from some of the U.S. states that have implemented privacy breach notification obligations. For example, the California Office of Privacy Protection has published “Recommended Practices on Notice of Security Breach Involving Personal Information”39 that includes sample notification letters that may be a useful starting point when notification is to be made.

36 This is often the case for medical information of current health care patients, who may suffer negative consequences as a result of receiving a generic notification letter. It is often recommended that alternatives such as personal visits or providing notification to caregivers be employed to minimize the potential negative results of notification.
37 The example given by the Tool is where there are a “very large number” of affected individuals.
38 In Order HO-004, note 11 above, the OIPC noted that sending notices to potentially outdated addresses might in itself lead to further privacy violations and should therefore be avoided.

3. What The Heck Should I Do About This?

There is no simple answer to this question, mainly since each individual situation may require different strategies to move towards the most effective response. As a general rule, however, organizations that handle significant amounts of personal information should consider creating a protocol for responding to privacy breaches before an incident occurs. The proactive development of such a protocol prior to the occurrence of a data breach has several advantages for an organization:

    - The organization will be better able to respond quickly and in a coordinated manner because the breach protocol will have anticipated some or all of the necessary steps to be taken.
    - The roles and responsibilities of the organization’s employees and service providers will be clarified.
    - The process by which the organization will conduct its investigation will be clarified.
    - The organization’s planned response to the privacy breach will be documented and available.
    - Effective containment of the privacy breach will be accelerated.
    - Any remediation efforts will be easier and faster.
    - The organization will be better prepared for the potential involvement of privacy and other regulators.
    - The organization will be better able to explain its response to the privacy breach to its managers, directors, shareholders, suppliers, customers and the media.

Although it is difficult to dispute that there is great value in the establishment of a privacy breach protocol, in my experience relatively few organizations that have not already suffered a privacy breach incident ever implement such a protocol.
This usually results from a variety of factors, including the cost (or perceived cost) of creating a breach protocol, the lack of a privacy coordinator with the skills or authority to ensure that a protocol is established and implemented, the fact that other organizations in the same industry have not developed their own protocol, and the general attitude that “it won’t happen to us.” The fact is, however, that an organization can significantly improve its level of privacy breach preparedness at little or no cost by taking a few simple steps, such as assembling a team to coordinate the response to a privacy breach (including representatives from such diverse functions as HR, IT, legal, marketing and government relations) and distributing evening and weekend telephone numbers of team members to ensure that everyone can be contacted quickly if an incident occurs.

39 http://www.privacyprotection.ca.gov/recommendations/secbreach.pdf (visited May 23, 2007).

While there is no blueprint breach protocol that can be used to respond to every privacy breach, there are a number of published guidelines that offer suggestions and assistance that can be used as a starting point. Many of these guidelines are directed to public sector data controllers, but contain recommendations that are useful for private sector organizations faced with a privacy breach. For example, the federal Treasury Board Secretariat has published “Guidelines for Privacy Breaches”40 to assist public sector data managers in dealing with the unauthorized release of personal information in the possession of the federal government, and the OIPC has published brochures entitled “What To Do If A Privacy Breach Occurs: Guidelines For Government Organizations,”41 “What To Do When Faced With A Privacy Breach: Guidelines For The Health Sector”42 and “Key Steps in Responding to Privacy Breaches.”43

Although they differ in their details, all of these Guidelines, and all of the standard advice given to private sector organizations faced with a security breach, suggest following the same general steps, which can be summarized as follows:

    Containment
    Risk Assessment
    Notification
    Remediation and Review

Not all of these steps will apply in all situations and there may be additional steps that are necessary in specific situations.
For example, data breaches that involve organizations and information located outside of Canada may require additional remediation and notification steps.44

40 http://www.tbs-sct.gc.ca/atip-aiprp/in-ai/in-ai2007/breach-atteint_e.asp (visited May 24, 2007).
41 http://www.ipc.on.ca/images/Resources/up-1prbreach.pdf (visited May 24, 2007).
42 http://www.ipc.on.ca/images/Resources/up-3hprivbreach.pdf (visited May 24, 2007).
43 http://www.oipcbc.org/pdfs/Policy/Key_Steps_Privacy_Breaches_(Dec_2006).pdf (visited May 24, 2007).
44 See the brief discussion about international privacy breaches in section 5(b) below.
(a) Containment

The first step should always be to make sure that the privacy breach is not ongoing. As a result, immediately after the breach is discovered, the organization should take some or all of the following steps to ensure that the problem does not get worse.

