<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Cybersecurity &#8211; Office of the Information and Privacy Commissioner of Alberta</title>
	<atom:link href="https://oipc.ab.ca/resources/cybersecurity/feed/" rel="self" type="application/rss+xml" />
	<link>https://oipc.ab.ca</link>
	<description>Office of the Information and Privacy Commissioner of Alberta</description>
	<lastBuildDate>Tue, 19 May 2026 17:48:11 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>https://oipc.ab.ca/wp-content/uploads/2022/01/cropped-OIPC-Icon-32x32.png</url>
	<title>Cybersecurity &#8211; Office of the Information and Privacy Commissioner of Alberta</title>
	<link>https://oipc.ab.ca</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>FAQs for the public about the unauthorized distribution of the List of Electors</title>
		<link>https://oipc.ab.ca/resource/faqs-for-the-public-about-the-unauthorized-distribution-of-the-list-of-electors/</link>
		
		<dc:creator><![CDATA[Elaine Schiman]]></dc:creator>
		<pubDate>Thu, 07 May 2026 22:25:36 +0000</pubDate>
				<guid isPermaLink="false">https://oipc.ab.ca/?post_type=resource&#038;p=17566</guid>

					<description><![CDATA[]]></description>
										<content:encoded><![CDATA[<div class="wpb-content-wrapper"><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-12"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>Following the incident involving the List of Electors (LoE) that was made public on April 30, 2026, the Office of the Information and Privacy Commissioner (OIPC) began receiving calls from many Albertans raising concerns about their personal information being included in the LoE and what recourse they may have as a result of the alleged breach. To address these and other concerns, the OIPC has created this document to help Albertans learn about what they can do, who to direct their questions to, and more information about the role and powers of the Information and Privacy Commissioner.</p>
<p>We ask that Albertans review the information in this document before contacting our office.</p>
<h3><strong>SOURCES OF INFORMATION ABOUT THE INCIDENT</strong></h3>
<p><strong>Statement by the Information and Privacy Commissioner on learning of the incident</strong></p>
<p>The Information and Privacy Commissioner issued a <a href="https://oipc.ab.ca/information-and-privacy-commissioner-of-alberta-issues-statement-regarding-unauthorized-distribution-of-list-of-electors/" target="_blank" rel="noopener">news release</a> on Friday, April 30, 2026 concerning this incident.</p>
<p><strong>Elections Alberta news releases that may answer questions</strong></p>
<p>Because this incident involved the List of Electors under the <em>Election Act,</em> the Elections Alberta website contains the latest information about the incident and the Elections Alberta investigation. (<a href="https://www.elections.ab.ca/resources/media/news-releases/" target="_blank" rel="noopener">News Releases | Press Releases | Announcements &#8211; Elections Alberta</a>).</p>
<h3><strong>FAQ</strong></h3>

