As mandatory breach reporting celebrates its one year anniversary, the Office of the Privacy Commissioner of Canada has advised that 680 security and privacy breaches have been reported, 58% of those were a result of unauthorized access to personal information and 28 million Canadians were affected by a breach last year.
Since November 1, 2018, organizations subject to the Personal Information Protection and Electronic Documents Act (PIDEDA) have been required to report certain security and privacy breaches to affected individuals and the Office of the Privacy Commissioner of Canada and keep associated records.
Security and privacy breaches are an increasing concern and additional statistics released by the Commissioner include:
- A six-fold increase in breaches have been reported to the Commissioner since mandatory breach reporting came into effect.
- A quarter of the reported breaches involved social engineering attacks such as phishing.
Besides unauthorized access, other types of breaches involved accidental disclosure, the loss of a computer, storage drive or paper documents, and the theft of documents.
Be Weary of “Phishing” Attacks
The Commissioner has attributed the high number of breaches to the increasingly sophisticated techniques used by fraudsters to trick employees of organizations into believing that the fraudsters are someone else. These “phishing” or social engineering attacks are becoming increasingly popular and often involve the use of psychological techniques such as the use of publicly available information to impersonate someone else. This increase in social engineering attacks highlights the importance of having a strong privacy compliance program in place that includes appropriate training of everyone within an organization who may access personal information in the course of performing their role.
Tips to Reduce Risk of Privacy Breach
Of note, the Commissioner has supplied the following tips to organizations to reduce their risk of a privacy breach:
- Know what personal information you have, where it is, and what you are doing with it. When and where do you collect personal information? Where does that information go? Who can access it, and what do they do with it? You must understand your data before you can protect it.
- Know your vulnerabilities. Conduct risk and vulnerability assessments and/or penetration tests within your organization to ensure that threats to privacy are identified. Don’t just focus on technical vulnerabilities, though. Are third parties collecting personal information on your behalf without appropriate safeguards? Are your employees aware of risks and their privacy responsibilities? Over the last year, the Commissioner has seen each of these scenarios lead to a breach. Identify your organization’s weak points before a breach identifies them for you.
- Be aware of breaches in your industry. Attackers will often re-use the same attacks against multiple organizations. Pay attention to alerts and other information from your industry association and other sources of industry news. Don’t be the next vulnerable target.
While the increase in the number and sophistication of these types of attacks is alarming, it is important to remember that an organization only needs to report a breach involving a “real risk of significant harm” to affected individuals and the Commissioner’s office. Risk of harm is determined on a case-by-case basis; however, the more sensitive the information and the more likely the information could be misused to inflict harm, the more likely the breach will need to be reported.
For more information, read our previous posts about mandatory breach notification requirements and the Commissioner’s guidance for those requirements. The privacy team at MLT Aikins has assisted a number of organizations in preparing for and in dealing with privacy and security breaches, including with respect to developing, updating, and implementing appropriate privacy compliance programs. The privacy team offers a number of important tools for this purpose. We can help your organization ensure it is appropriately prepared for and appropriately responds to such breaches in accordance with legal requirements and best practices, and thereby mitigate risks to your organization.
Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.