Privacy Breaches in Canada – Some Legal and Practical Considerations

Mark S. Hayes1

1. Introduction

It would be largely redundant to expound at length on the increasing prevalence of real and potential breaches of personal information security.2 Everyone reading this is likely more than aware that rarely does a week go by where there is not a new story in the media about a tape going missing, a laptop being stolen or a server being hacked into. In each case, the personal information of many thousand, or even many million, individuals is or could be compromised and potentially used for a wide variety of nefarious purposes, including fraud, identity theft, harassment and stalking.3

Similarly, most readers will be very familiar with the potential damage that a privacy breach can cause to the reputation and business of an organization, not to mention the costs that can be incurred in investigating and remedying the problem.4

Rather than rehashing the dire warnings that always accompany any discussion about privacy breaches, this paper will try to summarize the current answers that a legal advisor might provide to the three questions almost inevitably asked by an organization that has just suffered a privacy breach. These questions are, in no order of importance:

Do we have to tell anyone about this?

What the heck5 should I do about this?

Can we be liable for this?

1 Partner, Hayes eLaw LLP, Toronto. © Mark S. Hayes, 2009. This article is intended to be a general review of law and should not be considered to be legal advice or to create a solicitor-client relationship between the author and/or Hayes eLaw LLP and any reader. If you wish further information about any of the topics discussed in this article, please consult a lawyer. Any opinions expressed in this article are solely those of the author and do not necessarily represent the position of Hayes eLaw LLP or any of its clients.

2 Although the terminology is subject to various permutations, this paper will interchangeably use the terms “privacy breach,” security breach” and “data breach” to refer to unauthorized access to or alteration of personal information in the possession or control of an organization.

3 See “A Chronology of Data Breaches” compiled by the Privacy Rights Clearinghouse, http://www.privacyrights.org/ar/ChronDataBreaches.htm, for a somewhat subjective listing of the major privacy breaches that have taken place worldwide.

4 The most recent U.S. estimates of the financial costs to organizations of data breaches found that in 2008 the average total cost of a data breach was $6.65 million, up from $6.35 million in 2007 and $4.54 in 2005. In 2008, the per-victim cost of a data breach was $202, up from $197 in 2007, and from $138 when the study was launched in 2005: see “Costs of a Data Breach: Can You Afford $6.65 Million?”, Computerworld, February 4, 2009, http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9127376 (visited April 19, 2009).

5 Other exclamatory words and/or phrases are sometimes substituted.

Privacy Breaches in Canada P a g e | 2

Not surprisingly, the answers to each of these questions will in many instances be quite specific to the organization and its business, as well as the nature of the privacy breach itself. In addition, the law in this area is developing quickly, and the answers outlined below will be quite different from what a client would have been told a year ago, and quite likely the answers in a year from now will likely again have changed. Nevertheless, there are some fundamental principles at work that will continue to be useful even as some of the details and relevant legislation changes over time.

2. Do I Have To Tell Anyone About This?

Privacy breach notification is a hot button issue. A relatively large number of high profile privacy breaches have quickly made privacy breach notification one of the first issues that organizations look to resolve once the possibility of a breach is raised.

Many studies and papers have questioned whether there is any rational basis for compulsory consumer notification requirements, citing problems with over-notification, “notice fatigue,” excessive costs of notification compared with relatively small benefits to consumers, and other issues.6 Most justifications for compulsory notice requirements concentrate on increasing consumer choice, the comfort that notices allegedly give consumers and the impact that a requirement to provide consumer notice on organizations, generally leading to increased security measures for personal information.7 The limited empirical evidence that exists about the impact of compulsory privacy breach notification seems to show that notice does little to prevent or ameliorate identity theft. A 2008 study by three professors at Carnegie Mellon University found “no statistically significant effect that [compulsory notification] laws reduce identity theft, even after considering income, urbanization, strictness of law and interstate commerce” and that the “maximum effectiveness [of such laws] is inherently limited.”8

Notwithstanding the lack of clear evidence that compulsory breach notification laws have any real world benefits, most US states have now passed legislation requiring organizations to notify individuals and/or privacy regulators following an unauthorized disclosure of personal information.9 Canada has not moved as quickly to require

6 An extensive discussion of these issues is beyond the scope of this paper. Some papers of interest include Lenard and Rubin, “An Economic Analysis of Notification Requirements for Data Security Breaches,” http://papers.ssrn.com/sol3/papers.cfm?abstract_id=765845 (visited May 23, 2007) and Turner, “Towards A Rational Personal Data Breach Notification Regime,” http://www.infopolicy.org/pdf/data-breach.pdf (visited May 23, 2007).

7 See, for example, the Canadian Internet Policy and Public Interest Clinic’s publication “Approaches To Security Breach Notification,” http://www.cippic.ca/en/bulletin/BreachNotification_9jan07-web.pdf (visited May 23, 2007; the “CIPPIC White Paper”), which argues, without any empirical evidence, that “There can be no question that, if they are legally obligated to report security breaches and thus to incur related reputational and business costs, organizations will be more inclined to ensure better security measures and thus to prevent breaches from occurring in the first place.” (at page 23). This conclusion ignores the fact that the costs, inconvenience and reputational damage to an organization will occur whether or not an organization has been fully diligent in providing security for personal information records. Many privacy breaches occur due to happenstance and bad luck rather than negligence, but identical costs and risks are visited on organizations which take reasonable and appropriate security measures and those that do not.

8 Sasha Romanosky, Rahul Telang, Alessandro Acquisti, “Do Data Breach Disclosure Laws Reduce Identity Theft?”, http://weis2008.econinfosec.org/papers/Romanosky.pdf (visited April 19, 2009)

Privacy Breaches in Canada P a g e | 3

compulsory notification, although, as is discussed below, changes are likely to be on the way.

(a) Ontario PHIPA

To date, the only Canadian privacy statute that explicitly requires breach notification is the Ontario Personal Health Information Protection Act (“PHIPA”),10 which states as follows:

Notice of loss, etc.

12 (2) Subject to subsection (3) and subject to the exceptions and additional requirements, if any, that are prescribed, a health information custodian that has custody or control of personal health information about an individual shall notify the individual at the first reasonable opportunity if the information is stolen, lost, or accessed by unauthorized persons. ...

There have been no regulations promulgated that limit the extent of the notification requirement in section 12(2), but the Ontario Information and Privacy Commissioner (OIPC) has issued three formal Orders and thirty reports dealing with the section 12(2) obligations, and these resources have somewhat sharpened the contours of the notification obligation.

In Order HO-004,11 the OIPC dealt with a laptop computer that was stolen from the car of a physician at the Toronto Hospital for Sick Children. The laptop contained personal health information of former and current patients of the hospital. The amount of information relating to each patient varied widely, but some of it was of a very sensitive nature. The laptop had an 8 digit alphanumeric password, but the data was not encrypted.

The hospital proactively took the following notification steps:

All active patients, that is, those who have been seen at the hospital within the last two years, and for which the hospital had current contact information, were notified of the incident by way of a written letter from the hospital.

Where the information contained on the laptop computer was of a sensitive nature, active patients and their families are being notified of the theft in person, at clinic appointments.

The hospital issued a press release, which was also posted on its Internet site.

9 See the Perkins Coie “Security Breach Notification Chart,” available at http://www.digestiblelaw.com/files/upload/securitybreach.pdf (visited April 19, 2009) for a summary of the current U.S. state laws. As of June 24, 2008, the chart shows that 46 states have enacted some type of privacy breach notification law. These laws vary widely in their details.

10 S.O. 2004, c. 3, Sch. A.

11 http://www.ipc.on.ca/images/Findings/up-3ho_004.pdf (visited May 24, 2007).

Privacy Breaches in Canada P a g e | 4

The OIPC found that the notification steps taken by the hospital satisfied section 12(2). The OIPC noted that it was probably not advisable in these circumstances to send notifications to addresses that were more than two years old, since this might cause a further privacy breach. In addition, when the hospital was aware that an individual whose personal health information had been on the laptop was deceased, there was no need to provide notification.

