After a data breach, a company can easily find that the due diligence it exercised to avoid the breach in the first place can readily be turned against it. “Privacy impact assessments” and “threat risk assessments” are increasingly common, identifying privacy and security risks associated with new projects, new products and new processes. They should be a frank assessment highlighting all of the things that can go wrong to that the business can understand the steps to take to mitigate these risks. If they don’t identify all the risks, they are incomplete. But as most privacy professionals know, you can readily pay a million dollars to avoid a thousand dollars worth of risk. Mitigation steps need to be proportional to the risk, but only the worst case scenarios can instruct you on how badly things can go.
As important as these documents are, they can easily become the “smoking gun” that is front and centre in an investigation by regulators or a class action lawsuit. A privacy risk that is identified and unaddressed (or not fully addressed) will quickly be presented as negligence and recklessness.
I recently reviewed a “privacy risk assessment” prepared by a privacy consultant that was authored a few months before a significant breach involving tens of thousands of individuals. The report was the work of a privacy consultant and can readily be interpreted as a chronicle of previous privacy breaches (all of which could have been much worse), common carelessness on the part of employees, and budgetary constraints that led to cut corners. Many risks were identified and not all were ultimately addressed. The report can be seen to point in a direct line to negligent and reckless handling and safeguarding of sensitive personal information, while management was fully aware of systemic shortcomings. The report concludes that the organization should seek an “acceptable level” of privacy and security breaches. I expect that this document will be Exhibit “A” the class action lawsuit that has already been filed. The consultant's working notes will also be relevant evidence, along with any interviews he carried out. It may well be that the manager who commissioned it will soon regret making that decision.
The reason why this privacy risk assessment will be front and centre in a lawsuit is that the report was not prepared by a lawyer. It was prepared by a consultant who is not able to offer legal advice, despite the fact that it refers to compliance with privacy legislation. The only way to confidently keep anything out of court and off the record is to make sure that it is protected by legal advice privilege. If the report had been prepared by a lawyer or even by a consultant on a lawyer’s instructions in order to support the lawyer’s legal advice, it would never see the light of day unless the organization chooses to waive its privilege. The report would have served its purpose of allowing the organization to have a frank assessment of its vulnerabilities -- warts and all -- without the risk that it would be front and centre in court.
Note: I expect that this may be received as self-serving since I am a lawyer. I look forward to any debate or discussion that this raises.
Is this not taking privilege too far? After all, an assessment of the gaps in business policy which may lead to oversteps would seem to fall squarely under "business counsel."
ReplyDeleteI can certainly see where the line would blur, but surely we ought to draw a true line rather than burying all PIAs under solicitor-client privilege.
That's a really good and valid comment. It would depend on what is actually being achieved.
ReplyDeleteMuch privacy advice is rooted in evaluating compliance with legislative requirements and determining whether the organization meets those requirements. A determination of legal risk would also be legal advice, if performed y a lawyer. Many (but not all) of the privacy impact assessments I've seen are essentially that.
On the other hand, an assessment of whether an organization meets an ISO standard or DSS requirements likely does not fit within "legal advice" and may not be subject to privilege even if performed by a lawyer.
BC FIPPA requires PIAs to be completed in certain circumstances and requires the public body to submit the document to the privacy commissioner for her review and comment. Do you think this compelled disclosure outside of the public body jeopardizes privilege ? Arguably a document created for the commissioner would fall outside of FIPPA for access purposes but question the impact on privilege.
ReplyDeleteThanks for your comment. I think there would be enough wiggle room to argue that it would compromise the privilege.
ReplyDeleteI wonder if disclosure for a discrete statutory purpose - to the Commissioner - avoids waiver. I'd expect in this situation that the Commissioner would be obliged to protect the confidentiality of the compelled PIA.
ReplyDeleteIt's an interesting situation for sure. I'm not certain these compelled PIAs would attract privilege in the first place based on the standard criteria to decide whether solicitor-client privilege covers the document.
However, I'd expect if privilege did attach in the first place, it would remain preserved against the outside world even if disclosed in confidence to the Privacy Commissioner. This assumes that the Commissioner's "review and comment" is not public.