Slide 1

AccessPrivacy HB is a division of HB Global Advisors Corp., a Heenan Blaikie company.

Exploring the Meaning of “Real Risk of Significant Harm” - 2011 Report on the AccessPrivacy Breach Notification Workshops

Results of the AccessPrivacy CPO Forum Workshops held on September 27, 2011 and October 12, 2011, Exploring the Meaning of the “Real Risk of Significant Harm” breach notification threshold under the Personal Information Protection Act (Alberta)

Adam Kardash
Partner, Privacy and Information Management, Heenan Blaikie LLP, and Managing Director & Head, AccessPrivacy

Pamela Snively
Managing Director, AccessPrivacy

accessprivacy.com November 15, 2011

Slide 2

Report Contents

- About AccessPrivacy
- Overview of the Workshops
- Sample Workshop Hypothetical Scenario
- Workshop Results and Findings
- Appendix A – Raw Workshop Data: Aggregated Participant Responses to Hypothetical Scenarios

Slide 3

About AccessPrivacy

AccessPrivacy is an integrated information governance service, complementary to the Heenan Blaikie LLP national Privacy & Information Management and Access to Information Law practices.

We provide privacy and information management consulting and information services to organizations in the private and broader public sectors.

Our information management services also include our CPO Forum, a thought leadership program designed to maximize benchmarking and information sharing among Chief Privacy Officers, senior compliance professionals and in-house counsel.

Slide 4

Overview of The Workshops

Workshop Sponsors

Two Breach Notification Workshops were conducted by AccessPrivacy, and moderated by Adam Kardash and Pamela Snively. They were held on:

- September 27th, 2011, in Toronto; and
- October 12th, 2011, in Vancouver.

The workshops were co-sponsored by the Office of the Information and Privacy Commissioner of Alberta (OIPC Alberta).

Slide 5

Overview of The Workshops

Workshop Attendees

Attendees included:

- Representatives from the OIPC Alberta, the Office of the Privacy Commissioner of Canada, and the Office of the Information and Privacy Commissioner (BC)
- 60+ chief privacy officers, senior compliance professionals, senior in-house attorneys, and industry association representatives

Sector representatives included financial services (38%), service providers (18%), retail (7%), healthcare (10%), industry associations (4%), and telecommunications (2%).

Slide 6

Overview of The Workshops

Statutory Context

Organizations subject to PIPA (Alberta) are required to notify the OIPC Alberta when a privacy/security breach (“loss of or unauthorized access to or disclosure of the personal information”) results in a “real risk of significant harm”. (PIPA (Alberta), s.31.1)

Where there is a real risk of significant harm, the Commissioner may require organizations to notify affected individuals of the incident in a manner set out in the Regulations (PIPA (Alberta) Regulation, s.19.1).

Slide 7

Background

Workshop Objectives

The workshop objectives were to:

- Explore the precise meaning of PIPA Alberta’s privacy/security incident notification trigger;
- Discuss the practical impact of the reporting/notification requirement; and
- Offer participants the opportunity to provide meaningful feedback to privacy regulatory authorities.

Slide 8

Overview of The Workshops

Workshop Format

- 33 hypothetical security incidents were posed to participants
- The participants were provided with a brief description of the incident, a list of the personal information involved and the number of affected individuals
- Participants answered 2 questions in respect of each scenario via audience response technology, immediately registering their opinion in an anonymous fashion, and seeing instantaneous feedback
- The scenarios often built on one another, with small factual changes only, providing an opportunity to assess the significance of these changes and allowing for nuanced results

Slide 9

Overview of The Workshops

Workshop Scenarios

The hypothetical security incident scenarios were developed from several sources:

- Fact scenarios from selected security breach notification orders published by the OIPC Alberta
- Scenarios submitted in advance by workshop participants
- Heenan Blaikie/AccessPrivacy client experience

Slide 10

Overview of The Workshops

Workshop Questions

Participants were asked the following two questions in respect of each scenario:

1. Is there a “real risk of significant harm?”

2. Would your organization notify affected individuals regardless of privacy regulatory requirements?

Slide 11

Sample Hypothetical: Scenario A1

Description of incident:

John Smith brings his laptop to a computer repair store where it is accidentally switched with the laptop of John Wilson. Wilson returns Smith’s laptop within a few days and explains the error.

Personal information: According to Smith, it has “a great deal of personal information, including tax, business and personal accounting information.”

Number of affected individuals: 1

Slide 12

Scenario A1: Responses

Is there a real risk of significant harm?

Responses (chart values as extracted): 62%, 8%, 30%
Options: 1. Yes, 2. No, 3. Don’t know

Slide 13

Example: Variations on Scenario A1

The next 3 slides show responses to the following variations on the scenario posed in A1:

1. Same facts as A1, but this time Wilson gives a verbal assurance that no laptop data was copied, retained or distributed

2. Same facts as above but Wilson’s assurance is written

3. Same facts as A1, but this time Wilson takes one month to return the laptop

Slide 14

Scenario A3 Variation: Verbal assurance given

Is there a real risk of significant harm?

Responses (chart values as extracted): 52%, 4%, 44%
Options: 1. Yes, 2. No, 3. Don’t know

Slide 15

Scenario A2 Variation: Written assurance given

Is there a real risk of significant harm?

Responses (chart values as extracted): 29%, 9%, 62%
Options: 1. Yes, 2. No, 3. Don’t know

Slide 16

Scenario A5 Variation: With one month lag

Is there a real risk of significant harm?

