On November 1, 2018, the Office of the Privacy Commissioner of Canada (OPC) made it mandatory for businesses to report to the federal government any breach of personal information that risks significant harm.
After a year of mandatory reporting, the OPC has released a report on its findings.
Here are some of the highlights:
- In one year of the mandate, 680 breaches were reported, 6 times more than the year before.
- Over 28 million Canadians were affected by said breaches.
- 58% of the breaches were caused by unauthorized access such as hacking and employee snooping.
- 22% of the breaches involved social engineering attacks such as phishing and impersonation, usually stemming from information being accidentally sent to the wrong person.
- 12% of the breaches were from the loss of assets such as computers, storage drives and paper files.
- 8% of the breaches were from documents, computers or computer components getting stolen.
Although companies only have to report significant breaches, they must keep records of all breaches from the last two years, which the OPC can access and review at any time. With this data the OPC hopes to better understand what approaches organizations are using to meet their breach record-keeping and reporting responsibilities. The data will also show what challenges organizations face when dealing with breaches, allowing the OPC to give further guidance to organizations.
How to reduce privacy breach risks:
- Know what personal information your organization holds, where it is kept, and what you are doing with it.
- Identify your organization's weaknesses by conducting risk and vulnerability assessments and/or penetration tests, ensuring that threats to privacy are identified.
- Stay informed of breaches in your industry by setting up alerts that forward such information; attacks are often similar across multiple organizations.
- Be aware of fraud through impersonation.
How to respond to a breach:
- Contain the problem by putting a stop to any unauthorized practices and recovering records.
- Shut down the breached system and change any access codes.
- Lead an initial breach investigation.
- Inform those involved internally and potentially externally.
- Do not destroy any evidence.
For the complete report, click here.