Order HO-00512 involved a situation where the CBC was contacted by an individual who, much to his surprise, had viewed an image of a toilet in a washroom on their vehicle’s back up camera monitor while driving by a methadone clinic. A CBC reporter returned to the area after consulting a security expert and was able, through a wireless connection, to view a female patient at the clinic while in the washroom. On investigation, the OIPC determined that the clinic wirelessly monitored patients providing urine samples to ensure that the samples provided for drug testing emanate from the correct source and are not tampered with. This practice is in accordance with the Methadone Maintenance Guidelines published by the College of Physicians and Surgeons of Ontario and other related guidelines. Patients also provide informed consent by entering into a written agreement with the Clinic, in which the patient agrees to provide supervised urine samples for drug screening purposes. After learning of the actual and potential interception of the images from the washroom, the clinic posted a notice in its waiting room notifying current patients of the incident and identifying the steps taken to contain the damage and to prevent this type of incident from occurring again. The OIPC found that no additional notice was required. Even though former clients may not have become aware of the waiting room notice, the OIPC was satisfied that, because of the extensive media coverage of the incident, it was likely that former clients would have become aware of the incident by way of the media.

The PHIPA decisions on notification of affected individuals are obviously of great interest generally. However, because the notification provision of PHIPA is compulsory, there is little discussion in the OIPC PHIPA decisions about whether or not to notify affected individuals, and far more analysis about what type of notification should be made. As a result, an organization not subject to compulsory notification requirements must examine those decisions that have been made in a jurisdiction in which there is no notification obligation in order to understand the factors to be considered in deciding whether to notify.

(b) Notification as a Required Component of General Security Obligations

As is discussed in more detail in section below, all private sector privacy statutes contain some general obligation to keep personal information secure and prevent unauthorized disclosure, alteration or destruction. For example, the federal Personal Information Protection and Electronic Documents Act13 (“PIPEDA”) states that “personal information shall be protected by security safeguards appropriate to the sensitivity of the

12 http://www.ipc.on.ca/images/Findings/up-ho_005.pdf (visited April 19, 2009)

13 S.C. 2000, c. 5.

Privacy Breaches in Canada P a g e | 5

information,”14 but provides little else by way of guidance as to how this standard is to be met.

In January 2006, the Privacy Commissioner of the Australian State of Victoria decided that, even though Victoria’s privacy statute does not contain any explicit notification obligation, its general security obligation (which was similar to that in PIPEDA) created an obligation, except in extraordinary circumstances, to notify individuals of a privacy breach. The Commissioner stated:

9.3.1 The presumption is that privacy breaches ought to be notified to those whom they potentially affect.

9.3.2 The starting point is the objects section of the Information Privacy Act, in which Parliament made it clear that the collection and handling of personal information is to be responsible and transparent.3 Part of being open about the handling of people’s personal information is to tell them when something goes wrong and to explain to them what has been done to try to avoid or remedy any actual or potential harm. Where there is a reasonably foreseeable risk of harm, notification gives people an opportunity to take steps themselves to avoid or mitigate harm.

9.3.3 In exceptional circumstances, notification may be neither necessary nor desirable.15

This decision has been cited by many privacy advocates, who have argued that even the general security obligations contained in PIPEDA or the provincial private sector personal information privacy statutes will, in appropriate circumstances, obligate an organization to notify affected individuals.16

Canadian regulators have taken a cautious approach to the notification issue thus far. In a decision involving computer tapes containing personal information that was left on used computer tapes sold at a B.C. government auction,17 the B.C. IPC declined to decide that the general security obligation in B.C.’s public sector privacy legislation18 implied an obligation to notify affected individuals in all but exceptional cases, but did

14 Principle 4.7.

15 Privacy Commissioner, State of Victoria Report 01.06: “Jenny's case: Report of an investigation into the Office of Police Integrity pursuant to Part 6 of the Information Privacy Act 2000” (February 2006), http://www.privacy.vic.gov.au/dir100/priweb.nsf/download/27DAEE1EBC21E085CA257123000A3688/$FILE/OVPC_Report_0106.pdf (visited May 23, 2007), at 65.

16 For example, the CIPPIC White Paper cited the decision of the Victoria Privacy Commissioner as one of the justifications for recommending an explicit notification requirement in proposed amendments to PIPEDA (at page 21).

17 B.C. Investigation Report F06-01, “Sale Of Provincial Government Computer Tapes Containing Personal Information,” March 31, 2006, http://www.oipc.bc.ca/orders/investigation_reports/InvestigationReportF06-01.pdf (visited May 23, 2007; “BC Report F06-01”).

18 Freedom of Information and Protection of Privacy Act, R.S.B.C. 1996, c. 165 (“B.C. FIPPA”).

Privacy Breaches in Canada P a g e | 6

find that notification should be considered by government bodies as one way to minimize the impact of a privacy breach on affected individuals.

Since the release of BC Report F06-01, there appears to be almost universal support for the proposition that, although private sector privacy statutes do not contain a compulsory breach notification requirement, they do imply an obligation to at least consider the appropriateness of notification of individuals affected by a privacy breach. In December, 2006, the B.C. and Ontario IPCs published a “Breach Notification Assessment Tool” (the “Tool”)19 that sets out a number of steps to be taken by an organization in deciding whether to notify individuals or regulators about a privacy breach, and presumes that notification will be required in some, but not all, circumstances.20 The federal Commissioner and several other provinces have since published their own breach notification guidelines.21

Notwithstanding all of these developments, the House of Commons Committee studying potential reforms to PIPEDA concluded, apparently based on submissions from the federal Commissioner, that under PIPEDA “notification is voluntary,” although organizations “for the most part, feel that they already have a duty to notify individuals in instances of significant security breaches involving personal information.” 22

Despite the lack of an explicit obligation to notify in any of the Canadian private sector privacy laws of general application, it now appears clear that there likely will be implied in at least some situations an obligation to make such notification as part of a general obligation to keep personal information secure. While not stating that breach notification is required, recent case summary reports by the federal Commissioner seem to imply that organizations will be taken to task if such notification is not made within a reasonable time after the breach is discovered.23

(c) Other Potential Obligations to Notify

In addition to any obligations that may arguably be imposed by private sector privacy statutes, organizations have to consider whether they may be otherwise required to make disclosure to affected individuals after a privacy breach. For example:

19 http://www.ipc.on.ca/images/Resources/up-ipc_bc_breach.pdf (visited May 23, 2007).

20 The specifics of the Tool are discussed in detail in section 2.(f) below.

21 See the federal Privacy Breach Checklist, http://www.privcom.gc.ca/information/guide/2007/gl_070801_checklist_e.pdf. Provincial tools include the Newfoundland and Labrador Privacy Breach Notification Assessment Tool (January 2008), http://www.justice.gov.nl.ca/just/civil/atipp/PrivacyBreachNotificationAssessmentTool.pdf; Saskatchewan Privacy Breach Guidelines, http://www.oipc.sk.ca/Resources/Privacy%20Breach%20Guidelines1%20(3).pdf; Alberta Key Steps in Responding to Privacy Breaches, http://www.oipc.ab.ca/ims/client/upload/Key%20Steps%20in%20Responding%20to%20a%20Privacy%20Breach%202007.pdf (all visited April 19, 2009).

22 See section 2.(d) below for a full discussion of the Committee’s recommendation for instituting a form of voluntary breach notification.

23 See, for example, PIPEDA Case Summary #393, Laptop theft at bank and long delay before informing victims were both avoidable, http://www.privcom.gc.ca/cf-dc/2008/393_20080611_e.asp.

Privacy Breaches in Canada P a g e | 7

specific laws, regulations, industry codes of conduct or other rules applicable to an organization may require disclosure

the organization may be subject to contractual requirements that require disclosure

the nature of the relationship between the organization and the individual whose personal information has been the subject of the security breach may mandate disclosure, such as where the organization is a fiduciary or agent for the individual.

