UK Charity Fined £100,000 for Personal Data Breach
Jun 2018 Charity & NFP Law Update
On June 7, 2018, the Information Commissioner’s Office (“ICO”) of the United Kingdom published a monetary penalty notice fining a charity, the British and Foreign Bible Society (“Bible Society”), in accordance with s. 55A of the UK’s Data Protection Act 1998 (“DPA”), after a 2016 cyber-attack compromised the Bible Society’s computer network. The Bible Society is a “data controller” under s. 1(1) of the DPA, and must comply with data protection principles regarding personal data that it controls as a data controller. The data protection principles require data controllers to ensure, among other things, that “appropriate technical and organizational measures [are] taken against unauthorized or unlawful processing of personal data…” to maintain an appropriate level of security relative to the harm that could result from a data breach and relative to the nature of the data.
In 2009, the Bible Society created a service account intended for internal use, allowing users to log on to the network remotely and access network files. However, the account username and password were identical, and protection was therefore weak. As a result, attackers were able to access the network between November 16 and December 1, 2016, by guessing the weak password and username combination. An attacker subsequently installed ransomware on the network, encrypting 1 million shared files, including files with personal data. This data included details for 1,020 payment cards, 27,800 bank accounts, and contact information for 417,000 of the Bible Society’s supporters. While this information was retrieved by the Bible Society through a backup, files were obtained by the attacker, possibly including personal data.
The ICO found that the Bible Society had failed to implement appropriate technical and organizational measures for ensuring that the personal data on its network could not be accessed or processed by an attacker, in contravention of the DPA. In addition to the weak password, the ICO found that the Bible Society did not have sufficient oversight of its network and systems; did not identify possible network risks when implementing the service account for remote access; did not remove all of the shared files from the network to a secured location with limited access; and did not enable ‘on access scanning’ that would have detected the ransomware when it was first deployed instead of the next day.
Given the number of individuals whose personal data was affected, the nature of the personal data, and the potential consequences of a breach, the ICO found that the contravention was of a serious nature. Further, as the attacker accessed financial data that could expose the data subjects to identity theft or financial harm, as well as sensitive personal information that would have allowed it to infer the religious beliefs of the subjects, the ICO found that the contravention was likely to cause substantial damage or distress to the data subjects. Although the ICO also found that the Bible Society did not intentionally contravene the DPA, it found that the inadequacies were a matter of serious oversight and that the Bible Society ought reasonably to have known of the risk of a ransomware attack, of the vulnerability of the data on an open network, that such an attack would cause substantial distress to the data subjects, and that the Bible Society should have ensured that the personal data was appropriately protected. The ICO therefore fined the Bible Society £100,000 for its contravention of the DPA.
Although this case takes place in the context of UK law, it is a reminder that attacks and data breaches can happen to any organization, including charities and not-for-profits. Regardless of their status as charities or other not-for-profits, all organizations should take steps to ensure that they have appropriate physical, technical and administrative safeguards in place to protect personal information in their custody or control. This case demonstrates that charities and not-for-profits can face significant financial penalties for privacy breaches, whether they are subject to and have breached a statute (such as PIPEDA or the British Columbia Personal Information Protection Act), as in the UK case, or whether they are found liable in tort as the result of a lawsuit brought against them. This case is therefore a reminder to all charities and not-for-profits of the importance of ensuring that they put in place appropriate safeguards to protect the personal data in their possession.
Reduced Employee Benefits After Age 65 Found to be Discriminatory
Jun 2018 Charity & NFP Law Update
On May 18, 2018, the Human Rights Tribunal of Ontario (“HRTO”) released its interim decision in Talos v Grand Erie District School Board, in which the HRTO ruled that subsection 25(2.1) of the Ontario Human Rights Code (“Code”) was unconstitutional, as being contrary to the equality rights protections included in the Canadian Charter of Rights and Freedoms (“Charter”). Subsection 25(2.1) of the Code, in conjunction with the Employment Standards Act, 2000 (“ESA”), and its regulations, allows employers the discretion to terminate benefits for workers age 65 and older. It should be noted that this decision is not a general declaration of constitutional invalidity, as the jurisdiction of the HRTO, as decided in earlier case law, does not permit the HRTO to issue such declarations. However, the HRTO can refrain from applying the impugned section of the Code if, in its view, the section offends the Charter. Nonetheless, this decision is important insofar as it serves as an indication of the HRTO’s stance towards the reduction of employee benefits for employees over the age of 65.
