What to Do in the Event of a Corporate Data Breach (Quoi faire en cas de violation des données d'entreprise) – Managing Corporate Data Breaches

Page 1

What to Do in the Event of a Corporate Data Breach

Managing Corporate Data Breaches

George J. Pollack, Partner/Associé Davies, Montréal

Steve Mott, Principal BetterBuy Design, USA

March 20, 2012

Davies Academy (Académie Davies) – for continuing legal education

Page 2

PART I - The Scourge of Data Breaches (and Mag-stripe Technology)

Page 3

Data Breach Problem in Perspective

Page 4

The Costs of Cybercrime

HP's second annual Cost of Cybercrime Study pegged the median annualized cost of cybercrime incurred by a benchmark sample of organizations at $5.9 million

The survey revealed a range of $1.5 million to $36.5 million, a 56 percent increase from the median cybercrime cost reported in HP's inaugural study published in July 2010

Organizations that had deployed security information and event management solutions realized a cost savings of nearly 25 percent over those who didn't

In 2011, the survey shows, the average time to resolve a cyber-attack was 18 days, with an average cost to participating organizations of nearly $416,000

That's a nearly 70 percent increase from the estimated $250,000 cost and 14-day resolution period surmised from last year's study

Source: Hewlett-Packard “Cost of Cybercrime” Study, 2011

Page 5

Another Look at Costs

Source: Forrester Research Inc.

Page 6

But Even Security Companies Get Compromised

Cybercrime is expensive. Just ask storage maker EMC, parent of security provider RSA. EMC CFO David Goulden the other day said last month's breach of the system that stores secret codes for RSA's SecurID multifactor authentication tokens cost EMC $66.3 million in the second quarter. That's well above average, according to a just-released survey by technology provider Hewlett-Packard, conducted by the Ponemon Institute.

Source: Hewlett-Packard “Cost of Cybercrime” Study, 2011

Page 7

High-level View of Data Breaches

Source: Verizon Business; 2010 Data Breach Investigation Report

Page 8

PCI is Not a Solution to This Problem

Source: Verizon Business; 2010 Data Breach Investigation Report

Page 9

Financial Services: Twice the Breach of Retail

Source: Verizon Business; 2010 Data Breach Investigation Report

Page 10

Internal Sources a Big Issue

Source: Verizon Business; 2010 Data Breach Investigation Report

Page 11

Hacking and Malware Spur the Problem

Source: Verizon Business; 2010 Data Breach Investigation Report

Page 12

Secret Service: Compromises are Inherent

Source: Verizon Business; 2010 Data Breach Investigation Report

Page 13

Malware Injections: Half the Compromises

Source: Verizon Business; 2010 Data Breach Investigation Report

Page 14

Backdoor Access Control: Malware Favorite

Source: Verizon Business; 2010 Data Breach Investigation Report

Page 15

Hackers: Relying on Stolen Logins

Source: Verizon Business; 2010 Data Breach Investigation Report

Page 16

Payment Card Data the Favorite Target

Source: Verizon Business; 2010 Data Breach Investigation Report

Page 17

Cost of Prevention: Too Low to Ignore

Source: Verizon Business; 2010 Data Breach Investigation Report

Page 18

Existing IT Systems MUST Change

Source: Verizon Business; 2010 Data Breach Investigation Report

Page 19

A Deep-Dive on Data Breach Costs

Page 20

Trends in Per-Record Data Breach Costs

Source: Ponemon Institute; study of 45 breaches-2009

Page 21

Indirect Costs: Twice Direct Charges

Source: Ponemon Institute; study of 45 breaches-2009

Page 22

Average Cost/Firm: Nearly $7 million

Source: Ponemon Institute; study of 45 breaches-2009

Page 23

Lost Business: Exceeds Other Direct Costs

Source: Ponemon Institute; study of 45 breaches-2009

Page 24

Encryption Gaining as Key Solution

Source: Ponemon Institute; study of 45 breaches-2009

Page 25

Customer Churn a Big Cost Driver

Source: Ponemon Institute; study of 45 breaches-2009

Page 26

Violation of Trust an Important Factor

Source: Ponemon Institute; study of 45 breaches-2009

Page 27

Direct Costs are Increasing

Source: Ponemon Institute; study of 45 breaches-2009

Page 28

Taking Time for Notification Lowers Costs

Source: Ponemon Institute; study of 45 breaches-2009

Page 29

Consultants a Must for Lowering Costs ;o)

