The Manitoba government announced a privacy breach on August 26, 2020 that resulted in the personal information of over 9,000 children being disclosed. An email with the children’s personal information was accidentally sent from a staff member of the Children Disability Service to about 100 agencies and advocacy groups. The intended recipient was the Manitoba Advocate for Children and Youth.
The email inadvertently disclosed personal information about the children including addresses and diagnoses. The information was contained in a spreadsheet which was password protected, but the password was included in the text of the email.
Human error is often the cause of the inadvertent disclosure of personal information collected by a business. A breach of privacy such as that of the Manitoba Children Disability Service requires a business to notify the privacy commissioner, and the affected individuals. It can lead to an investigation by the privacy commissioner, as well as possible litigation if the disclosed personal information is sensitive and puts the affected individuals at risk of harm (e.g. identity theft).
It is integral for businesses to have strong email policies in place. An obvious provision is that a password to a document is never sent in the same email as the password-protected document.
It is not enough to just have a strong email policy. Employees have to be trained on the policy. Annual training should be conducted to reinforce the importance of compliance with the policy.
The Lerners Privacy, Data and Information Security team is able to assist clients in developing a strong email policy that reduces the risk of inadvertent disclosure of personal information, and conduct corresponding employee training. In the event of a privacy breach, the Lerners team can help clients to navigate the breach notification process.