The Office of the Privacy Commissioner (OPC) recently released a report marking the one-year anniversary of the mandatory breach reporting regulations under the Personal Information Protection and Electronic Documents Act (PIPEDA) coming into force. Since November 1, 2018, organizations subject to PIPEDA must report to the OPC any breaches of security safeguards that pose a real risk of significant harm to individuals affected by the breach and also notify the affected individuals. The organizations must also keep records of all data breaches that occur within their organization.
Numbers speak for themselves
The OPC notes in its report that since the mandatory reporting obligations came into force, it has seen the number of data breach reports “skyrocket.” Reports are coming in from large, well-known corporations, as well as from small- and medium-sized businesses that are subject to PIPEDA. The numbers are staggering and much higher than anticipated, considering that this report covers only a one-year period:
- 680 breach reports – six times the number of reports compared to the previous year when the data breach reporting was voluntary;
- 28 million Canadians affected by a data breach during this year;
- 58 percent of the breaches reported (397) due to unauthorized access;
- 22 percent of the breaches reported (147) due to accidental disclosures;
- 12 percent of the breaches reported (82) due to loss of a computer, storage drive or paper files; and
- 8 percent of the breaches reported (54) due to theft of documents, computer or computer components.
The OPC expected these numbers to be lower based on the experience of its counterparts from the Office of the Information and Privacy Commissioner of Alberta, where the mandatory reporting laws have been in effect for more than 10 years.
There is no doubt that Canadian businesses face challenges with respect to privacy risks, and steps must be taken to reduce the risk of breaches. In its report, the OPC takes the opportunity to highlight some important steps that companies can take when considering privacy and the risks associated with data breaches:
- Know the personal data under your control: not only what it is, but where it is stored, where you collected it, what you are doing with it and where it goes. Make sure you know who is authorized to access each type of data and for what purpose they may access it.
- Know your vulnerabilities. Once you are aware of all the data under your control, you must conduct risk and vulnerability assessments, or penetration tests within the organization, to ensure you are able to identify threats to privacy. More than half the breaches reported were caused by unauthorized access, but a significant number of breaches resulted from accidental disclosures or loss of data, so the focus of your risk assessments should be broad. Besides the obvious technological safeguards that must be implemented, ensure that your third-party providers have appropriate safeguards in place and that your employees are trained in their jobs and are aware of the risks associated with their responsibilities.
- Be aware of breaches in your industry. Attackers think that if it worked once it may work again, so they will re-use the same type of attack on other organizations with a similar business profile. Subscribe to associations in your industry to stay apprised of any developments and alerts that go out in the field.
Be mindful that obligations under the mandatory breach reporting regulations require reporting only when there is a real risk of significant harm to individual(s) affected. It is not relevant whether one individual or one million individuals have been affected by the breach. To extrapolate from this, it is conceivable that many more breaches of personal data have occurred in the past year that did not reach the threshold of “real risk of significant harm,” and, therefore, these organizations were under no obligation to report the breach to the OPC or the affected individuals.
The OPC also included a number of tips on the immediate steps to respond to a breach:
- Contain the breach by stopping the unauthorized access, recovering the lost records or shutting down the system that suffered the breach;
- Designate someone with appropriate authority to take the lead in investigating the breach and make sure the organization is taking the necessary steps to address the breach;
- Determine if any notifications are necessary, internally or externally, and escalate the matter to the appropriate entities responsible for privacy compliance; and
- Document the steps taken and do not destroy any evidence that may be valuable in determining the cause of the breach, so you can take appropriate corrective actions.
We often hear that it is not a matter of “if” an organization will suffer a data breach, but, rather, “when” an organization will be the target of a data breach. The numbers just released by the OPC illustrate that the targets of these attacks can be anyone, and that internal vulnerabilities can exist in any organization, large or small. Therefore, we would add to the OPC’s recommendations and suggest that organizations be prepared for the time when it happens. These preemptive measures are essential to ensuring that the risks and damages flowing from a breach are minimized.
To that end, we recommend having a breach response plan in place to quickly and efficiently respond to any breach situation in a planned and coordinated manner. The plan should include a set of actions and clearly outline who is responsible for what and when their services are engaged. There should be a chain of command, and the assigned individuals should know what their roles are, as well as what they are expected to do immediately upon learning that there has been a breach. These individuals should be trained and kept apprised at all times of any changes within the company and in the way personal information is collected, processed and/or shared.
Be prepared, be ready and always be on alert! Being prepared and having an efficient plan in place can reduce the financial and reputational damage associated with a data breach.