(d) Proposals for Reform

Like many other federal statutes, PIPEDA mandates a five-year review process. From November 2006 through February 2007, the House of Commons Standing Committee on Access to Information, Privacy and Ethics (the “Committee”) heard submissions on potential amendments to PIPEDA, and in May 2007 its report was presented to the House.24

One of the most contentious issues dealt with by the Committee was that of breach notification. The main submissions referred to by the Committee in its Report made a number of disparate proposals:

Most business organizations argued that there was no need for the addition of compulsory breach notification requirements since organizations “for the most part, feel that they already have a duty to notify individuals in instances of significant security breaches involving personal information.”25 They were supportive of discretionary notification tools such as the Privacy Breach Notification Tool created by the Ontario and B.C. IPCs.26

At the other end of the spectrum, a number of privacy advocacy groups argued that PIPEDA should be amended to add strict breach notification requirements modelled on those introduced by California and other U.S. states. In particular, these groups argued that organizations should not have any discretion in deciding whether a privacy breach was significant enough to justify notifying affected individuals, but that decisions about what steps to take in the face of a real or potential privacy breach should be up to the affected individual after receiving notification.

Several commentators urged the Committee to take a cautious approach to any recommendation that notification be made compulsory. The B.C. IPC noted that “there is no evidence available yet to demonstrate that mandatory

24 See http://cmte.parl.gc.ca/cmte/CommitteePublication.aspx?COM=10473&Lang=1&SourceId=204322 for a copy of the Committee’s Report.

25 Committee Report, page 41.

26 This Tool is discussed in detail in section 2.(f) below.

Privacy Breaches in Canada P a g e | 8

notification is actually a cost-effective way to reduce the risk of identity theft related to security breaches.”27

The federal Commissioner was somewhat equivocal in her position about compulsory breach notification. While she was generally supportive of some form of breach notification requirement, she at first told the Committee that compulsory notification did not fit well into the structure of PIPEDA and that there was no easy way to penalize organizations that did not provide required notifications. At a later appearance before the Committee, however, the Commissioner expressed the view that, in light of a number of recent serious privacy breaches, she would recommend the addition of a breach notification requirement, even though she did not think that such a provision would change greatly the present practice of organizations subject to PIPEDA.

In its Report, the Committee preferred a model that would require notification to the federal Commissioner of some, but not all, privacy breaches, and the Commissioner would then have discretion to determine whether individuals notices were warranted and what their form should be.28 The Committee noted that requiring notification to the Commissioner of each and every privacy breach, no matter how trivial or uncertain, would place a great strain on the already over-taxed resources of the Commissioner’s office, but nevertheless suggested that this was the appropriate model.

On October 17, 2007, the Government of Canada tabled in Parliament its response to the Committee’s Report.29 The Government proposed that the Privacy Commissioner be notified of any major breach of personal information, and that affected individuals and organizations be notified when there is a high risk of significant harm resulting from the breach. Industry Canada subsequently sought public comment on the breach notification issue.30 In June 2008, Industry Canada released a Model for Data Breach Reporting and Notification under PIPEDA, which was presented as a working model to provide additional background to assist in framing and considering the proposed legislative amendments to PIPEDA. As a result of the intervening election and the focus of the Government on economic issues, there has been no further activity on the implementation of PIPEDA reforms since June 2008.

(e) Encryption and Passwords

Generally, the use of strong encryption (currently a minimum of 128 bit) of data containing personal information (or some other appropriate security methodology that prevents unauthorized access to personal information) will prevent any notification obligation from arising even if the media containing the data is lost or stolen. This exemption is explicit in many (but not all) of the U.S. state laws that mandate privacy breach notification, and has been implied in situation where there is an otherwise unqualified obligation to notify. For example, in Order HO-004, the OIPC stated as follows:27 Committee Report, page 43.

28 Committee Report, pages 44-45.

29 http://www.ic.gc.ca/eic/site/ic1.nsf/eng/00317.html

30 http://www.gazette.gc.ca/archives/p1/2007/2007-10-27/html/notice-avis-eng.html

Privacy Breaches in Canada P a g e | 9

[T]o the extent that personal health information on a mobile computing device has been encrypted to protect it from unauthorized access, I would not consider the theft or loss of that device to be a loss or theft of PHI. [PHIPA] requires custodians to notify an individual at the first reasonable opportunity if [personal health information] is stolen, lost or accessed by unauthorized persons. If the case can be made that the [personal health information] was not stolen, lost or accessed by unauthorized persons as a result of the loss or theft of a mobile computing device because the data were encrypted (and encrypted data does not relate to identifiable individuals), the custodian would not be required to notify individuals under [PHIPA].31

In the same Order, the OIPC stated that an acceptable alternative to the use of laptops computers or other mobile devices containing copies of personal information files is the use of secure Internet access methods or virtual private networks, provided that temporary copies of the personal information is not inadvertently cached or otherwise stored on the device after the connection to the central data storage facility is terminated.

On the other hand, Canadian privacy regulators have unanimously rejected the use of passwords (whether applied to entire devices such as laptops or individual files containing personal information) as a sufficient protection for personal information that is located on electronic media that becomes subject to unauthorized access.32

It therefore seems clear that one of the prevention strategies that can be used by organizations to minimize the likelihood that they will be required to notify affected individuals about a data breach is to ensure that all data that contains personal information is encrypted, especially if any of that information will at any time be stored on a mobile device or otherwise removed from the organization’s premises or made available by some type of remote access.

(f) Strategies Surrounding Notification

Even if there is no clear legal obligation to notify either individual consumers or privacy regulators, an organization that has suffered a data breach must consider very carefully whether the best course is to try to keep the breach secret in the hope that nothing will happen.

While there are a number of estimates by commentators that only a small percentage of personal information security breaches actually result in identity theft, fraud or some other damage to consumers, the unexpected public revelation of a previously-unreported data breach will usually have a negative impact on the organization that far exceeds the impact of a carefully managed disclosure, whether by way of press release, advertisement or notice to affected individuals. While it is unlikely that such unexpected public disclosure will result from consumers suffering losses, tracing the breach back to

31 Order HO-004, note 11 above, at page 20.

32 See, for example, Order HO-004 at pages 8 and 19; Alberta IPC “Report of an Investigation into the Security of Personal Information”, September 26, 2006, MD Management Ltd., Investigation Report P2006-IR-005 (“MD Management”), http://www.oipc.ab.ca/ims/client/upload/ACFAB50.pdf (visited May 24, 2007).

Privacy Breaches in Canada P a g e | 10

the organization and then reporting the breach to the media or a privacy regulator, there are many other ways that an unexpected disclosure of a privacy breach can occur, including periodic financial audit and reporting requirements, internal “whistleblowers”33 and unrelated regulatory audits or investigations. As a result, an organization would generally be well-advised not to rely solely on continuing secrecy as a strategy for avoiding the potential negative impact of the publicity surrounding a privacy breach.

The decision to disclose a data breach and/or to notify affected individuals therefore becomes a risk-management exercise in which an organization must assess the potential risks to the organization (including both reputational risks and potential financial risks) and to affected individuals. Fortunately, there are a number of templates that have been developed by regulators and others to provide a framework for this analysis.

The B.C. and Ontario Tool sets out a number of steps to be taken by an organization in deciding whether to notify individuals or regulators about a privacy breach. The Tool recommends that organizations follow four steps:

Step 1: Notifying Affected Individuals

Step 2: When and How to Notify

Step 3: What to Include in the Notification

Step 4: Others to Contact

In Step 1, unless the organization is required to notify individuals due to statutory, regulatory or contractual requirements, the Tool suggests a contextual approach to determining whether notification should be made. The notification decision involves a consideration of various risks to affected individuals, including the risk of identity theft, the risk of physical harm to an individual (e.g. stalking), the risk of “hurt, humiliation, damage to reputation,” and the risk of loss to the individual of business or employment opportunities. Perhaps not surprisingly, the Tool does not explicitly weigh the potential risks and costs to the organization of providing notification into the decision whether or not to provide notice. Obviously, an organization should take into account the potential loss of reputation, embarrassment, financial cost and other damage that may be suffered if the organization notifies a large number of individuals about a privacy breach.