For the balance of this Bulletin, please see Charity & NFP Law Bulletin No. 424.
Ontario Court Dismisses s. 6 CAA Application for Financial Disclosure
Jun 2018 Charity & NFP Law Update
On June 6, 2018, the Ontario Superior Court of Justice released its decision in Faas v CAMH, in which it considered an application by the Faas Foundation and its principal, Andrew Faas (“Faas”), under s. 6(3) of the Charities Accounting Act (“CAA”) for a court order directing the Public Guardian and Trustee (“PGT”) to investigate how a public foundation and registered charity, the Centre for Addiction and Mental Health Foundation (“CAMH”), used donation funds from Faas. Faas brought the application in relation to a Donor Investment Agreement (“DIA”) for a $1 million donation to CAMH to develop a mental health program, Well@Work. The donation was to be paid in three equal instalments over a three-year period while Well@Work was developed. While the first instalment was paid in 2015, no further payments were made.
The DIA did not provide Faas, as a donor, with any access to CAMH’s internal information or work product, oversight of the program, or any involvement in program design or implementation. The DIA did, however, require CAMH to report to Faas annually on the progress of Well@Work. While CAMH complied with its reporting requirement, Mr. Faas began to express dissatisfaction with the development of the Well@Work program, making various demands concerning the program design and implementation, and for greater disclosure of information, including an accounting of the program. As he believed that CAMH was “not going to be able to deliver on the three-year plan,” Mr. Faas also demanded a new grant proposal from CAMH with terms conforming more closely to his own vision for the program. Faas subsequently demanded that CAMH refund the first instalment of the donation. CAMH refused, stating that the funds had been spent on developing Well@Work.
The court stated that s. 6(3) of the CAA provides courts with the discretion to make an order that a registered charity be investigated by the PGT where it is “of the opinion that the public interest can be served by an investigation of the matter complained of.” As such, it found that the threshold was whether the public interest would be served by a PGT investigation, and examined the jurisprudence surrounding s. 6 of the CAA to determine what the public interest was and when a PGT investigation would serve the public interest, finding that “public interest” is to be “construed in the context of the statute in which [it is] found.” Further, it noted the narrow mandate of the PGT, focused on financial management, and that courts can only order an investigation but cannot direct the PGT as to how the investigation is to be conducted. In this regard, a s. 6 PGT investigation could not be used as “a mechanism by which a donor can gain information about the recipient of its funds.”
As s. 6(3) investigations are at the cost of the public, the court also stated that courts must be mindful of the disruptiveness and high cost of such investigations, and that an investigation should only be ordered “on reasonable and probable grounds and not on the basis of conjecture, surmise, or groundless accusations,” or to investigate administrative wrongdoings rather than financial matters. As such, in order for an investigation to serve the public interest, there must be mischief to the public at large rather than a “personality-driven dispute.”
Faas’ application was not with regard to CAMH’s failure to use the donated funds for CAMH’s charitable objects. The court instead found that the application questioned whether the donation was used “in a way that conforms with Mr. Faas’ personal vision of the funded program,” which it held was a private rather than public interest. Specifically concerning Faas’ demands for an accounting to ensure proper spending of the donated funds, the court held that it was based on conjecture, as no mischief was identified and there was no apparent misuse of funds. Based on its review of jurisprudence surrounding s. 6 of the CAA, the court found that Faas’ application fell outside the scope of the PGT’s jurisdiction, and held that “[a]bsent evidence of financial misdeeds, Faas has no particular right to a detailed accounting of CAMH’s program and its use of funds.”
This case reinforces the principle that courts are reluctant to interfere in a charity’s operations unless the public interest is being affected. Although the application in this case was not successful, this case should nonetheless serve as a reminder to charities of the importance of ensuring that donated funds are used to further their charitable objects, and to donors that s. 6(3) investigations will not be ordered lightly. In this case, Faas was ordered to pay $130,000 in costs for making an application in what the court considered to be a private interest rather than a public interest.
