Breach Report - Office of the Information and Privacy Commissioner ...

June 18, 2012
Commissioner issues report on two years of mandatory breach
reporting in Alberta
Amendments to Alberta’s Personal Information Protection Act (PIPA) requiring private sector
organizations to report certain privacy breaches to the Information and Privacy Commissioner took
effect in May of 2010.
Any personal information breach that presents a real risk of significant harm must be reported to
the Commissioner. The Commissioner in turn can require an organization to notify affected
individuals of the breach, which allows people to take the necessary steps to protect themselves
against risks such as identity theft.
As of April 30 of this year, 151 breach reports have been received by the Office of the Information
and Privacy Commissioner. Commissioner Jill Clayton says “Alberta is the only jurisdiction in
Canada where there is a legal requirement to advise the Commissioner of certain breaches. The
reports give us an idea of how and why breaches are occurring, and also tell us how the private
sector is responding.”
Clayton adds that organizations are in a learning curve, and mandatory reporting has become an
important educational tool. “We are finding that organizations are taking breaches seriously and
are developing proper policies, procedures and security arrangements to protect personal
information. But, the numbers show there is still a lot of work to be done in making sure the
personal information of Albertans is protected.”
The majority of reported breaches involve human error such as misdirected email, faxes, stolen or
lost unencrypted electronic devices and improper record and electronic media destruction. Many of
these breaches are preventable with proper security systems and encryption.
The breach report update is available on the OIPC website at www.oipc.ab.ca
Contact:
-30-
Wayne Wood
Communications Director
Office of the Information & Privacy Commissioner
(780) 644-4015

Backgrounder on Mandatory Breach Notification
Mandatory breach notification became the law in Alberta May 1, 2010 as part of
amendments to the Personal Information Protection Act (PIPA).
Alberta is the only jurisdiction in Canada that requires private sector organizations
to report certain breaches to the Commissioner. The Commissioner also has the
power to require organizations to notify affected individuals.
From May 1, 2010 to April 30, 2012, the OIPC received 151 breach reports:
o 63 breaches involved a real risk of significant harm to an individual
o 51 breaches involved no risk for significant harm
o In 24 cases PIPA did not apply
o 13 cases were still under review
The four main causes of the 63 breaches which involved a real risk of significant
harm included:
o 22 breaches caused by human error such as misdirected faxes, emails sent
to the wrong individuals, inappropriate disposal of personal information, loss
of files and electronic devices, etc.
o 18 breaches caused by theft of computer devices, including laptops, memory
sticks and hard drives
o 14 breaches caused by electronic system compromises
o 9 breaches caused by failure to control access to files and networks