Blog

What Can Canada Expect with Mandatory Breach Notification?

August 08, 2018
Written by Martin P.J. Kratz QC

November 1, 2018, brings mandatory breach notification to Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), following Alberta’s Personal Information Protection Act (PIPA) which has had such a law since 2010.

What can Canada expect to see when the reporting of breaches becomes mandated as opposed to voluntary?

Australia recently implemented a Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Australia) setting out requirements for entities in responding to data breaches. Entities have data breach notification obligations when a data breach is likely to result in serious harm to any individuals whose personal information is involved in the breach. The scope of the Australian system includes Australian Government agencies, larger businesses and not-for-profit organizations, credit reporting bodies, health service providers, and others.

The Office of the Australian Information Commissioner (OAIC) releases quarterly reports which provide a guide to the breaches reported and may be an interesting data point for Canadians to consider as we move towards national mandatory breach reporting. See “Notifiable Data Breaches Quarterly Statistics Report”, July 2018, Office of the Australian Information Commissioner.

A preliminary observation is that the number of reported breaches went up in a mandatory system versus the voluntary system. Canada can certainly expect that as well.

In its second quarterly report, the OAIC recorded 242 notifications of data breaches, of which 59% were due to malicious or criminal attacks, 36% to human error and 5% to system faults. The OAIC noted that attacks included “cyber incidents such as phishing, malware, ransomware, brute-force attack, compromised or stolen credentials and hacking by other means, as well as social engineering or impersonation and actions taken by a rogue employee or insider threat. Theft of paperwork or storage devices was a significant source of malicious or criminal attacks.”

The human error incidents were cases such as personal information sent to the wrong recipient by email or mail, other unauthorized disclosures, and the loss of a storage device.

The kinds of personal information involved in the data breaches were:

  • 89% contact information, such as an individual’s home address, phone number or email address;
  • 42% financial details;
  • 39% identity information, meaning information used to confirm an individual’s identity, such as a passport number or driver’s licence number;
  • 25% health information;
  • 19% tax file numbers (another form of identifier); and
  • 8% other sensitive information.

The top industry sectors by notifications in the OAIC report were:

  • 49 notifications by health service providers of which 59% were due to human error and 41% due to a malicious or criminal attack;
  • 36 notifications in the finance sector of which 50% were due to human error and 47% due to a malicious or criminal attack;
  • 20 notifications in the legal, accounting and management services sector of which 30% were due to human error and 60% due to a malicious or criminal attack;
  • 19 notifications in the education sector of which 47% were due to human error and 47% due to a malicious or criminal attack;
  • 15 notifications in the business and professional association sector of which 20% were due to human error and 73% due to a malicious or criminal attack.

An early lesson is the substantial share of breaches due to human error. These figures suggest that organizations should maintain and expand training, policies and procedures to heighten awareness of this preventable risk.

The Australian experience suggests that Canadian organizations should review their privacy policies, practices and procedures, first to minimize the breaches due to human error. Second, Canadian organizations should maintain an ongoing awareness of the substantial number of malicious or criminal attacks and implement policies and practices to defend against such attacks, detect them when they occur and minimize the damage caused by such an incident.

It would help the educational effort in support of preparedness, and in minimizing and mitigating the impact of breaches in Canada, if the Canadian Privacy Commissioner’s Office considered a similar form of reporting on the breach notifications it receives after November 1, 2018.

Author

  • Martin P.J. Kratz QC, FCIPS, Partner, Trademark Agent

© Bennett Jones LLP 2019 All rights reserved. Bennett Jones refers collectively to the Canadian legal practice of Bennett Jones LLP and the international legal practices and consulting activities of various entities which are associated with Bennett Jones LLP