Starting November 1, 2018, it will no longer be optional to report breaches to the Office of the Privacy Commissioner of Canada (OPC) for organizations subject to the Personal Information Protection and Electronic Documents Act (PIPEDA). Organizations must report breaches of security safeguards that create a real risk of significant harm to an individual. Failure to report those breaches will be an offence.
So what type of scrutiny of security safeguards should an organization expect after making a breach report to the OPC?
First, be prepared for follow-up
The OPC is not required to “do” anything with a breach report under PIPEDA. However, the OPC’s current practice under its voluntary reporting program involves reviewing the report and asking follow-up questions about the vulnerabilities exploited in the security breach. The OPC also frequently asks more general questions about the organization’s security measures. This process is likely to continue.
The fact that the OPC is asking questions does not necessarily mean that the organization is under investigation. However, the OPC has the power to commence an investigation if the Commissioner is satisfied that there are reasonable grounds to investigate a matter. Therefore, organizations should be prepared for OPC staff to scrutinize the report and the organization’s answers to follow-up questions for evidence of non-compliance.
In addition, individuals who are affected by the breach have the right to make a complaint to the OPC. This will trigger an investigation (although the OPC does have some discretion to decline to investigate or to divert the complaint for early resolution ). OPC in-take staff will likely assist the complainant in framing the complaint about the breach as a complaint about the adequacy of the organization’s security measures, which the OPC will then investigate. OPC staff are forthcoming about whether the organization is under investigation as a result of a complaint. Nevertheless, whenever an organization receives a communication from the OPC following a breach, the organization should ask whether the organization is under investigation as a result of a complaint or otherwise, even if OPC staff do not volunteer this information.
Demonstrate the standard of care was met, if possible
The overarching concerns of the OPC following a breach are to evaluate (i) whether the vulnerability that gave rise to the breach has been satisfactorily addressed and (ii) whether the organization has or is now employing security measures that meet the requirements of PIPEDA.
In evaluating whether an organization has met or is now meeting the standard of care for security measures, the OPC will assess the organization’s security measures against the criteria in Principle 4.7 of Schedule 1 to PIPEDA, which deals with the requirement to protect personal information through the use of appropriate safeguards. The OPC expects that an organization will document its security measures as well as how the organization addresses foreseeable risks to personal information in the organization’s custody or control. Therefore, organizations should be prepared to answer the following questions and show proof of compliance:
- Does the organization have an information classification system to identify sensitive personal information?
- Has the organization calibrated the security measures so that sensitive personal information is subject to a greater degree of protection?
- Do the security measures provide protection against loss or theft of personal information as well as unauthorized activities with respect to that personal information, such as unauthorized access, disclosure, copying, use and modification?
- Do the security measures cover the lifecycle of the personal information from collection through to, and including, secure destruction?
- Do the security measures include physical protections, technical measures and administrative policies and procedures?
- Were employees trained to identify sensitive personal information and how to protect all personal information from loss or theft as well as unauthorized activities?
What types of deficiencies fall below the standard of care?
The OPC has issued numerous decisions on security safeguards over the years. Many of these are summarized in an Interpretation Bulletin. However, this Interpretation Bulleting has not been updated since 2015. So, organizations should also review more recent decisions involving security breaches, such as the Investigation into Ashley Madison (PIPEDA Report of Findings #2016-005) and the investigation into VTECH (PIPEDA Report of Findings #2018-001).
Based on the Interpretation Bulletin and more recent decisions, there are certain “badges” of non-compliance with the security measures required by PIPEDA.
Deficient administrative controls
- Missing documentation on security policies and procedures (these should include an overarching risk management framework that addresses risk-prevention and detection / monitoring for loss, theft or unauthorized activities)
- Lack of training of employees and tests or audits to ensure compliance by employees with policies and procedures
- Failing to remain knowledgeable regarding technological advances to ensure safeguards are up-to-date
- Failing to monitor and act on third-party notices (e.g. announcements by software providers, cloud service providers etc. of vulnerabilities) to ensure vulnerabilities are patched in a timely way
- Failing to have a third-party processor / vendor compliance program that includes periodic audits or evaluations of the security of the vendor
Deficient technical controls
- Failing to use strong encryption for sensitive personal information in-transit and at rest
- Failing to protect encryption keys
- Failing to use multifactor identification for remote access
- Failing to employ strong authentication and access controls to avoid unauthorized access and use of personal information (including at the Admin account level)
- Failing to protect account credentials or permitting the sharing of account credentials among employees (i.e. failing to ensure unique user ids and passwords)
- Failing to deploy anti-virus and anti-malware software and to test for well-known and commonly exploited vulnerabilities in networks and systems
- Failing to log and monitor access and use of resources and data to detect unauthorized activity
- Failing to act on alerts from intrusion detection and other monitoring systems to fully investigate the reasons for the alert
- Failing to limit the use of portable devices for the storage of personal information and to ensure those portable devices are encrypted
Deficient physical controls
- Failing to ensure that physical premises are protected and monitored for unauthorized access (including failing to ensure internal access controls to areas in which sensitive data is stored)
- Failing to ensure that paper-based documents are kept in locked cabinets and work areas
- Failing to ensure that disposal methods are secure
Not every breach is a violation
Not every breach will result in a finding of wrongdoing. In PIPEDA Report of Findings #2014-004, the OPC stated explicitly that the mere fact of a breach does not mean that the organization has contravened PIPEDA. In the case of Report of Findings #2014-004, the breach resulted from a zero-day exploit in software used by the organization. The vulnerability was not publicly known prior to the breach occurring. The organization had numerous other technical safeguards in place and the breach would not have been prevented by reasonable security measures. The OPC stated:
The fact that a breach has occurred is not necessarily indicative of a contravention of the Act. While an organization may not have been able to prevent a breach, it may still have had appropriate safeguards in place.
Moreover, the organization demonstrated to the OPC that even though it could not have prevented the exploit using reasonable security measures, it learned from the incident and implemented additional security measures. The OPC reported that these included: (i) salted hashing and stronger encryption of personal information; (ii) reconfiguring its network to further isolate sensitive data; (iii) conducting extensive penetration testing; (iv) updating all internal protocols; and (v) providing additional training to staff.
Don’t expect a dramatic shift in approach… but expect alarm
It is unlikely that we will see a dramatic shift in the approach taken by the OPC to security safeguards, at least in the short-term. Brent Homan, Director General for Investigations, has been promoted to the position of Deputy Commissioner, Compliance. Mr. Homan has been involved in all of the most important OPC investigations since 2012. It is unlikely that he will suddenly shift the OPC’s position on security safeguards.
However, the OPC is likely to be very alarmed by the volume of breach reports. I am certain it will look like there is a pandemic from their vantage point. There is a risk that this may lead to an unwarranted overreaction, combined with a desire by the OPC to flex its “regulatory muscles”. Unfortunately, organizations should be prepared to be treated as criminals rather than co-victims of breaches. However, once the dust settles, it is likely that any departure from the OPC’s more measured approach will be short-lived.