Alberta Report on Private Sector Privacy Breaches

According to the Alberta Information and Privacy Commissioner, as of April 30 of this year, 151 privacy breaches have been reported to the Office of the Information and Privacy Commissioner. The majority of reported breaches involve human error, such as misdirected emails and faxes, stolen or lost unencrypted electronic devices, and improper destruction of records and electronic media. Many of these breaches are preventable with proper security systems and encryption.

Since May of 2010, Alberta’s Personal Information Protection Act (PIPA) has required private sector organizations to report privacy breaches that present a real risk of significant harm to the Information and Privacy Commissioner.

The commissioner in turn can require an organization to notify affected individuals of the breach, which allows people to take the necessary steps to protect themselves against risks such as identity theft.

The report noted that organizations are taking breaches seriously and are developing proper policies, procedures and security arrangements to protect personal information. But the number of breaches shows there is still a lot of work to be done.

Specifically, out of the 151 reported breaches:

  • 63 involved a real risk of significant harm to an individual
  • 51 involved no risk of significant harm
  • 24 were cases where PIPA did not apply
  • 13 cases are still under review

The four main causes of the 63 breaches that involved a real risk of significant harm were:

  • 22 breaches caused by human error such as misdirected faxes, emails sent to the wrong individuals, inappropriate disposal of personal information, loss of files and electronic devices, etc.
  • 18 breaches caused by theft of computer devices, including laptops, memory sticks and hard drives
  • 14 breaches caused by electronic system compromises
  • 9 breaches caused by failure to control access to files and networks

The Office of the Privacy Commissioner has prepared several documents to share and explain its findings, and to help private sector organizations in Alberta know what to do to prevent such breaches:

A Snapshot – Two Years of Mandatory Breach Reporting

Cause of Breaches and Breach Prevention Recommendations
