MT>3

Canada's Privacy Watchdog Sounds Alarm

27/9/2016

 
Canada’s privacy watchdog just released some pretty grim details about the state of Canadians’ privacy. The so-called “Internet of Things” is collecting all sorts of sensitive data about us and quite possibly mismanaging it; yet it seems that there is not much, as individuals, we can do to protect our information.

Users of connected devices are forced to click ‘agree’ when signing on for the first time. Without saying yes, the devices cannot be used as intended. But what are we saying yes to? We want to believe that our privacy is being safeguarded by these companies, but it is time to take a closer look at their privacy policies. They are vague and, in some cases, have not been properly proofread and still contain placeholders where specific privacy policies should be spelled out.

The Office of the Privacy Commissioner of Canada (OPC) is clearly concerned about this. The Privacy Commissioner, Daniel Therrien, has stated that “[a]s this technology expands, it is imperative that companies do a better job of explaining their personal information handling practices.” The question remains as to how this can be accomplished. Canadians are quick to adopt new technology but, on their own, lack the resources to influence major change in the ways in which their privacy is protected. This role may be best suited to a federal body with the power to implement and enforce privacy standards. Fortunately for Canadians, the OPC is proactively investigating and making recommendations on the issue, thus putting companies on notice that enforcement will soon follow.

In any event, before clicking ‘agree’ be sure to read the fine print.

Yahoo! Breach 

23/9/2016

 
Another corporate data breach. It seems like it happens almost every day. However, the Yahoo! data breach reported yesterday afternoon is not like most others.
 
Yahoo reported that the personal details (username, date of birth, telephone numbers, email addresses, etc.) of between 400 and 500 million user accounts had been stolen over two years ago, but they just discovered it recently. In fact, they didn’t discover the breach – they were notified after an internet auction site offered the information for sale. This could be the largest theft of non-company personal information ever (the Sony hack two years ago was larger, but only contained personal information of Sony employees and contractors).
 
Yahoo is now advising its users to change their passwords. While changing passwords on a periodic basis is always a good idea, doing it in light of this theft is even more important.
 
This breach highlights one of the most compelling reasons to embrace Information Governance in the Internet age – it is not a matter of if you will be breached, but when you are breached. If you take this attitude, knowing what information you have so that you can protect the crown jewels becomes a no-brainer.

An Ounce of Prevention – Reducing Data Breach Costs

19/9/2016

 
On August 29th, Justice Paul Perell of the Ontario Superior Court approved a settlement in the class action lawsuit against Home Depot arising from a data breach it suffered in 2014. Justice Perell said that “(t)he case for Home Depot being culpable was speculative at the outset and ultimately the case was proven to be very weak. The real villains in the piece were the computer hackers, who stole the data. After the data breach was discovered, there was no cover up, and Home Depot responded as a good corporate citizen to remedy the data breach. There is no reason to think that it needed or was deserving of behaviour modification.”
 
Essentially, the court declared that Home Depot did not do anything wrong and could not have prevented the data breach. Even so, this breach cost Home Depot Canada about $520,000 in legal fees and settlement costs as Home Depot spent millions of dollars in Canada to provide its customers with credit card monitoring services. Settling a class action is now one more cost of remediating a data breach in Canada.
 
Home Depot responded well (it contained the breach quickly, identified the stolen information, notified affected people as soon as possible, and offered to pay for credit monitoring services).  This indicates it was able to identify what information was affected by the breach.  
 
We believe the specific data breach that Home Depot suffered could have been mitigated if it had been more proactive with a comprehensive Information Governance strategy.
 
The breach involved hackers gaining access to credit card terminals through a third-party vendor that contracted with Home Depot. When a consumer swiped their credit card at the terminal, the card information was transmitted, unencrypted, to a central Home Depot computer for processing. Over the course of five months, the hackers intercepted the information along the way, capturing the consumer’s credit card account information, email address, and purchase data. Following the breach, Home Depot replaced the terminals with ones that transmitted the information in encrypted form, so that even if it was intercepted, it could not be deciphered.
 
In 2013, Home Depot suffered two small data breaches. At that time, it was advised by security experts to activate the encryption function of its credit card terminals. However, it decided not to do this in order to save money.
 
Home Depot could have also implemented or enforced more stringent IG practices, including policies on data transmission (that would have required encryption), data retention (that may have prevented some email addresses from being stolen) and ongoing compliance monitoring (which may have allowed them to discover the breach much more quickly).
 
Even though Home Depot responded well to the breach, it still incurred costs in the millions of dollars. Implementing and enforcing Information Governance ahead of time would have likely mitigated costs, and been a better use for the money.