Source: Ponemon Institute; study of 45 breaches-2009

Page 30

QSAs: Like Firewalls and Encryption

Source: PCI-DSS QSA Survey-2010

Page 31

A Few Words About Card Payments

Page 32

Key Things to Remember about PCI

• PCI theory (protected data) is wildly unaddressed by PCI policy; it is NOT a solution across industries, because principal owners don’t understand businesses other than card payments

• PCI practice in card payments is stacked against merchants; merchant inputs are barely considered in PCI Security Standards Council proceedings; the purpose is to make bank issuers whole on fraud and risk of mag-stripe

• The rationale is to avoid investing in better technology (e.g., Chip+PIN in EMV) as long as possible

• Visa’s expectation is that merchants will roll over and play dead

• Visa mau-mau’s QSAs and QIRAs when it can

• Seminal suit by Utah restaurant could start the unraveling process

• Pressure on PCI Council resulting in acceptance of encryption and tokenization as a solution

• Use in mobile will further break lock of PCI on POS marketplace and beyond—to all industries (but there are no regulations for mobile)

Page 33

Utah Restaurant Lawsuit Could Start an Anti-PCI ‘Revolution’

Source: Hospitality Lawyer.com

Page 34

Cloud-based Transacting Can Bypass Mag-Stripe

Page 35

What to Do After A Breach is Discovered

Page 36

What Happens after a Breach

Many organizations go public too early—before the facts are known—trying to avoid vilification, but inadvertently attracting misplaced blame

Many organizations belatedly put in place training and awareness programs to help reduce the risks of future breaches

Most increased their security budgets, and 28 percent hired additional IT staff

In addition, the actions most often taken to help reduce negative consequences of a breach were to hire legal counsel and forensics experts

Page 37

Best Practices from Legal Point-of-View

• A breach WILL happen (and might have already happened—but you don’t know it yet)

• Assume it has/will happen, and develop a remediation program ASSUMING THE BAD GUYS are already there, in order to prevent damage when they do get in

• Have lawyers and forensic experts hired, briefed and on-call

• Document everything—especially access history

• Ensure staff responsible for vigilance and policy enforcement are trained and monitored

• When confronted, push back quickly and hard to make sure blame gets shared appropriately

Page 38

How to Prevent A Breach in the First Place

Page 39

Accenture: Data Privacy and Protection at the Tipping Point – How Global Organizations Approach the Challenge of Protecting Personal Data (Ponemon Institute, 2009)

Page 40

Contrasting Individual Privacy Values

Source: Accenture/Ponemon

Page 41

Privacy Sensitivity Varies by Industry

Source: Accenture/Ponemon

Page 42

Most Failures are from Within

Source: Accenture/Ponemon

Page 43

Organization Cultural Values Make A Difference

Source: Accenture/Ponemon

Page 44

Policies Accompany Cultural Values

Source: Accenture/Ponemon

Page 45

What Prevents Data Breaches

Creating an information strategy that enables the organization to identify, track and control how data flows across all areas of an organization’s systems and processes

Assigning ownership of and accountability for data privacy and protection through a data governance program

Evaluating their current data privacy and protection technologies to confirm they are providing the necessary level of protection

Building a consistent level of awareness of the importance of data privacy and protection among the workforce and providing employees with the appropriate guidance for how to handle sensitive data

Reexamining their data privacy and protection investments

Choosing business partners with care

Having formal incident response policies, procedures and team

Page 46

Part II – The Legal Ramifications of a Data Breach

Page 47

Part II – The Legal Ramifications of a Data Breach

INTRODUCTION

• One of the features of the digital age has been the increased collection, storage and accessibility of personal data that is used by both private and public sector organizations for a wide variety of social, commercial and other purposes.

Page 48

Part II – The Legal Ramifications of a Data Breach (cont'd)

• This information has become a valuable commodity not only for organizations intending to make legitimate and lawful use of personal data but also, more ominously, for predators with more sinister and often obscure objectives in mind.

Page 49

Part II – The Legal Ramifications of a Data Breach (cont'd)

• All sectors of the economy are vulnerable to cyber attacks designed to access a vast amount of electronically stored personal data, and data breaches are now becoming commonplace occurrences.

