Companies will live and die on data breach policies: experts

As criminals appear to be staying one step ahead of those in charge of securing personal data, the best marketing approach a brand could take these days is to promote how secure it keeps its customers’ data, according to a panel examining recent hack attacks.

In fact, Forrester Research shows that people choose to give their business to companies with “good data hygiene,” and evidence suggests consumers are seeking out companies that will protect their information, said David Goodis, director of legal services and general counsel at the Privacy Commissioner of Ontario’s office, speaking as part of a panel hosted last week by Dentons Canada LLP.

“One of [Forrester’s] surveys showed 62 per cent of respondents would not be likely to repeat a purchase with a company that had shared their personal information with a data broker,” Goodis said.

“Largely, this is about poor information management practices by organizations as opposed to poor management by individuals,” he added.

Goodis referenced recent high-profile cases such as Target Corp.’s holiday season breach of its network through a third-party contractor that resulted in a theft of 110 million credit/debit card records and 70 million records containing addresses and phone numbers.

Neiman Marcus also suffered a breach in late 2013 in which 1.1 billion customer payment cards may have been affected, and in late January the craft store chain Michaels Stores Inc. also suffered a hack attack involving “hundreds” of customer cards.

Experts predict it could cost Neiman Marcus, Target, and Michaels up to $550 million to replace stolen account numbers, not including any future penalties, credit monitoring expenses, lawsuits, and cyber security infrastructure upgrades.

Bell Canada was also hit recently, suffering a breach of more than 22,000 usernames and passwords. As well, five valid credit card numbers were posted to the Internet after a supplier was hacked. Goodis said Bell declined to answer questions about when it had become aware of the breach but the hacker group NullCrew, which took credit for the attack, tweeted Bell knew about the vulnerable part of its web site for at least two weeks prior to being breached.

Bell has contacted affected customers, disabled all passwords involved, informed credit card companies, and is working with law enforcement to investigate.

As a result of data breaches, consumer identity theft is on the rise, said Equifax Canada legal counsel and chief privacy officer John Russo, who advises companies to report to the privacy regulator as soon as they know a breach has occurred. Don’t wait for the press to call first, he remarked.

“At Equifax we have seen over the last three years more than 5,000 people fall victim to identity theft as a result of a breach,” said Russo. “Our call centre gets calls from two types of victims — data breach victims who are frustrated and scared looking for help, or the ones who are upset but the organization who suffered the breach was accountable, put an alert on their file or offered credit monitoring to protect them. If you’re an organization you want to be the latter who stepped up and apologized.”

In light of examples like Bell, Target, and others, Goodis said companies should be “stress testing” their data operations and turning their privacy and data policies into a marketing opportunity. Some, like Target, have offered credit monitoring to customers after their data breach.

Corey Fotheringham, a partner and national leader of cybercrime and e-discovery services with Deloitte Canada, said coming up with a communication plan when a data breach incident has occurred is critical.

“Word of a breach will spread like wildfire,” said Fotheringham. “Controlling communication is critical. More planning is required up front. You should also review what happened during that breach to come up with lessons learned.”

Goodis said the privacy commissioner considers factors such as how the organization responded and the results of the investigation.

Every organization should have a privacy breach protocol in place and appropriate staff should receive training and know what their responsibilities are in the event of a breach. Knowing how your data systems control information is crucial, especially if an outsourced service provider is involved.

“You can outsource your services but you cannot outsource your accountability; you always remain accountable as an organization when you outsource your data management,” noted Goodis.

Sometimes, depending on the province in which the breach occurs, a breach notification law will dictate the particular actions required, said Tim Banks, a partner with Dentons in Toronto.

“If we’re dealing with a consumer/individual in Alberta and a real risk of harm there is a breach reporting obligation to the Alberta Information Privacy Commissioner, who will then determine if individual breach notification is required,” said Banks.

There are also different approaches to health information across the country, with differing standards as to when you have to report a breach and to whom you have to disclose it when it occurs. Banks also noted that breaches in jurisdictions outside Canada may have extraterritorial implications. California, for example, has its own breach notification law.

While there is increasing pressure to have federal data breach notification laws, and previous attempts have gone nowhere, Goodis thinks there will be another attempt to bring in a national breach notification law under PIPEDA, after which provincial statutes might follow.

Tips before a breach occurs:

• Have a breach protocol plan in place;
• Decide in advance how to notify, whom to notify (the regulator and affected individuals), and when (as soon as possible);
• Ensure encryption is in place on laptops and other devices;
• Limit access to electronic records to a need-to-know basis and password protect them;
• Consult with the regulator when in doubt about systems and privacy policies;
• Are you keeping data too long? Transactions from 20 years ago? Regulators may ask why you kept it so long.

After a breach occurs:

• Containment: Identify the scope of the breach and take steps to contain it. Retrieve hard copies of personal information disclosed;
• Notification: Identify whose data was breached, contact them by telephone or in writing, apologize, and advise them of the steps taken to address the breach;
• Report: Notify staff such as the chief privacy officer and advise the appropriate regulatory body. What vulnerabilities were exploited?
• Investigate: Determine the cause and evaluate existing policies and procedures.