The Office of the Information and Privacy Commissioner of Alberta has required a payment processing organization to notify individuals pursuant to section 37.1 of the province’s Personal Information Protection Act (PIPA) because there was a real risk of significant harm to those individuals affected by an incident that involved unauthorized access and theft of information of 60 Alberta residents.
“The identity information at issue could be used to cause the significant harms of identity theft, fraud and financial loss. The likelihood of harm is increased because the incident resulted from malicious intent (unauthorized access and theft of the information), the information was exposed for a considerable length of time, and was used for fraudulent purposes,” explained the Information and Privacy Commissioner.
On December 8, 2015, the organization was informed that a former employee had accessed an electronic file containing the information at issue.
The former employee had been employed with the organization between July and October 2014.
The organization’s investigation confirmed that the information of 41 former and current independent sales agents in Canada and Alberta was used to open fraudulent accounts for mobile phone services or to purchase smartphones.
The incident involved the following personal information: name, social insurance number, date of birth, address, primary telephone number and passport or other government-issued identification number.
In total, the incident affected 841 Canadians. They were notified of the incident on or around January 29, 2016.
Steps the organization took to reduce the risk of harm to individuals
- Initiated an internal investigation.
- Reported the incident to law enforcement.
- Confirmed with the other company that all fraudulent accounts have been closed and all records pertaining to the organization’s sales agents were cleared from systems and relevant credit bureau records.
- Reviewed internal access protocols and data collection practices.
- Reminded employees of the importance of maintaining security and confidentiality.
- Established a toll-free dedicated hotline that the affected individuals can call if they have any questions or concerns.
Real risk of significant harm analysis
Per the Information and Privacy Commissioner, the identity information at issue could be used to cause the harms of identity theft, fraud and financial loss. She considered these significant harms. According to the Information and Privacy Commissioner, the likelihood of harm is increased because the incident resulted from malicious intent, and the information was exposed for a considerable length of time and was used for fraudulent purposes. As such, the organization was required to notify affected individuals in Alberta. However, since the organization had already notified the affected individuals directly, it was not required to do so again.
Takeaway for employers
Should an organization determine that a real risk of significant harm exists to an individual because of a breach of personal information, PIPA requires the organization to notify the Office of the Information and Privacy Commissioner of the incident “without unreasonable delay.”
In order for the harm to be “significant,” it must be important, meaningful and with non-trivial consequences or effects; for there to be a “real risk,” there must be a cause and effect relationship between the incident and the possible harm.