Exploring the Meaning of “Real Risk of Significant Harm” - 2011 Report on the AccessPrivacy Breach Notification Workshops
Results of the AccessPrivacy CPO Forum Workshops held on September 27, 2011 and October 12, 2011, exploring the meaning of the “Real Risk of Significant Harm” breach notification threshold under the Personal Information Protection Act (Alberta)
Adam Kardash
Partner, Privacy and Information Management, Heenan Blaikie LLP, and
Managing Director & Head, AccessPrivacy
Pamela Snively
Managing Director, AccessPrivacy
AccessPrivacy HB is a division of HB Global Advisors Corp., a Heenan Blaikie company.
Report Contents
About AccessPrivacy
Overview of the Workshops
Sample Workshop Hypothetical Scenario
Workshop Results and Findings
Appendix A – Raw Workshop Data - Aggregated Participant Responses to Hypothetical Scenarios
2
About AccessPrivacy
AccessPrivacy is an integrated information governance service, complementary to the Heenan Blaikie LLP national Privacy & Information Management and Access to Information Law practices
We provide privacy and information management consulting and information services to organizations in the private and broader public sectors
Our information management services also include our CPO Forum, a thought leadership program designed to maximize benchmarking and information sharing among Chief Privacy Officers, senior compliance professionals and in-house counsel
3
Overview of The Workshops
Workshop Sponsors
Two Breach Notification Workshops were conducted by AccessPrivacy and moderated by Adam Kardash and Pamela Snively. They were held on:
September 27, 2011, in Toronto; and
October 12, 2011, in Vancouver.
The workshops were co-sponsored by the Office of the Information and Privacy Commissioner of Alberta (OIPC Alberta).
4
Workshop Attendees
Attendees included:
Representatives from the OIPC Alberta, the Office of the Privacy Commissioner of Canada, and the Office of the Information and Privacy Commissioner (BC)
60+ chief privacy officers, senior compliance professionals, senior in-house attorneys, industry association representatives
Sector representatives included financial services (38%), service providers (18%), retail (7%), healthcare (10%), industry associations (4%), and telecommunications (2%).
5
Statutory Context
Organizations subject to PIPA (Alberta) are required to notify the OIPC Alberta when a privacy/security breach (“loss of or unauthorized access to or disclosure of the personal information”) results in a “real risk of significant harm” (PIPA (Alberta), s.31.1).
Where there is a real risk of significant harm, the Commissioner may require organizations to notify affected individuals of the incident in a manner set out in the Regulations (PIPA (Alberta) Regulation, s.19.1).
6
Background
The workshop objectives were to:
Explore the precise meaning of PIPA Alberta’s privacy/security incident notification trigger;
Discuss the practical impact of the reporting/notification requirement; and
Offer participants the opportunity to provide meaningful feedback to privacy regulatory authorities.
7
Workshop Format
33 hypothetical security incidents were posed to participants
The participants were provided with a brief description of the incident, a list of the personal information involved and the number of affected individuals
Participants answered two questions in respect of each scenario via audience response technology, registering their opinion immediately and anonymously and seeing instantaneous feedback
The scenarios often built on one another, with small factual changes only, providing an opportunity to assess the significance of these changes and allowing for nuanced results
8
Workshop Scenarios
The hypothetical security incident scenarios were developed from several sources:
Fact scenarios from selected security breach notification orders published by the OIPC Alberta
Scenarios submitted in advance by workshop participants
Heenan Blaikie/AccessPrivacy client experience
9
Workshop Questions
Participants were asked the following two questions in respect of each scenario:
1. Is there a “real risk of significant harm”?
2. Would your organization notify affected individuals regardless of privacy regulatory requirements?
10
Sample Hypothetical: Scenario A1
Description of incident:
John Smith brings his laptop to a computer repair store where it is accidentally switched with the laptop of John Wilson. Wilson returns Smith’s laptop within a few days and explains the error.
Personal information:
According to Smith, it has “a great deal of personal information, including tax, business and personal accounting information.”
Number of affected individuals: 1
11
Scenario A1: Responses
Is there a real risk of significant harm?
1. Yes: 62%
2. No: 30%
3. Don’t know: 8%
12
The next 3 slides show responses to the following variations in the scenario posed in A1:
1. Same facts as A1, but this time Wilson gives a verbal assurance that no laptop data was copied, retained or distributed
2. Same facts as above but Wilson’s assurance is written
3. Same facts as A1, but this time Wilson takes one month to return the laptop
13
Scenario A3
Variation: Verbal assurance given
Is there a real risk of significant harm?
1. Yes: 52%
2. No: 44%
3. Don’t know: 4%
14
Scenario A2
Variation: Written assurance given
Is there a real risk of significant harm?
