News Release

Lack of basic privacy and security measures causing major data breaches, Privacy Commissioner says

Tabling of Privacy Commissioner of Canada's 2007 Annual Report on the Personal Information Protection and Electronic Documents Act

Ottawa, June 3, 2008 — Too many data breaches are occurring because companies have ignored some of the most basic steps to protect personal information, says the Privacy Commissioner of Canada, Jennifer Stoddart.

The Commissioner’s 2007 Annual Report on the Personal Information Protection and Electronic Documents Act (PIPEDA) was tabled today in Parliament.

“Many companies need to do more to prevent inexcusable security breaches,” Commissioner Stoddart says. “Too often, we see personal information compromised because a company has failed to implement elementary security measures such as using encryption on laptops.”

Voluntary privacy breach guidelines which the Office of the Privacy Commissioner (OPC) developed with business and consumer groups, and published last summer, appear to be prompting more organizations to report breaches.

The OPC has received 21 voluntary breach reports in the first five months of 2008. Last year, there were 34 voluntary reports of breaches to the OPC – up from a total of 20 reports in 2006.

Over the last few years, hundreds of thousands of Canadians have been affected by data breaches.

“Many organizations want to be good corporate citizens and do the right thing,” says Commissioner Stoddart.  “While the increased number of reports is a positive sign, it’s clear we still aren’t hearing about every breach which could have a harmful impact on people.”

Financial institutions are reporting the largest number of breaches to the OPC.  Some telecommunications, insurance and retail companies have also reported breaches.

The OPC is concerned that few small- and medium-sized enterprises are reporting breaches.

Examples of reported breaches include the theft of laptops containing unencrypted personal information, data tapes lost in transit, improperly discarded paper records, and misdirected faxes. 

Information the OPC is collecting from the voluntary reports is helping to shed light on some of the common problems which are leading to breaches. 

It is clear, for example, that unprotected laptops remain a huge issue which companies must address.  Many breaches related to electronically stored data, often customer information stored on stolen laptop computers. Almost nine in 10 people whose data was compromised by a self-reported breach in 2007 were put at risk because their personal information was held in an electronic format that was either not secured or lacked adequate protection mechanisms such as firewalls and encryption.

Other breaches occurred because employees had not followed established company practices.  Companies can address this problem by providing ongoing privacy training, yet a poll commissioned by the OPC last year found only a third of all businesses had trained staff about their responsibilities under Canada’s privacy laws.

The OPC strongly supports a plan by Industry Canada to introduce mandatory breach notification.  Reporting requirements will encourage businesses to do more to reduce the risk of a data breach and ensure all organizations are playing by the same rules.  They will also ensure Canadians are notified about serious breaches.

Industry Canada has prepared draft breach notification reporting rules and is now fine-tuning this model based on stakeholder input. 

The current proposals suggest the federal government is generally headed in the right direction and that Canada will have a breach reporting regime which is both reasonable and flexible. 

As the federal government completes its work on reporting requirements, the OPC continues to investigate a wide range of privacy complaints.

The OPC received 350 new PIPEDA complaints during 2007.  Almost one third of complaints involved financial institutions. As in past years, other major sectors for complaints were telecommunications, insurance, sales and transportation.  The annual report is available on the OPC website.

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.

To view the report:

— 30 —

For more information or interview requests, contact:

Anne-Marie Hayden
Office of the Privacy Commissioner of Canada
Tel: (613) 995-0103
Email: ahayden@priv.gc.ca