		</div>
	</div>
</div></div></div></div><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-12"><div class="vc_column-inner"><div class="wpb_wrapper"><div  class="vc_do_toggle vc_toggle vc_toggle_default vc_toggle_color_default  vc_toggle_size_md"><div class="vc_toggle_title"><h4>This incident involves personal information and the privacy of Albertans. What is the Information and Privacy Commissioner doing about this incident?</h4><i class="vc_toggle_icon"></i></div><div class="vc_toggle_content"><p>As stated in a news release by <a href="https://www.elections.ab.ca/resources/media/news-releases/" target="_blank" rel="noopener">Elections Alberta</a> and the <a href="https://oipc.ab.ca/information-and-privacy-commissioner-of-alberta-issues-statement-regarding-unauthorized-distribution-of-list-of-electors/" target="_blank" rel="noopener">Information and Privacy Commissioner</a>, the <em>Election Act</em> governs the content, distribution, protection, and authorized use of the provincial List of Electors. The Information and Privacy Commissioner does not have jurisdiction over the creation and distribution of the List of Electors by Elections Alberta or over those entitled to receive this list, such as registered political parties. This activity is governed by the <em>Election Act</em>.</p>
<p>Based on information received from Elections Alberta, the Information and Privacy Commissioner can share the following information with Albertans: if you are registered to vote in Alberta, your name was on the List of Electors. If you are not sure if you are registered, you can go to <a href="https://www.voterlink.ab.ca/" target="_blank" rel="noopener">https://www.voterlink.ab.ca/</a> to confirm.</p>
<p>You may remove your name from the List of Electors by contacting Elections Alberta, but that will require you to sign a declaration the next time you go to vote, and you will no longer receive personalized <em>Where to Vote</em> information.</p>
</div></div><div  class="vc_do_toggle vc_toggle vc_toggle_default vc_toggle_color_default  vc_toggle_size_md"><div class="vc_toggle_title"><h4>Is the Information and Privacy Commissioner going to investigate?</h4><i class="vc_toggle_icon"></i></div><div class="vc_toggle_content"><p>On May 6, 2026, the Information and Privacy Commissioner issued a Notice of Investigation to the Centurion Project Ltd. regarding her investigation under the <em>Personal Information Protection Act</em> (PIPA) into allegations that the Centurion Project Ltd. has collected, used and disclosed personal information derived from the Alberta List of Electors, which, if true, may be in violation of the PIPA. More information about this investigation can be found in the <a href="https://oipc.ab.ca/office-of-the-alberta-information-and-privacy-commissioner-issues-notice-of-investigation-regarding-alleged-breach-of-list-of-electors/" target="_blank" rel="noopener">news release</a> issued on May 7, 2026, announcing this investigation to the public.</p>
</div></div><div  class="vc_do_toggle vc_toggle vc_toggle_default vc_toggle_color_default  vc_toggle_size_md"><div class="vc_toggle_title"><h4>There has been online commentary encouraging affected individuals to contact the federal privacy Commissioner&#039;s office to request an investigation into this matter. Is this a good idea?</h4><i class="vc_toggle_icon"></i></div><div class="vc_toggle_content"><p>The federal Privacy Commissioner does <strong>not</strong> have any authority to investigate this matter. If you ask his office to investigate, they will send you back to the Office of the Information and Privacy Commissioner (OIPC) of Alberta. In addition, Albertans should remember the Information and Privacy Commissioner is <strong>independent of government</strong>.</p>
</div></div><div  class="vc_do_toggle vc_toggle vc_toggle_default vc_toggle_color_default  vc_toggle_size_md"><div class="vc_toggle_title"><h4>How does PIPA protect me?</h4><i class="vc_toggle_icon"></i></div><div class="vc_toggle_content"><p>Under PIPA, an organization may only collect, use or disclose personal information if permitted by PIPA. For personal information that is in the custody or control of an organization, the organization is obligated to make reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure, copying, modification, disposal or destruction. “Organization” is defined in PIPA to include a corporation.</p>
<p>It is important for the public to know that privacy laws, such as PIPA, ensure an individual has control over their own personal information. PIPA facilitates this control using a two-pronged approach to collection, use and disclosure of personal information. An organization subject to PIPA may <em>only</em> collect, use or disclose personal information with consent (unless an exception to consent exists) <strong><u>and</u></strong> for a reasonable purpose. Any collection, use or disclosure of personal information that does not meet these two requirements is unauthorized and unlawful.</p>
<p>There seems to be confusion in the public domain about privacy laws. They are not about confidentiality; they are about the right of individuals to control their own personal information and retain the choice to decide which organization to do business with and which of their personal information the organization may collect, use or disclose. This is how control is generally exercised under PIPA.</p>
<p>Your personal information belongs to you. That&#8217;s true even when some of it is easy to find or already out in public. Being visible doesn&#8217;t make it free for the taking. In Alberta, organizations can only collect, use, or share your personal information when PIPA allows it, because the information is yours, not theirs.</p>
</div></div><div  class="vc_do_toggle vc_toggle vc_toggle_default vc_toggle_color_default  vc_toggle_size_md"><div class="vc_toggle_title"><h4>What powers does the Commissioner have in conducting investigations?</h4><i class="vc_toggle_icon"></i></div><div class="vc_toggle_content"><p>The Information and Privacy Commissioner is an independent Officer of the Legislature and is mandated under PIPA to monitor compliance with this Act to ensure its purposes are achieved.</p>
<p>Under PIPA, the Commissioner has broad powers of investigation, including the authority to launch investigations into allegations of non-compliance by organizations.</p>
<p>When conducting an investigation, the Commissioner has all the powers, privileges and immunities of a commissioner under the <a href="https://www.canlii.org/en/ab/laws/stat/rsa-2000-c-p-39/latest/rsa-2000-c-p-39.html" target="_blank" rel="noopener"><em>Public Inquiries Act</em></a>, and the powers set out in section 38 of PIPA, including the following:</p>
<p><strong>(2)</strong>  The Commissioner may require any record to be produced to the Commissioner and may examine any information in a record, including personal information, whether or not the record is subject to this Act.</p>
<p><strong>(3)</strong>  Notwithstanding any other enactment or any privilege of the law of evidence, an organization must produce to the Commissioner within 10 days any record or a copy of any record required under subsection (1) or (2).</p>
<p><strong>(4)</strong>  If an organization is required to produce a record under subsection (1) or (2) and it is not reasonable to make a copy of the record, the organization may require the Commissioner to examine the original record at its site.</p>
<p><strong>(5)</strong>  After completing a review or investigating a complaint, the Commissioner must return any record or any copy of any record produced.</p>
<p><strong>(6)</strong>  The Commissioner may publish any finding or decision in a complete or an abridged form</p>
<p>Note that the authority under the <em>Public Inquiries Act </em>does not give the Commissioner the ability to conduct a public inquiry. Rather, this authority extends certain powers under that Act to the Commissioner, such as the power to compel witness testimony.</p>
<p>Section 36(1)(b) gives the Commissioner the power to order an organization to comply with PIPA on finding a violation of PIPA at the conclusion of an investigation. Orders of the Commissioner can be enforced by the Court.</p>
<p>Under section 37.1(1), the Commissioner has the power to require an organization to notify individuals affected by a breach of their personal information, where there is a real risk of significant harm to these individuals as a result of the breach.</p>
