Hacked, cracked or breached: What's in a name when it comes to privacy?

22 October 2019

Clients often ask us to explain the difference between a privacy "hack" and a "breach" where an individual's personal information is concerned. Indeed, while there is generally understood to be a difference between these concepts, confusion remains with respect to how each is precisely defined - and how such definitions inform a company's legal obligations.



A hack is commonly associated with a malicious intent to modify hardware or software in a way that was not intended by the developer. A privacy breach can also have dire consequences, but is usually associated with human error in that information is left unintentionally unsecured.

Some have even tried to distinguish a "hack" from a "crack," noting that hacking is not always done for malicious purposes, whereas criminal intent always underlies a "crack".[1]

However, these terms are not well delineated by Canadian institutions and are frequently used interchangeably by the media. For example, Netflix's The Great Hack sheds light on the Facebook-Cambridge Analytica data scandal. However, some authors point out that this data scandal is properly a "breach" and not a "hack." Cambridge Analytica exploited a mistake in Facebook's systems, rather then breaking through Facebook's security measures.[2]

What does this distinction mean for Canadian businesses? Likely, not as much as one might think. The Office of the Privacy Commissioner of Canada (OPC) clearly considers a "hack" to fall within a range of privacy breaches. Accordingly, the Personal Information Protection and Electronic Documents Act (PIPEDA) defines a "breach of security safeguards" broadly as the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization's security safeguards or from a failure to establish those safeguards.[3]

In keeping with the spirit of PIPEDA, the OPC's official guidance, "Tips for containing and reducing the risks of a privacy breach," asks readers to not only consider appropriate responses to hackers — for example, through intrusion prevention and detection systems — but also strongly encourages them to think beyond hackers when anticipating data and privacy threats.[4]

As it relates to mandatory breach reporting, whether or not a breach was malicious is only one of several factors the OPC considers when assessing the risk of information being misused and/or causing significant harm. Ultimately, a Canadian business will be required to maintain appropriate privacy safeguards in all cases.


[1] See a variety of online articles distinguishing the concepts: Hackers vs. Crackers: Easy to Understand Exclusive Differences: https://www.educba.com/hackers-vs-crackers/; Crack: https://www.techopedia.com/definition/10256/crack; What is Hacking?: https://www.lifewire.com/definition-of-hacking-817991; Hacker: https://searchsecurity.techtarget.com/definition/hacker.

[2] See Jenny Knafo, "Data Breach vs. Data Hack" (May 23, 2019).

[3] Personal Information Protection and Electronic Documents Act, SC 2000, c 5, s 2(1).

[4] Office of the Privacy Commissioner of Canada, "Tips for containing and reducing the risks for a privacy breach".


NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Gowling WLG professionals will be pleased to discuss resolutions to specific legal concerns you may have.