On November 1st of last year, businesses became subject to new mandatory breach reporting regulations under Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA).
Organizations subject to PIPEDA are required to report to our office any breaches of security safeguards involving personal information that pose a real risk of significant harm to individuals. They also need to notify affected individuals about those breaches, and keep records of all data breaches within the organization.
Previously, data breach reporting to our office was done on a voluntarily basis.
Since reporting became mandatory, we’ve seen the number of data breach reports skyrocket. Some of those reports have involved well-known corporate names, but we have also seen significant volumes coming from small- and medium-sized businesses.
With nearly a year of experience under our belt, we’ve noticed a few things we’d like to share, and given we are at the anniversary of this important milestone, we couldn’t think of a better time to do it.
Type of breach
|Type of incident
Since November 1st, 2018, we have received 680 breach reports. That is six times the volume we had received during the same period one year earlier. It’s a staggering increase and higher than we had anticipated given the experience of our counterparts at the Office of the Information and Privacy Commissioner of Alberta when their mandatory reporting laws came into effect. These reports have also been revealing and have offered a clearer picture of the challenges faced by Canadian businesses.
According to those reports, the number of Canadians affected by a data breach is well over 28 million. That number includes, of course, some of the huge breaches that have made the headlines – Desjardins and Capital One, for example.
Our work and observations to date have highlighted the importance of taking steps to reduce privacy breach risks. Here are a few of those tips:
- Know what personal information you have, where it is, and what you are doing with it. When and where do you collect personal information? Where does that information go? Who can access it, and what do they do with it? You must understand your data before you can protect it!
- Know your vulnerabilities. Conduct risk and vulnerability assessments and/or penetration tests within your organization to ensure that threats to privacy are identified. Don’t just focus on technical vulnerabilities, though. Are third parties collecting personal information on your behalf without appropriate safeguards? Are your employees aware of risks and their privacy responsibilities? Over the last year the OPC has seen each of these scenarios lead to a breach. Identify your organizations’ weak points before a breach identifies them for you!
- Be aware of breaches in your industry. Attackers will often re-use the same attacks against multiple organizations. Pay attention to alerts and other information from your industry association and other sources of industry news. Don’t be the next vulnerable target!
By way of example, a trend we have seen in the telecommunications industry is fraud through impersonation, where bad actors have convinced customer service agents into believing that they are an account holder. They do this by drawing from publicly available information, information from other breaches, phished information as well as social engineering techniques. Once they’ve convinced the customer service rep, they make changes to the account, such as requesting that a phone number be assigned to a new SIM card, ultimately allowing them to access other accounts. We understand fraudsters target one company and, as the company addresses the issue, the attackers move on to another company.
Early breach trends
The majority of reported breaches – 58 per cent – involved unauthorized access.
We have seen a significant rise in reports of breaches affecting a small number of individuals – often just one and sometimes through a targeted, personalized attack. This is the correct approach to reporting: there can be risk of significant harm even when only one person is affected by an incident.
Employee snooping and social engineering hacks are key factors behind breaches resulting from unauthorized access. In fact, roughly one in four of the incidents reported to us involved social engineering attacks such as phishing and impersonation.
Fraudsters and other bad actors use increasingly sophisticated tactics to convince employees at an organization that they are someone else. For example, they employ a variety of psychological techniques, try multiple avenues to get at personal information, use publicly available information and information disclosed in other privacy breaches.
More than one in five data breaches reported to our office over the past year involved accidental disclosure. This would include situations where documents containing personal information are provided to the wrong individual (for example, because an incorrect email or postal address was used, or an email was sent without blind copying recipients) or are left behind accidentally.
Situations where information may have been disclosed due to the loss of a computer, storage drive or actual paper files accounted for 12 per cent of the breach reports we saw.
Theft of documents, computers or computer components, which led to a data breach, accounted for 8 per cent of the breach reports.
Tips on responding to a breach:
- Contain it! (e.g., stop the unauthorized practice, recover the records, shut down the system that was breached, revoke or change computer access codes or correct weaknesses in physical or electronic security).
- Designate someone to lead the initial breach investigation. This individual should have appropriate authority and knowledge to conduct the initial investigation and make initial recommendations. If necessary, a more detailed investigation may subsequently be required.
- Determine who needs to be made aware of the incident internally, and potentially externally, at this preliminary stage. Escalate internally as appropriate, including informing the person within your organization responsible for privacy compliance. Make sure to review our document What you need to know about mandatory reporting of breaches of security safeguards to fully understand your obligations.
- Be careful not to destroy evidence that may be valuable in determining the cause or allow you to take appropriate corrective action.
When to contact our office
Only a breach involving a real risk of significant harm to individuals needs to be reported to our office. Real risk of significant harm is determined based the sensitivity of the personal information involved in the breach and the probability that the personal information has been, is being or will be misused.
Wait, there’s more!
Commercial organizations that are subject to PIPEDA should know that it’s not just reporting data breaches that is now mandatory.
Commercial organizations must now keep and maintain a record of every breach of security safeguards involving personal information in its possession.
While there’s no need to report a breach to our Office that does not present a real risk of significant harm, companies must maintain a record of every breach that occurs within their organization, and keep those breach records for a minimum of two years.
And importantly, the OPC has the authority to proactively inspect those records.
To that end, the OPC has just completed a record review exercise, examining organizations’ breach records to assess compliance, and get a better sense of the plans, tools and approaches organizations are using to meet their breach record and reporting responsibilities.
The full analyses of this inaugural exercise is underway, but we are confident it will help us learn not only about compliance with breach record maintenance, but also the challenges and pain points that may exist for organizations. Once the analyses is complete, we plan to share our results, and reflect on how it can inform existing and/or future guidance on mandatory breach responsibilities, including assessment of the real risk of significant harm.
Through both the exercise and the breach reports we have received to date, it has become clear that breaches remain an ongoing threat for all organizations. Businesses need to be aware of the myriad of potential risks and tackle them through a combination of technology, training, policies and processes.
For more information
What you need to know about mandatory reporting of breaches of security safeguards
Ten tips for addressing employee snooping
Report a privacy breach at your business
Tips for mitigating password reuse risk
Receiving a privacy breach notification (for individuals)