Connect with us


Lessons learned from Alberta’s Office of the Information and Privacy Commissioner (OIPC) 11-Year Report – McMillan LLP



Lessons learned from Alberta’s Office of the Information and Privacy Commissioner (OIPC) 11-Year Report

September 20, 2022
Privacy Bulletin

5 minute read

On May 1, 2010, Alberta became one of the first North American jurisdictions to require organizations to notify individuals affected by privacy breaches and to report those incidents to Alberta’s OIPC.  This was legislated under section 34.1 of Alberta’s Personal Information Protection Act[1] (“PIPA”), which requires organizations to notify the OIPC of any privacy breach “involving the loss of or unauthorized access to or disclosure of” personal information where there exists “a real risk of significant harm” (“RROSH”) to an individual. After receiving a breach report, section 37.1 of PIPA grants the OIPC the authority to require an organization to notify individuals for whom there is a RROSH as a result of the breach. This requirement to notify is set out in section 19.1 of the associated Personal Information Protection Act Regulation[2] (the “PIPA Regulation”).

The OIPC has reflected back on this 11 year history by issuing the PIPA Breach Report 2022[3] (the “Report”), which summarizes the nearly 2,000 privacy breach reports reported to the OIPC between April 1, 2010 and March 31, 2021.

The OIPC Report

As outlined in the Report, OIPC received 1,977 breach reports during the 11 year period, and of these breach reports, the following determinations were made:

These breaches have led to organizations sending millions of notifications to affected individuals in the past 11 years, including 1,951,180 notifications required under PIPA between April 1, 2020 and March 31, 2021 alone.

In determining the risk a breach poses to an individual, the OIPC considers the intent or cause of the breach, the type of personal information involved, whether the data was encrypted, and the length of time the data was exposed.

The OIPC Report notes that almost all of the reported RROSH breaches involved some basic contact information of the affected individuals, such as telephone numbers or mailing addresses. However, most of the breaches involved identity, financial, and employment information, leading to the threat of identity theft, fraud, or financial loss. The Report also indicates a decrease in compromised medical information and an increase in compromised transaction information, such as purchase history, which can lead to increased vulnerability to identity theft and fraud.

The OIPC Report indicates that the industries most commonly affected by RROSH breaches are the finance, retail trade, and insurance industries, while the most commonly affected individuals are an organization’s customers or clients, followed by its employees. For more information on employee breaches, see our bulletin Stop Snooping: Alberta Privacy Commissioner Finds Employee Snooping Results in Real Risk of Harm.


The most common cause of the reported RROSH breaches were compromised electronic information systems through the installation of malware or ransomware, or through the exploitation of system vulnerabilities. The theft of physical documents, devices, or storage mediums was the second leading cause, and transmission errors through misdirected mail, emails, or faxes was the third most common.

While social engineering and phishing was the fourth leading cause of the RROSH breaches through the past decade, this vulnerability has recently become the second most common cause. As these attacks continue to become more prevalent, companies need to be cautious about divulging sensitive information to malicious actors posing as someone else, and also ensure that their own employees are not collecting such information from customers and co-workers (unless such information is required as part of their job function or for business operations). For this reason, clear privacy policies and practices are essential.

The remaining causes of the reported breaches consist of misconfigured networks, unencrypted storage mediums, the accidental publication of personal information, and rogue employees.

Detection and Reporting

The Report indicates that organizations are taking an increasing number of days to detect and report RROSH breaches. The average overall timeline has been 90 days to detect a breach and 43 days to report it to the OIPC. The increasing timeline may be due to the insidious nature of compromised electronic information systems, the rising popularity of retaining specialized third parties to assist with breach responses, and the increasing number of other jurisdictions requiring a breach report within a specified timeframe. By comparison, PIPA does not stipulate any strict reporting timeframe.