In Step 2, the Tool advises that notification should be made as soon as possible following a breach, unless there are reasons for delaying, such as avoiding compromising a criminal investigation. While not specifically mentioned in the Tool, it is often advisable to wait until there is reasonably reliable information that indicates that a data breach has in fact occurred. In many cases, data files or media are temporarily lost or simply cannot be located, but there is no evidence that there has been unauthorized access to the information. There is little incentive for an organization to prematurely notify individuals about a potential privacy breach until it is clear that a breach has in fact occurred, and sending notices to individuals prematurely may in fact cause more harm

33 Most Canadian private sector privacy statutes contain prohibitions on taking any retaliatory action against employees or others who report breaches of the statute. See, for example, sections 27, 27.1 and 28 of PIPEDA, which make retaliatory action against a whistleblower a criminal offence.

Privacy Breaches in Canada P a g e | 11

than good, especially if it turns out that the personal information was not in fact accessed by any unauthorized individuals.34

This issue has recently been demonstrated in PIPEDA Case Summary #395,35 which dealt with a well publicized incident in which CIBC reported that it had lost track of a computer tape that was being couriered from Montreal to a suburb of Toronto. The tape contained personal information about more than 400,000 current and former clients of CIBC’s subsidiary Talvest Mutual Funds (Talvest). As is summarized in the Commissioner’s report, CIBC and Talvest conducted an exhaustive investigation into the whereabouts of the tape, and subsequently sent notifications to all of the individuals whose information was understood to have been on the tape. Unfortunately, after sending this notification, and suffering a great deal of adverse publicity as a result, CIBC and the Commissioner concluded after further investigations that it was likely that, due to lax security and audit procedures, the courier package (which was delivered damaged and empty to its destination) probably never contained the tape. This incident should serve as a cautionary tale for organizations who are all too often encouraged to rush to send consumer notifications before an incident is fully investigated and the scope and severity of the breach is determined.

Step 2 of the Tool also provides an analysis of the most appropriate procedure for providing notification to affected individuals. While direct notification by letter or email is preferred, other notification methods may be justified where direct notification could cause further harm,36 is prohibitive in cost,37 or contact information is missing or likely to be inaccurate.38 Alternatives such as newspaper advertisements and personal visits at the next scheduled appointment may be employed in appropriate cases.

Step 3 of the Tool then provides general guidance about what information to include in the notices sent to individuals, including the date of the breach, a description of the breach and how it happened, a description of the information that was inappropriately accessed, collected, used or disclosed, a summary of the steps taken so far to control or reduce the harm and the future steps planned to prevent further privacy breaches. The Tool also suggests providing information about how individuals can protect themselves (such as how to contact credit reporting agencies in order to set up credit watch and information explaining how to change a personal health number or driver’s licence number), information about how to complain to the appropriate privacy regulator and

34 For example, in BC Report F06-01, the BC IPC was satisfied that no-one had actually accessed or used the personal information on the government computer tapes that had been purchased at an auction, and there was therefore no reason to recommend that notice be given to individuals whose personal information was on the tapes, whether by individual notices or general advertisements.

35 Commissioner initiates safeguards complaint against CIBC, http://www.privcom.gc.ca/cf-dc/2008/395_20080925_e.asp

36 This is often the case for medical information of current health care patients, who may suffer negative consequences as a result of receiving a generic notification letter. It is often recommended that alternatives such as personal visits or providing notification to caregivers be employed to minimize the potential negative results of notification.

37 The example given by the Tool is where there are a “very large number” of affected individuals.

38 In Order HO-004, note 11 above, the OIPC noted that sending notices to potentially outdated addresses might in itself lead to further privacy violations and should therefore be avoided.

Privacy Breaches in Canada P a g e | 12

contact information for someone within the organization who can provide additional information and assistance and answer questions.

Lastly, Step 4 recommends that an organization consider contacting other agencies such as law enforcement (if it appears that the data breach resulted from a criminal act), the relevant Commissioner’s office, and/or appropriate professional or regulatory bodies and technical suppliers (if the breach was as a result of a technical failure or an underlying vulnerability).

The Tool is an excellent starting point for any organization trying to deal with a privacy breach. Several caveats must be noted, however. The Tool is clearly written from the point of view of the IPC, and therefore takes a very pro-privacy stance that ignores many concerns that an organization may have in dealing with these issues, such as how to deal with the media and other stakeholders. The Tool also does not give any guidance about how to draft notification letters or notices in order to make them effective and understandable. Therefore, while generally following the Tool is important for organizations that want to ensure that their notification strategies will likely receive the approval of the IPC, organizations should treat the Tool as a resource only and understand that there will be many additional steps that will have to be taken and decisions that will have to be made in order to successfully deal with a privacy breach.

Other useful resources and guidelines may be obtained from some of the U.S. states that have implemented privacy breach notification obligations. For example, the California Office of Privacy Protection has published “Recommended Practices on Notice of Security Breach Involving Personal Information”39 that includes sample notification letters that may be a useful starting point when notification is to be made.

3. What The Heck Should I Do About This?

There is no simple answer to this question, mainly since each individual situation may require different strategies to move towards the most effective response. As a general rule, however, organizations that handle significant amount of personal information should consider creating a protocol for responding to privacy breaches before an incident occurs. The proactive development of such a protocol prior to the occurrence of a data breach has several advantages for an organization:

The organization will be better able to respond quickly and in a coordinated manner because the breach protocol will have anticipated some or all of the necessary steps to be taken.

The roles and responsibilities of the organization’s employees and service providers will be clarified.

The process by which the organization will conduct its investigation will be clarified.

The organization’s planned response to the privacy breach will be documented and available.

39 http://www.privacyprotection.ca.gov/recommendations/secbreach.pdf (visited May 23, 2007).

Privacy Breaches in Canada P a g e | 13

Effective containment of the privacy breach will be accelerated.

Any remediation efforts will be easier and faster.

The organization will be better prepared for the potential involvement of privacy and other regulators.

The organization will be better able to explain its response to the privacy breach to its managers, directors, shareholders, suppliers, customers and the media.

Although it is difficult to dispute that there is great value in the establishment of a privacy breach protocol, in my experience relatively few organizations that have not already suffered a privacy breach incident ever implement such a protocol. This usually results from a variety of factors, including the cost (or perceived cost) of creating a breach protocol, the lack of a privacy coordinator with the skills or authority to ensure that a protocol is established and implemented, the fact that other organizations in the same industry have not developed their own protocol, and the general attitude that “it won’t happen to us.” The fact is, however, that an organization can significantly improve its level of privacy breach preparedness at little or no cost by taking a few simple steps, such as assembling a team to coordinate the response to a privacy breach (including representatives from such diverse functions as HR, IT, legal, marketing and government relations) and distributing evening and weekend telephone numbers of team members to ensure that everyone can be contacted quickly if an incident occurs.

While there is no blueprint breach protocol that can be used to respond to every privacy breach, there are a number of published guidelines that offer suggestions and assistance that can be used as a starting point. Many of these guidelines are directed to public sector data controllers, but contain recommendations that are useful for private sector organizations faced with a privacy breach. For example, the federal Treasury Board Secretariat has published “Guidelines for Privacy Breaches”40 to assist public sector data managers in dealing with the unauthorized release of personal information in the possession of the federal government, and the OIPC has published brochures entitled “What To Do If A Privacy Breach Occurs: Guidelines For Government Organizations,”41 “What To Do When Faced With A Privacy Breach: Guidelines For The Health Sector”42 and “Key Steps in Responding to Privacy Breaches.”43

Although they differ in their details, all of these Guidelines, and all of the standard advice given to private sector organizations faced with a security breach, suggest following the same general steps, which can be summarized as follows:

Containment

40 http://www.tbs-sct.gc.ca/atip-aiprp/in-ai/in-ai2007/breach-atteint_e.asp (visited May 24, 2007).

41 http://www.ipc.on.ca/images/Resources/up-1prbreach.pdf (visited May 24, 2007).

42 http://www.ipc.on.ca/images/Resources/up-3hprivbreach.pdf (visited May 24, 2007).

