On June 18, 2015, Canada’s Senate and House of Commons passed the Digital Privacy Act to amend the country’s federal Personal Information Protection and Electronic Documents Act (PIPEDA). Many of the amendments are scheduled to come into force on a date to be determined by the government. The revised requirements (highlighted below) will have a significant impact on the treatment of personal information by organizations that are subject to PIPEDA. These are organizations that either are federally regulated and fall under the legislative authority of the Parliament of Canada, or operate within a province that does not have in place data protection legislation that has been determined to be substantially similar to PIPEDA (all Canadian provinces other than Alberta, British Columbia and Quebec).

Three amendments are noteworthy for businesses subject to PIPEDA.

The U.S. National Labor Relations Board (NLRB) recently filed complaints against the United States Postal Service (USPS), alleging that the USPS violated the National Labor Relations Act (NLRA) by failing to collectively bargain with its employees’ union regarding the postal service’s response to a 2014 data breach that reportedly affected over 800,000 current and former postal employees. Specifically, in one of its complaints, the NLRB alleged that the postal service’s unilateral decision to provide credit monitoring and fraud insurance to affected employees without engaging in collective bargaining with the union on these issues violated Sections 8(a)(1) and (5) of the NLRA. These provisions of the NLRA mandate collective bargaining for any issue that relates to the “wages, hours, and other terms and conditions of employment.”

Late afternoon last Friday, the White House released its draft Consumer Privacy Bill of Rights Act (the “Act”).  This follows on the heels of the President’s announcement of cybersecurity as a top priority of the administration, which foreshadowed the release of the Act and included other initiatives, including one for a single national breach notification standard.  It also comes at a time when consumers may be feeling particularly interested in addressing cybersecurity threats, given healthcare insurer Anthem Inc.’s data breach and Sony Pictures Entertainment’s hack in November.

What Does the Act Govern?

The Act was originally articulated by the Administration in 2012, and the Act tracks the language used by the Administration in 2012.  The stated purpose of the Act is “[t]o establish baseline protections for individual privacy in the commercial arena and to foster timely, flexible implementations of these protections through enforceable codes of conduct developed by diverse stakeholders.”

Specifically, the Act enumerates the following general principles:

  • Transparency: Covered entities must provide notice about the entity’s privacy and security practices.  The notice must be easily understandable, accurate, timely, conspicuous, and conveniently accessible and must provide individuals with a company contact to address privacy concerns.
  • Individual Control: Covered entities must provide individuals with “reasonable means to control” the processing of their data.  Individuals must be able to understand how to use the control mechanisms and must be able to withdraw consent by means that are reasonably comparable to the means used to grant consent.  Once consent has been withdrawn, the covered entity must delete the data within 45 days.
  • Focused Collection and Responsible Use: Covered entities must collect, retain, and use personal data in a manner that is reasonable in light of context and must minimize privacy risk (i.e., the potential for the data to cause harm to an individual) when determining its collection, retention, and use practices.  Context is defined in the Act by reference to several factors including the extent and frequency of interactions between individuals and the entity, a user’s understanding about how the entity processes collected data, and the types of personal data processed.  Responsible use includes the data minimization principle of deleting, destroying, or de-identifying personal data after it has fulfilled its business purpose.
  • Respect for Context: Covered entities that are not in accordance with the Act and are not using personal data reasonably in light of context must mitigate privacy risks by, inter alia, providing heightened transparency and individual control, absent limited exceptions.
  • Security: Covered entities must identify risks to the privacy and security of personal data, establish, implement, and maintain safeguards to ensure the security of personal data, and regularly assess, and if necessary adjust, those safeguards.  The reasonableness of the safeguards adopted will be determined by reference to the privacy risk of the data, the foreseeability of threats, widely accepted industry practices, and the cost of the safeguards.
  • Access and Accuracy: Covered entities must provide reasonable access to or a representation of the personal data under their control and must establish, implement, and maintain procedures to ensure such personal data is accurate.  Reasonableness considerations include the privacy risk, the risk of adverse action against the individual if the data is inaccurate, and the cost of providing access or ensuring accuracy.  Covered entities must also provide individuals with means to dispute and resolve the accuracy and completeness of the personal data.
  • Accountability: Covered entities must ensure compliance with the Act through training of their employees, internal or independent evaluations or audits, incorporating privacy and data protection into their systems and practices, and binding third parties to which personal data is disclosed to use that data “consistently with the covered entity’s commitments.”