    - Immediately contact the organization’s privacy officer and/or the person responsible for security in the organization.
    - Remove, move or segregate exposed information/files.
    - Determine whether the privacy breach would allow unauthorized access to any other personal information and take whatever steps are appropriate (e.g. change passwords, identification numbers and/or temporarily shut down a system). In some cases, it may be necessary to shut down a website, application or device temporarily to permit a complete assessment of the breach and resolve vulnerabilities.
    - Attempt to retrieve any documents, copies of documents or files that were wrongfully disclosed or taken by an unauthorized person.
    - Ensure that no copies of personal information have been made or retained by any individual who was not authorized to receive the information, and obtain the person’s contact information in the event that follow-up is required.
    - Return the documents or files to their original location or to the intended recipient unless their retention is necessary for evidentiary purposes.
    - Notify the police if the privacy breach involves theft or other criminal activity.

(b) Risk Assessment

Once the privacy breach has been contained, the organization must assess the risk of harm arising from the breach. This assessment is necessary to determine what actions are appropriate in the notification and remediation steps.

    - What data elements have been breached? Is the information sensitive? Health information, social insurance numbers and financial information that could be used for identity theft are examples of sensitive personal information.
    - What possible use could be made of the personal information by unauthorized persons or organizations? Could the information be used for fraudulent or other harmful purposes?
    - What is the cause of the breach? Could there be ongoing or further exposure of the information?
    - What was the number of likely unauthorized recipients and what is the risk of further access, use or disclosure, including in mass media or online?
    - Is the information encrypted or otherwise not readily accessible?
    - What steps have already been taken to minimize the harm?
    - How many individuals might be affected by the breach?
    - Who is involved or affected by the breach: employees, public, service providers, clients, other organizations?
    - Is there any relationship between the unauthorized recipient(s) and the individual(s) whose personal information has been disclosed?
    - What harm to the individual(s) whose personal information has been disclosed will or could result from the breach? Consider security risks (e.g. an individual’s physical safety), identity theft or fraud, loss of business or employment opportunities and hurt, humiliation, damage to reputation or relationships.
    - What harm could result to the organization as a result of the breach? Consider loss of trust in the organization, loss of assets (exposure of confidential client or supplier lists, for example) and financial exposure.
    - What harm could result to the public as a result of the breach? For example, is there a risk to public health or public safety as a result of the breach?

(c) Notification

As discussed in section 2(f) above, there are a number of factors to be considered in determining whether and how to notify affected individuals, privacy regulators and/or law enforcement officials about a privacy breach.

(d) Remediation and Review

Once the immediate steps are taken to mitigate the risks associated with the breach, and consideration is given to providing appropriate notices, the organization must take the time to thoroughly investigate the cause of the breach and determine what steps, if any, are needed to prevent further incidents.
The remediation step could include all or some of the following actions, depending on the state of the organization's preparedness prior to the breach and the “lessons learned” during the course of the breach containment and investigation:

        Conduct a security audit of the organization's physical and technical security.

        Conduct a privacy audit that analyzes the personal information that is collected, used and disclosed by the organization and identifies issues of non-compliance with applicable privacy laws, industry guidelines, contractual obligations, etc. If a privacy audit was already performed for the organization, update it and assess its continuing viability in view of the vulnerabilities exposed by the breach and subsequent investigation.

        Develop or improve, as necessary, adequate long term security and procedural safeguards against further breaches.

        Review and update all privacy policies and procedures to reflect the lessons learned from the privacy breach investigation. Plan a scheduled audit to ensure that any changes have been fully implemented.

        Implement a privacy breach protocol. If a protocol was in existence at the time of the breach, review its effectiveness in dealing with the breach and its aftermath, and make adjustments as appropriate.

        Train the organization's employees to ensure that they understand the organization's privacy obligations and have appropriate knowledge of the privacy breach protocol. If the organization's employees have previously been trained, consider whether refreshers are necessary or whether there should be changes or additions to the training program.

As can be seen from the above checklists, responding to a privacy breach involves a great deal more than simply finding the problem, sending some notifications and promising not to let it happen again. A privacy breach necessarily involves a failure of preparation or implementation of the organization's security plans for personal information in its possession or control, and therefore requires a detailed and careful response that will involve a large number of disparate resources inside and outside of the organization.

