AccessPrivacyHB is a division of HB Global Advisors Corp., a Heenan Blaikie company.
Exploring the Meaning of “Real Risk of Significant Harm” - 2011 Report on the AccessPrivacy Breach Notification Workshops
Results of the AccessPrivacy CPO Forum Workshops held on September 27, 2011 and October 12, 2011, Exploring the Meaning of the “Real Risk of Significant Harm” breach notification threshold under the Personal Information Protection Act (Alberta)
Adam Kardash, Partner, Privacy and Information Management, Heenan Blaikie LLP, and Managing Director & Head, AccessPrivacy
Pamela Snively, Managing Director, AccessPrivacy
accessprivacy.com November 15, 2011
2
Report Contents
About AccessPrivacy
Overview of the Workshops
Sample Workshop Hypothetical Scenario
Workshop Results and Findings
Appendix A – Raw Workshop Data: Aggregated Participant Responses to Hypothetical Scenarios
3
About AccessPrivacy
AccessPrivacy is an integrated information governance service, complementary to the Heenan Blaikie LLP national Privacy & Information Management and Access to Information Law practices.
We provide privacy and information management consulting and information services to organizations in the private and broader public sectors.
Our information management services also include our CPO Forum, a thought leadership program designed to maximize bench-marking and information sharing among Chief Privacy Officers, senior compliance professionals and in-house counsel.
4
Overview of The Workshops
Workshop Sponsors
Two Breach Notification Workshops were conducted by AccessPrivacy, and moderated by Adam Kardash and Pamela Snively. They were held on:
September 27th, 2011, in Toronto; and
October 12th, 2011, in Vancouver.
The workshops were co-sponsored by the Office of the Information and Privacy Commissioner of Alberta (OIPC Alberta).
5
Overview of The Workshops
Workshop Attendees
Attendees included:
Representatives from the OIPC Alberta, the Office of the Privacy Commissioner of Canada, and the Office of the Information and Privacy Commissioner (BC)
60+ chief privacy officers, senior compliance professionals, senior in-house attorneys, and industry association representatives
Sector representatives included financial services (38%), service providers (18%), retail (7%), healthcare (10%), industry associations (4%), and telecommunications (2%).
6
Overview of The Workshops
Statutory Context
Organizations subject to PIPA (Alberta) are required to notify the OIPC Alberta when a privacy/security breach (“loss of or unauthorized access to or disclosure of the personal information”) results in a “real risk of significant harm”. (PIPA (Alberta), s.31.1)
Where there is a real risk of significant harm, the Commissioner may require organizations to notify affected individuals of the incident in a manner set out in the Regulations (PIPA (Alberta) Regulation, s.19.1).
7
Background
Workshop Objectives
The workshop objectives were to:
Explore the precise meaning of PIPA Alberta’s privacy/security incident notification trigger;
Discuss the practical impact of the reporting/notification requirement; and
Offer participants the opportunity to provide meaningful feedback to privacy regulatory authorities.
8
Overview of The Workshops
Workshop Format
33 hypothetical security incidents were posed to participants.
The participants were provided with a brief description of the incident, a list of the personal information involved and the number of affected individuals.
Participants answered 2 questions in respect of each scenario via audience response technology, immediately registering their opinion in an anonymous fashion, and seeing instantaneous feedback.
The scenarios often built on one another, with small factual changes only, providing an opportunity to assess the significance of these changes and allowing for nuanced results.
9
Overview of The Workshops
Workshop Scenarios
The hypothetical security incident scenarios were developed from several sources:
Fact scenarios from selected security breach notification orders published by the OIPC Alberta
Scenarios submitted in advance by workshop participants
Heenan Blaikie/AccessPrivacy client experience
10
Overview of The Workshops
Workshop Questions
Participants were asked the following two questions in respect of each scenario:
1. Is there a “real risk of significant harm?”
2. Would your organization notify affected individuals regardless of privacy regulatory requirements?
11
Sample Hypothetical: Scenario A1
Description of incident:
John Smith brings his laptop to a computer repair store where it is accidentally switched with the laptop of John Wilson. Wilson returns Smith’s laptop within a few days and explains the error.
Personal information: According to Smith, it has “a great deal of personal information, including tax, business and personal accounting information.”
Number of affected individuals: 1
12
Scenario A1: Responses
Is there a real risk of significant harm?
[Chart: 62% / 8% / 30%; options: 1. Yes, 2. No, 3. Don’t know]
13
Example: Variations on Scenario A1
The next 3 slides show responses to the following variations in the scenario posed in A1
1. Same facts as A1, but this time Wilson gives a verbal assurance that no laptop data was copied, retained or distributed
2. Same facts as above but Wilson’s assurance is written
3. Same facts as A1, but this time Wilson takes one month to return the laptop
14
Scenario A3 Variation: Verbal assurance given
Is there a real risk of significant harm?
