Privacy Commissioner Shares Lessons Learned After One Year of Mandatory Breach Reporting
November 6, 2019
On November 1 of last year, Canadian businesses became subject to new mandatory breach reporting regulations under Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). With the regulations now in force for a year, the Privacy Commissioner of Canada has shared his observations from that period. The highlights of the report are as follows:
- There were 680 breach reports over the past year, six times more than the previous year. The Commissioner called this a “staggering” increase.
- These impacted 28 million Canadians.
- 58% of breaches involved unauthorized access, 20% accidental disclosures, 12% loss of files, and 8% theft of files.
- The post also makes a point of reminding organizations that they must keep a record of every breach and keep those records for two years. You will recall that the Commissioner has the right to inspect those records.
- Finally, the post notes that a records review to assess compliance in this regard has just been completed, and that the results will be shared after they are analyzed.