As described in numerous previous articles over the course of 2019, the past year saw an unprecedented number of breach notifications in Canada. In Europe, under the scrutiny of the General Data Protection Regulations (“GDPR”), there were a whopping 89,200 notifications in the first twelve months of the GDPR coming into force in May 2018.
To round out this turbulent year, we thought it was time to revisit the developments since the beginning of the year, as well as take note of the important recent summary by the federal Office of the Privacy Commissioner (“OPC”). With that, “once more unto the (data) breach…”
Breach Notification – by the Numbers
In Canada, under the breach notification provisions of the Personal Information Protection and Electronic Documents Act (“PIPEDA”), there have been 680 breach reports filed at a federal level since November 1, 2018 (the date on which notification became mandatory). This number is up from just over 100 (voluntary) reports for the prior period. More than 28 million Canadian records have been impacted by data breaches, driven to a large extent by the massive Desjardins and Capital One incidents.
As a comparison, in the UK, the Information Commissioner’s Office (“ICO”) reported more than 3,000 notifications during the first quarter of 2019 and more than 3,200 in the fourth quarter of 2018. Taking into account the difference in population, it may appear that UK is out-reporting Canada by 10:1, but this is not an entirely accurate reflection of the Canadian landscape. An additional 697 breaches were reported in Alberta over the past 12 months, not to mention reports filed under both voluntary and mandatory sector-specific laws across Canadian provinces. That being said, the strict 72-hour notification parameter and the potential for massive fines of up to 4% of global annual turnover dwarf the (not insignificant) regulatory risks that are currently in place in Canada.
According to a major study conducted last year, in Canada, the average cost of a data breach in 2018 was $6.11M, with direct and indirect costs per record of approximately $220. As discussed in previous blog posts, enforcement is the source of current debate in Canada and an aspect of the law that would likely change with any contemplated amendments to PIPEDA. That is, the Canadian regulator may soon have more tools, including the ability to impose more significant fines. The timing and details of such changes are, at this stage, an open question, but as Commissioner Therrien noted earlier in the year, “the real question before us now is how Canada’s laws should be updated [not if].” Failing to report, failing to report in a timely fashion, or not having appropriate security safeguards may become even costlier than it is today.
Source of Data Breaches
According to the recent summary prepared by the OPC, 58% of all breaches involved “unauthorized access,” as opposed to theft, loss and accidental disclosure. Roughly 25% of all reports involved phishing or impersonation (social engineering attacks), with attackers becoming increasingly sophisticated in their efforts to convince the targets they are someone else. Loss of data (loss of mobile device and other documentation) accounted for 12% of all breaches.
In the UK, breaches involving incorrect recipients of email, fax and regular mail accounted for nearly 30% of breaches in the recorded time-period. Interestingly, phishing is noted as accounting for only 10% of the reported breaches, while loss of data was fairly consistent with the OPC’s numbers, at approximately 11%.
There are many drivers behind the numbers, and it would be presumptuous to draw too many conclusions from the OPC’s report or the comparison with other jurisdictions. Breach categories will differ from jurisdiction to jurisdiction, and criminal activity, although seemingly without boundaries, will differ as well. As noted, the legal framework and interpretation of the requirements will also differ. That said, it is helpful to monitor changes and discrepancies as the GDPR has and will continue to influence Canadian privacy law, not to mention those Canadian business that are directly subject to it. In the first 12 months of the GDPR, there were 446 cross-border investigations commenced by EU Data Protection Authorities, and this number is unlikely to decrease.
Breach Reporting Tips from the Commissioner
The OPC summarized the following tips based on its observations from the previous year:
- Contain the breach: address the breach by stopping any unauthorized access, shutting down the breached system, and correcting security vulnerabilities
- Investigate the breach: designate a privacy officer to lead the initial breach investigation and provide initial recommendations for further action
- Notify: determine the individuals, internally and externally, who need to be notified of the incident
- Record: organizations subject to PIPEDA are required to keep and maintain a record of every breach of security safeguards involving personal information
- Do not destroy evidence: specific types of evidence may be valuable in determining the cause of the breach or the appropriate corrective action.
The OPC reminds readers of the basic expectations but does not necessarily offer many new insights into what organizations can do to meet the expectations under PIPEDA. These types of insights may be forthcoming in future reports, which we will be keeping a close eye on.
For additional reading on practical breach response tips, our last article contains some very helpful insights co-authored with our guest-contributor Claudiu Popa.
2020 will be another important year for organizations as they determine their risk exposure and legal obligations as they relate to cybersecurity and personal data breach notifications. The legal landscape will be more mature and perhaps more settled as it relates to reporting, as will organizations’ responses; but with that, expectations on those organizations by the public and regulators may also increase. Canadian enforcement, potential changes to PIPEDA, and how that impacts overall risk exposure will also be key considerations.
Your cybersecurity contacts at Miller Thomson:
David Krebs, contact at 306.667.5632 or email@example.com
Kathryn Frelick, contact at 416.595.2979 or firstname.lastname@example.org
Derrek Fahl, contact at 306.667.5628 or email@example.com
Eric Charleston, contact at 416.595.8617 or firstname.lastname@example.org
 Note that this number does not include any reports filed with provincial regulators.