4.       Can I Be Liable For This?

A very frequent concern of organizations is whether they will face the type of lawsuits and large fines that have been visited on several companies in the U.S. and well publicized in Canada.
While to date there have not been any successful actions in Canada based solely on liability for permitting a privacy breach, there are still a number of potential sources of liability that organizations should be aware of.

(a)      Canadian Private Sector Personal Information Privacy Statutes

None of the Canadian private sector personal information privacy statutes provides for a private cause of action against organizations where appropriate personal information safeguards are not maintained. Section 16 of PIPEDA permits the Federal Court, on an application, to award damages to the complainant, including “damages for any humiliation that the complainant has suffered”. Thus far there have been no such damages awarded, and it seems unlikely that there will be significant awards of damages in the near future.

Under the Quebec An Act respecting the protection of personal information in the private sector (the “Quebec Act”),45 the Commission d'accès à l'information (“CAI”) may examine and decide a dispute relating to access to or rectification of personal information (section 42) and may issue recommendations (following an inquiry) for such remedial measures as are appropriate to ensure the protection of the personal information. The Quebec Act does not grant the CAI specific power to award damages for a violation of a duty imposed on an enterprise with respect to the protection of the personal information. An enterprise may have damages awarded against it by a court should it collect, retain, use or disclose personal information in violation of the Quebec Act, or if the enterprise acted wrongfully, the action resulted in damages to the plaintiff, and there is a causal relationship between the damages suffered and the wrongful action.46 Damage awards have been modest in all of these cases and have not exceeded $10,000.00 on any one occasion.

The B.C. and Alberta legislation47 does not allow for damage awards, but permits fines to be levied for offences. It does not appear, however, that either B.C. PIPA or Alberta PIPA includes failing to provide adequate security for personal information amongst the list of offences.

(b)      General Purpose Privacy Legislation

Apart from the private sector personal information protection legislation discussed above, four common law provinces provide for a statutory tort of invasion of privacy: British Columbia,48 Saskatchewan,49 Manitoba,50 and Newfoundland.51 Although there is some variation, the statutes that create these torts typically make it actionable to wilfully violate the privacy of another individual. These statutes do not define what is meant by a violation of privacy, but state that surveillance, interception of communications and use of an individual's likeness for the purposes of advertising will generally be considered to violate privacy in the absence of consent. Certain exceptions are provided for publication of matters of public interest and situations involving law enforcement or judicial proceedings.

45 R.S.Q., c. P-39.1.
46 Demers v. Banque Nationale du Canada, B.E. 97BE-330 (C.Q.); Chartrand v. Corp. du Club de l'amitié de Plaisance, B.E. 97BE-878 (C.Q.); Boulerice v. Acrofax inc., [2001] R.L. 621 (C.Q.); Stacey v. Sauvé Plymouth Chrysler (1991) inc., J.E. 2002-1147 (C.Q.); Basque v. GMAC Location Limitée, 2002 IIJCan 36125 (C.Q.); Roy v. Société sylvicole d'Arthabaska-Drummond, J.E. 2005-279 (C.Q.).
47 Personal Information Protection Act, S.B.C. 2003, c. 63 (“B.C. PIPA”); Personal Information Protection Act, S.A. 2003, c. P-6.5 (“Alberta PIPA”).
48 Privacy Act, R.S.B.C. 1996, c. 373.
49 Privacy Act, R.S.S. 1978, c. P-24.
50 Privacy Act, C.C.S.M. c. P125.
51 Privacy Act, R.S.N.L. 1990, c. P-22.
In addition, Articles 35 through 41 of the Quebec Civil Code contain comparable provisions.52 In particular, Article 35 provides that no one may invade the privacy of a person without the consent of the person unless authorized by law. In addition, section 5 of the Quebec Charter of Human Rights and Freedoms provides that “Every person has a right to respect for his private life.”53 This section has been successfully used to ground a claim for damages for publication of a photograph of an individual in a magazine without consent.54

There have been no cases where any of these provisions have been applied to negligent or accidental security breaches involving personal information, and it would appear that the requirement that the actions of the organization be wilful would in most cases preclude any claim under these statutes against an organization that has had a privacy breach.

