Startling Statistics from Mandatory Breach Notification

August 23, 2011

The Office of the Information and Privacy Commissioner has received more than 90 breach notification reports in the past 16 months. Breach notification became mandatory under the Personal Information Protection Act (PIPA) in May of 2010.

Any personal information breach that presents a real risk of significant harm must be reported to the Commissioner. The Commissioner in turn can order an organization to notify affected individuals of the breach, which allows people to take the necessary steps to protect themselves against risks such as identity theft.

Information and Privacy Commissioner Frank Work says the number of breach notifications is startling. “This is a significant number over a short period of time, and my staff has been stretched to the limit dealing with these numbers. We need to spend a lot of time on these files, and at times it can be overwhelming.”

Work says though that it’s encouraging to know that organizations are responding to the mandatory notification provision. “In many cases, organizations have already taken steps to notify affected individuals. Reporting to my office has become an important educational step for organizations to realize the importance of protecting the personal information they are responsible for.”

The majority of reported breaches involve human error, including email, fax or regular mail errors; stolen or lost unencrypted electronic devices; and improper destruction of records and electronic media. In other cases IT glitches and computer hacking are to blame. Many of these losses are preventable with proper security systems and encryption.

The Commissioner’s office publishes Notification Decisions where there is a real risk of significant harm as an educational tool for other organizations.

Backgrounder on Mandatory Breach Notification

  • Mandatory Breach Notification became the law in Alberta May 1, 2010 as part of amendments to the Personal Information Protection Act.
  • Alberta is the only jurisdiction in Canada that has Mandatory Breach Notification requirements.
  • Approximately 65% of organizations who report a breach have already taken steps to notify affected individuals.
  • Organizations should take these minimum steps to reduce the chances of a breach:
    • Encrypt laptops and other portable media devices
    • Collect only personal information that is reasonably required to meet the purposes for which it is collected
    • Ensure the secure destruction of personal information when it is no longer required
    • Conduct regular reviews of administrative, physical and technical safeguards, in particular protection against hacking
    • Develop policies on how your organization collects, uses, discloses and disposes of personal information