43 http://www.oipcbc.org/pdfs/Policy/Key_Steps_Privacy_Breaches_(Dec_2006).pdf (visited May 24, 2007).

Privacy Breaches in Canada P a g e | 14

Risk Assessment

Notification

Remediation and Review

Not all of these steps will apply in all situations and there may be additional steps that are necessary in specific situations. For example, data breaches that involve organizations and information located outside of Canada may require additional remediation and notification steps.44

(a) Containment

The first step should always be to make sure that the privacy breach is not ongoing. As a result, immediately after the breach is discovered, the organization should take some or all of the following steps to ensure that the problem does not get worse.

Immediately contact the organization’s privacy officer and/or the person responsible for security in the organization.

Remove, move or segregate exposed information/files.

Determine whether the privacy breach would allow unauthorized access to any other personal information and take whatever necessary steps are appropriate (e.g. change passwords, identification numbers and/or temporarily shut down a system). In some cases, it may be necessary to shut down a website, application or device temporarily to permit a complete assessment of the breach and resolve vulnerabilities.

Attempt to retrieve any documents, copies of documents or files that were wrongfully disclosed or taken by an unauthorized person.

Ensure that no copies of personal information have been made or retained by any individual who was not authorized to receive the information and obtain the person’s contact information in the event that follow-up is required.

Return the documents or files to their original location or to the intended recipient unless its retention is necessary for evidentiary purposes.

Notify the police if the privacy breach involves theft or other criminal activity.

(b) Risk Assessment

Once the privacy breach has been contained, the organization must assess the risk of harm arising from the breach. This assessment is necessary to determine what actions are appropriate in the notification and remediation steps.

44 See the brief discussion about international privacy breaches in section below below.

Privacy Breaches in Canada P a g e | 15

What data elements have been breached? Is the information sensitive? Health information, social insurance numbers and financial information that could be used for identity theft are examples of sensitive personal information.

What possible use could be made of the personal information by unauthorized persons or organizations? Could the information be used for fraudulent or other harmful purposes?

What is the cause of the breach? Could there be ongoing or further exposure of the information?

What was the number of likely unauthorized recipients and what is the risk of further access, use or disclosure, including in mass media or online?

Is the information encrypted or otherwise not readily accessible?

What steps have already been taken to minimize the harm?

How many individuals might be affected by the breach?

Who is involved or affected by the breach: employees, public, service providers, clients, service providers, other organizations?

Is there any relationship between the unauthorized recipient(s) and the individual(s) whose personal information has been disclosed?

What harm to the individual(s) whose personal information has been disclosed will or could result from the breach? Consider security risks (e.g. an individual’s physical safety), identity theft or fraud, loss of business or employment opportunities and hurt, humiliation, damage to reputation or relationships.

What harm could result to the organization as a result of the breach? Consider loss of trust in the organization, loss of assets (exposure of confidential client or supplier lists, for example) and financial exposure.

What harm could result to the public as a result of the breach? For example, is there a risk to public health or public safety as a result of the breach?

(c) Notification

As discussed in section above, there are a number of factors to be considered in determining whether and how to notify affected individuals, privacy regulators and/or law enforcement officials about a privacy breach.

Privacy Breaches in Canada P a g e | 16

(d) Remediation and Review

Once the immediate steps are taken to mitigate the risks associated with the breach, and consideration is given to providing appropriate notices, the organization must take the time to thoroughly investigate the cause of the breach and determine what steps, if any, are needed to prevent further incidents. The remediation step could include all or some of the following actions, depending on the state of the organization's preparedness prior to the breach and the “lessons learned” during the course of the breach containment and investigation:

Conduct a security audit of the organization’s physical and technical security.

Conduct a privacy audit that analyzes the personal information that is collected, used and disclosed by the organization and identify issues of non-compliance with applicable privacy laws, industry guidelines, contractual obligations, etc. If a privacy audit was already performed for the organization, update it and assess its continuing viability in view of the vulnerabilities exposed by the breach and subsequent investigation.

Develop or improve, as necessary, adequate long term security and procedural safeguards against further breaches.

Review and update all privacy policies and procedures to reflect the lessons learned from the privacy breach investigation.

Plan a scheduled audit to ensure that any changes have been fully implemented.

Implement a privacy breach protocol. If a protocol was in existence at the time of the breach, review its effectiveness in dealing with the breach and its aftermath, and make adjustments as appropriate.

Train the organization’s employees to ensure that they understand the organization’s privacy obligations and have appropriate knowledge of the privacy breach protocol. If the organization’s employees have previously been trained, consider whether refreshers are necessary or whether there should be changes or additions to the training program.

As can be seen from above checklists, responding to a privacy breach involves a great deal more than simply finding the problem, sending some notifications and promising not to let it happen again. A privacy breach necessarily involves a failure of preparation or implementation of the organization’s security plans for personal information in its possession or control, and therefore requires a detailed and careful response that will involve a large number of disparate resources inside and outside of the organization.

4. Can I Be Liable For This?

A very frequent concern of organizations is whether they will face the type of lawsuits and large fines that have been visited on several companies in the U.S. and well

Privacy Breaches in Canada P a g e | 17

publicized in Canada. While to date there have not been any successful actions in Canada based solely on liability for permitting a privacy breach, there are still a number of potential sources of liability that organizations should be aware of.

(a) Canadian Private Sector Personal Information Privacy Statutes

None of the Canadian private sector personal information privacy statutes provide for a private cause of action against organizations where appropriate personal information safeguards are not maintained. Section 16 of PIPEDA permits the Federal Court, on an application, to award damages to the complainant, including “damages for any humiliation that the complainant has suffered”. Thus far there have been no such damages awarded, and it seems unlikely that there will be significant awards of damages in the near future.

Under the Quebec An Act respecting the protection of personal information in the private sector (the “Quebec Act”),45 the Commission d'accès à l'information (“CAI”) may examine and decide a dispute relating to access to or rectification of personal information (section 42) and may issue recommendations (following an inquiry) for such remedial measures as are appropriate to ensure the protection of the personal information. The Quebec Act does not grant the CAI specific power to award damages for a violation of a duty imposed on an enterprise with respect to the protection of the personal information. An enterprise may have damages awarded against it by a court should it collect, retain, use or disclose personal information in violation of the Quebec Act, or if the enterprise acted wrongfully, the action resulted in damages to the plaintiff, and there is a causal relationship between the damages suffered and the wrongful action.46 Damage awards have been modest in all of these cases and have not exceeded $10,000.00 on any one occasion.

The B.C. and Alberta legislation47 do not allow for damage awards, but permit fines to be levied for offences. It does not appear, however, that either BC PIPA or Alberta PIPA includes failing to provide adequate security for personal information amongst the list of offences.

(b) General Purpose Privacy Legislation

Apart from the private sector personal information protection legislation discussed above, four common law provinces provide for a statutory tort of invasion of privacy:

45 R.S.Q., c. P-39.1.

46 Demers v. Banque Nationale du Canada, B.E. 97BE-330 (C.Q.); Chartrand v. Corp. du Club de l'amitié de Plaisance, B.E. 97BE-878 (C.Q.); Boulerice v. Acrofax inc., [2001] R.L. 621 (C.Q.); Stacey v. Sauvé Plymouth Chrysler (1991) inc., J.E. 2002-1147 (C.Q.); Basque v. GMAC Location Limitée, 2002 IIJCan 36125 (C.Q.); Roy v. Société sylvicole d'Arthabaska-Drummond, J.E. 2005-279 (C.Q.); Roy v. Société sylvicole d'Arthabaska-Drummond, J.E. 2005-279 (C.Q.); .

47 Personal Information Protection Act, S.B.C. 2003, c. 63 (“B.C. PIPA”); Personal Information Protection Act, S.A. 2003, c. P-6.5 (“Alberta PIPA”).