1. Yes: 62%
2. No: 29%
3. Don’t know: 9%
15
Scenario A5
Variation: With one month lag
Is there a real risk of significant harm?
1. Yes: 79%
2. No: 15%
3. Don’t know: 6%
16
Sample Hypothetical: Scenario D1
Description of incident:
A men’s clothing retailer operates a customer loyalty program. It outsources email communications for the loyalty program to a service provider, who emails the members with offers and rewards on behalf of the organization. The service provider’s new update software accidentally sends out an email to the loyalty members without blind carbon copying the recipients. All recipients can view the email addresses of all other recipients. (Please note factual variation in Scenario D2 on slide 18.)
Personal information:
Name and email address
Number of affected individuals: Approx. 10,000
17
Scenario D1
Is there a real risk of significant harm?
1. Yes / 2. No: 43% and 52% (the extracted chart does not show which of these two values belongs to Yes and which to No)
3. Don’t know: 5%
18
Scenario D2
Variation: same as D1, but a soft-porn magazine rather than a men’s clothing retailer
Is there a real risk of significant harm?
1. Yes: 97%
2. No: 3%
3. Don’t know: 0%
19
Workshop Findings
Results and Findings
Workshop results and findings are set out in the following two parts of this report:
1. Overview of Workshop Results and Discussion (slides 4 to 34)
- Summary of certain workshop responses
- Observations about results
- Highlights of workshop discussion
- Participant feedback about the workshop
2. Raw Workshop Data - Appendix A (slides 35 to 141)
- Participant demographics
- Responses to preliminary questions about organizational culture, incident response plans, and incident tracking
- Responses to the 33 hypothetical incident scenarios
21
Readiness
State of the industry:
78% of participants described their organization as having an open and honest culture of reporting privacy breaches
80% of participants indicated that their organization had a data breach response plan, yet only 51% were confident that their organization's privacy breach response plan would be sufficient to respond to a public, large scale security incident
57% of participants indicated that their organization had an incident tracking program in place that facilitates tracking and reporting of privacy breaches
22
General Observations
Attendees collectively had a very high level of experience in dealing with security incidents, yet the discussion during the workshops reflected a high level of variability in understanding and/or application of the key elements of the "real risk of significant harm" trigger.
There were differences particularly with respect to the understanding and application of the concepts of "harm" and "risk".
Scenarios highlighted the highly fact-specific nature of the notification trigger analysis. In many instances, the change of a single fact altered the determination of whether there was a "real risk of significant harm" in the circumstances.
23
Notification Practices:
Respondents who felt a scenario presented a “real risk of significant harm” consistently indicated that they would notify affected individuals in such circumstances, even if not required to do so by a regulator
In many cases, up to 30 % of organizations that did not perceive a “real risk of significant harm” in a given incident still indicated that they would notify affected individuals for other business reasons
24
Participant responses and discussions consistently reflected that the following factors influence determinations of whether there is a real risk of significant harm:
Number of affected individuals
The greater the number of affected individuals, the greater the likelihood of a “real risk of significant harm” determination
Time lag from incident to discovery or from loss of data to recovery
The longer the time lag, the greater the likelihood of a “real risk of significant harm” determination
25
Summary of factors that impact determinations of a “real risk of significant harm” (cont’d)
Whether the organization received confirmation that no disclosure, misuse or duplication of the data occurred
Written confirmation decreased likelihood of a real risk of significant harm determination
Personal circumstances of affected individuals may be relevant, and a case-by-case analysis is required
(Examples – harm experienced by affected individual related to an accidental disclosure to a spouse in the middle of a divorce or if affected individual has suffered identity theft in the past)
Potential “street value” of the data
The more likely that data in question could be used to commit identity theft (and sold for such purposes), the more likely a “real risk of significant harm” determination
26
11 hypothetical scenarios used facts from actual OIPC Alberta published findings
Participants often agreed with the OIPC’s determination of whether there was a real risk of significant harm
However, there were three areas of marked disagreement
27
Areas of Disagreement in the Determination of the Real Risk of Significant Harm
Disagreement between company representatives and OIPC Alberta with respect to:
1. Whether accidental disclosures to a limited number of individuals constituted a “real risk of significant harm” (e.g., Misdirected fax, co-mingled statement, wrong address)
2. “Street value” of certain data elements (i.e., Can such data really be used to commit identity theft?)
