New “real world” guidance on data breach notification and reporting - real risk of significant harm
- Published 30 Nov 2024
- In Canada, data breaches must be reported to the Privacy Commissioner and individuals must be notified if the event creates a "real risk of significant harm". But what does that mean?
You can read the original report of findings here: www.priv.gc.ca...
Where you can find me
► Privacylawyer blog: blog.privacyla...
► BlueSky: bsky.app/profi...
► Twitter: / privacylawyer
► LinkedIn: / davidtsfraser
Disclaimer: This is intended for education and information only and should not be taken as legal advice. If you need advice for your particular situation, you should seek out qualified counsel.
All views expressed are solely those of the creator and should not be attributed to his firm or any of its clients.
Thanks David! As you say, a reasonable and pragmatic decision. Thanks for sharing it.
This is fantastic, anonymized post-mortems like this are so very illustrative, and although they lack the precision of exhaustive policy, paved paths/what to avoid/norms are typically what companies are after.
It does mention (at 07:11) Brinks but that may be a typographic slip. And we know most serious damaging accidents are by slip, trip, fall.
@Don.Challenger I don't believe full anonymization is required. I work in tech, we do incident post-mortems all the time, and I am often the one instituting that policy. We would partially anonymize (employee names) and slightly redact (security) our internal ones to create our external/customer-facing ones. A similar process seems to be applied here; I skimmed the source report that was linked.
In this one, the OPC did name the company. I don't think it was really necessary. It may have been a negative, since any customer of that company might now wonder if they were one of the 3000+ with information potentially exposed. In videos like this, I generally don't emphasize the name of the organization unless there's really a reason to do so.
@privacylawyer Brinks is a public company, and an American one at that; they might be required to make public disclosures for a variety of reasons regardless. So the OPC might not be adding significantly more publicity than what's already available.
Besides, I think getting companies into the habit of being more public about issues they encounter is better in the long run for everyone.
So, why did the Privacy Commissioner believe the logs purporting to show login activity to other user accounts from the subcommunity of misconfigured systems (and was the misconfiguration for the benefit of one special user, but one that required opening the door to a larger block of users? How, or was that, ever determined?)? Couldn't the logging system itself have been misconfigured or tampered with? There is, after all, a real risk of noncompliance and untruthful disclosure, especially where reputation, commercial gain and preventing liability all lie on the greener side of the fence.
Tangentially, did any of those extra-privileged customers of that home 'security' service happen to receive misdelivered shipments of bullion during that timeframe? That lapse too was via breaches of privileged internal communication of information, which might just as well be termed a misconfiguration.
Some good questions. The report of findings doesn't go into that level of detail. What apparently happened is that an employee configured the 200 customers as "dealers" rather than just customers, so they had elevated privileges to view certain information related to select other customers. That sounds credible. If I had advised the company, I would have suggested looking into whether this was just a mistake or something else. Whether that happened is not in the report of findings.