Privacy Commissioner Shares Lessons Learned After One Year of Mandatory Breach Reporting

November 6, 2019

On November 1 of last year, Canadian businesses became subject to new mandatory breach reporting regulations under Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). With the regulations now in force for a year, the Privacy Commissioner of Canada has shared his observations from that period. The highlights of the report are as follows:

  • There were 680 breach reports over the past year, six times more than the previous year. The Commissioner called this a “staggering” increase.
  • These breaches affected 28 million Canadians.
  • 58% of breaches involved unauthorized access, 20% accidental disclosures, 12% loss of files, and 8% theft of files.
  • The post also reminds organizations that they must keep a record of every breach and retain those records for two years. You will recall that the Commissioner has the right to inspect those records.
  • Finally, the post notes that a records review to assess compliance in this regard has just been completed, and the results will be shared after they are analyzed.
