As the collection and use of personal data has increased in recent years, so has the incidence of privacy breaches. From Facebook to Google to Cathay Pacific, the scale and scope of privacy breaches has reached staggering levels. One industry that has largely managed to stay out of the public eye with respect to privacy issues is the restructuring and insolvency industry. While licensed insolvency trustees regularly deal with large amounts of personal information, there have been relatively few public incidents involving privacy issues and trustees. With the release of new Mandatory Breach Notification regulations (the “Regulations”) under the Personal Information Protection and Electronic Documents Act (“PIPEDA”), there is potential for increased scrutiny of trustees’ handling of personal information.
The Regulations require organizations to notify individuals and the Office of the Privacy Commissioner of Canada (the “Commissioner”) about privacy breaches under certain specific conditions and to keep records of all privacy breaches. While the Regulations themselves may not introduce new risk for trustees, they will shine a light on the use of personal information in insolvency proceedings and may serve as a trigger for litigation where breaches do occur. This raises an important question: are the protections afforded trustees under the Bankruptcy and Insolvency Act and under model orders dealing with receiverships and CCAA arrangements sufficient?
Amendments to PIPEDA: Mandatory Breach Notification
The Regulations, which came into force on November 1, 2018, introduce new requirements with respect to companies’ obligation to report data breaches and to maintain records of those breaches. Companies are now required to report breaches of security safeguards involving personal information whenever there is a real risk of significant harm to the individual. There is a subjective analysis to be done on whether a ‘real risk of significant harm’ exists, but the Regulations provide guidelines to assist in the assessment.
Once a real risk of significant harm is assessed, the company has an obligation to report the breach ‘as soon as feasible’ to both the individual(s) at risk and the federal Privacy Commissioner. Failure to report the breach to the Privacy Commissioner may result in a fine of up to $100,000. The scope of the report to both individuals and the Privacy Commissioner is significant, and includes details of the incident itself, steps taken to remedy the situation and steps taken to mitigate damage.
In addition to reporting requirements, organizations must maintain records of all privacy breaches (regardless of the risk of harm) involving data under their control for a period of two years from the date of the breach.
Opportunities for data breaches are rife in restructuring and turnaround situations. By their very nature, these environments involve a breakdown of existing structures and processes. Disgruntled former employees and unpaid vendors with access to personal information present a risk of malicious data breaches, but a breach due to accident or oversight is just as likely. While none of these risks are new, the Regulations will require trustees to shine a spotlight on incidents when they occur, raising the spectre of litigation from affected parties.
Existing Protections in Legislation and Model Orders
Trustees have several protections against liability arising from data breaches, including statutory provisions in the Bankruptcy and Insolvency Act and standard paragraphs in the model receivership and CCAA orders used in most provinces. These protections, however, restrict the personal liability of trustees only where (a) the events in question occurred before the trustee’s appointment or (b) there has been no gross negligence or wilful misconduct. It is not clear that these clauses would apply in a situation where, for example, a trustee’s employee wilfully and maliciously released personal information relating to an estate.
An additional provision in the model receivership order deals with the release of employee information, but only in the context of a sale of assets. There is no specific protection for trustees where the data breach arises from accident or omission. Recent headlines around the bankruptcy of Netlink Computer Inc. and the reported release of customer information stored on abandoned computer equipment raise questions about the obligations of trustees where a bankrupt company has abandoned assets. The auctioneer engaged by the trustee in that case is now the subject of a class action suit; it is not inconceivable that liability could attach to the trustee as well.
Are New Protections Required?
The Regulations should serve as a wake-up call to the insolvency community. While data privacy issues may have flown under the radar in the past, they are unlikely to do so going forward. Existing protections in the Bankruptcy and Insolvency Act and the model receivership and CCAA orders are not sufficient to protect trustees from liability associated with the inadvertent release of personal information. The insolvency community should be actively pursuing amendments to legislation to clarify the trustee’s obligations with respect to pre-appointment breaches, breaches by third parties engaged by the trustee, and the trustee’s personal liability. The latter should also be addressed through changes to the model receivership and CCAA orders.