3. Relevance of post-breach mitigation steps in “real risk of significant harm” determination
28
Contrary to the OIPC Alberta, at least 50% of respondents found no real risk of significant harm where there was an accidental disclosure of personal information to a limited number of individuals, and in particular where the recipients were identified or known to the organization
(e.g., Recipient of accidental / misdirected data is another customer, an employee or co-worker)
See, for example, Scenario K, slides 110-112 in Appendix A
29
Participants often disagreed about whether certain data elements had “street value” or could be used to commit identity theft
Examples – Certain participants indicated that there was limited or no “street value” to (i) a list of bank account numbers with no other data; (ii) an endorsed or unendorsed personal cheque (with no other data); and (iii) a list of signatures (with no other data)
Discussion on this point focused on participants’ uncertainty about the current technical abilities of hackers/organized crime
30
Participants disagreed with the OIPC Alberta about the relevance of post-breach mitigation steps in the “real risk of significant harm” determination:
The OIPC Alberta has consistently indicated in its orders that an organization’s post breach mitigation steps are not relevant to their findings of whether there is a real risk of significant harm
The majority of participants consistently indicated that an organization’s post breach mitigation steps factor into their consideration when assessing whether there is a real risk of significant harm
(i.e., in certain instances, the prompt implementation of post-mitigation steps would practically result in there being no real risk of significant harm to affected individuals)
31
The OIPC Alberta practice of naming organizations in the publication of real risk of significant harm findings generated substantial discussion among participants
Background
The Commissioner has statutory discretion to “publish any finding or decision in a complete or an abridged form” (PIPA AB, s.38(6)).
In practice, where the Commissioner requires that an organization notify individuals to whom there is a real risk of significant harm, the Commissioner’s decision will be published on the OIPC’s website and the organization named. http://www.oipc.ab.ca/pages/OIP/BreachNotificationDecisions.aspx
In the event the Commissioner decides that notification of individuals is not required, an anonymized, abridged version of the decision may be published.
32
Issues raised by participants about the OIPC Alberta’s naming practice include:
Practice of naming organization is perceived as unnecessarily punitive, as organizations who are complying with statutory obligations typically have already notified affected individuals and often have implemented post-mitigating steps to contain the incident and prevent harm
In vast majority of incidents, it is unclear as to what additional public policy purpose is achieved by naming the organization
May create disincentive to report, particularly in cases where it is reasonably unclear as to whether there is a real risk of significant harm
33
Feedback
Consensus among participants that the discussion forum, in particular, the involvement of privacy regulatory authorities, greatly enhanced the value of the exercise
Post-session feedback reflected strong support for further sessions, with a continued focus on (i) clarifying the legal and practical meaning of notification triggers and (ii) using generic forms of actual security incidents. This is particularly the case given the pending amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) that include a security breach notification requirement that is not identical to the notification trigger under PIPA (Alberta).
34
Consolidated Results of AccessPrivacy’s CPO Forum
Workshops held in conjunction with the Alberta Office of the Information and Privacy Commissioner
September 27, 2011 – Toronto
October 12, 2011 – Vancouver
Appendix A – Table of Contents
About the Data – Slide 38
Demographics – Slide 39
Preliminary Questions – Slides 40-43
Scenarios
A series – Laptop incidents – Slides 44-58
B series – Payroll System Access – Slides 59-64
C series – Marketing email to customer list – Slides 65-70
D series – Customer Loyalty Program Email – Slides 71-82
E series – Lost audiometric tests – Slides 83-88
F series – Therapist’s stolen laptop – Slides 89-94
G – Sensitive email chain mistakenly forwarded – Slides 95-97
H – Husband given wife’s banking information – Slides 98-99
I series – Hotel discloses stay to spouse – Slides 100-104
36
Table of Contents (cont’d)
Scenarios (cont’d)
J – Bank robbery – Slides 105-109
K – Misdirected mail – Slides 110-112
L – Misdirected fax – Slides 113-115
M – Credit card numbers stolen from retailer – Slides 116-118
N – Comingled statement – Slides 119-121
O – Stolen laptop – Slides 122-124
P series – Bank bag stolen from courier – Slides 125-130
Q – Collections disclosure to father – Slides 131-133
R – Stolen customer list/solicitation – Slides 134-136
T – Forgotten credit reports – Slides 138-140
37
About the Data
There were 68 voting participants in total between the two workshops
Participants who attended both workshops did not vote a second time at the second workshop
Participants were given 10 seconds to respond and the voting closed regardless of whether every participant had voted in respect of that particular scenario
38
Demographics
Appendix A - Raw Workshop Data
Identify your sector
1. Financial Services: 38%
2. Industry Association: 4%
3. Regulator: 11%
4. Retail: 7%
5. Service Provider: 18%
6. Telecommunications: 2%
7. Healthcare: 10%
8. Other: 10%
39
Preliminary Questions
Would you describe your organization as having an open and honest culture of reporting incidents of data loss?
