Due diligence: law firms vulnerable to privacy breaches
By Rob Lamberti, AdvocateDaily.com Contributor
The people whose privacy was breached when a hacker stole information about Ontario Cannabis Store customers from Canada Post could face problems crossing the border into the U.S., says Ryan Duquette, principal of Oakville-based Hexigent Consulting.
American authorities have indicated they intend to deny access to those who use cannabis or are employed in the field, and Duquette says entry to that country could become complicated if the breached material somehow gets into U.S. hands.
The Ontario Cannabis Store issued a statement on Nov. 7 indicating the breach affected about 4,500 customers. The store had been notified by Canada Post six days earlier that limited delivery information was accessed, including the postal code, the Canada Post tracking number and the name or initials of the person who was supposed to sign for the delivery.
"What I was thinking about this breach is that those 4,500 people are going to have a very difficult time denying they ever used marijuana," Duquette tells AdvocateDaily.com. "Their information is directly linked to purchasing cannabis products and is now out there in the public realm."
Duquette advises anyone affected by a data breach to take steps to repair the damage, including changing passwords to accounts and conducting credit checks to ensure their identities haven't been stolen.
But the Canada Post breach is more challenging, he says.
"There is nothing those affected can do to change the fact that the information is out there and it may have an impact on their future travel, especially for those with business ventures in the U.S.," Duquette says.
"From a risk perspective, if you're a CEO whose name is on that list, how will this affect your reputation? Is it going to impact the clients you work with, shareholders, your brand, and how you are seen within your organization?" Duquette says. "There's much to think about here."
Marijuana is a Schedule 1 drug in the U.S., in the same class as heroin and LSD. The Drug Enforcement Administration notes those drugs are "substances, or chemicals (that) are defined as drugs with no currently accepted medical use and a high potential for abuse."
Duquette says a medical cannabis user could argue they were prescribed the herb, but the hacked material from Canada Post more than likely includes recreational users.
"Reputation is something I talk to people about all the time," he says. "When you buy something and put your information into a database somewhere, just sit back and think if there would be any shame or risk to their business if the information became public."
Duquette argues people would have preferred to walk into a cannabis store — as was planned by the previous Ontario government — to purchase recreational cannabis. "It's a little bit more anonymous doing it that way," he says.
But there are no foolproof systems in the cyber age, Duquette says.
"That's the challenge with this industry," he says, adding that vulnerable access points into computer systems are constantly being found by hackers, while analysts need to develop ways to protect software and hardware updates, which can create new, unintentional access points.
"It's an ongoing struggle," Duquette says. "The cybersecurity arm of our company can help law firms and other organizations. The updates to the Personal Information Protection and Electronic Documents Act (PIPEDA) legislation around mandatory breach reporting came into effect Nov. 1, forcing people to think about protecting their data."
Firms should determine whether they are doing the best they can to protect the data they are entrusted with, and how to do it, he says.
Hexigent tests computer systems to determine if a company's security is robust and capable of defending itself from outside attacks, and if not, it can build a "strategic roadmap" to bolster its systems, Duquette says.
"We are seeing hackers targeting law and accounting firms because they are sitting on a treasure trove of other people's information," he says. "Are their clients going to want to continue doing business with them if they haven't done their due diligence to make sure their systems are as protected as possible?"
Duquette says consulting with an expert is a good first step as many firms "don't know where to start" in protecting their systems.