Manitoba Ombudsman blesses response to e-mail incident

Manitoba Ombudsman Jill Perron has issued her report into Manitoba Families’ 2020 e-mail incident. The incident involved the inadvertent e-mailing of personal health information belonging to 8,900 children in receipt of disability services to approximately 100 external agencies and community advocates. It is such a common incident that it is worth outlining the Ombudsman’s incident response findings.

Manitoba Families meant to transfer the information to the Manitoba Advocate for Children and Youth to support a program review. It included information about services received. Some records included diagnoses.

Manitoba Families mistakenly blind copied the external agencies and advocates on an e-mail that included the information in an encrypted file and a follow-up e-mail that included the password to the file. It had made the same mistake about a week earlier. Several agencies alerted Manitoba Families to its error, and it began containment within a half hour.

The Ombudsman held that Manitoba Families’ containment effort was reasonable. She described it as follows.

Attempts at recalling the email began minutes later at 8:29 a.m. and continued at various intervals. Also, at 8:35 a.m., CDS sent an email to all unintended recipients noting in bold that they were incorrectly included on a confidential email from Children’s disAbility Services and requested immediate deletion of the email and any attachments. Follow up calls to the unintended recipients by CDS program staff began to occur that morning to request deletion of the emails and a list was created to track these calls and the outcomes. A communication outline was created for these calls which included a request to delete emails, a further request that emails be deleted from the deleted folder and that any emails that went to a junk email folder also be deleted…

In January 2021, we received additional written communication from the program stating that all agency service providers and advocates were contacted and verified deletion of the personal health information received in error. The log form created to track and monitor the name of the organization, the date and details of the contact was provided to our office.

The Ombudsman reached a similar finding regarding Manitoba Families’ notification effort, though she needed to recommend that Manitoba Families identify the agencies and advocates to affected individuals, which Manitoba Families agreed to do upon request.

What’s most significant – especially given class action proceedings have been commenced – is a point the Ombudsman made about evidence that Manitoba Families appears not to have gathered.

In addition to assuring families about the deletion of the email, additional information such as who viewed the email, if the attachment was opened and read, whether it was forwarded to anyone else or printed, whether it was stored in any other network drive or paper file or, conversely, that no records exist – can be helpful information to provide those affected by a privacy breach. It is best practice, therefore, to provide families with as much assurance as possible about the security of their child’s health information.

The question is, what is one to make of an arguable shortcoming in an incident response investigation? I say “arguable” because the probability of any of these actions occurring is very low in the unique circumstances of this incident, which involved trusted individuals receiving a password-protected and encrypted file. Manitoba Families ought to have collected this evidence because they called the e-mail recipients anyway, it is helpful and was probably available for collection. If it did not do so, however, I believe it is perfectly acceptable to for Manitoba Families to stand by the scope of a narrower investigation and and put the plaintiff to proof.

PHIA Case 2020-1304

Cyber insurance and incident response practice

Here’s a deck from a Monday panel presentation that I participated in with some colleagues from the sector. It features a cyber incident scenario and some questions. See if you can answer them, and if you’d like to have a discussion, please comment or get in touch.

How to manage a data security incident – Ten tips from a breach practitioner

Here’s a slide deck (including speaking notes) for a presentation I did today at LegalTech Toronto.

I aimed for something practical on the art of breach response by speaking to these ten tips:

Initiate response ASAP
Don’t rest on assumptions
Keep the ball moving
Don’t rush
Obtain objective input
Obtain technical input
Take a broad view of notification
Put yourself in their shoes
Demonstrate commitment to doing better
Apologize

Enjoy!

Ontario arbitration award addresses remedy for privacy violation

On February 24th the Grievance Settlement Board (Ontario) held that an employer should provide a grievor with three days’ paid vacation as a remedy for the consequences of an (admitted) security breach. The breach apparently allowed other employees to read incident reports involving the grievor, who alleged this caused him psychological distress. The GSB made its finding after conducting an informal med-arb process.

Ontario Public Service Employees Union (Grievor) v Ontario (Liquor Control Board of Ontario), 2015 CanLII 14198 (ON GSB).

Arbitrator dismisses privacy breach grievance based on actions of a snooping employee

On March 15th, the Grievance Settlement Board (Ontario) dismissed a grievance against the government for one employee’s intentional “snooping” into another employee’s employment insurance file.

Intentional unauthorized access to personal information by a trusted agent is a somewhat common scenario that has not yet been addressed by labour arbitrators. While arbitrators have taken jurisdiction over privacy grievances on a number of bases, privacy grievances have typically addressed intentional employer action – e.g. the administration of a drug test or the installation of a surveillance camera. This case raises an issue about an employer’s obligation to secure employee personal information and its liability for intentional access by another person. Can a reasonable safeguards duty arise inferentially out of the terms of a collective agreement? Is there some other source of jurisdiction for such claims? It is not clear.

The GSB ultimately finds jurisdiction in the Municipal Freedom of Information and Protection of Privacy Act, which it finds is an “employment-related statute” that can be the basis of arbitral jurisdiction. This is unfortunate because MFIPPA, in general, excludes employment-related records (and hence employees). There are now a handful of arbitral decisions that neglect to consider and apply the (very important) exclusion.

