In the wake of a privacy breach at the B.C. Pension Corporation, B.C.’s privacy commissioner is once again calling on the provincial government to compel public and private bodies to report privacy breaches to his office within days of discovery.
Michael McEvoy said the case clearly demonstrates why B.C. requires mandatory breach notification.
In late March, B.C. Pension Corporation notified 8,000 members of the college pension plan it administers of a potential privacy breach after a box of microfiche containing sensitive personal information, including date of birth, social insurance numbers, and income information went missing “following a recent office move.”
McEvoy said the office move took place in September 2018 and the microfiche was found to be missing in October. B.C. Pension Corporation reported the missing personal information to the privacy commissioner on March 8 and informed pension plan members in a letter dated March 29.
McEvoy said his office has been calling on government for years to add breach-notification requirements to B.C.’s privacy laws.
“As it is now, it is not a requirement for public bodies or private organizations to report privacy breaches to my office or individuals who are affected by a breach,” he said in an interview Saturday.
If such mandatory reporting were in place, organizations would be required to report breaches or suspected breaches to his office within days of discovery, McEvoy said.
With such a law in place, the B.C. Pension Corporation would have been required to report the breach last October — not March.
“We have very experienced staff who work on these issues all the time,” he said, adding that his office can help organizations contain a breach, assess the risk and ensure that affected individuals are notified if necessary.
“If somebody is harmed by a privacy breach, sensitive information might be disclosed,” he said. “That’s the kind of information that could be used, for example, by identity thieves. So it’s important that individuals know at the first possible instance whether or not the information’s been breached so that they can take action. For example, to look for unusual transactions on their credit cards or to get credit monitoring.”
In this case, affected individuals should review their credit activity since September 2018, said McEvoy.
B.C. Pension Corporation spokeswoman Sherry Sheffman said it’s believed the breach is low risk because the data is on microfiche, which is difficult to read without special equipment. The information on the microfiche was also very old.