Investigation into Desjardins’ compliance with PIPEDA following a breach of personal information between 2017 and 2019
From the moment it was disclosed, it seemed clear that the Desjardins breach of 2019 that involved a rogue employee was going to cause big trouble for Desjardins. And sure enough, in one day, they were hit with two potential class action lawsuits. Desjardins subsequently announced they were expanding the mitigation services being offered, but regardless of that offer, the Quebec and federal privacy commissioners announced days later that they were jointly investigating the breach. And as 2019 drew to a close, Desjardins had to announce that 1.8 million credit card holders may also have been impacted.
As 2020 draws to a close, the Privacy Commissioner of Canada has issued their report. From the overview:
- On May 27, 2019, the Fédération des caisses Desjardins du Québec (“Desjardins”) notified the Office of the Privacy Commissioner of Canada (“our Office” or the “OPC”) of a breach of security safeguards that ultimately affected close to 9.7 million individuals in Canada and abroad. The compromised personal information included first and last names, dates of birth, social insurance numbers, residential addresses, telephone numbers, email addresses and transaction histories. The number of individuals affected includes individuals whose personal information a malicious employee was able to access and/or exfiltrate.
- Desjardins also informed Quebec’s Commission de l’accès à l’information (the “CAI”) and other regulators of the fact that there were individuals within their jurisdictions that were affected by the incident.
- The OPC and the CAI launched investigations into this matter. To coordinate their efforts, the two Offices signed a collaboration arrangement on July 25, 2019.
- Desjardins concluded that the breach had been committed by one of its employees, who had been exfiltrating personal information over a period of at least 26 months. This raises the question as to whether Desjardins’ security safeguards were appropriate and whether it met accountability requirements with respect to the personal information entrusted to it. Given the age of some of the information compromised in the incident, the OPC also reviewed Desjardins’ data destruction practices.
- Our investigation concluded that Desjardins contravened the Personal Information Protection and Electronic Documents Act (“PIPEDA”)’s principles with regard to accountability, retention periods, and security safeguards. This report contains recommendations to Desjardins to address the contraventions found.
You can read the findings and the recommendations OPC made to Desjardins — recommendations that Desjardins reportedly agreed to. From the report’s conclusion:
- In view of all the above, we consider the complaints to be well-founded and conditionally resolved.
- The OPC will monitor Desjardins’ progress on its implementation of our recommendations.
Whether this report has any impact on the civil litigation remains to be seen.