Written by Martin P.J. Kratz QC
November 1, 2018, brings mandatory breach notification to Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), following Alberta’s Personal Information Protection Act (PIPA) which has had such a law since 2010.
What can Canada expect to see when the reporting of breaches becomes mandated as opposed to voluntary?
Australia recently implemented a Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Australia) setting out requirements for entities in responding to data breaches. Entities have data breach notification obligations when a data breach is likely to result in serious harm to any individuals whose personal information is involved in the breach. The scope of the Australian system includes Australian Government agencies, larger businesses and not-for-profit organizations, credit reporting bodies, health service providers, and others.
The Office of the Australian Information Commissioner (OAIC) releases quarterly reports which provide a guide to the breaches reported and may be an interesting data point for Canadians to consider as we move towards national mandatory breach reporting. See “Notifiable Data Breaches Quarterly Statistics Report”, July 2018, Office of the Australian Information Commissioner.
A preliminary observation is that the number of reported breaches went up in a mandatory system versus the voluntary system. Canada can certainly expect that as well.
The OAIC found for the second quarterly report 242 notifications of data breaches of which 59% were due to malicious or criminal attacks, 36% due to human error and 5% due to system faults. The OAIC noted that attacks included “cyber incidents such as phishing, malware, ransomware, brute-force attack, compromised or stolen credentials and hacking by other means, as well as social engineering or impersonation and actions taken by a rogue employee or insider threat. Theft of paperwork or storage devices was a significant source of malicious or criminal attacks.”
The human error incidents were cases such as personal information sent to the wrong recipient by email or mail, unauthorized disclosures and loss of a storage device.
The kinds of personal information involved in the data breaches were:
- 89% contact information, such as an individual’s home address, phone number or email address;
- 42% financial details;
- 39% identity information such as information that is used to confirm an individual’s identity, such as passport number, driver’s licence number, etc.;
- 25% health information;
- 19% tax file numbers (another form of identifier); and
- 8% other sensitive information.
The top industry sectors by notifications in the OAIC report were:
- 49 notifications by health service providers of which 59% were due to human error and 41% due to a malicious or criminal attack;
- 36 notifications in the finance sector of which 50% were due to human error and 47% due to a malicious or criminal attack;
- 20 notifications in the legal, accounting and management services sector of which 30% were due to human error and 60% due to a malicious or criminal attack;
- 19 notifications in the education sector of which 47% were due to human error and 47% due to a malicious or criminal attack;
- 15 notifications in the business and professional association sector of which 20% were due to human error and 73% due to a malicious or criminal attack.
An early lesson is the substantial number of breaches due to human error. These suggest organizations maintain and expand training, policies and procedures to heighten awareness of this preventable risk.
The Australian experience suggests Canadian organizations should review their privacy policies, practices and procedures to firstly minimize the breaches due to human error. Secondly, Canadian organizations should maintain an ongoing awareness of the substantial number of malicious or criminal attacks and implement policies and practices to defend against such attacks, detect them when they occur and minimize the damage caused by such an incident.
It would be helpful to the educational effort in support of preparedness to minimize and mitigate the impact of breaches in Canada if the Canadian Privacy Commissioner’s Office considered a similar form of reporting on the breach notifications it receives after November 1, 2018.