Responses (chart values as extracted): 79%, 6%, 15%
Options: 1. Yes, 2. No, 3. Don’t know

Slide 17

Sample Hypothetical: Scenario D1

Description of incident: A men’s clothing retailer operates a customer loyalty program. It outsources email communications for the loyalty program to a service provider, who emails the members with offers and rewards on behalf of the organization. The service provider’s new update software accidentally sends out an email to the loyalty members without blind carbon copying the recipients. All recipients can view the email addresses of all other recipients. (Please note factual variation in Scenario D2 on slide 18.)

Personal information: Name and email address

Number of affected individuals: Approx. 10,000

Slide 18

Scenario D1

Is there a real risk of significant harm?

Responses (chart values as extracted): 43%, 5%, 52%
Options: 1. Yes, 2. No, 3. Don’t know

Slide 19

Scenario D2 Variation: same as D1 but a soft-porn magazine, not a men’s clothing retailer

Is there a real risk of significant harm?

Responses (chart values as extracted): 97%, 0%, 3%
Options: 1. Yes, 2. No, 3. Don’t know

Slide 20

Workshop Results and Findings

Slide 21

Workshop Findings

Results and Findings

Workshop results and findings are set out in the following two parts of this report:

1. Overview of Workshop Results and Discussion (slides 4 to 34)

- Summary of certain workshop responses
- Observations about results
- Highlights of workshop discussion
- Participant feedback about workshop

2. Raw Workshop Data - Appendix A (slides 35 to 141)

- Participant demographics
- Responses to preliminary questions about organizational culture, incident response plans, and incident tracking
- Responses to 33 hypothetical incident scenarios

Slide 22

Workshop Findings

Readiness

State of the industry:

78% of participants described their organization as having an open and honest culture of reporting privacy breaches

80% of participants indicated that their organization had a data breach response plan, yet only 51% were confident that their organization's privacy breach response plan would be sufficient to respond to a public, large scale security incident

57% of participants indicated that their organization had an incident tracking program in place that facilitates tracking and reporting of privacy breaches

Slide 23

Workshop Findings

General Observations

Attendees collectively had a very high level of experience in dealing with security incidents, yet the discussion during the workshops reflected a high level of variability in understanding and/or application of the key elements of the "real risk of significant harm" trigger.

There were differences particularly with respect to the understanding and application of the concepts of "harm" and "risk".

Scenarios highlighted the highly fact-specific nature of the notification trigger analysis. In many instances, the change of a single fact altered the determination of whether there was a "real risk of significant harm" in the circumstances.

Slide 24

Workshop Findings

Notification to Affected Individuals

Notification Practices:

- Respondents who felt a scenario presented a “real risk of significant harm” consistently indicated that they would notify affected individuals in such circumstances, even if not required to do so by a regulator
- In many cases, up to 30% of organizations that did not perceive a “real risk of significant harm” in a given incident still indicated that they would notify affected individuals for other business reasons

Slide 25

Workshop Findings

Summary of factors that impact determinations of a “real risk of significant harm”

Participant responses and discussions consistently reflected that the following factors influence determinations of whether there is a real risk of significant harm:

- Number of affected individuals: the greater the number of affected individuals, the greater the likelihood of a “real risk of significant harm” determination
- Time lag from incident to discovery or from loss of data to recovery: the longer the time lag, the greater the likelihood of a “real risk of significant harm” determination

Slide 26

Workshop Findings

Summary of factors that impact determinations of a “real risk of significant harm” (cont’d)

- Whether the organization received confirmation that no disclosure, misuse or duplication of the data occurred: written confirmation decreased the likelihood of a real risk of significant harm determination
- Personal circumstances of affected individuals may be relevant, and a case-by-case analysis is required (examples: harm experienced by an affected individual related to an accidental disclosure to a spouse in the middle of a divorce, or an affected individual who has suffered identity theft in the past)
- Potential “street value” of the data: the more likely the data in question could be used to commit identity theft (and sold for such purposes), the more likely a “real risk of significant harm” determination

Slide 27

Workshop Findings

Respondents’ Agreement with OIPC Alberta Findings

11 hypothetical scenarios used facts from actual OIPC Alberta published findings

Participants often agreed with the OIPC’s determination of whether there was a real risk of significant harm

However, there were three areas of marked disagreement

Slide 28

Workshop Findings

Areas of Disagreement in the Determination of the Real Risk of Significant Harm

Disagreement between company representatives and OIPC Alberta with respect to:

1. Whether accidental disclosures to a limited number of individuals constituted a “real risk of significant harm” (e.g., misdirected fax, co-mingled statement, wrong address)

2. “Street value” of certain data elements (i.e., can such data really be used to commit identity theft?)

3. Relevance of post-breach mitigation steps in “real risk of significant harm” determination

Slide 29

Workshop Findings

1. Accidental Disclosures to a Limited Number of Recipients

Contrary to the OIPC Alberta, at least 50% of respondents found no real risk of significant harm where there was an accidental disclosure of personal information to a limited number of individuals, and in particular where the recipients were identified or known to the organization (e.g., the recipient of accidental / misdirected data is another customer, an employee or a co-worker)

See, for example, Scenario K, slides 110-112 in Appendix A

Slide 30

Workshop Findings

2. Street Value of the Data

Participants often disagreed about whether certain data elements had “street value” or could be used to commit identity theft

Examples – Certain participants indicated that there was limited or no “street value” to (i) a list of bank account numbers with no other data; (ii) an endorsed or unendorsed personal cheque (with no other data); and (iii) a list of signatures (with no other data)

Discussion on this point focused on participants’ uncertainty about the current technical abilities of hackers/organized crime

Slide 31

Workshop Findings

3. Post-Breach Mitigation Steps

Participants disagreed with the OIPC Alberta about the relevance of post-breach mitigation steps in the “real risk of significant harm” determination:

