A joint investigation between B.C. and Ontario privacy commissioners has found that LifeLabs “failed to protect private information” during its 2019 privacy breach.
The privacy commissioners’ release on Thursday (June 25), found LifeLabs did not have “reasonable safeguards” in place to protect 15 million customers, largely in B.C. and Ontario. The company reported the breach to both privacy commissioners in November of last year, after detecting a cyberattack on its computer systems on Oct. 28.
Although B.C. and Ontario’s privacy commissioners released a broad overview of their investigation report on Thursday, they did not publish the entire report due to LifeLabs’ objections.
“LifeLabs has claimed that some of the information contained in the report is privileged or confidential and objected to the release of that information,” the release stated.
However, the privacy commissioners said they would release the full report unless LifeLabs attempts to get a court ruling in the company’s favour.
The privacy commissioners issued three joint orders to LifeLabs, outline broadly in Thursday’s release: to improve specific practices regarding information technology security, to formally put in place written information practices and policies with respect to information technology security, and to cease collecting specified information and to securely dispose of the records of that information which it has collected.
LifeLabs was also recommended to consult with third-party experts about if a longer period of credit monitoring would be “more appropriate.”
B.C’s privacy commissioner also said the LifeLabs case should serve as an example of why the office needs to be able to impose financial fines and penalties following investigations.
“This is the very kind of case where my office would have considered levying penalties,” said Michael McEvoy, Information and Privacy Commissioner of B.C. For its part, Ontario is expected to be able to levy financial penalties once a recently announced amendment to Ontario’s privacy law comes into effect. It would be the first province in Canada to have the ability to levy monetary penalties against individuals and companies that violate the Personal Health Information Protection Act.
Want to support local journalism during the pandemic? Make a donation here.