A few weeks ago, I wrote in this space about how I was helping a client deal with a data breach. It was a unique case (aren’t they all?) in which it became quite difficult to determine if the legal threshold for reporting was met. The legal threshold, if you recall, is that you must report breaches if there is a “real risk of significant harm” that could result from the incident.
My comments could have been read as a complaint to our regulators that we do not yet have a clear and practical way of making solid determinations on this very important threshold issue — what is and isn’t a real risk of significant harm (RROSH)?
In Alberta, where they have had a mandatory and legal requirement to report breaches for a number of years, the commissioner publishes decisions in which that office has determined that there is a RROSH.
Unfortunately, we don’t get to see those decisions when that office agrees there is no RROSH. What we do see is helpful, but even more transparency would be useful.
Meanwhile, in these early days of the breach requirements being in force, the federal office hasn’t published anything yet beyond its guidance that it will evaluate the sensitivity of the information at issue along with the probability of harm that might result from the incident.
They are not advising on RROSH because they want to have some experience dealing with all this before they provide more specific guidance or direction on the issue.
In the meantime, however, there is some uncertainty, and I presume those of you who, like me, are counseling organizations either from within or from outside feel the same. Just today I dealt with yet another breach where this very question was at stake. On balance, I applied what I know and didn’t believe it was RROSH. Was I right?
More importantly, are you having the same kinds of questions in your work?
For example, what if sensitive information of many people is mistakenly disclosed to only one person, and they say it was quickly deleted without being read? What if your breached information was encrypted? Does that change the analysis? Does it matter if it involved a cloud-based email account?
I think many questions still remain when effectively applying the new breach requirements — and RROSH in particular. Understandably, companies don’t want and should not have to over-report, but they also want to make sure they do what they are supposed to. Experience and guidance will help.
What do you think? Where do you still have questions, if any, about breaches? What do you think is more RROSH than not? Let me know. It’s not like breaches are going away anytime soon.