Patients and Philanderers: Why the Ashley Madison Report has Something Important to Say about Cybersecurity Standards for Patient Data

Author: John Beardwood

A) Introduction

Privacy legislation in Canada, the U.S. and elsewhere, while imposing detailed requirements on issues such as consent, often reverts to high level principles in outlining privacy safeguards or security obligations.  One concern of the legislators has been that by providing more detail, the laws could make the mistake of making a “technology pick,” which – given the pace of evolving technology – could very well be out of date in a few years.  Another concern is that what constitutes appropriate security measures can be very contextual.  Nevertheless, however well-founded those concerns, the result is that organizations seeking direction from the law as to how these safeguard requirements translate into actual security measures are left with little to no clear guidance on the issue.  

For example, the Personal Health Information Protection  Act (“PHIPA”) provides guidance as to what constitutes appropriate security safeguards for personal health information in Ontario.  However, PHIPA simply states that a health information custodian shall take steps that are reasonable in the circumstances to ensure that personal health information in the custodian’s custody or control is protected against theft, loss and unauthorized use or disclosure and to ensure that the records containing the information are protected against unauthorized copying, modification or disposal. Unfortunately, this principles-based approach loses in clarity what it gains in flexibility.

On August 22, 2016, however, the Office of the Privacy Commissioner of Canada (the “OPC”) and the Australian Privacy Commissioner (together with the OPC, the “Commissioners”) provided some additional clarity as to privacy safeguard requirements in their published report (the “Report”) on their joint investigation of Avid Life Media Inc. (“Avid”).[1] 

The Report is significant, in that organizations collecting, using and disclosing highly sensitive personal information – like personal health information -have now been provided with reasonably detailed guidance as to what the cybersecurity standards are under the law:  that is, what measures are expected to be implemented by an organization in order to substantiate that the organization has implemented an appropriate and reasonable security standard to protect highly sensitive personal information.  While these cybersecurity standards have been proposed by the federal Privacy Commissioner, and not by the provincial privacy commissioners primarily charged with regulating the use of personal health information, given the relationship between the federal and provincial privacy commissioners we expect that the standards expressed in the Report will be very influential in shaping the cybersecurity expectations of those commissioners.

A. Key Privacy Security Insights

1. The Report:  Security Safeguards Due Diligence

In the Report, the OPC provides guidance on the level of diligence expected of an organization when determining adequate security safeguards under Principle 4.7 of PIPEDA, namely that: 

· Sensitivity of Data: an organization needs to understand the sensitivity of the personal information that they collect, use and disclose, and the corresponding required level of safeguards under PIPEDA;

· Security Risk Policy: an organization should adopt clear and appropriate processes, procedures and systems to handle information security risks, supported by adequate expertise, whether such expertise is internal or external;

· Safeguard Assessment: an organization should conduct a meaningful assessment (i.e. one that doesn’t just focus solely on the risk of financial loss to individuals due to fraud or identity theft, but also on their physical and social well-being) of the required level of safeguards for any given personal information; and

· Risk Balance: safeguards should be adopted by an organization with due consideration of the risks faced.

Based on the foregoing diligence, the Report provides specific insight into what Canadian privacy commissioners would likely require as adequate safeguards where an organization collects, uses or discloses highly sensitive personal information like patient information. 

[1] PIPEDA Case Summary #2016-005 - Joint investigation of Ashley Madison by the Privacy Commissioner of Canada and the Australian Privacy Commissioner/Acting Australian Information Commissioner.