Alarm company mishandled breach complaints, but no ‘real risk of significant harm’: Commission

By Sasha Coutu

Law360 Canada (July 8, 2024, 12:01 PM EDT) --
The Office of the Privacy Commissioner of Canada (OPC) recently published its Report of Findings following an investigation into Company Home, an alarm-monitoring company that works with authorized dealers to sell the systems to customers.

The report, dated March 28, 2024, and released on June 6, 2024, addressed two primary concerns: a customer complaint regarding inadequate safeguards and whether the Company failed to report a breach posing a “real risk of significant harm” (RROSH).

Background of the investigation

The company suffered a privacy breach in 2022, discovered by a customer who logged onto the company’s portal and was able to access the personal information of other customers. When the customer initially reported the issue to a company customer service representative, the employee did not escalate the matter. Seeing that the issue was left unresolved about 10 weeks later, the customer followed up with the company and filed the complaint with the OPC.

The company eventually investigated and concluded that human error during the setup of the accounts resulted in the personal information of 3,340 customers being accessible by about 20 customers via the company’s portal. The personal information involved in the breach included:

  • customer names, phone numbers and addresses;
  • emergency contact name, phone number and whether they had a key to the house; and
  • alarm system model type and a list of monitored devices (e.g., door sensor) and location (e.g., front door).

Key findings from the investigation

Following its investigation into the matter, the OPC concluded the following:

1. No RROSH found

The breach did not trigger the obligation under the Personal Information Protection and Electronic Documents Act (PIPEDA) to report to the OPC and notify affected individuals. In other words, the breach did not pose a “real risk of significant harm.”

As part of the analysis, the OPC reviewed the sensitivity of the personal information involved and the probability that the personal information has been, is or will be misused.

Sensitivity: The OPC recognized that the information could be sensitive in that it could potentially be leveraged by a malicious actor to assist in gaining unauthorized access to a customer’s home.

Likelihood of misuse: The OPC reasoned that since the number of individuals with unauthorized access to the personal information was low (i.e., at most 20), they were known company customers, and the access was granted unintentionally by the company itself (as opposed to, say, a malicious hack by a customer), the likelihood of one of those customers using the information in ways that could cause harm was low.

Consequently, there was no RROSH posed by the breach, so the company was not required under law to report the breach to the OPC or to notify affected individuals.

2. Inadequate safeguards detected

The OPC found the company failed to implement safeguards to protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification, as required by principle 4.7.1 of PIPEDA.

The OPC focused on the company’s failure to appropriately escalate the original complaint, which left the unauthorized access unresolved for an additional 10 weeks. Efforts to resolve the issue during the OPC’s investigation — including resetting account permissions, updating account registration processes, monitoring account discrepancies and revising training — were recognized by the regulator, but ultimately, the OPC found these were implemented too late to prevent the finding of non-compliance.

As such, the lack of a breach management process — which should have included training to employees about the proper and timely escalation of suspected breaches — was found to be a failure to comply with PIPEDA.

Key takeaways for businesses:

  • Proper training of frontline staff (customer service representatives) so they are able to quickly and appropriately identify privacy concerns is an effective (and relatively inexpensive) way to avoid escalation into a privacy complaint (and investigation).
  • The OPC appears to have taken a pragmatic approach to an analysis under the RROSH harm test and sets out how it arrived at the conclusion that RROSH was not triggered. This is helpful instruction for businesses that often deal with RROSH edge cases.

This report underscores the critical need for organizations (and their employees) to treat privacy complaints seriously, and to investigate each one promptly and thoroughly. It also highlights the fact that RROSH analysis is not a mechanical exercise. Organizations should take a thoughtful approach to such analysis.

Additionally, while an investigation by the OPC into an organization’s breach management practices is infrequent, it is a good reminder that the regulator will not hesitate to retroactively probe breaches upon receiving complaints, in order to assess compliance with breach reporting obligations.

Sasha Coutu is an associate focused on data and technology with Dentons Canada’s privacy and cybersecurity group. As part of her practice, she provides practical advice to a wide range of organizations on how to navigate the intricate legal landscape of data protection. 

The opinions expressed are those of the author and do not reflect the views of the author’s firm, its clients, Law360 Canada, LexisNexis Canada or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.
