
Reaching Out News Article, Spring 2013

Data Breaches: Limiting the Risk and Consequences of a Data Breach

In April 2012, Elections Canada lost two unencrypted memory sticks containing personal information of up to 2.4 million voters, including their full names, home addresses, gender, date of birth and whether they voted in the last election. Typically, such information on memory sticks is password protected and encrypted, but was not in this case. A class action lawsuit was launched in Ontario.

In May 2012, two laptops were stolen from the Elections New Brunswick office. One laptop contained sensitive personal information about every eligible voter in the province, and was password protected. The data was encoded, and it was linked to a Government of New Brunswick domain account, which requires a specific sign-in to access, all in keeping with government policies for information security. The second laptop did not contain any voter data.

In November 2012, Human Resources and Skills Development Canada discovered that a hard drive containing the personal information of some 583,000 Canadians had gone missing. The data included social insurance numbers and dates of birth of people who had received student loans between 2002 and 2006. At least 3 class action lawsuits have been commenced.

Also in November 2012, Human Resources and Skills Development Canada discovered that a USB key containing personal information, including Social Insurance Numbers, of about 5,000 Canadians was missing.

Incidents of data breach are increasingly making the headlines. It's not clear whether data breaches are actually becoming more common, or whether they are coming to light more frequently due to the increased attention and importance placed on the protection of personal information. In any case, regardless of the reasons for why we are hearing more and more about data breaches, it is vital that organizations implement, monitor and enforce proper data security measures.

This is important not only as an employer vis-à-vis your employees, but also for organizations in the public sector, which often hold highly sensitive personal information regarding their clientele. The case of Rowlands v. Durham Region Health [2012 ONSC 3948] provides an example of the potential legal ramifications that can result if proper protection measures are not taken. This was a class action proceeding seeking damages resulting from the loss of a USB key by a nurse employed by the defendant Health Department. The USB key held the unencrypted personal and confidential information of 83,524 individuals who, between October 2009 and December 2009, received H1N1 immunization shots at a clinic in Durham Region.

The scope of the action was quite broad and included the following claims: breach of duty of care, fiduciary duty, duty to maintain confidence and privacy to the class members, breach of the Personal Health Information Protection Act, a breach of section 7 of the Charter, and damages for the breach of any of these duties in the form of monetary damages for the purpose of obtaining credit monitoring for a certain period of time, and punitive, aggravated and/or exemplary damages. The action was based primarily on the claim that the confidential information lost could be used to facilitate identity theft.

The action was ultimately settled, which settlement was approved by the Court in July 2012. The terms of the settlement provided that the defendant would take mitigating steps for class members who could demonstrate that they had suffered economic loss as a result of the data breach, with a claim period up to August 2016. Any such class member who remained unsatisfied with the steps taken could then pursue their claim before the Claims Administrators.

In approving the settlement, the Court commented that as of the date of the settlement, it was "probably that no one has the missing USB key. This inference comes from the fact that no class member has claimed that information on the key has been used to financially damage his or her interests." [at para 11] In the circumstances, the Court commented that the chances of success of the class were quite low. The personal data on the USB key was described as "minimal" in the settlement decision, even though it included name, address, telephone numbers, gender, date of birth, Ontario health card number with expiry date, name of primary physician and some additional personal health information. An expert witness had provided evidence that more information is usually required to commit fraud, which is sometimes obtained from individuals using the limited information already known about them.

Notably, the settlement also included $500,000 in costs to class counsel, in addition to costs already paid, and a further 25% of any claims paid out in the future. Although the action eventually settled and it is not clear what damages the Court would have awarded had it found liability on the part of the defendant, this case still serves as a reminder of the potential legal risks associated with data breach.

However, there are some relatively simple steps that can be taken to limit the risk of significant data breaches occurring in the first instance, and the consequences of a breach, should one occur. These include the following:

- Personal information on USB keys, portable hard drives and laptops should be encrypted
- Implement a password rule
- Proper disposal of personal information by shredding
- Ensure workplace rules are being followed and enforced

The upfront efforts and costs go a long way towards limiting and mitigating risk down the road.

It is therefore advisable that employers undertake regular reviews of their relevant policies and practices, and ensure proper measures are applied and in fact used. [add link to Privacy and Litigation CTR that further elaborates on this?]
