In just six months, between September and March last year, more than 447,000 people were reportedly victims of a data breach with “risk of serious harm,” according to the Quebec data regulator.
Since the entry into force of the new provisions of the law modernizing the legal provisions on the protection of personal data, more than 218 incidents have been reported to the Commission d’accès à l’information (CAI).
“The same person may have been the victim of several incidents, or the information may not be available or accurate, particularly due to the controls that may extend over a long period of time,” says CAI spokesman Jorge Passalacqua.
“If the incident poses a risk of serious harm to the individuals whose information is affected, the organization must notify the Commission,” he adds.
For the CAI, “a confidentiality incident is any access, use or communication of personal data not permitted by law, loss of personal data or any other breach of its protection”.
“reputation issues»
Are there more incidents than before? Maybe not, says Romain Gauthier, CEO and co-founder of privacy expert firm Didomi.
Most notably, companies are now being forced to disclose them to the Commission d’accès à l’information (CAI) and we’re talking more about that.
“We could put that under the rug so nobody sees. Now this is no longer possible. There are reputational problems,” Romain Gauthier notes.
Photo courtesy of Didomi
Romain Gauthier, CEO of Didomi
“Often we demonize the regulations, we say they are difficult, but the result is still positive. There is progress on data protection,” he adds.
According to him, the second phase of Law 25, which will come into force next September, will allow people to know what companies are doing with their data.
“He will be in control. He can say: “Yes, I accept that you use my cookies [mouchards] on your site or not. I have the right to take action against it.” It’s a very tangible notion of consent,” he summarizes.
“You can put a sword of Damocles on companies that piss you off with the statement ‘I want to access and delete my data,'” he concludes.
- Listen to the economics column with Yves Daoust, Money Manager of the Journal de Montréal and Journal de Québec, on Richard Martineau’s mic QUB radio :
THREE COMPANIES WHO HAVE REPORTED INCIDENTS
National Bank
On December 23, the Quebec bank’s legal department reported a confidentiality incident to the Commission d’accès à l’information (CAI). When asked by Le Journal, the financial institution refused to say how many people were targeted or what types of data were compromised. “This is a situation affecting a very limited number of customers, all of whom were informed a few months ago,” spokesman Alexandre Guay said.
Beneva
On January 30, Quebec insurer Beneva reported an incident to the CAI. According to the company, it was a simple mistake that shouldn’t cause too much damage. “This minor incident, due to human error, affected about ten people and, given the nature of the personal data involved, the risk of identity breach is very low.” The individuals concerned have been informed individually and are satisfied with the actions taken,” he assured Journal its publicist Catherine Tardif.
sun life
Toronto-based Sun Life reported incidents three times, on November 11 and 17, and on January 6. The insurer did not want to specify how many people are affected and what data is involved. “These statements relate to isolated situations that affected a limited number of people. “In accordance with standard practice, we have informed the individuals concerned and reported these incidents to the relevant regulators,” Ariane Richard told the journal Public Relations.
Hydro-Québec has been affected by two incidents in the last few months
The state-owned company reported two incidents to the Commission d’accès à l’information six months ago
Hydro-Quebec fell victim to “phone scams” and a cascade of “unusual connections” last December that affected 173 customer seats.
The first incident, reported to the Commission d’accès à l’information (CAI) on December 15, prompted customer service staff to divulge two customers’ confidential information, the state-owned company confirmed.
“The information passed on to third parties is personal data, but it is not of a banking nature or.” [numéro d’assurance sociale] NAS,” assures its spokesman Louis-Olivier Batty.
Provided by Louis-Olivier Batty
Louis Olivier Batty
“The special police officers of our corporate security service had informed the two affected customers about the incident,” he said.
More than 173 customer areas affected
The second incident was reported to the CAI eight days later, following a problem two months earlier.
“An alert from our monitoring system has detected multiple unusual connections to customer areas from one IP address over a short period of time, suggesting the connections are automated and potentially malicious in origin,” Hydro-Québec said.
More than 173 customer areas are affected, but the state-owned company says this is not the cause of the disruption.
“The information that can be seen does not include the full bank account number or the credit card.” [puisqu’elle ne fait pas partie de nos modes de paiement acceptés] or social security number,” says Hydro.
In an interview with the Journal last April, Hydro-Québec’s head of cybersecurity, who is responsible for overseeing its critical infrastructure, warned that the main threat often comes from within.
Can you share information about this story with us?
Do you have a scoop that might be of interest to our readers?
Write to us or call us directly at 1-800-63SCOOP.