
PIPEDA Findings #2022-004: Investigation into MGM breach highlights how to assess risk, and need for timely assessment
This investigation concerned MGM Resorts International's handling of a 2019 data breach that affected millions of guests, including nearly two million Canadians. The OPC initiated a complaint after media reports indicated a breach and MGM had not reported it. The investigation found that MGM failed to promptly assess the risk of significant harm (RROSH) posed by the breach and did not report it to the OPC or notify affected Canadians as soon as feasible. MGM has committed to updating its privacy breach response framework to ensure timely RROSH assessments and reporting.
- Whether the personal information involved in the breach posed a real risk of significant harm (RROSH) to affected Canadians.
- Whether MGM adequately assessed the RROSH.
- Whether MGM reported the breach to the OPC and notified affected Canadians as soon as feasible.
- Whether MGM's delay in assessing the breach and notifying Canadians contravened PIPEDA's mandatory breach reporting obligations.
Complaint well-founded and conditionally resolved
The OPC found that the breach posed a RROSH due to the sensitivity of the compromised information, including government identifiers, and the probability of misuse by malicious actors. MGM contravened PIPEDA by failing to promptly assess this risk and by delaying the reporting of the breach to the OPC and the notification of affected individuals.
AI-generated summary for reference only. Always verify against the official decision.
MGM committed to amending its privacy breach response framework to ensure prompt RROSH assessments and timely reporting and notification of breaches involving Canadian residents, and to provide evidence of these amendments to the OPC.
- s. 10.1 PIPEDA
This summary is for informational purposes only and does not constitute legal advice.

