As the Canadian privacy landscape changes, organizations will need to be accountable

Ryan Berger, partner at Lawson Lundell LLP, explains that with more data available comes more accountability

Our use of technology continues to increase and the data created from that use is growing exponentially. Organizations collecting and using that data will be held accountable.

In the future we will be awash in data. As of 2020, one person using the internet creates roughly 1.7 megabytes of data every second.[1] Altogether, the global volume of existing data is currently 33 zeta-bytes, and it is predicted to increase to 175 zeta-bytes by 2025.[2] This is an incredible wealth of information. Approximately 90% of existing data has been created in the last two years alone.[3]

USING THE RIGHT DATA, IN THE RIGHT WAY

Using the right data in the right way can be extremely valuable to organizations. Some companies have already begun to harness the power of data. Walmart, for example, collects 2.5 petabytes of data from customers every hour.[4] By leveraging data processing and analytics, Walmart has been able to increase efficiency, optimize their supply chain, and improve the customer experience.[5] One example of Walmart’s big data success comes from mining sales data. In 2013, Walmart data analysts found a 700% increase in strawberry pop-tart sales before a hurricane.[6] If you see Walmart pushing strawberry pop-tarts in your area, its strategic – and you’ll know to expect a significant weather event.

At the same time, the consequences for using data the wrong way or allowing it to be vulnerable to misuse, however, will only increase.

THE IMPORTANCE OF GOOD DATA GOVERNANCE

With so much available data and the massive potential it holds, individuals, stakeholders, and others will demand more accountability from organizations than ever before. Without proper safeguards, cyber-criminals may be able to access company databases, expose sensitive information, and make a profit in the process. The Hive, a cyber-crime group, has extorted over $100 million USD by holding organizations’ computer systems hostage until they are paid a ransom.[7] Good data governance, including diligent cybersecurity, is an important way that organizations can prepare for increasing amounts of data, and the responsibility that comes with it.

A CASE STUDY ON GOOD GOVERNANCE AND SECURITY

The Federal Privacy Commissioner (“OPC”) launched an investigation into the Marriott Hotel chain’s compliance with the Personal Information Protection and Electronic Documents Act, SC 2000, c 5 (“PIPEDA”) after news broke about a data breach relating to Marriott’s acquisition of Starwood Hotels.[8] The findings provide a useful case study for big data, the importance of good data governance, and the data risks to organizations, including sophisticated ones, engaged in mergers and acquisitions.

The data breach happened over the course of four years starting in 2014, but Marriott did not detect the breach until two years after they acquired Starwood. The attacker had installed a web shell on a Starwood server, which they used to upload additional tools that allowed them to remotely access the Starwood network including secured areas in Starwood’s system. The incident involved approximately 339 million records.

There are several key takeaways from the Marriott case. First, organizations should implement good data governance systems for their own organizations as well as any organizations they may acquire. Adequate safeguards and reasonable retention policies are instrumental. The case also highlights the importance of accountability. If organizations choose to collect personal information and use it to their benefit, they will be held responsible for keeping it safe. Organizations should also ensure that they are vigilant about their security standards and those of any subsidiaries they own or acquire in the future. We outline some of these lessons below.

PRIVACY AND CONFIDENTIALITY DEMAND REASONABLE SECURITY MEASURES

Implementing security safeguards that are proportionate to the sensitivity of the personal information an organization holds is a core element of good data governance and is required by privacy laws.

We learn in the Marriott case that technical security measures need to address, as much as reasonably possible, the main risks to unauthorized access, use and disclosure considering the nature of the technology and the information involved.

Malware was a particular threat, but Marriott did not effectively address it and lacked a security program designed to isolate suspicious code and/or prevent it from executing. While such a security measure was not expressly required by law or considered an industry standard at the time, it would probably have reduced the impact or prevented the Marriott incident entirely, saving countless dollars in legal fees, mitigation costs, and reputational damage. Organizations should consider taking a proactive approach to cybersecurity that addresses the particular technology they use.

After the acquisition, Marriott did not apply all their security standards to Starwood’s network and the standards that were applied were done inconsistently. Organizations should ensure that their monitoring and logging systems are applied uniformly and are designed to quickly respond to suspicious activities so they can identify security breaches quickly.

Encryption is an additional safeguard that is particularly important when dealing with sensitive information. Starwood had not applied encryption consistently to sensitive personal information, which left it exposed during the breach. Organizations should ensure that they enact clear, uniform policies on encryption that all employees understand, or invest in encryption software.

ACCOUNTABILITY INCLUDES ENSURING THE RIGHT MEASURES ARE IN PLACE

When an organization implements or acquires a new system or database that handles personal information, the organization should ensure it is adequately protected. Effective cyber-security due diligence is a crucial part of good data governance and a major area where the case suggests Marriott fell short.

Before they discovered the breach, Marriott thought that multi-factor authentication (MFA) had been implemented for anyone accessing the Starwood breached database. This assumption was based on compliance reports that rated Starwood’s compliance with the PCI DSS standard. However, the PCI DSS standard only considers cardholder data, which left major gaps in the compliance reports concerning other types of personal information in Starwood’s database.