[Chart: 52% / 4% / 44%; options: 1. Yes, 2. No, 3. Don’t know]
15
Scenario A2 Variation: Written assurance given
Is there a real risk of significant harm?
[Chart: 29% / 9% / 62%; options: 1. Yes, 2. No, 3. Don’t know]
16
Scenario A5 Variation: With one month lag
Is there a real risk of significant harm?
[Chart: 79% / 6% / 15%; options: 1. Yes, 2. No, 3. Don’t know]
17
Sample Hypothetical: Scenario D1
Description of incident:A men’s clothing retailer operates a customer loyalty program. It outsources email communications for the loyalty program to a service provider, who emails the members with offers and rewards on behalf of the organization. The service provider’s new update software accidentally sends out an email to the loyalty members without blind carbon copying the recipients. All recipients can view the email addresses of all other recipients. (Please note factual variation in Scenario D2 on slide 18.)
Personal information: Name and email address
Number of affected individuals: Approx. 10,000
18
Scenario D1
Is there a real risk of significant harm?
[Chart: 43% / 5% / 52%; options: 1. Yes, 2. No, 3. Don’t know]
19
Scenario D2 Variation: same as D1 but a soft-porn magazine, not a men’s clothing retailer
Is there a real risk of significant harm?
[Chart: 97% / 0% / 3%; options: 1. Yes, 2. No, 3. Don’t know]
Workshop Results and Findings
21
Workshop Findings
Results and Findings
Workshop results and findings are set out in the following two parts of this report:
1. Overview of Workshop Results and Discussion (slides 4 to 34)
Summary of certain workshop responses
Observations about results
Highlights of workshop discussion
Participant feedback about the workshop
2. Raw Workshop Data - Appendix A (slides 35 to 141)
Participant demographics
Responses to preliminary questions about organizational culture, incident response plans, and incident tracking
Responses to the 33 hypothetical incident scenarios
22
Workshop Findings
Readiness
State of the industry:
78% of participants described their organization as having an open and honest culture of reporting privacy breaches
80% of participants indicated that their organization had a data breach response plan, yet only 51% were confident that their organization's privacy breach response plan would be sufficient to respond to a public, large scale security incident
57% of participants indicated that their organization had an incident tracking program in place that facilitates tracking and reporting of privacy breaches
23
Workshop Findings
General Observations
Attendees collectively had a very high level of experience in dealing with security incidents, yet the discussion during the workshops reflected a high level of variability in understanding and/or application of the key elements of the "real risk of significant harm" trigger.
There were differences particularly with respect to the understanding and application of the concepts of "harm" and "risk".
Scenarios highlighted the highly fact-specific nature of the notification trigger analysis. In many instances, the change of a single fact altered the determination of whether there was a "real risk of significant harm" in the circumstances.
24
Workshop Findings
Notification to Affected Individuals
Notification Practices:
Respondents who felt a scenario presented a “real risk of significant harm” consistently indicated that they would notify affected individuals in such circumstances, even if not required to do so by a regulator.
In many cases, up to 30% of organizations that did not perceive a “real risk of significant harm” in a given incident still indicated that they would notify affected individuals for other business reasons.
25
Workshop Findings
Summary of factors that impact determinations of a “real risk of significant harm”
Participant responses and discussions consistently reflected that the following factors influence determinations of whether there is a real risk of significant harm:
Number of affected individuals
The greater the number of affected individuals, the greater the likelihood of a “real risk of significant harm” determination
Time lag from incident to discovery or from loss of data to recovery
The longer the time lag, the greater the likelihood of a “real risk of significant harm” determination
26
Workshop Findings
Summary of factors that impact determinations of a “real risk of significant harm” (cont’d)
Whether the organization received confirmation that no disclosure, misuse or duplication of the data occurred
Written confirmation decreased likelihood of a real risk of significant harm determination
Personal circumstances of affected individuals may be relevant, and a case-by-case analysis is required
(Examples – harm experienced by affected individual related to an accidental disclosure to a spouse in the middle of a divorce or if affected individual has suffered identity theft in the past)
Potential “street value” of the data
The more likely that the data in question could be used to commit identity theft (and sold for such purposes), the more likely a “real risk of significant harm” determination
27
Workshop Findings
Respondents’ Agreement with OIPC Alberta Findings
11 hypothetical scenarios used facts from actual OIPC Alberta published findings
Participants often agreed with the OIPC’s determination of whether there was a real risk of significant harm
However, there were three areas of marked disagreement
28
Workshop Findings
Areas of Disagreement in the Determination of the Real Risk of Significant Harm
Disagreement between company representatives and OIPC Alberta with respect to:
1. Whether accidental disclosures to a limited number of individuals constituted a “real risk of significant harm” (e.g., Misdirected fax, co-mingled statement, wrong address)
2. “Street value” of certain data elements (i.e., Can such data really be used to commit identity theft?)