- The OIPC Alberta has consistently indicated in its orders that an organization’s post-breach mitigation steps are not relevant to its findings of whether there is a real risk of significant harm
- The majority of participants consistently indicated that an organization’s post-breach mitigation steps factor into their consideration when assessing whether there is a real risk of significant harm

(i.e., in certain instances, the prompt implementation of post-breach mitigation steps would practically result in there being no real risk of significant harm to affected individuals)

Slide 32

Workshop Findings

Publication of Decisions / Naming

The OIPC Alberta practice of naming organizations in the publication of real risk of significant harm findings generated substantial discussion among participants

Background

The Commissioner has statutory discretion to “publish any finding or decision in a complete or an abridged form” (PIPA AB, s.38(6)). In practice, where the Commissioner requires that an organization notify individuals to whom there is a real risk of significant harm, the Commissioner’s decision will be published on the OIPC’s website and the organization named: http://www.oipc.ab.ca/pages/OIP/BreachNotificationDecisions.aspx

In the event the Commissioner decides that notification of individuals is not required, an anonymized, abridged version of the decision may be published.

Slide 33

Workshop Findings

Publication of Decisions / Naming

Issues raised by participants about the OIPC Alberta’s naming practice include:

- The practice of naming the organization is perceived as unnecessarily punitive, as organizations that are complying with statutory obligations typically have already notified affected individuals and often have implemented post-breach mitigation steps to contain the incident and prevent harm
- In the vast majority of incidents, it is unclear what additional public policy purpose is achieved by naming the organization
- It may create a disincentive to report, particularly in cases where it is reasonably unclear whether there is a real risk of significant harm

Slide 34

Workshop Findings

Feedback

There was consensus among participants that the discussion forum, and in particular the involvement of privacy regulatory authorities, greatly enhanced the value of the exercise

Post-session feedback reflected strong support for further sessions, with a continued focus on (i) clarifying legal and practical meaning of notification triggers and (ii) using generic forms of actual security incidents. This is particularly the case given the pending amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) that include a security breach notification requirement that is not identical to the notification trigger under PIPA (Alberta).

Slide 35

Appendix A
Raw Workshop Data

Consolidated Results of AccessPrivacy’s CPO Forum Workshops held in conjunction with the Alberta Office of the Information and Privacy Commissioner

September 27, 2011 – Toronto
October 12, 2011 – Vancouver

Slide 36

Appendix A – Table of Contents

About the Data – Slide 38
Demographics – Slide 39
Preliminary Questions – Slides 40-43

Scenarios
A series – Laptop incidents – Slides 44-58
B series – Payroll System Access – Slides 59-64
C series – Marketing email to customer list – Slides 65-70
D series – Customer Loyalty Program Email – Slides 71-82
E series – Lost audiometric tests – Slides 83-88
F series – Therapist’s stolen laptop – Slides 89-94
G – Sensitive email chain mistakenly forwarded – Slides 95-97
H – Husband given wife’s banking information – Slides 98-99
I series – Hotel discloses stay to spouse – Slides 100-104

Slide 37

Table of Contents (cont’d)

Scenarios (cont’d)
J – Bank robbery – Slides 105-109
K – Misdirected mail – Slides 110-112
L – Misdirected fax – Slides 113-115
M – Credit card numbers stolen from retailer – Slides 116-118
N – Comingled statement – Slides 119-121
O – Stolen laptop – Slides 122-124
P series – Bank bag stolen from courier – Slides 125-130
Q – Collections disclosure to father – Slides 131-133
R – Stolen customer list/solicitation – Slides 134-136
T – Forgotten credit reports – Slides 138-140

Slide 38

About the Data

- There were 68 voting participants in total between the two workshops
- Participants who attended both workshops did not vote a second time at the second workshop
- Participants were given 10 seconds to respond, and the voting closed regardless of whether every participant had voted in respect of that particular scenario

Slide 39

Demographics Appendix A - Raw Workshop Data

1. Identify your sector

Responses (chart values as extracted): 10%, 10%, 2%, 7%, 11%, 4%, 38%, 18%
Options: 1. Financial Services, 2. Industry Association, 3. Regulator, 4. Retail, 5. Service Provider, 6. Telecommunications, 7. Healthcare, 8. Other

Slide 40

Preliminary Questions Appendix A - Raw Workshop Data

2. Would you describe your organization as having an open and honest culture of reporting incidents of data loss?

Responses (chart values as extracted): 78%, 12%, 10%
Options: 1. Yes, 2. No, 3. Don’t know

Slide 41

Preliminary Questions Appendix A - Raw Workshop Data

3. Does your organization have a data breach response plan?

Responses (chart values as extracted): 80%, 8%, 12%
Options: 1. Yes, 2. No, 3. Don’t know

Slide 42

Preliminary Questions Appendix A - Raw Workshop Data

4. Are you confident that your organization’s data breach response plan is sufficient to respond to a public, large scale security incident?

Responses (chart values as extracted): 51%, 25%, 24%
Options: 1. Yes, 2. No, 3. Don’t know

Slide 43

Preliminary Questions Appendix A - Raw Workshop Data

5. Does your organization have an incident tracking program in place that facilitates tracking and reporting of data breaches?

Responses (chart values as extracted): 57%, 9%, 34%
Options: 1. Yes, 2. No, 3. Don’t know

Slide 44

Scenario A1 Appendix A - Raw Workshop Data

Description of incident:

John Smith brings his laptop to a computer repair store where it is accidentally switched with the laptop of John Wilson. Wilson returns Smith’s laptop within a few days and explains the error.

Personal information: According to Smith, it has “a great deal of PI, including tax, business and personal accounting information.”

Number of affected individuals: 1

Slide 45

Scenario A1 Appendix A - Raw Workshop Data

Is there a real risk of significant harm?

