Understanding Privacy Breach Risk: Ontario Universities Risk Management Symposium

Presented by Brian Rosenbaum LL.B., Director, Legal and Research Practice, Financial Services Group, Aon Reed Stenhouse Inc., 25 November 2009


Page 1: Understanding Privacy Breach Risk: Ontario Universities Risk Management Symposium

Presented by Brian Rosenbaum LL.B., Director, Legal and Research Practice, Financial Services Group, Aon Reed Stenhouse Inc.

25 November 2009

Page 2: Agenda

CURIE Ontario University Forum

• Introduction
• The Unique Exposures of Higher Education Institutions
• A Myriad of Legislation
• Key Regulatory Issues
• Privacy Breach Statistics
• Types of Privacy Breaches
• Privacy Breach Examples
• Privacy Breach Risks
• Costs of a Breach
• Privacy Governance
• Privacy Breach Links/References
• Questions

Page 3: Introduction

• Universal Exposure
• Technological Explosion
• Privacy Breaches on the Rise
• Universities' and Colleges' Unique Risks

Page 4: The Unique Exposures of Higher Education Institutions

• A Learning and Sharing Environment
  – Open information sharing is a higher learning foundation
  – Remote access to networks and databases is commonplace
• Universities are Like Little Cities
  – PI of many different types of individuals (students, alumni, employees, applicants, patients)
  – Various types of PI (educational records, research information, financial information, health information)
• Technology Savvy and Sophisticated Internet Users
  – Students are first users of new technologies
  – Pressure for universities to adopt new platforms and systems
• Outsourcing Issues
  – Outsourcing e-mail and data storage may have many advantages, but there are privacy issues

Page 5: Privacy Law Overview: Ontario

• Freedom of Information and Protection of Privacy Act (FIPPA)
  – June 2006 amendments bring educational institutions under its jurisdiction
  – Regulates use, collection, disclosure and retention of PI by higher education institutions
• Personal Information Protection and Electronic Documents Act (PIPEDA)
  – Regulates use, collection, disclosure and retention of PI in the context of university activity that is commercial in nature and not "core" to the university mandate
  – Applies if PI flows outside of the province or country
• Personal Health Information Protection Act (PHIPA)
  – Regulates the collection, use and disclosure of personal health information

Page 6: Privacy Law Overview continued

Differences in Applicable Legislation

• Pose challenges in creating one uniform privacy policy
• Examples of differing provisions:
  – Disclosure of PI where there is no consent
  – Breach notification

Page 7: Privacy Breaches and Notification

• Current Law under PIPEDA/FIPPA
  – When does the obligation to notify arise?
  – Failure to properly notify in a timely fashion can lead to civil and regulatory liability
  – Early notification = mitigation
  – PIPEDA and FIPPA have no mandatory breach notification obligations
  – Guidelines/protocols strongly urge notification if a breach creates a risk of significant harm
• Industry Canada Proposal
  – Mandatory breach notification requirements are on the way
  – Discretion left in the hands of the organization
  – Threshold to report is "high risk of significant harm"
  – Reporting window is "as soon as reasonably possible"
  – Report "material breaches" to the Privacy Commissioner
• Current Law under PHIPA
  – Only Canadian legislation with mandatory breach notification requirements
  – "First reasonable opportunity" threshold

Page 8: Privacy Breach Statistics

ESI U.S. University Data Security Breach Study

• 2006
  – 83 data security breaches
  – 65 affected institutions
  – 2.7 million data records
• 2007
  – 139 data security breaches
  – 112 affected institutions
  – 1.25 million data records
• 2008
  – 173 data security breaches
  – 178 institutions
  – 4.9 million data records
• 2009 (so far)
  – 72 data security breaches
  – 66 institutions

Page 9: Privacy Breach Statistics continued

ESI U.S. University Data Security Breach Study continued

[Bar chart: Number of Breaches by Type of Breach (Online, Theft, Penetration, Loss, Impersonation, Employee Fraud), for 2006, 2007 and 2008]

Page 10: Privacy Breach Statistics continued

ESI U.S. University Data Security Breach Study continued

[Bar chart: Number of Records by Type of Information (Personally Identifiable, Social Security Numbers, Educational, Financial, Medical, Username/Password), for 2006, 2007 and 2008]

Page 11: Types of Privacy Breaches

Ponemon Institute – Primary Source of Breach 2008

Page 12: Canadian Privacy Breach Examples

• Brock University (September 2006)
• McGill University (April 2007)
• Memorial University (September 2008)
• Trent University (February 2009)
• Ryerson University (February 2009)
• Huron University College (March 2009)
• Carleton University (September 2009)
• Memorial University (September 2009)

Page 13: U.S. University Privacy Breach Examples

• California State Polytechnic University (15 Nov. 2009)
• Chaminade University (6 Nov. 2009)
• Bloomsburg University of Pennsylvania (1 Nov. 2009)
• California State University (14 Oct. 2009)
• University of Wisconsin (12 Oct. 2009)
• Roane State Community College (12 Oct. 2009)
• University of North Carolina (24 Sep. 2009)
• Eastern Kentucky University (24 Sep. 2009)
• Boston University (20 Aug. 2009)
• University of California (17 Jul. 2009)
• Cornell University (23 Jun. 2009)
• University of North Dakota (17 Jun. 2009)

