Here’s a deck from a Monday panel presentation that I participated in with some colleagues from the sector. It features a cyber incident scenario and some questions. See if you can answer them, and if you’d like to have a discussion, please comment or get in touch.
Good incident response involves nailing your timing – not going too fast or too slow.
On August 17th the Saskstchewan Information and Privacy Commissioner held that a health authority breached the Saskatchewan Health Information Privacy Act by failing to respond to an incident in a timely manner.
The Commissioner’s report does describe a dilatory response – with a discovery of “snooping” in mid October 2015, an investigation that led to a paid suspension at the end of January 2016, notification to the Commissioner at the end of February 2016, notification to the Commissioner towards the end of March that the breach was bigger than first reported and eventual notification to affected individuals in July 2016.
Think and don’t react, and you can even pause to momentarily to gain confidence in a next critical step, but always keep the ball moving.
Investigation Report 030-2016 (17 August 2016, Sask OIPC).
On June 8th, the Office of the Saskatchewan Information and Privacy Commissioner issued an investigation report in which it held that a regional health authority responded appropriately to a privacy breach. Most notably, the OIPC reinforced a recommendation about notification included in its 2015 publication, Privacy Breach Guidelines. The recommendation:
Unless there is a compelling reason not to, [health information] trustees should always notify affected individuals.
This is a novel and conservative variation on the normal harms-related principle that guides notification. It is simply a recommendation – and one directed only at public agencies and health information trustees in Saskatchewan. It is notable nonetheless, however, in that it reflects an arguably developing public sector norm. Right or wrong, there is a unique pressure on public sector institutions to notify that should always be considered as part of a public sector institution’s careful response to a data handling incident.
There has been some public discussion of the recent arbitration award by Arbitrator Knopf in which she awarded an employee $1,000 in damages for breach of privacy. The following is my view about what organizations should take from Ms. Knopf’s award.
The case is about one employer who shared a medical note with another employer. The other employer also employed the employee and wanted to confirm its understanding of her fitness for work and need for accommodation.
The note the employer disclosed stated, “pt is able to perform the duties of Dietary Aide at St. Pat’s home.” The disclosure was made by a contractor who managed the employee. He also told the other employer that the employee (a) was not currently being accommodated, (b) had no work-related restrictions and (c) was working her regularly scheduled shifts.
The employer admitted liability, and it appears that damages were awarded based only on the disclosure of the medical note. This is notable because it is debatable whether it was wrong for the employer disclose “a” and “c” as noted above. The information I’ve noted as “a” is not received from a health information custodian and therefore is not regulated by statute. The information I’ve noted as “c” is also note received from a health information custodian and is also arguably not personal information. I’m not suggesting the employer was clearly right in disclosing “a” and “c,” but it was also not clearly wrong.
The most important part of the award is the damages analysis, most notably Ms. Knopf’s comments the employer’s delayed apology and lack of corrective action. She said:
This Employer has apologized to the Grievor in the course of these proceedings and affirmed its desire to maintain and to continue a positive relationship with the Grievor. However, this apology was only offered once the Union refined and narrowed the claim for relief in the course of preparation for this hearing, even though the breach of the Confidentiality Policy was apparent from the outset. Therefore almost three (3) years had gone by. The evidence also disclosed that the Employer had not required its contractors to abide by this Policy and there is no evidence to suggest that it has done so to date. Employers often criticize grievors who do not offer timely apologies in situations of wrongdoing. Employers should be held to the same standard. The apology from the Employer is clearly meaningful and significant, but it did come very late and it lacks completion, given the apparently continuing failure to insist on compliance with its Confidentiality Policy by the contractors who serve the residents and interact with the members of this bargaining unit.
The most common and preferred strategy for responding to a loss of data is to conduct a good early assessment and “take lumps” – including by issuing an appropriate apology and committing to corrective action. This case supports the use of that strategy.
Having good investigative capacity is essential to good data breach response. More often than not, a post-incident investigation involves gathering evidence from witnesses. Digital forensics is also a common part of a breach investigation, but digital forensic evidence typically complements other testimonial and documentary evidence. For this reason I’m sharing a presentation I did with student conduct officers at Canadian colleges and universities last week, in which my aim was to prepare the audience to deal with a more challenging “credibility case.” It is relevant to human resources practitioners engaged in an investigative capacity post-incident and is relevant to lawyers and others who act as “breach coaches.”