Privacy Breaches in Canada P a g e | 18

British Columbia,48 Saskatchewan,49 Manitoba,50 and Newfoundland.51 Although there is some variation, the statutes that create these torts typically make it actionable to wilfully violate the privacy of another individual. These statutes do not define what is meant by a violation of privacy, but state that surveillance, interception of communications and use of an individual’s likeness for the purposes of advertising will generally be considered to violate privacy in the absence of consent. Certain exceptions are provided for publication of matters of public interest and situations involving law enforcement or judicial proceedings.

In addition, Articles 35 through 41 of the Quebec Civil Code contain comparable provisions.52 In particular, Article 35 provides that no one may invade the privacy of a person without the consent of the person unless authorized by law. In addition, section 5 of the Quebec Charter of Human Rights and Freedoms provides that “Every person has a right to respect for his private life.”53 This section has been successfully used to ground a claim for damages for publication of a photograph of an individual in a magazine without consent.54

There have been no cases where any of these provisions have been applied to negligent or accidental security breaches involving personal information, and it would appear that the requirement that the actions of the organization be wilful would in most cases preclude any claim under these statutes against an organization that has had a privacy breach.

(c) Common Law

Canadian common law has been hesitant to recognize a cause of action for the tort of invasion of privacy, although the attitude of Canadian courts to this issue may slowly be changing. While only a few years ago it would have been possible to say with reasonable certainty that no common law tort of invasion of privacy existed in Canada, courts in Ontario and other provinces are now signalling that a common law right to privacy may in fact exist in some form. A number of Ontario Superior Court decisions have indicated that recognition of a tort of invasion of privacy is not only likely but probablyinevitable.55

48 Privacy Act, R.S.B.C. 1996, c. 373.

49 Privacy Act, R.S.S. 1978, c. P-24.

50 Privacy Act, C.C.S.M. c. P125.

51 Privacy Act, R.S.N.L. 1990, c. P-22.

52 Civil Code of Quebec, S.Q. 1991, c. 64, Articles 35-41.

53 Québec Charter of Human Rights and Freedoms, R.S.Q., c. C-12.

54 Aubry v. Éditions Vice-Versa inc., [1998] 1 S.C.R. 591. In its analysis, the Supreme Court of Canada held that the right to privacy must be balanced against the right to freedom of expression and the public interest.

55 See Somwar v. McDonald's Restaurants of Canada Ltd. (2006), 79 O.R. (3d) 172, 263 D.L.R. (4th) 752 (S.C.), Shred-Tech Corp. v. Viveen, 2006 CanLII 41004 (ON S.C.) and Nitsopoulos v. Wong, 2008 CanLII 45407, http://www.canlii.org/en/on/onsc/doc/2008/2008canlii45407/2008canlii45407.html. By contrast, a British Columbia Superior Court judge rejected the concept of a common law right to privacy in Bracken v. Vancouver Police Board, [2006] B.C.S.C. 189 (CanLII), at least partly on the basis that

Privacy Breaches in Canada P a g e | 19

The contours of any common law tort of invasion of privacy are not at all clear, and courts in other Commonwealth jurisdictions have taken a variety of approaches to the concept of a free-standing privacy right. While members of the High Court of Australia, in a case involving an injunction to restrain broadcast of a video taken surreptitiously inside a abattoir,56 mused, without deciding, about the possibility that a separate tort of breach of privacy might be found to exist,57 subsequent Australian decisions have continued to reject the idea.58 New Zealand59 and India60 have recognized at least some form of a common privacy right. The U.K. House of Lords in Campbell v MGN Ltd61 rejected a common law tort of invasion of privacy but morphed the existing tort of breach of confidence into what one Law Lord referred to as “a remedy for the unjustified publication of personal information.”

An alternative to the tort of invasion of privacy is the application of the law of negligence to privacy breaches. In Canada v. Saskatchewan Wheat Pool,62 the Supreme Court of Canada held that while there is no nominate tort of “statutory breach” that will create liability as a result of a government or citizen violating a statutory restriction, proof of statutory breach may be used as evidence of negligence and that the statutory formulation of the duty may afford a specific, and useful, standard of reasonable conduct.63 The Supreme Court subsequently stated:

Legislative standards are relevant to the common law standard of care, but the two are not necessarily co-extensive. The fact that a statute prescribes or prohibits certain activities may constitute evidence of reasonable conduct in a given situation, but it does not extinguish the underlying obligation of reasonableness. … Thus, a statutory breach does not automatically give rise to civil liability; it is merely some evidence of negligence. . .

the existence of the B.C. Privacy Act precluded the development of a similar common law right.

56 Australian Broadcasting Corporation v. Lenah Game Meats Pty. Ltd., [2001] H.C.A. 63.

57 See Taylor, “Why Is There No Common Law Right of Privacy?” (2000) 26 Monash University Law Review 235; “Privacy, Injunctions and Possums: An Analysis of the High Court's Decision in Australian Broadcasting Corporation v Lenah Game Meats”, (2002), 26 Melbourne University Law Review 707; Protecting Privacy, Property, and Possums: Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd (2002), 30 Federal Law Review 177;

58 See, for example, Giller v Procopets [2004] V.S.C. 113 at 187 - 189; Moore-McQuillan v WorkCover/Vero Workers Compensation (SA) Ltd (Wolf Air and Dive Shop), [2005] SAWCT 3; but see Grosse v Purvis [2003] QDC 151 and “Gross v Purvis: its place in the common law of privacy” (2003), 10 PLPR 66.

59 Hosking v Runting, [2004] NZCA 34 (25 March 2004); P. v. D., [2001] 2 N.Z.L.R. 591; Tobin, “Invasion of Privacy”, [2000] New Zealand Law Journal 216.

60 Govind v. State of Madhya Pradesh (1975), 62 A.I.R. (SC) 1378.

61 [2004] UKHL 22 (6 May 2004).

62 [1983] 1 S.C.R. 205.

63 Ibid., at 244. Where there is a sanction created by the statute it may be enforced in some circumstances by civil proceedings: Whistler Cable Television Ltd. v. Ipec Canada Inc., [1993] 3 W.W.R. 247 (B.C.S.C.) and Canada Post Corporation v. G3 Worldwide (Canada) Inc, 2005 CanLII 46078 (ON S.C.).

Privacy Breaches in Canada P a g e | 20

Where a statute authorizes certain activities and strictly defines the manner of performance and the precautions to be taken, it is more likely to be found that compliance with the statute constitutes reasonable care and that no additional measures are required. By contrast, where a statute is general or permits discretion as to the manner of performance, or where unusual circumstances exist which are not clearly within the scope of the statute, mere compliance is unlikely to exhaust the standard of care.64

While potentially a powerful legal tool, the “statutory negligence” cause of action65 has been rarely used successfully since 1983.66 Subsequent cases have held that a statute will not create a duty of care unless explicitly stated, but statutory restrictions may create a standard of care, although the weight to be accorded to the statutory standard is in the discretion of the trial judge.67

The acceptance of statutory requirements as a standard of reasonable conduct for negligence purposes has been extended to include recognized industry policies, practices, or standards, and the breach of a generally accepted industry standard may constitute evidence of negligence. For example, Zraik v. Levesque Securities Inc.68 confirmed that failing to comply with certain professional duties and internally created guidelines could be used to establish negligence.

As a result, the privacy standards established by federal and provincial statutes, as well as industry standards such as model privacy policies or codes, may create specific and useful benchmarks for negligence purposes of both of reasonable conduct with respect to the collection of personal information and the reasonable expectations of privacy that an individual may have.

While there have been a number of class actions instituted in respect o of privacy breaches, none appear to have reached the certification stage.69 Most of the claims

64 Ryan v. Victoria (City), [1999] 1 S.C.R. 201, at para. 29 and 40.

65 Sometimes referred to as “negligent breach of statute”: see Britton v. Klippenstein, [2004] 10 W.W.R. 397 (Sask. Q.B.).

