Earlier this year, the Office of the Privacy Commissioner of Canada (the “OPC”) published its findings from the investigation it conducted into the data breach suffered by VTech. The OPC’s findings provide Canadian businesses with some helpful guidance about (i) the manner in which personal information should be protected, and (ii) data security requirements that are expected under the Personal Information Protection and Electronic Documents Act (the “PIPEDA”).

Background

VTech is a Hong Kong-based global manufacturer and supplier of electronic learning products for children. VTech has a Canadian subsidiary for its operations in Canada.

In November 2015, VTech suffered a data breach where an unauthorized user gained access to its network. By using an “SQL injection”[1] which exploited a vulnerability in VTech’s network application, the user was able to access, copy, and exfiltrate data held by VTech.

Upon learning of the incident through the media, VTech immediately launched an internal investigation. A few days later, VTech confirmed that some data had indeed been compromised through the unauthorized access and issued a press release. VTech stated that the compromised data included the following types of personal information:

  • Parents’ account information, including name, email address, mailing address, IP address, password and the last four digits and expiry date of credit cards; and
  • Children’s information, including name, gender, birthdate, pictures and voice recordings.

The unauthorized user was eventually arrested and the stolen data was quickly recovered by VTech. However, the OPC received a complaint from a Canadian citizen alleging that VTech had failed to adequately protect his/her personal information as well as his/her child’s information. In this regard, the OPC reported its findings on the adequacy of VTech’s security system under PIPEDA.

Data security findings

PIPEDA requires businesses in possession of personal information to comply with the following principles: (i) implementation of data security, confidentiality and integrity measures for any personal information they collect, process or hold; and (ii) safeguards commensurate to the sensitivity of the personal information collected, including physical, organizational and technological measures (e.g., social insurance numbers should have greater security safeguards than, say, telephone numbers).

That being said, the OPC found that VTech’s security measures were inadequate at the time of the incident, especially given the sensitivity of the information it held. The OPC also found that the compromised information could have been used for phishing attacks or identity theft. VTech’s data protection and security measures had the following deficiencies:

  1. Organizational: VTech had not implemented network controls in order to limit access to administrator accounts to only those employees who needed access for their work. Further, VTech did not have a global data security policy or a related training program.
  2. Technological: VTech stored and transmitted personal information without any cryptographic protection. Further, VTech did not have a regular testing protocol to detect vulnerabilities of its network nor any program related to software maintenance. VTech also did not have a risk mitigation strategy in the event of a security breach. Finally, VTech did not have a logging and monitoring mechanism to detect unusual activity.

Findings regarding the response to the Cyber-attack

Important amendments were made to PIPEDA in June 2015. The amendments included, among other things, mandatory breach notification and a security safeguard breach record keeping. These changes will be implemented once the Breach of Security Safeguards Regulations come into force (date yet to be determined but likely later this year). These regulations will require businesses that are victims of a data breach to:

  • Report the breach to the OPC if it considers that it poses a real risk of significant harm to affected individuals;
  • Notify affected individuals as soon as feasible. This notification must contain specific details to allow affected individuals to take the necessary measures to reduce the risks resulting from the breach; and
  • Keep a record of all data breaches.

In light of these requirements, the OPC found that VTech’s response to the breach was timely and appropriate under the circumstances. Once VTech became aware of the breach, it acted promptly and took adequate measures to mitigate potential impact(s) resulting from the breach. VTech also notified users and the OPC of the breach early on in the process. Furthermore, VTech hired legal counsel specializing in cybersecurity in order to analyze the extent and cause of the breach and to take the appropriate corrective measures to avoid a similar attack in the future.

Conclusion

The OPC’s findings are instructive since they provides insights into the Commissioner’s views on best practices for data security and how to respond effectively to a data breach. The report, read in conjunction with the PIPEDA, should serve as a benchmark against which existing cybersecurity incident monitoring and response plans are measured. Where gaps and deficiencies are identified, organizations should update their plans to ensure that they not only comply with Canadian requirements, but also fit into a broader global plan, if the business collects personal information about data subjects outside of Canada.