<p>Under PIPA, in sections 59(1)(d), (e) and (f) it is an offence for a person, including an organization, to</p>
<p>(d)    obstruct the Commissioner or an authorized delegate of the Commissioner in the performance of the Commissioner’s duties, powers or functions under this Act, including but not limited to obstructing the Commissioner or authorized delegate by disposing of, altering, falsifying, concealing or destroying evidence relevant to an investigation or inquiry by the Commissioner;</p>
<p>(e)    make a false statement to the Commissioner or an authorized delegate of the Commissioner, or mislead or attempt to mislead the Commissioner or authorized delegate, in the course of the performance of the Commissioner’s duties, powers or functions under this Act;</p>
<p>(f)    fail to comply with an order made by the Commissioner under this Act.</p>
<p>The penalty for being found guilty of an offence under PIPA is up to $10,000 for an individual and up to $100,000 for an organization.</p>
<p>Section 60(1) of PIPA provides any individual who is affected by an order made by the Commissioner, which has become final as a result of there being no further right of appeal, with a cause of action against the organization for damages for loss or injury that the individual has suffered as a result of the breach by the organization of obligations under this Act or the regulations.</p>
</div></div><div  class="vc_do_toggle vc_toggle vc_toggle_default vc_toggle_color_default  vc_toggle_size_md"><div class="vc_toggle_title"><h4>I want the Commissioner to tell me if my personal information was on the List of Electors in this incident.</h4><i class="vc_toggle_icon"></i></div><div class="vc_toggle_content"><p>The Information and Privacy Commissioner does not have any involvement in the creation of the List of Electors and does not have access to the List of Electors. This is governed by the <em>Election Act</em>. Any questions about information contained in the List of Electors should be directed to <a href="https://www.elections.ab.ca/" target="_blank" rel="noopener">Elections Alberta</a>.</p>
</div></div><div  class="vc_do_toggle vc_toggle vc_toggle_default vc_toggle_color_default  vc_toggle_size_md"><div class="vc_toggle_title"><h4>I want the Commissioner to charge the persons responsible for this incident.</h4><i class="vc_toggle_icon"></i></div><div class="vc_toggle_content"><p>There are offences and penalties under Alberta’s access and privacy laws. For example, there have been several prosecutions pursued in the courts for violations of the <em>Health Information Act</em>.</p>
<p>However, the Commissioner does not have the ability to “charge” anyone with an offence or administer penalties under those laws. This is generally under the purview of Crown prosecutors and the courts, respectively.</p>
</div></div><div  class="vc_do_toggle vc_toggle vc_toggle_default vc_toggle_color_default  vc_toggle_size_md"><div class="vc_toggle_title"><h4>I want to file a complaint about this incident with the Commissioner’s office. Can I do this and, if so, how do I do this?</h4><i class="vc_toggle_icon"></i></div><div class="vc_toggle_content"><p>An individual who believes their personal information has been collected, used or disclosed without authority by an organization under PIPA, may make a complaint to the Information and Privacy Commissioner.</p>
<p>That said, the Information and Privacy Commissioner has launched an investigation into these activities by the Centurion Project and may, at the conclusion of her investigation, issue a public investigation report about her findings and any recommendations. The Commissioner has the power to order compliance should she find non-compliance with PIPA.</p>
<p>Rather than making a complaint at this time, individuals may wish to hold off until the conclusion of this investigation.</p>
</div></div><div  class="vc_do_toggle vc_toggle vc_toggle_default vc_toggle_color_default  vc_toggle_size_md"><div class="vc_toggle_title"><h4>What can I do to protect myself?</h4><i class="vc_toggle_icon"></i></div><div class="vc_toggle_content"><p>The potential harms and steps to take to prevent those harms depend on individual circumstances.</p>
<p>For example, you may be an Albertan who does not mind that your name and mailing address is in the public domain. However, you may be employed in a sensitive occupation (such as law enforcement, or similarly exposed professions), be a victim of domestic violence, or belong to another vulnerable group, where the public disclosure of this information may present unique harms to you that may require unique steps to protect yourself.</p>
<p>If you are concerned about personal safety, you should consult resources available from your nearest law enforcement agency about personal safety, such as tips provided by the following agencies:</p>
<p>Alberta RCMP – <a href="https://rcmp.ca/en/alberta/alberta-rcmp-services-and-information" target="_blank" rel="noopener">Services and Information</a></p>
<p>Calgary Police Service – <a href="https://www.calgarypolice.ca/public-safety/crime-prevention.html" target="_blank" rel="noopener">Crime Prevention</a></p>
<p>Edmonton Police Service – <a href="https://www.edmontonpolice.ca/CrimePrevention/PersonalFamilySafety/PersonalSafety" target="_blank" rel="noopener">Personal Safety</a></p>
<p>&nbsp;</p>
<p>In addition, all Albertans should remain vigilant about identity-related fraud; Elections Alberta provided some general advice in this news release <a href="https://www.elections.ab.ca/resources/media/news-releases/update-unauthorized-use-of-list-of-electors/" target="_blank" rel="noopener">UPDATE: Unauthorized Use of List of Electors &#8211; Elections Alberta</a>, which is summarized below:</p>
<ol>
<li><em>Be aware and vigilant. Watch for unexpected mail or missing statements, emails, or phone calls such as debt collection calls for unknown accounts.</em></li>
<li><em>Be skeptical of texts and emails claiming to help reclaim your information. Do not click links and go only to the official websites of entities you know. Legitimate organizations will not ask for sensitive information via email or text.</em></li>
<li><em>Consider setting up information monitoring through your internet web browser, antivirus protection, and financial institution.</em></li>
<li><em>If you think you are a victim of identity theft, you should make a report to the police immediately.</em></li>
</ol>
<p>Lastly, you should be vigilant about online safety, including when it comes to information received by email, mail, phone or other means, as these kinds of breaches sometimes lead to personal information being used to manipulate your views or to deliver misinformation about certain events or activities.</p>
<p>Always check sources and avoid clicking on any links sent to you.</p>
<p>DO NOT provide any further personal information to an unknown person without verifying who is collecting this information.</p>
<p>Note that personal information that is accessible in the public domain can be combined with other publicly available information about individuals and be used to target individuals or groups for malicious purposes.</p>
</div></div><div  class="vc_do_toggle vc_toggle vc_toggle_default vc_toggle_color_default  vc_toggle_size_md"><div class="vc_toggle_title"><h4>I want to know if my name appears on any citizen petition lists submitted to Elections Alberta. How can I get this information?</h4><i class="vc_toggle_icon"></i></div><div class="vc_toggle_content"><p>The Information and Privacy Commissioner does not have access to the information as citizen petitions are not within her mandate. This question can be posed to the Office of the Chief Electoral Officer.</p>
<p>Information concerning this question was posted in this message from the Chief Electoral Officer: <a href="https://www.elections.ab.ca/resources/media/news-releases/message-to-albertans-re-unauthorized-use-of-list-of-electors/" target="_blank" rel="noopener">Message to Albertans from the Chief Electoral Officer re: Unauthorized Use of List of Electors &#8211; Elections Alberta</a></p>
</div></div></div></div></div></div><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-12"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<h3><strong>STAY INFORMED</strong></h3>
<p>This guidance will be updated as we receive more questions regarding this incident.</p>
<p>Last updated May 19, 2026</p>