66 Successful damages claims in which statutory duties were used to establish negligence include Galaske v. O'Donnell, (1994), 112 D.L.R. (4th) 109 (S.C.C.); Noble v. Bhumper, (1996), 20 B.C.L.R. (3d) 244 (B.C.C.A.); Trango Holdings Ltd. v. Calwest Energy Corp., [2001] 263 A.R. 357 (Alta. Prov. Ct.); Prochazka v. Calwest Energy Corp., [2001] 264 A.R. 104 (Alta. Prov. Ct.);

67 See the discussion in Chong v. Flynn, [1999] 10 W.W.R. 671 (Alta. Q.B.), at paras. 12 – 19.

68 [1999] O.J. No. 2263 (S.C.J.); varied by [2001] O.J. No. 5083 (C.A.).

69 Based on a review of the National Class Action Database maintained by the Canadian Bar Association at http://www.cba.org/classactions/main/gate/index/default.aspx.

Privacy Breaches in Canada P a g e | 21

appear to have been based on a negligence theory, 70 which may make the awarding of significant damages difficult.71

The best that can be said today is that it is conceivable that, in appropriate circumstances, a Canadian court could award damages to an individual against an organization that negligently allowed unauthorized access to the individual’s personal information.

5. International Privacy Breach Issues

Clearly, many privacy breaches involve international issues. The compromised data may have been accessed in or from multiple jurisdictions, may have been about individuals residing in multiple jurisdictions, or may have been used in multiple jurisdictions, thereby potentially causing damage to affected individuals in a number of locations. The response to such international data breaches may therefore require organizations and individuals to be aware of, and respond to, the requirements of a number of provincial, state and national laws.

This section will briefly address the jurisdictional issues that arise concerning the application of Canadian privacy laws to breaches that take place outside of Canada and consider some questions a Canadian organization and its advisors have to address when dealing with a breach that may involve laws and regulators outside of Canada.

(a) Jurisdiction of Canadian Regulators

Historically, most jurisdictional disputes arose in private litigation between parties. These cases generally revolve around the issues of personal jurisdiction (does a court have jurisdiction over the defendant?), forum non conveniens (even if the court has personal jurisdiction, is there a clearly more convenient forum to which the court should defer by staying the proceeding?) and the enforcement of judgments obtained by a plaintiff in a foreign court.

The determination of whether a Canadian privacy statute applies to organizations or activities that takes place outside Canada (or outside a province in the case of provincial legislation) is called prescriptive jurisdiction rather than personal jurisdiction. Personal jurisdiction and prescriptive jurisdiction are often confused by both lawyers and courts, but prescriptive jurisdiction involves a different analysis concerning issues of statutory interpretation and legislative competence. First, the court must determine whether the wording of the statute in question in fact applies to the activity that is the subject of the regulatory proceeding. This will often involve an analysis of the purpose of the statutory scheme to see if it was intended that the legislation would apply to the impugned activity. Second, if the statute was in fact intended to apply outside of Canada or provincial

70 See, for example, the claims in Murray Waters v Daimlerchrysler Services Canada Inc. (Saskatchewan) at http://www.cba.org/classactions/class_2008/saskatchewan/pdf/06-09-2008_Waters.pdf and Maurice Assor vs. Services DaimlerChrysler Canada Inc. and United Parcel Service du Canada Ltée (Quebec) at http://www.cba.org/classactions/class_2008/quebec/pdf/2008-22-04_Assor2.pdf

71 See “Data breaches leading to class actions”, http://www.lawtimesnews.com/Headline-News/Data-breaches-leading-to-class-actions (visited April 19, 2009) where the author is quoted on this issue.

Privacy Breaches in Canada P a g e | 22

borders, the court must assess whether the legislature had the constitutional authority to legislate activity taking place outside of its borders.

The federal Parliament has wider powers that the provincial legislatures to pass laws with extra-territorial reach. The Statute of Westminster, 1931, the act of the British Parliament that created Canada as an independent state, provides in section 3 that “It is hereby declared and enacted that the Parliament of a Dominion has full power to make laws having extraterritorial operation”. This provision has been relied on in many subsequent cases to extend the reach of federal laws beyond Canadian borders.72 Similarly, a provincial legislature must have some valid regulatory interest in extending the reach of its laws beyond the boundaries of the province.73

Historically, there has been a legislative presumption against the extra-territorial application of public law statutes, as a matter of statutory interpretation. This is based on a historical concern not to infringe on the sovereignty of other states (or provinces) by purporting to regulate conduct that occurs wholly within the boundaries of another jurisdiction. However, over the years the courts began to relax rigid principles of territoriality. The modern approach recognizes that governmental authorities have a legitimate interest in regulation and enforcement in relation to activities that take place abroad but have an unlawful consequence within their jurisdiction, as well as in activities that take place within their jurisdiction but have unlawful consequences elsewhere. In Libman v. The Queen,74 the Supreme Court of Canada ruled that “it is sufficient that there be a ‘real and substantial link’” between the proscribed conduct and the jurisdiction seeking to apply and enforce its law.

Similarly, Québec’s Civil Code provides detailed conflict of law rules and, in this regard, establishes the general rule that “Québec authorities have jurisdiction when the defendant is domiciled in Québec” and that Québec authorities may hear matters even in the absence of jurisdiction if the matter has a “sufficient connection with Québec” and where proceedings cannot be instituted elsewhere, or it would be unreasonable to require that they be instituted elsewhere (article 3136).

In Citron v. Zundel,75 the Canadian Human Rights Commission determined that a web site set up in the United States by the infamous Holocaust denier Ernst Zundel was subject to the Canadian Human Rights Code, even though that statute was not explicit about its scope of its application. In Society of Composers, Authors and Music Publishers of Canada v. Canadian Assn. of Internet Providers,76 the Supreme Court ruled that an Internet communication that either originates outside of Canada or is received outside of Canada can be an infringement of the “communication to the public by telecommunication” right under Canadian copyright law:

72 See the cases listed in Hogg, Constitutional Law of Canada (4th ed., 1997), at pg. 323.

73 For an in-depth analysis of this issue as it relates to consumer protection laws, see Tassé and Faille, “Online Consumer Protection In Canada: The Problem Of Regulatory Jurisdiction”, Internet & E-Commerce Law in Canada, August 2001.

74 [1985] 2 S.C.R. 178.

75 41 C.H.R.R. D/274, Canadian Human Rights Commission, January 18, 2002.

76 [2004] 2 S.C.R. 427.

Privacy Breaches in Canada P a g e | 23

[60] The [real and substantial connection] test reflects the underlying reality of “the territorial limits of law under the international legal order” and respect for the legitimate actions of other states inherent in the principle of international comity. A real and substantial connection to Canada is sufficient to support the application of our Copyright Act to international Internet transmissions in a way that will accord with international comity and be consistent with the objectives of order and fairness.

[61] In terms of the Internet, relevant connecting factors would include the situs of the content provider, the host server, the intermediaries and the end user. The weight to be given to any particular factor will vary with the circumstances and the nature of the dispute.

While the Supreme Court referred to the need to conduct a textual analysis of the Copyright Act in order to determine whether extra-territorial reach was contemplated, in fact the application of the real and substantial connection test now appears to be the main determinant of whether a federal statute can be applied in respect of persons or activities outside of Canada.

To date, the application of PIPEDA to organizations outside of Canada has been uneven. In the early complaints that were directed to the federal Commissioner concerning organizations located outside of Canada dealing with personal information about Canadians, the Commissioner determined that she did not have jurisdiction to pursue investigations because there is no means by which information can be collected from those organizations. For example, the Commissioner’s office published this response to a complaint about Akiba.com:77

“We contacted Abika.com in Cheyenne, Wyoming to ask the organization to provide us with the contact information of its Canadian-based sources to aid us in pursuing the investigation. Our investigator informed you that Abika.com responded to our letter of notification to indicate that Abika.com acts as a search engine, not a database. Our investigation efforts have been frustrated by the fact that Abika.com would not respond to our request for the names of Canadian-based sources.

As you know, subsection 11(1) of PIPEDA states that:

An individual may file with the Commissioner a written complaint against an organization for contravening a provision of Division 1 or for not following a recommendation set out in Schedule 1.

Subsection 12 (1) of PIPEDA states that:

The Commissioner shall conduct an investigation in respect of a complaint…

In order to investigate Abika.com based in Cheyenne, Wyoming, our Office must have the requisite legislative authority to exercise our powers outside Canada.

