• Unauthorized access to customer billing records
• Section 2(1) (definition of personal information) - the records in question contained personal information.
• Section 32 (disclosure) - the disclosure of the personal information was not in accordance with the Act.
• Section 3(1) of Regulation 823 (security) - there were not adequate security measures in place at the time of the breach.
Recommendations:
1. Hydro should implement measures to enhance security at the e-bill account creation stage.
2. Hydro should take measures to prevent, limit, and detect the ability of employees to access lists of all Hydro customers.
3. Hydro should implement robust access controls.
4. Hydro should implement additional mechanisms to detect and limit unusual online account activities.
5. Hydro should repair the software coding that allowed for the unauthorized override of password protections.
6. Hydro should provide a quarterly report to the IPC regarding system enhancements designed to protect customer privacy.