Should your cloud computing provider report suspected security breaches?

Earlier this week, I wrote about new Alberta breach reporting obligations in the Alberta Health Information Act. This post considers how distinctions between suspected, probable, unconfirmed and confirmed data breaches matter in cloud computing agreements.

Not every security incident is a security breach, and not every suspected security breach turns out to be an actual breach exposing personal data. I would argue that Canadian breach reporting laws generally focus on actual breaches; but, I would also argue that this doesn’t necessarily mean that the breach must be confirmed. For example, Canada’s new federal breach reporting law in the Personal Information Protection and Electronic Documents Act defines a “breach of security safeguards” as:

“the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in clause 4.7 of Schedule 1 or from a failure to establish those safeguards.”

It would be a stretch to interpret the words “the loss” etc. and “resulting from” as actually meaning “the suspected loss” or “possibly resulting from”. On the other hand, it is unlikely that a breach must be confirmed in the sense of there being no reasonable doubt. Courts find facts based on the balance of probabilities. It is very likely, therefore, that a court would conclude that probable breaches fall within the definition of a “breach of security safeguards”. This isn’t a foregone conclusion. It still requires the court to read a threshold into the provision, which a court may be reluctant to do. On the other hand, “confirmed” may be too high a test once the court has access to information about how difficult it is in some instances to confirm a breach to the level of “no reasonable doubt”.

Ontario’s Personal Health Information Protection Act is similar. PHIPA imposes a reporting obligation to notify an individual if:

“personal health information about an individual … is stolen or lost or if it is used or disclosed without authority…”

It would be challenging to read “is” as “may have been”. On the other hand, it would substantially weaken the protections of this provision if “is” were to be read as requiring confirmation that puts the breach beyond reasonable doubt.

So, what is the right test for contractual breach reporting obligations in a cloud computing agreement? Should cloud service providers report anything less than a probable or confirmed breach? Should every security incident be reported? There may be good reasons to request reporting of security incidents that are only suspected breaches. Arguably, reporting on all security incidents might provide users of cloud computing services with additional data that can be used to exercise oversight and ongoing due diligence of the cloud service provider. Reporting of suspected breaches may be appropriate if the organization expects or wants to be involved in the investigation to determine whether a breach occurred.

However, I’d argue that information on all security incidents, or even just suspected breaches, has minimal relevance when dealing with public cloud computing services and can be misleading as to the overall risk profile of those services. What is more meaningful is to understand how the cloud service provider investigates security incidents and classifies them. Ideally, users of cloud services would obtain, through due diligence and contractual commitments, assurance that investigations into security incidents are and will be properly resourced and auditable, and that these investigations are and will be timely and effective in establishing whether the incident involved a confirmed breach or, if not fully confirmed, one sufficiently probable that the incident should be treated as a breach.

What do you think? DM me on Twitter – @TM_Banks.


Cloud computing update: Alberta Health Privacy Breach Provisions

On August 31st, new provisions in Alberta’s Health Information Act will come into force that have important implications for users and providers of cloud computing services.

These provisions impose new breach reporting obligations on healthcare service providers and other individuals and entities subject to the Health Information Act.

However, it is important for cloud computing service providers to know that they also have a statutory duty to report certain types of breaches to their custodians – irrespective of what the cloud computing contract says and irrespective of whether the breach is a result of an error or omission by the cloud computing service provider.

What happens on August 31st?

Beginning on August 31st, custodians in Alberta that are covered by the Health Information Act will be required to report certain privacy breaches to the Office of the Information and Privacy Commissioner of Alberta (OIPC), the Minister of Health, and affected individuals. In addition, an affiliate of a custodian (such as an information manager) will have a duty to report certain privacy breaches to the custodian. In each case, the report must be made as soon as practicable.

What are the penalties for noncompliance?

Failure to comply with the new breach reporting provisions is a provincial offence. Fines for noncompliance range between $200,000 and $500,000 for organizations and between $2,000 and $10,000 for individuals. Alberta has a track record of prosecuting Health Information Act offences.

Who are custodians?

Custodians include a wide range of healthcare service providers and stakeholders in the Alberta healthcare sector. Custodians include regulated health professionals (like doctors, pharmacists, and dentists), healthcare service delivery organizations (like hospitals, nursing homes, and ambulance operators) as well as other governmental bodies involved in the healthcare sector (like provincial health boards, regional health authorities and community health councils).

What do cloud service providers have to do?

A cloud service provider may be an “affiliate” under the Alberta Health Information Act. Cloud service providers should obtain legal advice as to whether they fall under the definition of “affiliate” in the Health Information Act and, if they operate outside of Alberta, whether they are subject to Alberta’s jurisdiction when they provide services to Alberta entities.

Beginning August 31, affiliates have direct obligations under the Health Information Act to notify the custodian of any loss of individually identifying health information or any unauthorized access to or disclosure of individually identifying health information in the custody or control of the custodian. Reports must contain prescribed information and be made as soon as is practicable.