Section 19 of the PIPA Regulation states the report to the OIPC must be in writing and include the following information:

  • A description of the circumstances of the breach;
  • The date on which or time-period during which the breach occurred;
  • A description of the personal information involved in the breach;
  • An assessment of the risk of harm to individuals because of the breach;
  • An estimate of the number of individuals to whom there is a RROSH because of the breach;
  • A description of any steps the organization has taken to reduce the risk of harm to individuals;
  • A description of any steps the organization has taken to notify individuals of the breach; and
  • The name and contact information for a person who can answer, on behalf of the organization, the OIPC’s questions about the breach.

While PIPA does not provide any criteria in defining a RROSH, the OIPC has provided several helpful resources for organizations, including key steps to take in responding to a breach and information on how to report a privacy breach.


Overall, according to the OIPC, it took on average 43 days for organizations to notify affected individuals of a RROSH breach. In almost all of the RROSH breaches, organizations notified affected individuals directly through in-person meetings, telephone, mail, or email. The OIPC authorized an indirect notification in 4% of these breaches, most commonly delivered using website postings, social media, or traditional media when the organization did not have current contact information for some of the affected individuals.

Section 37.1(7) of PIPA states than an organization is not restricted from notifying individuals on its own initiative. Further, section 19.1 of the PIPA Regulation states that notice must be given directly to the individual and include:

  • A description of the circumstances of the breach;
  • The date on which or time-period during which the breach occurred;
  • A description of the personal information involved in the breach;
  • A description of any steps the organization has taken to reduce the risk of harm; and
  • The name and contact information for a person who can answer, on behalf of the organization, questions about the breach.

Looking Forward

As the number of data breaches that pose a RROSH rise each year, organizations need to be aware of the requirement to report certain breaches to the OIPC and promptly notify affected individuals. Timely notifications are imperative in mitigating the potentially devastating impacts of compromised personal information.

It is important for companies to be prepared for a breach prior to one occurring so that they are ready to take immediate action upon learning of a breach. The OIPC echoes this warning by noting that the proactive implementation of safeguards is the most effective way to protect individuals from the potential harm of privacy breaches. The Report recommends that organizations:

  • Implement regular and/or immediate security patching on networks, servers, and devices;
  • Sign up for and review updates from cybersecurity agencies and other professionals to keep updated on new threats and possible solutions to protect the organization’s information technology infrastructure;
  • Train employees regularly on detecting phishing or social engineering attempts; and
  • Train employees regularly on protecting personal information contained in laptops or paper documents.

If your organization has any questions about the Report or how you can evaluate, develop, and implement appropriate privacy and data protection policies and procedures to comply with applicable privacy laws and PIPA’s current requirements, a member of our Privacy & Data Protection Group would be pleased to assist.

by Julia Loney, Gordana Ivanovic, Kristen Shaw, & Stephen Johnson (Summer Law Student)

[1] Personal Information Protection Act, c. P-6.5 2003.
[2] Personal Information Protection Act Regulation, AB Reg 366/2003.
[3] Available online: PIPA-Breach-Report-2022.pdf (

A Cautionary Note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2022

Adblock test (Why?)

Source link

Continue Reading


Google Kills Stadia, Its Cloud Gaming Service, Refunding Everyone – Kotaku



Google talked a massive game back when Stadia was first unveiled at the Game Developer Conference 2019, but it was clear by the time the service launched later that year that it wasn’t ready for primetime. The tech was impressive but promised features were missing and the launch library wasn’t very impressive. While Stadia did continue to add new games, most had to be purchased a la carte, making it a steep investment for the casual audience it was aimed at. Then Xbox Game Pass came along and married a huge library with a single monthly fee. Stadia, meanwhile, reportedly struggled to get big games on its platform, spending tens of millions to attract titles like Red Dead Redemption 2.

Of course, none of that is to say Stadia was doomed from the start. Google’s track record, and Stadia’s own past, call into question whether it was ever properly committed to the ambitious endeavor. Stadia’s first-party studios shutdown last year, scuttling projects that were still in pre-production and leaving some developers who had moved across the country for the company feeling betrayed. At the time, Kotaku reported that Harrison had told Stadia staff that Microsoft buying Bethesda had been one of the reasons for the closures, convincing Google that the price of competing in first-party development was more than it wanted to pay.