3. Relevance of post-breach mitigation steps in “real risk of significant harm” determination
29
Workshop Findings
1. Accidental Disclosures to a Limited Number of Recipients
Contrary to the OIPC Alberta, at least 50% of respondents found no real risk of significant harm where there was an accidental disclosure of personal information to a limited number of individuals, and in particular where the recipients were identified or known to the organization (e.g., Recipient of accidental / misdirected data is another customer, an employee or co-worker)
See, for example, Scenario K, slides 110-112 in Appendix A
30
Workshop Findings
2. Street Value of the Data
Participants often disagreed about whether certain data elements had “street value” or could be used to commit identity theft
Examples – Certain participants indicated that there was limited or no “street value” to (i) a list of bank account numbers with no other data; (ii) an endorsed or unendorsed personal cheque (with no other data); and (iii) a list of signatures (with no other data)
Discussion on this point focused on participants’ uncertainty about the current technical abilities of hackers/organized crime
31
Workshop Findings
3. Post Breach Mitigation Steps
Participants disagreed with the OIPC Alberta about the relevance of post-breach mitigation steps in the “real risk of significant harm” determination:
The OIPC Alberta has consistently indicated in its orders that an organization’s post-breach mitigation steps are not relevant to its findings of whether there is a real risk of significant harm.
The majority of participants consistently indicated that an organization’s post-breach mitigation steps factor into their consideration when assessing whether there is a real risk of significant harm (i.e., in certain instances, the prompt implementation of post-breach mitigation steps would practically result in there being no real risk of significant harm to affected individuals).
32
Workshop Findings
Publication of Decisions / Naming
The OIPC Alberta practice of naming organizations in the publication of real risk of significant harm findings generated substantial discussion among participants
Background
The Commissioner has statutory discretion to “publish any finding or decision in a complete or an abridged form” (PIPA AB, s.38(6)). In practice, where the Commissioner requires that an organization notify individuals to whom there is a real risk of significant harm, the Commissioner’s decision will be published on the OIPC’s website and the organization named (http://www.oipc.ab.ca/pages/OIP/BreachNotificationDecisions.aspx).
In the event the Commissioner decides that notification of individuals is not required, an anonymized, abridged version of the decision may be published.
33
Workshop Findings
Publication of Decisions / Naming
Issues raised by participants about the OIPC Alberta’s naming practice include:
The practice of naming the organization is perceived as unnecessarily punitive, as organizations that are complying with statutory obligations typically have already notified affected individuals and often have implemented post-breach mitigation steps to contain the incident and prevent harm
In the vast majority of incidents, it is unclear what additional public policy purpose is achieved by naming the organization
It may create a disincentive to report, particularly in cases where it is reasonably unclear whether there is a real risk of significant harm
34
Workshop Findings
Feedback
Consensus among participants that the discussion forum, in particular, the involvement of privacy regulatory authorities, greatly enhanced the value of the exercise
Post-session feedback reflected strong support for further sessions, with a continued focus on (i) clarifying legal and practical meaning of notification triggers and (ii) using generic forms of actual security incidents. This is particularly the case given the pending amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) that include a security breach notification requirement that is not identical to the notification trigger under PIPA (Alberta).
Appendix A
Raw Workshop Data
Consolidated Results of AccessPrivacy’s CPO Forum Workshops held in conjunction with the Alberta Office of the Information and Privacy Commissioner
September 27, 2011 – Toronto
October 12, 2011 – Vancouver
36
Appendix A – Table of Contents
About the Data Slide 38
Demographics Slide 39
Preliminary Questions Slides 40-43
Scenarios
A series – Laptop incidents Slides 44-58
B series – Payroll System Access Slides 59-64
C series – Marketing email to customer list Slides 65-70
D Series – Customer Loyalty Program Email Slides 71-82
E Series – Lost audiometric tests Slides 83-88
F Series – Therapist’s stolen laptop Slides 89-94
G – Sensitive email chain mistakenly forwarded Slides 95-97
H – Husband given wife’s banking information Slides 98-99
I Series – Hotel discloses stay to spouse Slides 100-104
37
Table of Contents (cont’d)
Scenarios (cont’d)
J – Bank robbery Slides 105-109
K – Misdirected mail Slides 110-112
L – Misdirected fax Slides 113-115
M – Credit card numbers stolen from retailer Slides 116-118
N – Comingled statement Slides 119-121
O – Stolen laptop Slides 122-124
P series – Bank bag stolen from courier Slides 125-130
Q – Collections disclosure to father Slides 131-133
R – Stolen customer list/solicitation Slides 134-136
T – Forgotten credit reports Slides 138-140
38
About the Data
There were 68 voting participants in total between the two workshops.
Participants who attended both workshops did not vote a second time at the second workshop.
Participants were given 10 seconds to respond, and the voting closed regardless of whether every participant had voted in respect of that particular scenario.
