Wait, what’s a privacy breach again?
January 24, 2024
For some folks, the mere mention of a breach sends shivers down the spine, while others might not give it a second thought. But although privacy breaches have become increasingly prevalent in today’s digital age, most people are unclear about what they really entail.
Spoiler alert: not every breach is related to your computer—and many don’t involve hackers at all. Whether it’s a missing device, a software bug, or even a rogue employee, there are plenty of lesser-known, not-so-obvious risk factors that go beyond the digital realm.
But keep in mind: regardless of the cause, you’re legally obligated to protect client data every step of the way and to report any significant breach of information. And in order to report, you need to know what’s included. So let’s take it back to the basics. What’s a privacy breach? What counts? And how can you keep your business, your clients, and their data safe?
Disclaimer: Please note that the information provided herein offers guidelines only. It is not exhaustive and does not constitute legal, insurance, or cybersecurity advice. For more guidance, please consult a lawyer, a licensed insurance representative, and/or a cybersecurity specialist.
What’s a privacy breach?
In Canada, consumer data is protected under a federal law known as the Personal Information Protection and Electronic Documents Act, or PIPEDA, which governs the collection, use, and disclosure of all personally identifiable information (PII) gathered in commercial activities. PII includes, but isn’t limited to: names, social security numbers, income details, credit records, medical history, address, ethnic origin, political affiliations and beliefs, education, employment history, and more. PII excludes any business information needed to conduct work, such as employee names, titles, or business addresses, phone numbers, or emails.
PIPEDA defines a “breach of security safeguards” as: the loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards or from a failure to establish security safeguards. In other words, breaches can happen when personal information is lost, stolen, or mistakenly shared without authorization or consent, regardless of who’s at fault.
All organizations subject to PIPEDA, or a “substantially similar” provincial legislation, must report privacy breaches to affected individuals and the appropriate Office of the Privacy Commissioner of Canada. Failure to do so can lead to regulatory compliance violations, fines, and penalties.
RELATED: All About PIPEDA: How do privacy laws affect my business?
What counts?
Security incidents can generally be grouped into two categories: digital and physical.
DIGITAL
A digital privacy breach takes place in the virtual world, targeting computer systems, networks, databases, or online platforms to compromise electronically stored information. Examples include:
1) Cyberattacks
A cyberattack is any intentional or malicious attempt to view, expose, alter, disable, deny, or destroy computer systems, networks, or infrastructure. The primary motive of a cyberattack is to bypass controls, gain entry to a system, and manipulate or steal data, often for financial gain. Cyberattacks can take a variety of forms, including but not limited to:
- Phishing: When cybercriminals try to trick, coax, or “phish” people into revealing sensitive information by clicking on fake links, opening infected attachments, or downloading malicious software. Phishing scams are typically sent through email or text message.
- Ransomware: A type of harmful software that infiltrates systems, encrypts data, and blocks users from accessing their data until a sum of money is paid to a threat actor within a set period of time.
- Denial of Service (DoS) Attack: A form of traffic manipulation in which the attacker floods the bandwidth of a targeted system, like a virtual private network (VPN) server or other web-based app, with hundreds of useless connections to crash the servers.
- Credential Stuffing: When cybercriminals use login credentials from one platform (user IDs, email addresses, passwords, and/or PINs) to gain unauthorized entry to other accounts.
- Supply Chain Attacks: If a cybercriminal can’t get past an organization’s defences, they’ll turn to a less secure outside partner, provider, or other third party with access to its systems. This way, hackers can infiltrate large enterprises through the weaker links in global supply chains, like smaller distributors and suppliers with fewer resources.
RELATED: Ransomware: Should You Pay Up?
2) Network Security Issues
Network security issues are a bit of a grey area. A bug or misconfiguration on its own doesn’t technically constitute a breach, but it could lead to one; any unintentional flaws or holes in your security perimeter can create vulnerabilities that could later cause a data leak or be exploited by a threat actor. For example, if a security gap allows a cybercriminal to bypass authentication measures and view sensitive information, that would be considered a privacy breach.
Ultimately, whether a network security issue counts as a breach depends on the impact it has on your organization and client data. Be sure to fix all vulnerabilities promptly as soon as you become aware of them to prevent compromise.
RELATED: When should you report a cyber incident?
3) Third-Party Compromise
Here’s another grey area: in this day and age, most companies are reliant to some degree on third-party software. But what if one of your stakeholders experiences a breach or a ransomware attack? Or if there’s a bug in the third-party software or code you’re using across your servers? You’re not entirely sure if your clients’ data has been exposed—could you be liable?
Under Canadian privacy laws, organizations are responsible for safeguarding data collected from clients every step of the way. Whether it’s a cloud services provider (CSP), a managed services provider (MSP), or another vendor in your supply chain, using any kind of third-party to collect, store, process, or otherwise handle confidential data doesn’t absolve you of responsibility in the event of a breach. As the data owner, you’re still obligated to take direct action the moment you become aware of a security lapse—and you can be held liable for your clients’ data, even if the breach in question wasn’t your fault.
The short answer? A third-party breach, software glitch, or other cyber incident doesn’t always count as a breach on your end, BUT it’s still best to treat it like one, just in case. Much like your own network security issues, these things always have the potential to escalate. If you fail to report them and end up being affected later on, you’ll be setting yourself up for lasting financial, legal, and reputational harm.
RELATED: Decoding MSPs: Your Guide to Outsourcing IT Services
4) Email Misdelivery
It’s not just a hacker in a dimly lit room you have to worry about—sometimes it’s your own staff. Misdirected emails caused by auto-complete, a spelling mistake, or accidentally hitting “reply all” can open the door to hackers and other threat actors. Plus, if your email contains confidential client or third-party data, you’ll have to tell them about the breach, which could tarnish your brand image, damage the relationship, and even end your contract.
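One way to catch the three slips described above (an auto-complete look-alike address, a misspelled domain, and an over-broad “reply all”) before a message carrying client data leaves the organization, as an added example that is not PROLINK’s code or any product’s; the corporate domain, the partner allow-list, the thresholds and the sample messages are all constructed for illustration:

```python
"""Outbound e-mail misdelivery check (added example, not code from the post).
Flags a look-alike/typo domain, an untrusted external recipient on a sensitive
message, and a large reply-all fan-out. All names below are constructed."""
import difflib
from dataclasses import dataclass, field

ORG_DOMAIN = "example-firm.ca"                       # assumed corporate domain
TRUSTED_DOMAINS = {ORG_DOMAIN, "client-a.example"}   # assumed partner allow-list
REPLY_ALL_LIMIT = 10                                 # assumed fan-out threshold
TYPO_SIMILARITY = 0.8                                # near-miss domain cut-off


@dataclass
class Message:
    sender: str
    to: list
    cc: list = field(default_factory=list)
    has_attachment: bool = False       # attachments often carry client files
    marked_confidential: bool = False  # e.g. a "Confidential" tag set by the sender


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def looks_like_typo(domain: str) -> bool:
    """True when the domain is close to, but not exactly, the corporate domain
    (e.g. exanple-firm.ca), the classic auto-complete or spelling slip."""
    ratio = difflib.SequenceMatcher(None, domain, ORG_DOMAIN).ratio()
    return domain != ORG_DOMAIN and ratio >= TYPO_SIMILARITY


def check_message(msg: Message) -> list:
    """Return a list of findings; an empty list means the message may be sent."""
    findings = []
    sensitive = msg.marked_confidential or msg.has_attachment
    recipients = msg.to + msg.cc
    for addr in recipients:
        dom = domain_of(addr)
        if dom in TRUSTED_DOMAINS:
            continue
        if looks_like_typo(dom):
            findings.append(f"possible typo or auto-complete domain: {addr}")
        elif sensitive:
            findings.append(f"external recipient on a sensitive message: {addr}")
    if sensitive and len(recipients) > REPLY_ALL_LIMIT:
        findings.append(f"reply-all fan-out: {len(recipients)} recipients")
    return findings


if __name__ == "__main__":
    # constructed sample: a typo'd corporate domain plus a personal webmail address
    sample = Message(sender="alice@example-firm.ca",
                     to=["bob@exanple-firm.ca", "bob@webmail.example"],
                     has_attachment=True)
    for finding in check_message(sample):
        print("HOLD:", finding)
```

A mail gateway or add-in would hold any message with findings for the sender to confirm rather than block it outright, since legitimate external mail is common.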
RELATED: The Human Factor: Tackling Insider Threats in Cybersecurity
PHYSICAL
Most people tend to associate security issues with computer systems and cyber threats, but privacy breaches can occur just as easily through in-person interactions, electronic devices, or paper records, as they do online. Some are obvious, like if a burglar breaks in and steals some of your files, but most physical breaches are the result of human error, working on auto-pilot, or mundane, day-to-day actions that go unnoticed. In some cases, physical breaches can even lead to data breaches if documents or devices containing sensitive information are compromised. Examples include:
1) Lost or Stolen Devices
Losing your device is more than an inconvenience; it’s a potential privacy breach waiting to happen. If a portable device containing any confidential client data, be it a computer, laptop, smartphone, tablet, USB stick, external hard drive, or a POS system, is lost or stolen, you could be at risk. Even without theft, hackers, fraudsters, and other threat actors can still tamper with devices if they’re left unattended in public.
This can get tricky with the rise of “Bring-Your-Own-Device” (BYOD) policies, since many individuals regularly use their personal gadgets for business functions. Unfortunately, employers have limited control over unmonitored, personally-owned devices, with weak passwords, infrequent security updates, and lax software management providing potential entry points for attackers. But here’s the kicker: if client data is leaked, your company, rather than the employee, bears the liability, even if the breach occurred on an employee-owned device.
RELATED: What happens if your laptop is stolen?
2) Unattended Files
Misplacing sensitive documents, or stepping away without securing them, poses a serious risk of unauthorized access by anyone passing by or entering the workspace. If confidential data (i.e. personal or financial information, client contracts, employee records, receipts, blank cheques) is involved, lost or exposed physical files and records constitute a breach, for example:
- Leaving documents unattended (i.e. on a desk, in a meeting room, in a public place, in a car, or even at home);
- Leaving documents in an unlocked cabinet;
- Leaving printouts in a shared printer tray;
- Leaving your devices unlocked or unattended (i.e. leaving your computer unattended with sensitive files open);
- Taking pictures of sensitive documents and forgetting to delete them; and
- Mail containing sensitive information being intercepted (i.e. if someone gains access to client data via mail).
3) Improper Disposal of Records
You might be tempted to toss some old files into the recycling bin during a routine cleanup, or pass company gadgets on to a new hire without fully wiping them. But improper disposal of records is a direct violation of privacy standards. When data isn’t discarded or destroyed securely, it becomes susceptible to compromise, heightening the chances of identity theft, fraud, or other malicious activity.
According to PIPEDA, all organizations must:
- “Dispose of personal information that does not have a specific purpose or no longer fulfills its intended purpose”
- “Dispose of information in a way that prevents a privacy breach, such as by securely shredding paper files or effectively deleting electronic records.”
- “If information is to be retained purely for statistical purposes, employ effective techniques that would render it anonymous.”
- “Ensure all personal information is fully deleted before disposing of electronic devices such as computers, photocopiers and cellphones.”
To learn more about the best practices for data retention and disposal, click here.
4) Physical Surveillance
Under PIPEDA, monitoring individuals’ activities, behaviours, or movements in physical spaces without their explicit consent is considered a violation of privacy rights. That includes setting up a hidden camera, recording conversations or meetings, or even eavesdropping. Another common breach tactic, tailgating, involves an unauthorized individual slipping into a restricted area behind someone with proper ID. Once inside, they can exploit unattended badges or computers to disrupt the system.
In addition to consent, PIPEDA states that any personal information stored should be: proportionate to the purpose for which it is obtained, collected only when necessary, and securely handled and retained. If these conditions are not met, physical surveillance could very well be considered a breach, especially if personal information falls into the wrong hands; the potential for misuse by unauthorized third-parties is high. PIPEDA offers more guidance on overt, covert, and street-level video surveillance here.
5) Insider Access
We all know security mistakes can happen, but internal threats aren’t only about human error. They also include intentional breaches from people inside your organization who abuse their access privileges to compromise data, snoop, or even share intel with other parties.
And while not every snooping employee is carrying out an inside job or acting with malicious intent, remember, PIPEDA’s definition of a breach isn’t limited to cybercriminals. At the end of the day, it doesn’t matter who comes into contact with the data—a hacker, an overly curious employee, a third-party, or you yourself—anyone who views confidential personal data without permission counts as a breach of security safeguards.
So what can you do?
While some of the examples above seem innocent enough, the fact of the matter is: as long as someone manages to get a hold of confidential information, you could be liable for a breach. That’s why it’s key to understand exactly what counts so you can set up robust controls, protect data, and respond to incidents quickly and effectively. After all, knowledge is power and prevention is the first line of defence.
There’s no foolproof method to privacy and confidentiality, but businesses must heed PIPEDA’s mandates and pay special attention to proper collection, storage, and disposal procedures; both digital and physical measures are critical here. With more business being conducted virtually than ever before, all organizations and working professionals must reevaluate their security posture and take a more disciplined approach to get ahead of cyber threats. At the same time, businesses, particularly those that operate primarily online, cannot forget the importance of physical defences and constant vigilance to adequately safeguard data. Here are some tips to keep in mind:
1) Implement administrative controls.
- Set a strong example from the top down with clear privacy and security policies that outline how personal information is collected, stored, handled, shared, and disposed of, and ensure compliance with any applicable regulations in addition to PIPEDA.
- Be transparent with staff and offer regular security awareness training on data protection, security risks, and best practices. Be sure to highlight the impact of seemingly harmless behaviours, like using a personal email to send private information, improperly accessing data in the cloud, ignoring software updates, and saving confidential data off the VPN.
- Provide IT teams with the support and resources they need to address cyber risks.
- Address data security and confidentiality in all agreements with independent contractors, clients, and suppliers.
- Develop or amend incident response and business continuity plans in case of a breach. Plans should include measures for identifying, containing, mitigating, and recovering from security incidents.
2) Implement physical controls.
Some of these tips might go without saying, but take the following precautions to strengthen your security:
- Lock doors, use lockable filing cabinets, and/or use key cards to limit access to areas where records are stored.
- Train staff to ward off physical security risks and data compromise (i.e. social engineering tactics, discussing confidential client information in public, leaving files unattended).
- Install security equipment, like security cameras and locks.
- Wipe and/or destroy devices securely once they are no longer in use, including old hard drives and computers in the storage closet.
- Invest in additional measures as needed, like security, back-up tech support, shredders, and more.
3) Implement technological controls.
Fortify your defences to ensure you’re in the best possible position to prevent compromise. Consider the following solutions, if you haven’t already:
- Incorporate multi-factor authentication (MFA) across your enterprise wherever critical or sensitive data is stored or transmitted, including corporate email accounts, VPNs, financial accounts, and on all MSP accounts used to access your systems.
- Install firewalls, anti-virus software, VPNs, and more on devices as needed to protect your security perimeter.
- Apply the principle of least privilege and limit access controls across your network to the minimum necessary for employees to perform their duties.
- Patch all systems, software, and third-party apps with the latest updates as soon as they are available.
- Ensure that sensitive data is encrypted during transmission and storage.
- Set up an offline backup system that isn’t connected to the internet or any of your local networks to prevent hackers from reaching network backups and increase the chances of data recovery.
- Routinely re-assess your security measures and scan for vulnerabilities in your network and all provider networks. Address weaknesses where needed.
RELATED: Prepare Now or Pay Later: How Can Businesses Mitigate the Risk of Ransomware?
4) Obtain Data Security & Privacy Breach Insurance.
For maximum protection, consider Data Security & Privacy Breach Insurance. Your general liability policies won’t cover a breach, but a dedicated cyber policy can help offset some of the potential financial loss following a breach, cyberattack, or network security issue, like if your company’s information is stolen by a hacker, or accidentally released by an employee. Coverage highlights include:
- Legal fees, damages, and defence costs;
- A specialized data forensics team to investigate the cause of the breach;
- A legal breach coach to advise you on response and regulatory compliance;
- Client notification and credit monitoring for affected parties; and
- PR consulting services to manage reputational harm.
To be clear, Cyber Insurance isn’t a replacement for cybersecurity. You should still invest in preventative measures to reduce the risk of a breach. But in case that’s not enough, insurance will provide you with the resources and support you need to get your business back online and regain your clients’ trust.
RELATED: All About Cyber Insurance: What is it, What’s Covered, and Why Do You Need it?
5) Work with a broker.
For more guidance on cyber risk management, a licensed broker like PROLINK can help you plan, protect, and ensure a safer environment for businesses and individuals alike. With over 40 years of experience and a specialized knowledge of cyber markets, we’re ahead of industry trends. Our dedicated team of risk advisors will:
- Identify exposures based on your business operations and unique needs;
- Share what steps others in your industry are taking and advise you accordingly;
- Outline a proactive approach to risk management to control your costs long-term;
- Conduct a robust assessment of your existing insurance policies to detect any coverage gaps;
- Secure a specialized solution that aligns with your strategic objectives.
To learn about your exposures and how you can protect yourself, visit our Cyber Security & Privacy Breach Toolkit and connect with PROLINK today for more guidance!
PROLINK’s blog posts are general in nature. They do not take into account your personal objectives or financial situation and are not a substitute for professional advice. The specific terms of your policy will always apply. We bear no responsibility for the accuracy, legality, or timeliness of any external content.