<table id="tablepress-2" class="tablepress tablepress-id-2">
<tbody class="row-striping">
<tr class="row-1">
	<td class="column-1"><p><strong>Disclaimer</strong><br><br />
This document is not intended as, nor is it a substitute for, legal advice, and is not binding on the Information and Privacy Commissioner of Alberta. Responsibility for compliance with the law (and any applicable professional or trade standards or requirements) remains with each organization, custodian or public body. All examples used are provided as illustrations. The official versions of the laws <a href="https://oipc.ab.ca/legislation/" target="_blank" rel="noopener">the OIPC oversees</a> and their associated regulations should be consulted for the exact wording and for all purposes of interpreting and applying the legislation. The Acts are available on the website of <a href="https://www.alberta.ca/alberta-kings-printer.aspx" rel="noopener" target="_blank">Alberta King's Printer</a>.</p><br></td>
</tr>
</tbody>
</table>
<!-- #tablepress-2 from cache -->

		</div>
	</div>
</div></div></div></div>
</div>]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Letter from OIPC to Ministers of PPHS and HSHS regarding Bill 11 &#8211; December 1 2025</title>
		<link>https://oipc.ab.ca/resource/letter-from-oipc-to-ministers-of-pphs-and-hshs-regarding-bill-11-december-1-2025/</link>
		
		<dc:creator><![CDATA[Elaine Schiman]]></dc:creator>
		<pubDate>Mon, 01 Dec 2025 22:26:38 +0000</pubDate>
				<guid isPermaLink="false">https://oipc.ab.ca/?post_type=resource&#038;p=17186</guid>

					<description><![CDATA[]]></description>
										<content:encoded><![CDATA[]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Securing Personal Information: A Self-Assessment Tool for Public Bodies and Organizations</title>
		<link>https://oipc.ab.ca/resource/securing-personal-information/</link>
		
