Online service provider that suffered a breach had appropriate safeguards in place

PIPEDA Report of Findings #2014-004

April 23, 2014


An individual received a breach notification letter from a third-party provider of ticketing, marketing and fundraising services based in the United States (the “Organization”), indicating that her personal information (including name, contact information and credit card number) had potentially been accessed by a cyber attacker. While the individual did not have a direct relationship with the Organization, she had made a purchase from a merchant that used the Organization’s services.

The letter was part of a broader breach notification effort by the Organization, which included notifying (i) United States law enforcement, (ii) Canadian data protection authorities, including our Office, and (iii) the Organization’s clients. As some of the Organization’s Canadian clients were small businesses, the Organization also opted to contact those clients’ customers directly where this course of action would be the most expedient means of notification.

After receiving a notification letter, the individual filed a complaint with our Office against the Organization under the Personal Information Protection and Electronic Documents Act (the “Act”).

Although the Organization had proactively notified our Office of the breach, it did not concede the jurisdiction of our Office. The Organization stated that it did not control the personal information in question. It maintained that its client was accountable under the Act since the client had collected and used the information. Notwithstanding this position, the Organization did cooperate with our investigation into the complaint.

Our investigation focused on two issues: (i) the applicability of the Act to the Organization in this matter, and, once we had determined that the Act applied, (ii) whether the Organization had safeguards in place appropriate to the sensitivity of the information at the time of the breach. It should be noted that the fact that a breach has occurred is not necessarily indicative of a contravention of the Act. For example, an organization may have appropriate safeguards in place and still fall victim to a determined, clever and/or innovative attacker.

Our Office notes that the individual specifically named the Organization in her complaint. As such, our Office’s investigation was limited to determining whether the Act applied to that Organization, and not whether it applied to other organizations associated with this incident.

In terms of applicability of the Act to the Organization, the Organization argued that it was a third-party processor and, therefore, did not control the personal information in question. However, the Organization’s status as a third-party processor does not prevent it from being subject to the Act. The Act applies to all organizations that have personal information in their possession or custody, so long as the information was collected, used or disclosed in the course of a commercial activity that has a real and substantial connection to Canada.

The fact that the Organization was involved in a commercial activity was not contested. Our Office, however, found that the activity in question had a real and substantial connection to Canada. Though the Organization did not specifically solicit business from Canadian consumers, it actively sought and entered into business relationships with Canadian organizations. Furthermore, the Organization’s business model required it to hold the personal information of those organizations’ customers (and thus, the personal information of Canadians) under its control.

As such, our Office found that the Act did apply to the Organization in relation to this complaint.

Having determined that the Act applied, the investigation set out to evaluate whether the Organization had the appropriate safeguards in place at the time of the incident. In this instance, our Office determined that the Organization had numerous technical safeguards in place at the time of the incident aimed at preventing and detecting breaches. These included: (i) the use of firewalls, (ii) the hashing and encryption of sensitive information, (iii) separate storage and obfuscation of encryption keys, and (iv) multiple intrusion detection systems (through which the breach was detected). The effectiveness of these safeguards was independently evaluated on a regular basis through external vulnerability scans and an audit of its “at-rest” data protection practices against industry standards.

The Organization also stated that it had a vulnerability management program in place at the time of the breach; however, the vulnerability that led to the incident was a “zero-day exploit”, meaning it was not publicly known prior to the attack, and as such, the Organization could not have had foreknowledge of it.

Given the above, our Office found that the Organization did have appropriate safeguards in place at the time of the breach. As such, our Office determined that the complaint was not well-founded.

Although our Office was satisfied with the safeguards the Organization had in place prior to the breach, we were encouraged to note that, of its own accord, the Organization put additional safeguards in place after the incident. These included: (i) salted hashing and stronger encryption of personal information; and (ii) reconfiguring its network to further isolate sensitive data. The Organization also conducted extensive penetration testing, updated all internal protocols, and provided additional training to staff. Our Office appreciates the Organization’s commitment to undertaking a thorough response to the incident, and recognizes that implementing improvements to safeguards in response to an incident does not necessarily indicate that those in place at the time of the incident were insufficient.
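The report refers to two of the safeguards in general terms: "hashing and encryption of sensitive information" with keys "stored separately" before the breach, and "salted hashing" afterwards. The following example, added here and not drawn from the Organization or the report, illustrates in Python why per-record salting and a separately held key matter when the hashed value is a low-entropy identifier such as a card number. The card numbers are standard test values constructed for the illustration, the helper names are hypothetical, and the "key stored outside the database" is a placeholder rather than a real key-management call.

```python
"""Salted and keyed hashing of sensitive identifiers (added illustration).

Only the Python standard library is used. All sample values are constructed.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 100_000

# Constructed sample card numbers (publicly documented test numbers, not accounts).
CUSTOMER_A = "4111111111111111"
CUSTOMER_B = "4111111111111111"   # the same card seen at a second merchant
CUSTOMER_C = "5555555555554444"


def unsalted_hash(value: str) -> str:
    """Plain SHA-256: identical inputs always give identical digests.

    A card number has limited entropy and no secret is involved, so anyone
    holding the stored table can test candidate numbers offline, and two
    records for the same card are trivially linkable.
    """
    return hashlib.sha256(value.encode()).hexdigest()


def salted_hash(value: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-record random salt plus PBKDF2-HMAC-SHA256.

    Returns (salt, digest); the salt is stored beside the digest. Equal
    inputs now produce different digests, so records cannot be linked and a
    precomputed digest table is useless. Iterations slow down offline guessing.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", value.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_salted(value: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", value.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def keyed_index(value: str, key: bytes) -> str:
    """HMAC-SHA256 "blind index" keyed with a secret held outside the database.

    Same input and key give the same tag, so the column stays searchable for
    duplicate or fraud checks, but without the key the tag cannot be
    precomputed or brute-forced from a copy of the table alone. This is the
    property behind storing keys separately from the data they protect.
    """
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def demo() -> dict:
    """Run the comparison and return each observation as a boolean."""
    # Placeholder: in practice the key comes from a KMS/HSM, never the data store.
    index_key = b"PLACEHOLDER-KEY-STORED-OUTSIDE-DATABASE"

    salt_a, digest_a = salted_hash(CUSTOMER_A)
    salt_b, digest_b = salted_hash(CUSTOMER_B)

    return {
        "unsalted_linkable": unsalted_hash(CUSTOMER_A) == unsalted_hash(CUSTOMER_B),
        "salted_unlinkable": digest_a != digest_b,
        "salted_verifies": verify_salted(CUSTOMER_A, salt_a, digest_a),
        "salted_rejects_wrong": not verify_salted(CUSTOMER_C, salt_a, digest_a),
        "keyed_index_searchable": keyed_index(CUSTOMER_A, index_key)
        == keyed_index(CUSTOMER_B, index_key),
        "keyed_index_key_bound": keyed_index(CUSTOMER_A, index_key)
        != keyed_index(CUSTOMER_A, b"some-other-key"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Running the script prints six observations, all of which should be True: the unsalted digests of the same card collide, the salted ones do not, verification still succeeds with the stored salt, and the keyed index remains searchable yet depends entirely on a key that a copy of the table does not contain. Encryption of the stored value (the report's other measure) is a separate layer and is not shown here, since it needs a library outside the standard library.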

Lessons Learned

  • The Act applies to all organizations, even third-party processors, who are involved in a commercial activity, where this activity has a real and substantial connection to Canada.
  • Under PIPEDA, an organization is responsible for personal information in its possession or custody, even if the information was initially collected by another organization.
  • Organizations must protect personal information by implementing security safeguards appropriate to the sensitivity of the information. Organizations handling personal information can benefit from becoming familiar with our Office’s document: Tips for containing and reducing the risks of a privacy breach.
  • The fact that a breach has occurred is not necessarily indicative of a contravention of the Act. While an organization may not have been able to prevent a breach, it may still have had appropriate safeguards in place.