A lack of MFA was an identified vulnerability. Marriott had various protections to control internal access into the breached database; and although the PCI DSS reports addressed MFA, Marriott did not ensure MFA was required for all accounts accessing the database. Certain administrator accounts that had access to the sensitive database did not require MFA, and the attacker exploited this gap throughout the breach. Access restrictions should apply to all potential users and correspond to the sensitivity of the information.

The independent PCI DSS compliance reports were not enough to discharge Marriott’s obligation to keep the personal information in their databases safe. In addition to the reports, the OPC said Marriott should have double checked either (1) the use of MFA to access their databases, or (2) the PCI DSS standard upon which their compliance reports were based. If your organization uses PCI DSS, consider whether an additional assessment with another standard may be necessary in order to rate your organization’s compliance with handling personal information that is not cardholder data.

Implementing and applying good data governance and security policies, which require appropriate security measures designed to address the particular risks posed in each case, are key features of a privacy management program.

LIMITING RISK: INFORMATION RETENTION AND DESTRUCTION

Good data governance involves, and privacy laws require, organizations to retain personal information only as long as it is necessary to fulfil the purposes for which it was collected. Data retained longer than necessary for legal or business purposes only becomes a liability.

Marriott had a 10 year retention policy designed to comply with certain legal requirements, but some information that was subject to the breach dated as far back as 2002. Retaining information for such long periods without destroying or anonymizing it increased the impact of Marriott’s incident.

A key feature of a privacy management program is to create and effectively implement data retention and secure destruction policies and processes so that important information remains accessible to the business and old information is purged as appropriate to limit risk.

CONCLUSIONS

None of Marriott’s actions were malicious, but they continue to deal with the ramifications years later. Not only was Marriott found to have breached their obligations under PIPEDA, but they are also currently defending multiple class action law suits. Two class action law suits surrounding the data breach are currently underway in Canada,[9] and earlier this year a federal judge in Maryland certified a class action suit spanning multiple districts in the United States.[10]

Data and privacy laws are still developing and the emerging patchwork of legal regimes across the country and the world is often challenging for organizations to navigate. Fines and penalties are becoming more commonplace in Europe under the GDPR. With the proposed changes coming to the Canadian privacy landscape under the Digital Charter Implementation Act (Bill C-27), including the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act, we are likely to see increased enforcement in Canada, including compliance orders by the OPC, administrative monetary penalties, and fines of up to 5% of global revenue or $25 million, whichever is greater, for the most serious offences.

As data abounds, organizations ought to ensure their privacy management programs keep pace.

The author thanks Emily Raymond for her help authoring this article

***

Ryan Berger is a leading privacy and employment lawyer, with a primary focus on providing strategic advice to businesses and employers. Ryan leads the Lawson Lundell’s Privacy Group and routinely advises public and private sector organizations on data protection, business confidentiality and privacy compliance, risk management strategies, breach response, access to information, and litigation. Ryan manages breach response teams for clients, including forensic investigation, crisis communications and notification.

On the transactional side, Ryan works closely with the firm’s business group on technology development, innovation and deals involving data, as well as cloud and Software as a Service (SaaS) agreements.

Ryan also has substantial employment law practice, having practiced commercial and employment litigation for over 20 years. He advises employers in a wide range of employment and dismissal cases, as well as harassment and human rights complaints. Ryan is experienced in the development and enforcement of restrictive covenants.

Ryan has unique experience in the health care space. He has advised and represented health authorities in privileging, discipline and related employment matters. He also combines his understanding of the health care space with keen interest in privacy law to advise electronic medical records providers, clinics and technology companies in the evolving digital health care world.

Ryan has extensive experience in commercial litigation, having appeared before all levels of court in British Columbia and the courts of other provinces, as well as various tribunals and boards.


[1] Halimjon Khujamatov et al, “Fog Computing Capabilities for Big Data Provisioning: Visualization Scenario” (2022) 14(13) Sustainability 1.

[2] Mozamel Musa Saeed & Mohammed Alsharidah, “Enhancing the quality of communication of cellular networks using big data applications” (2021) 8 Journal of Big Data 1.

[3] C Dobre & F Xhafa, “Intelligent services for Big Data science”, (2014) 37 Future Generation Computer Systems 267.

[4] Bernard Marr, “Really Big Data At Walmart: Real-Time Insights From Their 40+ Petabyte Data Cloud” (23 January 2017), online: Forbes

[5] Walmart Staff, “5 Ways Walmart Uses Big Data to Help Customers” (7 August 2017), online: Walmart Corporate

[6] Reagan Cook, “Walmart’s Big Data Strategy: Analyzing When People Crave Pop-Tarts” (3 February 2016), online: LinkedIn

[7] Carly Page, “Hive ransomware actors have extorted over $100M from victims, FBI says” (18 November 2022), online: Yahoo! News

[8] Hotel chain discovers breach of customer database following acquisition of a competitor (July 15, 2022), PIPEDA Findings #2022-005, online: OPC

[9] See Wong v Marriott International Inc., 2020 BCSC 55; Winder v Marriott International Inc., 2019 ONSC 5766.

[10] See In re: Marriott International Inc., Customer Data Security Breach Litigation, 341 FRD 128 (SD Md 2022).

Lawyer(s)