40% of data breach records insufficient – Canadian Privacy Commissioner releases findings on data breach register inspections

October 5, 2020 | David Krebs, Elissa Brock

As the Canadian Office of the Privacy Commissioner (“OPC”) signaled it would do at the end of 2019, it completed a targeted investigation of data breach registers at a select number of organizations. The OPC released has now released a report on its findings.

Keeping a record of all breaches of security safeguards affecting personal information, irrespective of the significance of harm, has been a legal requirement in Canada under the Personal Information Protection & Electronic Documents Act (“PIPEDA”) since November 1, 2018, failing which, organizations may face fines up to $100,000. This targeted investigation was launched in order to shed light on the methods by which companies are assessing risk and in order to assess to what extent these companies are complying with PIPEDA. While the OPC decided to focus on the telecommunications sector, the report is intended to guide all organizations subject to Canadian federal law. In this article, we provide a summary of the report as well as an overview of the learnings for both Canadian companies as well as companies from other jurisdictions that are subject to PIPEDA.

OPC’s Findings

  • Generally, the audited companies already had breach programs in place. That said, areas of improvement were identified in terms of recording and reporting breaches.
  • 40% of the breach records did not contain sufficient information to assess “Real Risk of Significant Harm” (“RROSH”).
  • 39% of recorded breaches were caused by human error.
  • 20% of breach records reflected non-reported breaches that may have in-fact been reportable under PIPEDA; that is, the specific process to assess harm was not compliant.
  • 5 out of 7 companies assessed RROSH using a checklist tool.
  • Generally with respect to reporting assessments, the content of the breach was being analyzed and the context of the breach was not being taken into account
  • Only 1 out of 7 organizations had a breach record retention strategy. We note that PIPEDA Regulations require a retention period of 24 months after the breach occurred.
  • Some organizations erroneously relied on solicitor-client privilege and did not provide complete records. We note that while privilege may apply, organizations must still maintain sufficient information in their records to comply with PIPEDA Regulations.

These findings result in a number of important learnings for organizations and sources of potential compliance risk.

Learnings

  • Review “blind spots”: Your organization may have a solid compliance framework but may not be capturing all potential sources of data breaches.
  • Data breach risk is a team sport: Management of engagement with privacy professionals and your IT department will ensure a more comprehensive program and appropriate and efficient risk assessment
  • OPC is clear that it can, and will, levy fines for non-compliance. We note that given that data breach requirements have now been the law for almost 2 years, the expectations surrounding compliance are likely to further increase both in terms of the gravity of a breach that requires disclosure as well the repercussions for failure to maintain proper records.
  • Monitor and improve your program: as with the above, OPC expects organizations to look back and review whether there has been an under/over reporting of incidents in the past and to ensure that appropriate risk assessment are currently in place
  • Context is important: The context of the breach, not just the content of the information breached, is important in making the decision whether to report or not. Even though the same information may have been breached in two different situations, the context of the breach may make it such that in one instance the breach should be reported and in the other not.
  • Educate and train: organizations need to train staff so that incidents can be escalated appropriately.

We are seeing a rapid modernization of privacy legislation globally as well clear signs that Canadian privacy law will change, as evidenced by the introduction of Quebec’s Bill-64, the consultation on establishing provincial privacy legislation undertaken by the Ontario government (as we’ve outlined in a previous article), and the potential PIPEDA reform as called for by the OPC (see our previous article).

Having a robust and agile privacy program that is able to withstand regulatory scrutiny on key aspects appears to becoming increasingly important for any organization subject to Canadian and other applicable privacy laws.

Disclaimer

This blog sets out a variety of materials relating to the law to be used for educational and non-commercial purposes only; the author(s) of this blog do not intend the blog to be a source of legal advice. Please retain and seek the advice of a lawyer and use your own good judgement before choosing to act on any information included in the blog. If you choose to rely on the materials, you do so entirely at your own risk.