On July 27, 2022, the Office of the Information and Privacy Commissioner of Alberta (OIPC) released its 2022 PIPA Breach Report.[1] The report analyzes the nearly 2,000 breach reports[2] received by the OIPC during the ten-year period since reporting was mandated in Alberta under the Personal Information Protection Act (PIPA).[3]
The PIPA Breach Report is a rare opportunity to obtain key insights from a leading Canadian privacy and data protection regulator on two fronts: cybersecurity trends drawn from the matters reported to its office, and guidance on the considerations the OIPC takes into account in determining whether the applicable breach reporting threshold in Alberta (a real risk of significant harm (RROSH) to an individual) has been triggered in the event of a breach.[4]
The following chart summarizes and draws percentages from statistics on decision points and decisions where the OIPC found the RROSH threshold was met. While the report includes statistics for each of the ten years, we have included the first year and most recent year for the sake of comparison.
By the Numbers[5]

| | Overall | 2010-2011 reporting period | 2020-2021 reporting period |
|---|---|---|---|
| Number of reports made | 1,977 | 50 | 377 |
| Types of cases reported | | | |
| Percentage of reports assessed where RROSH was met | 68% | 40% | 80% |
| Percentage of reports assessed where no RROSH was met | 21% | 44% | 11% |
| Percentage of reports assessed where the OIPC found it had no jurisdiction | 10% | 16% | 9% |
| Cause of breach for RROSH breaches | | | |
| Compromised electronic information system (i.e. malware, ransomware, hacking) | 37% | 15% | 47% |
| Transmission error (i.e. misdirected communications) | 15% | 15% | 11% |
| Theft (i.e. stolen objects) | 15% | 45% | 10% |
| Failure to secure | 10% | 10% | 11% |
| Phishing / social engineering | 12% | 0% | 18% |
| Time taken to report breaches to the OIPC[6] | | | |
| 7 days or less | 15% | 25% | 14% |
| 7-14 days | 15% | 20% | 14% |
| 14-30 days | 21% | 35% | 19% |
| 30-60 days | 24% | 10% | 26% |
| 60 days or more | 22% | 10% | 26% |
| Time taken to notify affected individuals of a breach[7] | | | |
| 7 days or less | 26% | 15% | 27% |
| 7-14 days | 11% | 5% | 11% |
| 14-30 days | 17% | 10% | 19% |
| 30-60 days | 15% | 15% | 19% |
| 60 days or more | 19% | 0% | 22% |
Key Takeaways
A number of takeaways and key findings can be taken from the OIPC’s PIPA Breach Report that serve as useful guidance regarding how the OIPC is likely to approach the following issues:
RROSH Threshold
- Intent is a key differentiator between a finding that the RROSH threshold has been met and a finding that it has not. The PIPA Breach Report noted that 71% of decisions where the RROSH threshold had been met involved incidents caused by deliberate action, including actions by third-party actors with malicious intent, whereas 86% of decisions where the RROSH threshold was not met involved incidents caused inadvertently.
- The OIPC found that the key factors that contributed to a finding of no RROSH included:
- Where personal information is recovered, the organization confirms it has been destroyed securely, or the organization confirms it has not been used, forwarded or retained;
- The data at issue involved in the particular incident was encrypted; or
- The unintended recipient of personal information is a known or trusted party.
Notification
- Reporting Delays: The OIPC noted that the time it took organizations to report breaches had increased significantly over time – likely due to the fact that more complex breaches require lengthy investigations. As a result, the OIPC noted that the delay in reporting was a cause for concern for affected individuals, as time is of the essence to mitigate a real risk of significant harm to affected individuals.
- Early Notification: Since 2012 – 2013, at least 80% of organizations had already notified affected individuals at the time the breach was reported to the Commissioner. Although organizations are not required to notify affected individuals where there is no RROSH finding, in the majority (52%) of decisions where the threshold was not met, the organization had already notified affected individuals at the time they reported a breach to the OIPC.
Jurisdiction
Finally, the OIPC noted that some of the key reasons it had found no jurisdiction included:
- Instances where no information was found to have been collected, used, or disclosed in Alberta;
- Where the organization was a “federal work, undertaking or business” and therefore subject to Canada’s federal privacy legislation (the Personal Information Protection and Electronic Documents Act (PIPEDA)) rather than PIPA;
- Where the organization was a non-profit organization and the information at issue was not collected, used or disclosed in connection with any commercial activity;
- Where the organization had “custody” of the personal information but did not have “control” of the personal information (as the organization that “controls” the personal information is required to report the breach); or
- Where the information involved in the breach incident was not personal information as defined in PIPA. Most commonly, these breaches involved corporate credit cards or other corporate information.
The PIPA Breach Report provides helpful insights into how breach reporting has evolved over the last ten years in Alberta, the first Canadian jurisdiction to introduce mandatory breach notification in the private sector. These findings can inform and guide organizations that experience cybersecurity and privacy incidents affecting the personal information of Alberta-domiciled individuals.
The authors would like to thank articling student Erin Colwell for her assistance in preparing this update.
[1] https://oipc.ab.ca/wp-content/uploads/2022/07/PIPA-Breach-Report-2022.pdf
[2] Under section 34.1 of PIPA, the OIPC must be notified of any incident involving the loss, unauthorized access to or disclosure of personal information where a reasonable person would consider that there exists a real risk of significant harm (RROSH) to an individual as a result of the loss or unauthorized access or disclosure.
[3] PIPA applies to corporations, unincorporated associations, trade unions, partnerships or individuals acting in commercial capacities that collect, use or disclose personal information in Alberta. It does not apply to individuals acting in a personal capacity, or public bodies.
[4] The RROSH test has two constituent elements. First, there must be a “real risk” and second, “significant harm”, each with several facets to consider and weigh. This “real risk” standard does not require that significant harm will certainly result from the incident, but the likelihood that it will result must be more than mere speculation or conjecture in that a cause and effect relationship between the incident and possible harm must exist. “Significant harm” has a broad interpretation and covers a wide range of situations such as bodily harm, humiliation, damage to the reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.
[5] Numbers are rounded to the nearest percentage. Only 20 RROSH cases were reported in the 2010-2011 reporting year, so those numbers are unlikely to be statistically significant.
[6] Section 34.1(1) of PIPA requires organizations to provide notice to the Commissioner “without unreasonable delay”.
[7] The Commissioner has authority under section 37.1 of PIPA to require an organization to notify affected individuals for whom there is a real risk of significant harm as a result of a breach. Section 37.1(7) of PIPA states that an organization is not prohibited or restricted from notifying individuals on its own initiative. Typically organizations will notify at the same time or before reporting to the OIPC.