(c)      Common Law

Canadian common law has been hesitant to recognize a cause of action for the tort of invasion of privacy, although the attitude of Canadian courts to this issue may slowly be changing. While only a few years ago it would have been possible to say with reasonable certainty that no common law tort of invasion of privacy existed in Canada, courts in Ontario and other provinces are now signalling that a common law right to privacy may in fact exist in some form. A number of Ontario Superior Court decisions have indicated that recognition of a tort of invasion of privacy is not only likely but probably inevitable.55

The contours of any common law tort of invasion of privacy are not at all clear, and courts in other Commonwealth jurisdictions have taken a variety of approaches to the concept of a free-standing privacy right. While members of the High Court of Australia, in a case involving an injunction to restrain broadcast of a video taken surreptitiously inside an abattoir,56 mused, without deciding, about the possibility that a separate tort of breach of privacy might be found to exist,57 subsequent Australian decisions have continued to reject the idea.58 New Zealand59 and India60 have recognized at least some form of a common law privacy right. The U.K. House of Lords in Campbell v MGN Ltd61 rejected a common law tort of invasion of privacy but morphed the existing tort of breach of confidence into what one Law Lord referred to as “a remedy for the unjustified publication of personal information.”

An alternative to the tort of invasion of privacy is the application of the law of negligence to privacy breaches. In Canada v. Saskatchewan Wheat Pool,62 the Supreme Court of Canada held that while there is no nominate tort of “statutory breach” that will create liability as a result of a government or citizen violating a statutory restriction, proof of statutory breach may be used as evidence of negligence and that the statutory formulation of the duty may afford a specific, and useful, standard of reasonable conduct.63 The Supreme Court subsequently stated:

        Legislative standards are relevant to the common law standard of care, but the two are not necessarily co-extensive. The fact that a statute prescribes or prohibits certain activities may constitute evidence of reasonable conduct in a given situation, but it does not extinguish the underlying obligation of reasonableness. … Thus, a statutory breach does not automatically give rise to civil liability; it is merely some evidence of negligence. . . Where a statute authorizes certain activities and strictly defines the manner of performance and the precautions to be taken, it is more likely to be found that compliance with the statute constitutes reasonable care and that no additional measures are required. By contrast, where a statute is general or permits discretion as to the manner of performance, or where unusual circumstances exist which are not clearly within the scope of the statute, mere compliance is unlikely to exhaust the standard of care.64

While potentially a powerful legal tool, the “statutory negligence” cause of action65 has rarely been used successfully since 1983.66 Subsequent cases have held that a statute will not create a duty of care unless explicitly stated, but statutory restrictions may create a standard of care, although the weight to be accorded to the statutory standard is in the discretion of the trial judge.67

The acceptance of statutory requirements as a standard of reasonable conduct for negligence purposes has been extended to include recognized industry policies, practices, or standards, and the breach of a generally accepted industry standard may constitute evidence of negligence. For example, Zraik v. Levesque Securities Inc.68 confirmed that failing to comply with certain professional duties and internally created guidelines could be used to establish negligence. As a result, the privacy standards established by federal and provincial statutes, as well as industry standards such as model privacy policies or codes, may create specific and useful benchmarks for negligence purposes, both of reasonable conduct with respect to the collection of personal information and of the reasonable expectations of privacy that an individual may have.

While there have been a number of class actions instituted in respect of privacy breaches, none appear to have reached the certification stage.69 Most of the claims appear to have been based on a negligence theory,70 which may make the awarding of significant damages difficult.71

