The Office of the Privacy Commissioner of Canada announced this week that, in response to complaints received, it is investigating Ticketmaster because of the way the company handled a massive data breach that affected, according to some news stories, 500 million customers.
The OPC statement does not say too much — because, after all, there is now an active investigation — other than the fact that it will assess Ticketmaster's compliance with the federal private-sector privacy law, the Personal Information Protection and Electronic Documents Act. In particular, the OPC noted it will examine the company's practices with respect to security safeguards and whether it complied with breach notification requirements.
It reminds me of other high-profile data breach cases that have come into the public eye over the years. Anyone remember Desjardins? Or how about Equifax?
The first data breach case investigated in Canada involved the retailer TJX/Winners and was quite high profile. Back in the early 2000s, the company was the victim of a pretty sophisticated organized crime hack that led to the bad guys being able to access customers' personal information, including, in some instances, credit card and even driver's license information.
In Canada, it was the first time the OPC teamed up with another regulator — Alberta — and, after a rather cooperative investigation, we learned the security safeguards the retailer was using were out of date. It was the first lesson in Canada that organizations had to be more vigilant in protecting personal information against bad actors.
The retailer didn't fare as well in the United States. The Canadian approach was to learn lessons and try to fix things so this wouldn't happen again; in the U.S., it was forced to defend and eventually settle a class action.
All this to say, privacy pros and their security counterparts clearly have a lot of work to do in this area and it is only going to get more complicated as the bad guys get access to more and more sophisticated technology fueled, in part, by advances in artificial intelligence and, soon, quantum computing.
No rest for the weary.
OK. That's just one story in this week's news and a little history lesson. Now it's time you catch up on the rest of the goings-on in Canada's ever-evolving privacy and AI world.
Have a good weekend.
Kris Klein, CIPP/C, CIPM, FIP, is the managing director for Canada at the IAPP.