On November 1st of last year, businesses became subject to new mandatory breach reporting regulations under Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA).
Organizations subject to PIPEDA are required to report to our office any breaches of security safeguards involving personal information that pose a real risk of significant harm to individuals. They also need to notify affected individuals about those breaches, and keep records of all data breaches within the organization.
Previously, data breach reporting to our office was done on a voluntarily basis.
Since reporting became mandatory, we’ve seen the number of data breach reports skyrocket. Some of those reports have involved well-known corporate names, but we have also seen significant volumes coming from small- and medium-sized businesses.
With nearly a year of experience under our belt, we’ve noticed a few things we’d like to share, and given we are at the anniversary of this important milestone, we couldn’t think of a better time to do it.
The Numbers
Type of breach chart
Text version
Since November 1st, 2018, we have received 680 breach reports. That is six times the volume we had received during the same period one year earlier. It’s a staggering increase and higher than we had anticipated given the experience of our counterparts at the Office of the Information and Privacy Commissioner of Alberta when their mandatory reporting laws came into effect. These reports have also been revealing and have offered a clearer picture of the challenges faced by Canadian businesses.
According to those reports, the number of Canadians affected by a data breach is well over 28 million. That number includes, of course, some of the huge breaches that have made the headlines – Desjardins and Capital One, for example.
Our work and observations to date have highlighted the importance of taking steps to reduce privacy breach risks. Here are a few of those tips:
- Know what personal information you have, where it is, and what you are doing with it. When and where do you collect personal information? Where does that information go? Who can access it, and what do they do with it? You must understand your data before you can protect it!
- Know your vulnerabilities. Conduct risk and vulnerability assessments and/or penetration tests within your organization to ensure that threats to privacy are identified. Don’t just focus on technical vulnerabilities, though. Are third parties collecting personal information on your behalf without appropriate safeguards? Are your employees aware of risks and their privacy responsibilities? Over the last year the OPC has seen each of these scenarios lead to a breach. Identify your organizations’ weak points before a breach identifies them for you!
- Be aware of breaches in your industry. Attackers will often re-use the same attacks against multiple organizations. Pay attention to alerts and other information from your industry association and other sources of industry news. Don’t be the next vulnerable target!
By way of example, a trend we have seen in the telecommunications industry is fraud through impersonation, where bad actors have convinced customer service agents into believing that they are an account holder. They do this by drawing from publicly available information, information from other breaches, phished information as well as social engineering techniques. Once they’ve convinced the customer service rep, they make changes to the account, such as requesting that a phone number be assigned to a new SIM card, ultimately allowing them to access other accounts. We understand fraudsters target one company and, as the company addresses the issue, the attackers move on to another company.
Early breach trends
The majority of reported breaches – 58 per cent – involved unauthorized access.
We have seen a significant rise in reports of breaches affecting a small number of individuals – often just one and sometimes through a targeted, personalized attack. This is the correct approach to reporting: there can be risk of significant harm even when only one person is affected by an incident.
Employee snooping and social engineering hacks are key factors behind breaches resulting from unauthorized access. In fact, roughly one in four of the incidents reported to us involved social engineering attacks such as phishing and impersonation.
Fraudsters and other bad actors use increasingly sophisticated tactics to convince employees at an organization that they are someone else. For example, they employ a variety of psychological techniques, try multiple avenues to get at personal information, use publicly available information and information disclosed in other privacy breaches.
More than one in five data breaches reported to our office over the past year involved accidental disclosure. This would include situations where documents containing personal information are provided to the wrong individual (for example, because an incorrect email or postal address was used, or an email was sent without blind copying recipients) or are left behind accidentally.
Situations where information may have been disclosed due to the loss of a computer, storage drive or actual paper files accounted for 12 per cent of the breach reports we saw.
Theft of documents, computers or computer components, which led to a data breach, accounted for 8 per cent of the breach reports.
