As Privacy Complaints Surged, Breach Reports Dwindled

The past year saw a substantial increase in complaints to the Office of the Privacy Commissioner of Canada – but reports of data breaches were curiously low, according to a new report.

On September 29, the Privacy Commissioner released its annual report highlighting enforcement activities and other initiatives from the past year. The Privacy Commissioner received 427 complaints under the Personal Information Protection and Electronic Documents Act (PIPEDA) – a 38% increase over the previous year – but reports of PIPEDA data breaches (645) were down by 17.5%.

PIPEDA governs how private sector organizations collect, use and disclose personal information. If a data breach presents a real risk of significant harm, organizations are required to report the breach to the Privacy Commissioner and the individuals affected by the breach.

The past year marked the first time since mandatory breach reporting took effect in 2018 that the Privacy Commissioner received fewer breach reports than the previous year.

“Moreover, this has occurred at a time when many organizations transitioned to remote work due to the pandemic,” the report stated. “Given the privacy risks associated with telework and hybrid working arrangements, we would have expected to receive more breach reports, not fewer.”

Majority of Breaches Involved Unauthorized Access

Most breaches (65%) reported to the Privacy Commissioner involved unauthorized access to personal information. Of those breaches, 69% were cyber incidents that involved ransomware, malware, hacking or phishing attacks.

The financial sector accounted for 20% of the breaches reported to the Privacy Commissioner, followed by the telecommunications (14%), insurance (14%) and professional services (12%) sectors. Despite the explosion in ecommerce during the pandemic, the retail sector accounted for only 8% of breaches – down from 10% the previous year.

The Privacy Commissioner expressed concern, however, that breaches are underreported among small and medium-sized enterprises, which account for close to 90% of the businesses in Canada.

“In the current digital economy, small organizations can often amass large amounts of sensitive personal information,” the report stated. “A majority of the breach reports received by our office continue to come from large organizations.”

Complaints Involved Mobile Apps, Voice Authentication and Surveillance

Despite the decline in breach reports, PIPEDA-related complaints surged over the past year. The largest share of complaints (36%) involved the use and disclosure of personal information, followed by access to personal information (28%) and the collection of personal information (13%).

In response to these complaints, the Privacy Commissioner launched a number of investigations, including an investigation into a restaurant chain’s mobile app that tracked the movements of customers at all hours of the day – even when the app wasn’t running.

A telecommunications company was investigated for enrolling a customer in a voiceprint authentication program without the customer’s consent, and two trucking companies were investigated for surveilling drivers whenever they were behind the wheel – including when they were off duty.

Organizations Could Face Fines for Failing to Report Breaches

Despite the decrease in reported PIPEDA breaches, the Privacy Commissioner stressed that breaches “continue to be a significant area of concern” – and they’re likely underreported.

“Of course, our office can only report on the breaches that we know about,” the report stated. “Given the sheer volume of personal data that is collected, used and disclosed in the digital marketplace, many cases likely go unreported, or even undetected.”

Under PIPEDA, it’s an offence to knowingly contravene reporting, notification and record-keeping requirements in the event of a breach that poses a real risk of significant harm. Organizations that knowingly choose not to report such breaches could face a summary conviction and maximum fine of $10,000 or be found guilty of an indictable offence and face a maximum fine of $100,000. In addition, companies that fail to comply with PIPEDA could be subject to public reports, which can lead to reputational damage that could be far costlier than a fine.

If your organization needs help navigating privacy laws, the lawyers in the MLT Aikins Privacy, Data Protection & Cybersecurity team have extensive experience advising clients on their obligations for reporting and responding to breaches and developing effective strategies to mitigate the risk of breaches. Download our Cybersecurity Checklist to learn more.
