PIPEDA mandatory breach notification provisions turn one

Office of the Privacy Commissioner’s blog post describes data breaches, numbers and trends

Lisa R. Lifshitz

How time passes when you’re having fun. The provisions of Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), that deal with mandatory data breach notification celebrated their first birthday on November 1st.

In recognition of this milestone, Canada’s federal regulator, the Office of the Privacy Commissioner of Canada (OPC), issued a rather entertaining blog post that described the initial outcomes of federal mandatory breach reporting and offered certain “lessons learned” during this inaugural year.

By way of reminder, prior to the enactment of the PIPEDA sections requiring businesses subject to PIPEDA to report to the OPC any “breaches of security safeguards” involving personal information that pose a real risk of significant harm to individuals (in addition to notifying affected individuals and third party organizations, including government institutions, that may be able to reduce or mitigate the risk of harm arising from the incident), any data breach reporting to the Commissioner was done on a strictly voluntary basis.

In other words, apart from specialized categories of personal information such as health information (which in Canada is subject to separate private sector provincial privacy laws containing their own express requirements), organizations did not generally have an explicit legal obligation to report the unauthorized use, loss or disclosure of personal information following a security or other incident.

This meant, practically, that most organizations that had experienced a breach chose to sweep the incident under the rug, as they were generally loath to report such breaches to the federal regulator unless there were extenuating circumstances.

Such circumstances included a determination that the unauthorized use or disclosure involved the personal information of Albertans. Under Alberta’s Personal Information Protection Act, such a disclosure triggers mandatory reporting of the privacy breach to the Office of the Information and Privacy Commissioner of Alberta “without reasonable delay” if a reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure.

To avoid inconsistency, organizations subject to Alberta’s mandatory data breach notification requirements often reported to the federal regulator as well. Additionally, in the event of significant breaches that would likely invite OPC scrutiny, some entities chose to report voluntarily in an effort to get “ahead of the story” and better shape the narrative (and look cooperative), with a view to controlling the resulting fallout and salvaging the breaching organization’s reputation.

Data Breach Numbers and Impact. Stating the obvious, the OPC began its blog post by noting that since data breach reporting became mandatory, it has seen the number of data breach reports “skyrocket”. The regulator reported that since November 1, 2018 it had received 680 breach reports, six (6) times the volume received during the same period one year earlier, from a gamut of Canadian businesses, including “well-known corporate names” as well as small- and medium-sized businesses. Based on the reports received to date, the OPC estimated that the number of Canadians affected by a data breach is well over 28 million.

Breach Trends.

  • Based on its learning to date, the OPC’s blog post noted that the majority of reported breaches — 58 per cent — involved unauthorized access of personal data.
  • Canadian companies are now reporting breaches affecting a small number of individuals, often through a targeted, personalized attack (the OPC agreed with this position).
  • Approximately one in four of the incidents reported involved the use of social engineering attacks by hackers/fraudsters, such as phishing and impersonation, in order to gain unauthorized access. These individuals deployed a number of methods, including using publicly available information and information disclosed in other privacy breaches, in their efforts to trick individuals into disclosing personal information.
  • The OPC highlighted that “fraud through impersonation” has become especially prevalent in the telecommunications industry, where customer service agents are being duped into believing that the fraudster is an account holder. After persuading the customer service representative to assist them, the hackers obtained changes to the account, including assigning phone numbers to a new SIM card, which ultimately allowed them to access other accounts.
  • The OPC also stated that one in five data breaches reported involved accidental disclosure, i.e. where documents containing personal information are inadvertently provided to the wrong individual because of an incorrect postal address or incorrect email, an email is sent without blind copying recipients, or documents are accidentally left behind.
  • Twelve per cent of unauthorized disclosures occurred because of the loss of a computer, storage drive or actual paper files.
  • Eight per cent of data breaches occurred as a result of the theft of documents, computers or computer components.

Reducing Privacy Breach Risks. The OPC’s blog post also reiterated the importance of organizations proactively reducing their privacy breach risks. This includes the need for organizations to truly know and understand their data (i.e. what personal information they have, where it is, what is being done with it, who can access it and what they can do with it) before it can be protected. Organizations should also know their vulnerabilities, conducting risk and vulnerability assessments and/or penetration tests within their organization to ensure that threats to privacy are identified.