Responses (chart values as extracted): 62%, 8%, 30%
Options: 1. Yes, 2. No, 3. Don’t know

Slide 46

Scenario A1 Appendix A - Raw Workshop Data

Would your organization notify affected individuals regardless of privacy regulatory requirements?

Responses (chart values as extracted): 84%, 16%
Options: 1. No, 2. Yes

Slide 47

Scenario A2 Appendix A - Raw Workshop Data

Description of incident:

John Smith brings his laptop to a computer repair store where it is accidentally switched with the laptop of John Wilson. Wilson returns Smith’s laptop within a few days and explains the error. Wilson confirms in writing that he did not copy, retain or distribute any information from Smith’s laptop.

Personal information:

According to Smith, it has “a great deal of PI, including tax, business and personal accounting information.”

Number of affected individuals: 1

Slide 48

Scenario A2 Appendix A - Raw Workshop Data

Is there a real risk of significant harm?

Responses (chart values as extracted): 29%, 9%, 62%
Options: 1. Yes, 2. No, 3. Don’t know

Slide 49

Scenario A2 Appendix A - Raw Workshop Data

Would your organization notify affected individuals regardless of privacy regulatory requirements?

Responses (chart values as extracted): 81%, 19%
Options: 1. No, 2. Yes

Slide 50

Scenario A3 Appendix A - Raw Workshop Data

Description of incident: John Smith brings his laptop to a computer repair store where it is accidentally switched with the laptop of John Wilson. Wilson returns Smith’s laptop within a few days and explains the error. Wilson confirms verbally that he did not copy, retain or distribute any information from Smith’s laptop.

Personal information: According to Smith, it has “a great deal of PI, including tax, business and personal accounting information.”

Number of affected individuals: 1

Slide 51

Scenario A3 Appendix A - Raw Workshop Data

Is there a real risk of significant harm?

Responses (chart values as extracted): 52%, 4%, 44%
Options: 1. Yes, 2. No, 3. Don’t know

Slide 52

Scenario A3 Appendix A - Raw Workshop Data

Would your organization notify affected individuals regardless of privacy regulatory requirements?

Responses (chart values as extracted): 85%, 15%
Options: 1. No, 2. Yes

Slide 53

Scenario A4 Appendix A - Raw Workshop Data

Description of incident:

John Smith brings his laptop to a computer repair store where it is accidentally switched with the laptop of John Wilson. Wilson returns Smith’s laptop within a few days and explains the error. Wilson confirms in writing that he did not copy, retain or distribute any information from Smith’s laptop. Wilson is well known to the organization and trusted.

Personal information:

According to Smith, it has “a great deal of PI, including tax, business and personal accounting information.”

Number of affected individuals: 1

54

Scenario A4 Appendix A - Raw Workshop Data

Is there a real risk of significant harm?

Chart values in extraction order (not necessarily legend order): 27%, 3%, 70%. Legend: 1. Yes, 2. No, 3. Don’t know.

55

Scenario A4 Appendix A - Raw Workshop Data

Would your organization notify affected individuals regardless of privacy regulatory requirements?

Chart values in extraction order (not necessarily legend order): 77%, 23%. Legend: 1. No, 2. Yes.

56

Scenario A5 Appendix A - Raw Workshop Data

Description of incident:

John Smith brings his laptop to a computer repair store where it is accidentally switched with the laptop of John Wilson. Wilson returns Smith’s laptop one month later, before Smith has returned for his laptop, and explains the error. Wilson confirms in writing that he did not copy, retain or distribute any information from Smith’s laptop.

Personal information:

According to Smith, it has “a great deal of PI, including tax, business and personal accounting information.”

Number of affected individuals: 1

57

Scenario A5 Appendix A - Raw Workshop Data

Is there a real risk of significant harm?

Chart values in extraction order (not necessarily legend order): 79%, 6%, 15%. Legend: 1. Yes, 2. No, 3. Don’t know.

58

Scenario A5 Appendix A - Raw Workshop Data

Would your organization notify affected individuals regardless of privacy regulatory requirements?

Chart values in extraction order (not necessarily legend order): 92%, 8%. Legend: 1. No, 2. Yes.

59

Scenario B1 Appendix A - Raw Workshop Data

Description of incident:

An employer is informed by an employee that payroll information of former and current employees is accessible to all current employees on the company’s computer system. The electronic folder had an employee name and was buried in a set of subfolders, accessible for a period of 15 months. There is no evidence of misuse of the data, but the computer system has no audit capability with respect to access.

Personal information: Name, SIN, bimonthly salary

Number of affected individuals: 250

60

Scenario B1 Appendix A - Raw Workshop Data

Is there a real risk of significant harm?

Chart values in extraction order (not necessarily legend order): 82%, 3%, 15%. Legend: 1. Yes, 2. No, 3. Don’t know.

61

Scenario B1 Appendix A - Raw Workshop Data

Would your organization notify affected individuals regardless of privacy regulatory requirements?

Chart values in extraction order (not necessarily legend order): 78%, 22%. Legend: 1. No, 2. Yes.

62

Scenario B2 Appendix A - Raw Workshop Data

Description of incident: An employer is informed by an employee that payroll information of former and current employees is accessible to all current employees. The folder had an employee name and was buried in a set of subfolders, accessible for a period of 15 months. There is no evidence of misuse, but the computer system has no audit capability with respect to access. This is the second time this employer has reported a breach involving sensitive employee PI being accessible on the company system.

Personal information: Name, SIN, bimonthly salary

Number of affected individuals: 250

63

Scenario B2 Appendix A - Raw Workshop Data

Is there a real risk of significant harm?

Chart values in extraction order (not necessarily legend order): 95%, 0%, 5%. Legend: 1. Yes, 2. No, 3. Don’t know.

