Wendy J. Wagner
Partner
Co-Head, National Cybersecurity and Data Protection Group
Clients often ask us to explain the difference between a privacy "hack" and a "breach" where an individual's personal information is concerned. Indeed, while there is generally understood to be a difference between these concepts, confusion remains with respect to how each is precisely defined - and how such definitions inform a company's legal obligations.
A hack is commonly associated with a malicious intent to modify hardware or software in a way that was not intended by the developer. A privacy breach can also have dire consequences, but is usually associated with human error in that information is left unintentionally unsecured.
Some have even tried to distinguish a "hack" from a "crack," noting that hacking is not always done for malicious purposes, whereas criminal intent always underlies a "crack".[1]
However, these terms are not well delineated by Canadian institutions and are frequently used interchangeably by the media. For example, Netflix's The Great Hack sheds light on the Facebook-Cambridge Analytica data scandal. However, some authors point out that this data scandal is properly a "breach" and not a "hack." Cambridge Analytica exploited a mistake in Facebook's systems, rather than breaking through Facebook's security measures.[2]
What does this distinction mean for Canadian businesses? Likely, not as much as one might think. The Office of the Privacy Commissioner of Canada (OPC) clearly considers a "hack" to fall within a range of privacy breaches. Accordingly, the Personal Information Protection and Electronic Documents Act (PIPEDA) defines a "breach of security safeguards" broadly as the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization's security safeguards or from a failure to establish those safeguards.[3]
In keeping with the spirit of PIPEDA, the OPC's official guidance, "Tips for containing and reducing the risks of a privacy breach," asks readers to not only consider appropriate responses to hackers — for example, through intrusion prevention and detection systems — but also strongly encourages them to think beyond hackers when anticipating data and privacy threats.[4]
As it relates to mandatory breach reporting, whether or not a breach was malicious is only one of several factors the OPC considers when assessing the risk of information being misused and/or causing significant harm. Ultimately, a Canadian business will be required to maintain appropriate privacy safeguards in all cases.
[1] See a variety of online articles distinguishing the concepts: Hackers vs. Crackers: Easy to Understand Exclusive Differences: https://www.educba.com/hackers-vs-crackers/; Crack: https://www.techopedia.com/definition/10256/crack; What is Hacking?: https://www.lifewire.com/definition-of-hacking-817991; Hacker: https://searchsecurity.techtarget.com/definition/hacker.
[2] See Jenny Knafo, "Data Breach vs. Data Hack" (May 23, 2019).
[3] Personal Information Protection and Electronic Documents Act, SC 2000, c 5, s 2(1).
[4] Office of the Privacy Commissioner of Canada, "Tips for containing and reducing the risks for a privacy breach".
THIS DOES NOT CONSTITUTE LEGAL ADVICE. The information presented on this website, in whatever form, is provided for informational purposes only. It does not constitute legal advice and should not be construed as such. No user should act or refrain from acting on the basis of this information alone, nor disregard the advice of a legal professional or delay consulting one because of anything read on this website. Gowling WLG professionals will be pleased to discuss with the user the various options available regarding specific legal questions.