Canada: OPC finds MGM in breach of PIPEDA for breach reporting failures
The Office of the Privacy Commissioner of Canada ('OPC') published, on 29 September 2022, its Report of findings No. 2022-004, as issued on 19 May 2022, in which it found that MGM Resorts International had violated Section 10.1 of the Personal Information Protection and Electronic Documents Act 2000 ('PIPEDA'), following an investigation by the OPC.
Background to the Report
In particular, following media reports on a large-scale data breach MGM suffered in 2019, the OPC had engaged with MGM to obtain additional information regarding the breach and the involvement of Canadians' personal information therein. Subsequently, upon receiving confirmation from MGM that personal information was affected by the breach, the OPC stated that it had initiated an investigation against MGM to assess whether it had complied with the mandatory breach reporting obligations under PIPEDA. In this regard, the OPC highlighted that MGM submitted a breach report to the OPC in connection with the breach on 3 June 2020 and notified affected individuals by 17 July 2020. Notably, the OPC highlighted that the breach included the publication, on a hacking forum, of personal information of about 10.6 million MGM guests, 1.9 million of which belonged to Canadians, including names, contact details, dates of birth, and identification numbers.
Findings of the OPC
Notably, the OPC found that, given the sensitivity of the information in question and the potential for it to be misused by malicious actors, the breach had created a real risk of significant harm to the affected Canadians, such that MGM was required to report the breach to the OPC and notify affected individuals in Canada. As such, the OPC stated that it found MGM in breach of Section 10.1 of PIPEDA for its failure to report the 2019 breach to the OPC and notify affected Canadian individuals as soon as was feasible.
Ultimately, the OPC found MGM in breach of Section 10.1 of PIPEDA and noted that, upon its recommendation, MGM had committed to amend its privacy breach response framework by 30 June 2022, to ensure that in circumstances of a breach MGM will:
- promptly conduct an appropriate assessment as to whether such breach gives rise to a real risk of significant harm for the individuals concerned;
- upon determining that a breach gives rise to such a risk, in accordance with Section 10.1 of PIPEDA:
  - provide a report, as soon as feasible, to the OPC; and
  - notify, as soon as feasible, the relevant individuals affected by such breach; and
- provide a report and associated documentary evidence to the OPC to demonstrate that it has complied with its commitment to amend its privacy breach response framework.
Consequently, the OPC noted that, in light of MGM's abovementioned commitments and the fact that MGM had reported the breach and notified affected Canadian individuals, it considers the matter conditionally resolved.
You can read the Report here.