Good quotes on the impossibility of “ensuring” security and achieving zero risk

I blogged about Arbitrator Sudykowski’s decision in Providence Health when it was released in 2011 for its ratio – employers are entitled to more than a bare medical certification when an employee is absent from work.

I had occasion to use the case in a matter I argued yesterday, and was pleasantly surprised to re-read what Arbitrator Surdykowski said about data security and the impossibility of “ensuring” data security. The union had made an argument for minimizing the collection of health information that rested on data security risk, to which Mr. Surkyowski replied:

I agree with the Union’s assertion that there is always a possibility that private and confidential medical information may be inadvertently released or used inappropriately.  Try as they might, it is impossible for anyone to absolutely guarantee information security.  All that anyone can do in that respect is the best they can.  There is nothing before me that suggests the extent to which the inadvertent (or intentional) release or misuse of confidential information occurs, either generally or at the workplaces operated by this Employer.  More specifically, there is no indication of how often it happens, if at all, or that best efforts are demonstrably “not good enough”.

In a perfect world, the security and proper use of confidential private medical (or other) information could and would be guaranteed.  But to be perfect the world would have to be populated by perfect human beings.

This is a nice quote to bring forward in this blog, of course, because it’s always a good to remind ourselves (and others) that the mere happening of a security incident doesn’t mean fault!

It’s a hard point to argue when hindsight bears heavily on a decision-maker, but is indisputable. I once defended on employer in a charge that followed a rather serious industrial accident in which an employee at truck dealership was run over by a tractor. The Court of Appeal held that the tractor wasn’t a “vehicle” for the purposes of the Occupational Health and Safety Act and entered an acquittal. In examining the context for this finding Justice Cronk made the same point as Arbitrator Surdykowski:

That said, consideration of the protective purposes of the legislative scheme is not the only consideration when attempting to ascertain the scope of s. 56 of the Regulation. The Act seeks to achieve “a reasonable level of protection” (emphasis added) for workers in the workplace. For obvious reasons, neither the Act nor the Regulation mandate or seek to achieve the impossible — entirely risk-free work environments.

Every security incident is an opportunity to tell a story about pre-incident due diligence that highlights this basic truth. (If your defence rests our horrendously vague privacy law you’re in trouble, I say.) It’s also reason to hold our tongues and not judge organizations who are victimized, at least before learning ALL the facts. Security incidents are complex. Data security is hard.

With CASL, a little due diligence goes a long way

Everyone’s talking about Porter Airlines’ recent agreement to pay a $150,000 penalty for various CASL violations. Porter is a sophisticated marketer yet slipped up, so other organizations are now wondering what whether they are similarly exposed. (Perhaps this was the CRTC’s enforcement aim.)

CASL is a regulatory instrument that includes a due diligence defence. In other words, organizations can violate the act without liability if they have taken all reasonable steps to avoid the violation.

Due diligence is about using good, systematic processes to avoid bad things. Here’s a simple process for due diligence that me and my colleagues have employed and continue to employ with our clients:

  • Define your operational units and prioritize them in accordance with risk
  • If you can’t do them all, select key units for review
  • Identify a key individual for each unit, someone with the best knowledge of messaging practices
  • Ask the key individual to complete (in writing) a list-centric survey – a survey that aims to gather some basic information about all formal and informal address lists (It’s easier to identify lists than activities.)
  • Review the survey response and applicable website or sites and follow-up in writing with questions that help close major gaps
  • Have a telephone call to confirm understanding and discuss potential compliance issues
  • Draft a compliance memo – a point-form document that identifies the steps taken in the compliance review, the activities of concern and the compliance advice
  • Conduct any follow-up information gathering in response to the memo
  • Send the memo the the key individual for feedback on completeness
  • Finalize the memo

This is a not a difficult or costly process for review and remediation, though you should also budget for (a) some project management costs for a multi-unit review and (b) some multi-unit training, which is normally an appropriate follow-up to the review and remediation process.

If the Porter agreement is causing you worries, following a process like this is well worth it.