The Office of the Privacy Commissioner of Canada (“OPC”) released its Report of Findings (“Report”) following an investigation into Company Home (“Company”), an alarm monitoring company that works with authorized dealers that sell the systems to customers. The Report is dated March 28, 2024 and was published on June 6, 2024.
The OPC investigation had two aspects, the first arising from a complaint from a customer alleging inadequate safeguards, and the second resulting from the OPC’s inquiry into whether the Company had failed to report a breach for which a “real risk of significant harm” (“RROSH”) existed.
Takeaways for businesses:
- Proper training of front line staff (customer service representatives) so they are able to quickly and appropriately identify privacy concerns is an effective (and relatively inexpensive) way to avoid escalation into a privacy complaint (and investigation).
- The OPC appears to have taken a pragmatic approach to the RROSH harm test, and sets out how it arrived at the conclusion that RROSH was not triggered. This is helpful instruction for businesses, which often deal with RROSH edge cases.
Background
The Company had suffered a privacy breach in 2022, discovered by a customer who logged onto the Company’s portal and was able to access the personal information of other customers. When the customer initially reported this to a Company customer service representative, the employee did not escalate the matter.
Seeing that the issue remained unresolved about ten weeks later, the customer followed up with the Company and filed a complaint with the OPC.
The Company ultimately investigated, and concluded that human error during the set-up of the accounts had resulted in the personal information of 3,340 customers being accessible to about 20 customers via the Company’s portal. The personal information involved in the breach included:
- customer names, phone numbers and addresses;
- emergency contact name, phone number and whether they had a key to the house; and
- alarm system model type and a list of monitored devices (e.g., “door sensor”) and location (e.g., “front door”).
Findings
Following its investigation into the matter, the OPC concluded the following:
1. No RROSH found
The breach did not trigger the obligation under the Personal Information Protection and Electronic Documents Act (“PIPEDA”) to report to the OPC and notify affected individuals. In other words, the breach did not pose a “real risk of significant harm”.
As part of the analysis, the OPC reviewed the sensitivity of the personal information involved, and the probability that the personal information has been, is being, or will be misused.
Sensitivity: The OPC recognized that the information could be sensitive in that it could potentially be leveraged by a malicious actor to assist in gaining unauthorized access to a customer’s home.
Likelihood of misuse: The OPC reasoned that since the number of individuals with unauthorized access to the personal information was low (i.e. at most 20), those individuals were known Company customers, and the access was granted unintentionally by the Company itself (as opposed to, say, being obtained by a customer through a malicious hack), the likelihood that one of those customers would use the information to cause harm was low.
Consequently, there was no RROSH posed by the breach, and so, the Company was not required under law to report the breach to the OPC or to notify affected individuals.
2. Failure to have adequate safeguards found
The OPC found the Company failed to implement safeguards to protect the personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification, as required by Principle 4.7.1 of PIPEDA.
The OPC focused on the Company’s failure to appropriately escalate the original complaint, which left the unauthorized access unresolved for an additional 10 weeks. Efforts to resolve the issue during the OPC’s investigation – including resetting account permissions, updating the account registration process, monitoring for account discrepancies and revising training – were recognized by the regulator, but ultimately the OPC found these were implemented too late to prevent a finding of non-compliance.
As such, the lack of a breach management process, which should have included training employees on the proper and timely escalation of suspected breaches, was found to be a failure to comply with PIPEDA.
This Report underscores the critical need for organizations (and their employees) to treat privacy complaints seriously, and to investigate each one promptly and thoroughly. It also highlights the fact that RROSH analysis is not a mechanical exercise. Organizations should take a thoughtful approach to such analysis.
Additionally, while an investigation by the OPC into an organization’s breach management practices is infrequent, it is a good reminder that the regulator will not hesitate to retroactively probe breaches upon receiving complaints, in order to assess compliance with breach reporting obligations.
For more information on privacy training, RROSH analyses, and investigations, please reach out to Sasha Coutu or any member of Dentons’ Privacy and Cybersecurity group.