July 2020 - LifeLabs Cyber Security Breach - Implications and Lessons for Businesses

  “An attack of this scale is extremely troubling … This should serve as a reminder to all institutions, large and small, to be vigilant. Cyberattacks are growing criminal phenomena and perpetrators are becoming increasingly sophisticated. Public institutions and healthcare organizations are ultimately responsible for ensuring that any personal information in their custody and control is secure and protected at all times.” - Information and Privacy Commissioner of Ontario, Brian Beamish.   On October 28, 2019, LifeLabs detected a security breach that exposed the sensitive personal information of 15 million Canadians including their name, address, email, customer login and password, health card number and lab tests. You may have been personally affected by this breach. LifeLabs chose to pay a ransom to recover the data but is still dealing with the fallout of the breach. Now that the privacy commissioner’s joint report was released, it found that LifeLabs did not reasonably protect the personal information of its customers. The report calls the incident a "significant privacy breach" which violated Ontario's health privacy law and the Personal Health Information Protection Act (PHIPA). What can other Canadian businesses learn from this incident? First, let’s consider which organizations and industries should pay attention to this warning:

1. Health and medical practices. These organizations are obligated to know and follow the Privacy laws and regulations of their province (PHIPA) and how to appropriately use technology to comply with them.
2. Any business that holds any confidential records of individuals (clients or employees) or businesses - names, addresses, credit card information, payroll information, etc. This information is valuable to hackers who will use it for identity theft or blackmail, or sell it on the dark web for others to do so.

  Why should businesses be concerned about this breach? Most businesses can take a lesson from LifeLabs’ story. This breach was very embarrassing for the company. They received nationwide media attention for all the wrong reasons. As a business owner, you know how precious your reputation is. In this case, most who use LifeLabs don’t have the choice to take their business elsewhere, but if a breach were to happen to your business, would your clients take their business elsewhere? LifeLabs was closely scrutinized by the Privacy Commissioners of both BC and Ontario. The results of the investigation found that LifeLabs failed to have adequate technology security policies. This teaches us about timing, businesses need to give attention to IT security and data protection policies now, not once a breach has already occurred. Another finding of the investigation was that LifeLabs collected and stored more personal information than was reasonably necessary to have. Carefully consider what information you need to collect from your clients and employees. Another example of this was in November of 2018, when Marriott had a massive breach. Along with other personal information, millions of people’s passport numbers were stolen. There was no reason for Marriot to store this highly valuable information. This incident is not over for LifeLabs either. Several class action suits are pending in both BC and Ontario provincial legislation should be changed to allow fines against companies that don’t protect personal information. The lawsuits accuse LifeLabs of negligence, breach of contract, violating their customers’ confidence as well as privacy and consumer protection laws, and inadequate security training for employees. It is true that positioning your business to be secure has a cost, but in the long run, it is well worth it. Legislation is also moving in the direction of holding businesses and CEOs financially accountable for security breaches. Consider the comments of Michael McEvoy, B.C.’s privacy commissioner and health minister in regards to the LifeLabs breach:

“This investigation also reinforces the need for changes to B.C.’s laws that allow regulators to consider imposing financial penalties on companies that violate people’s privacy rights. This is the very kind of case where my office would have considered levying penalties.”

To incentivize organizations that collect personal details to secure them properly, the European Union has already gone this direction with its General Data Protection Regulation (GDPR) introduced in 2018. We may see very similar changes to Canada’s privacy laws. To read more about what businesses need to know about Canada’s privacy laws, visit here. It is clearly important to ask the difficult question: If your business had a data breach next week and had to be transparent about your cybersecurity measures, how would you look? To discuss your Cyber Security, give us a call at 613-817-1212 or email us at support@allcareIT.com. LifeLabs had this to say in a statement: “What we have learned from last year’s cyberattack is that we must continually work to protect ourselves against cybercrime by making data protection and privacy central to everything we do.” Thanks for the advice LifeLabs! Recap:

• Now is the time to institute IT security and data protection policies
• Collect and store only necessary data
• Investing in Cyber Security is necessary and will save money and reputation in the long run
• Ensure you understand your data privacy obligations under the law