Lessons learned from Alberta’s Office of the Information and Privacy Commissioner (OIPC) 11-Year Report
September 20, 2022 Privacy Bulletin 5minute read
On May 1, 2010, Alberta became one of the first North American jurisdictions to require organizations to notify individuals affected by privacy breaches and to report those incidents to Alberta’s OIPC. This was legislated under section 34.1 of Alberta’s Personal Information Protection Act[1] (“PIPA”), which requires organizations to notify the OIPC of any privacy breach “involving the loss of or unauthorized access to or disclosure of” personal information where there exists “a real risk of significant harm” (“RROSH”) to an individual. After receiving a breach report, section 37.1 of PIPA grants the OIPC the authority to require an organization to notify individuals for whom there is a RROSH as a result of the breach. This requirement to notify is set out in section 19.1 of the associated Personal Information Protection Act Regulation[2] (the “PIPA Regulation”).
The OIPC has reflected back on this 11 year history by issuing the PIPA Breach Report 2022[3] (the “Report”), which summarizes the nearly 2,000 privacy breach reports reported to the OIPC between April 1, 2010 and March 31, 2021.
The OIPC Report
As outlined in the Report, OIPC received 1,977 breach reports during the 11 year period, and of these breach reports, the following determinations were made:
These breaches have led to organizations sending millions of notifications to affected individuals in the past 11 years, including 1,951,180 notifications required under PIPA between April 1, 2020 and March 31, 2021 alone.
In determining the risk a breach poses to an individual, the OIPC considers the intent or cause of the breach, the type of personal information involved, whether the data was encrypted, and the length of time the data was exposed.
The OIPC Report notes that almost all of the reported RROSH breaches involved some basic contact information of the affected individuals, such as telephone numbers or mailing addresses. However, most of the breaches involved identity, financial, and employment information, leading to the threat of identity theft, fraud, or financial loss. The Report also indicates a decrease in compromised medical information and an increase in compromised transaction information, such as purchase history, which can lead to increased vulnerability to identity theft and fraud.
The OIPC Report indicates that the industries most commonly affected by RROSH breaches are the finance, retail trade, and insurance industries, while the most commonly affected individuals are an organization’s customers or clients, followed by its employees. For more information on employee breaches, see our bulletin “Stop Snooping: Alberta Privacy Commissioner Finds Employee Snooping Results in Real Risk of Harm”.
Causes
The most common cause of the reported RROSH breaches were compromised electronic information systems through the installation of malware or ransomware, or through the exploitation of system vulnerabilities. The theft of physical documents, devices, or storage mediums was the second leading cause, and transmission errors through misdirected mail, emails, or faxes was the third most common.
While social engineering and phishing was the fourth leading cause of the RROSH breaches through the past decade, this vulnerability has recently become the second most common cause. As these attacks continue to become more prevalent, companies need to be cautious about divulging sensitive information to malicious actors posing as someone else, and also ensure that their own employees are not collecting such information from customers and co-workers (unless such information is required as part of their job function or for business operations). For this reason, clear privacy policies and practices are essential.
The remaining causes of the reported breaches consist of misconfigured networks, unencrypted storage mediums, the accidental publication of personal information, and rogue employees.
Detection and Reporting
The Report indicates that organizations are taking an increasing number of days to detect and report RROSH breaches. The average overall timeline has been 90 days to detect a breach and 43 days to report it to the OIPC. The increasing timeline may be due to the insidious nature of compromised electronic information systems, the rising popularity of retaining specialized third parties to assist with breach responses, and the increasing number of other jurisdictions requiring a breach report within a specified timeframe. By comparison, PIPA does not stipulate any strict reporting timeframe.
Section 19 of the PIPA Regulation states the report to the OIPC must be in writing and include the following information:
A description of the circumstances of the breach;
The date on which or time-period during which the breach occurred;
A description of the personal information involved in the breach;
An assessment of the risk of harm to individuals because of the breach;
An estimate of the number of individuals to whom there is a RROSH because of the breach;
A description of any steps the organization has taken to reduce the risk of harm to individuals;
A description of any steps the organization has taken to notify individuals of the breach; and
The name and contact information for a person who can answer, on behalf of the organization, the OIPC’s questions about the breach.
Overall, according to the OIPC, it took on average 43 days for organizations to notify affected individuals of a RROSH breach. In almost all of the RROSH breaches, organizations notified affected individuals directly through in-person meetings, telephone, mail, or email. The OIPC authorized an indirect notification in 4% of these breaches, most commonly delivered using website postings, social media, or traditional media when the organization did not have current contact information for some of the affected individuals.