		<dc:creator><![CDATA[ssibbald]]></dc:creator>
		<pubDate>Tue, 01 Mar 2022 20:40:42 +0000</pubDate>
				<guid isPermaLink="false">https://staging.oipc.ab.ca?post_type=resource&#038;p=2504</guid>

					<description><![CDATA[]]></description>
										<content:encoded><![CDATA[]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Cloud Computing for Small- and Medium-Sized Enterprises</title>
		<link>https://oipc.ab.ca/resource/cloud-computing/</link>
		
		<dc:creator><![CDATA[ssibbald]]></dc:creator>
		<pubDate>Fri, 25 Feb 2022 18:27:36 +0000</pubDate>
				<guid isPermaLink="false">https://staging.oipc.ab.ca?post_type=resource&#038;p=2324</guid>

					<description><![CDATA[]]></description>
										<content:encoded><![CDATA[]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Web Buckets</title>
		<link>https://oipc.ab.ca/resource/web-buckets/</link>
		
		<dc:creator><![CDATA[ssibbald]]></dc:creator>
		<pubDate>Thu, 24 Feb 2022 22:26:34 +0000</pubDate>
				<guid isPermaLink="false">https://staging.oipc.ab.ca?post_type=resource&#038;p=2289</guid>

					<description><![CDATA[The Office of the Information and Privacy Commissioner (OIPC) has seen an increase in reported breaches involving cloud storage containers,&#8230;]]></description>
										<content:encoded><![CDATA[<p>The Office of the Information and Privacy Commissioner (OIPC) has seen an increase in reported breaches involving cloud storage containers, or “web buckets”, that are unintentionally exposed publicly online, typically through misconfigured properties or settings.</p>
<p>While most web bucket incidents reported to the OIPC are from private sector organizations, due to breach reporting requirements under the Personal Information Protection Act (PIPA), this advisory is for any organization that is using or considering the use of web buckets for the storage of personal or health information, such as public bodies or health custodians regulated by Alberta’s Freedom of Information and Protection of Privacy Act (FOIP Act) or Health Information Act (HIA).</p>
<h4>What Are Web Buckets?</h4>
<p>Organizations are increasingly using external service providers to store data, run applications or otherwise deliver computing services “in the cloud”.<br />
Web buckets are one type of cloud service. Web buckets can be thought of as internet accessible containers, or folders, that store “objects” for various purposes, such as processing or to be displayed as content on websites. Objects are unstructured data or files (e.g. images, videos, documents, binaries, code, etc.)</p>
<h4>How Web Buckets Are Exposed</h4>
<p>Since data stored within web buckets is, by the nature of cloud computing, accessible via the internet, part of configuring buckets involves defining access permissions or controls, including setting who can read or write content for a bucket.</p>
<p>The contents of buckets are “exposed” when access permissions are misconfigured. For example, by mistakenly allowing unrestricted public access or providing access to all employees within an organization.</p>
<p>Misconfiguration of the buckets may result in unauthorized access and disclosure of an organization’s data, which may include individuals’ personal or health information.</p>
<h4>Privacy and Security Considerations</h4>
<p>Alberta’s privacy laws require that reasonable steps be taken to protect against risks to personal or health information, which generally extends to service providers that host data on behalf of organizations.</p>
<p>Prior to using web buckets to store and process identifying information, organizations should conduct privacy and security risk assessments to identify, prioritize, and address risks that may affect the information.</p>
<p>Organizations should implement reasonable administrative, technical and physical controls to manage or address identified risks, including:</p>
<ul>
<li><strong>Complete a Privacy Impact Assessment (PIA)<br />
</strong>A PIA is a process used for identifying and managing privacy and security risks associated with the collection, use, disclosure and retention of identifying information.PIAs should be conducted prior to implementing and operating web buckets.More information on how and when to complete a privacy impact assessment is available at www.oipc.ab.ca. Health custodians under Alberta’s HIA are required to complete a PIA and submit it to the OIPC for review for any new or changed information system or administrative practice that involves the collection, use or disclosure of individually identifying health information.</li>
<li><strong>Contracts and Agreements<br />
</strong>Ensure that a signed contract is in place between your organization and the web bucket service provider that addresses:</p>
<ul>
<li>Accountability and data ownership (i.e. who is responsible for personal information protection).</li>
<li>Data residency requirements (e.g. applicable legislation may require that personal information be stored within specific geographic locations).</li>
<li>How security incidents and privacy breaches will be managed, including steps that will be taken by the provider to ensure your organization is notified about the event in a timely manner.</li>
<li>How personal information will be securely returned to your organization and how copies in the provider’s systems will be securely deleted upon termination of services.</li>
<li>Who may access personal or health information stored in the provider’s systems, and the legal authority for such access (e.g. law enforcement).In addition to the above, ensure that your web bucket provider has reasonable privacy and security policies in place that govern its information handling practices. Understand what your cloud service provider is permitted to do with your records.</li>
</ul>
</li>
<li><strong>Encryption of Information<br />
</strong>Ensure that information in buckets is encrypted at rest, and in transit, using industry standard cryptographic algorithms at minimum.Ensure your cloud provider implements reasonable administrative and technical controls for the security of encryption keys, if the provider manages encryption on behalf of your organization.</li>
<li><strong>Logical Separation of Web Buckets<br />
</strong>Ensure your cloud provider implements reasonable technical controls that logically separate your organization’s personal information from that of other clients.</li>
<li><strong>Web Bucket Access Controls<br />
</strong>Ensure web buckets have reasonable access controls that are configurable, and align with your organization’s privacy and security policies and practices. This includes having processes and policies in place that govern who approves and provisions access, and for terminating access to the buckets in a timely manner.Also ensure access permissions for buckets and their contents (objects) are configured in accordance with your organization’s privacy and security policies so that authorized individuals access the least amount of information required to complete a task.Conduct periodic reviews of your access control settings to reasonably protect the information in the buckets and to ensure accounts that no longer need access to the buckets are removed.</p>
<p>If your website accesses data from buckets, ensure visitors are only able to access the information required for the services that your organization provides. For example, for a bucket that requires public access, such as website content, ensure that identifying information is not stored within the same public bucket as it may list its files and directories to any user.</li>
<li><strong><strong>Prepare for Incidents and Breaches<br />
</strong></strong>Implement an incident response plan, including processes and procedures for managing security incidents and privacy breaches.Understand your organization’s role, and that of the service provider, in managing incidents and breaches.</p>
<ul>
<li>Perform periodic audits of accesses to information in your web buckets.</li>
<li>Ensure information in the buckets is securely backed up and stored in an alternate location.</li>
<li>Periodically test your backups for recoverability.</li>
<li>Provide appropriate training to your staff.</li>
</ul>
</li>
</ul>
<p>Other guidance may prove helpful in identifying and addressing risks and understanding legal obligations to protect personal or health information. Resources, such as “Securing Personal Information: A Self-Assessment Tool for Organizations” and “Cloud Computing for Small- and Medium-Sized Enterprises”, are available at www.oipc.ab.ca.</p>
<h4>When a Breach Occurs</h4>
<p>Despite policies and guidance, breaches still occur. If an incident occurs, the OIPC has guidance available called “Key Steps in Responding to Privacy Breaches”.</p>
<p>Certain incidents under PIPA and HIA must be reported to the OIPC, and may voluntarily be reported under the FOIP Act.</p>
<p>The OIPC has guidance on its “How to Report a Privacy Breach” webpage at www.oipc.ab.ca for reporting breaches to the Information and Privacy Commissioner.</p>
<p>The OIPC may be able to provide general advice or guidance for responding to the privacy breach and ensuring steps are taken to comply with obligations under privacy legislation.</p>
<p><em>October 2020</em></p>

