Better breach response – how to be good when things go bad

Here’s a presentation my partner Ian Dick and I gave today to an audience of in-house counsel. It’s about the why’s and how’s of breach response planning. The wonderful Karen Gordon of Squeaky Wheel Communications also presented on communicating a data breach, and her slides are attached.

IPC tweaks data security guidance from HO-013

Yesterday the Information & Privacy Commissioner/Ontario issued a paper called “Detecting and Deterring Unauthorized Access to Personal Health Information.” The paper adjusts and augments the detailed guidance on hospital data security the IPC provided in December when it issued HO-013.

In issuing HO-013 the IPC articulated numerous requirements in near checklist form. The IPC adds new requirements in Detecting and Deterring. Hospitals that are currently using HO-013 to conduct a gap analysis should now refer to Detecting and Deterring.

One exception to the augmentation is the IPC’s handing of “search controls” – controls that rest on limiting the search functionality of patient record systems. The IPC has backed off noticeably from HO-013 in Detecting and Deterring, which states:

With respect to search controls, it is important to note that open-ended search functionality may facilitate unauthorized access to personal health information in electronic information systems. For example, in the privacy breach involving the use and disclosure of personal health information for the purpose of selling or marketing RESPs, agents of the hospital were able to obtain lists of women who had recently given birth by performing open-ended searches of a patient index. To prevent this, custodians should ensure that the amount of personal health information that is displayed as a result of a search query is limited, while still enabling agents to carry out their employment, contractual or other duties. Open-ended searches for individuals should be prohibited by the search functionality and search capabilities of electronic information systems containing personal health information. Ideally, electronic information systems should be configured to ensure that search criteria return only one record of personal health information. If that is not feasible, then electronic information systems should be configured so that no more than five records of personal health information are displayed as a result of a search query.

The withdrawal makes sense. Search controls can put patient safety at risk, yet even rigid search controls are a questionable deterrent to intentional unauthorized access. Are bad actors really more likely to engage in unauthorized access because information is easy to find?

Hospitals should beware of the distinction between prescriptions that are recommendatory and prescriptions the IPC has the power to enforce. This is most important in considering the heavily-augmented breach response section of Deterring and Detecting. The IPC, for example, returns to an accountability-related idea it has pressed since making order HO-010 in 2010 by suggesting that hospitals should provide affected individuals with the name of “the agent that caused the privacy breach” in a breach notification letter. The IPC has the power to enforce breach response requirements that are derived from section 12 of PHIPA. A number of the prescriptions it makes on breach response (not necessarily the one I have identified above) have a tenuous connection to section 12 and can reasonably be viewed as recommendatory.

HO, HO, HO-013 – Big order for Ontario hospitals lands just before the holidays

On December 16th the Information and Privacy Commissioner/Ontario issued its 13th order under the Personal Health Information Protection Act. It contains very detailed prescriptions pertaining to the PHIPA data security standard in section 12. The standard is contextual – i.e., the standard of care is always based on all the “circumstances.” However, given Ontario hospitals face similar foreseeable risks, hospitals should pay very close heed to the prescriptions in HO-013.

I’ll spare you a description of the background and get to the point. Here is a bulleted summary of the data security prescriptions in HO-13. Rather than describe each in detail I will give you very short (synthesized) descriptions and page references.

  1. Ensure that patient information systems support audits and investigations of system misuse. Collect reliable data on all access, copying, disclosure, modification and disposal of patient records. Retain data for a reasonable period of time. Pages 23 to 29.
  2. Conduct periodic audits for patient information system misuse: “Audits are essential technical safeguards for electronic information systems.” Conduct random audits on all system activity. Run a special audit program for “high profile” patients. Pages 32 to 34.
  3. Ensure that patient information systems feature reasonable search controls. Search controls should limit the ability of agents to perform “open-ended” searches. Pages 29 to 32.
  4. Ensure that patient information systems feature a login notice that appears on its own screen and requires express acknowledgement. Page 22.
  5. Conduct regular and comprehensive privacy training pursuant to a privacy training program policy. Require pre-authorization training and annual re-training. Training materials should be detailed and contain certain information prescribed in HO-013. Pages 34 to 36.
  6. Communicate regularly about privacy compliance and compliance duties pursuant to a privacy awareness program policy. Page 36.
  7. Administer a “pledge of confidentiality” that contains certain information prescribed in HO-013. Require agents to sign pre-authorization and annually. Pages 37 and 38.
  8. Maintain and administer a privacy breach management policy that meets particular requirements specified in HO-013. Pages 40 and 41.

Most hospitals will already have data security programs that feature many of the elements in the list above. Regardless, there are detailed requirements in HO-013 (not included in the summary above) that invite hospitals to conduct a broad gap analysis. Some gaps are likely to be closed easily and others may require the investment of additional ongoing resources – e.g., gaps with respect to training and communication programming. The most problematic prescriptions in HO-013 are those related to the modification of patient information systems. The prescriptions regarding search controls, for example, seem problematic and may create system usability (search) problems. The responding hospital did raise concerns about usability that the IPC dismissed.

