Last year was a big year for Canadian privacy professionals handling data breach notifications. That's because new requirements came into effect in August under Alberta's Health Information Act, and federal requirements under the Personal Information Protection and Electronic Documents Act came into effect a few months after that in November.
These new mandates have made waves in the Great White North, and privacy professionals and regulators have used this new legal landscape as an opportunity not only to break down the most prevalent types of breaches they have seen, but also to discuss what privacy pros can do to prepare themselves for the time they eventually stare down an incident.
Since the August implementation date of the new breach rules, Information and Privacy Commissioner of Alberta Jill Clayton said her office has seen a surge in reported incidents. Speaking on a panel at the IAPP Canada Privacy Symposium in Toronto last week, the commissioner said 600 breaches were reported in the first three months, and she expects 1,300 to 1,500 to be sent to her office in year one.
In addition, the Office of the Information and Privacy Commissioner of Alberta is in the midst of analyzing the last nine years of breaches under the province's Personal Information Protection Act. While device theft has gone down and unauthorized disclosures have remained stable, Clayton said phishing attacks have surged in recent years, adding her office receives six to seven social engineering attack reports per week.
Phishing attacks have increased partly because organizations have shored up their systems: as the technical side of breach prevention gets stronger, hackers turn their attention to employees, which is why Clayton said staff training is crucial to limit potential exposure.
Ted Charney, of Charney Lawyers, said more and more class-action lawsuits centered on phishing attacks have popped up over the past few years. Fasken Partner Alex Cameron said emails compromised via phishing make up "every other call" he receives, adding that, depending on who gets attacked, a compromised-email incident means the clock starts ticking instantly.
"There’s an immediate financial risk that needs to be mitigated before millions of dollars go to a destination that you’ll never be able to recover," Cameron said.
The good news? The steps to avoid trouble are entirely within privacy professionals' hands. Charney said the longer an entity waits to notify individuals of a breach and to take the steps to remedy the incident, the worse it will be if they face litigation. Charney said, "Judges always focus on commending those companies that take immediate steps to remedy a breach."
When dealing with regulators after an incident, Clayton said it helps to establish communication with commissioners' offices even in cases when there is not a requirement to report a breach.
"Keep in mind whether it is a legal responsibility or not, it is useful to give us a call and a heads up because if it gets out there, someone is going to ask us," Clayton said. "It helps to be transparent."
Alerting the public about a breach is one of the most important aspects of a response plan, Charney said. Handled poorly, the response can damage an organization's reputation and cause a lot of headaches.
"When it comes time to notify customers, what you say when you notify them is important," Charney said. "Institutions have had their first response team, but they are not sure to what extent hackers have compromised the servers and what data may have been obtained."
Charney added that notifying individuals without those crucial details could incite panic among customers, which could lead to a mountain of complaints and customer inquiries. That said, customers could also lose trust in an organization if they are notified about a breach but later find out their information had not been compromised at all. Charney said the best way to handle that is to state in the notification letter that the organization is notifying all of its clients out of caution.
That's a lot to consider for an entity that is located in one province. For those who are in several different provinces or even different countries, breach notifications can become even more complicated.
"They get nervous about their potential exposure, and while they may be cooperative they are thinking they might get sued, so that is a different dynamic," Cameron said. "In terms of the multi-jurisdictional organizations, we are having to make an assessment in terms of not just Canadian law, but U.S. law and other foreign laws."
The privacy landscape has changed noticeably over the past decade, but advice on how to limit data breach exposure has remained constant, at least for Clayton. The commissioner said to make sure policies and procedures are in place to educate staff on the different types of attacks, especially in industries with a great deal of turnover.
Canadian regulators and privacy professionals may have their hands full with an increasing number of phishing and social engineering attacks right now; however, the landscape will likely change again over the coming decade and beyond. As the value of data continues to grow by the day, Canadian privacy professionals will still have their work cut out for them.