Page 50

Part II – The Legal Ramifications of a Data Breach (cont'd)

• The emergence of new technologies, including cloud computing, enhances the vulnerability of stored data to unlawful access and dissemination, and has significantly enhanced the risks of a data compromise event and amplified the consequences of unauthorized access.

Page 51

Part II – The Legal Ramifications of a Data Breach (cont'd)

• Other than observing "best practices" from an information-technology perspective – including firewalling sensitive data, enforcing password discipline and monitoring data storage systems in order to detect unauthorized access or exfiltration of data – there is no single body of rules, guidelines or standards that define what constitutes reasonable care in the safeguarding of electronically stored data.

Page 52

Part II – The Legal Ramifications of a Data Breach (cont'd)

• The law governing a breached entity's liability for the consequences of a data breach is in its infancy, and Canadian courts have not yet had the opportunity of defining what constitutes reasonable care in the electronic storage of personal data or prescribing sanctions for entities that are negligent in the manner in which they use, disseminate or store personal data.

Page 53

Part II – The Legal Ramifications of a Data Breach (cont'd)

• The one exception is in the area of the storage of credit card account data. Here, the credit card associations such as Visa and MasterCard, have promulgated a set of rules known as the Payment Card Industry Data Security Standards ("PCIDSS") which prescribes minimum safeguards that merchants, credit card transaction processors and others in the payment card transaction chain must observe in the handling, transmission and storage of card holder account data.

• Failure to adhere to the PCIDSS can lead to the imposition of onerous penalties and assessments in the event that account data is compromised by an intrusion.

Page 54

Part II – The Legal Ramifications of a Data Breach (cont'd)

• There now exists legislation at the federal level (The Personal Information Protection and Electronic Documents Act) and in some provincial jurisdictions (e.g. in Québec, An Act Respecting the Protection of Personal Information in the Private Sector; in Alberta, the Personal Information Protection Act) that establish a range of obligations around the collection, use, disclosure and handling of personal information. Only the Alberta legislation contains mandatory breach notification provisions.

Page 55

Part II – The Legal Ramifications of a Data Breach (cont'd)

• While the caselaw has not yet begun to coalesce around a body of guiding principles with respect to liability for the consequences of a data breach, hacking incidents have begun to spawn litigation including some very high-profile class action litigation in Ontario and Québec:

Page 56

Part II – The Legal Ramifications of a Data Breach (cont'd)

• Speevak v. Canadian Imperial Bank of Commerce – Alleging the unauthorized access to sensitive financial and other information about customers stored by a financial institution.

Page 57

Part II – The Legal Ramifications of a Data Breach (cont'd)

• Scholes v. Honda Motor Company – Alleging the compromise of customer data held by an automobile manufacturer.

Page 58

Part II – The Legal Ramifications of a Data Breach (cont'd)

• Maksimovic v. Sony of Canada Inc. and D'Cruze v. Sony of Canada Ltd. (Ontario) and Banks v. Sony Canada Ltd. (Québec) – Alleging the compromise of credit card data following the hacking of Sony's "Playstation" gaming platform.

Page 59

The Québec Context

• Quebec has extensive privacy rights which may be invoked when an individual's personal information has been compromised.

• Liability for damages sustained as the result of a data compromise could flow from a number of juridical sources including:

• The Civil Code of Quebec (the "CCQ")

• An Act Respecting the Protection of Personal Information in the Private Sector (the "Private Sector Act")

• The Quebec Charter of Human Rights (the "Charter")

• Violation of privacy rights can give rise to compensatory and punitive damages.

Page 60

The Québec Context

A. The CCQ

3. Every person is the holder of personality rights, such as the right to life, the right to the inviolability and integrity of his person, and the right to the respect of his name, reputation and privacy.

These rights are inalienable.

35. Every person has a right to the respect of his reputation and privacy.

No one may invade the privacy of a person without the consent of the person unless authorized by law.

Page 61

The Québec Context

A. CCQ (continued)

1457. Every person has a duty to abide by the rules of conduct which lie upon him, according to the circumstances, usage or law, so as not to cause injury to another.

Where he is endowed with reason and fails this duty, he is responsible for any injury he causes to another person by such fault and is liable to reparation for the injury, whether it be bodily, moral or material in nature.

Page 62

The Québec Context

B. The Charter

5. Every person has a right to respect for his private life.

24. No one may be deprived of his liberty or of his rights except on grounds provided by law and in accordance with prescribed procedures.