<table id="tablepress-2-no-2" class="tablepress tablepress-id-2">
<tbody class="row-striping">
<tr class="row-1">
	<td class="column-1"><p><strong>Disclaimer</strong><br><br />
This document is not intended as, nor is it a substitute for, legal advice, and is not binding on the Information and Privacy Commissioner of Alberta. Responsibility for compliance with the law (and any applicable professional or trade standards or requirements) remains with each organization, custodian or public body. All examples used are provided as illustrations. The official versions of the laws <a href="https://oipc.ab.ca/legislation/" target="_blank" rel="noopener">the OIPC oversees</a> and their associated regulations should be consulted for the exact wording and for all purposes of interpreting and applying the legislation. The Acts are available on the website of <a href="https://www.alberta.ca/alberta-kings-printer.aspx" rel="noopener" target="_blank">Alberta King's Printer</a>.</p><br></td>
</tr>
</tbody>
</table>
<!-- #tablepress-2-no-2 from cache -->
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Ransomware</title>
		<link>https://oipc.ab.ca/resource/ransomware/</link>
		
		<dc:creator><![CDATA[ssibbald]]></dc:creator>
		<pubDate>Thu, 24 Feb 2022 22:17:17 +0000</pubDate>
				<guid isPermaLink="false">https://staging.oipc.ab.ca?post_type=resource&#038;p=2285</guid>