An “affiliate” includes (among others) “information service managers” and other individuals and entities that perform a service for a custodian under a contractual relationship. An “information service manager” is an individual or organization that does any of the following:

  • processes, stores, retrieves or disposes of health information,
  • strips, encodes or otherwise transforms individually identifying health information to create non‑identifying health information, or
  • provides information management or information technology services.

What do custodians have to do?

Custodians should ensure that they have implemented policies, procedures and training to meet their new statutory obligation to give notice of any loss of individually identifying health information or unauthorized access to or disclosure of individually identifying health information in the custody or control of the custodian if there is a risk of harm to an individual as a result of the loss or unauthorized access or disclosure. The notice must be given as soon as practicable and contain certain prescribed information.

Custodians should ensure that their cloud service providers are aware of their broad obligation to report privacy breaches in accordance with these new provisions. Custodians should review their contracts to make sure that the terms relating to breach notification are broad enough to cover the scope of what is reportable under the Health Information Act. This is particularly important if there is an argument that the cloud service provider is beyond Alberta’s jurisdictional reach.

In addition, custodians should ensure that all individually identifying health information is encrypted at rest and in transit. Effective encryption is a factor that may avoid having a reportable breach. The Regulations provide that if a custodian is able to demonstrate that the information was encrypted and could not be accessed or would be unintelligible, the custodian is not required to give notice of the loss or unauthorized access or disclosure to the OIPC, the Ministry or the individual.

Do these provisions only cover unauthorized access by or disclosure to third parties?

No, the provisions are not limited to access by or disclosure to third parties. Unauthorized internal access and unauthorized disclosure between custodians are subject to the breach reporting provisions.

Do cloud service providers only have to report breaches where there is a risk of harm?

No, the risk of harm analysis test does not apply to cloud service providers. Whether there is a risk of harm is for the custodian to decide.

What factors can the custodian consider when evaluating a risk of harm?

The Regulations set out a non-exhaustive list of factors that the custodian is to consider when determining whether there is a risk of harm to an individual. These factors include (but are not limited to) whether:

  • the information has been or may be accessed and/or disclosed;
  • the information has been misused or will be misused;
  • the information could be used for the purpose of identity theft or to commit fraud;
  • the information could cause embarrassment or physical, mental or financial harm to or damage to the reputation of the affected individual;
  • the breach has adversely affected or will adversely affect the provision of a health service to the individual;
  • the information was encrypted or otherwise secured in a manner that would prevent the information from unauthorized access or render the information unintelligible by a person who is not authorized to access the information;
  • the information was lost in circumstances in which the information was destroyed or rendered inaccessible or unintelligible;
  • the information was not accessed before it was recovered if it was recovered; and
  • any access or disclosure was only to a custodian or an affiliate and (i) that person is subject to confidentiality policies and procedures that meet the requirements of the Act, (ii) the person accessed the information in a manner that is in accordance with the person’s duties as a custodian or affiliate and not for an improper purpose, and (iii) the individual did not use or disclose the information except in determining that the information was accessed by or disclosed to the person in error and in taking any steps reasonably necessary to address the unauthorized access or disclosure.

Read more!

Find the amendments to the Health Information Act here.

The amendments to the Regulations can be found here.

Employees, Non-Profits and Privacy

Canada is not a bastion of employee privacy rights. In fact, many provinces provide no statutory privacy protections to private sector employees. However, even where employees have been included in provincial privacy legislation – such as in Alberta – the law can still be patchy.

Let’s take the interesting case of Castledowns Bingo Association (Order P2017-07) in Alberta. The key issue for the adjudicator was whether Alberta’s Personal Information Protection Act (PIPA) applied to the employee-complainant. Spoiler alert – the employee won the battle on the application of PIPA but lost the war as to whether PIPA had been breached.

So why is this case interesting? PIPA only applies to non-profit organizations to the extent that organization is collecting, using or disclosing personal information “in connection with a commercial activity.” So is collecting, using and disclosing information about an employee “in connection with a commercial activity”? Here’s the problem: it is well-established that managing an employment relationship is not a commercial activity. The fact that the employee is paid does not make the employment relationship a commercial activity.

That should have been the end of it. However, the adjudicator clearly was not satisfied by leaving non-profit employees outside of PIPA and so contorted the meaning of “in connection with”. Without directly rejecting the idea that the management of an employment relationship is not a commercial activity, the adjudicator concluded that the real issue was whether the employee was performing a commercial activity. If so, then the collection, use or disclosure of personal information was “in connection with” a commercial activity. This involved reading “in connection with” as meaning “in relation to” or “in association with” – instead of sticking with the words as enacted by the Legislature.

Of course, this produced some arbitrary outcomes, which the adjudicator essentially left unresolved. An employee in the bingo hall would not be covered (not performing a commercial activity), but an employee in the lounge would be. The employee in the lounge would be covered, but, according to the adjudicator, the back office employee would not be (because bookkeeping is not directly performing a commercial activity even if the funds came from a commercial activity).

You can read the Castledowns Bingo Association case here.