Page 63

The Québec Context

C. The Private Sector Act

• The object of the legislation is to establish standards for the exercise of the rights conferred by articles 35 et seq CCQ concerning "… the protection of personal information relating to the other persons which a person collects, holds or communicates to third persons in the course of carrying on an enterprise within the meaning of article 1525 of the Civil Code". (Article 1)

• Personal information is defined as any information which relates to a natural person and allows that person to be identified. (Article 2)

Page 64

The Québec Context

C. The Private Sector Act (cont'd)

• Article 10 prescribes that:

"A person carrying on an enterprise must take the security measures necessary to ensure the protection of personal information collected, used, communicated, kept or destroyed and that are reasonable given the sensitivity of the information, the purpose for which it is to be used, the quantity and distribution of the information and the medium on which it is stored".

Page 65

The Québec Context

C. The Private Sector Act (cont'd)

• The Private Sector Act prescribes penal sanctions for the violation of the provisions of Division III of the legislation. Article 10 is included in Division III such that a violation of the obligation to safeguard information could lead to the imposition of a fine ranging from $1,000 to $10,000 for a first offence and, for a subsequent offence, to a fine of $10,000 to $20,000. (Article 91)

Where an offence is committed by a legal person, the administrator(s), director(s) or representative(s) of the legal person who authorized the act or omission constituting the offence, is (are) deemed to be a party to the offence. (Article 93)

Page 66

The Québec Context

C. The Private Sector Act (cont'd)

• The legislation does not contain a specific damages remedy for the violation of a duty imposed on an enterprise regarding the protection of personal information.

Page 67

Personal Information Protection and Electronic Documents Act ("PIPEDA")

• Federal legislation that applies generally to all collection, use or disclosure of personal information by private sector businesses within the legislative authority of Parliament.

• PIPEDA applies to the collection, use or disclosure of personal information in the course of a commercial activity.

• Schedule 1 to the PIPEDA sets forth a series of obligations and principles regarding the collection, use, storage and disclosure of personal information that constitute the Model Code for the Protection of Personal Information. Principle 7, which deals with the safeguarding of personal information, states that:

Page 68

Personal Information Protection and Electronic Documents Act ("PIPEDA")

Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

The security safeguards shall protect personal information against loss or theft as well as unauthorized access, disclosure, copying, use or modification. Organizations shall protect personal information regardless of the format in which it is held.

The nature of the safeguards will vary, depending on the sensitivity of the information that has been collected, the amount, distribution and format of the information, and the method of storage. More sensitive information should be safeguarded by a higher level of protection […]

Page 69

Personal Information Protection and Electronic Documents Act ("PIPEDA")

• In 2007, the Office of the Privacy Commissioner issued a series of guidelines entitled "Key Steps for Organizations in Responding to Privacy Breaches" (the "Guidelines"). The purpose of the guidelines was to assist private sector organizations in taking appropriate steps in the event of a privacy breach and to provide guidance in assessing whether notification of the breach to affected individuals is required.

Page 70

Personal Information Protection and Electronic Documents Act ("PIPEDA")

• Though voluntary, the Guidelines have been adopted as best practices by many private sector organizations. The Guidelines elaborate four steps that organizations should follow in responding to data breaches:

• Breach containment and preliminary assessment

• Evaluation of risks associated with the breach

• Notification

• Prevention

Page 71: Quoi faire en cas de violation des données d'entreprise ...€¦ · données d'entreprise Managing Corporate Data Breaches George J. Pollack, Partner/Associé Davies, Montréal Steve

71

• As the Guidelines are voluntary, an organization that has suffered a breach is not obliged to give notice of the potential compromise of data to the affected individuals.

• There are no penalties under PIPEDA for failing to follow the Guidelines. The legislation does, however, give the Federal Privacy Commissioner power to investigate a data breach. Amongst other things, the Commissioner may issue a report on the breach setting out his findings and recommendations. The Commissioner may also request that the breached organization give notice of any action taken to implement recommendations contained in the report or reasons why such remedial action will not be taken.

• However, a civil court would likely find that failure to respect the Guidelines amounted to a breach of a duty of care in respect of the safeguarding of personal information.


