An employee's laptop containing information about your clients and your business has been stolen. Perhaps you are able to determine what information was on the laptop. Perhaps not. Either way, you find yourself faced with difficult decisions. Should you notify the affected individuals? Are you legally required to do so? If you do notify them, how do you do so in a way that avoids drawing damaging media attention and losing customers?
If your business hasn't already faced this situation, statistics suggest you are likely to. Mobile devices have become an essential part of the way we do business. As a result, the potential for personal information to fall into the hands of unintended recipients has increased. Businesses need to be sure to take steps to avoid the bad publicity and reputational damage that the loss or theft of a device containing sensitive data can cause.
But when such a loss does happen, it's imperative that a business not only take all legally required steps to address the situation, but also that it does so in a way that minimizes the damage to its reputation and customer base.
Your legal obligations
Upon the loss or theft of a storage device, a business will need to initially consider any legal obligations related to containing the breach.
Canada's privacy laws require that businesses protect personal information in their possession from unauthorized access or disclosure by taking appropriate security measures.
Sensitive personal information such as financial or medical information is subject to a higher level of protection. The loss or theft of a storage device containing personal information can leave a business in breach of these privacy law requirements and potentially also in breach of the business's confidentiality obligations with respect to its clients, employees or others.
If it happens, a decision has to be made as to whether or not to notify the affected individuals. There currently is no legal requirement to notify under Canada's privacy laws, except under Ontario's Personal Health Information Protection Act, which relates specifically to health care practitioners in control of health-related data. But a notification requirement -- already in place in most U.S. states -- is under consideration in the current review of Canada's federal privacy legislation.
Still, although there is no express legal requirement yet, privacy commissioners have suggested that in certain circumstances, notification is appropriate.
Business implications
Regardless of whether there is a legal requirement to notify, businesses must carefully consider the business implications of the loss or theft of personal information and devise a plan to manage the reputational damage that such an event can cause.
A business must decide whether to notify known individuals directly or to make a public announcement (if the affected individuals are unknown) and manage the resulting publicity; or wait in the hope that the breach will blow over with no harm done to the affected individuals, and then manage the resulting adverse publicity only if the breach comes to light.
In making this choice, it is important to bear in mind that if a complaint is filed with a privacy commissioner, further reputational harm can result from the publicity surrounding a privacy commissioner's inquiry and decision.
The federal privacy commissioner only has the power to make recommendations, not binding orders, in her decisions, although her office can name offending organizations in its decision and has been doing so with increasing frequency. If the privacy commissioner determines that an organization deliberately decided not to take steps to notify, this will be an additional basis for criticism and another source of embarrassment for the organization.
In deciding whether or not to notify, a business should consider numerous factors: its ability to identify and contact the individuals to whom the lost or stolen information relates, the sensitivity of the information, the potential for misuse of that information and the ability of the affected individuals to mitigate or avoid the risk of misuse if they are notified. And by giving notification itself, a business has more control over the form, content and timing of the notification than leaving it to a privacy commissioner or the media to break the story.
Being able to exercise some control over the form, content and timing of how individuals are informed of the breach, rather than having it come to their attention through negative publicity, may affect customers' reactions to the breach and their feelings about the trustworthiness of the business itself.
The decision of whether or not to notify will depend on the particular facts. For example, if a laptop containing credit card information relating to a small number of ascertainable individuals was stolen, notifying the individuals would be possible and would permit them to take steps to notify their credit card companies of the situation in order to mitigate or avoid any risk related to the breach.
In that case, absent other factors, notification seems appropriate. By contrast, if a list of individuals and their salaries was lost, notifying these individuals may be possible, but it is unlikely that they could do anything to stop that information from being used. It's unlikely that the recipient would be able to use that information for illicit purposes anyway, so in that case, the argument in favour of notification is less compelling.
Good offence the best defence
A study recently released by the Ponemon Institute concluded that "both business and governmental organizations are not taking appropriate steps to safeguard sensitive or confidential information such as intellectual property, business confidential documents, customer data and employee records."
The study found that 64 per cent of respondents had never conducted an inventory of customer and consumer data. And not knowing where data is complicates decisions that have to be made upon a loss or theft of it.
Physical, organizational and technological measures should be in place and organization-wide training carried out on related policies and procedures.
Simple measures such as policies prohibiting leaving storage devices such as laptops unattended in cars or public places can help prevent theft of the device in the first place.
Policies are, of course, only effective to the extent that they are followed, so using technological measures like passwords and data encryption can reduce the risk of access by a third party if the device is ever lost or stolen. When dealing with a breach of sensitive personal data, any response, however well-intended, will cause concern among those affected.
The safest approach, therefore, is to take appropriate steps to avoid the breach in the first place. Many, if not most, businesses have not yet taken the necessary steps to protect themselves. This should be a priority for those organizations.
There is no sure-fire way to protect against losing devices and the data they contain. But taking steps to avoid the loss or theft of personal information, and mitigating the risk when it does occur, can help an organization save face in the event that such a loss or theft happens.
Michelle Kisluk is an associate and Wendy Gross is a partner at McCarthy Tétrault in Toronto. They both work in the firm's technology group.