One year of mandatory breach reporting – over 28 million Canadians affected


Gatineau (November 8, 2019) – The Office of the Privacy Commissioner of Canada (OPC) looks back on one year of mandatory data breach reporting. On November 1, 2018, new regulations went into effect under Canada’s federal private sector privacy law. Since then, the OPC has received reports of 680 data breaches – six times the volume of previous years. In total, over 28 million Canadians have been affected by a data breach during the last year.

On the occasion of the one-year anniversary of mandatory data breach reporting, the Office of the Privacy Commissioner of Canada (OPC) informed the public that 680 data breach reports have been received since the new regulations became effective.

The new regulation under the Personal Information Protection and Electronic Documents Act came into force on November 1 of last year. Previously, the disclosure of data breaches was on a voluntary basis. The OPC announced in its statement that the number of data breaches reported in the last year is six times higher than the number reported in previous years.

Additionally, the OPC found that over 28 million Canadians were affected by a data breach in that time period. However, a day after the OPC published its numbers, the Desjardins insurance group announced in a news conference that, according to new findings, about 4.2 million members were affected by its massive data breach earlier this year. Initially, it was believed that 2.9 million Canadian members were impacted. That leaves 1.3 million Canadians whose personal information was compromised and who are not yet counted in the OPC numbers.

The OPC broke the 680 reported data breaches down into the following four causes: 397 incidents involved unauthorized access, 147 incidents were due to accidental disclosure, 82 incidents were attributed to a loss, and 54 incidents were due to theft.

‘Through both the exercise and the breach reports we have received to date, it has become clear that breaches remain an ongoing threat for all organizations. Businesses need to be aware of the myriad of potential risks and tackle them through a combination of technology, training, policies and processes,’ said the office in their statement.

However, the standards in cybersecurity are constantly changing because fraudsters keep adapting. The OPC found that about 25 percent of the incidents involved ‘social engineering attacks’. Fraudsters increasingly use tactics like phishing or impersonation, which makes the schemes more sophisticated. The OPC also found the number of breach reports affecting a small number of individuals – often just one – remarkable.

Victims of privacy breaches can find more information on the website of the Office of the Privacy Commissioner of Canada.