Page 14: Privacy Breach Risks

• Civil Suits
  – From business partners (e.g. financial institutions, for credit card notification and recall expenses)
  – From students, faculty and the general public, for identity theft
• Regulatory Investigations and Proceedings
  – From the Privacy Commissioner of Ontario pursuant to FIPPA or PHIPA
  – From the Privacy Commissioner of Canada pursuant to PIPEDA
• Universities' Own Costs
  – Damage to data and property
  – Recovery and restoration expenses
  – Loss of intellectual property
  – Business interruption
  – Loss of business opportunity
• Damage to Reputation
  – Enrollment
  – Future revenues
  – Business partnerships

Page 15: Cost of a Breach

• Liability
  – Compensatory damages
  – Regulatory actions
• Direct Damages to Insured
  – Business interruption
  – Mitigation
  – Costs to restore information
  – Internal investigation
  – Legal fees
  – Lost customers
  – Lost employee productivity
• Response Plan
  – Public disclosure and notification
  – Interaction with regulators/authorities
• Crisis Management Costs
  – Call centre and website
  – Credit monitoring
  – Public relations

Page 16: Privacy Governance

• Breach Investigated and Assessed
  – What caused the breach?
  – How was it detected?
  – What personal information was involved?
  – How secure was the information (e.g. encryption)?
  – How many individuals were affected?
  – Does the breach appear to be criminal?
  – Is there a potential harm for those affected?
• Notification
  – What notification laws apply?
  – Should affected individuals be notified?
    › What are the reasonable expectations of those affected?
    › Is there a risk of harm (e.g. humiliation)?
    › Is there an ability to mitigate?
    › What are your contractual obligations?
    › Reputation considerations

Page 17: Privacy Governance continued

• Breach Risk Control Considerations
  – Conceptual
    › Have you recognized privacy as a risk for your organization?
      ▪ Would it cause reputation or financial risk?
    › Have you developed a strategy to handle this risk?
      ▪ Is the risk disclosed to investors (e.g. AIF statement)?
      ▪ Have you determined whether you will notify?
      ▪ Have you identified responsibilities within your organization?
      ▪ Have you identified outside parties to engage if you have a breach?
    › How will your strategy be funded?
  – Prevention
    › How are you ensuring the security of your systems?
    › Operational consistency: Is your data retention strategy in sync with your privacy obligations? With your privacy policy? Do you utilize a CRM platform? What information is being collected? How long is the data held for?
    › What training is being provided to employees? About your privacy policy? About your privacy obligations? About security? About reporting requirements?

Page 18: Privacy Governance continued

• Breach Risk Control Considerations continued
  – Assessment
    › Who is responsible for investigating potential breaches?
    › What reporting structure is in place?
    › Has a methodology been created for assessment/reporting?
    › What external resources are required in assessing a potential breach?
    › PIPEDA self-assessment tool: http://www.privcom.gc.ca/information/pub/ar-vr/pipeda_sa_tool_200807_e.pdf
  – Notification
    › Will you notify those affected by a breach? What methodology will be used to determine this? Has a formal plan been created? Has it been communicated?
    › Who will be responsible for the notification? What oversight is required?
    › Who will provide legal advice?
    › Will you hire a PR firm? Has the firm been identified? Have they been briefed on your notification plan?
    › Will the notification include your website and/or customer relations team?
    › Who will communicate with regulators?

Page 19: Privacy Breach Links/References

Websites

• Educational Security Incidents (ESI): http://www.adamdodge.com/esi
• Privacy Rights Clearinghouse: http://www.privacyrights.org/index.htm
• The Ponemon Institute: http://www.ponemon.org/index.php
• Open Security Foundation Data Loss Database: http://www.datalossad.org
• Office of Inadequate Security: http://www.databreaches.net/
• Identity Theft Resource Center: http://idtheftcenter.org
• Edupage: http://www.educause.edu/Resources/ElectronicNewsletters/Edupage/639
• Computer Crime & Intellectual Property Section of the United States Department of Justice: http://www.usdoj.gov/criminal/cybercrime/cc.html
• SSNBreach: http://www.nationalidwatch.org/
• Canadian Privacy Law Blog: http://www.privacylawyer.ca/blog
• Library Boy: http://micheladrien.blogspot.com

Reports and Studies

• ESI's 2008 Year in Review: http://www.adamdodge.com/esi/files/esi_yir_2008.pdf
• Ponemon Institute's 2008 Annual Study: Cost of a Data Breach: http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/2008-2009%20US%20Cost%20of%20Data%20Breach%20Report%20Final.pdf
• 2009 Rotman-Telus Joint Study on Canadian IT Security Practices: http://www.rotman.utoronto.ca/news/detail.asp?ID=490
• Breaches in the Academia Sector: http://jmcconsulting.wptlite.com/download.asp
• Privacy Breach Impact Calculator: http://www.informationshield.com/privacybreachcalc.html

Page 20: Questions and Discussion