To mark the one-year anniversary of mandatory breach reporting under the Personal Information Protection and Electronic Documents Act (PIPEDA), the Office of the Privacy Commissioner of Canada (OPC) published a blog post providing observations, statistics and compliance tips.

Since November 2018, organizations that are subject to PIPEDA are required to notify the OPC and affected individuals of a "breach of security safeguards" involving personal information that poses a real risk of significant harm to an individual. Organizations are also required to keep records of all breaches, including breaches that do not pose a real risk of significant harm, for a minimum of two years.

As the number of data breaches continue to skyrocket in Canada, the OPC's recent guidance on lessons learned from mandatory reporting complements other resources on preparing for a cybersecurity incident.

KEY TRENDS & RISKS IDENTIFIED BY THE OPC

The OPC reported that it received 680 breach reports since mandatory reporting requirements came into effect – six times the volume received in the prior year. Based on these reports, at least 28 million Canadians were affected by a data breach during this time. These figures exceeded the OPC's expectations, which were based on the experience of the Office of the Information and Privacy Commissioner of Alberta's when that province's mandatory breach reporting provisions went into effect almost a decade ago.

Most incidents reported involved unauthorized access to personal information, often driven by social engineering hacks or employee snooping. In the case of social engineering, attackers often target a small number of individuals using sophisticated psychological techniques, publicly available information, and information disclosed in other privacy breaches, to try to convince the individuals that the attacker is someone else.

OPC, "A full year of mandatory breach reporting" (Oct 31, 2019)

Roughly 22 per cent of breach reports involved accidental disclosure, such as where documents containing personal information were provided to the wrong individual(s) or left behind accidentally. The remaining breach reports involved the loss or theft of devices or files containing personal information.

REPORTING BEST PRACTICES

Only breaches involving a real risk of significant harm need to be reported to the OPC. Whether a breach involves a real risk of significant harm is determined by the organization through an assessment of the sensitivity of the personal information involved and the probability of misuse (an analysis commonly referred to as the RROSH Test). Organizations that are subject to PIPEDA should have a framework for assessing potential harm so that all breaches are assessed consistently.

Organizations must also keep and maintain a record of every breach, even those that do not meet the harm threshold for reporting. These records must be maintained for two years and must include enough information to allow the OPC to verify compliance with PIPEDA's breach reporting provisions. Organizations should have a consistent process for creating and maintaining breach records.

The OPC has the authority to proactively inspect breach records and has recently done so with a review exercise involving an examination of the breach records of several organizations. Once the full analysis has been completed, the OPC plans to share the results with stakeholders and update guidance based on lessons learned.

The OPC's post also reiterates the importance of proactively reducing the risk of a data breach. In particular, the OPC suggests that organizations consider the following:

  • Understand your data. Know what personal information your organization holds, where it is stored, and how it is used. Keep records of when and where the personal information was collected, when it is shared or transferred, and who can access it. Without a strong understanding of your data universe, it will be difficult to protect it.
  • Be aware of your vulnerabilities. Conduct risk and vulnerability assessments, including penetration tests to ensure potential threats to privacy within your organization are identified. It is important to also address whether third parties are collecting personal information on your behalf with appropriate safeguards, to train employees to be aware of risks and their responsibilities regarding information.
  • Be aware of breaches in your industry. Attackers often re-use the same attacks against multiple organizations. It is important to pay attention to alerts and information from industry associations and other sources of industry news to avoid similar threats.

ADDITIONAL RESOURCES AVAILABLE FROM BLAKES

Blakes has prepared several resources to help organizations navigate the breach reporting and record-keeping requirements under PIPEDA, as well as prepare for, and respond to, cybersecurity incidents:

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

For permission to reprint articles, please contact the Blakes Marketing Department.

© 2019 Blake, Cassels & Graydon LLP.