1. Yes: 78%
2. No: 12%
3. Don’t know: 10%
40
Preliminary Questions
Does your organization have a data breach response plan?
1. Yes: 80%
2. No: 12%
3. Don’t know: 8%
41
Preliminary Questions
Are you confident that your organization’s data breach response plan is sufficient to respond to a public, large scale security incident?
1. Yes: 51%
2. No: 24%
3. Don’t know: 25%
42
Preliminary Questions
Does your organization have an incident tracking program in place that facilitates tracking and reporting of data breaches?
1. Yes: 57%
2. No: 34%
3. Don’t know: 9%
43
Scenario A1
Description of incident:
John Smith brings his laptop to a computer repair store where it is accidentally switched with the laptop of John Wilson. Wilson returns Smith’s laptop within a few days and explains the error.
Personal information:
According to Smith, it has “a great deal of PI, including tax, business and personal accounting information.”
Number of affected individuals: 1
44
Scenario A1
Is there a real risk of significant harm?
1. Yes: 62%
2. No: 30%
3. Don’t know: 8%
45
Scenario A1
Would your organization notify affected individuals regardless of privacy regulatory requirements?
1. No: 16%
2. Yes: 84%
46
Scenario A2
Description of incident:
John Smith brings his laptop to a computer repair store where it is accidentally switched with the laptop of John Wilson. Wilson returns Smith’s laptop within a few days and explains the error. Wilson confirms in writing that he did not copy, retain or distribute any information from Smith’s laptop.
Personal information:
According to Smith, it has “a great deal of PI, including tax, business and personal accounting information.”
Number of affected individuals: 1
47
Scenario A2
Is there a real risk of significant harm?
1. Yes: 62%
2. No: 29%
3. Don’t know: 9%
48
Scenario A2
Would your organization notify affected individuals regardless of privacy regulatory requirements?
1. No: 19%
2. Yes: 81%
49
Scenario A3
Description of incident:
John Smith brings his laptop to a computer repair store where it is accidentally switched with the laptop of John Wilson. Wilson returns Smith’s laptop within a few days and explains the error. Wilson confirms verbally that he did not copy, retain or distribute any information from Smith’s laptop.
Personal information:
According to Smith, it has “a great deal of PI, including tax, business and personal accounting information.”
Number of affected individuals: 1
50
Scenario A3
Is there a real risk of significant harm?
1. Yes: 52%
2. No: 44%
3. Don’t know: 4%
51
Scenario A3
Would your organization notify affected individuals regardless of privacy regulatory requirements?
1. No: 15%
2. Yes: 85%
52
Scenario A4
Description of incident:
John Smith brings his laptop to a computer repair store where it is accidentally switched with the laptop of John Wilson. Wilson returns Smith’s laptop within a few days and explains the error. Wilson confirms in writing that he did not copy, retain or distribute any information from Smith’s laptop. Wilson is well known to the organization and trusted.
Personal information:
According to Smith, it has “a great deal of PI, including tax, business and personal accounting information.”
Number of affected individuals: 1
53
Scenario A4
Is there a real risk of significant harm?
1. Yes: 70%
2. No: 27%
3. Don’t know: 3%
54
Scenario A4
Would your organization notify affected individuals regardless of privacy regulatory requirements?
1. No: 23%
2. Yes: 77%
55
Scenario A5
Description of incident:
John Smith brings his laptop to a computer repair store where it is accidentally switched with the laptop of John Wilson. Wilson returns Smith’s laptop one month later, before Smith has returned for his laptop, and explains the error. Wilson confirms in writing that he did not copy, retain or distribute any information from Smith’s laptop.
Personal information:
According to Smith, it has “a great deal of PI, including tax, business and personal accounting information.”
Number of affected individuals: 1
56
Scenario A5
Is there a real risk of significant harm?
1. Yes: 79%
2. No: 15%
3. Don’t know: 6%
57
Scenario A5
Would your organization notify affected individuals regardless of privacy regulatory requirements?
1. No: 8%
2. Yes: 92%
58
Scenario B1
Description of incident:
An employer is informed by an employee that payroll information of former and current employees is accessible to all current employees on the company’s computer system. The electronic folder had an employee name and was buried in a set of subfolders, accessible for a period of 15 months. There is no evidence of misuse of the data, but the computer system has no audit capability with respect to access.
Personal information:
Name, SIN, bimonthly salary
Number of affected individuals: 250
59
Scenario B1
Is there a real risk of significant harm?
1. Yes: 82%
2. No: 15%
3. Don’t know: 3%
60
Scenario B1
Would your organization notify affected individuals regardless of privacy regulatory requirements?
