Early numbers from privacy commissioners on mandatory breach reporting

The federal Office of the Privacy Commissioner of Canada (OPC) has already seen a four-to-five times increase in the number of breaches reported to its office since the mandatory breach notification requirements came into effect last November.

On Nov. 1, 2018, amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) came into effect, requiring organizations to disclose data breaches if they pose a “real risk of significant harm.”

When it was “voluntary breach reporting” before the law, “the plateau was around 100 breaches reported to our office every year,” said Abubakar Khan, director of the OPC’s business advisory directorate.

Although the information he provided is “four to four-and-a-half months of data not formally reported on or analyzed,” Khan estimates there is a four-to-five times multiplication in terms of breach reporting numbers. He also estimates there is a “good 10-to-15% of oscillating component that is being reported to us probably out of caution.” For example, either the “jurisdiction is not there or the real risk of significant harm thresholds are not met, but they are still reported.”

Khan was speaking Thursday at the NetDiligence Cyber Risk Summit in Toronto, along with Jill Clayton, information and privacy commissioner of Alberta, and Brian Beamish, information and privacy commissioner of Ontario.

Alberta has had mandatory breach reporting and notification since May of 2010 for private sector incidents where a “reasonable person may consider there is a real risk of significant harm,” Clayton said during the session Canadian Regulatory Update: So we finally have our regs, what now?

“There is a very steady increase over the years,” Clayton said of the number of breaches reported. In the last reporting year – 2017-18 – Alberta had between 230 and 240 breaches reported to the commissioner, up 43% from the previous year.

On Aug. 31, 2018, mandatory breach reporting came into force for Alberta’s health sector. However, unlike the private sector threshold, for the health sector, the threshold is a “risk of harm to an individual as a result of the loss or unauthorized access or disclosure.

“We started to get a little bit concerned after the amendments came into force and these things started to roll in,” Clayton said, noting that on some days, there we upwards of 20 reports. About six months after the law came into effect, she estimates there have been 600 reports, which could in theory double to over 1,000 in a one-year period.

“It’s a bit complicated because some of our health custodians also have obligations under our private sector obligations,” she added. “So, they are dealing with two different breach reporting and notification schemes.”

In Ontario, private sector organizations are subject to PIPEDA, not a “made-in-Ontario” privacy law, Beamish noted. In the public sector area, which covers provincial government and municipal government organizations, there is voluntary breach reporting. In 2018, 121 breaches were voluntarily reported to the commissioner by government organizations. “There is a significant level of reporting even though there is no mandatory requirement,” Beamish said.

The health sector in Ontario covers all healthcare organizations and professionals. However, pharmacies and labs are private organizations, which require mandatory reporting.

Mandatory health sector reporting to the office of Ontario’s privacy commissioner has only been in effect since Oct. 1, 2017. “The notification to patients is for any breach, regardless of seriousness,” Beamish said. “Reporting to my level, it has to come up to a level of significance.”

For 2017, which included three months of mandatory reporting, there were 324 breach reports to the office. In 2018, that number climbed to 506.