52 Civil Code of Quebec, S.Q. 1991, c. 64, Articles 35-41.
53 Québec Charter of Human Rights and Freedoms, R.S.Q., c. C-12.
54 Aubry v. Éditions Vice-Versa inc., [1998] 1 S.C.R. 591. In its analysis, the Supreme Court of Canada held that the right to privacy must be balanced against the right to freedom of expression and the public interest.
55 See Somwar v. McDonald's Restaurants of Canada Ltd. (2006), 79 O.R. (3d) 172, 263 D.L.R. (4th) 752 (S.C.), Shred-Tech Corp. v. Viveen, 2006 CanLII 41004 (ON S.C.) and Nitsopoulos v. Wong, 2008 CanLII 45407, http://www.canlii.org/en/on/onsc/doc/2008/2008canlii45407/2008canlii45407.html. By contrast, a British Columbia Superior Court judge rejected the concept of a common law right to privacy in Bracken v. Vancouver Police Board, [2006] B.C.S.C. 189 (CanLII), at least partly on the basis that the existence of the B.C. Privacy Act precluded the development of a similar common law right.
56 Australian Broadcasting Corporation v. Lenah Game Meats Pty. Ltd., [2001] H.C.A. 63.
57 See Taylor, “Why Is There No Common Law Right of Privacy?” (2000) 26 Monash University Law Review 235; “Privacy, Injunctions and Possums: An Analysis of the High Court's Decision in Australian Broadcasting Corporation v Lenah Game Meats”, (2002), 26 Melbourne University Law Review 707; Protecting Privacy, Property, and Possums: Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd (2002), 30 Federal Law Review 177.
58 See, for example, Giller v Procopets [2004] V.S.C. 113 at 187-189; Moore-McQuillan v WorkCover/Vero Workers Compensation (SA) Ltd (Wolf Air and Dive Shop), [2005] SAWCT 3; but see Grosse v Purvis [2003] QDC 151 and “Gross v Purvis: its place in the common law of privacy” (2003), 10 PLPR 66.
59 Hosking v Runting, [2004] NZCA 34 (25 March 2004); P. v. D., [2001] 2 N.Z.L.R. 591; Tobin, “Invasion of Privacy”, [2000] New Zealand Law Journal 216.
60 Govind v. State of Madhya Pradesh (1975), 62 A.I.R. (SC) 1378.
61 [2004] UKHL 22 (6 May 2004).
62 [1983] 1 S.C.R. 205.
63 Ibid., at 244. Where there is a sanction created by the statute it may be enforced in some circumstances by civil proceedings: Whistler Cable Television Ltd. v. Ipec Canada Inc., [1993] 3 W.W.R. 247 (B.C.S.C.) and Canada Post Corporation v. G3 Worldwide (Canada) Inc, 2005 CanLII 46078 (ON S.C.).
64 Ryan v. Victoria (City), [1999] 1 S.C.R. 201, at paras. 29 and 40.
65 Sometimes referred to as “negligent breach of statute”: see Britton v. Klippenstein, [2004] 10 W.W.R. 397 (Sask. Q.B.).
66 Successful damages claims in which statutory duties were used to establish negligence include Galaske v. O'Donnell (1994), 112 D.L.R. (4th) 109 (S.C.C.); Noble v. Bhumper (1996), 20 B.C.L.R. (3d) 244 (B.C.C.A.); Trango Holdings Ltd. v. Calwest Energy Corp., [2001] 263 A.R. 357 (Alta. Prov. Ct.); Prochazka v. Calwest Energy Corp., [2001] 264 A.R. 104 (Alta. Prov. Ct.).
67 See the discussion in Chong v. Flynn, [1999] 10 W.W.R. 671 (Alta. Q.B.), at paras. 12-19.
68 [1999] O.J. No. 2263 (S.C.J.); varied by [2001] O.J. No. 5083 (C.A.).
69 Based on a review of the National Class Action Database maintained by the Canadian Bar Association at http://www.cba.org/classactions/main/gate/index/default.aspx.
70 See, for example, the claims in Murray Waters v Daimlerchrysler Services Canada Inc. (Saskatchewan) at http://www.cba.org/classactions/class_2008/saskatchewan/pdf/06-09-2008_Waters.pdf and Maurice Assor vs. Services DaimlerChrysler Canada Inc. and United Parcel Service du Canada Ltée (Quebec) at http://www.cba.org/classactions/class_2008/quebec/pdf/2008-22-04_Assor2.pdf
71 See “Data breaches leading to class actions”, http://www.lawtimesnews.com/Headline-News/Data-breaches-leading-to-class-actions (visited April 19, 2009) where the author is quoted on this issue.
The best that can be said today is that it is conceivable that, in appropriate circumstances, a Canadian court could award damages to an individual against an organization that negligently allowed unauthorized access to the individual's personal information.

5.       International Privacy Breach Issues

Clearly, many privacy breaches involve international issues. The compromised data may have been accessed in or from multiple jurisdictions, may have been about individuals residing in multiple jurisdictions, or may have been used in multiple jurisdictions, thereby potentially causing damage to affected individuals in a number of locations. The response to such international data breaches may therefore require organizations and individuals to be aware of, and respond to, the requirements of a number of provincial, state and national laws. This section will briefly address the jurisdictional issues that arise concerning the application of Canadian privacy laws to breaches that take place outside of Canada and consider some questions a Canadian organization and its advisors have to address when dealing with a breach that may involve laws and regulators outside of Canada.