• Once the Commissioner has issued a report, no further action will be taken unless a complainant applies to the Federal Court to seek enforcement of damages. No fines are prescribed for organizations that have suffered data breaches and the Federal Court has been very circumspect in making damage awards for breaches of PIPEDA (Randall v. Nubodys Fitness Centres, 2010 FC 681 and Nammo v. Trans Union of Canada Inc., 2010 FC 1284).


On September 29, 2011, the Government of Canada introduced Bill C-12, the Safeguarding Canadians' Personal Information Act which, if passed, will amend PIPEDA to add a new breach notification requirement. The Bill requires notification to the Privacy Commissioner where "[…] any material breach of security safeguards involving personal information under an organization's control […]" occurs. The factors relevant to materiality include:


– The sensitivity of the personal information.

– The number of individuals whose personal data was involved.

– An assessment by the organization that the cause of the breach or a pattern of breaches indicates a systemic problem.


• The Bill also provides that the breached organization must notify an affected individual "[…] if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual".

"Significant harm" includes "[…] bodily harm, humiliation, damage to reputation, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property." Considerations relevant to the assessment of significant harm include:

– The sensitivity of the compromised information.
– The probability that personal information has been or will be misused.


Notification must be given "[…] as soon as feasible after the organization confirms that the breach has occurred and concludes that it is required." The form and contents of the notice will be established by Regulation. The Bill provides, however, that the notice must provide "[…] sufficient information to allow the individual to understand the significance to them (sic!) of the breach and to take steps, if any and possible, to reduce the risk of harm that could result from it or mitigate the harm."


• In addition to notifying individuals, organizations must also notify other organizations or "government institutions" of a breach if that other organization or government institution "[…] may be able to reduce the risk of harm […] or mitigate that harm."

• The Bill contains no penalties for organizations that do not report data breaches.

• However, a failure to provide notice where one was required could give rise to a civil, quasi-delictual claim for damages.

Alberta

• Alberta has the most robust privacy legislation in Canada in the form of the Personal Information Protection Act ("PIPA") which provides for mandatory notification to the Alberta Privacy Commissioner ("APC") if personal information under an organization's control is accessed without authorization such that a reasonable person would consider that there exists a real risk of significant harm to an individual.

• The APC may require the breached organization to notify the affected individuals where he determines that there is a real risk of significant harm as a result of the unauthorized access or disclosure.


• Control of personal information is defined as meaning having the authority to manage personal information. When an organization engages the services of a person to manage personal information, the organization is responsible for that person's compliance with PIPA with respect to such services and the organization that engages the services of a third party is considered to be in control of the information (See Office of the Information and Privacy Commissioner, Best Buy Canada Ltd., P2011-ND-011 and Office of the Information and Privacy Commissioner, Aviscan Inc., P2011-ND-001).


• Factors to be considered when determining whether a real risk of significant harm to individuals exists include the number of affected individuals, the maliciousness of the breach and whether there are indications that personal information was misappropriated for nefarious purposes, the sensitivity of the information and the harm that may result.


• Significant harm means that it is important, meaningful and with non-trivial consequences or effects (Office of the Information and Privacy Commissioner, Canadian Standards Association, P2011-ND-26).

• Credit card fraud is considered significant financial harm that can be caused by a privacy breach.

• Credit card numbers with names are considered personal information of high sensitivity (Office of the Information and Privacy Commissioners, Full Bars Communications Inc., P2010-ND-005).


• A real risk of significant harm does not mean that harm will certainly result from the incident, but the likelihood that it will result must be more than mere speculation or conjecture. This standard was found to be satisfied when data such as financial information was accessed without authorization and in a way that suggests nefarious purposes (Office of the Information and Privacy Commissioner, Twin American LLC, P2011-ND-010).

• PIPA provides for fines of up to $100,000 when a person fails to provide notice to the Commissioner when required to do so.

PCI DSS – A Particular Regime

• For retail businesses that rely on credit card transactions, PCI DSS represents both a challenge and a potential source of unexpected but significant liability in the event that a credit card association determines, in accordance with its proprietary, black-box methodology, that a data breach resulted from non-compliance with PCI DSS.

• The credit card associations have regulatory regimes – which are generally made applicable to merchants through the contracts they enter into with transaction processors – that give the associations broad and unfettered discretion to determine that a data breach resulted from PCI DSS non-compliance. There are no meaningful ways of appealing such findings.


