A couple of years ago, I rented a U-Haul to move some furniture. This past week, I got an email that U-Haul’s databases were hacked and my personal information, including driver’s license data, was stolen. I’m currently following up with U-Haul about the scope and impact of this breach.
Hacks happen, but U-Haul broke Canadian law in how it stored customers’ data. Businesses have significant responsibilities under Canadian law to protect their clients’ data and to delete it once it has served its purpose. Breaching the law can result in fines of up to $100,000.
Is your business at risk of fines if your systems are hacked? Canada’s Privacy Commissioner, or indeed any individual, can initiate a complaint under the Personal Information Protection and Electronic Documents Act (PIPEDA). To reduce the risk of fines under the Act, there are ten principles (set out in Schedule 1 of the Act) that every Canadian business should follow.
Accountability
Your business needs to assign a privacy officer to implement policies and to monitor and manage your compliance with the Act. The name and contact information of this person must be made available to anyone who asks. (In my call with U-Haul, they had no person responsible for this role.)
Identifying Purposes
Before collecting any data, your business must inform anyone whose personal information you collect (this includes customers, clients, contractors and employees, for example):
- what data you are collecting; and
- why you are collecting it, including how the data will be used to provide services to the customer and to collect payment for the services rendered.
Consent
The individual must have explicitly consented to your collecting and storing the information identified above for the stated purposes; this matters most for sensitive data such as driver’s license information. Typically, once you tell them why you need this data, they enter it into a form and click a submit button.
Note that if you ever change or add to the identified purpose, you need to re-obtain the person’s consent for the new purpose. For example, if you collected the information to bill the customer but then decide to use it to target new market demographics for your services, you must inform your customers of the change and obtain their consent to it.
Limiting Collection
If a little data is good, then a lot of data is better, right? No!
There is a temptation to collect more data than we need in case it might be useful in the future, but PIPEDA does not allow you to collect information indiscriminately. You may collect only the minimum data necessary to fulfil the identified purpose, and that purpose must be disclosed to the person so that they can consent to the collection.
Limiting Use, Disclosure, and Retention
All personal data should have a policy defining its minimum and maximum retention periods. For example, data should be kept long enough that you can answer a customer’s questions about an invoice, but it cannot be kept indefinitely. Continuing the example, once a person is no longer a customer, the policy should state that their data will be purged within 60 days of their paying any account balance in full. (U-Haul violated the Act by keeping personal information long after the rental agreement and customer relationship had ended, and after all periods in which to determine damage or insurance claims and all financial transactions had lapsed.)
Accuracy
Personal information must be kept as accurate, complete and up-to-date as is necessary for the purposes for which it is used. Updates should rely on information supplied by the person themselves, not on hearsay or third-party information that may be inaccurate.
Safeguards
Businesses must make reasonable efforts, based on industry best practices, to protect collected personal information against loss, theft and unauthorized access, disclosure, copying, use or modification. The more sensitive the information (a driver’s license number, for example), the stronger the safeguards expected.
Businesses that are hacked by a cybercriminal are not necessarily in breach of this principle unless they are shown to have been negligent in protecting the data: for example, if they did not encrypt data at rest or in transit, used weak passwords to authenticate employees and agents, or failed to patch or harden their IT systems in response to published threat reports. U-Haul admitted that the attack vector was a compromised account belonging to one of its franchisees, but without further investigation this does not necessarily indicate a lack of appropriate safeguards. A single compromised password giving access to customer records is, however, exactly the scenario that multi-factor authentication and least-privilege access controls are meant to contain.
Openness
Your business must make its policies and practices readily available to individuals who ask about them; individuals should not have to make an unreasonable effort to obtain copies. (U-Haul did include a phone number in its communication with victims of the hack, but could not provide any information or copies of any security policies or practices when asked.)
Individual Access
Upon request, an individual must be informed of the existence, use and disclosure of his or her personal information and must be given access to it, normally within 30 days of the request. The individual must be able to challenge the accuracy and completeness of the information and have it amended as appropriate. (I did not ask U-Haul to divulge the contents of my personal information when I called them; however, based on the findings to date, I suspect that they would not have the appropriate policies and practices in place to comply with this requirement if asked.)
Challenging Compliance
Any individual can question or challenge your compliance with any of the above principles. You must have processes and procedures in place to handle inquiries and complaints about your policies and practices for managing personal information, and the complaint process should be easy to find and simple to use. You must investigate all complaints and, where a complaint is found to be justified, take the necessary action to amend your policies and practices. (Again, without any policies or procedures, U-Haul is not able to receive or manage complaints about them.)
We need to remember that personal information does not belong to the business. It belongs to the person who chooses to do business with us. Businesses that don’t understand this risk a public relations nightmare when the data in their possession is compromised. Eventually this will happen.
The principles outlined in PIPEDA are reasonable requirements and practices that ensure a business which values its clients treats them with respect and dignity. Drafting the necessary policies and practices and assigning an employee to protect personal data need not be difficult or time-consuming. In fact, it can help build your brand as a customer-focused enterprise.