					<description><![CDATA[What is Ransomware? Ransomware is malicious software (malware) installed on your device or system, including smartphones and tablets, that encrypts&#8230;]]></description>
										<content:encoded><![CDATA[<h4>What is Ransomware?</h4>
<p>Ransomware is malicious software (malware) installed on your device or system, including smartphones and tablets, that encrypts the hard drive or specific files then demands a ransom be paid before the device or information is decrypted. Importantly, hackers may access your data during the course of an attack.</p>
<p>Ransomware is typically spread via phishing where an attachment or link in an email or text message contains malware that is installed when opened. Ransomware on one device may spread to other devices through network vulnerabilities.</p>
<p>Variations of ransomware exist to attack most operating systems, including Windows, Android and iOS (Apple). Publicized instances of ransomware have occurred at hospitals and media organizations, as well as thousands of personal devices. There are several types of ransomware that you can learn more about online.</p>
<h4>Preventive Measures</h4>
<p>Alberta’s privacy laws require reasonable steps be taken to protect against risks to personal or health information. The OIPC recommends public bodies, health custodians and private sector organizations consider the following:</p>
<ul>
<li>Educate about phishing attacks. In particular, only download email attachments or click on links from trusted sources.</li>
<li>Back up information and system files regularly, and test backups to ensure they are working as expected.</li>
<li>Install internet security software and maintain updates.</li>
<li>Configure internet security software to receive automatic malware notices and perform real-time malware scans, in addition to regularly scheduled malware scans.</li>
<li>Install security patches for operating systems as soon as they become available.</li>
<li>Bookmark trusted websites and access those websites via bookmarks.</li>
<li>Avoid using administrator accounts for general use on your device. Administrator accounts that are exploited by malware may cause more damage.</li>
<li>Ensure a breach response plan is in place and educate users about what to do if attacked.</li>
</ul>
<h4>When a Breach Occurs</h4>
<p>Despite policies and guidance, breaches still occur. If an incident occurs, the OIPC has guidance available called “Key Steps in Responding to Privacy Breaches”.</p>
<p>Certain incidents under the Personal Information Protection Act and Health Information Act must be reported to the OIPC, or may voluntarily be reported under the Freedom of Information and Protection of Privacy Act.</p>
<p>The OIPC has guidance on its “How to Report a Privacy Breach” webpage at www.oipc.ab.ca for reporting breaches to the Information and Privacy Commissioner.</p>
<p>The OIPC may be able to provide general advice or guidance for responding to the privacy breach and ensuring steps are taken to comply with obligations under privacy legislation.</p>
<ul>
<li>Employees affected by a breach may need to take additional steps, such as:<br />
Changing credentials for various employee or personal accounts, if applicable</li>
<li>Monitoring personal accounts (online, financial, health, etc.)</li>
<li>Contacting or reporting the breach to the Canadian Anti-Fraud Centre</li>
</ul>
<p><em>March 2016</em></p>

<table id="tablepress-2-no-3" class="tablepress tablepress-id-2">
<tbody class="row-striping">
<tr class="row-1">
	<td class="column-1"><p><strong>Disclaimer</strong><br><br />
This document is not intended as, nor is it a substitute for, legal advice, and is not binding on the Information and Privacy Commissioner of Alberta. Responsibility for compliance with the law (and any applicable professional or trade standards or requirements) remains with each organization, custodian or public body. All examples used are provided as illustrations. The official versions of the laws <a href="https://oipc.ab.ca/legislation/" target="_blank" rel="noopener">the OIPC oversees</a> and their associated regulations should be consulted for the exact wording and for all purposes of interpreting and applying the legislation. The Acts are available on the website of <a href="https://www.alberta.ca/alberta-kings-printer.aspx" rel="noopener" target="_blank">Alberta King's Printer</a>.</p><br></td>
</tr>
</tbody>
</table>
<!-- #tablepress-2-no-3 from cache -->
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Phishing</title>
		<link>https://oipc.ab.ca/resource/phishing/</link>
		
		<dc:creator><![CDATA[ssibbald]]></dc:creator>
		<pubDate>Thu, 24 Feb 2022 22:10:48 +0000</pubDate>
				<guid isPermaLink="false">https://staging.oipc.ab.ca?post_type=resource&#038;p=2284</guid>