64

Scenario B2 Appendix A - Raw Workshop Data

Would your organization notify affected individuals regardless of privacy regulatory requirements?

Chart values in extraction order (not necessarily legend order): 92%, 8%. Legend: 1. No, 2. Yes.

65

Scenario C1 Appendix A - Raw Workshop Data

Description of incident: A retail organization sends an email to its customer contact list, including those who were on the “do not contact” list. The organization forgets to blind carbon copy the recipients, therefore all recipients are able to view the email addresses of all other recipients.

Personal information: Name, personal and business email addresses

Number of affected individuals: 300

66

Scenario C1 Appendix A - Raw Workshop Data

Is there a real risk of significant harm?

Chart values in extraction order (not necessarily legend order): 28%, 3%, 69%. Legend: 1. Yes, 2. No, 3. Don’t know.

67

Scenario C1 Appendix A - Raw Workshop Data

Would your organization notify affected individuals regardless of privacy regulatory requirements?

Chart values in extraction order (not necessarily legend order): 55%, 45%. Legend: 1. No, 2. Yes.

68

Scenario C2 Appendix A - Raw Workshop Data

Description of incident: A retail organization sends an email to its customer contact list, including those who were on the “do not contact” list. The organization forgets to blind carbon copy the recipients, therefore all recipients are able to view the email addresses of all other recipients.

Personal information: Name, personal and business email addresses

Number of affected individuals: 2 million

69

Scenario C2 Appendix A - Raw Workshop Data

Is there a real risk of significant harm?

Chart values in extraction order (not necessarily legend order): 45%, 1%, 54%. Legend: 1. Yes, 2. No, 3. Don’t know.

70

Scenario C2 Appendix A - Raw Workshop Data

Would your organization notify affected individuals regardless of privacy regulatory requirements?

Chart values in extraction order (not necessarily legend order): 76%, 24%. Legend: 1. No, 2. Yes.

71

Scenario D1 Appendix A - Raw Workshop Data

Description of incident: A men’s clothing retailer operates a customer loyalty program. It outsources email communications for the loyalty program to a service provider, who emails the members with offers and rewards on behalf of the organization. The service provider’s new update software accidentally sends out an email to the loyalty members without blind carbon copying the recipients. All recipients can view the email addresses of all other recipients.

Personal information: Name and email address

Number of affected individuals: Approx. 10,000

72

Scenario D1 Appendix A - Raw Workshop Data

Is there a real risk of significant harm?

Chart values in extraction order (not necessarily legend order): 43%, 5%, 52%. Legend: 1. Yes, 2. No, 3. Don’t know.

73

Scenario D1 Appendix A - Raw Workshop Data

Would your organization notify affected individuals regardless of privacy regulatory requirements?

Chart values in extraction order (not necessarily legend order): 66.5%, 33.5%. Legend: 1. No, 2. Yes.

74

Scenario D2 Appendix A - Raw Workshop Data

Description of incident:

A soft-porn magazine operates a customer loyalty program. It outsources email communications for the loyalty program to a service provider, who emails the members with offers and rewards on behalf of the organization. The service provider’s new update software accidentally sends out an email to the loyalty members without blind carbon copying the recipients. All recipients can view the email addresses of all other recipients.

Personal information: Name and email address, and reward club name

Number of affected individuals: Approx. 10,000

75

Scenario D2 Appendix A - Raw Workshop Data

Is there a real risk of significant harm?

Chart values in extraction order (not necessarily legend order): 97%, 0%, 3%. Legend: 1. Yes, 2. No, 3. Don’t know.

76

Scenario D2 Appendix A - Raw Workshop Data

Would your organization notify affected individuals regardless of privacy regulatory requirements?

Chart values in extraction order (not necessarily legend order): 90%, 10%. Legend: 1. No, 2. Yes.

77

Scenario D3 Appendix A - Raw Workshop Data

Description of incident: A men’s clothing retailer operates a customer loyalty program. It outsources email communications for the loyalty program to a service provider, who emails its members with offers and rewards on behalf of the organization. The service provider discovers its system has been hacked and PI of account holders has been downloaded to a TFP site in a well-known black market/identity theft economy.

Personal information: Name and email address, and reward club name

Number of affected individuals: 45

78

Scenario D3 Appendix A - Raw Workshop Data

Is there a real risk of significant harm?

Chart values in extraction order (not necessarily legend order): 88.5%, 5.0%, 6.5%. Legend: 1. Yes, 2. No, 3. Don’t know.

79

Scenario D3 Appendix A - Raw Workshop Data

Would your organization notify affected individuals regardless of privacy regulatory requirements?

Chart values in extraction order (not necessarily legend order): 96%, 4%. Legend: 1. No, 2. Yes.

80

Scenario D4 Appendix A - Raw Workshop Data

Description of incident: A men’s clothing retailer operates a customer loyalty program. It outsources email communications for the loyalty program to a service provider, who emails its members with offers and rewards on behalf of the organization. The service provider discovers its system has been hacked and PI of account holders has been downloaded to a TFP site in a well-known black market/identity theft economy.

Personal information: Name and email address, and reward club name

Number of affected individuals: Approx. 2 million

81

Scenario D4 Appendix A - Raw Workshop Data

Is there a real risk of significant harm?

Chart values in extraction order (not necessarily legend order): 98.5%, 0%, 1.5%. Legend: 1. Yes, 2. No, 3. Don’t know.

82

Scenario D4 Appendix A - Raw Workshop Data

Would your organization notify affected individuals regardless of privacy regulatory requirements?

Chart values in extraction order (not necessarily legend order): 93.5%, 6.5%. Legend: 1. No, 2. Yes.

