Tag Archives: incident response

Late apology and lack of correction results in increased privacy damages award

14 Mar

There has been some public discussion of the recent arbitration award by Arbitrator Knopf in which she awarded an employee $1,000 in damages for breach of privacy. The following is my view about what organizations should take from Ms. Knopf’s award.

The case is about one employer who shared a medical note with another employer. The other employer also employed the employee and wanted to confirm its understanding of her fitness for work and need for accommodation.

The note the employer disclosed stated, “pt is able to perform the duties of Dietary Aide at St. Pat’s home.” The disclosure was made by a contractor who managed the employee. He also told the other employer that the employee (a) was not currently being accommodated, (b) had no work-related restrictions and (c) was working her regularly scheduled shifts.

The employer admitted liability, and it appears that damages were awarded based only on the disclosure of the medical note. This is notable because it is debatable whether it was wrong for the employer to disclose “a” and “c” as noted above. The information I’ve noted as “a” is not received from a health information custodian and therefore is not regulated by statute. The information I’ve noted as “c” is also not received from a health information custodian and is also arguably not personal information. I’m not suggesting the employer was clearly right in disclosing “a” and “c,” but it was also not clearly wrong.

The most important part of the award is the damages analysis, most notably Ms. Knopf’s comments on the employer’s delayed apology and lack of corrective action. She said:

This Employer has apologized to the Grievor in the course of these proceedings and affirmed its desire to maintain and to continue a positive relationship with the Grievor. However, this apology was only offered once the Union refined and narrowed the claim for relief in the course of preparation for this hearing, even though the breach of the Confidentiality Policy was apparent from the outset. Therefore almost three (3) years had gone by. The evidence also disclosed that the Employer had not required its contractors to abide by this Policy and there is no evidence to suggest that it has done so to date. Employers often criticize grievors who do not offer timely apologies in situations of wrongdoing. Employers should be held to the same standard. The apology from the Employer is clearly meaningful and significant, but it did come very late and it lacks completion, given the apparently continuing failure to insist on compliance with its Confidentiality Policy by the contractors who serve the residents and interact with the members of this bargaining unit.

The most common and preferred strategy for responding to a loss of data is to conduct a good early assessment and “take lumps” – including by issuing an appropriate apology and committing to corrective action. This case supports the use of that strategy.

St. Patrick’s Home of Ottawa Inc. v Canadian Union of Public Employees, Local 2437, 2016 CanLII 10432 (ON LA).


Data breach response – Examining evidence and determining credibility

14 Mar

Having good investigative capacity is essential to good data breach response. More often than not, a post-incident investigation involves gathering evidence from witnesses. Digital forensics is also a common part of a breach investigation, but digital forensic evidence typically complements other testimonial and documentary evidence. For this reason I’m sharing a presentation I did with student conduct officers at Canadian colleges and universities last week, in which my aim was to prepare the audience to deal with a more challenging “credibility case.” It is relevant to human resources practitioners engaged in an investigative capacity post-incident and is relevant to lawyers and others who act as “breach coaches.”

Privacy incidents, risks and liability – a legal update

7 Oct

Today I did a short update-style presentation at a session jointly sponsored by the Canadian Insurance Adjusters Association, the Canadian Defence Lawyers and the Canadian Insurance Claims Managers Association. It includes content on breach notification statutory changes and notable case law. Slides below.

How to manage a data security incident – Ten tips from a breach practitioner

25 Sep

Here’s a slide deck (including speaking notes) for a presentation I did today at LegalTech Toronto.

I aimed for something practical on the art of breach response by speaking to these ten tips:

  1. Initiate response ASAP
  2. Don’t rest on assumptions
  3. Keep the ball moving
  4. Don’t rush
  5. Obtain objective input
  6. Obtain technical input
  7. Take a broad view of notification
  8. Put yourself in their shoes
  9. Demonstrate commitment to doing better
  10. Apologize

Enjoy!

Better breach response – how to be good when things go bad

25 Mar

Here’s a presentation my partner Ian Dick and I gave today to an audience of in-house counsel. It’s about the why’s and how’s of breach response planning. The wonderful Karen Gordon of Squeaky Wheel Communications also presented on communicating a data breach, and her slides are attached.