Clients often ask us to explain the difference between a privacy “hack” and a “breach” where an individual’s personal information is concerned. Indeed, while there is generally understood to be a difference between these concepts, confusion remains with respect to how each is precisely defined — and how such definitions inform a company’s legal obligations.

A hack is commonly associated with a malicious intent to modify hardware or software in a way that was not intended by the developer. A privacy breach can also have dire consequences, but is usually associated with human error in that information is left unintentionally unsecured.

Some have even tried to distinguish a “hack” from a “crack,” noting that hacking is not always done for malicious purposes, whereas criminal intent always underlies a “crack.”1

However, these terms are not well delineated by Canadian institutions and are frequently used interchangeably by the media. For example, Netflix’s The Great Hack sheds light on the Facebook-Cambridge Analytica data scandal. However, some authors point out that this data scandal is properly a “breach” and not a “hack.” Cambridge Analytica exploited a mistake in Facebook’s systems, rather than breaking through Facebook’s security measures.2

What does this distinction mean for Canadian businesses? Likely, not as much as one might think. The Office of the Privacy Commissioner of Canada (OPC) clearly considers a “hack” to fall within a range of privacy breaches. Accordingly, the Personal Information Protection and Electronic Documents Act (PIPEDA) defines a “breach of security safeguards” broadly as the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards or from a failure to establish those safeguards.3

In keeping with the spirit of PIPEDA, the OPC’s official guidance, “Tips for containing and reducing the risks of a privacy breach,” asks readers to not only consider appropriate responses to hackers — for example, through intrusion prevention and detection systems — but also strongly encourages them to think beyond hackers when anticipating data and privacy threats.4

As it relates to mandatory breach reporting, whether or not a breach was malicious is only one of several factors the OPC considers when assessing the risk of information being misused and/or causing significant harm. Ultimately, a Canadian business will be required to maintain appropriate privacy safeguards in all cases.