On July 29, 2022 the Office of the Information and Privacy Commissioner of Alberta (the “OIPC”) issued its report on data breaches (PDF) (the “Report”). Alberta has been the leading Canadian jurisdiction, with the longest-standing experience in reviewing, assessing and reporting on data breaches, since it began mandatory breach reporting under the Personal Information Protection Act, SA 2003, c P-6.5 (the “PIPA”) in 2010. The Report is an invaluable resource for organizations regarding the lessons learned from close to 2000 submitted and reviewed breach reports.
This comprehensive Report outlines important learnings and comparisons that, among other things, showcase the evolution of breach reporting in the province.
Here are the key takeaways we see from this Report:
Findings and trends based on reported breaches
- There were 1953 breach reports submitted between 2010 and 2022. 68% of these were found to have met the “RROSH” threshold under PIPA. RROSH means there was a “real risk of significant harm” based on the unauthorized access to, loss or theft of personal information. These decisions are posted publicly on the OIPC website and provide a treasure trove of guidance for organizations and their advisors.
- There has been a significant increase in breaches meeting the RROSH threshold over the years. For breach reports submitted in the last five years, i.e. between 2017 and 2022, 70% to 80% met the RROSH threshold, whereas fewer than half of the reports submitted between 2010 and 2013 were found to meet it.
- Compromised IT systems caused 37% of all decisions where RROSH was found. The percentage of attacks on IT systems as the cause for data breaches has been increasing rapidly. It is now the cause of close to 50% of RROSH breaches.
- Social engineering and phishing, often leading to compromised IT systems, are the root cause of many privacy breaches reported by organizations. Listed as the fourth leading cause of breaches in the overall 2010-2022 period, this has been moving upwards to become the second leading cause in recent years.
- Notably, 71% of RROSH breaches have been found to be caused by non-accidental and deliberate action or malicious intent, including ransomware attacks (malicious software encrypting a user’s files and making it impossible to access the files without a “key”, leading to demands for ransom from the user in exchange for the “key”) and system hacks. The likelihood of significant harm increases in such instances, usually resulting in RROSH.
- In the early years of breach reporting, (a) Finance; (b) Health Care and Social Assistance; (c) Information; (d) Mining, Quarrying, and Oil and Gas Extraction; and (e) Real Estate and Rental and Leasing were the leading industries reporting breaches. This disparity with other industries has narrowed significantly over time.
- Retail Trade and Accommodation and Food Services have seen an upward trend in breach reporting, almost exclusively due to compromised IT systems. This is likely a result of increased reliance on online transactions.
Individuals and information impacted
- Individuals most commonly affected by a RROSH breach are customers or clients (impacted in 56% of reported RROSH breaches), with employees being the second-largest affected group.
- Identity, financial and employment information tend to be compromised in RROSH breaches. The majority of RROSH decisions (between 69% and 81%) involve some basic contact information associated with an individual, such as a telephone number or mailing address. In recent years, email addresses have come to be increasingly compromised, while targeting of medical information has been on the decline.
- Out of the 1953 reported breaches, personal information was subject to unauthorized access in 42% of all RROSH breaches, unauthorized disclosure in 36%, and loss in 21%. In recent years, more than 50% of RROSH breaches have been found to involve unauthorized access to personal information. In 2010-11, this percentage was 25%. This upward trend aligns with the increase in compromised IT systems.
Based on its review of breach reports, the OIPC has the following key recommendations about what organizations can do to enhance their system security:
- Implement regular and/or immediate security patching on networks, servers and devices;
- Sign up for and review updates from cybersecurity agencies and other professionals to keep up to date on new threats and possible solutions to protect the organization’s IT infrastructure;
- Train staff regularly on detecting phishing or social engineering attempts;
- Train staff regularly on protecting personal information contained in laptops or paper documents. For example, repeat the message that no devices or documents should be left in vehicles to reduce breaches caused by theft.
Findings on notification
- A positive finding of the OIPC is that there has been less over-reporting of breaches by organizations, indicating that organizations have become more adept at assessing the likelihood of RROSH resulting from a breach.
- On the flip side, organizations are taking longer to report breaches. While the OIPC noted that there are good reasons why this might be the case – for example, complexity of cyber attacks, or multiple reporting jurisdictions – the fact remains that this is a concern for impacted individuals. Timely reporting is viewed as a key aspect of remediation of the harms of a breach.
- Notification in over 90% of cases was via direct notification; in 4% of the cases indirect notification was authorized. This was mainly in cases where there was insufficient contact information at hand.
- PIPA and PIPA Regulations, along with guidance of the Office of the Privacy Commissioner under Canada’s Personal Information Protection and Electronic Documents Act (S.C.2000, c.5) (“PIPEDA”), provide a roadmap to determine the factors that contribute to an assessment of whether there is a real risk of significant harm:
- Risk-increasing factors were noted as follows: deliberate action or malicious intent to cause the breach; personal information was not recovered, returned or destroyed securely; lengthy data exposure; personal information was exposed with no ability to determine whether it was accessed; and personal information was not encrypted.
- Risk-reducing factors, present where no RROSH was found, are as follows: accidental or inadvertent cause of the breach; personal information is recovered, the organization confirms that personal information accessed has been destroyed securely, or the organization confirms it has not been used, forwarded or retained; encryption of the personal information; breach is reported to the organization by the unintended recipient(s); unintended recipient of personal information is a known or trusted party; and fewer personal information data elements are at issue and the personal information cannot be used for significant harm.
We should note that in some cases one factor can be determinative, while in other cases it may simply be one of the considerations. For example, the mere presence of malicious intent may not always be sufficient to result in a RROSH determination, whereas sufficient encryption of the data would generally be viewed as a very strong determining factor that personal information could not be accessed or used and therefore no harm can arise.
The findings of the Report conform to what our firm has been seeing in this area. Cyberattacks, especially ransomware incidents, email compromise and wire fraud, have been increasing whereas cases of stolen or lost devices leading to a significant data incident have been becoming less prevalent. This decreasing prevalence, in our view, is mainly due to the fact that organizations have been enhancing their protections by limiting data stored on devices, training employees, and increasing device/data encryption.