Statement by the Privacy Commissioner of Canada following an investigation into a data breach at Desjardins
December 14, 2020
The Privacy Commissioner of Canada, Daniel Therrien, issued the following statement at a media teleconference.
(Check against delivery)
Good morning. My comments relate to my office’s investigation conducted under Canada’s federal private sector privacy law. The results of our respective investigations point in the same direction.
The Desjardins data breach is the largest ever in Canada’s financial services sector.
Our investigation revealed that Desjardins did not demonstrate the appropriate level of attention required to protect the sensitive personal information entrusted to its care.
Desjardins had already identified some of the deficiencies that ultimately led to the breach, but was too slow to react. That being said, the organization did respond very well once it was informed of the breach.
When this incident first came to light in the media, citizens were shocked because we expect financial institutions to be extremely rigorous when it comes to data security.
This expectation is reflected in the law, which requires organizations to protect personal information with security safeguards that are appropriate to the sensitivity of the information.
It is difficult to see how an employee managed to exfiltrate Desjardins clients’ personal information for at least 26 months, and how the financial institution initially learned about what was happening only from the police.
Data protection is complex, especially for a large company like Desjardins, which deals with millions of people as well as business partners. The technologies involved are also complex. However, a company the size of Desjardins has the means, and the legal obligation to deploy these means, to protect its members’ data.
What happened to Desjardins could have happened to other companies. As we know, these types of breaches happen all too often. This breach should serve as a lesson to other organizations.
Regulators do not expect perfection, but they do expect data to be protected with measures that are consistent with the sensitivity of the information. This includes systems to detect unusual activity that could be fraudulent.
That being said, we are satisfied with the mitigation measures Desjardins has offered to those affected. The proposed set of measures goes beyond what other organizations have offered in similar circumstances.
Going forward, Desjardins has committed to implementing a series of improvements in information security, information retention periods and access controls. It has also committed to providing us with progress reports every six months.
In closing, I would like to thank Ms. Poitras and the Commission d’accès à l’information for their cooperation in this important investigation.