Compliance Letter to the Office of the Privacy Commissioner of Canada (“OPC”) By Nova Scotia Power
This compliance letter concerns a privacy breach at Nova Scotia Power that began around March 19, 2025. A malware attack allowed a threat actor to access and exfiltrate sensitive customer information, including names, contact details, financial information, and SINs, affecting approximately 375,000 current and 540,000 former customers. Nova Scotia Power has committed to specific actions, including deleting customer SINs and undergoing an external security assessment, to address the breach. Upon the Commissioner's satisfaction with these commitments, the investigation will be discontinued.
- Adequacy of security safeguards following a significant data breach.
- Timeliness and method of notification to affected individuals.
- Collection and retention of Social Insurance Numbers (SINs).
- Breach response and remediation efforts.
Investigation discontinued based on commitments made by Nova Scotia Power.
The investigation will be discontinued because Nova Scotia Power has agreed to fulfill specific commitments, including data deletion and security enhancements, which the Commissioner deems a fair and reasonable response to the breach.
AI-generated summary for reference only. Always verify against the official decision ↗
Nova Scotia Power committed to deleting customer SINs, conducting an external security assessment, and implementing recommendations to enhance safeguards and notification processes.
- s. 12.2(1)(c) PIPEDA
- s. 11(2) PIPEDA
- s. 20(2) PIPEDA
This summary is informational only and not legal advice.