Each state in the U.S. has their own individual laws as to when a company must report a data breach. In addition, there are federal laws and EU laws that likewise dictate when companies need to disclose. 

On September 1, 2018, Colorado will enact the toughest law yet, giving companies 30 days to provide notice of a breach involving personal information belonging to Colorado residents. Most states mandate 45 or 60 days. 

According to The Wall Street Journal, "Colorado also expanded the definition of personal information to include biometric data, driver’s license numbers, passwords and other items. In other state laws, personal information is often limited to a first name or initial and last name in combination with an identifier, such as a Social Security number."

Just this week, Air Canada discovered a breach and responded within days of discovering it. You can see their response below to the people who they believe were affected. It timely and clearly explains:

  • What happened;
  • The steps the company took to limit the breach; and,
  • What they need their customers do to further protect themselves. 

Your system will be breached. It is not a matter of IF, it will be a matter of WHEN. To prepare your company needs to create the protocols to MONITOR your systems and develop the PLANS to respond. This includes creating the TEAM and creating SIMULATED responses. 

In 2017, a data breach compromised the personal information of 147.9 million Equifax customers. The company was not prepared for the breach and failed in their response, leaving peoples personal data exposed. 

if the law in your state or for your industry is unclear, company's in the U.S. should use  the European Union’s General Data Protection Regulation (GDPR), which went into effect in May, as guidance which requires companies to disclose a breach within 72 hours of discovering it. Companies, both large and small, should now put the plans in place and prepare for the next attack. 

28 AUGUST 2018

We recently detected unusual log‑in behaviour with Air Canada’s mobile App between Aug. 22‑24, 2018. We immediately took action to block these attempts and implemented additional protocols to protect against further unauthorized attempts. As an additional security precaution, we have locked all Air Canada mobile App accounts to protect our customers’ data. 

Am I affected? 
As a result of our analysis, we are confident your account was not affected by these unauthorized attempts. As an additional security precaution however, we have locked all Air Canada mobile App accounts to further protect customer data.

To reactivate your Air Canada mobile App account, please see the instructions below or follow the prompts the next time you log into your Air Canada mobile App. 

Your privacy and the protection of your data are extremely important to Air Canada. Our security is multi‑layered, and we work with leading industry experts to continuously improve our practices as technology and security procedures evolve. 

Reset your password 
Please reset your password to resume using Air Canada’s mobile App and mobile products with confidence. 

Your new password must be a minimum of 10 characters. Here are some helpful tips in creating your new password: 
• Minimum of 10 characters which must contain at least 1 uppercase letter, 1 number, 1 symbol/special character, 1 lowercase letter
• Do not use your old password
• Do not use your name or something easily associated with you
• Do not use your Air Canada mobile App password with other accounts

You can reset your password by following the prompts when you next log‑in to your Air Canada mobile App, or you may reset your password now or you may also go to https://services.aircanada.com/portal-web/mobile/profile?action=resetpwd&locale=en 

For more information 
We regret any inconvenience this has caused. If you have questions, please refer to additional information posted on aircanada.com 


Catherine Dyer
Senior Vice President, Chief Information Officer
Air Canada