(a)      Jurisdiction of Canadian Regulators

Historically, most jurisdictional disputes arose in private litigation between parties. These cases generally revolve around the issues of personal jurisdiction (does a court have jurisdiction over the defendant?), forum non conveniens (even if the court has personal jurisdiction, is there a clearly more convenient forum to which the court should defer by staying the proceeding?) and the enforcement of judgments obtained by a plaintiff in a foreign court. The determination of whether a Canadian privacy statute applies to organizations or activities that take place outside Canada (or outside a province in the case of provincial legislation) is called prescriptive jurisdiction rather than personal jurisdiction. Personal jurisdiction and prescriptive jurisdiction are often confused by both lawyers and courts, but prescriptive jurisdiction involves a different analysis concerning issues of statutory interpretation and legislative competence. First, the court must determine whether the wording of the statute in question in fact applies to the activity that is the subject of the regulatory proceeding. This will often involve an analysis of the purpose of the statutory scheme to see if it was intended that the legislation would apply to the impugned activity. Second, if the statute was in fact intended to apply outside of Canada or provincial borders, the court must assess whether the legislature had the constitutional authority to legislate activity taking place outside of its borders.

The federal Parliament has wider powers than the provincial legislatures to pass laws with extra-territorial reach. The Statute of Westminster, 1931, the act of the British Parliament that created Canada as an independent state, provides in section 3 that “It is hereby declared and enacted that the Parliament of a Dominion has full power to make laws having extraterritorial operation”. This provision has been relied on in many subsequent cases to extend the reach of federal laws beyond Canadian borders.72 Similarly, a provincial legislature must have some valid regulatory interest in extending the reach of its laws beyond the boundaries of the province.73

Historically, there has been a legislative presumption against the extra-territorial application of public law statutes, as a matter of statutory interpretation. This is based on a historical concern not to infringe on the sovereignty of other states (or provinces) by purporting to regulate conduct that occurs wholly within the boundaries of another jurisdiction. However, over the years the courts began to relax rigid principles of territoriality. The modern approach recognizes that governmental authorities have a legitimate interest in regulation and enforcement in relation to activities that take place abroad but have an unlawful consequence within their jurisdiction, as well as in activities that take place within their jurisdiction but have unlawful consequences elsewhere. In Libman v. The Queen,74 the Supreme Court of Canada ruled that “it is sufficient that there be a 'real and substantial link'” between the proscribed conduct and the jurisdiction seeking to apply and enforce its law. Similarly, Québec's Civil Code provides detailed conflict of law rules and, in this regard, establishes the general rule that “Québec authorities have jurisdiction when the defendant is domiciled in Québec” and that Québec authorities may hear matters even in the absence of jurisdiction if the matter has a “sufficient connection with Québec” and where proceedings cannot be instituted elsewhere, or it would be unreasonable to require that they be instituted elsewhere (article 3136).

In Citron v. Zundel,75 the Canadian Human Rights Commission determined that a web site set up in the United States by the infamous Holocaust denier Ernst Zundel was subject to the Canadian Human Rights Code, even though that statute was not explicit about the scope of its application. In Society of Composers, Authors and Music Publishers of Canada v. Canadian Assn. of Internet Providers,76 the Supreme Court ruled that an Internet communication that either originates outside of Canada or is received outside of Canada can be an infringement of the “communication to the public by telecommunication” right under Canadian copyright law:

        [60] The [real and substantial connection] test reflects the underlying reality of “the territorial limits of law under the international legal order” and respect for the legitimate actions of other states inherent in the principle of international comity. A real and substantial connection to Canada is sufficient to support the application of our Copyright Act to international Internet transmissions in a way that will accord with international comity and be consistent with the objectives of order and fairness.

        [61] In terms of the Internet, relevant connecting factors would include the situs of the content provider, the host server, the intermediaries and the end user. The weight to be given to any particular factor will vary with the circumstances and the nature of the dispute.

While the Supreme Court referred to the need to conduct a textual analysis of the Copyright Act in order to determine whether extra-territorial reach was contemplated, in fact the application of the real and substantial connection test now appears to be the main determinant of whether a federal statute can be applied in respect of persons or activities outside of Canada.

To date, the application of PIPEDA to organizations outside of Canada has been uneven. In the early complaints that were directed to the federal Commissioner concerning organizations located outside of Canada dealing with personal information about Canadians, the Commissioner determined that she did not have jurisdiction to pursue investigations because there is no means by which information can be collected from those organizations. For example, the Commissioner's office published this response to a complaint about Abika.com:77

        “We contacted Abika.com in Cheyenne, Wyoming to ask the organization to provide us with the contact information of its Canadian-based sources to aid us in pursuing the investigation. Our investigator informed you that Abika.com responded to our letter of notification to indicate that Abika.com acts as a search engine, not a database. Our investigation efforts have been frustrated by the fact that Abika.com would not respond to our request for the names of Canadian-based sources.