Today I did short update-style presentation at a session jointly-sponsored by the Canadian Insurance Adjusters Association, the Canadian Defence Lawyers and the Canadian Insurance Claims Managers Association. It includes content on breach notification statutory changes and notable case law. Slides below.
Today, the Office of the Information and Privacy Commissioner for British Columbia held that the District of Saanich breached the British Columbia Freedom of Information and Protection of Privacy Act by installing endpoint monitoring software on employee workstations.
The District’s plan was not well conceived – apparently arising out of a plan to shore up IT security because the District’s new mayor was “experienced in the area of IT.”
The District installed a product called Spector 360 – a product billed as a “comprehensive user activity monitoring solution.” This is software that enables the collection of detailed data from “endpoints” on a network. It is not intrusion detection software or software that helps analyze events across a network (which the OPIC noted is in use at other British Columbia municipalities).
The District enabled the software on 13 workstations of “high profile users” to capture a full range of endpoint data, including screenshots captured at 30 second intervals and data about all keystrokes made. The purported purpose of this implementation was to support incident response, a purpose the OIPC suggested could only support an inadequate, reactive IT security strategy.
The OIPC held that the District collected personal information without the authorization it required under FIPPA and failed to notify employees as required by FIPPA. I’ll save on the details because the OIPC’s application of FIPPA is fairly routine. I will note that the OIPC’s position is balanced and seems to adequately respect institutions’ need to access system information for IT security purposes. It acknowledges, for example, that some limited data collection from endpoints is justifiable to support incident response. Not surprisingly, the OIPC does not endorse taking screen shots or collecting keystroke data.
On December 16th the Information and Privacy Commissioner/Ontario issued its 13th order under the Personal Health Information Protection Act. It contains very detailed prescriptions pertaining to the PHIPA data security standard in section 12. The standard is contextual – i.e., the standard of care is always based on all the “circumstances.” However, given Ontario hospitals face similar foreseeable risks, hospitals should pay very close heed to the prescriptions in HO-013.
I’ll spare you a description of the background and get to the point. Here is a bulleted summary of the data security prescriptions in HO-13. Rather than describe each in detail I will give you very short (synthesized) descriptions and page references.
- Ensure that patient information systems support audits and investigations of system misuse. Collect reliable data on all access, copying, disclosure, modification and disposal of patient records. Retain data for a reasonable period of time. Pages 23 to 29.
- Conduct periodic audits for patient information system misuse: “Audits are essential technical safeguards for electronic information systems.” Conduct random audits on all system activity. Run a special audit program for “high profile” patients. Pages 32 to 34.
- Ensure that patient information systems feature reasonable search controls. Search controls should limit the ability of agents to perform “open-ended” searches. Pages 29 to 32.
- Ensure that patient information systems feature a login notice that appears on its own screen and requires express acknowledgement. Page 22.
- Conduct regular and comprehensive privacy training pursuant to a privacy training program policy. Require pre-authorization training and annual re-training. Training materials should be detailed and contain certain information prescribed in HO-013. Pages 34 to 36.
- Communicate regularly about privacy compliance and compliance duties pursuant to a privacy awareness program policy. Page 36.
- Administer a “pledge of confidentiality” that contains certain information prescribed in HO-013. Require agents to sign pre-authorization and annually. Pages 37 and 38.
- Maintain and administer a privacy breach management policy that meets particular requirements specified in HO-013. Pages 40 and 41.
Most hospitals will already have data security programs that feature many of the elements in the list above. Regardless, there are detailed requirements in HO-013 (not included in the summary above) that invite hospitals to conduct a broad gap analysis. Some gaps are likely to be closed easily and others may require the investment of additional ongoing resources – e.g., gaps with respect to training and communication programming. The most problematic prescriptions in HO-013 are those related to the modification of patient information systems. The prescriptions regarding search controls, for example, seem problematic and may create system usability (search) problems. The responding hospital did raise concerns about usability that the IPC dismissed.
Here’s a one hour private presentation my partner Jeff Goodman and I gave to a group of risk management professionals yesterday. I’d be happy to come to your organization and conduct a similar presentation if you’re interested. Please get in touch.