1. No: 22%
2. Yes: 78%
61
Scenario B2
Description of incident:
An employer is informed by an employee that payroll information of former and current employees is accessible to all current employees. The folder had an employee name and was buried in a set of subfolders, accessible for a period of 15 months. There is no evidence of misuse, but the computer system has no audit capability with respect to access. This is the second time this employer has reported a breach involving sensitive employee PI being accessible on the company system.
Personal information:
Name, SIN, bimonthly salary
Number of affected individuals: 250
62
Scenario B2
Is there a real risk of significant harm?
1. Yes: 95%
2. No: 5%
3. Don’t know: 0%
63
Scenario B2
Would your organization notify affected individuals regardless of privacy regulatory requirements?
1. No: 8%
2. Yes: 92%
64
Scenario C1
Description of incident:
A retail organization sends an email to its customer contact list, including those who were on the “do not contact” list. The organization forgets to blind carbon copy the recipients, therefore all recipients are able to view the email addresses of all other recipients.
Personal information:
Name, personal and business email addresses
Number of affected individuals: 300
65
Scenario C1
Is there a real risk of significant harm?
1. Yes: 69%
2. No: 28%
3. Don’t know: 3%
66
Scenario C1
Would your organization notify affected individuals regardless of privacy regulatory requirements?
1. No: 45%
2. Yes: 55%
67
Scenario C2
Description of incident:
A retail organization sends an email to its customer contact list, including those who were on the “do not contact” list. The organization forgets to blind carbon copy the recipients, therefore all recipients are able to view the email addresses of all other recipients.
Personal information:
Name, personal and business email addresses
Number of affected individuals: 2 million
68
Scenario C2
Is there a real risk of significant harm?
1. Yes: 54%
2. No: 45%
3. Don’t know: 1%
69
Scenario C2
Would your organization notify affected individuals regardless of privacy regulatory requirements?
1. No: 24%
2. Yes: 76%
70
Scenario D1
Description of incident:
A men’s clothing retailer operates a customer loyalty program. It outsources email communications for the loyalty program to a service provider, who emails the members with offers and rewards on behalf of the organization. The service provider’s new update software accidentally sends out an email to the loyalty members without blind carbon copying the recipients. All recipients can view the email addresses of all other recipients.
Personal information:
Name and email address
Number of affected individuals: Approx. 10,000
71
Scenario D1
Is there a real risk of significant harm?
1. Yes / 2. No: 52% and 43% (the extracted chart does not show which of these two values belongs to Yes and which to No)
3. Don’t know: 5%
72
Scenario D1
Would your organization notify affected individuals regardless of privacy regulatory requirements?
1. No: 33.5%
2. Yes: 66.5%
73
Scenario D2
Description of incident:
A soft-porn magazine operates a customer loyalty program. It outsources email communications for the loyalty program to a service provider, who emails the members with offers and rewards on behalf of the organization. The service provider’s new update software accidentally sends out an email to the loyalty members without blind carbon copying the recipients. All recipients can view the email addresses of all other recipients.
Personal information:
Name and email address, and reward club name
Number of affected individuals: Approx. 10,000
74
Scenario D2
Is there a real risk of significant harm?
1. Yes: 97%
2. No: 3%
3. Don’t know: 0%
75
Scenario D2
Would your organization notify affected individuals regardless of privacy regulatory requirements?
1. No: 10%
2. Yes: 90%
76
Scenario D3
Description of incident:
A men’s clothing retailer operates a customer loyalty program. It outsources email communications for the loyalty program to a service provider, who emails its members with offers and rewards on behalf of the organization. The service provider discovers its system has been hacked and PI of account holders has been downloaded to an FTP site in a well-known black market/identity theft economy.
Personal information:
Name and email address, and reward club name
Number of affected individuals: 45
77
Scenario D3
Is there a real risk of significant harm?
1. Yes: 88.5%
2. No: 6.5%
3. Don’t know: 5.0%
78
Scenario D3
Would your organization notify affected individuals regardless of privacy regulatory requirements?
1. No: 4%
2. Yes: 96%
79
Scenario D4
Description of incident:
A men’s clothing retailer operates a customer loyalty program. It outsources email communications for the loyalty program to a service provider, who emails its members with offers and rewards on behalf of the organization. The service provider discovers its system has been hacked and PI of account holders has been downloaded to an FTP site in a well-known black market/identity theft economy.
Personal information:
Name and email address, and reward club name
Number of affected individuals: Approx. 2 million
80
Scenario D4
Is there a real risk of significant harm?
1. Yes: 98.5%
2. No: 1.5%
3. Don’t know: 0%
81
Scenario D4
Would your organization notify affected individuals regardless of privacy regulatory requirements?