        As you know, subsection 11(1) of PIPEDA states that:

                An individual may file with the Commissioner a written complaint against an organization for contravening a provision of Division 1 or for not following a recommendation set out in Schedule 1.

        Subsection 12(1) of PIPEDA states that:

                The Commissioner shall conduct an investigation in respect of a complaint…

        In order to investigate Abika.com based in Cheyenne, Wyoming, our Office must have the requisite legislative authority to exercise our powers outside Canada. However, basic principles of sovereignty and comity under international law state that a country cannot legislate outside its borders. The general convention is that Canada only legislates for Canada and only regulates activities within its borders. While Parliament may legislate with extraterritorial effect, this is rarely done. In the infrequent case that it is, it is for national security purposes or for a limited class of other purposes.

        In assessing whether a statute is to be applied outside Canada, a court will consider the intention of the legislature when it enacted the statute. There is a strong presumption that, absent an explicit or implicit contrary intention, Canadian legislation will only apply to the persons, property, juridical acts and events that occur within the territorial boundaries of the enacting body's jurisdiction. There is nothing explicit in PIPEDA to suggest that it was meant to apply outside of Canada or that the powers of the Commissioner would extend beyond Canada's borders. According to leading case law, where the language of a statute can be construed so as not to have extraterritorial effect, then that construction must be adopted. It seems clear that this Act should not be construed to have extraterritorial effect. In the absence of any express or implied legislative intent, I must conclude that PIPEDA has no direct application outside of Canada.

        While it is clear that the Commissioner may request information from anyone who she believes may have information relevant to an investigation, the formal investigative powers apply only within Canada. Abika.com has not responded to our request for the names of its Canadian-based sources. As such, we have no means of identifying - let alone investigating - those who would represent a Canadian presence for this organization and further, have no ability to compel an American organization to respond.

        ...

        Global e-commerce poses challenges to all national governments that attempt to safeguard privacy and protect consumers. As you are aware from ongoing meetings with our Office, we share your concerns about the indiscriminate, non-consensual collection, use, and disclosure of personal information by profiling and data broker organizations. We agree that this raises serious privacy considerations. To this end, we have asked the Government of Canada to advise us what formal protocols, if any, exist that would allow us to investigate potential privacy breaches which may violate Canadian data protection laws. As important as it is, however, the specific instance you raise cannot be resolved through the complaint mechanism under PIPEDA.

        ...

        In conclusion, we cannot proceed with your complaint as we lack jurisdiction to compel U.S. organizations to produce the evidence necessary for us to conduct the investigation. As a result, I am sorry to say that we have no choice but to close this file. The organization has been so informed. However, you should know that we have just recently launched an investigation in respect of a similar organization where we have been able to identify the Canadian sources of data.”

This opinion by the federal Commissioner seems to confuse the ability of a regulatory body to use compulsory investigative techniques with the ability to make a determination when presented with evidence of a breach of a Canadian statute. The Commissioner's decision was subsequently overturned by the Federal Court on a judicial review application.78 The Federal Court began by noting that the scope of PIPEDA's application is not universal:

        “Parliament cannot have intended that PIPEDA govern the collection and use of personal information worldwide. For instance, if Ms. Lawson were an American working in the United States, PIPEDA would have no application. Regulatory and investigative functions (as opposed to judicial) must have some connection with the state which enacts the underlying legislation.”79

The Court then went on to decide that the Commissioner did have jurisdiction to investigate, based on the scope of PIPEDA, in respect of the use outside of Canada of information about Canadians or information that originated in Canada.

Since the release of the Federal Court's ruling in February, 2007, the Commissioner has dealt with a number of international privacy breach issues. In the Investigation Report concerning TJX Companies Inc./Winners Merchant International L.P.,80 the Commissioner dealt with a well documented privacy breach in which TJX suffered a network computer intrusion affecting the personal information of an estimated 45 million payment cards in Canada, the United States, Puerto Rico, the United Kingdom and Ireland. Unlike in previous investigations of international breaches, the Commissioner had no difficulty finding that she had jurisdiction to investigate the breach:

        “The Office of the Privacy Commissioner of Canada had jurisdiction to investigate because TJX/WMI conducts commercial activities in Canada. The Information and Privacy Commissioner of Alberta had jurisdiction in this case because WMI is an organization, as defined in subsection 1(i) of [Alberta] PIPA, and it operates in Alberta. Some of the personal information in question was collected in the organization's Alberta stores. The jurisdiction of the two Offices in this joint investigation applies primarily to the personal information collected during purchases made in Canada and subsequently disclosed as part of the data breach, as well as personal information collected during unreceipted return transactions at WMI stores.”81

In the result, the Commissioner concluded that TJX had breached PIPEDA by not employing adequate security steps, and recommended various steps be taken to correct the past problems.