83

Scenario E1 Appendix A - Raw Workshop Data

Description of incident: A construction company retains a third party service provider to conduct audiometric tests on employees. The service provider misplaces the envelope containing the test forms on a public transportation vehicle. Despite attempts to retrieve the envelope, the test results are not recovered.

Personal information: Company name, employee occupation, work location and unique employee number (but no name), date employed, home address, age, telephone number, medical history (as it relates to audiometric testing – e.g., whether employee has cold/flu, head injury, hearing problems, past exposure to environmental noise, etc.), and the test results

Number of affected individuals: 180

84

Scenario E1 Appendix A - Raw Workshop Data

Is there a real risk of significant harm?

Chart values in extraction order (not necessarily legend order): 75%, 7%, 18%. Legend: 1. Yes, 2. No, 3. Don’t know.

85

Scenario E1 Appendix A - Raw Workshop Data

Would your organization notify affected individuals regardless of privacy regulatory requirements?

Chart values in extraction order (not necessarily legend order): 93%, 7%. Legend: 1. No, 2. Yes.

86

Scenario E2 Appendix A - Raw Workshop Data

Description of incident: A construction company retains a third party service provider to conduct audiometric tests on employees. The service provider misplaces the envelope containing the test forms on a public transportation vehicle. Despite attempts to retrieve the envelope, the test results are not recovered.

Personal information: Company name, employee occupation, work location and unique employee number (but no name), date employed, home address, age, telephone number, medical history (as it relates to audiometric testing – e.g., whether employee has cold/flu, head injury, hearing problems, past exposure to environmental noise, etc.), the test results, and date of birth.

Number of affected individuals: 180

87

Scenario E2 Appendix A - Raw Workshop Data

Is there a real risk of significant harm?

Chart values in extraction order (not necessarily legend order): 96%, 0%, 4%. Legend: 1. Yes, 2. No, 3. Don’t know.

88

Scenario E2 Appendix A - Raw Workshop Data

Would your organization notify affected individuals regardless of privacy regulatory requirements?

Chart values in extraction order (not necessarily legend order): 96%, 4%. Legend: 1. No, 2. Yes.

89

Scenario F1 Appendix A - Raw Workshop Data

Description of incident: A therapist working with young special needs children has her home broken into and her laptop is stolen. The laptop, containing PI of patients and their parents, was not password protected and not encrypted.

Personal information: Names of children and parents, child’s date of birth, home address, contact numbers, school name and therapy session notes.

Number of affected individuals: 50

90

Scenario F1 Appendix A - Raw Workshop Data

Is there a real risk of significant harm?

Chart values in extraction order (not necessarily legend order): 98%, 0%, 2%. Legend: 1. Yes, 2. No, 3. Don’t know.

91

Scenario F1 Appendix A - Raw Workshop Data

Would your organization notify affected individuals regardless of privacy regulatory requirements?

Chart values in extraction order (not necessarily legend order): 98%, 2%. Legend: 1. No, 2. Yes.

92

Scenario F2 Appendix A - Raw Workshop Data

Description of incident: A speech therapist working with adults has her home broken into and her laptop is stolen. The laptop, containing PI of patients, was not password protected and not encrypted.

Personal information:

Name of patients, date of birth, home address, contact numbers, and therapy session notes

Number of affected individuals: 50

93

Scenario F2 Appendix A - Raw Workshop Data

Is there a real risk of significant harm?

Chart values in extraction order (not necessarily legend order): 94%, 1.5%, 4.5%. Legend: 1. Yes, 2. No, 3. Don’t know.

94

Scenario F2 Appendix A - Raw Workshop Data

Would your organization notify affected individuals regardless of privacy regulatory requirements?

Chart values in extraction order (not necessarily legend order): 94.5%, 5.5%. Legend: 1. No, 2. Yes.

95

Scenario G Appendix A - Raw Workshop Data

Description of incident: A manager emailed a work schedule, copying six employees. The manager did not realize the email contained an email string discussing the possible termination of one of the six employees. One of the employees notified the manager of the error the next day. The employees were instructed via email to delete the email if they had not read it yet or, if they had already read it, to disregard its contents.

Personal information: Name, termination details of one individual

Number of affected individuals: 1

96

Scenario G Appendix A - Raw Workshop Data

Is there a real risk of significant harm?

Chart values in extraction order (not necessarily legend order): 82.5%, 3.5%, 14%. Legend: 1. Yes, 2. No, 3. Don’t know.

97

Scenario G Appendix A - Raw Workshop Data

Would your organization notify affected individuals regardless of privacy regulatory requirements?

Chart values in extraction order (not necessarily legend order): 83%, 17%. Legend: 1. No, 2. Yes.

98

Scenario H Appendix A - Raw Workshop Data

Description of incident: A customer’s husband opened her T5 at her home and then called her FI and was provided with additional information about her accounts. The customer complained. The organization checked its records and determined the husband had called twice – the first time he was denied information because he was not the account holder; the second time he pretended to be the account holder (wife) and provided correct answers to the identity verification questions.

Personal information: Name, address, SIN and account details

Number of affected individuals: 1

99

Scenario H Appendix A - Raw Workshop Data

Is there a real risk of significant harm?

Chart values in extraction order (not necessarily legend order): 71%, 2%, 27%. Legend: 1. Yes, 2. No, 3. Don’t know.

100

Scenario I1 Appendix A - Raw Workshop Data

Description of incident:

A Hotel Manager overhears one of his front desk staff on the phone, confirming that an individual had stayed two days and booked two rooms. The Manager asks about the call and is advised by the employee that the individual’s wife had called and had wished to confirm details of her husband’s recent travel.

