Personal Information Protection Act Breach Reporting Guide


If an organization determines that a real risk of significant harm exists to an individual as a result of a breach of personal information, section 34.1(1) of the Personal Information Protection Act (PIPA) requires the organization to provide notice of the incident to the Commissioner without unreasonable delay. Section 34.1(1) also requires the notice to the Commissioner to include the information prescribed in section 19 of the Personal Information Protection Act Regulation (the "Regulation"), as follows:

Notice to the Commissioner
19 A notice provided by an organization to the Commissioner under section 34.1(1) of the Act must be in writing and include the following information:
(a) a description of the circumstances of the loss or unauthorized access or disclosure;
(b) the date on which or time period during which the loss or unauthorized access or disclosure occurred;
(c) a description of the personal information involved in the loss or unauthorized access or disclosure;
(d) an assessment of the risk of harm to individuals as a result of the loss or unauthorized access or disclosure;
(e) an estimate of the number of individuals to whom there is a real risk of significant harm as a result of the loss or unauthorized access or disclosure;
(f) a description of any steps the organization has taken to reduce the risk of harm to individuals;
(g) a description of any steps the organization has taken to notify individuals of the loss or unauthorized access or disclosure;
(h) the name of and contact information for a person who can answer, on behalf of the organization, the Commissioner's questions about the loss or unauthorized access or disclosure.

The guidance in this document is designed to assist an organization in providing the information required by the Regulation and to facilitate timely completion of the investigation. If the Breach Report Form is used to report the breach, the headings below correspond to the sections of the Form for ease of reference.

INCIDENT DESCRIPTION - SECTIONS 19(a) AND (b) OF THE REGULATION

Describe the circumstances of the breach and its cause

Provide a written explanation of the cause of the breach, adding as much detail as possible to assist in the determination of whether notification of the individuals is required. A breach means a loss of, unauthorized access to, or unauthorized disclosure of personal information. Some examples of each:
- A loss may occur where an employee misplaces files or loses a laptop containing personal information.
- Unauthorized access may occur where an organization's computer system is hacked and personal information is accessed.
- Unauthorized disclosure may occur where personal information is sent to the wrong person in error.

The following are some examples of causes of a breach:
- Theft: personal information on electronic devices, such as a laptop, or in paper files is stolen from a car or premises; personal information in a database is stolen when a hacker breaks into the database and extracts it; personal information is taken by an employee without authorization for a use separate from his or her employment responsibilities.
- Improper disposal: personal information intended for the shredder is disposed of in a garbage can and winds up in a dumpster; personal information is sent for recycling rather than shredded.
- Improper access control: personal information in electronic file folders on a network is not segregated and is viewable by employees who do not have authorization to view it; a system glitch causes personal information to become viewable by those not authorized to view it (employees and/or the general public via the Internet).
- Loss: an electronic file or an unencrypted electronic device is lost by an employee on his or her way home from work or at home and is not recovered; a document sent to another organization does not arrive and is not recovered.
- Cyber attack: a website created by an organization to collect personal information of its customers is redirected to another website designed to capture the personal information entered; a database is hacked and email addresses are stolen for the purposes of spear phishing.

Date of incident or time period during which the incident occurred

Provide the actual date of the breach (if known) or the suspected date range of the breach (if known), and the date the breach was discovered. It is helpful to describe who discovered the breach and the circumstances of the discovery. If there has been a delay between discovery of the breach and reporting it to the OIPC, you may also wish to explain the delay. It is also helpful to provide the actual location where the breach occurred, meaning the address along with the location within it (e.g., the breach occurred at 1234 5th Street, in Office 204). If not known, the approximate location should be provided.

PERSONAL INFORMATION INVOLVED - SECTION 19(c) OF THE REGULATION

Describe the personal information involved in the breach

Personal information means information about an identifiable individual and includes personal employee information. Personal employee information means, in respect of an individual who is a potential, current or former employee of an organization, personal information reasonably required by the organization for the purposes of establishing, managing or terminating an employment or volunteer work relationship, or managing post-employment or post-volunteer work relationships between the organization and the individual.

Examples of personal information include: a person's name, home phone number, home address, date of birth, social insurance number (SIN), driver's licence number, credit card number, bank account number, email address, and membership information. Examples of personal employee information include: disciplinary records, employment references, performance evaluations, benefits information, and years of service.

Information that is NOT about an individual, such as information about an organization, is not personal information. The Commissioner has determined that in certain circumstances a corporate credit card issued to an employee for business purposes, even if issued in the employee's name, is not personal information about an individual but is information about an organization.

If you completed the Mandatory Breach Reporting Tool, you may wish to insert your answer from Question 1 of the Tool into this section.

HARM - SECTION 19(d) OF THE REGULATION

Provide an assessment of the type of harm that may result from the breach

Provide the type of harm that could occur as a result of the breach. There are many kinds of harm that could occur to an individual as a result of a breach of the individual's personal information, including bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, fraud, identity theft, negative effects on a credit record, and damage to or loss of property. Some examples of harm that could flow from a breach of personal information:
- A breach of an individual's name and credit card number could result in financial fraud.
- A breach of an individual's name, driver's licence and SIN could result in identity theft and fraud.
- A breach of an individual's name and subscription to an adult magazine could result in reputational harm.
- A breach of an individual's disciplinary letter could result in humiliation.