The OPC reminded readers that key sources of vulnerability include third parties collecting personal information on an organization’s behalf without appropriate safeguards, as well as employees who are unaware of risks and of their privacy responsibilities, and cited these as scenarios that led to breaches reported to it. It also stated that, as attackers will often re-use the same attacks against multiple organizations, it is worthwhile to pay attention to alerts and other information from industry associations and other sources of industry news in order to harden against potential breaches.

What to do in the event of a breach. The guidance offered in the blog post regarding an organization’s response in the event of a breach mirrored past advice from the OPC and therefore does not need to be repeated here. Determining whether a “real risk of significant harm” exists is based on an analysis of the sensitivity of the personal information involved in the breach and the probability that the personal information has been, is being or will be misused. Based on my experience to date, many Canadian organizations are more willing to err on the side of caution and report regardless, rather than risk censure from the OPC.

The Need to Retain Records. The post also reiterated that, in addition to the mandatory data breach notification requirements, since November 1, 2018 companies have had a positive obligation to keep and maintain a record of every breach of security safeguards involving personal information in their possession, regardless of whether they decide to notify the OPC following such a breach. Breaches must be recorded in detail and organizations must keep those breach records for a minimum of two years. The OPC has the authority to proactively inspect those records.

Contracting for Privacy Breaches. In my view, the OPC’s post failed to call out the need for Canadian organizations to expressly ensure that their legal agreements with third parties, including vendors and service providers, mirror the organization’s data breach notification obligations so it can meet its data breach notification requirements under PIPEDA.

It is critical that clients “contract for breach,” as many standard form legal contracts are either completely silent on mandatory breach notification requirements or, worse, minimize the vendor’s obligations in the event of a data/security breach, arguably contradicting the law. I remain surprised by how many Canadian vendors seem unaware of the mandatory breach notification requirements under PIPEDA, or at least purport to be unwilling to set out their commitments to clients in writing. As a result, it is critical to clarify these requirements and the allocation of responsibility, and any related costs, in advance rather than having to argue about them in the moment.

All third party agreements that involve the processing of personal information and that are subject to PIPEDA should therefore expressly require vendors to immediately notify customers of any suspected or actual accidental or unauthorized access or disclosure of the personal information, either within a very short time frame or “as soon as feasible” (the PIPEDA legal standard). Vendors should also be contractually required to investigate the breach, taking such actions as may be necessary or requested by the customer to mitigate the effects and to minimize any damage resulting from the breach.

Vendors should be required to provide customers with detailed information about the breach, including:
(i) how and when the breach occurred;
(ii) how and when the breach was discovered;
(iii) any steps taken to address the breach, mitigate such breach and prevent a recurrence;
(iv) sufficient information to allow individuals who may be affected by the breach to understand the significance of the breach to them and to take steps, if any are possible, to reduce the risk of harm that could result from it or to mitigate that harm, and any other information required under PIPEDA; and, most importantly,
(v) sufficient information to enable the customer to determine whether the breach creates a real risk of significant harm to an individual who may be affected and therefore whether notice must be given to the OPC or any other regulator, any third party organizations or individuals.

It is also important to require vendors to assist the customer in coordinating any external communications relating to the breach with regulators, including the OPC, and to actively cooperate with regulatory bodies such as the OPC in connection with any audits or investigations, as requested by the customer and as required by applicable privacy laws.

Customers should ensure, via contract, that their vendors commit to preventing further breaches and to assisting in any regulatory investigation, ideally at their own cost.

I also typically flow down to vendors PIPEDA’s record-retention requirements, as discussed earlier, which oblige vendors to keep and maintain accurate and up-to-date records of all breaches during the term of the agreement and for a period of twenty-four (24) months thereafter, and to provide such records to the customer upon request (ensuring that customers can provide these records to authorities such as the OPC if necessary).

Conclusion. The OPC’s post ended by noting that the OPC has just completed a record review exercise, examining organizations’ breach records to assess compliance and to get a better sense of the plans, tools and approaches organizations are using to meet their breach record and reporting responsibilities. Once its analysis is completed, the OPC will share the results, with a view to tweaking existing guidance on mandatory breach responsibilities, including the assessment of a real risk of significant harm.

While light in tone, the post nonetheless contains some nuggets of interesting information about how Canadian organizations have fared under PIPEDA’s mandatory breach reporting regime. As the OPC concluded, breaches remain an ongoing threat for all organizations. Businesses need to be aware of the myriad potential risks and combat them through a combination of technology, training, policies and processes, including the use of adequate language in their legal agreements.