Personal information:

Name, date and length of stay, number of rooms booked

Number of affected individuals: 1

101

Scenario I1 Appendix A - Raw Workshop Data

Is there a real risk of significant harm?

Chart values in extraction order (not necessarily legend order): 70.5%, 4.5%, 25%. Legend: 1. Yes, 2. No, 3. Don’t know.

102

Scenario I1 Appendix A - Raw Workshop Data

Would your organization notify affected individuals regardless of privacy regulatory requirements?

Chart values in extraction order (not necessarily legend order): 66%, 34%. Legend: 1. No, 2. Yes.

103

Scenario I2 Appendix A - Raw Workshop Data

Description of incident: An individual contacted a hotel, identifying herself as the wife of a guest who had previously stayed at the hotel. Upon request, the hotel employee advised that the husband had stayed two days and booked two rooms. One week later, the hotel guest called and complained about the disclosure of his personal information. The hotel’s internal investigation confirmed the guest’s allegation.

Personal information: Name, date and length of stay, number of rooms booked

Number of affected individuals: 1

104

Scenario I2 Appendix A - Raw Workshop Data

Is there a real risk of significant harm?

Chart values in extraction order (not necessarily legend order): 61%, 5.5%, 33.5%. Legend: 1. Yes, 2. No, 3. Don’t know.

105

Scenario J1 Appendix A - Raw Workshop Data

Description of incident:

A banking branch is robbed of cash and an envelope containing customer PI. The incident was reported to the police.

Personal information:

Customer names, signatures, details of a single transaction and bank account numbers.

Number of affected individuals: 50

106

Scenario J1 Appendix A - Raw Workshop Data

Is there a real risk of significant harm?

Chart values in extraction order (not necessarily legend order): 97%, 0%, 3%. Legend: 1. Yes, 2. No, 3. Don’t know.

107

Scenario J1 Appendix A - Raw Workshop Data

Would your organization notify affected individuals regardless of privacy regulatory requirements?

Chart values in extraction order (not necessarily legend order): 96.5%, 3.5%. Legend: 1. No, 2. Yes.

108

Scenario J2 Appendix A - Raw Workshop Data

Description of incident:

A banking branch is robbed of cash and an envelope containing customer PI. The incident was reported to the police. All of the affected customers were notified and the organization offered to change their account numbers, replace their cheques and monitor their accounts.

Personal information:

Customer names, signatures, details of a single transaction and bank account numbers

Number of affected individuals: 50

109

Scenario J2 Appendix A - Raw Workshop Data

Is there a real risk of significant harm?

Chart values in extraction order (not necessarily legend order): 41.5%, 2.0%, 56.5%. Legend: 1. Yes, 2. No, 3. Don’t know.

110

Scenario K Appendix A - Raw Workshop Data

Description of incident:

A Financial Institution accidentally mailed T4A statements of two retirees to two other retirees. Within days, the two affected retirees were notified and offered monitoring services. The recipients had opened the files, although not addressed to them, and called the FI to advise of the error. The two recipients of the T4A statements were asked to return the information without making copies.

Personal information:

Pension and retirement income information, amount deducted, SIN, name and address

Number of affected individuals: 2

111

Scenario K Appendix A - Raw Workshop Data

Is there a real risk of significant harm?

Chart values in extraction order (not necessarily legend order): 47.5%, 3%, 49.5%. Legend: 1. Yes, 2. No, 3. Don’t know.

112

Scenario K Appendix A - Raw Workshop Data

Would your organization notify affected individuals regardless of privacy regulatory requirements?

Chart values in extraction order (not necessarily legend order): 88%, 12%. Legend: 1. No, 2. Yes.

113

Scenario L Appendix A - Raw Workshop Data

Description of incident: A Financial Institution accidentally faxed RRSP transfer documents to the customer’s fax machine at work at 10:23am rather than to another financial institution. The customer’s co-worker advised the customer that the document was there and the customer recovered it within the same work day. Co-workers had access to the machine. The customer advised the Financial Institution and accepted their offer of credit monitoring and their apology. She indicated that she was not upset and appreciated the FI’s response.

Personal information: Name, address, SIN, RRSP account number, and client number with a different FI.

Number of affected individuals: 1

114

Scenario L Appendix A - Raw Workshop Data

Is there a real risk of significant harm?

Chart values in extraction order (not necessarily legend order): 52.5%, 1.5%, 46%. Legend: 1. Yes, 2. No, 3. Don’t know.

115

Scenario L Appendix A - Raw Workshop Data

Would your organization notify affected individuals regardless of privacy regulatory requirements?

Chart values in extraction order (not necessarily legend order): 33.5%, 66.5%. Legend: 1. No, 2. Yes.

116

Scenario M Appendix A - Raw Workshop Data

Description of incident:

A Retailer discovers that a list of credit card numbers has just been stolen. They immediately ensure that the relevant Financial Institutions and service providers are notified. The FIs promptly discontinue the credit card numbers and advise the cardholders of what has happened and that their cards will be replaced.

Personal information: Credit card numbers (no other data)

Number of affected individuals: 5,000

117

Scenario M Appendix A - Raw Workshop Data

Is there a real risk of significant harm?

Chart values in extraction order (not necessarily legend order): 19.5%, 3.5%, 77%. Legend: 1. Yes, 2. No, 3. Don’t know.

118

Scenario M Appendix A - Raw Workshop Data

Would your organization notify affected individuals regardless of privacy regulatory requirements?

Chart values in extraction order (not necessarily legend order): 50.5%, 49.5%. Legend: 1. No, 2. Yes.

119

Scenario N Appendix A - Raw Workshop Data

Description of incident:

A financial institution mails the first page of a client’s monthly credit card statement together with a second page belonging to another client.

Personal information:

Name (but no contact information), credit card account number, monthly transactions on the account, and total credits and debits for the billing period.