39
Demographics Appendix A - Raw Workshop Data
1. Identify your sector
[Chart: 10% / 10% / 2% / 7% / 11% / 4% / 38% / 18%; options: 1. Financial Services, 2. Industry Association, 3. Regulator, 4. Retail, 5. Service Provider, 6. Telecommunications, 7. Healthcare, 8. Other]
40
Preliminary Questions
2. Would you describe your organization as having an open and honest culture of reporting incidents of data loss?
[Chart: 78% / 12% / 10%; options: 1. Yes, 2. No, 3. Don’t know]
41
Preliminary Questions
3. Does your organization have a data breach response plan?
[Chart: 80% / 8% / 12%; options: 1. Yes, 2. No, 3. Don’t know]
42
Preliminary Questions
4. Are you confident that your organization’s data breach response plan is sufficient to respond to a public, large scale security incident?
[Chart: 51% / 25% / 24%; options: 1. Yes, 2. No, 3. Don’t know]
43
Preliminary Questions
5. Does your organization have an incident tracking program in place that facilitates tracking and reporting of data breaches?
[Chart: 57% / 9% / 34%; options: 1. Yes, 2. No, 3. Don’t know]
44
Scenario A1
Description of incident:
John Smith brings his laptop to a computer repair store where it is accidentally switched with the laptop of John Wilson. Wilson returns Smith’s laptop within a few days and explains the error.
Personal information: According to Smith, it has “a great deal of PI, including tax, business and personal accounting information.”
Number of affected individuals: 1
45
Scenario A1
Is there a real risk of significant harm?
[Chart: 62% / 8% / 30%; options: 1. Yes, 2. No, 3. Don’t know]
46
Scenario A1
Would your organization notify affected individuals regardless of privacy regulatory requirements?
[Chart: 84% / 16%; options: 1. No, 2. Yes]
47
Scenario A2
Description of incident:
John Smith brings his laptop to a computer repair store where it is accidentally switched with the laptop of John Wilson. Wilson returns Smith’s laptop within a few days and explains the error. Wilson confirms in writing that he did not copy, retain or distribute any information from Smith’s laptop.
Personal information:
According to Smith, it has “a great deal of PI, including tax, business and personal accounting information.”
Number of affected individuals: 1
48
Scenario A2
Is there a real risk of significant harm?
[Chart: 29% / 9% / 62%; options: 1. Yes, 2. No, 3. Don’t know]
49
Scenario A2
Would your organization notify affected individuals regardless of privacy regulatory requirements?
[Chart: 81% / 19%; options: 1. No, 2. Yes]
50
Scenario A3
Description of incident:
John Smith brings his laptop to a computer repair store where it is accidentally switched with the laptop of John Wilson. Wilson returns Smith’s laptop within a few days and explains the error. Wilson confirms verbally that he did not copy, retain or distribute any information from Smith’s laptop.
Personal information: According to Smith, it has “a great deal of PI, including tax, business and personal accounting information.”
Number of affected individuals: 1
51
Scenario A3
Is there a real risk of significant harm?
[Chart: 52% / 4% / 44%; options: 1. Yes, 2. No, 3. Don’t know]
52
Scenario A3
Would your organization notify affected individuals regardless of privacy regulatory requirements?
[Chart: 85% / 15%; options: 1. No, 2. Yes]
53
Scenario A4
Description of incident:
John Smith brings his laptop to a computer repair store where it is accidentally switched with the laptop of John Wilson. Wilson returns Smith’s laptop within a few days and explains the error. Wilson confirms in writing that he did not copy, retain or distribute any information from Smith’s laptop. Wilson is well known to the organization and trusted.
Personal information:
According to Smith, it has “a great deal of PI, including tax, business and personal accounting information.”
Number of affected individuals: 1
54
Scenario A4
Is there a real risk of significant harm?
[Chart: 27% / 3% / 70%; options: 1. Yes, 2. No, 3. Don’t know]
55
Scenario A4
Would your organization notify affected individuals regardless of privacy regulatory requirements?
[Chart: 77% / 23%; options: 1. No, 2. Yes]
56
Scenario A5
Description of incident:
John Smith brings his laptop to a computer repair store where it is accidentally switched with the laptop of John Wilson. Wilson returns Smith’s laptop one month later, before Smith has returned for his laptop, and explains the error. Wilson confirms in writing that he did not copy, retain or distribute any information from Smith’s laptop.
Personal information:
According to Smith, it has “a great deal of PI, including tax, business and personal accounting information.”
Number of affected individuals: 1
57
Scenario A5
Is there a real risk of significant harm?
[Chart: 79% / 6% / 15%; options: 1. Yes, 2. No, 3. Don’t know]
58
Scenario A5
Would your organization notify affected individuals regardless of privacy regulatory requirements?
[Chart: 92% / 8%; options: 1. No, 2. Yes]
59
Scenario B1
Description of incident:
An employer is informed by an employee that payroll information of former and current employees is accessible to all current employees on the company’s computer system. The electronic folder had an employee name and was buried in a set of subfolders, accessible for a period of 15 months. There is no evidence of misuse of the data, but the computer system has no audit capability with respect to access.
