On October 31, 2019, the Office of the Privacy Commissioner of Canada shared what has been learned and what businesses need to know with respect to mandatory data breach reporting under Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA).
As you may recall, organizations that are subject to PIPEDA must report breaches of security safeguards, notify the affected individuals, and keep records of all data breaches in accordance with the Breach of Security Safeguards Regulations: SOR/2018-64.
This requirement is mandatory.
It has been about one year since data breach reporting has become mandatory, and the Office of the Privacy Commissioner of Canada has written to share some of the numbers and trends that have been occurring.
For instance, the Privacy Commissioner received 680 breach reports, six times the number received in the preceding year. Indeed, the Privacy Commissioner states that this is a “staggering increase and higher than we had anticipated”.
Moreover, the number of Canadians who have been affected by a data breach is over 28 million. It is important to note that there were two major data breaches over the past year, Desjardins and Capital One, and the 28 million includes the individuals affected by these breaches.
You may be wondering, what has been the main cause of the data breaches? The majority of reported breaches (58 percent or 397 reports) had to do with unauthorized access. Some factors that lead to unauthorized access include employee snooping and social engineering attacks such as phishing and impersonation. How can this occur? The Privacy Commissioner states that fraudsters and other bad actors use sophisticated tactics to convince employees at organizations that they are someone else, and subsequently, the employee simply provides the information. Also, about 20 percent or 147 of reported breaches were accidental disclosures; an example of an accidental disclosure is where documents that contain personal information are provided to the wrong person because of an incorrect email address or an email sent without the proper blind copying (bcc).
In addition, about 12 percent or 82 reported breaches involved situations where information may have been disclosed due to the loss of a computer, storage drive or actual paper files. Lastly, about eight percent or 54 reported breaches involved theft of documents, computers, or computer components.
Interestingly, the Privacy Commissioner notes that there has been a significant increase in the number of reports of breaches where only a small number of individuals (sometimes just one) are affected by a breach; sometimes, these types of breaches come in the form of targeted, personalized attacks.
What can employers do in light of this information?
Given the findings, the Privacy Commissioner recommends the following in order to reduce the risks of privacy breaches:
- Know what personal information you have, where it is, and what you are doing with it. It is important to ask questions such as: When and where does the organization collect personal information?; Where does that information go?; and Who can access it, and what do they do with it?
- Know your vulnerabilities. It is necessary to conduct risk and vulnerability assessments and penetration tests within your organization as required in order to ensure that threats to privacy are identified. It is important to ask several questions, including: Are third parties collecting personal information on your behalf without appropriate safeguards?; and Are the employees aware of risks and their privacy responsibilities?
- Be aware of breaches in your industry. Interestingly, attackers often re-use the same attacks against multiple organizations. It is important to pay attention to alerts and other information from sources of industry news to remain vigilant.
- Remain aware that there is a risk of significant harm even when only one person is affected by the breach. It is important to remain vigilant in order to prevent unauthorized access, even when dealing with small groups.
- Contain the situation. It is important to stop the unauthorized practice, recover the records, shut down the system that was breached, revoke or change computer access codes, or correct weaknesses in physical or electronic security.
- Designate someone to lead the initial breach investigation. It is necessary for this individual to have the appropriate authority and knowledge to conduct the initial investigation and make initial recommendations prior to the subsequent more detailed investigation.
- Determine who needs to be made aware of the incident internally, and potentially externally, at the preliminary stage. It is important to escalate internally as appropriate, including informing the person within the organization responsible for privacy compliance. Likewise, it is important to review the document, “What you need to know about mandatory reporting of breaches of security safeguards”.
- Organizations must report a breach to the Privacy Commissioner if the breach involves a real risk of significant harm. In the document, “What you need to know about mandatory reporting of breaches of security safeguards,” it states that “a risk of significant harm” includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property. The factors that are relevant to determining whether a breach of security safeguards creates a real risk of significant harm include the sensitivity of the personal information involved in the breach of security safeguards and the probability the personal information has been/is/will be misused.
- Remember that, in addition to reporting, there are other requirements. That is, even if there is no need to report a breach to the Privacy Commissioner because there is no real risk of significant harm, organizations are still required to keep and maintain a record of every breach of security safeguards involving personal information in their possession. These records must be kept for a minimum of two years.
- Be careful not to destroy evidence. This information could be valuable in determining the cause or allow for taking appropriate corrective action.
In addition, since employee snooping was noted as one of the factors that contribute to unauthorized access, it is important to note that the Privacy Commissioner has made recommendations in its “Ten tips for addressing employee snooping.”
With respect to employee snooping, which has the potential of leading to unauthorized access, employers are recommended to do the following in terms of education, protection, monitoring, and response:
- Education: foster a culture of privacy by clearly establishing expectations and requirements for employees; have periodic and/or “just-in-time” training and reminders of policies around snooping so that they stay fresh; and ensure employees know that the organization will take steps to detect and dissuade violators and that consequences will be enforced.
- Protect: ensure access is restricted to the information required to perform the job, in accordance with documented processes for granting and revoking access to information, and use physical, organizational, and technological safeguards; allow individuals to block specific employees from accessing their personal information and ensure that a blocked employee cannot circumvent this measure; and have access logs and/or other oversight tools in place so that allegations of employee snooping can be investigated by reviewing those logs to confirm or refute the allegation.
- Monitor: proactively monitor and/or audit access logs and other oversight tools and have proactive measures in place to monitor and/or audit for undetected employee snooping; and understand “normal” access, to better detect inappropriate access that indicates there is a problem.
- Respond: Investigate all reports of employee snooping because they must be taken seriously; and where proactive measures fail, respond appropriately, and this can include, but is not limited to, appropriate consequences for the snooper (which may include disciplinary action), notification to the Privacy Commissioner, and notification to the affected individual.
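The “Protect” and “Monitor” recommendations above describe three checks an access-log review can implement: an employee reading a record whose owner asked to block them, an employee reading a record outside the set they are assigned to, and a volume of access that departs from that employee's own “normal”. The following script is an added example written here to illustrate those checks; it is not code from the Privacy Commissioner or from any product. It assumes a hypothetical application that writes one line per record view as `timestamp,employee_id,record_id,action`, and that the organization keeps a record-to-employee assignment list and a per-record block list; the log lines, assignments and blocks below are constructed sample data.

```python
"""Access-log review for employee snooping (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log. It contains one access by a blocked employee
# (emp-003 on rec-300), one out-of-scope access (emp-002 on rec-105), and a
# volume spike for emp-001 on 2019-10-30 relative to that employee's other days.
SAMPLE_LOG = """\
2019-10-28T09:01:00,emp-001,rec-100,view
2019-10-28T09:05:00,emp-001,rec-101,view
2019-10-28T10:00:00,emp-002,rec-200,view
2019-10-29T09:02:00,emp-001,rec-100,view
2019-10-29T09:10:00,emp-001,rec-102,view
2019-10-29T11:00:00,emp-002,rec-201,view
2019-10-30T09:00:00,emp-001,rec-100,view
2019-10-30T09:01:00,emp-001,rec-101,view
2019-10-30T09:02:00,emp-001,rec-102,view
2019-10-30T09:03:00,emp-001,rec-103,view
2019-10-30T09:04:00,emp-001,rec-104,view
2019-10-30T09:05:00,emp-001,rec-105,view
2019-10-30T09:06:00,emp-001,rec-106,view
2019-10-30T09:07:00,emp-001,rec-107,view
2019-10-30T14:00:00,emp-002,rec-105,view
2019-10-30T15:00:00,emp-003,rec-300,view
"""

# Hypothetical entitlement data: which records each employee may work on, and
# which employees the owner of a record has asked to block from their file.
ASSIGNMENTS = {
    "emp-001": {f"rec-{n}" for n in range(100, 110)},
    "emp-002": {"rec-200", "rec-201"},
    "emp-003": {"rec-300"},
}
BLOCKS = {"rec-300": {"emp-003"}}


def parse_log(text):
    """Parse the assumed CSV-style log into dicts; blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, emp, rec, action = line.split(",")
        entries.append({"ts": datetime.fromisoformat(ts), "emp": emp,
                        "rec": rec, "action": action})
    return entries


def blocked_accesses(entries, blocks):
    """Accesses by an employee the record's owner asked to block.

    A block must hold even when the employee is otherwise assigned to the
    record, so this check is independent of the assignment list."""
    return [(e["emp"], e["rec"]) for e in entries
            if e["emp"] in blocks.get(e["rec"], set())]


def out_of_scope_accesses(entries, assignments):
    """Accesses to a record outside the employee's assigned set (need-to-know)."""
    return [(e["emp"], e["rec"]) for e in entries
            if e["rec"] not in assignments.get(e["emp"], set())]


def volume_spikes(entries, factor=3.0, min_views=5):
    """Days on which an employee's view count exceeds `factor` times the median
    of their own other days. The baseline is per employee, so a busy role is
    compared against itself rather than against the whole organization."""
    per_day = defaultdict(lambda: defaultdict(int))
    for e in entries:
        per_day[e["emp"]][e["ts"].date()] += 1
    spikes = []
    for emp, days in per_day.items():
        if len(days) < 2:          # no baseline to compare against
            continue
        for day, count in days.items():
            baseline = median(c for d, c in days.items() if d != day)
            if count >= min_views and count > factor * baseline:
                spikes.append((emp, day.isoformat(), count))
    return spikes


def review(text, assignments, blocks):
    """Run all three checks and return the findings for a reviewer."""
    entries = parse_log(text)
    return {
        "blocked": blocked_accesses(entries, blocks),
        "out_of_scope": out_of_scope_accesses(entries, assignments),
        "volume_spikes": volume_spikes(entries),
    }


if __name__ == "__main__":
    for kind, findings in review(SAMPLE_LOG, ASSIGNMENTS, BLOCKS).items():
        print(kind, findings)
```

The first two checks are deterministic and suit both reactive review of an allegation and proactive auditing; the third is a baseline heuristic, so its `factor` and `min_views` thresholds are assumptions to tune against real access patterns, and its findings are leads for the designated investigator rather than conclusions.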
For more information, please refer to the Privacy Commissioner’s “What you need to know about mandatory reporting of breaches of security safeguards” document.