“We remain deeply committed to gaming, and we will continue to invest in new tools, technologies and platforms that power the success of developers, industry partners, cloud customers and creators,” Harrison wrote in today’s blog post.


Adblock test (Why?)

Source link

Continue Reading


This new underwater camera is powered by sound –



As It Happens6:24Scientists develop a wireless underwater camera that’s powered by sound

What if you could photograph the deepest depths of the sea using a camera powered only by the ocean’s soundscape?

That’s the end goal of a new prototype device developed by scientists at the Massachusetts Institute of Technology (MIT) — a wireless, battery-free underwater camera that runs on sound waves. 

“The way it works is that, underwater, actually, you have a lot of sound,” Fadel Adib, an associate professor of electrical engineering and computer science at MIT, told As It Happens host Nil Köksal.

“The sound comes from the waves, sounds of animals and so on and so forth. You also have ships. And all of these cause underwater sound.”

Adib and his colleagues authored a paper outlining their prototype, published this week in the journal Nature Communications. They say it can take colour photos in dark environments, and is 100,000 times more energy-efficient than other undersea cameras.

So much ocean left to explore

The ocean makes up about 70 per cent of the planet’s surface, but marine experts estimate that somewhere between 80 to 95 per cent remains unexplored.

Adib blames that on the limitations of existing underwater cameras. In order to keep them running for a significant period of time, you have to keep them powered by tethering them to a research vessel, or sending a ship to recharge their batteries.

“And so what we ended up doing to overcome this is that we built the first underwater camera that needs no battery, and it can self-power and it can also get data and transmit it back to us,” he said.

WATCH | How MIT’s wireless underwater camera works:

[embedded content]

Guadalupe Bribiesca-Contreras, a postdoctoral researcher at the U.K.’s Natural History Museum who has used underwater photography to discover new deepsea life, called the findings “so exciting.”

“Time-lapse cameras have been used to understand more about life in the deepsea, but a challenge has been how long the batteries last,” she told As It Happens in an email.

“Having a battery-free camera could allow us to better understand the deepsea ecosystems, as well as monitor these.”

How it works

The prototype underwater camera is made up of two domes and a cylinder. One dome houses the image sensor, and the other houses the flash.

The cylinder is covered in a specialized material that allows the camera to harness sound waves and convert them into electrical energy, which it uses to power up. Once powered, the camera emits a low-powered flash that allows it to capture images. It then transmits those images to a remote receiver. 

The prototype underwater camera is made up of two domes and a cylinder. One dome is the image sensor, and the other is the flash. The cylinder is covered in a material that allows it to harvest sound waves and convert it into electrical energy. (Adam Glanzman/MIT)

So far, the researchers have tested the device only in freshwater environments, and they supplied the sound needed to power the device from nearby on the shore. The next phase of research, Adib said, will involve testing it in the ocean off the coast of Cape Cod, Mass., and harnessing sounds from the sea itself. 

“In the future, you can imagine using the existing sounds [such as] dolphins to be able to power them up. But that’s going to require some level of research before we do that,” Adib said.

They’re also working on expanding its communication range transmission time, Adib said. Currently, it’s limited to about 100 metres and takes about two hours to transmit a colour photo.

Once they’ve perfected the technology, Adib says it could have major implications for ocean exploration and climate change research.

“We want to be able to use them to monitor, for example, underwater currents, because these are highly related to what impacts the climate,” he said. “Or even underwater corals, seeing how they are being impacted by climate change and how potentially intervention to mitigate climate change is helping them recover.”

A blurry but colorful picture of a starfish and four rocks.
A starfish photographed by the new underwater camera prototype. (Submitted by Fadel Adib)

It could also be useful in aquaculture, also known as seafood farming.

“We can deploy our cameras in these offshore aquaculture farms and use them for monitoring the fish so that we can monitor their health, react and optimize their feeding and so on and so forth,” Adib said. “It’s a fast growing food sector, and it is very important for the world food security over the next few decades.”

And maybe one day, he says, it could even help us understand another vastly underexplored frontier. 