1. No: 6.5%
2. Yes: 93.5%
82
Scenario E1
Description of incident:
A construction company retains a third party service provider to conduct audiometric tests on employees. The service provider misplaces the envelope containing the test forms on a public transportation vehicle. Despite attempts to retrieve the envelope, the test results are not recovered.
Personal information:
Company name, employee occupation, work location and unique employee number (but no name), date employed, home address, age, telephone number, medical history (as it relates to audiometric testing – e.g., whether employee has cold/flu, head injury, hearing problems, past exposure to environmental noise, etc.), and the test results
Number of affected individuals: 180
83
Scenario E1
Is there a real risk of significant harm?
1. Yes: 75%
2. No: 18%
3. Don’t know: 7%
84
Scenario E1
Would your organization notify affected individuals regardless of privacy regulatory requirements?
1. No: 7%
2. Yes: 93%
85
Scenario E2
Description of incident:
A construction company retains a third party service provider to conduct audiometric tests on employees. The service provider misplaces the envelope containing the test forms on a public transportation vehicle. Despite attempts to retrieve the envelope, the test results are not recovered.
Personal information:
Company name, employee occupation, work location and unique employee number (but no name), date employed, home address, age, telephone number, medical history (as it relates to audiometric testing – e.g., whether employee has cold/flu, head injury, hearing problems, past exposure to environmental noise, etc.), the test results, and date of birth.
Number of affected individuals: 180
86
Scenario E2
Is there a real risk of significant harm?
1. Yes: 96%
2. No: 4%
3. Don’t know: 0%
87
Scenario E2
Would your organization notify affected individuals regardless of privacy regulatory requirements?
1. No: 4%
2. Yes: 96%
88
Scenario F1
Description of incident:
A therapist working with young special needs children has her home broken into and her laptop is stolen. The laptop, containing PI of patients and their parents, was not password protected and not encrypted.
Personal information:
Names of children and parents, child’s date of birth, home address, contact numbers, school name and therapy session notes.
Number of affected individuals: 50
89
Scenario F1
Is there a real risk of significant harm?
1. Yes: 98%
2. No: 2%
3. Don’t know: 0%
90
Scenario F1
Would your organization notify affected individuals regardless of privacy regulatory requirements?
1. No: 2%
2. Yes: 98%
91
Scenario F2
Description of incident:
A speech therapist working with adults has her home broken into and her laptop is stolen. The laptop, containing PI of patients, was not password protected and not encrypted.
Personal information:
Name of patients, date of birth, home address, contact numbers, and therapy session notes
Number of affected individuals: 50
Is there a real risk of significant harm?
Options: 1. Yes; 2. No; 3. Don't know
Chart values (as extracted from the slide; not mapped to options): 94%, 4.5%, 1.5%
Would your organization notify affected individuals regardless of privacy regulatory requirements?
Options: 1. No; 2. Yes
Chart values (as extracted from the slide; not mapped to options): 94.5%, 5.5%
Scenario G
Description of incident:
A manager emailed a work schedule, copying six employees.
The manager did not realize the email contained an email string discussing the possible termination of one of the six employees. One of the employees notified the manager of the error the next day. The employees were instructed via email to delete the email if they had not read it yet or, if they had already read it, to disregard its contents.
Personal information:
Name and termination details of one individual
Number of affected individuals: 1
Is there a real risk of significant harm?
Options: 1. Yes; 2. No; 3. Don't know
Chart values (as extracted from the slide; not mapped to options): 82.5%, 14%, 3.5%
Would your organization notify affected individuals regardless of privacy regulatory requirements?
Options: 1. No; 2. Yes
Chart values (as extracted from the slide; not mapped to options): 83%, 17%
Scenario H
Description of incident:
A customer's husband opened her T5 at her home, then called her FI and was provided with additional information about her accounts. The customer complained. The organization checked its records and determined that the husband had called twice: the first time he was denied information because he was not the account holder; the second time he pretended to be the account holder (his wife) and provided correct answers to the identity verification questions.
Personal information:
Name, address, SIN and account details
Number of affected individuals: 1
Is there a real risk of significant harm?
Options: 1. Yes; 2. No; 3. Don't know
Chart values (as extracted from the slide; not mapped to options): 71%, 27%, 2%
Scenario I1
Description of incident:
A hotel manager overhears one of his front desk staff on the phone confirming that an individual had stayed two days and booked two rooms. The manager asks about the call and is told by the employee that the individual's wife had called, wishing to confirm details of her husband's recent travel.
Personal information:
Name, date and length of stay, number of rooms booked
Number of affected individuals: 1
Is there a real risk of significant harm?
