One year ago, Canadian businesses became subject to increased data breach notification requirements under PIPEDA (the Personal Information Protection and Electronic Documents Act). Rather than deciding whether to voluntarily disclose or report breaches, they were now required to report all breaches that pose a significant risk of harm to individuals to the Office of the Privacy Commissioner. They are also required to notify the affected individuals.
So what have the breach report numbers looked like over the past 12 months? Here are some key statistics from a recent report by OPC, who received 680 reports — six times the volume submitted in the 12 months prior to the new requirement going into effect.
- The number of Canadians affected by a data breach is well over 28 million.
- The majority of reported breaches – 58% – involved unauthorized access. Employee snooping and social engineering hacks were key factors in these types of breaches.
- One in four incidents involved social engineering attacks such as phishing and impersonation.
- More than one in five incidents involved accidental disclosure.
- Loss of hardware or paper records accounted for 12% of the breach reports.
- Theft of documents, computers or computer components accounted for 8% of the breach reports.
You can read the full blog post here.