Law Times

Page 10 January 25, 2016 • Law Times www.lawtimesnews.com Hackers cause of data breach? Accidental disclosure far more likely BY YAMRI TADDESE Law Times I n the vast majority of data breach incidents at federal institutions, the culprits are not conniving hackers who managed to steal private infor- mation. In fact, in 73 per cent of cases, data breach incidents arose from blunders on the part of the institutions themselves. Federal government agencies reported a record high number of data breaches in 2014-15, ac- cording to a December report from the privacy commissioner. "While we did see some cases where network vulnerabilities and technological glitches led to the disclosure of Canadians' personal information, our review of data breaches reported dur- ing 2014-2015 found that — as in previous years — accidental dis- closure, a risk which can often be mitigated by more rigorous pro- cedures, was the leading cause," said Daniel Therrien, the privacy commissioner. "In fact, acciden- tal disclosure was by far the larg- est category of data breaches, rep- resenting 73 per cent of the total number reported." Therrien's report said govern- ment agencies at times sent out letters in oversized envelopes that revealed recipients' social security numbers through the address window. In another in- cident that led to a class action, Health Canada sent out letters to 41,000 users of medical mari- juana in envelopes bearing the name of the program, which exposed recipients as users of marijuana to anyone who saw and handled the envelopes. In yet another case, the names of individuals requesting records under the Access to Informa- tion Act related to a former Ab- original Affairs and Northern Development Canada minister's expenses were revealed to "de- partmental personnel who had no need to know such informa- tion," according to the commis- sioner. "Knowing that nearly three quarters of breaches could have been prevented with greater care is a concern," Therrien said. "It shows that institutions are still suffering breaches stemming from misdirected mail or overly large envelope windows despite years and years of similar epi- sodes. "Relatively simple steps can and must be taken to curtail these types of breaches. It is my hope that this year's annual re- port will serve as a reminder of the need for greater vigilance." The commissioner said feder- al institutions reported 256 data breaches in 2014-2015, up from the previous year's 228, which was itself double the number of reported breaches a year earlier. "Many institutions have made some strides to better protect personal information," the com- missioner said. "That being said, the breach reports we've received, the results of our investigations, and our latest audit all suggest there is still much room for im- provement." David Fraser, a privacy lawyer at McInnes Cooper LLP, is coun- sel for the plaintiffs in the medi- cal marijuana users' information breach case. In that case, "the government knew that they had audits and consultants telling them they weren't doing enough and they continued to not do enough," he says. "It wasn't so much the risk of malicious access to that infor- mation — it was the carelessness," Fraser says. He says guaranteeing absolute security of information is almost impossible, even if institutions are spending millions of dollars to protect data. In the end, the question comes down to wheth- er the government is taking the right steps to prevent avoidable breaches, Fraser says. "It seems the issue is [that] across a number of government departments the answer is no. It looks like they're not doing enough and that's not OK," he continues. Cassels Brock & Blackwell LLP privacy lawyer Bernice Karn says privacy breaches are a major concern for in-house counsel, especially as class actions are al- lowed to proceed even in cases where harm to individuals isn't necessarily established. "From an in-house perspec- tive, it's a major compliance head- ache. For class action lawyers, for plaintiffs' lawyers, it's kind of a bonanza and I think it's only go- ing to be more so," she adds. According to Fraser, govern- ment agencies have greater onus to protect customer and patient records. "You and I can choose what bank we go to, so if one bank has a track record of being lax with re- spect to privacy and security, you can go somewhere else. But you don't get to choose the hospitals you go to in this country and you don't get to choose what govern- ment you deal with," Fraser adds. "I think that increases the onus on the public sector to make sure at the very least what is ade- quate and what is legally required because it's in all the privacy stat- utes that they have to protect in- formation." In his latest report, the privacy commissioner focused on the use of unencrypted portable data storage at federal institutions. "These devices can be easily lost, misplaced, or stolen. With- out proper controls, federal insti- tutions are running the risk that the personal information of Ca- nadians will be lost or inappro- priately accessed," Therrien said. When it comes to the use of portable devices, Fraser says there is a sense of "casualness that has crept in" in both govern- ment and other organizations. "You copy records on some drive, you take them home, and you work on them without rec- ognizing that actually these are very sensitive records and so maybe there's a degree of com- placency that has started to re- permeate the government and other organizations," he says. "They shouldn't be so comfort- able." LT FOCUS THE RIGHT CONNECTIONS MADE EASY Alberta Legal Telephone Directory is all about your legal community connecting you to the lawyers and law offices you need in Alberta, Northwest Territories, Nunavut and Yukon. Published annually for over 30 years, it keeps you connected with new and updated names, mailing addresses, email addresses, phone numbers and fax numbers each year. Searching is easy with: • Alphabetical and geographical listing of lawyers and law firms • Alphabetical listing of Judges Also quickly and easily access: • Law Societies • Courts of Appeal • Federal Court of Canada • Government of Canada departments • Judicial districts and judicial officials • Incorporated Municipalities • Land registration and information services • Provincial government departments • Boards and Commissions • Law Related Services, Institutions and Organizations • University law faculties ... and more. This portable and easily shared resource will be an indispensable quick reference guide for your office. Durable spiralbound format saves on wear and tear of everyday usage. New Edition Spiralbound • August 2015 $45* • L88804-762 Multiple copy discounts available *Plus applicable taxes and shipping & handling (Prices subject to change without notice) 2015-16 Alberta Legal Telephone Directory – the right connections made easy. Order your copy today. Visit www.carswell.com or call 1-800-387-5164 for a 30-day, no risk evaluation Untitled-1 1 2015-11-24 2:55 PM Source: Office of the Privacy Commissioner of Canada. Check out lawtimesnews.com for insight from our regular online columnists Monica Goyal discusses the latest gadgets and trends in legal technology in Bits & Bytes From trade deals to foreign investment, Patrick Gervais keeps you up to date on business issues in Trade Matters Darcy Merkur brings a plaintiff-side perspective on insurance matters in Personal Injury Law n NUMBER OF INCIDENTS

• Cover