Having found jurisdiction rooted in MFIPPA, oddly, the GSB does not consider whether the government (or the Ministry’s head) failed to meet the MFIPPA “reasonable measures to prevent unauthorized access” security standard. Instead, it applied a vicarious liability analysis and dismissed the grievance. I’ll quote the GSB analysis in full:

41      Being guided by the principles set out in Re Bazley, I am of the view that the Employer is not vicariously liable for actions of Ms. X. Simply put, the “wrongful act” was not sufficiently related to conduct authorized by the Employer. Indeed, the accessing of the grievor’s EI file had nothing to do with the work assigned to employees. Employees were able to and indeed did access EI files but only in those instances where it was necessary to assist their clients.

42      The evidence established that the Employer had clear and sufficient policies regarding the protection of private information. Privacy matters were discussed with employees at the point that they were hired and although those policies could have and perhaps should have been formally reviewed more frequently by management, employees were reminded of their obligations frequently by way of a “pop up” upon entering their computers.

43      Further, Ms. Smith, a co-worker of the grievor, who testified for the Union was very forthright in her cross-examination that she knew that she was not to access the private information of anyone for her own interest. Moreover, this intrusion was the first time that she knew of anyone in the workplace doing such a thing. It might well be argued that this reinforces the view that the policy was known and followed in the workplace. Certainly there was no evidence of any other breach.

44      This intrusion was not an abuse of power. It was not an instance where someone with power over the grievor utilized their authority to carry out the wrong. It was a coworker — indeed I am of the view that it was the action of a rogue employee who, for her own purposes accessed the grievor’s EI file. It was not an action that could be seen to “further the Employer’s aims.” Indeed this activity was done without the sanction or knowledge of the Employer. I accept the Employer’s evidence that it knew nothing of the intrusion until being told by a coworker of the grievor and upon learning took immediate action to investigate and manage the issue and the Ms. X who received a significant suspension.

45      Finally, it must be recalled that this Board dismissed the grievor’s allegations that the Employer and her coworkers were bullying and harassing her in a separate decision. Accordingly it seems to me that it cannot be said that the intrusion into her EI records by Ms. X was “related to friction, confrontation or intimacy inherent in the employer’s enterprise.”

Whether an organization is vicariously liable for an employee’s intentional unauthorized access to personal information is a very significant legal issue. This analysis will receive significant attention.

Ontario and OPSEU, Re, 2015 CarswellOnt 3885.

Newfoundland privacy breach class action moves forward

On November 14th the Supreme Court of Newfoundland and Labrador Trial Division held that the pleadings in a privacy breach class action disclose a reasonable cause of action.

Even for an application of the Hunt v Carey standard, the Court did not probe at the pleadings with any significant force. It:

held that an alleged failure to establish safeguards was enough to found a “willful violation” claim;
held that a question about whether Newfoundland’s statutory privacy tort could operate together with the common law vicarious liability doctrine should be determined at trial;
held that the availability of the common law intrusion upon seclusion tort in Newfoundland should be determined at trial;
allowed a negligence claim for distress and humiliation to proceed even though no specific psychiatric illness or prolonged psychological injury was pleaded because “the threshold of compensable harm will depend on the evidence at trial”; and
held that the availability of contract claim for non-economic loss should be determined at trial.

The Court struck claims for breach of statute, breach of the Charter and breach of fiduciary duty. The Court remains seized of the certification application.

Hynes v Western Regional Integrated Health Authority, 2014 CanLII 67125 (NL SCTD).

Cyber liability issues – risks, prevention and response

Here’s a one hour private presentation my partner Jeff Goodman and I gave to a group of risk management professionals yesterday. I’d be happy to come to your organization and conduct a similar presentation if you’re interested. Please get in touch.

Non-party privacy tips the balance in favour of Anton Piller

On November 23rd of last year the Alberta Court of Queen’s Bench issued an Anton Piller order based significantly on a concern for the privacy interest of customers whose information the plaintiff alleged had been stolen.

The plaintiff is a BMW dealership that was confronted with a regrettable breach of its sales and customer relationship management system when it failed to remove system privileges from a terminated manager. It alleged the manager gained unauthorized access to the system and downloaded the names, e-mail addresses and “other personal details” of about 5000 customers.

I won’t detail the record, but the Court noted that it contained gaps. It seemed to be swayed by the customer privacy interest at stake and stated that a public interest supported making the order:

I am satisfied that even if Beck is innocent of some or all of the allegations being made against him on an ex parte basis, Bavaria has a public interest and duty under the appropriate Privacy Act legislation, to do everything it can to preserve the integrity of information that appears to have gone missing or unaccounted from almost 5,000 of its customers that it had care and custody of, and that this Order is also in the public interest.

This statement does not make clear why the Court felt the preservation of evidence afforded by an Anton Piller would be privacy-protective. In some circumstances retrieving evidence of misuse might help non-parties mitigate, but perhaps this is really about allowing a plaintiff (and custodian) some assurance that lost personal information has been brought under control (without copies being stashed away). For another case in which an employer attempted to use non-party privacy in enjoining competitive conduct by a departed employee see here.

Bavaria Autohaus (1997) Ltd. v Beck, 2011 ABQB 727 (CanLII).