Personal information: Name, SIN, bimonthly salary
Number of affected individuals: 250
60
Scenario B1
Is there a real risk of significant harm?
[Chart: 82% / 3% / 15%; options: 1. Yes, 2. No, 3. Don’t know]
61
Scenario B1
Would your organization notify affected individuals regardless of privacy regulatory requirements?
[Chart: 78% / 22%; options: 1. No, 2. Yes]
62
Scenario B2
Description of incident:
An employer is informed by an employee that payroll information of former and current employees is accessible to all current employees. The folder had an employee name and was buried in a set of subfolders, accessible for a period of 15 months. There is no evidence of misuse, but the computer system has no audit capability with respect to access. This is the second time this employer has reported a breach involving sensitive employee PI being accessible on the company system.
Personal information: Name, SIN, bimonthly salary
Number of affected individuals: 250
63
Scenario B2
Is there a real risk of significant harm?
[Chart: 95% / 0% / 5%; options: 1. Yes, 2. No, 3. Don’t know]
64
Scenario B2
Would your organization notify affected individuals regardless of privacy regulatory requirements?
[Chart: 92% / 8%; options: 1. No, 2. Yes]
65
Scenario C1
Description of incident:
A retail organization sends an email to its customer contact list, including those who were on the “do not contact” list. The organization forgets to blind carbon copy the recipients; therefore all recipients are able to view the email addresses of all other recipients.
Personal information: Name, personal and business email addresses
Number of affected individuals: 300
66
Scenario C1
Is there a real risk of significant harm?
[Chart: 28% / 3% / 69%; options: 1. Yes, 2. No, 3. Don’t know]
67
Scenario C1
Would your organization notify affected individuals regardless of privacy regulatory requirements?
[Chart: 55% / 45%; options: 1. No, 2. Yes]
68
Scenario C2
Description of incident:
A retail organization sends an email to its customer contact list, including those who were on the “do not contact” list. The organization forgets to blind carbon copy the recipients; therefore all recipients are able to view the email addresses of all other recipients.
Personal information: Name, personal and business email addresses
Number of affected individuals: 2 million
69
Scenario C2
Is there a real risk of significant harm?
[Chart: 45% / 1% / 54%; options: 1. Yes, 2. No, 3. Don’t know]
70
Scenario C2
Would your organization notify affected individuals regardless of privacy regulatory requirements?
[Chart: 76% / 24%; options: 1. No, 2. Yes]
71
Scenario D1
Description of incident:
A men’s clothing retailer operates a customer loyalty program. It outsources email communications for the loyalty program to a service provider, who emails the members with offers and rewards on behalf of the organization. The service provider’s new update software accidentally sends out an email to the loyalty members without blind carbon copying the recipients. All recipients can view the email addresses of all other recipients.
Personal information: Name and email address
Number of affected individuals: Approx. 10,000
72
Scenario D1
Is there a real risk of significant harm?
[Chart: 43% / 5% / 52%; options: 1. Yes, 2. No, 3. Don’t know]
73
Scenario D1
Would your organization notify affected individuals regardless of privacy regulatory requirements?
[Chart: 66.5% / 33.5%; options: 1. No, 2. Yes]
74
Scenario D2
Description of incident:
A soft-porn magazine operates a customer loyalty program. It outsources email communications for the loyalty program to a service provider, who emails the members with offers and rewards on behalf of the organization. The service provider’s new update software accidentally sends out an email to the loyalty members without blind carbon copying the recipients. All recipients can view the email addresses of all other recipients.
Personal information: Name and email address, and reward club name
Number of affected individuals: Approx. 10,000
75
Scenario D2
Is there a real risk of significant harm?
[Chart: 97% / 0% / 3%; options: 1. Yes, 2. No, 3. Don’t know]
76
Scenario D2
Would your organization notify affected individuals regardless of privacy regulatory requirements?
[Chart: 90% / 10%; options: 1. No, 2. Yes]
77
Scenario D3
Description of incident:
A men’s clothing retailer operates a customer loyalty program. It outsources email communications for the loyalty program to a service provider, who emails its members with offers and rewards on behalf of the organization. The service provider discovers its system has been hacked and PI of account holders has been downloaded to an FTP site in a well-known black market/identity theft economy.
Personal information: Name and email address, and reward club name
Number of affected individuals: 45
78
Scenario D3
Is there a real risk of significant harm?
[Chart: 88.5% / 5.0% / 6.5%; options: 1. Yes, 2. No, 3. Don’t know]
79
Scenario D3
Would your organization notify affected individuals regardless of privacy regulatory requirements?
