Foreign Companies Should Assess Breach Impact on Canadians as Part of their Initial Assessment

  • 28 octobre 2022
  • Kirsten Thompson and Jaime Cardy (Dentons)

The Office of the Privacy Commissioner of Canada (OPC) recently issued PIPEDA Findings #2022­004 (Report). The Report provides insight into the threshold for triggering organizations’ privacy breach notification and reporting obligations under the Personal Information Protection and Electronic Documents Act (PIPEDA)[1] and underscores the need for a timely risk assessment that includes Canadians’ personal information. PIPEDA does not currently have a hard timeline for breach reporting, saying instead that organizations must report/notify “as soon as feasible after the organization determines that the breach has occurred.” With this Report, the OPC is setting the expectation that while this timeline is flexible, it is not infinitely elastic.

Background

The OPC Report follows an investigation into a US-based entity that owns and operates several hotels and casinos in the US (Company), which suffered a privacy breach in July 2019. An unauthorized third party gained access to the Company’s external cloud server, extracted guest data, and then offered the dataset – which contained guest records for approximately 10.6 million guests – for sale on a hackers forum on the dark web. The Company became aware of the breach shortly after it occurred, hired security experts to conduct a forensic investigation, took steps to ensure that the unauthorized user no longer had access to its server, and purchased a copy of the dataset in return for the vendor’s agreement to remove the posting. It also began notifying affected American guests and American privacy regulators of the incident in September 2019.

In February 2020, the OPC learned of the incident through media reports and, apparently assuming that the personal information of Canadians must have been included in the affected dataset, noted that it had not received a breach report. The OPC contacted the Company to obtain information about the breach. The Company conducted further analysis and reported to the OPC in June 2020 that the personal information of 1.9 million Canadians had been affected, including government identifiers of 5,635 Canadians. The Company began notifying the affected Canadians immediately.

Given the potential impact on Canadians and the amount of time that had elapsed between the discovery of the incident and the Company’s report/notification under PIPEDA (roughly 12 months), the OPC decided to initiate its own complaint under section 11(2) of PIPEDA. The OPC is entitled to do so if it is “satisfied that there are reasonable grounds to investigate” a matter under Part 1 of PIPEDA. The OPC Report does not indicate whether it received any complaints from affected individuals.

The OPC’s analysis focused on whether the breach met the “real risk of significant harm” (RROSH) threshold and whether the Company’s report of the breach to the OPC and notification to affected Canadians was done “as soon as feasible,” as required by section 10.1 of PIPEDA.