On October 13, 2021, the Office of the Information and Privacy Commissioner of Alberta (OIPC) released its investigation report regarding LifeLabs Inc.’s (LifeLabs) compliance with Alberta’s Personal Information Protection Act (PIPA).

On December 16, 2019, LifeLabs notified the OIPC that it suffered a privacy breach, potentially affecting up to 15 million customers. LifeLabs indicated that the cyberattack resulted in unauthorized access to customer information such as names, addresses, phone numbers, login information, health card numbers and lab test results.

The OIPC investigated whether LifeLabs had protected the personal information in its custody or under its control by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure, copying, modification, disposal, or destruction, as required by Section 34 of PIPA.

The investigation resulted in the following three findings and five recommendations to LifeLabs.

The OIPC first found that LifeLabs did not meet its obligations under Section 6(1) of PIPA to develop and follow reasonable policies and practices to meet its obligations under Section 34. The OIPC stated that it was unclear which security policies and practices were in effect, or were consistently followed, at the time of the security incident.

Secondly, the OIPC found that LifeLabs did not retain personal information only for as long as reasonably required for legal or business purposes, as required by Section 35 of PIPA. By retaining personal information beyond what was required, LifeLabs also did not meet its obligations under Section 34 to make reasonable security arrangements to protect that information against unauthorized access, use, disclosure, or copying.

Lastly, the OIPC found that LifeLabs did not protect personal information in its custody or under its control by making reasonable security arrangements in accordance with Section 34.

The OIPC therefore recommended that LifeLabs:

  1. create Alberta-specific policies and practices as appropriate in accordance with PIPA;
  2. formally adopt its draft policies and practices, and develop a process to ensure compliance with its privacy and security policies and practices;
  3. complete a thorough review of all personal information maintained to ensure compliance with its records retention and disposition policies;
  4. implement the technical components contained in its draft and adopted policies, and encrypt data; and
  5. formally adopt and follow best practices for patch management.

In April 2021, LifeLabs agreed to implement the OIPC’s recommendations and indicated that it had already implemented some of the recommendations during the course of the investigation.

Summary By: Steffi Tran

E-TIPS® ISSUE 21 10 27

Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.

E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.