If you completed the Mandatory Breach Reporting Tool, you may wish to insert your answer from Question 4, Stage One of the Tool into this section.

Provide an assessment of whether you think the harm is significant and why

To determine whether harm is significant, it is important to determine the sensitivity of the personal information breached. For example, if the personal information breached includes name and SIN, the sensitivity would be high. Although a name is considered to be of low sensitivity, a SIN is considered highly sensitive because SINs can be used to commit identity theft or identity fraud. The Commissioner has held the following types of information to be highly sensitive: SIN, date of birth and driver's licence number, because this information can be used to commit fraud or identity theft; credit card numbers, because they are often used to make fraudulent purchases; certain types of medical information, such as psychiatric or addiction counselling notes; and employee information, such as poor performance or termination information, due to their ability to cause humiliation and harm to reputation. The Commissioner has held names, phone numbers, email addresses, bank account numbers and RRSP account numbers to be less sensitive. Note that in certain circumstances a name and address can be highly sensitive, such as in cases where there is a risk of domestic violence.

For a risk of harm to exist, there must be some risk of damage, detriment or injury that could occur to an individual as a result of the breach. For the harm to be significant, it must be important and meaningful, with more than trivial consequences or effects.

RISK - SECTIONS 19(e) AND (f) OF THE REGULATION

Provide an assessment of the likelihood that harm could result

Explain why you think there is a real risk that the harm identified will occur to those individuals. You must assess the likelihood that the significant harm will occur to an individual. That likelihood must be more than mere speculation or conjecture: there must be a cause and effect relationship between the breach and the harm, meaning the harm must flow directly from the breach. For example: a hacker breaks into your computer system and extracts the personal information (name, driver's licence number and credit card number) of your customers. In this scenario it is likely the harm, identity theft, will occur, because the personal information was stolen. The effect of the breach, the theft of personal information, will cause the harm of identity theft. Therefore, in this circumstance, there is a real risk that the harm of identity theft will occur to a customer as a result of the theft of the customer's personal information.

To determine whether a real risk of significant harm will occur to an individual, you will need to analyze all the circumstances surrounding the breach. Some factors you may wish to consider:
- Who obtained or could have obtained access to the information?
- Were there security measures in place to prevent unauthorized access, such as encryption?
- Is the information highly sensitive?
- How long was the information exposed?
- Is there evidence of malicious intent or purpose, such as theft, hacking, or malware?
- Could the information be used for criminal purposes, such as identity theft or fraud?
- Was the information recovered?
- How many individuals were affected by the breach?
- Were there vulnerable individuals involved in the breach, such as youth or seniors?

If you completed the Mandatory Breach Reporting Tool, you may wish to insert your answer from Question 4, Stage Two of the Tool into this section.

Estimated number of individuals to whom there is a real risk of significant harm as a result of the incident

Provide an estimate of the number of individuals that could suffer the harm identified in the prior question. It is helpful to provide the number of affected residents of Alberta (if known) in addition to the total number of affected individuals. It is also helpful to provide the type of individuals affected, which could include client, customer, patient, employee or other.

Describe any steps you have taken to reduce the risk of harm to individuals

List all the actions taken by the organization to reduce the risk of harm to individuals. You may also wish to include any actions planned that have not yet been implemented.

NOTIFICATION - SECTION 19(g) OF THE REGULATION

Have affected individuals been notified?

Indicate whether or not you notified individuals about the breach, and describe any steps you took to notify them. If you provided notification, it is helpful to provide the date of notification, what the notification contained, and which individuals were notified. A copy of the notification may be provided if it was in writing, or a script if notification was by phone.

CONTACT - SECTION 19(h) OF THE REGULATION

Provide the name of a contact person who can answer questions about the breach. It is also helpful to provide the address, phone number, fax number and email address of the contact person.

The addendum below lists additional information that is helpful to the Commissioner when investigating a breach and can be included as an addendum to the Breach Report Form.

This document was prepared to help organizations implement the Personal Information Protection Act ("PIPA"). The document is an administrative tool intended to assist in understanding PIPA. It is not intended as, nor is it a substitute for, legal advice. For the exact wording and interpretation of PIPA, please read PIPA in its entirety. This document is not binding on the Information and Privacy Commissioner of Alberta.

Office of the Information and Privacy Commissioner of Alberta
Addendum to the Breach Report Form

(There is no requirement to provide this information to the Information and Privacy Commissioner. However, this information will be useful to the Commissioner in determining whether notification is required.)

- Describe the type of business you are engaged in.
- Provide any additional information not already included that you used to assess whether there is a real risk of significant harm to an individual.
- Identify any authorities (e.g., police) or other organizations (e.g., other Privacy Commissioners' offices, credit card companies) that were notified about the breach, and when.