
Posted in: Data Security/Privacy

Mar 13, 2018

Phishing Risk Deemed Sufficient in Alberta to Trigger “Real Risk Of Significant Harm” Threshold

By Steve J. Tenai

Since 2010, Alberta’s Personal Information Protection Act (“PIPA”) has required private sector organizations to notify the Office of the Information and Privacy Commissioner (“OIPC”) of a breach of personal information where a “reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure.”

On February 28, 2018, Uber was ordered to notify its riders of a breach of rider data stored in a cloud-based server. The data included, among other things, a rider’s name, mobile number, email address, hashed and salted password, password change, user ID, unique and other identifiers, and user rating. Uber had been contacted by an individual who claimed he had accessed this user information, which was confirmed by Uber, and paid the demanded ransom to destroy the data and obtain assurances that it would not be further disseminated. 

Uber had assessed the information to not be sensitive and to be insufficient for identity theft or financial harm. It also considered that there was no real risk of significant harm of phishing as a result of the incident because any potential harm from phishing results as a consequence of the individual supplying personal information such as access codes and passwords and not the consequence of having received an email. OIPC reached a different conclusion.

Alberta’s Privacy Commissioner reasoned that individual names, mobile telephone numbers and email addresses of riders, when combined with profile information, could be used to send sophisticated, user-specific emails and text messages purportedly from Uber. Merely clicking on a link, without a user providing any additional information, could potentially cause significant harm such as activating malware. The Commissioner noted that despite individuals being increasingly aware of the possibility of receiving phishing emails and texts, incidents of phishing occur regularly. Further, as smartphones are one of the primary means to access Uber’s services, users may be particularly vulnerable to these types of harm.

No weight was given to Uber having received assurances from the hacker that the personal information would not be used or further disseminated. The fact that these assurances were given by individuals who deliberately accessed the information without authority, made ransom demands, and accepted payment of ransom weighed against trusting their assurances.

As Alberta’s breach notification threshold under PIPA aligns with the threshold in Division 1.1 of the Personal Information Protection and Electronic Documents Act (PIPEDA) (yet to come into force) and with the threshold under the European Union’s General Data Protection Regulation (GDPR) (set to come into force in late May 2018), breach notification decisions from Alberta’s OIPC offer some guidance that may transcend that province.
