One year ago, marks the anniversary of mandatory breach reporting under the Personal Information Protection and Electronic Documents Act, otherwise known as PIPEDA. To commemorate the anniversary, the OPC released a one-year summarizing blog, highlighting key findings and suggestions to organizations.
Since November 2018, business organizations which are subject to PIPEDA have been obligated to notify the Office of the Privacy Commissioner of Canada (OPC) and affected individuals of a data breach that involves personal information that poses a real risk of significant harm to an individual. Those subject to PIPEDA are also mandated to keep records of all breaches, including those which do not pose a “real risk of significant harm,” for a minimum of two years.
Key Trends Identified
The Office of the Privacy Commissioner reported that it received approximately 680 breach reports since the initiation of the mandatory reporting requirements. This figure represents a six-fold volume increase from the year prior. Based on the reports, over 28 million Canadians were affected by a data breach during this period of time. Perhaps unsurprisingly, these figures far exceeded the OPC’s initial expectations which were established with the statistics analyzed from the experience of the Office of the Information and Privacy Commissioner of Alberta, as their mandatory breach reporting laws have been in effect for over 10 years.
Much of the incidents reported (58%) involved the unauthorized access to personal information, not surprisingly driven by social engineering or employees being overly intrusive. In the instance of social engineering, cyber criminals often target a select number of individuals using psychological techniques including phishing campaigns, publicly available information and the like to convince individuals that the cybercriminal is someone else, such as a supervisor, financial institution or anyone else that may encourage said individual to overshare personal details (passwords, credentials or otherwise).
Less than a quarter (22%) of breach reports resulted from accidental disclosure, where documentation including personal information was provided to the wrong individual(s) or accidently left unattended. The remaining breach reports (20%) involved the loss or theft of devices or files which contained personal information.
As previously mentioned, only those breaches involving a “real risk of significant harm” must be reported to the OPC. The determining factor of a breach involving a real risk of significant harm is determined by the organization across an assessment of sensitivity of the personal information involved and statistical probability of misuse of the data, determined through analysis referred to as the RROSH test. Business organizations that are subject to PIPEDA should be aware of the framework to establish potential harm so that all data breaches are consistently assessed.
What is real risk of significant harm (RROSH)?
Significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.
Factors that are relevant to determining whether a breach of security safeguards creates a real risk of significant harm include the sensitivity of the personal information involved in the breach of security safeguards and the probability the personal information has been/is/will be misused.
You can find detailed information regarding the RROSH test here.
As well, business organizations must also maintain an accurate record of each and every breach, including those which do not meet the harm threshold criteria for mandatory reporting. These records should be maintained for a minimum of two years and must include adequate information to allow the OPC to verify their compliance with PIPEDA’s breach reporting requirements.
The OPC maintains the authority to proactively inspect breach records held by any organizations under PIPEDA and have recently done just that with a review involving the examination of breach records of several organizations. Once completed, the OPC plans to share the full analysis with stakeholders and update guidance based on results and lessons learned.
The OPC has gathered and developed the following recommendations for organizations based on the year’s observations:
Know your vulnerabilities. Conduct risk and vulnerability assessments and/or penetration tests within your organization to ensure that threats to privacy are identified.
Are your employees aware of risks and their privacy responsibilities? Are third parties collecting personal information on your behalf without appropriate safeguards? Identify your organizations’ weak points before a breach identifies them for you!
Attackers will often re-use the same attacks against multiple organizations. Pay attention to alerts and other information from your industry association and other sources of industry news. Don’t be the next vulnerable target!