On September 23, 2020, Canadian e-commerce company Shopify Inc. (Shopify) announced that, in accordance with its obligations under the Personal Information Protection and Electronic Documents Act (PIPEDA), it had notified the Office of the Privacy Commissioner of Canada (the OPC) about a security incident carried out by two "rogue" employees.

Under PIPEDA, it is mandatory for organizations to report a breach of security safeguards where it is reasonable to believe that the breach creates a "real risk of significant harm". The security breach centred on the illegitimate attainment of customer records connected to "less than" 200 Shopify merchants, all of whom were promptly notified.

In a statement, Shopify confirmed that the company terminated the employees’ access to the Shopify network and referred the incident to law enforcement, stating that they are "currently working with the FBI and other international agencies in their investigations of these criminal acts".

The compromised data included basic contact information and details as to the products and services used by the merchants, but complete payment card numbers and other potentially sensitive personal or financial information was not part of the breach.  Shopify further stated that, at this stage, there is no evidence of the data being used.

Summary By: Hashim Ghazi


20 10 07

Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.

E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.