Section 37.1(7) of PIPA states than an organization is not restricted from notifying individuals on its own initiative. Further, section 19.1 of the PIPA Regulation states that notice must be given directly to the individual and include:
A description of the circumstances of the breach;
The date on which or time-period during which the breach occurred;
A description of the personal information involved in the breach;
A description of any steps the organization has taken to reduce the risk of harm; and
The name and contact information for a person who can answer, on behalf of the organization, questions about the breach.
Looking Forward
As the number of data breaches that pose a RROSH rise each year, organizations need to be aware of the requirement to report certain breaches to the OIPC and promptly notify affected individuals. Timely notifications are imperative in mitigating the potentially devastating impacts of compromised personal information.
It is important for companies to be prepared for a breach prior to one occurring so that they are ready to take immediate action upon learning of a breach. The OIPC echoes this warning by noting that the proactive implementation of safeguards is the most effective way to protect individuals from the potential harm of privacy breaches. The Report recommends that organizations:
Implement regular and/or immediate security patching on networks, servers, and devices;
Sign up for and review updates from cybersecurity agencies and other professionals to keep updated on new threats and possible solutions to protect the organization’s information technology infrastructure;
Train employees regularly on detecting phishing or social engineering attempts; and
Train employees regularly on protecting personal information contained in laptops or paper documents.
If your organization has any questions about the Report or how you can evaluate, develop, and implement appropriate privacy and data protection policies and procedures to comply with applicable privacy laws and PIPA’s current requirements, a member of our Privacy & Data Protection Group would be pleased to assist.
The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.
The federal government is ordering the dissolution of TikTok’s Canadian business after a national security review of the Chinese company behind the social media platform, but stopped short of ordering people to stay off the app.
Industry Minister François-Philippe Champagne announced the government’s “wind up” demand Wednesday, saying it is meant to address “risks” related to ByteDance Ltd.’s establishment of TikTok Technology Canada Inc.
“The decision was based on the information and evidence collected over the course of the review and on the advice of Canada’s security and intelligence community and other government partners,” he said in a statement.
The announcement added that the government is not blocking Canadians’ access to the TikTok application or their ability to create content.
However, it urged people to “adopt good cybersecurity practices and assess the possible risks of using social media platforms and applications, including how their information is likely to be protected, managed, used and shared by foreign actors, as well as to be aware of which country’s laws apply.”
Champagne’s office did not immediately respond to a request for comment seeking details about what evidence led to the government’s dissolution demand, how long ByteDance has to comply and why the app is not being banned.
A TikTok spokesperson said in a statement that the shutdown of its Canadian offices will mean the loss of hundreds of well-paying local jobs.
“We will challenge this order in court,” the spokesperson said.
“The TikTok platform will remain available for creators to find an audience, explore new interests and for businesses to thrive.”
The federal Liberals ordered a national security review of TikTok in September 2023, but it was not public knowledge until The Canadian Press reported in March that it was investigating the company.
At the time, it said the review was based on the expansion of a business, which it said constituted the establishment of a new Canadian entity. It declined to provide any further details about what expansion it was reviewing.
A government database showed a notification of new business from TikTok in June 2023. It said Network Sense Ventures Ltd. in Toronto and Vancouver would engage in “marketing, advertising, and content/creator development activities in relation to the use of the TikTok app in Canada.”
Even before the review, ByteDance and TikTok were lightning rod for privacy and safety concerns because Chinese national security laws compel organizations in the country to assist with intelligence gathering.
Such concerns led the U.S. House of Representatives to pass a bill in March designed to ban TikTok unless its China-based owner sells its stake in the business.
Champagne’s office has maintained Canada’s review was not related to the U.S. bill, which has yet to pass.
Canada’s review was carried out through the Investment Canada Act, which allows the government to investigate any foreign investment with potential to might harm national security.
While cabinet can make investors sell parts of the business or shares, Champagne has said the act doesn’t allow him to disclose details of the review.
Wednesday’s dissolution order was made in accordance with the act.
The federal government banned TikTok from its mobile devices in February 2023 following the launch of an investigation into the company by federal and provincial privacy commissioners.
— With files from Anja Karadeglija in Ottawa
This report by The Canadian Press was first published Nov. 6, 2024.
LONDON (AP) — Most people have accumulated a pile of data — selfies, emails, videos and more — on their social media and digital accounts over their lifetimes. What happens to it when we die?
It’s wise to draft a will spelling out who inherits your physical assets after you’re gone, but don’t forget to take care of your digital estate too. Friends and family might treasure files and posts you’ve left behind, but they could get lost in digital purgatory after you pass away unless you take some simple steps.
