Ontario students whose information was lost because government IT officials failed to provide adequate cyber protection have won a class-action settlement, with $60 awarded per student affected. This sets a precedent for Canadians who once felt immune to financial penalties arising from cybersecurity standards. With thousands of records exposed by companies from Uber to Equifax and Yahoo, this could open the door to similar cases. In this article we discuss what went wrong in the OSAP incident and how you can prevent the same thing from happening to you.
While the settlement still needs to be approved as fair by February 2018, the current damages amount to about $5.2 Million in fees plus $60 per student record lost, putting the total at $17.2 Million for not having adequate cyber protection.
Just how protected was OSAP? Where did they fail to enable a process, technology or hire the right people? More importantly, are you making the same mistakes?
What Happened Technically?
The personal records of 583,000 applicants were placed on a portable hard drive that was not encrypted, and the drive went missing in January of 2013. The Employment and Social Development Office notified stakeholders and offered to cover a year's worth of credit monitoring for those affected.
What Did They Do Wrong?
They were able to detect the breach and notified officials within weeks of becoming aware of it. They contacted the stakeholders and offered an initial payout for the lost information. For many companies this is more than they would expect of themselves: if you lost a USB key with HR information, would you even know about it?
The fact remains that holding the data on an unencrypted drive, and then losing that drive, was negligence and left them liable.
What Could They Have Done Differently?
As part of our security hygiene check, we make sure our clients inspect every connected device, verify that drives are encrypted, and ensure USB keys are both authorized and encrypted before this kind of information is copied onto them. If an employee circumvents these policies, the organization would not be considered negligent, because every reasonable action to protect the user's data had been taken.
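The hygiene check described above is something you can automate on the endpoint. The following is an added example, not IntelliGO's tooling: it parses the `KEY="value"` output format of Linux `lsblk -P` (the sample output, the serial numbers and the allowlist are constructed for the example) and flags any removable disk that is not on the authorized-serial list or that carries a partition which is not a LUKS container. The column set and the allowlist are assumptions for the example.

```python
"""Audit removable block devices against a removable-media policy.

Parses `lsblk -P -o NAME,TYPE,RM,FSTYPE,SERIAL,MOUNTPOINT` output and flags
removable disks that are unauthorized (serial not on the allowlist) or not
fully LUKS-encrypted. Real use: feed it `subprocess.check_output(["lsblk",
"-P", "-o", ...])`; here a constructed sample is embedded so it runs offline.
"""
import re
from dataclasses import dataclass

# Constructed sample of `lsblk -P` output: one internal disk, one approved
# LUKS-encrypted USB key (sdb) and one unknown, unencrypted USB key (sdc).
SAMPLE_LSBLK = '''NAME="sda" TYPE="disk" RM="0" FSTYPE="" SERIAL="INTERNAL-0001" MOUNTPOINT=""
NAME="sda1" TYPE="part" RM="0" FSTYPE="ext4" SERIAL="" MOUNTPOINT="/"
NAME="sdb" TYPE="disk" RM="1" FSTYPE="" SERIAL="USB-APPROVED-7781" MOUNTPOINT=""
NAME="sdb1" TYPE="part" RM="1" FSTYPE="crypto_LUKS" SERIAL="" MOUNTPOINT=""
NAME="luks-7781" TYPE="crypt" RM="0" FSTYPE="ext4" SERIAL="" MOUNTPOINT="/media/secure"
NAME="sdc" TYPE="disk" RM="1" FSTYPE="" SERIAL="USB-UNKNOWN-0042" MOUNTPOINT=""
NAME="sdc1" TYPE="part" RM="1" FSTYPE="vfat" SERIAL="" MOUNTPOINT="/media/usb"
'''

# Hypothetical allowlist of serial numbers issued by the organization.
ALLOWED_SERIALS = {"USB-APPROVED-7781"}

PAIR_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_lsblk(text):
    """Turn each `KEY="value" ...` line into a dict; skip blank lines."""
    return [dict(PAIR_RE.findall(line)) for line in text.splitlines() if line.strip()]


@dataclass
class Finding:
    device: str
    serial: str
    problems: tuple


def audit(rows, allowed_serials):
    """Return one Finding per removable disk that violates the policy."""
    findings = []
    for disk in rows:
        if disk.get("TYPE") != "disk" or disk.get("RM") != "1":
            continue  # only removable whole disks are in scope
        name = disk["NAME"]
        # Partitions of a disk share its name prefix (sdb -> sdb1, sdb2, ...).
        parts = [r for r in rows if r.get("TYPE") == "part" and r["NAME"].startswith(name)]
        problems = []
        if disk.get("SERIAL") not in allowed_serials:
            problems.append("serial not on allowlist")
        # Every partition on a removable disk must be a LUKS container; a
        # disk formatted without a partition table must itself be LUKS.
        unencrypted = [p["NAME"] for p in parts if p.get("FSTYPE") != "crypto_LUKS"]
        if unencrypted:
            problems.append("unencrypted partition(s): " + ",".join(unencrypted))
        elif not parts and disk.get("FSTYPE") != "crypto_LUKS":
            problems.append("whole-disk filesystem is not LUKS")
        if problems:
            findings.append(Finding(name, disk.get("SERIAL", ""), tuple(problems)))
    return findings


if __name__ == "__main__":
    for f in audit(parse_lsblk(SAMPLE_LSBLK), ALLOWED_SERIALS):
        print(f"{f.device} (serial {f.serial}): " + "; ".join(f.problems))
```

On the constructed sample only `sdc` is reported, with both an allowlist and an encryption problem; the approved LUKS key `sdb` passes. Run from a scheduled job or a udev hook, the findings are what you would forward to your monitoring so that an unencrypted drive holding sensitive records is noticed before it leaves the building, not after.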
Closing the Gap for Canadians
Many Canadians were willfully unaware of the protections required to avoid this type of loss because for so long they were not legally liable. Under PHIPA and C-SOX we have not seen many cases or judgments involving financial penalties or jail time. Even copyright infringement from illegal downloads was covered by levies on CDs for many years. In a way, Canadians were sheltered from having to care about digital privacy and cybersecurity.
The OSAP judgment and the Digital Privacy Act will change that this year. Many organizations, from Uber, Equifax, Yahoo, LinkedIn and others who have suffered massive data breaches, may be required to offer similar settlements in cases where negligence was observed. This is where companies need a security company that is dedicated to preventing breaches and offering a response.
To do this we needed to do something different: not a consulting capacity alone, and not a piece of software that solves one niche threat. We are not software alone; we offer prevention audits that check for the very issues these firms were subject to, and a response service that detects this type of activity.
The IntelliGO Managed Detection and Response (MDR) Platform collects data from all your systems and can correlate threat intelligence to help you find and respond to threats you may have missed.
Download a sample of our Prevention Posture Assessment (PPA) report and find out how you can use it to determine if you have been breached or can be breached by malware.