data security

Canadian businesses are required to maintain a record of all data breaches. | wk1003mike / Shutterstock

After the first year of mandatory data breach reporting in Canada, it has become clear that lost or stolen records and devices account for a sizeable percentage of breaches.

Starting Nov. 1, 2018, Canada began requiring businesses to report to the federal government breaches of personal information when there is “real risk of significant harm.” A year later, the Office of the Privacy Commissioner of Canada (OPC) reported on some early takeaways from the breach notifications.

Overall, the OPC received 680 breach reports since Nov. 1, 2018, six times the number from the same period the year before, when reporting was voluntary. Breaches fell into the following categories:

  • 58% were caused by unauthorized access, including hacking and employee snooping.
  • 22% were accidental disclosure, including sending documents with personal information to the wrong person or leaving them behind accidentally.
  • 12% were from loss of a computer, storage drive or paper files.
  • 8% were from theft of documents, computers or computer components

The breaches affected a total of over 28 million Canadians, according to OPC.

Under the regulations, businesses are required to maintain a record of all breaches, even those they aren’t required to report to OPC because they don’t present a risk of significant harm to the individual whose data was breached. OPC, which has the authority to inspect those records, just completed a record review exercise.

“The full analysis of this inaugural exercise is underway, but we are confident it will help us learn not only about compliance with breach record maintenance, but also the challenges and pain points that may exist for organizations,” according to OPC. “Once the analysis is complete, we plan to share our results, and reflect on how it can inform existing and/or future guidance on mandatory breach responsibilities, including assessment of the real risk of significant harm.”

The National Association for Information Destruction (NAID) wrote about the OPC report on Nov. 6.

More stories about data security

IRT