“We’ve also been in discussions with NASA for future space missions where they want to use them to search for life in extraterrestrial oceans, because that’s where they need to search for life,” Adib said. “That’s yet another area where battery power is extremely difficult.”

The research was funded, in part, by the U.S. Office of Naval Research, the Sloan Research Fellowship, the National Science Foundation, the MIT Media Lab and the Doherty Chair in Ocean Utilization.

Adblock test (Why?)

Source link

Continue Reading


Disney & Apple Join NFT Race



One of the biggest buzzwords in the last five years has been NFTs. Non-fungible tokens are a revolutionary new take on collectibles, blockchain technology, and entertainment. It combines all three in an accessible way—at least for those who understand blockchain and have a digital wallet with some crypto holdings.

Clearly, NFTs are a hit… or, at least, in theory. The trend piggybacks on the success of collectible groups, which range from fine arts to ancient coins to Magic: The Gathering cards. Though largely niche and granular, these collectibles groups tend to be lucrative and highly active. But NFTs are a lot more than just new digital assets to be collected. And just because the concept has seen huge publicity in the last five years, that doesn’t mean it will stand the test of time.

One industry that has stood the test of time is casino gaming. The casino gaming market is worth around $57 billion, according to Straights Research. While poker sees the most coverage from broadcasting groups and gaming publications, the most popular sector is actually online slots. A player can find a platform that offers online slots from anywhere in the world—straight from a mobile device. Developers like NetEnt and Play’s Go release slots like Gonzo’s Quest and Book of Dead that are played by millions worldwide each week. Interest in slots has continued to grow despite minimal coverage from media on both slots and casino gaming in general.

Clearly, an industry’s success isn’t necessarily tied to its publicity… but NFTs will need plenty more support in terms of investment and attention if they are to survive—especially considering the recent crypto crash.


Apple & Disney Opting into NFTs

NFTs landed two huge coups after recent announcements from Apple and Disney. Apple recently updated its Apple App Store policy to allow NFTs to be bought, sold, and traded on apps sold in the store. (The Google Play Store has offered this for a while.)

However, the offering comes with a major catch. The company will take a 30% cut from any developers who earn more than $1 million on the app store and 15% from anyone making less than that.

Meanwhile, Apple still isn’t opening its doors to crypto transactions. And neither is Disney.

But recently, Disney made headlines for a posting for an open job. The company is looking to find a lawyer for ‘emerging technologies’. The role includes a huge emphasis on NFT products, which has led many to speculate about Disney’s plans with NFTs, blockchain, and crypto.

Last year, the company also made a huge leap when a patent was filed for a ‘virtual-world simulator’. Most analysts assume that this refers to a potential VR Disney Land and Disney World. Meanwhile, the company’s Disney Accelerator Program featured multiple companies focusing on NFTs and Web3 projects.

NBA’s Top Shot Market Sinking Quickly

When some people think of collectibles, their minds shoot to the days of sports trading cards from the 1980s and 90s. As a highly successful collectible project, the NBA’s commissioner, Adam Silver, launched his own modern remake with the Top Shot Marketplace. In it, collectors can purchase some of the league’s most memorable ‘Moments’ (lingo for an NFT).

The project quickly took off. In February 2021, the site reached a fever pitch when some Moments sold for more than $100,000—or up to $208,000, in the case of one LeBron Dunk Moment. Today, the average Moment sells for around $180, marking one of the biggest flops in NFT history after one of its biggest booms.


PL Deal Dead on Arrival

With the NBA enjoying much success throughout 2021 with Top Shot, the UK’s Premier League looked to accomplish something similar. The Premier League even shortlisted Dapper Labs, which launched Top Shot on its blockchain platform, as one of its potential partners before siding with ConsenSys in March of this year. However, the project has since been slashed.

Though the project was suspected to rake in over $400 million a year for the league and its teams, blockchain platforms can no longer promise the same return on investment. This is largely due to the crypto crash, which cost holders billions worldwide. However, the Premier League might not totally discard the project and instead could switch gears to offer NFTs based on fantasy football.

Continue Reading