[Chart: 96% / 4%; options: 1. No, 2. Yes]
80
Scenario D4
Description of incident:
A men’s clothing retailer operates a customer loyalty program. It outsources email communications for the loyalty program to a service provider, who emails its members with offers and rewards on behalf of the organization. The service provider discovers its system has been hacked and PI of account holders has been downloaded to an FTP site in a well-known black market/identity theft economy.
Personal information: Name and email address, and reward club name
Number of affected individuals: Approx. 2 million
81
Scenario D4
Is there a real risk of significant harm?
[Chart: 98.5% / 0% / 1.5%; options: 1. Yes, 2. No, 3. Don’t know]
82
Scenario D4
Would your organization notify affected individuals regardless of privacy regulatory requirements?
[Chart: 93.50% / 6.50%; options: 1. No, 2. Yes]
83
Scenario E1
Description of incident:
A construction company retains a third party service provider to conduct audiometric tests on employees. The service provider misplaces the envelope containing the test forms on a public transportation vehicle. Despite attempts to retrieve the envelope, the test results are not recovered.
Personal information: Company name, employee occupation, work location and unique employee number (but no name), date employed, home address, age, telephone number, medical history (as it relates to audiometric testing – e.g., whether employee has cold/flu, head injury, hearing problems, past exposure to environmental noise, etc.), and the test results
Number of affected individuals: 180
84
Scenario E1
Is there a real risk of significant harm?
[Chart: 75% / 7% / 18%; options: 1. Yes, 2. No, 3. Don’t know]
85
Scenario E1
Would your organization notify affected individuals regardless of privacy regulatory requirements?
[Chart: 93% / 7%; options: 1. No, 2. Yes]
86
Scenario E2
Description of incident:
A construction company retains a third party service provider to conduct audiometric tests on employees. The service provider misplaces the envelope containing the test forms on a public transportation vehicle. Despite attempts to retrieve the envelope, the test results are not recovered.
Personal information: Company name, employee occupation, work location and unique employee number (but no name), date employed, home address, age, telephone number, medical history (as it relates to audiometric testing – e.g., whether employee has cold/flu, head injury, hearing problems, past exposure to environmental noise, etc.), the test results, and date of birth.
Number of affected individuals: 180
87
Scenario E2
Is there a real risk of significant harm?
[Chart: 96% / 0% / 4%; options: 1. Yes, 2. No, 3. Don’t know]
88
Scenario E2
Would your organization notify affected individuals regardless of privacy regulatory requirements?
[Chart: 96% / 4%; options: 1. No, 2. Yes]
89
Scenario F1
Description of incident:
A therapist working with young special needs children has her home broken into and her laptop is stolen. The laptop, containing PI of patients and their parents, was not password protected and not encrypted.
Personal information: Names of children and parents, child’s date of birth, home address, contact numbers, school name and therapy session notes.
Number of affected individuals: 50
90
Scenario F1
Is there a real risk of significant harm?
[Chart: 98% / 0% / 2%; options: 1. Yes, 2. No, 3. Don’t know]
91
Scenario F1
Would your organization notify affected individuals regardless of privacy regulatory requirements?
[Chart: 98% / 2%; options: 1. No, 2. Yes]
Scenario F2 Appendix A - Raw Workshop Data (slides 92-94)
Description of incident: A speech therapist working with adults has her home broken into and her laptop stolen. The laptop, containing PI of patients, was not password protected and not encrypted.
Personal information: Name of patients, date of birth, home address, contact numbers, and therapy session notes.
Number of affected individuals: 50
Is there a real risk of significant harm?
Chart values: 94%, 1.5%, 4.5%. Legend: 1. Yes; 2. No; 3. Don’t know.
Would your organization notify affected individuals regardless of privacy regulatory requirements?
Chart values: 94.5%, 5.5%. Legend: 1. No; 2. Yes.
Scenario G Appendix A - Raw Workshop Data (slides 95-97)
Description of incident: A manager emailed a work schedule, copying six employees. The manager did not realize the email contained an email string discussing the possible termination of one of the six employees. One of the employees notified the manager of the error the next day. The employees were instructed via email to delete the email if they had not read it yet or, if they had already read it, to disregard its contents.
Personal information: Name, termination details of one individual
Number of affected individuals: 1
Is there a real risk of significant harm?
Chart values: 82.5%, 3.5%, 14%. Legend: 1. Yes; 2. No; 3. Don’t know.
Would your organization notify affected individuals regardless of privacy regulatory requirements?
Chart values: 83%, 17%. Legend: 1. No; 2. Yes.
Scenario H Appendix A - Raw Workshop Data (slides 98-99)
Description of incident: A customer’s husband opened her T5 at her home and then called her FI and was provided with additional information about her accounts. The customer complained. The organization checked its records and determined the husband had called twice – the first time he was denied information because he was not the account holder; the second time he pretended to be the account holder (wife) and provided correct answers to the identity verification questions.
Personal information: Name, address, SIN and account details
Number of affected individuals: 1
Is there a real risk of significant harm?
