I had the honour of presenting on cybersecurity oversight today at the Association of Workers’ Compensation Boards of Canada annual Governance Summit. The theme ended up being about leadership and empowerment. I’d like board members to believe that the information security knowledge they require to meet their duties is well within their grasp and to feel a little excited about the learning process. Slides below FYI.
I blogged about Arbitrator Sudykowski’s decision in Providence Health when it was released in 2011 for its ratio – employers are entitled to more than a bare medical certification when an employee is absent from work.
I had occasion to use the case in a matter I argued yesterday, and was pleasantly surprised to re-read what Arbitrator Surdykowski said about data security and the impossibility of “ensuring” data security. The union had made an argument for minimizing the collection of health information that rested on data security risk, to which Mr. Surkyowski replied:
I agree with the Union’s assertion that there is always a possibility that private and confidential medical information may be inadvertently released or used inappropriately. Try as they might, it is impossible for anyone to absolutely guarantee information security. All that anyone can do in that respect is the best they can. There is nothing before me that suggests the extent to which the inadvertent (or intentional) release or misuse of confidential information occurs, either generally or at the workplaces operated by this Employer. More specifically, there is no indication of how often it happens, if at all, or that best efforts are demonstrably “not good enough”.
In a perfect world, the security and proper use of confidential private medical (or other) information could and would be guaranteed. But to be perfect the world would have to be populated by perfect human beings.
This is a nice quote to bring forward in this blog, of course, because it’s always a good to remind ourselves (and others) that the mere happening of a security incident doesn’t mean fault!
It’s a hard point to argue when hindsight bears heavily on a decision-maker, but is indisputable. I once defended on employer in a charge that followed a rather serious industrial accident in which an employee at truck dealership was run over by a tractor. The Court of Appeal held that the tractor wasn’t a “vehicle” for the purposes of the Occupational Health and Safety Act and entered an acquittal. In examining the context for this finding Justice Cronk made the same point as Arbitrator Surdykowski:
That said, consideration of the protective purposes of the legislative scheme is not the only consideration when attempting to ascertain the scope of s. 56 of the Regulation. The Act seeks to achieve “a reasonable level of protection” (emphasis added) for workers in the workplace. For obvious reasons, neither the Act nor the Regulation mandate or seek to achieve the impossible — entirely risk-free work environments.
Every security incident is an opportunity to tell a story about pre-incident due diligence that highlights this basic truth. (If your defence rests our horrendously vague privacy law you’re in trouble, I say.) It’s also reason to hold our tongues and not judge organizations who are victimized, at least before learning ALL the facts. Security incidents are complex. Data security is hard.
Here’s a one hour private presentation my partner Jeff Goodman and I gave to a group of risk management professionals yesterday. I’d be happy to come to your organization and conduct a similar presentation if you’re interested. Please get in touch.