How to handle data breaches involving employee records

Cyber attacks on Indigo, Telus put spotlight on privacy

“We deeply regret this incident and are committed to ensuring employees have the support they need.”

So said Indigo, in response to a ransomware attack on Feb. 8 when the book retailer’s employee data was “improperly accessed.”

A similar incident confronted TELUS days later, when concerning messages were posted online by someone on a criminal forum.

“Today we’re selling email lists of TELUS employees from a very recent breach,” said the Feb. 17 post.

These kinds of attacks are becoming increasingly common, and as a business risk, employers should be prepared, says Suzanne Kennedy, a partner at Harris in Vancouver.

“There's a lot that can be done now, before you are the victim of an incident — a massive incident affecting your employees’ privacy. Doing those things now will really serve you well later. And not doing those things now may certainly expose you to greater legal risks.”

There’s definitely been a growth in class-action proceedings in relation to privacy breaches, says Kennedy, and “that law is still evolving.”

“Employers that can show that they had appropriate security measures in place before the breach, and they acted responsibly following the breach, are far less likely to find themselves on the other end of a lawsuit like that.”

Knowing the privacy rules

For one, employers should have a good understanding of what laws apply to them when it comes to employee data, and protection of that data, says Kennedy.

“Privacy in the employment relationship is regulated differently, depending on what jurisdiction you are employed in, whether you're federally regulated or provincially regulated, whether you work for government or private sector. So there's this whole matrix of different laws.”

Federally, for example, the Personal Information Protection and Electronic Documents Act (PIPEDA) governs how employee personal information can be collected, used, and disclosed, while provincially, Alberta, British Columbia and Quebec have legislation around personal information in the private sector, and Ontario has public sector privacy laws.

Employers should also look at what promises have been made in collective agreements, says Kennedy, along with employment contracts and policies “about how you're going to protect information — and make sure that you understand that.”

The next piece would be looking at your security and figuring out whether your information systems meet industry best practices, she says.

“If you came into work tomorrow and your systems were down, and you discovered that you'd been the victim of a ransomware attack, do you know who your first phone call would be? Have you walked through, as an organization, how some of these scenarios would play out? Do you know what the decision-making structure is, do you have a crisis management plan in place?”

When employers are faced with this kind of crisis, people can waste a lot of time trying to figure out who should do what, she says, “whereas if you've already done that planning in advance, you know who's in charge, everybody knows where they're supposed to be and what the priorities are, things will flow much more smoothly.”

While CEOs say cybersecurity is amongst their top concerns in the workplace, Canadian organizations say they're underprepared for a cyberattack, according to a recent report.

Considerations for collecting, retaining employee data

Under the privacy legislation, the collection and retention of data is subject to a “reasonableness” standard, says Karen Tereposky, senior associate at Samfiru Tumarkin in Calgary.

“We probably need to have more guidance [from government]... like a rule: ‘Keep it for this long and then get rid of it once your employees have left,’ but I think that's part of the problem: it's just subject to this reasonableness thing, and that can be interpreted so many ways.”

As an example, Tereposky says she was involved in a litigation where the company only kept certain data on its server for six months, and was unable to provide emails going further back.

“In that instance, they're getting in trouble for not having the right information, but then if you hold onto it too long, and it gets leaked, then that's not good either. So there’s got to be some sort of balance there.”

Ultimately, employers should take a harder look at what’s a reasonable period for their business purposes, she says.

“I can see why the legislation is worded in that way — because it's obviously going to be a different length depending on what the information is and what your business is, what the purpose is for it being collected — but it definitely does create a lot of uncertainty.”

Even if you're not subject to privacy legislation and haven't made explicit promises to employees, “there's still a liability risk if you happen to be the unlucky employer that is hit with a cyber attack,” says Kennedy.

That’s why a privacy management program makes sense, with the two big concerns for employers being how much data they’re collecting, and how long they’re retaining it.

Employers should have a strict appreciation of what personal information they have — especially with sensitive categories — to understand: “Is there really a legal or a business or an operational reason why we need to retain this information?” says Kennedy.

“If not, then they should have some processes and standards in place for securely and safely destroying information that's no longer needed.”

Sensitive information within an organization should be shared only on a need-to-know basis, says Kennedy, “particularly if it's medical or employment history information, disciplinary records — only the people that need to have access to that information to perform their duty should have access to it.”

Issues around privacy came to the forefront recently at CBC after sensitive employee data was published on the company’s online HR portal.

Notification considerations

Of course, notifying employees of a possible breach of their personal data is an important consideration.

“Increasingly, laws are coming into force in Canada which require mandatory breach notification and reporting,” says Kennedy.

Under the Alberta legislation, there are guidelines about what organizations must say, says Tereposky — but they’re not really specific.

The Personal Information Protection Act (PIPA) mentions “without unreasonable delay,” for example.

Even if an employer is not required by law to notify people, it’s the “best strategy to reduce everybody’s risk,” says Kennedy.

“If I'm the subject of a privacy breach, if you don't tell me that's happened to me, I don't have the opportunity to contact my credit card company, call my bank — in other words, I'm prevented from taking steps to protect myself from harm.”

And that also reduces the employer’s overall exposure, she says, so “it's a really good risk mitigation strategy.”

In addition, privacy has become an important value in the community, and people expect organizations to be responsible around their privacy, says Kennedy.

“Not notifying can have some significant repercussions just around community confidence and reputation, and how your employees view you,” she says.

“You want to show that you're accountable and you're being responsible… So I think that the notification piece has got both a legal and moral or ethical aspect to it.”

Additional support for employees

After Indigo investigated its cyber attack, the company promised staff two years of free credit monitoring and identity theft protection.

It seems like a reasonable thing to do, says Tereposky.

“It's a prudent step and it probably insulates them a bit,” she says. “If there is any possibility of damage, then at least the employees are protected in a good faith move.”

It also helps build goodwill with employees.

“It's not that anybody has really had any harm or had any loss, I guess, at this stage, but people are just concerned about the unknown of what could potentially happen with this and what they can do to protect themselves,” says Tereposky.

Increasingly, with the risk of identity theft, the community expects employers to take measures like that of Indigo, says Kennedy.

“It protects the individual but... that's also going to protect Indigo from liability; the more we can help people make good decisions to protect themselves from harm, the more the organization is actually also dealing with its own risk exposure.”

“If you're in a class-action lawsuit and you had 500, 1,000 people who had all been a victim of identity theft, if you've given them credit monitoring and they're able to prevent that from happening, your legal exposure is diminished because you've stopped that damage from occurring... it is about being responsible and helping people — but you're also reducing your own risk as an employer.”