Few Canadian organizations are prepared to handle data breaches, says a Canadian lawyer who focuses on cyber security and data protection law.
“Many Canadian organizations haven’t done some of the basic things that regulatory guidance and best practices suggest to minimize risk of a data breach,” Bradley Freedman, Vancouver-based partner at the Borden Ladner Gervais law firm said in an interview Sunday.
“In many cases its because decision-makers decide maybe the costs aren’t justified, or it’s not a profit centre and they want to spend the money in other ways.”
Either way, he said, “in my view it’s short-sighted and misguided.”
Freedman was interviewed after publishing a blog on the weekend on lessons learned following the recent settlement of up to $1.25 million in a class action lawsuit against Walmart Canada and PNI Digital Media Inc., who were sued in the wake of a 2015 data breach at Walmart’s Photocentre photo processing website. PNI provided the site’s software.
Sometime between June 1, 2014 and July 10, 2015 the site was breached, giving attackers access to personal and financial information of customers.
In a May 30 Ontario court decision the plaintiffs were ordered to pay
–one year of credit monitoring for victims up to a total of $350,000;
–out of pocket loses up to $5,000 a person up to a total for the group of $400,000;
–claims administration costs of up to $250,000 to Deloitte Canada, which is administering the payment of claims;
–and legal costs of $250,000.
As part of the settlement neither Walmart Canada nor PNI admitted any wrongdoing.
Freedman wasn’t involved in the case, but said a number of lessons can be learned from this and other data breaches:
–every organization should establish a documented, comprehensive information security governance framework to ensure that appropriate practices, procedures, policies and systems for the protection of personal information and payment card information are established, consistently understood and effectively implemented;
— a cyber risk management program should include risks arising from suppliers of products and services it uses as well as from business partners with access to the organization’s systems or who might otherwise be a risk to the organization’s cybersecurity posture;
— an organization should have a comprehensive and suitable data security incident response plan and a trained multidisciplinary incident response team;
–an organization should give timely notice of a data security incident to affected individuals and organizations (including payment service providers), regulators and law enforcement in accordance with data incident notification obligations.
Meanwhile the Toronto Star reports a U.S. judge has given interim approval to a US$11.2 million deal with the Canadian-based parent of online dating service Ashley Madison to settle class action lawsuits in the United States after the 2015 data breach involving approximately 36 million user accounts around the world. A final approval hearing will be held Nov. 20
There is a separate class action suit in Canada.
Earlier this month Ruby Corp. and Ruby Life Inc. (which had been called Avid Dating Life before the breach), issued a statement describing the proposed settlement, which consolidates several lawsuits into one before the United States District Court for the Eastern District of Missouri.
If approved the money will go into a settlement fund to pay class members who submit valid claims for alleged losses resulting from the data breach and alleged company misrepresentations.
The consolidated class action complaint alleges that the defendants misrepresented that they had taken reasonable steps to ensure AshleyMadison.com was secure and that the data breach resulted in the public release of personal information including data of some users who had paid a fee to delete their information from the AshleyMadison.com website.
In settling Ruby denies any wrongdoing. The statement says the parties have agreed to the proposed settlement “to avoid the uncertainty, expense, and inconvenience associated with continued litigation, and believe that the proposed settlement agreement is in the best interest of ruby and its customers.”
The statement also says that account information wasn’t verified by the company so the names of alleged members released by the hackers may not have actually been a members of Ashley Madison.
The statement adds that since July 2015, Ruby also implemented numerous remedial measures to enhance the security of its customers’ data.