PIPEDA – Lessons Learned and Recommendations for Businesses One Year after Introduction of Mandatory Breach Reporting

Published on: November 2019 | What's Trending


One year ago, on November 1, 2018, changes were made to the Personal Information Protection and Electronic Documents Act (“PIPEDA”) requiring organizations to report to the Office of the Privacy Commissioner of Canada (“OPC”) breaches of security safeguards involving personal information that pose a real risk of significant harm to individuals. The changes also required organizations to notify the affected individuals and to maintain records of all data breaches for a minimum of 2 years. Before these mandatory obligations were implemented, organizations would simply report data breaches to the OPC voluntarily. The OPC recently issued a report outlining the impact of those changes and the trends observed over the past year.

The OPC report pointed out that fraudsters and hackers often use similar techniques to attack businesses in the same industry. Businesses, therefore, need to be vigilant and keep abreast of data breaches and attacks in their industry. For example, the OPC reported a trend in the telecommunications industry whereby hackers impersonate others to convince customer service agents to make changes to customers’ accounts (e.g. assigning a phone number to a new SIM card). Once the changes are made, the hackers can gain access to the accounts.

Following November 1, 2018, the OPC received 680 data breach reports affecting approximately 28 million Canadians, a dramatic six-fold increase in the number of data breach reports from businesses of all sizes. The data breaches include loss, theft, unauthorized access and accidental disclosure of personal information. The OPC reported that 58% of the data breaches involved unauthorized access caused by employee snooping and social engineering hacks such as phishing and impersonation to access others’ personal information. The accidental disclosure of personal information resulted from employees inadvertently using a wrong email address or mailing address. Other data breaches resulted from the loss and theft of storage drives, computers and paper files.

Data breaches remain a real concern for businesses, as they can detrimentally impact their customers and cause significant harm to an organization’s reputation. The media is constantly reporting data breaches and hacks involving large corporate databases. Customers are becoming more and more concerned about their privacy. Organizations that take proactive measures to protect personal information will earn the trust of more customers, ultimately leading to greater profitability.

In a recent OPC survey of Canadians, it was reported that 92% expressed some level of concern about the protection of their privacy. Most Canadians (76%) have refused at some point to provide their personal information to a business, and most (70%) have not traded their personal information for discounts or incentives on a good or service. The survey also indicated that 45% did not trust that businesses in general respect their privacy rights.

In order to meet customers’ expectations and comply with privacy laws, businesses need to ensure that they have the proper safeguards in place to protect personal information under their control from being lost, misused or stolen. Businesses need to understand what personal information they have, where it is, what they are doing with it and how they are protecting it. They need to know when and where they collect personal information, where it goes and who can access it.

Businesses should make sure that their employees are properly trained so that they understand their privacy responsibilities along with the organization’s personal information policies and procedures. Safeguards may include limiting access to authorized personnel, locking filing cabinets, using strong passwords, and using encryption and antivirus software on computers. It is important for businesses to appoint a privacy officer who is responsible for privacy compliance, and to ensure that employees and customers know who that person is and how to contact them if necessary. Businesses should also undertake risk and vulnerability assessments to identify and minimize potential threats, protecting both the organization and its customers. These safeguards should also extend to information collected by third parties acting on behalf of a business.

If your business experiences a data breach, you should contact a privacy lawyer immediately to ensure that you are complying with your obligations, as steps need to be taken quickly. An assessment will be made as to whether the breach needs to be reported to the OPC. Failure to report a significant breach could lead to fines of up to $100,000 for each time a person is impacted by a breach.