Options: 1. Yes; 2. No; 3. Don't know
Chart values (as extracted from the slide; not mapped to options): 70.5%, 25%, 4.5%
Would your organization notify affected individuals regardless of privacy regulatory requirements?
Options: 1. No; 2. Yes
Chart values (as extracted from the slide; not mapped to options): 66%, 34%
Scenario I2
Description of incident:
An individual contacted a hotel, identifying herself as the wife of a guest who had previously stayed at the hotel. Upon request, the hotel employee advised that the husband had stayed two days and booked two rooms. One week later, the hotel guest called and complained about the disclosure of his personal information. The hotel's internal investigation confirmed the guest's allegation.
Personal information:
Name, date and length of stay, number of rooms booked
Number of affected individuals: 1
Is there a real risk of significant harm?
Options: 1. Yes; 2. No; 3. Don't know
Chart values (as extracted from the slide; not mapped to options): 61%, 33.5%, 5.5%
Scenario J1
Description of incident:
A bank branch is robbed of cash and an envelope containing customer PI. The incident was reported to the police.
Personal information:
Customer names, signatures, details of a single transaction and bank account numbers.
Number of affected individuals: 50
Is there a real risk of significant harm?
Options: 1. Yes; 2. No; 3. Don't know
Chart values (as extracted from the slide; not mapped to options): 97%, 3%, 0%
Would your organization notify affected individuals regardless of privacy regulatory requirements?
Options: 1. No; 2. Yes
Chart values (as extracted from the slide; not mapped to options): 96.5%, 3.5%
Scenario J2
Description of incident:
A bank branch is robbed of cash and an envelope containing customer PI. The incident was reported to the police. All of the affected customers were notified, and the organization offered to change their account numbers, replace their cheques and monitor their accounts.
Personal information:
Customer names, signatures, details of a single transaction and bank account numbers
Number of affected individuals: 50
Is there a real risk of significant harm?
Options: 1. Yes; 2. No; 3. Don't know
Chart values (as extracted from the slide; not mapped to options): 56.5%, 41.5%, 2%
Scenario K
Description of incident:
A financial institution accidentally mailed the T4A statements of two retirees to two other retirees. Within days, the two affected retirees were notified and offered monitoring services. The recipients had opened the files, although not addressed to them, and called the FI to advise of the error. The two recipients of the T4A statements were asked to return the information without making copies.
Personal information:
Pension and retirement income information, amount deducted, SIN, name and address
Number of affected individuals: 2
Is there a real risk of significant harm?
Options: 1. Yes; 2. No; 3. Don't know
Chart values (as extracted from the slide; not mapped to options): 49.5%, 47.5%, 3%
Would your organization notify affected individuals regardless of privacy regulatory requirements?
Options: 1. No; 2. Yes
Chart values (as extracted from the slide; not mapped to options): 88%, 12%
Scenario L
Description of incident:
A financial institution accidentally faxed RRSP transfer documents to the customer's fax machine at work at 10:23 a.m. rather than to another financial institution. The customer's co-worker advised the customer that the document was there, and the customer recovered it within the same work day. Co-workers had access to the machine.
The customer advised the financial institution and accepted its offer of credit monitoring and its apology. She indicated that she was not upset and appreciated the FI's response.
Personal information:
Name, address, SIN, RRSP account number, and client number with a different FI.
Number of affected individuals: 1
Is there a real risk of significant harm?
Options: 1. Yes; 2. No; 3. Don't know
Chart values (as extracted from the slide; not mapped to options): 52.5%, 46%, 1.5%
Would your organization notify affected individuals regardless of privacy regulatory requirements?
Options: 1. No; 2. Yes
Chart values (as extracted from the slide; not mapped to options): 66.5%, 33.5%
Scenario M
Description of incident:
A retailer discovers that a list of credit card numbers has just been stolen. It immediately ensures that the relevant financial institutions and service providers are notified. The FIs promptly discontinue the credit card numbers and advise the cardholders of what has happened and that their cards will be replaced.
Personal information:
Credit card numbers (no other data)
Number of affected individuals: 5,000
Is there a real risk of significant harm?
Options: 1. Yes; 2. No; 3. Don't know
Chart values (as extracted from the slide; not mapped to options): 77%, 19.5%, 3.5%
Would your organization notify affected individuals regardless of privacy regulatory requirements?
Options: 1. No; 2. Yes
Chart values (as extracted from the slide; not mapped to options): 50.5%, 49.5%
Scenario N
Description of incident:
A financial institution mails the first page of a client's monthly credit card statement together with a second page belonging to another client.
Personal information:
Name (but no contact information), credit card account number, monthly transactions on the account, and total credits and debits for the billing period.
