Canadian Privacy Commissioner Release Results of Investigation into Desjardins Data Breach

On December 14, 2020, the Privacy Commissioner of Canada released a statement on the findings of the joint investigation of the Office of the Privacy Commissioner (OPC) with the Commission d’accès à l’information du Québec into the security breach at Fédération des caisses Desjardins du Québec (Desjardins) that occurred in May 2019 and affected almost 10 million individuals in Canada and abroad.

The security breach, previously reported by the E-TIPS® Newsletter here, was a result of an ill-intentioned employee exfiltrating sensitive personal information of customers collected by Desjardins. Although the personal information was stored in two data warehouses the employee had limited access to, other employees, in the course of fulfilling their duties, regularly copied the information onto a shared drive that had far less restrictive access requirements than the data warehouses. Over twenty-six months, the malicious employee compromised the data of nearly 9.7 million Canadians.

Privacy Commissioner of Canada Daniel Therrien said that "Desjardins did not demonstrate the appropriate level of attention required to protect the sensitive personal information entrusted to its care.” The investigation revealed that Desjardins failed to meet several of its obligations under PIPEDA, including:

• failure to ensure proper implementation of policies and procedures for managing personal information;
• inadequate access controls and data segregation practices involving the personal information;
• inadequate employee training and awareness surrounding the sensitive nature of the personal information the organization was entrusted with; and
• failure to implement retention periods or procedures regarding the destruction of personal information.

Upon conclusion of the investigation, Desjardins agreed to a series of recommendations to improve its program for information security and protection of personal information. It also committed to provide progress reports to the OPC every six months and to engage external auditors to assess and certify its programs and submit an assessment report to the OPC.

Summary By: Hashim Ghazi