Alberta’s Privacy Commissioner issued the following press release today:
The Office of the Information and Privacy Commissioner has received more than 90 breach notification reports in the past 16 months. Breach notification became mandatory under the Personal Information Protection Act (PIPA) in May of 2010.
Any personal information breach that presents a real risk of significant harm must be reported to the Commissioner. The Commissioner in turn can order an organization to notify affected individuals of the breach, which allows people to take the necessary steps to protect themselves against risks such as identity theft.
Information and Privacy Commissioner Frank Work says the number of breach notifications is startling. “This is a significant number over a short period of time, and my staff has been stretched to the limit dealing with these numbers. We need to spend a lot of time on these files, and at times it can be overwhelming.”
Work says, though, that it’s encouraging to know that organizations are responding to the mandatory notification provision. “In many cases, organizations have already taken steps to notify affected individuals. Reporting to my office has become an important educational step for organizations to realize the importance of protecting the personal information they are responsible for.”
For the most part, the majority of reported breaches involve human error, including email, fax or regular mail errors, stolen or lost unencrypted electronic devices, and improper record and electronic media destruction. In other cases, IT glitches and computer hacking are to blame. A lot of these losses are preventable with proper security systems and encryption.
The Commissioner’s office publishes Notification Decisions where there is a real risk of significant harm as an educational tool for other organizations.