Number of affected individuals: 1
Is there a real risk of significant harm?
Options: 1. Yes; 2. No; 3. Don't know
Chart values (as extracted from the slide; not mapped to options): 46%, 52%, 2%
Would your organization notify affected individuals regardless of privacy regulatory requirements?
Options: 1. No; 2. Yes
Chart values (as extracted from the slide; not mapped to options): 78%, 22%
Scenario O
Description of incident:
A laptop belonging to an employee of a healthcare organization is stolen. It contained PI. The laptop was password protected but not encrypted; the files on the laptop were not password protected.
Personal information:
Name, contact information, date of birth and health information.
Number of affected individuals: 42
Is there a real risk of significant harm?
Options: 1. Yes; 2. No; 3. Don't know
Chart values (as extracted from the slide; not mapped to options): 93.5%, 3%, 3.5%
Would your organization notify affected individuals regardless of privacy regulatory requirements?
Options: 1. No; 2. Yes
Chart values (as extracted from the slide; not mapped to options): 98.5%, 1.5%
Scenario P1
Description of incident:
A bank bag of mortgage documents in transit to the processing centre is stolen from the courier. The bag is located by the police 5 days later, and all the information appears to be intact and undisturbed.
Personal information:
Mortgage number, client name, property details, DOB, assets/liabilities.
Number of affected individuals: 185
Is there a real risk of significant harm?
Options: 1. Yes; 2. No; 3. Don't know
Chart values (as extracted from the slide; not mapped to options): 66%, 26.5%, 7.5%
Would your organization notify affected individuals regardless of privacy regulatory requirements?
Options: 1. No; 2. Yes
Chart values (as extracted from the slide; not mapped to options): 69.5%, 30.5%
Scenario P2
Description of incident:
A bank bag of mortgage documents in transit to the processing centre is stolen from the courier and never recovered.
Personal information:
Personal cheques and cash.
Number of affected individuals: 185
Is there a real risk of significant harm?
Options: 1. Yes; 2. No; 3. Don't know
Chart values (as extracted from the slide; not mapped to options): 75.5%, 24.5%, 0%
Would your organization notify affected individuals regardless of privacy regulatory requirements?
Options: 1. No; 2. Yes
Chart values (as extracted from the slide; not mapped to options): 90.5%, 9.5%
Scenario Q
Description of incident:
During a collections call for an outstanding debt, the balance owing and the fact that payments were late are disclosed to the customer's father.
Personal information:
Name, creditor, type of debt, balance owing, payment history.
Number of affected individuals: 1
Is there a real risk of significant harm?
Options: 1. Yes; 2. No; 3. Don't know
Chart values (as extracted from the slide; not mapped to options): 46.5%, 48.5%, 5%
Would your organization notify affected individuals regardless of privacy regulatory requirements?
Options: 1. No; 2. Yes
Chart values (as extracted from the slide; not mapped to options): 85.5%, 14.5%
Scenario R
Description of incident:
An organization learns that a former employee has stolen a customer list and is using it to solicit customers for a new organization.
Personal information:
Customer names, email addresses and mailing addresses
Number of affected individuals: 350
Is there a real risk of significant harm?
Options: 1. Yes; 2. No; 3. Don't know
Chart values (as extracted from the slide; not mapped to options): 69%, 29.5%, 1.5%
Would your organization notify affected individuals regardless of privacy regulatory requirements?
Options: 1. No; 2. Yes
Chart values (as extracted from the slide; not mapped to options): 72%, 28%
Scenario S
If you are required to report in Alberta and are also subject to other privacy regulatory authorities, do you report to them voluntarily?
Options: 1. Yes; 2. No; 3. Not applicable
Chart values (as extracted from the slide; not mapped to options): 71%, 25%, 4%
Scenario T
Description of incident:
A collection agent accidentally leaves a folder containing personal audit reports on the court clerk's counter at the courthouse. The court clerk finds it 1 hour later; it looks undisturbed. The court clerk advises the credit reporting agency, which advises you at the collection agency.
Personal information:
Personal financial information, credit bureau reports
Number of affected individuals: 12
Is there a real risk of significant harm?
Options: 1. Yes; 2. No; 3. Don't know
Chart values (as extracted from the slide; not mapped to options): 61.5%, 32.5%, 6%
Would your organization notify affected individuals regardless of privacy regulatory requirements?
Options: 1. No; 2. Yes
Chart values (as extracted from the slide; not mapped to options): 62%, 38%
Scenario U
Do you believe that post-breach mitigation steps should impact the assessment of whether there is a RROSH (real risk of significant harm)?
Options: 1. No; 2. Yes
Chart values (as extracted from the slide; not mapped to options): 83%, 17%