Number of affected individuals: 1

Page 120

Scenario N Appendix A - Raw Workshop Data

Is there a real risk of significant harm?

Response options: 1. Yes, 2. No, 3. Don’t know. Pie chart values as extracted: 46%, 2%, 52%.

Page 121

Scenario N Appendix A - Raw Workshop Data

Would your organization notify affected individuals regardless of privacy regulatory requirements?

Response options: 1. No, 2. Yes. Pie chart values as extracted: 78%, 22%.

Page 122

Scenario O Appendix A - Raw Workshop Data

Description of incident:

A laptop belonging to an employee of a healthcare organization is stolen. It contained personal information. The laptop was password protected but not encrypted; the files on the laptop were not password protected.

Personal information:

Name, contact information, date of birth and health information.

Number of affected individuals: 42

Page 123

Scenario O Appendix A - Raw Workshop Data

Is there a real risk of significant harm?

Response options: 1. Yes, 2. No, 3. Don’t know. Pie chart values as extracted: 93.5%, 3.5%, 3%.

Page 124

Scenario O Appendix A - Raw Workshop Data

Would your organization notify affected individuals regardless of privacy regulatory requirements?

Response options: 1. No, 2. Yes. Pie chart values as extracted: 98.5%, 1.5%.

Page 125

Scenario P1 Appendix A - Raw Workshop Data

Description of incident:

A bank bag of mortgage documents in transit to the processing centre is stolen from the courier. The bag is located by the police five days later and all the information appears to be intact and undisturbed.

Personal information:

Mortgage number, client name, property details, DOB, assets/liabilities.

Number of affected individuals: 185

Page 126

Scenario P1 Appendix A - Raw Workshop Data

Is there a real risk of significant harm?

Response options: 1. Yes, 2. No, 3. Don’t know. Pie chart values as extracted: 66%, 7.5%, 26.5%.

Page 127

Scenario P1 Appendix A - Raw Workshop Data

Would your organization notify affected individuals regardless of privacy regulatory requirements?

Response options: 1. No, 2. Yes. Pie chart values as extracted: 69.5%, 30.5%.

Page 128

Scenario P2 Appendix A - Raw Workshop Data

Description of incident:

A bank bag of mortgage documents in transit to the processing centre is stolen from the courier and never recovered.

Personal information: Personal cheques and cash.

Number of affected individuals: 185

Page 129

Scenario P2 Appendix A - Raw Workshop Data

Is there a real risk of significant harm?

Response options: 1. Yes, 2. No, 3. Don’t know. Pie chart values as extracted: 75.5%, 0%, 24.5%.

Page 130

Scenario P2 Appendix A - Raw Workshop Data

Would your organization notify affected individuals regardless of privacy regulatory requirements?

Response options: 1. No, 2. Yes. Pie chart values as extracted: 90.5%, 9.5%.

Page 131

Scenario Q Appendix A - Raw Workshop Data

Description of incident:

During a collections call for an outstanding debt, the balance owing and the fact that payments were late are disclosed to the customer’s father.

Personal information:

Name, creditor, type of debt, balance owing, payment history.

Number of affected individuals: 1

Page 132

Scenario Q Appendix A - Raw Workshop Data

Is there a real risk of significant harm?

Response options: 1. Yes, 2. No, 3. Don’t know. Pie chart values as extracted: 46.5%, 5%, 48.5%.

Page 133

Scenario Q Appendix A - Raw Workshop Data

Would your organization notify affected individuals regardless of privacy regulatory requirements?

Response options: 1. No, 2. Yes. Pie chart values as extracted: 85.5%, 14.5%.

Page 134

Scenario R Appendix A - Raw Workshop Data

Description of incident:

An organization learns that a former employee has stolen a customer list and is using it to solicit customers for a new organization.

Personal information:

Customer names, email addresses and mailing addresses

Number of affected individuals: 350

Page 135

Scenario R Appendix A - Raw Workshop Data

Is there a real risk of significant harm?

Response options: 1. Yes, 2. No, 3. Don’t know. Pie chart values as extracted: 29.5%, 1.5%, 69%.

Page 136

Scenario R Appendix A - Raw Workshop Data

Would your organization notify affected individuals regardless of privacy regulatory requirements?

Response options: 1. No, 2. Yes. Pie chart values as extracted: 72%, 28%.

Page 137

Scenario S Appendix A - Raw Workshop Data

If you are required to report in Alberta and are also subject to other privacy regulatory authorities, do you report to them voluntarily?

Response options: 1. Yes, 2. No, 3. Not applicable. Pie chart values as extracted: 71%, 4%, 25%.

Page 138

Scenario T Appendix A - Raw Workshop Data

Description of incident:

A collection agent accidentally leaves a folder containing personal audit reports on the court clerk’s counter at the courthouse. The court clerk finds it one hour later; it looks undisturbed. The court clerk advises the credit reporting agency, which advises you at the collection agency.

Personal information: Personal financial information, credit bureau reports

Number of affected individuals: 12

Page 139

Scenario T Appendix A - Raw Workshop Data

Is there a real risk of significant harm?

Response options: 1. Yes, 2. No, 3. Don’t know. Pie chart values as extracted: 61.5%, 6%, 32.5%.

Page 140

Scenario T Appendix A - Raw Workshop Data

Would your organization notify affected individuals regardless of privacy regulatory requirements?

Response options: 1. No, 2. Yes. Pie chart values as extracted: 62%, 38%.

Page 141

Scenario U Appendix A - Raw Workshop Data

Do you believe that post-breach mitigation steps should impact the assessment of whether there is a RROSH?

Response options: 1. No, 2. Yes. Pie chart values as extracted: 83%, 17%.