Order HO-013 (IPC Ontario).

Workplace privacy panel at the #CIAJ “Privacy in the Age of Information” conference

I’m mid way through the Canadian Institute for the Administration of Justice “Privacy in the Age of Information” conference in St. John’s Newfoundland. It’s been a great conference so far, with quality presentations on tough administration of justice like issues like cyberbullying, the right to be forgotten and state surveillance.

My contribution was on the workplace privacy panel with Paul MacDonald of Cox & Palmer (as moderator), Emma Phillips of Sack Mitchell and Melanie Beuckert of the Court of Appeal of Manitoba. I started with a short “management perspectives” address and then Emma and I debated a variety issues, including computer access and monitoring, off-duty conduct and the exclusion of surveillance evidence at labour arbitration. Melanie played the “straight person” role wonderfully. It was fun, and I advanced my thinking about these issues significantly.

In preparation I worked up the speaking notes below, which capture some of the ideas I contributed to the discussion.

Scope of employer’s forensic examination criticized by PSLRB

There are a some notable points in a June 6th decision of the Public Service Labour Relations Board that upholds the discharge of a federal public servant for forwarding e-mails to his personal e-mail account.

The employer had discharged the employee for sending home restricted-access documents about internal job competitions, including documents related to a competition in which he had participated and documents containing the personal information of 108 other employees. The Board held that the grievor, who was an HR assistant, had engaged in a serious breach of trust and caused the employer embarrassment: “Progressive discipline does not apply to this case since very serious misconduct occurred.”

Although the Board dismissed the grievance with this strong and favorable employer endorsement, it did express a “concern” about the manner in which the employer conducted its forensic investigation into the grievor’s system usage. It said:

The grievor also raised concerns about the lack of concern that the employer showed for his privacy, specifically that it gave no specific instructions to Mr. Roussel about protecting the grievor’s privacy when Mr. Roussel conducted his investigation. I am also concerned about it. Furthermore, in the absence of such instructions, Mr. Roussel included in his report personal information about the grievor that had nothing to do with the purpose of the investigation, which was to inquire into the grievor conducting personal business using the employer’s network. I did not report on it since it was irrelevant to deciding the four grievances in front of me. However, this lack of respect for the grievor’s privacy does not reduce the seriousness of his misconduct. At this point, I can recommend only that in the future, the employer take employees’ privacy under consideration when conducting that type of investigation.

It’s not clear from the decision how exactly the employer erred given the Board’s limited description. In any event, employers should create and administer a protocol that governs non-routine access to system information and non-routine system monitoring – e.g., access for the purpose of conducting audits and investigations.

Gravelle v Deputy Head (Department of Justice), 2014 PSLRB 61 (CanLII).


Court orders safekeeping of medical records held by departed employee

On March 7th, the Ontario Superior Court of Justice issued an order to secure medical records held by a former employee of an addiction clinic.

The employee had copies of urinalysis reports stored on her personal e-mail account at the time of termination because she had used her personal e-mail account for work purposes. She allegedly used her continuing possession of the e-mails to extort the employer into offering reinstatement and later refused to return the e-mails, arguing they were evidence of the employer’s wrongdoing. (It is not clear from the decision what wrongdoing the employee alleges.)

The Court granted an ex parte order after applying the test for an Anton Piller. Notably, the order required the employee to turn control of her e-mail account to an independent supervising solicitor authorized to copy and retain the e-mails, delete the e-mails on the account and return control of the account to the employee. The Court authorized the employer to serve the order by e-mail.

Garber v Robinson, 2013 ONSC 1427 (CanLII).

The science of breach prevention and the art of breach response

Data loss prevention and response is a big topic now! The HRSDC lost hard drive is about a huge (but seemingly benign) incident that has attracted great attention. We also have the Obama administration’s attention to corporate network security – such attention given at a time in which sacrifices are being made to corporate network security based on trends such as BYOD.

Here is a practical guide that we’ve prepared to address the salient issues. We hope it’s useful to you.

OBA’s “Hot Issues” seminar and employee computer monitoring

I delivered a presentation at the OBA’s “Hot Issues in Privacy Law” seminar this morning called “Employee Computer Monitoring: Wither the most certain management right of all?” Here are the slides:

I prepared a paper for the presentation that I’m trying to re-purpose, and am going to hold off on publishing it for now. I hope I can make it available in one form or another soon. [Addendum: Here’s a copy of my speaking notes, which contain some of the key ideas.]

I enjoyed attending the entire session. The issues kept coming back to data security, which makes sense given the costs and risks of data breaches. Coincidentally, I had a call right after I returned to the office on a breach. For what it’s worth, I don’t find a discussion of costs and risks very helpful in guiding clients through the decision making exercise. Instead, I guide them to make decisions with a view to writing the story that they can cling to however all the external (and uncontrollable) factors play out. But even if I play my role to its best, it still can leave clients with some agonizing decisions. So if there’s one thing I can echo from today’s seminar, investing in prevention is a great idea. Data breaches suck!

You can read what are essentially a copy of my notes for the morning here. Remember to read from the bottom up.