The office of the information and privacy commissioner (OIPC) says there were nearly 2,000 privacy breaches in Alberta over 11 years.

On Wednesday, a report was released analyzing Alberta’s Personal Information Protection Act (PIPA) breaches from 2010 to 2021.

In May 2010, requirements to report certain breaches to the OIPC and notify affected individuals came into force under PIPA.

Data shows that organizations sent millions of notifications to people affected by breaches since the requirements came into force. The leading reason for notification to an affected individual has been unauthorized access to personal information, most often caused by a compromised electronic information system, such as the installation of malware or ransomware.

According to the report, there were nearly 2,000 privacy breaches reported in Alberta over the 11-year period.

"Organizations face constant challenges in preventing and responding to breaches, and this report shows how dynamic privacy and security management has become," said Jill Clayton, information and privacy commissioner.

"The legal mechanisms have remained the same but the administrative and technical aspects require regular reviews and updates."

The provincial government said the report offers guidance to help organizations and law firms specializing in privacy law decide whether there is a real risk of significant harm (RROSH) to an affected individual as a result of a breach. RROSH is the legal threshold under PIPA for reporting breaches.

In particular, the executive summary of the report lists criteria on when the commissioner decided there was RROSH or no RROSH, and why there was a no-jurisdiction finding in some cases.

Based on information submitted by organizations when reporting a breach, the report analyzed how long it takes to discover breaches, notify individuals, and report to the OIPC. It also looks at whether malicious intent or deliberate action was involved in a breach, types of harm, types of personal information, and reporting industries, among other data.

Hypothetical scenarios in the report comparing "typical" RROSH and no RROSH breaches between those analyzed in 2010-11 and 2020-21 show how they have changed over time.

Alberta became one of the first North American jurisdictions to require organizations to notify individuals affected by breaches and to report those incidents to the OIPC. The commissioner was also given the power under PIPA to require organizations to notify an affected individual when the commissioner determines there is a real risk of significant harm to the affected individual as a result of a breach.

"Digital realities underscore the need for regular privacy and security training for staff in all industries and for diligence in performing security updates to IT infrastructure," Clayton said.

"Beyond digital privacy and security management, it is also important for organizations to remind staff regularly about not leaving work products in vehicles and to triple check addresses when sending mail or email containing personal information."

Clayton said as her term as commissioner ends, she is proud of the work done to implement processes to review and deal with reported breaches.

"We led the way in Canada, and helped to ensure that Albertans affected by privacy breaches could take the steps necessary to protect themselves from harm," said Clayton.