Clients often ask us to explain the difference between a privacy "hack" and a "breach" where an individual's personal information is concerned. Indeed, while there is generally understood to be a difference between these concepts, confusion remains with respect to how each is precisely defined - and how such definitions inform a company's legal obligations.

A hack is commonly associated with a malicious intent to modify hardware or software in a way that was not intended by the developer. A privacy breach can also have dire consequences, but is usually associated with human error in that information is left unintentionally unsecured.

Some have even tried to distinguish a "hack" from a "crack," noting that hacking is not always done for malicious purposes, whereas criminal intent always underlies a "crack".[1]

However, these terms are not well delineated by Canadian institutions and are frequently used interchangeably by the media. For example, Netflix's The Great Hack sheds light on the Facebook-Cambridge Analytica data scandal, yet some authors point out that this data scandal is properly a "breach" and not a "hack": Cambridge Analytica exploited a mistake in Facebook's systems, rather than breaking through Facebook's security measures.[2]

What does this distinction mean for Canadian businesses? Likely, not as much as one might think. The Office of the Privacy Commissioner of Canada (OPC) clearly considers a "hack" to fall within a range of privacy breaches. Accordingly, the Personal Information Protection and Electronic Documents Act (PIPEDA) defines a "breach of security safeguards" broadly as the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization's security safeguards or from a failure to establish those safeguards.[3]

In keeping with the spirit of PIPEDA, the OPC's official guidance, "Tips for containing and reducing the risks of a privacy breach," asks readers to not only consider appropriate responses to hackers — for example, through intrusion prevention and detection systems — but also strongly encourages them to think beyond hackers when anticipating data and privacy threats.[4]

As it relates to mandatory breach reporting, whether or not a breach was malicious is only one of several factors the OPC considers when assessing the risk of information being misused and/or causing significant harm. Ultimately, a Canadian business will be required to maintain appropriate privacy safeguards in all cases.

[1] See a variety of online articles distinguishing the concepts: Hackers vs. Crackers: Easy to Understand Exclusive Differences: https://www.educba.com/hackers-vs-crackers/; Crack: https://www.techopedia.com/definition/10256/crack; What is Hacking?: https://www.lifewire.com/definition-of-hacking-817991; Hacker: https://searchsecurity.techtarget.com/definition/hacker.

[2] See Jenny Knafo, "Data Breach vs. Data Hack" (May 23, 2019).

[3] Personal Information Protection and Electronic Documents Act, SC 2000, c 5, s 2(1).

[4] Office of the Privacy Commissioner of Canada, "Tips for containing and reducing the risks of a privacy breach".