72 See the cases listed in Hogg, Constitutional Law of Canada (4th ed., 1997), at pg. 323.
73 For an in-depth analysis of this issue as it relates to consumer protection laws, see Tassé and Faille, “Online Consumer Protection In Canada: The Problem Of Regulatory Jurisdiction”, Internet & E-Commerce Law in Canada, August 2001.
74 [1985] 2 S.C.R. 178.
75 41 C.H.R.R. D/274, Canadian Human Rights Commission, January 18, 2002.
76 [2004] 2 S.C.R. 427.
77 November 18, 2005; http://www.privcom.gc.ca/legislation/let/let_051118_e.asp
78 Lawson v. Accusearch Inc., [2007] 4 F.C. 314, available online at http://www.canlii.org/en/ca/fct/doc/2007/2007fc125/2007fc125.html
79 At para. 38.
80 http://www.privcom.gc.ca/cf-dc/2007/TJX_rep_070925_e.asp. The investigation was conducted jointly with the Alberta IPC.
81 At para. 8.
(b)      Dealing With International Privacy Breaches

As the discussion in the previous section makes clear, the federal and provincial Commissioners will have an interest in any privacy breach that involves personal information that originated from a Canadian source or is about Canadians. Organizations would therefore be well advised to involve Canadian regulators at an early stage of the investigation of any data breach.

The concerns of Canadian organizations may extend well beyond the borders of Canada, however. Many jurisdictions outside of Canada enforce privacy laws and regulations that carry penalties (financial and otherwise) that are far more draconian than those applicable under Canadian privacy laws. In some jurisdictions, these penalties can also be applied against officers and directors of organizations. Unless an organization and its senior staff are certain that they will remain in Canada for the rest of their lives, and are equally certain that orders under foreign statutes will not be enforced in Canada, consideration must be given to actual or potential breaches of foreign laws.

Most jurisdictions have a minimum standard for the application of their laws to foreign individuals and organizations. While the tests are not consistent in all jurisdictions, most are similar to the Canadian test in assessing the contacts between the foreign entities and the jurisdiction in question. In the privacy breach context, it is likely safe to assume that any time an organization suffers a privacy breach involving either personal information about residents or citizens of a foreign jurisdiction or personal information that was accessed in a foreign jurisdiction, the privacy laws of that jurisdiction will apply to the investigation and the response to the breach. Foreign privacy laws may require the organization to undertake specific actions that may not be necessary under Canadian law, such as notification to regulators, consumers and other entities, as well as specific remediation and risk reduction techniques such as offering credit monitoring and counselling services to affected consumers.

Canadian organizations must include in their privacy breach remediation plans both proactive and reactive steps relating to the potential effect of foreign privacy laws. In particular, organizations must assess the nature of the personal information that they have in their possession or control to determine if there is a significant amount of information that is about foreign residents or citizens, and determine whether personal information in their possession or control is stored or processed in a foreign jurisdiction. In either case, the organization should compile a list of the jurisdictions in which it is possible that a privacy breach could engage the application of local privacy laws, and should then have local counsel prepare a summary of the local privacy laws that could be applicable in the event of a privacy breach. The organization's breach response protocol should then be adjusted to take into account the potential application of foreign privacy laws.

6.       Conclusion

While the unauthorized exposure of personal information files is not new, the number and breadth of such data breaches appears to be increasing as a result of a combination of concerted criminal action, larger amounts of data being collected and therefore available to be disclosed, continuing use of vulnerable communication and storage methods and more intense media coverage of privacy breaches and identity theft issues. Business organizations and their advisors must not only stay abreast of the most recent developments, but also be aware of the steps being taken internally to prevent privacy breaches and continually influence others in the organization to make privacy security a “top of mind” issue for everyone in the organization.

Perhaps most importantly, organizations must be aware of the importance of being prepared for the possibility of a privacy breach. No matter what security measures have been taken, they can only reduce, not eliminate, the chances that a breach will occur. The only effective way to minimize the impact of a breach is to be properly prepared to deal with the worst case scenario, and then hope it never happens.
