Susan on the Soapbox welcomes her first guest blogger.
Employment and privacy lawyer Brian Thiessen has a few words to say about a privacy breach that impacts 620,000 Albertans. The title says it all.
The Buck Stops Here–Privacy 101 for Minister Horne–Incompetence is not a defence
Like most Albertans, I have been reading, with interest, the news of the theft of a laptop containing the information of 620,000 Albertans. Unlike the feigned outrage of Minister Horne, I am genuinely concerned not only with the theft and exposure of the sensitive personal information of hundreds of thousands of Albertans, but also with the complete lack of understanding of Alberta’s privacy law regime shown by a senior Minister of the Alberta Government, and with his thinly veiled attempt to pass the buck to the independent office of the Legislature (the Office of the Information and Privacy Commissioner of Alberta) tasked with investigating that breach and holding the Alberta Government to account for its woefully inadequate security measures, as required by the Personal Information Protection Act (“PIPA”) and the Alberta Health Information Act (“HIA”).
To understand the colossal incompetence involved, you have to start with the basics. PIPA governs the collection, use and disclosure of personal information by commercial entities, and it contains provisions requiring organizations to notify the Privacy Commissioner where the loss of, disclosure of, or unauthorized access to an individual’s personal information would result in a “real risk of significant harm” to that individual. HIA, which governs the collection, use and disclosure of health information and sets the rules for custodians of such health information, contains no privacy breach reporting requirement at all.
Despite the lack of mandatory privacy breach reporting in HIA, the Commissioner has repeatedly encouraged custodians of health information to report privacy breaches. For example, in Investigation Report H2009-IR-007, Alberta Health Services voluntarily contacted the Commissioner to report that one of its computer networks had been infected with malicious software that potentially compromised nearly 12,000 individuals’ health information, and voluntarily notified those individuals of the breach. The Investigator appointed by the Commissioner stated:
“The HIA does not require custodians to notify individuals whose health information has been disclosed inappropriately. I believe AHS took a prudent and responsible course of action by notifying the patients whose [health information] may have been exposed… The [Commissioner] supports AHS’ decisions to notify staff and affected patients about this breach.”
Similarly, in Investigation Report H2011-IR-003, the University of Calgary voluntarily contacted the Commissioner to report that one of its computer networks had been infected by malicious software that potentially compromised nearly 5,000 individuals’ health information, and voluntarily notified those individuals of the breach. The Investigator appointed by the Commissioner stated:
“In my opinion, notification is a responsible and prudent response to this kind of breach… health information is inherently sensitive. People deserve to know that their health information may have been exposed… [emphasis added]”
Accordingly, custodians of health information are encouraged and typically inclined to voluntarily report privacy breaches of health information. Custodians who have voluntarily reported privacy breaches to the Commissioner include:
• Alberta Health Services (Investigation Report H2009-IR-007);
• Alberta Health and Wellness (Investigation Report H2005-IR-001);
• The Calgary Health Region – now Alberta Health Services (Investigation Report H2006-IR-002);
• The University of Calgary on behalf of the University of Calgary Medical Clinic (Investigation Report H2011-IR-003); and
• Individual health service providers (Investigation Report H2005-IR-001).
You may have noticed that most of these voluntary disclosures involved governmental agencies, some under the direct responsibility of the Minister of Health. So Minister Horne should have been very well aware that: (a) the HIA (which his government enacted) contains no mandatory reporting requirement (so that should have come as no surprise to him); (b) despite the lack of a legislative requirement, the Commissioner has consistently taken the position that such breaches should be reported; and (c) most agencies, including Minister Horne’s own department, have regularly reported such breaches to the Office of the Information and Privacy Commissioner (the “OIPC”). A simple internal policy in Mr. Horne’s department would have required staff to tell the Minister.
How bad was the breach, and was it the Government’s fault?
In short, it was really bad. And yes, the Government and Minister Horne are directly responsible.
In 2006, in Investigation Report P2006-IR-005, the OIPC considered a remarkably similar fact pattern, although in the context of PIPA. In that case, the private company involved had a laptop stolen that contained sensitive personal information (names, age, month and year of birth, medical specialty, home and business addresses, fax numbers and email addresses, and in some cases total financial assets and shareholder information). The OIPC found that the organization did not have adequate security measures in place, noting specifically that such sensitive personal information should not be stored on laptops at all, and that (as of 2006) encryption was commercially commonplace and had been available for 10 years (including in Microsoft Windows 2000). Encryption, the OIPC found, forms part of reasonable security for information stored on laptops, along with BIOS passwords and the common sense measure of installing tracking or “phone home” technology so that a stolen laptop can be quickly located. The OIPC noted, in 2006, that encryption had become “a baseline for security” and that the technology is readily available on standard operating systems. The OIPC also made other common sense suggestions, such as keeping laptops holding such information under physical lock and key and not letting employees travel around with them.
When evaluating the adequacy of an organization’s security measures, the OIPC considers the seriousness of the issue and the degree of harm that could result. On the issue of harm, the OIPC stated:
“Phonebusters, a Canadian anti-fraud call centre operated by Ontario police agencies, received between 11,938 and 14,599 complaints of identity theft each year between 2003 and 2005. The total annual financial cost to these consumers reached 20 million dollars. This does not include the time and money spent to rectify the problems created by identity theft. In March of 2006, an Ipsos Reid survey revealed that one-quarter of Canadian adults (24%) – representing 5.7 million Canadians – have either themselves personally (4%), or known someone who has (20%), been subjected to identity theft.”
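The 2006 baseline the OIPC describes, encryption on any laptop that holds personal information, only protects anyone if somebody actually verifies that it is in place before the laptop walks out the door. What follows is an added example, not part of this post or of any OIPC report: a small Python audit check, assuming a Linux laptop that uses dm-crypt/LUKS and the util-linux `lsblk` tool, which flags every mounted filesystem that has no encrypted device beneath it. The `lsblk` output embedded in it is constructed for the example, not captured from a real machine, and the function name `unencrypted_mounts` is the example’s own.

```python
"""Audit check: which mounted filesystems on a Linux laptop are NOT backed by
an encrypted (dm-crypt/LUKS) block device.

Added example, not part of the original post. It parses the JSON form of
`lsblk` output (`lsblk -J -o NAME,TYPE,MOUNTPOINT`). The sample below is
constructed for the example, not captured from a real machine.
"""
import json
import subprocess
from typing import Iterator, List, Tuple

# Constructed sample: an NVMe disk whose root and home volumes sit on a LUKS
# container, plus a second SATA disk with a plain, unencrypted /data partition.
SAMPLE_LSBLK_JSON = r'''
{
  "blockdevices": [
    {"name": "nvme0n1", "type": "disk", "mountpoint": null, "children": [
      {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
      {"name": "nvme0n1p2", "type": "part", "mountpoint": "/boot"},
      {"name": "nvme0n1p3", "type": "part", "mountpoint": null, "children": [
        {"name": "cryptroot", "type": "crypt", "mountpoint": null, "children": [
          {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
          {"name": "vg-home", "type": "lvm", "mountpoint": "/home"}
        ]}
      ]}
    ]},
    {"name": "sda", "type": "disk", "mountpoint": null, "children": [
      {"name": "sda1", "type": "part", "mountpoint": "/data"}
    ]}
  ]
}
'''

# Mountpoints that are expected to be plaintext on a stock LUKS layout: the
# firmware (ESP) and kernel/initramfs partitions, and swap. Anything else that
# is mounted should sit under a crypt device.
EXPECTED_PLAINTEXT = {"/boot", "/boot/efi", "[SWAP]"}


def _mountpoints(dev: dict) -> List[str]:
    # util-linux >= 2.37 emits "mountpoints": [...]; older versions emit a
    # single "mountpoint". Handle both and drop empty entries.
    mps = dev.get("mountpoints")
    if mps is None:
        mps = [dev.get("mountpoint")]
    return [m for m in mps if m]


def _walk(devs: list, encrypted: bool) -> Iterator[Tuple[str, str, bool]]:
    # Depth-first walk of the device tree, carrying down whether any ancestor
    # is a dm-crypt mapping. A filesystem is "encrypted" only if it is stacked
    # on top of such a mapping (directly, or via LVM/MD on top of it).
    for dev in devs:
        enc = encrypted or dev.get("type") == "crypt"
        for mp in _mountpoints(dev):
            yield dev["name"], mp, enc
        yield from _walk(dev.get("children", []), enc)


def unencrypted_mounts(lsblk_json: str) -> List[Tuple[str, str]]:
    """Return [(device, mountpoint)] for mounted filesystems with no dm-crypt
    ancestor, excluding the mountpoints listed in EXPECTED_PLAINTEXT."""
    tree = json.loads(lsblk_json)
    return [(name, mp)
            for name, mp, enc in _walk(tree["blockdevices"], False)
            if not enc and mp not in EXPECTED_PLAINTEXT]


def audit_live() -> List[Tuple[str, str]]:
    """Run the same check against the current machine (Linux, util-linux)."""
    out = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
                         check=True, capture_output=True, text=True).stdout
    return unencrypted_mounts(out)


if __name__ == "__main__":
    # Against the constructed sample this reports only /data on sda1.
    for name, mp in unencrypted_mounts(SAMPLE_LSBLK_JSON):
        print(f"UNENCRYPTED: {mp} on {name}")
```

Run across a fleet, anything this reports other than `/boot` and the EFI partition is personal data one stolen bag away from exposure. The check is Linux-specific; on Windows the same question is answered by `manage-bde -status`, which this script does not cover.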
OK, so was it Minister Horne’s fault? I mean, nobody told him, right?
Yes. It’s his fault. As you can imagine, one of the first defences any organization reaches for when in breach of privacy legislation is the argument that “it wasn’t me; my client/law firm/contractor/employees never told me.”
Of course, the OIPC has repeatedly rejected this argument and reminded organizations that they are responsible for the acts of their agents. In Investigation Report P2005-IR-005, the OIPC considered the argument by a company that it was not responsible for a privacy breach because it had hired a law firm to advise it on privacy law. The Privacy Commissioner pointed to section 5(2) of PIPA:
“For the purposes of this Act, where an organization engages the services of a person, whether as agent, by contract or otherwise, the organization is, with respect to those services, responsible for that person’s compliance with this Act.”
Accordingly, the Privacy Commissioner held that, although the organizations had demonstrated some diligence in hiring law firms, they did not escape responsibility for privacy breaches under PIPA. Similarly, custodians of health information under the HIA have a direct duty to protect such information under section 60 of the HIA, including protecting against any reasonable hazard or threat to the security of that information. Further, any disclosure by an affiliate of a custodian is considered to be a disclosure by the custodian (section 62(2) of the HIA). So the blame game certainly will not work for Minister Horne in the eyes of the Privacy Commissioner. The fact that Mr. Horne either failed to enact such a policy, or that his department felt comfortable hiding the breach from him (or perhaps thought it might insulate him from political blowback by keeping it from him), is not a defence, but rather an extreme example of incompetence and a failure to take responsibility at the very top of the organization. Doesn’t the buck stop with the Minister in such a circumstance?
And knowing that the buck stops with Minister Horne, why is he claiming outrage that the Privacy Commissioner did not inform him of a privacy breach within his own department, a department he failed to monitor or protect? Why blame the independent officer of the Legislature who, under the legislation your own government enacted, could not have reported this to you?
Well, as President Eisenhower once said: “The search for a scapegoat is the easiest of all hunting expeditions.”
Or perhaps more fitting is Craig Ferguson’s words of wisdom on the blame game: “When in doubt about who’s to blame. Blame the English.”
For the Alberta Conservative Government, the motto seems to be: “When in doubt about who’s to blame. Blame the hard working civil servants.”