					<description><![CDATA[]]></description>
										<content:encoded><![CDATA[<div class="wpb-content-wrapper"><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-12"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>Phishing is a type of security incident that can lead to a privacy breach. A breach means a loss of, unauthorized access to, or unauthorized disclosure of personal or individually identifying health information. Based on breach reports the Office of the Information and Privacy Commissioner (OIPC) receives, senior leaders and employees in all sectors are regularly subject to phishing incidents. These incidents can expose the personal or health information of employees, customers, patients or anyone otherwise affiliated with a private sector organization, health custodian or public sector body (collectively referred to as organizations in this document).</p>
<h4>What is Phishing?</h4>
<p>Phishing is defined as a social engineering attack carried out via electronic communications, typically email, but also instant messaging, text messaging and phone calls.</p>
<p>The objective of phishing attacks is for perpetrators to get individuals to divulge information for malicious purposes (e.g. for financial gain via fraud or theft or by selling personal information to other malicious actors, or to cause embarrassment, hurt or harm to an individual’s or organization’s reputation).</p>
<p>Phishing may occur in combination with other security incidents. For example, a third party (hacker) may gain unauthorized access to an email account belonging to an employee of an organization. The hacker then uses that account to send emails to other employees or contacts. These emails appear to be from the employee, and any replies may be redirected to a different email account controlled by the hacker.</p>
<p>Phishing attacks are often intended to obtain access to login credentials, such as usernames or passwords or other verification details (for example, “forgot your password” answers) for specific websites, programs or portals that may contain information of value to perpetrators.</p>
<h4>How is Phishing Executed?</h4>
<p>Many phishing attempts are done in bulk where a message will be crafted and sent to numerous email recipients, with the intent that a few people will become victims. However, there are highly targeted and sophisticated phishing attacks that may seek personal employee information, such as social insurance numbers, salary details or other employee information (which may be referred to as “whaling” or “spear-phishing” attacks). These latter types of phishing attacks (i.e. business email compromises) are often used against organizations.</p>
<p>A common scenario is when an employee of an organization receives an email that appears to be a request for tax forms from the organization’s CEO. Believing the email is legitimate, the employee replies to the message but it is sent to the unauthorized individual posing as the organization’s CEO.</p>
<h4>Signs of Phishing Attempts</h4>
<p>As the example above illustrates, phishing works by luring an intended victim using “bait” (hence the term “phishing”). For example, the “bait” may be that the email, call or text appears to be coming from a trusted source, such as an employer, a vendor/contractor, or a reputable organization.</p>
<p>To make it easier to distinguish legitimate requests from phishing attempts, the latter usually include one of the following:</p>
<ul>
<li>Requests for sensitive information (account information, passwords or social insurance numbers)</li>
<li>Threats with imminent consequences (“your computer is infected”, “I have compromising pictures of you” or “the CEO has asked for this ASAP”)</li>
<li>Rewards that seem too good to be true (promises of vacations or monetary gain)</li>
</ul>
<h4>Mitigating the Risks of Phishing</h4>
<p>To mitigate risks of phishing incidents, organizations must consider various safeguards that will help to educate all employees, including senior leaders. Safeguards may include the following:</p>
<ul>
<li>Implementing policies and procedures, and providing privacy and security training for staff.</li>
<li>Developing policies for reporting privacy and security incidents when they happen.</li>
<li>Fostering a culture that encourages employees to report issues or incidents when they happen is helpful.</li>
<li>Establishing password management policies that require employees not to reuse passwords across accounts. That way, one compromised account does not affect other accounts. For example, information from a compromised personal account could affect an employee’s account within the organization – or vice versa.</li>
<li>Confirming that a request for personal employee information is legitimate by contacting the sender.</li>
<li>Providing “think before you click” guidance. Pausing and considering whether a request in an email is legitimate may provide the extra time it takes to prevent a breach from occurring.</li>
<li>Considering flagging emails coming from external sources.</li>
<li>Using multi-factor authentication that relies on email, mobile app prompts, or other authentication tokens, whenever possible.</li>
</ul>
<h4>When a Breach Occurs</h4>
<p>Despite policies and guidance, breaches still occur. If an incident occurs, the OIPC has guidance available called “Key Steps in Responding to Privacy Breaches”.</p>
<p>Certain incidents under the Personal Information Protection Act and Health Information Act must be reported to the OIPC, or may voluntarily be reported under the Freedom of Information and Protection of Privacy Act.</p>
<p>The OIPC has guidance on its “How to Report a Privacy Breach” webpage at www.oipc.ab.ca for reporting breaches to the Information and Privacy Commissioner.</p>
<p>The OIPC may be able to provide general advice or guidance for responding to the privacy breach and ensuring steps are taken to comply with obligations under privacy legislation.</p>
<ul>
<li>Employees affected by a breach may need to take additional steps, such as:<br />
Changing credentials for various employee or personal accounts, if applicable</li>
<li>Monitoring personal accounts (online, financial, health, etc.)</li>
<li>Contacting or reporting the breach to the Canadian Anti-Fraud Centre</li>
</ul>
<p><em>May 2019</em></p>

<table id="tablepress-2-no-4" class="tablepress tablepress-id-2">
<tbody class="row-striping">
<tr class="row-1">
	<td class="column-1"><p><strong>Disclaimer</strong><br><br />
This document is not intended as, nor is it a substitute for, legal advice, and is not binding on the Information and Privacy Commissioner of Alberta. Responsibility for compliance with the law (and any applicable professional or trade standards or requirements) remains with each organization, custodian or public body. All examples used are provided as illustrations. The official versions of the laws <a href="https://oipc.ab.ca/legislation/" target="_blank" rel="noopener">the OIPC oversees</a> and their associated regulations should be consulted for the exact wording and for all purposes of interpreting and applying the legislation. The Acts are available on the website of <a href="https://www.alberta.ca/alberta-kings-printer.aspx" rel="noopener" target="_blank">Alberta King's Printer</a>.</p><br></td>
</tr>
</tbody>
</table>
<!-- #tablepress-2-no-4 from cache -->

		</div>
	</div>
</div></div></div></div>
</div>]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
