A Recent Update from the Office of the Privacy Commissioner of Canada Provides Insight into the Prevalence and Effect of Data Breaches in Canada
In the digital age, the Internet plays a significant role in the daily lives of Canadians. Along with the benefits it brings in terms of connectivity, harmful consequences in the form of major data breaches are increasingly affecting Canadians across the country. In fact, according to a recent update provided by the Office of the Privacy Commissioner of Canada, over 28 million Canadians were affected by data breaches in the last year. Since November of last year, when the PIPEDA's1 mandatory reporting requirements came into force, the regulator received 680 data breach reports from commercial organizations of all sizes across the market, which was six times the volume received the year prior.2 These statistics suggest the massive impact of data breaches on very sensitive personal information of Canadians.
What is a Data Breach?
PIPEDA is a federal statute that governs the collection, use and disclosure of personal information by commercial organizations in Canada.
Pursuant to the Act, personal information means information about an identifiable individual. The types of personal information collected and held by commercial organizations can range from an individual's name and birthdate to more sensitive information including medical and financial records. The legislation requires businesses to implement security safeguards to protect personal information in their control from loss, theft, and unauthorized access or disclosure, including:
- physical measures (locking filing cabinets),
- organization measures (security clearances), and/or
- technological measures (use of passwords and encryption).
The rigour of security safeguards is commensurate with the sensitivity of the information.
PIPEDA defines a breach of security safeguards, or "data breach," as the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization's security safeguards, or from a failure by the organization to establish such security safeguards.
Canadian Businesses Must Report Serious Breaches of Security Safeguards
When sensitive, personal information is compromised in a data breach, there may be a real risk of significant harm to an individual including, among other things, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to loss of property.
As of November 1, 2018, Canadian commercial organizations became subject to mandatory data breach reporting obligations pursuant to PIPEDA. Essentially, any breach of security safeguards involving personal information that creates a real risk of significant harm to an individual must be reported to the Privacy Commissioner, the regulatory body charged with enforcing Canada's Privacy Act3 and PIPEDA.
Contravention of these mandatory reporting provisions subjects any contravening organization to potential offences and fines of up to $100,000.
In addition to mandatory data breach reporting, PIPEDA directs that businesses must be aware of and prevent potential security risks through a combination of technology, training, policies, and processes. In the event of a data breach, commercial organizations are obligated to:
- Assess the real risk of significant harm by considering the sensitivity of the personal information involved in the breach and the probability the personal information has or will be misused;
- Notify all affected individuals as soon as possible after a data breach to allow affected individuals to understand the significance of the breach and to take steps to reduce the risk of harm that could result from the breach;
- Maintain a record of all breaches of security safeguards involving personal information that occurs within the organization, including the date or estimated date of each breach, a general description of the circumstances of the breach, the nature of information involved in the breach, and whether the Privacy Commissioner and affected individuals were notified; and
- Keep records of all data breaches within the organization, including those that do not present a real risk of significant harm, for a minimum of two years, which may be inspected at any time by the Privacy Commissioner.
Privacy Commissioner Sees Number of Data Breach Reports "Skyrocket" in 2019
The Privacy Commissioner received a staggering increase in the number of data breach reports in 2019, which was significantly higher than anticipated. This year's surge in data breach reports, which aligns with the first anniversary of mandatory data breach reporting laws in Canada, offers "a clearer picture of the challenges faced by Canadian businesses" and those who may be affected by a data breach. For example:
- Most data breaches in Canada involve unauthorized access to personal information (58% or 6 in 10 reported breaches), with major causes being employee snooping and social engineering hacks. Additional types of reported breaches include those where information is disclosed due to the loss of computer or paper files (12%) and theft of documents or computers leading to a data breach (8%);
- There has been a steep increase in reports of breaches affecting a small number of individuals. Namely, many breaches involve only one affected individual in a targeted, personalized attack;
- 1 in 4 reported data breaches involve phishing and/or impersonation; and
- At least 1 in 5 reported data breaches involve accidental disclosure (i.e., documents containing personal information are provided to the wrong individual).
Significance to Canadians
Canadians are increasingly aware of their privacy rights and interests. The recent Privacy Commissioner update makes evident that there is a real risk of significant harm in an increasing number of data breach incidents and, accordingly, Canadian businesses are expected to safeguard the personal information of their customers and to take steps to reduce privacy breach risks in accordance with their obligations under PIPEDA.
We Can Help
Individuals who have been affected by serious data breaches may have a legal claim for compensation.
1 Personal Information Protection and Electronic Documents Act, SC 2000, c 5 [PIPEDA].
2 See online: https://www.priv.gc.ca/en/blog/20191031/
3 RSC 1985, c P-21.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.