Workplace data theft – Protect your company with best practices

August 8, 2019 Lisa Stam, Spring Law Employee Relations, HR Policies and Procedures, Human Resources, Privacy and Security, 0

The Capital One Data Breach has been big news lately, and for good reason. It’s a big deal. This breach compromised the data of over 100 million Capital One customers. Instead of a shadowy overseas hacker or a creepy crawler from the dark web, the hacker was a former employee of the cloud hosting company through which Capital One stored their data (unconfirmed, but likely Amazon Web Services). She hacked through Capital One’s firewall to access information stored on the Amazon cloud. See women can be hackers too! This particular woman is now in US federal custody. 

Allegedly, Capital One configured a web app incorrectly, which created the vulnerability through which the hacker was able to access the server and the data. 

This situation is a nightmare for all involved – the customers, Capital One, and perhaps Amazon – and serves as a good opportunity for us to remind users about data security and workplace privacy. 

Data governance in Ontario

Every modern workplace should have a data governance policy, especially now as it is becoming more common for employers to digitally store an employee’s entire work life that the employer may or may not be diligently protecting. The data governance policy may differ depending on your workplace and jurisdiction. The majority of Ontario workplaces are provincially regulated and employee information is not subject to any specific privacy or data governance law, with the exception of those that deal with private health information. Workplaces that deal with private health information – generally these are just bodies in the medical field – are governed by the Personal Health Information Protection Act. Even where no specific law applies, employees are entitled to a reasonable expectation of privacy in the workplace. 

The federal privacy legislation, Personal Information Protection and Electronic Documents Act (“PIPEDA”) applies to federally regulated private sector business (banks, telecommunication, interprovincial transportation, etc.) It governs personal information generally, and not just personal health information.

While PIPEDA only applies to employers in federal works, undertakings and businesses, adopting a PIPEDA-inspired standard in the workplace can benefit employers looking to strike a balance between their employee’s right to preserve their privacy and their right to collect and retain information critical to the functioning of their business.

Data governance policies

Schedule 1 of PIPEDA includes a list of 10 basic principles that businesses should use in order to ensure their use and storage of private data is reasonable. These rules are also reflected in various provincial private sector privacy laws and are frequently cited in privacy caselaw and arbitral decisions in Ontario. This list should provide employers in Ontario with the tools required to properly manage their employees private information, which provides the employer with added protection in the event that their data finds its way into the hands of hacker. 

1. Organizations are accountable and responsible for the data they manage.
2. Organizations should inform individuals of the personal information it collects from, why it collects it, and what it does with it.
3. In most instances, an employee should be given an opportunity to consent to the collection, use or disclosure of their personal information.
4. The information collected by an employer should be necessary for the purpose identified and should be collected using fair and lawful methods.
5. An organization should only disclose personal information for the purpose it was originally collected and store information only for as long as originally specified, unless the individual consents to other uses or there is a legal rationale for disclosing the information.
6. An individual’s personal information should be accurate, complete, and up-to-date.
7. Personal information should be protected using adequate safeguards.
8. Information about an organization’s privacy policy should be accessible and available upon request.
9. Individuals have the right to access their personal information and the right to have their information corrected.
10. Organizations are required to give employees the means to challenge an organization’s compliance with these principles.

Individual remedies

While Ontario lacks privacy legislation and thus cannot require employers to implement PIPEDA compliant privacy policies in their workplaces, employers should be mindful that employees do have avenues of recourse if their personal information is accessed or disclosed without their consent. In the landmark privacy case in Ontario, Jones v. Tsige, the Court of Appeal recognized employment information as one of the categories of personal information that could be highly offensive to invade. Employees have successfully relied on this case when their employers have used their personal information inappropriately or required them to undergo invasive tests where highly personal information was collected.

Takeaway for employers

With the stakes being what they are, it may be pragmatic for employers to simply limit data collection to information that is absolutely necessary for the functioning of their business rather than going on fishing expeditions under the guise of improving safety and security. Following the principles expressed in PIPEDA’s Schedule 1 seems like a small concession when you consider the potential havoc a privacy breach could create within an organization. In the event of a breach, having less will certainly provide more peace of mind.

• About
• Latest Posts

Follow me

Lisa Stam, Spring Law

Founder of Spring Law, Employment and Labour Lawyer at Spring Law

Lisa Stam is founder of Spring Law, a virtual law firm advising exclusively on workplace legal issues for employers and executives. She practices all aspects of employment, labour, privacy, and human rights law, with a particular interest in legal issues arising from technology in the workplace. Lisa’s practice includes a wide range of entrepreneurs in the tech space, as well as global companies with smaller operations in Canada. In addition to the day to day workplace issues from hiring to firing, Lisa frequently blogs and speaks on both the impact, risks and opportunities of social media and technology issues in (and out of) the workplace, as well as the novel ways in which changing expectations of privacy continues to evolve employment law. Read more here.

Follow me

Latest posts by Lisa Stam, Spring Law (see all)

• Surveillance in the workplace - March 11, 2020
• Are changes to Canada’s Privacy Law landscape on the horizon? - February 12, 2020
• Notable cases of 2019 - January 8, 2020

Capital One data breach, data governance, data theft, employment law, Personal Health Information Protection Act, personal information, Personal Information Protection and Electronic Documents Act, PHIPA, privacy compliance practices, private data storage

Are executives entitled to variable compensation after being terminated? Workplace investigation alert – Injunctions in investigations: Do they ever work?