Chart values: 71%, 2%, 27%. Legend: 1. Yes; 2. No; 3. Don’t know.
Scenario I1 Appendix A - Raw Workshop Data (slides 100-102)
Description of incident: A Hotel Manager overhears one of his front desk staff on the phone, confirming that an individual had stayed two days and booked two rooms. The Manager asks about the call and is advised by the employee that the individual’s wife had called and had wished to confirm details of her husband’s recent travel.
Personal information: Name, date and length of stay, number of rooms booked
Number of affected individuals: 1
Is there a real risk of significant harm?
Chart values: 70.5%, 4.5%, 25%. Legend: 1. Yes; 2. No; 3. Don’t know.
Would your organization notify affected individuals regardless of privacy regulatory requirements?
Chart values: 66%, 34%. Legend: 1. No; 2. Yes.
Scenario I2 Appendix A - Raw Workshop Data (slides 103-104)
Description of incident: An individual contacted a hotel, identifying herself as the wife of a guest who had previously stayed at the hotel. Upon request, the hotel employee advised that the husband had stayed two days and booked two rooms. One week later, the hotel guest called and complained about the disclosure of his personal information. The hotel’s internal investigation confirmed the guest’s allegation.
Personal information: Name, date and length of stay, number of rooms booked
Number of affected individuals: 1
Is there a real risk of significant harm?
Chart values: 61%, 5.5%, 33.5%. Legend: 1. Yes; 2. No; 3. Don’t know.
Scenario J1 Appendix A - Raw Workshop Data (slides 105-107)
Description of incident: A banking branch is robbed of cash and an envelope containing customer PI. The incident was reported to the police.
Personal information: Customer names, signatures, details of a single transaction and bank account numbers.
Number of affected individuals: 50
Is there a real risk of significant harm?
Chart values: 97%, 0%, 3%. Legend: 1. Yes; 2. No; 3. Don’t know.
Would your organization notify affected individuals regardless of privacy regulatory requirements?
Chart values: 96.5%, 3.5%. Legend: 1. No; 2. Yes.
Scenario J2 Appendix A - Raw Workshop Data (slides 108-109)
Description of incident: A banking branch is robbed of cash and an envelope containing customer PI. The incident was reported to the police. All of the affected customers were notified and the organization offered to change their account numbers, replace their cheques and monitor their accounts.
Personal information: Customer names, signatures, details of a single transaction and bank account numbers
Number of affected individuals: 50
Is there a real risk of significant harm?
Chart values: 41.5%, 2.0%, 56.5%. Legend: 1. Yes; 2. No; 3. Don’t know.
Scenario K Appendix A - Raw Workshop Data (slides 110-112)
Description of incident: A Financial Institution accidentally mailed T4A statements of two retirees to two other retirees. Within days, the two affected retirees were notified and offered monitoring services. The recipients had opened the files, although not addressed to them, and called the FI to advise of the error. The two recipients of the T4A statements were asked to return the information without making copies.
Personal information: Pension and retirement income information, amount deducted, SIN, name and address
Number of affected individuals: 2
Is there a real risk of significant harm?
Chart values: 47.5%, 3%, 49.5%. Legend: 1. Yes; 2. No; 3. Don’t know.
Would your organization notify affected individuals regardless of privacy regulatory requirements?
Chart values: 88%, 12%. Legend: 1. No; 2. Yes.
Scenario L Appendix A - Raw Workshop Data (slides 113-115)
Description of incident: A Financial Institution accidentally faxed RRSP transfer documents to the customer’s fax machine at work at 10:23am rather than to another financial institution. The customer’s co-worker advised the customer that the document was there and the customer recovered it within the same work day. Co-workers had access to the machine. The customer advised the Financial Institution and accepted their offer of credit monitoring and their apology. She indicated that she was not upset and appreciated the FI’s response.
Personal information: Name, address, SIN, RRSP account number, and client number with a different FI.
Number of affected individuals: 1
Is there a real risk of significant harm?
Chart values: 52.5%, 1.5%, 46%. Legend: 1. Yes; 2. No; 3. Don’t know.
Would your organization notify affected individuals regardless of privacy regulatory requirements?
Chart values: 33.5%, 66.5%. Legend: 1. No; 2. Yes.
Scenario M Appendix A - Raw Workshop Data (slides 116-118)
Description of incident: A Retailer discovers that a list of credit card numbers has just been stolen. They immediately ensure that the relevant Financial Institutions and service providers are notified. The FIs promptly discontinue the credit card numbers and advise the cardholders of what has happened and that their cards will be replaced.
Personal information: Credit card numbers (no other data)
Number of affected individuals: 5,000
Is there a real risk of significant harm?
Chart values: 19.5%, 3.5%, 77%. Legend: 1. Yes; 2. No; 3. Don’t know.
Would your organization notify affected individuals regardless of privacy regulatory requirements?