Liability for Damages

• To date, there is no caselaw in Québec – or anywhere else in Canada – dealing with liability for data breaches. However, under the legal regime outlined above, an organization that has failed to take reasonable care in safeguarding personal data from a cyber-attack could be liable for damages. To succeed, a plaintiff would be required to demonstrate that the breached entity acted wrongfully, that personal information intended to be treated as confidential was compromised, that he or she has sustained damages as a result and that there is a causal link between the damages and the wrongful act.


• Even in instances where a data breach results in the compromise of confidential personal data, damages may be hard to prove. For example, in the case of compromised credit card data, the financial institution typically covers any tangible costs. Other types of claims, including time lost and inconvenience, damage to reputation or mental suffering, are difficult to quantify and prove and typically give rise to nominal awards of damages.


• Québec law does not impose a duty to notify individuals whose personal data is compromised as a result of a data breach. However, we believe that a Québec court could hold a breached entity liable for a failure to notify on the general principles set out above, especially in light of the fact that the compromise of personal data places individuals at greater risk of identity theft, and the failure to notify could deprive the affected individuals of their ability to mitigate the risk of harm.


• The class action litigation currently before the courts is likely to influence how the courts in Québec, and elsewhere in Canada, define the standard of care to be exercised in safeguarding confidential information.

PCI DSS – A Particular Regime

• Card associations may impose punitive fines and assessments, often in the millions of dollars, on non-compliant organizations. These assessments are intended, amongst other things, to recoup a) the costs involved in re-issuing compromised cards; and b) the value of estimated fraud.

• TJX (operating the brands T.J. Maxx, Marshalls, Winners, etc.) – Data breach in 2007 with 46,500,000 cards compromised. TJX eventually settled with Visa for $40.9 million. This was over and above amounts that TJX paid to settle litigation against it by the Federal Trade Commission and the attorneys general of 41 states.


• Heartland Payment Systems - Data breach in 2008 with as many as 100 million credit and debit cards compromised. The Company is reported to have paid about $160 million in fines, including $60 million paid to Visa.

Insurance

• Traditional errors and omissions and commercial general liability policies were written for a conventional basket of risks, not those inherent in the electronic storage of data.

• While insurance is not an alternative to rigorous risk management, proper cyber-crime coverage can mitigate losses flowing from a data breach.


• New cyber liability insurance products are emerging on the market, covering, to varying extents, an insured's liability for cyber-related injuries sustained by third parties. These products also offer coverage for out-of-pocket expenses incurred by the breached entity in connection with:

- breach notification

- breach management

- audit and remediation

- redress funds for affected individuals

- business interruption

A commonsense approach to handling the fallout from data breaches

• The law relating to data breaches and associated liabilities is in its earliest stages of development in Canada.

• There are a series of common sense steps that organizations can take to mitigate their exposure in the aftermath of a breach:

• Determine what data elements have been breached and how sensitive these elements are; the more sensitive the data, the greater the risk of harm to individuals. This assessment will help determine whether a breach should be responded to, who should be informed (including privacy commissioners) and what form that notification should take;


• The cause and extent of the breach should be determined and an assessment should be made as to whether there is a risk of on-going breaches and compromise of information.

• Determine how many individuals have had their information placed at risk and who these individuals are (members of the public? employees? service providers?).


• Assess the possibility of foreseeable harm in light of the breach, the likely reasonable expectations of the individuals whose information was compromised and the party who is suspected of having caused the breach. Consider what the nature of the harm to the individuals might be (e.g. does the breach pose a risk to personal safety or of financial loss?) and what impact the breach may have on the organization's reputational interests and finances. Also to be weighed in the balance is whether notification itself could cause harm to the public.


• Notification, even when it is not obligatory by law, may be an important mitigation strategy. Although each breach incident will vary and a case-by-case approach should be taken, an overriding consideration (aside from statutory notice obligations) in deciding whether to notify should be whether notification is necessary to avoid or mitigate harm to an individual whose personal data has been compromised.

• You may wish to consider notifying other parties of a data breach, including insurers, the police, professional associations, etc.


Merci / Thank you

This presentation will be available online at dwpv.com/academy (French version: dwpv.com/academie)

Steve Mott, Principal
BetterBuy Design
1386 Long Ridge Road
Stamford, CT 06903
Office: 203.968.1967
email: [email protected]
website: www.betterbuydesign.com

George J. Pollack, Partner
Davies
Office: 514.841.6451
email: [email protected]