Much ado was made about the GDPR (the European Union’s General Data Protection Regulation) when it came into effect in May 2018. Companies these days have to be extra careful about how they use data from European individuals and entities, and the penalties for not reporting data breaches within 72 hours of discovery can be harsh, up to about $22 million.
The changes made to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) in November 2018 got a lot less media coverage. But Canadians deserve strict data protection regulations, and the changes made to PIPEDA last year are a definite step in the right direction.
Like Europe’s GDPR, Canada’s PIPEDA pertains to the data of Canadian individuals and entities, whether or not the computers that use the data are on Canadian soil. We’re already seeing the fruits of the changes to PIPEDA. Thanks to those changes, the Office of the Privacy Commissioner of Canada now has more concrete information about data breaches Canadians were subject to between November 1st, 2018 and October 31st, 2019. The new information is concerning, but we can’t properly prevent data breaches without understanding them and their impact.
This is what was amended in PIPEDA last year. According to David Young Law’s legal blog:
“The new rules mandate reporting to the Office of the Privacy Commissioner, as well as notification of affected persons, of any security breach posing a ‘real risk of significant harm’ to individuals. These responses must be made as soon as feasible after discovery of a breach. The regulations will set out the items of information that must be included in the reports and notifications. In addition, the new rules will require organizations to keep records of all breaches whether or not they meet this threshold.”
“As soon as feasible after discovery of a breach” is a lot more vague than the GDPR’s specific 72 hours upon discovery, and I can see corporate lawyers arguing about what “as soon as feasible after discovery of a breach” means in each legal context. Nonetheless, it’s better than nothing, eh?
Now that organizations are obligated to report known data breaches which affect Canadians, here are the facts that the Office of the Privacy Commissioner of Canada has reported. The news isn’t very comforting, but it’s best that we know the truth.
Here are the sober facts. In the time period from November 1st, 2018 to October 31st, 2019, the Office of the Privacy Commissioner of Canada received 680 data breach reports, or about 57 reports per month. According to the Privacy Commissioner, that’s about six times the volume of data breach reports they received between 2017 and 2018. I don’t think Canadian data breaches have multiplied sixfold, but I do think the new legal obligation to report data breaches is the most significant contributing factor to the increase in reports. It concerns me that organizations may have known about lots of data breaches before November 2018 and decided not to report them, for whatever reason.
Now, onto the even less fun part. A whopping 28 million Canadians have been affected by those 680 reported data breaches. According to a 2019 population estimate, Canada now has 37,602,103 people. So most Canadians have likely been affected by those breaches, including yours truly. A couple of those breaches were huge and made major news headlines, the Capital One and Desjardins breaches.
First, excerpts from Capital One’s press release:
“On July 19, 2019, we determined that an outside individual gained unauthorized access and obtained certain types of personal information about Capital One credit card customers and individuals who had applied for our credit card products. Based on our analysis to date, this event affected approximately 100 million individuals in the United States and approximately 6 million in Canada.
Importantly, no credit card account numbers or login credentials were compromised and less than one percent of Social Security numbers were compromised. In addition, the outside individual who took the data was captured by the FBI. The government has stated they believe the data has been recovered and that there is no evidence the data was used for fraud or shared by this individual.”
Here’s what Desjardins said in June about their data breach:
“On June 14, 2019, the Laval police contacted Desjardins with information confirming that the personal information of more than 2.9 million members had been shared with individuals outside the organization. This includes 2.7 million individual members and 173,000 business members. This situation is the outcome of unauthorized and illegal use of our internal data by an employee who has since been fired. In light of these events, and given the circumstances, additional security measures were put in place on all accounts. Desjardins Group will be sending a letter to all members affected by the incident.”
Then on November 1st, they confirmed that the breach was much larger in scope than originally reported:
“On October 31, the Sûreté du Québec informed Desjardins that the privacy breach, which was initially announced on June 20, appears to have affected the data of 4.2 million individual caisse members who do their banking with Desjardins in Quebec and Ontario. There is no information at this time about whether or not more business members have been affected. As a reminder, this situation only involves caisse members who use Desjardins banking services in Quebec and Ontario.
Desjardins would like to emphasize that from July onward, all caisse members who do their banking with Desjardins in Quebec and Ontario have been protected by Desjardins identity protection. This protection is provided at no cost, and no registration is required. In addition, Desjardins is now extending the Equifax credit monitoring service to all caisse members.”
The Office of the Privacy Commissioner of Canada has some more insight into the 680 data breaches between November 1st, 2018 and October 31st, 2019. Most of the reported breaches, about 58 percent, involved unauthorized access. They said:
“We have seen a significant rise in reports of breaches affecting a small number of individuals – often just one and sometimes through a targeted, personalized attack. This is the correct approach to reporting: there can be risk of significant harm even when only one person is affected by an incident.
Employee snooping and social engineering hacks are key factors behind breaches resulting from unauthorized access. In fact, roughly one in four of the incidents reported to us involved social engineering attacks such as phishing and impersonation.
Fraudsters and other bad actors use increasingly sophisticated tactics to convince employees at an organization that they are someone else. For example, they employ a variety of psychological techniques, try multiple avenues to get at personal information, use publicly available information and information disclosed in other privacy breaches.”
More than one in five data breaches involved accidental disclosure. They describe accidental disclosure as “situations where documents containing personal information are provided to the wrong individual (for example, because an incorrect email or postal address was used, or an email was sent without blind copying recipients) or are left behind accidentally.”
Hopefully, with this new information, organizations worldwide which handle the data of Canadian individuals and entities can better harden their networks, so these breaches become less frequent or otherwise have less of an impact in future.