Chart values: 50.5%, 49.5%. Legend: 1. No; 2. Yes.
Scenario N Appendix A - Raw Workshop Data (slides 119-121)
Description of incident: A financial institution mails the first page of a client’s monthly credit card statement together with a second page belonging to another client.
Personal information: Name (but no contact information), credit card account number, monthly transactions on the account, and total credits and debits for the billing period.
Number of affected individuals: 1
Is there a real risk of significant harm?
Chart values: 46%, 2%, 52%. Legend: 1. Yes; 2. No; 3. Don’t know.
Would your organization notify affected individuals regardless of privacy regulatory requirements?
Chart values: 78%, 22%. Legend: 1. No; 2. Yes.
Scenario O Appendix A - Raw Workshop Data (slides 122-124)
Description of incident: A laptop belonging to an employee of a healthcare organization is stolen. It contained PI. The laptop was password protected but not encrypted; the files on the laptop were not password protected.
Personal information: Name, contact information, date of birth and health information.
Number of affected individuals: 42
Is there a real risk of significant harm?
Chart values: 93.5%, 3.5%, 3%. Legend: 1. Yes; 2. No; 3. Don’t know.
Would your organization notify affected individuals regardless of privacy regulatory requirements?
Chart values: 98.5%, 1.5%. Legend: 1. No; 2. Yes.
Scenario P1 Appendix A - Raw Workshop Data (slides 125-127)
Description of incident: A bank bag of mortgage documents in transit to the processing centre is stolen from the courier. The bag is located by the police 5 days later and all the information appears to be intact and undisturbed.
Personal information: Mortgage number, client name, property details, DOB, assets/liabilities.
Number of affected individuals: 185
Is there a real risk of significant harm?
Chart values: 66%, 7.5%, 26.5%. Legend: 1. Yes; 2. No; 3. Don’t know.
Would your organization notify affected individuals regardless of privacy regulatory requirements?
Chart values: 69.5%, 30.5%. Legend: 1. No; 2. Yes.
Scenario P2 Appendix A - Raw Workshop Data (slides 128-130)
Description of incident: A bank bag of mortgage documents in transit to the processing centre is stolen from the courier and never recovered.
Personal information: Personal cheques and cash.
Number of affected individuals: 185
Is there a real risk of significant harm?
Chart values: 75.5%, 0%, 24.5%. Legend: 1. Yes; 2. No; 3. Don’t know.
Would your organization notify affected individuals regardless of privacy regulatory requirements?
Chart values: 90.5%, 9.5%. Legend: 1. No; 2. Yes.
Scenario Q Appendix A - Raw Workshop Data (slides 131-133)
Description of incident: During a collections call for an outstanding debt, the balance owing and the fact that payments were late are disclosed to the customer’s father.
Personal information: Name, creditor, type of debt, balance owing, payment history.
Number of affected individuals: 1
Is there a real risk of significant harm?
Chart values: 46.5%, 5%, 48.5%. Legend: 1. Yes; 2. No; 3. Don’t know.
Would your organization notify affected individuals regardless of privacy regulatory requirements?
Chart values: 85.5%, 14.5%. Legend: 1. No; 2. Yes.
Scenario R Appendix A - Raw Workshop Data (slides 134-136)
Description of incident: An organization learns that a former employee has stolen a customer list and is using it to solicit customers for a new organization.
Personal information: Customer names, email addresses and mailing addresses
Number of affected individuals: 350
Is there a real risk of significant harm?
Chart values: 29.5%, 1.5%, 69%. Legend: 1. Yes; 2. No; 3. Don’t know.
Would your organization notify affected individuals regardless of privacy regulatory requirements?
Chart values: 72%, 28%. Legend: 1. No; 2. Yes.
Scenario S Appendix A - Raw Workshop Data (slide 137)
If you are required to report in Alberta and are also subject to other privacy regulatory authorities, do you report to them voluntarily?
Chart values: 71%, 4%, 25%. Legend: 1. Yes; 2. No; 3. Not Applicable.
Scenario T Appendix A - Raw Workshop Data (slides 138-140)
Description of incident: A collection agent accidentally leaves a folder containing personal audit reports on the court clerk’s counter at the courthouse. The court clerk finds it 1 hour later. It looks undisturbed. The court clerk advises the credit reporting agency, who advises you at the collection agency.
Personal information: Personal financial information, credit bureau reports
Number of affected individuals: 12
Is there a real risk of significant harm?
Chart values: 61.5%, 6%, 32.5%. Legend: 1. Yes; 2. No; 3. Don’t know.
Would your organization notify affected individuals regardless of privacy regulatory requirements?
Chart values: 62%, 38%. Legend: 1. No; 2. Yes.
Scenario U Appendix A - Raw Workshop Data (slide 141)
Do you believe that post-breach mitigation steps should impact the assessment of whether there is a RROSH?
Chart values: 83%, 17%. Legend: 1. No; 2. Yes.