Here’s how you can prepare your digital life for your survivors:
Apple
The iPhone maker lets you nominate a “ legacy contact ” who can access your Apple account’s data after you die. The company says it’s a secure way to give trusted people access to photos, files and messages. To set it up you’ll need an Apple device with a fairly recent operating system — iPhones and iPads need iOS or iPadOS 15.2 and MacBooks needs macOS Monterey 12.1.
For iPhones, go to settings, tap Sign-in & Security and then Legacy Contact. You can name one or more people, and they don’t need an Apple ID or device.
You’ll have to share an access key with your contact. It can be a digital version sent electronically, or you can print a copy or save it as a screenshot or PDF.
Take note that there are some types of files you won’t be able to pass on — including digital rights-protected music, movies and passwords stored in Apple’s password manager. Legacy contacts can only access a deceased user’s account for three years before Apple deletes the account.
Google
Google takes a different approach with its Inactive Account Manager, which allows you to share your data with someone if it notices that you’ve stopped using your account.
When setting it up, you need to decide how long Google should wait — from three to 18 months — before considering your account inactive. Once that time is up, Google can notify up to 10 people.
You can write a message informing them you’ve stopped using the account, and, optionally, include a link to download your data. You can choose what types of data they can access — including emails, photos, calendar entries and YouTube videos.
There’s also an option to automatically delete your account after three months of inactivity, so your contacts will have to download any data before that deadline.
Facebook and Instagram
Some social media platforms can preserve accounts for people who have died so that friends and family can honor their memories.
When users of Facebook or Instagram die, parent company Meta says it can memorialize the account if it gets a “valid request” from a friend or family member. Requests can be submitted through an online form.
The social media company strongly recommends Facebook users add a legacy contact to look after their memorial accounts. Legacy contacts can do things like respond to new friend requests and update pinned posts, but they can’t read private messages or remove or alter previous posts. You can only choose one person, who also has to have a Facebook account.
You can also ask Facebook or Instagram to delete a deceased user’s account if you’re a close family member or an executor. You’ll need to send in documents like a death certificate.
TikTok
The video-sharing platform says that if a user has died, people can submit a request to memorialize the account through the settings menu. Go to the Report a Problem section, then Account and profile, then Manage account, where you can report a deceased user.
Once an account has been memorialized, it will be labeled “Remembering.” No one will be able to log into the account, which prevents anyone from editing the profile or using the account to post new content or send messages.
X
It’s not possible to nominate a legacy contact on Elon Musk’s social media site. But family members or an authorized person can submit a request to deactivate a deceased user’s account.
Passwords
Besides the major online services, you’ll probably have dozens if not hundreds of other digital accounts that your survivors might need to access. You could just write all your login credentials down in a notebook and put it somewhere safe. But making a physical copy presents its own vulnerabilities. What if you lose track of it? What if someone finds it?
Instead, consider a password manager that has an emergency access feature. Password managers are digital vaults that you can use to store all your credentials. Some, like Keeper,Bitwarden and NordPass, allow users to nominate one or more trusted contacts who can access their keys in case of an emergency such as a death.
But there are a few catches: Those contacts also need to use the same password manager and you might have to pay for the service.
___
Is there a tech challenge you need help figuring out? Write to us at onetechtip@ap.org with your questions.
LONDON (AP) — Britain’s competition watchdog said Thursday it’s opening a formal investigation into Google’s partnership with artificial intelligence startup Anthropic.
The Competition and Markets Authority said it has “sufficient information” to launch an initial probe after it sought input earlier this year on whether the deal would stifle competition.
The CMA has until Dec. 19 to decide whether to approve the deal or escalate its investigation.
“Google is committed to building the most open and innovative AI ecosystem in the world,” the company said. “Anthropic is free to use multiple cloud providers and does, and we don’t demand exclusive tech rights.”
San Francisco-based Anthropic was founded in 2021 by siblings Dario and Daniela Amodei, who previously worked at ChatGPT maker OpenAI. The company has focused on increasing the safety and reliability of AI models. Google reportedly agreed last year to make a multibillion-dollar investment in Anthropic, which has a popular chatbot named Claude.
Anthropic said it’s cooperating with the regulator and will provide “the complete picture about Google’s investment and our commercial collaboration.”
“We are an independent company and none of our strategic partnerships or investor relationships diminish the independence of our corporate governance or our freedom to partner with others,” it said in a statement.
The U.K. regulator has been scrutinizing a raft of AI deals as investment money floods into the industry to capitalize on the artificial intelligence boom. Last month it cleared Anthropic’s $4 billion deal with Amazon and it has also signed off on Microsoft’s deals with two other AI startups, Inflection and Mistral.
