Mandatory Breach Reporting Rules under PIPEDA Turns One

On November 1, 2018, mandatory breach reporting rules under the Personal Information Protection and Electronic Documents Act (PIPEDA) came into effect (reported by the E-TIPS® Newsletter here). Since then, the Office of the Privacy Commissioner of Canada (OPC) has received over 680 breach reports affecting more than 28 million Canadians.

The OPC assessed its first year of mandatory breach reporting under PIPEDA in a blog post on its website.  In those first 12 months, the OPC received 680 breach reports, an increase of six times the number of breach reports received by the OPC from voluntary disclosure. With respect to the reported breaches, the OPC noted the following trends:

• The majority of breach reports (58%) involved unauthorized access of personal data.
• There has been a significant rise in reports of breaches affecting a small number of individuals.
• Approximately one in four of the incidents reported involved the use of social engineering attacks by hackers/fraudsters such as phishing and impersonation in order to gain unauthorized access.
• “Fraud through impersonation” has become especially prevalent in the telecommunications industry where customer service agents are being duped into believing that the fraudulent person is an account holder.
• One in five data breaches reported involved accidental disclosure, i.e. where documents containing personal information are inadvertently provided to the wrong individual.
• Twelve per cent (12%) of the unauthorized disclosure occurred because of the loss of a computer, storage drive, or actual paper files.
• Eight per cent (8%) of data breaches occurred as result of the theft of documents, computers, or computer components.

The OPC’s full assessment of its first year of mandatory breach reporting can be found here.

Summary By: Jae S. Morris