77 November 18, 2005; http://www.privcom.gc.ca/legislation/let/let_051118_e.asp

Privacy Breaches in Canada P a g e | 24

However, basic principles of sovereignty and comity under international law state that a country cannot legislate outside its borders. The general convention is that Canada only legislates for Canada and only regulates activities within its borders. While Parliament may legislate with extraterritorial effect, this is rarely done. In the infrequent case that it is, it is for national security purposes or for a limited class of other purposes. In assessing whether a statute is to be applied outside Canada, a court will consider the intention of the legislature when it enacted the statute. There is a strong presumption that, absent an explicit or implicit contrary intention, Canadian legislation will only apply to the persons, property, juridical acts and events that occur within the territorial boundaries of the enacting body’s jurisdiction.

There is nothing explicit in PIPEDA to suggest that it was meant to apply outside of Canada or that the powers of the Commissioner would extend beyond Canada’s borders. According to leading case law, where the language of a statute can be construed so as not to have extraterritorial effect, then that construction must be adopted. It seems clear that this Act should not be construed to have extraterritorial effect. In the absence of any express or implied legislative intent, I must conclude that PIPEDA has no direct application outside of Canada.

While it is clear that the Commissioner may request information from anyone who she believes may have information relevant to an investigation, the formal investigative powers apply only within Canada. Abika.com has not responded to our request for the names of its Canadian-based sources. As such, we have no means of identifying - let alone investigating - those who would represent a Canadian presence for this organization and further, have no ability to compel an American organization to respond. ...

Global e-commerce poses challenges to all national governments that attempt to safeguard privacy and protect consumers. As you are aware from ongoing meetings with our Office, we share your concerns about the indiscriminate, non-consensual collection, use, and disclosure of personal information by profiling and data broker organizations. We agree that this raises serious privacy considerations. To this end, we have asked the Government of Canada to advise us what formal protocols, if any, exist that would allow us to investigate potential privacy breaches which may violate Canadian data protection laws. As important as it is, however, the specific instance you raise cannot be resolved through the complaint mechanism under PIPEDA. ...

In conclusion, we cannot proceed with your complaint as we lack jurisdiction to compel U.S. organizations to produce the evidence necessary for us to conduct the investigation. As a result, I am sorry to say that we have no choice but to close this file. The organization has been so informed. However, you should know that we have just recently launched an investigation in respect of a similar organization where we have been able to identify the Canadian sources of data.”

Privacy Breaches in Canada P a g e | 25

This opinion by the federal Commissioner seems to confuse the ability of a regulatory body to be able to use compulsory investigative techniques with the ability to make a determination when presented with evidence of a breach of a Canadian statute.

The Commissioner’s decision was subsequently overturned by the Federal Court on a judicial review application.78 The Federal Court began by noting the scope of PIPEDA’s application is not universal.

“Parliament cannot have intended that PIPEDA govern the collection and use of personal information worldwide. For instance, if Ms. Lawson were an American working in the United States, PIPEDA would have no application. Regulatory and investigative functions (as opposed to judicial) must have some connection with the state which enacts the underlying legislation.”79

The Court then went on to decide that the Commissioner did have jurisdiction to investigate, based on the scope of PIPEDA, in respect of the use outside of Canada of information about Canadians or information that originated in Canada.

Since the release of the Federal Court’s ruling in February, 2007, the Commissioner has dealt with a number of international privacy breach issues. In the Investigation Report concerning TJX Companies Inc. /Winners Merchant International L.P,80 the Commissioner dealt with a well documented privacy breach in which TJX suffered a network computer intrusion affecting the personal information of an estimated 45 million payment cards in Canada, the United States, Puerto Rico, the United Kingdom and Ireland. Unlike in previous investigations of international breaches, the Commissioner had no difficulty finding that she had jurisdiction to investigate the breach.

“The Office of the Privacy Commissioner of Canada had jurisdiction to investigate because TJX/WMI conducts commercial activities in Canada. The Information and Privacy Commissioner of Alberta had jurisdiction in this case because WMI is an organization, as defined in subsection 1(i) of [Alberta] PIPA, and it operates in Alberta. Some of the personal information in question was collected in the organization’s Alberta stores. The jurisdiction of the two Offices in this joint investigation applies primarily to the personal information collected during purchases made in Canada and subsequently disclosed as part of the data breach, as well as personal information collected during unreceipted return transactions at WMI stores.”81

In the result, the Commissioner concluded that TJX had breached PIPEDA by not employing adequate security steps, and recommended various steps be taken to correct the past problems.

78 Lawson v. Accusearch Inc., [2007] 4 F.C. 314, available online at http://www.canlii.org/en/ca/fct/doc/2007/2007fc125/2007fc125.html

79 At para. 38.

80 http://www.privcom.gc.ca/cf-dc/2007/TJX_rep_070925_e.asp. The investigation was conducted jointly with the Alberta IPC.

81 At para. 8.

Privacy Breaches in Canada P a g e | 26

(b) Dealing With International Privacy Breaches

As the discussion in the previous section makes clear, the federal and provincial Commissioners will have an interest in any privacy breach that involves personal information that originated from a Canadian source or is about Canadians. Organizations would therefore be well advised to involve Canadian regulators at an early stage of the investigation of any data breach.

The concerns of Canadian organizations may extend well beyond the borders of Canada, however. Many jurisdictions outside of Canada enforce privacy laws and regulations that carry penalties (financial and otherwise) that are far more draconian than those applicable under Canadian privacy laws. In some jurisdictions, these penalties can also be applied against officers and directors of organizations. Unless an organizations and its senior staff are certain that they will remain in Canada for the rest of their lives, and are equally certain that orders under foreign statutes will not be enforced in Canada, consideration must be given to actual or potential breaches of foreign laws.

Most jurisdictions have a minimum standard for the application of their laws to foreign individuals and organizations. While the tests are not consistent in all jurisdictions, most are similar to the Canadian test in assessing the contacts between the foreign entities and the jurisdiction in question. In the privacy breach context, it is likely safe to assume that any time an organization suffers a privacy breach involving either personal information about residents or citizens of a foreign jurisdiction or personal information that was accessed in a foreign jurisdiction, the privacy laws of that jurisdiction will apply to the investigation and the response to the breach. Foreign privacy laws may require the organization to undertake specific actions that may not be necessary under Canadian law, such as notification to regulators, consumers and other entities, as well as specific remediation and risk reduction techniques such as offering credit monitoring and counselling services to affected consumers.

Canadian organizations must include in their privacy breach remediation plans both proactive and reactive steps relating to the potential effect of foreign privacy laws. In particular, organizations must assess the nature of the personal information that they have in their possession or control to determine if there is a significant amount of information that is either about foreign residents or citizens and determine whether personal information in its possession or control is stored or processed in a foreign jurisdiction. In either case, the organization should compile a list of the jurisdictions in which it is possible that a privacy breach could engage the application of local privacy laws, and should then have local counsel prepare a summary of the local privacy laws that could be applicable in the event of a privacy breach. The organization’s breach response protocol should then be adjusted to take into account the potential application of foreign privacy laws.

6. Conclusion

While the unauthorized exposure of personal information files is not new, the number and breadth of such data breaches appears to be increasing as a result of a combination of concerted criminal action, larger amounts of data being collected and therefore

Privacy Breaches in Canada P a g e | 27

available to be disclosed, continuing use of vulnerable communication and storage methods and more intense media coverage of privacy breaches and identity theft issues.

Business organizations and their advisors not only must stay abreast of the most recent developments, be aware of the steps being taken internally to prevent privacy breaches and continually influence others in the organization to make privacy security a “top of mind” issue for everyone in the organization. Perhaps most importantly, organizations must be aware of the importance of being prepared for the possibility of a privacy breach. No matter what security measures have been taken, they can only reduce, not eliminate, the chances that a breach will occur. The only effective way to minimize the impact of a breach is to be properly prepared to deal with the worst case scenario, and then hope it never happens.