On November 7, 2018, the Ontario Cannabis Store (“OCS”) announced it had suffered a privacy breach involving approximately 4,500 customers who purchased recreational cannabis online. According to the OCS’s statement, Canada Post first notified the OCS about the breach on November 1, stating that the delivery information of OCS’s customers was accessed by an individual through Canada Post’s delivery tracking tool. The accessed information included the date of delivery, postal code, and the name or initials of the person who signed upon delivery.
The OCS has referred this matter to the Office of the Information and Privacy Commissioner of Ontario, and has been working with Canada Post to identify the cause of the breach and prevent any further unauthorized access. Canada Post said in a statement: “Important fixes have been put in place by both organizations to prevent any further unauthorized access to customer information.” Canada Post did not directly notify the affected individuals and is making its own determination whether individual notices are required.
The OCS has obligations under the Ontario’s with respect to the collection, use, disclosure, and disposal of personal information. Canada Post, as a Crown corporation, is subject to the federal Privacy Act. Neither of these pieces of legislation requires organizations to notify the affected individuals about data breaches. This incident demonstrates how the two organizations approach privacy differently under the federal and provincial laws.
Summary By: Anna Troshchynsky