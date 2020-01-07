One year ago, on November 1, 2018, changes were made to the
Personal Information Protection and Electronic Documents
Act ("PIPEDA") requiring organizations to report to
the Office of the Privacy Commissioner of Canada ("OPC")
breaches of security safeguards involving personal information that
pose a real risk of significant harm to individuals. The changes
required organizations to notify the affected individuals and
maintain records of all data breaches for a minimum of 2 years.
Before these mandatory obligations took effect, organizations could
report data breaches to the OPC only on a voluntary basis. The OPC
recently issued a report outlining the impact of those changes and
the trends observed over the first year of mandatory reporting.
The OPC report pointed out that fraudsters and hackers often use
similar techniques against businesses in the same industry.
Businesses therefore need to stay vigilant and keep abreast of the
breaches and attacks affecting their sector. For example, the OPC
reported a trend in the telecommunications industry whereby
attackers impersonate customers in order to convince customer
service agents to make changes to the customers' accounts (e.g.
assigning a customer's phone number to a new SIM card). Once the
number has been moved, the attacker receives the customer's calls
and text messages, including any one-time passcodes sent by SMS,
and can use them to take over the customer's account with the
carrier and with other services that rely on the phone number for
authentication or password resets.
In the year following November 1, 2018, the OPC received 680 data
breach reports affecting approximately 28 million Canadians, a
dramatic six-fold increase in the number of data breach reports,
coming from businesses of all sizes. The reported breaches include
loss, theft, unauthorized access and accidental disclosure of
personal information. The OPC reported that 58% of the breaches
involved unauthorized access, whether by employees snooping on
records or by outsiders using social engineering techniques such as
phishing and impersonation to obtain others' personal information.
The accidental disclosures typically resulted from employees
inadvertently sending personal information to the wrong email or
mailing address. The remaining breaches resulted from the loss or
theft of storage drives, computers and paper files.
Data breaches remain a real concern for businesses because they can
detrimentally affect customers and cause significant harm to an
organization's reputation. The media constantly reports data
breaches and hacks involving large corporate databases, and
customers are becoming increasingly concerned about their privacy.
Organizations that take proactive measures to protect personal
information are better placed to earn and keep the trust of their
customers, which ultimately supports their profitability.
In a recent OPC survey of Canadians, it was reported that 92%
expressed some level of concern about the protection of their
privacy. Most Canadians (76%) have refused at some point to provide
their personal information to a business and have not traded their
personal information for discounts or incentives on a good or
service (70%). The survey also indicated that 45% did not trust
that businesses in general respect their privacy rights.
In order to meet customers' expectations and comply with
privacy laws, businesses need to ensure that they have the proper
safeguards in place to protect personal information under their
control from being lost, misused or stolen. Businesses need to
understand what personal information they have, where it is, what
they are doing with it and how they are protecting it. They need to
know when and where they collect personal information, where it
goes and who can access it.
Businesses should make sure that their employees are properly
trained so that they understand their privacy responsibilities
along with the organization's personal information policies and
procedures. Safeguards may include limiting access to personal
information to the personnel who need it, locking filing cabinets,
requiring strong passwords, encrypting data stored on computers and
portable devices, and keeping antivirus software up to date. It is
important for businesses to appoint a privacy officer who is
responsible for privacy compliance, and to make sure that employees
and customers know who that person is and how to contact them if
necessary. Businesses should also undertake risk and vulnerability
assessments to identify and minimize potential threats to the
organization and its customers. These safeguards should also
extend to personal information collected or handled by third
parties (such as service providers) acting on behalf of a business,
which is typically achieved through contractual requirements.
If your business experiences a data breach, you should contact a
privacy lawyer immediately to ensure that you are complying with
your obligations, as steps need to be taken quickly. An assessment
will be made as to whether the breach poses a real risk of
significant harm, having regard to the sensitivity of the personal
information involved and the probability that it has been or will
be misused, and therefore whether the breach needs to be reported
to the OPC and the affected individuals notified. Knowingly failing
to report a breach, notify affected individuals or keep the
required breach records is an offence under PIPEDA that can lead to
fines of up to $100,000 per violation.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.