Ontario CA addresses claims arising out of IT security exploit

On January 11th, the Court of Appeal for Ontario dismissed an appeal of a decision that struck various pleadings of a former senior IT employee of Ontario and his family members, who the province alleges stole over $10 million by making fraudulent COVID benefit claims.

The Support for Families Program (SFFP) was launched quickly in April 2020 to help families with the cost of at-home learning. The IT employee helped develop the applications for the program, including its online application portal.

The province sued the employee and his family for allegedly stealing funds by making fraudulent applications and diverting them to bank accounts opened in the employee’s and his family members’ names – presumably by exploiting vulnerabilities known to the employee because of his duties. The province also alleges that the employee participated in and profited from a kick back scheme tied to the SFFP.

The employee has defended, and denies the allegations. In his defence, he pleaded contributory negligence – i.e., that the province was negligent in protecting itself against his alleged fraud. The family members – represented by the same counsel – say that the employee told them he used their personal information to open bank accounts in which to deposit the proceeds of fraud. Although they did not crossclaim against the employee, they counterclaimed against he province in intrusion upon seclusion and negligence.

The Court of Appeal affirmed the striking of these claims.

It held that a defendant to a fraud or unjust enrichment claim cannot raise contributory negligence as a defence. The Court explained that allowing for the defence would suggest that crime pays and unfairly punish organizations who do not take adequate steps to protect themselves.

It held that the intrusion upon seclusion claim is untenable because it is based on the employee’s alleged misuse of information entrusted to him by his family, not the employer’s enterprise or a risk created or excaberated by that enterprise.

It held that a negligence pleading properly framed to address the Crown’s immunity from tort liability would fail for a lack duty/proximity given the family members claimed to have no interaction with the province other than in respect of the province’s money that the employee transferred into their accounts.

Sometimes the best defence is a good offence. That was likely the motivation for these novel claims – perhaps an attempt to capitalize upon the province’s sensitivity to mismanagement claims. They were rightly struck, and organizations in Ontario who are defrauded by insiders can continue to breathe easy.

Ontario v. Madan, 2023 ONCA 18 (CanLII).

Data breach response – a multidisciplinary perspective

In some chance timing given the release of the report on the Canadian investigation into the TJX breach, I presented today at a lunch meeting of the Association of Certified Forensic Investigators of Canada together with David Malamed of Grant Thonrton. We called the presentation “Data Breach Response: A Multidisciplinary Perspective.”

This is the first presentation David and I have given on an project we started at the beginning of the summer together with Karen Gordon, an expert crises communicator from Squeaky Wheel Communications. The idea we are promoting is that organizations should be using multi-disciplinary teams to manage breach response and, whether internal or external experts are used, the team should be defined in a formal breach response plan.

I’ve posted a copy of the presentation here.

Case Report – Data breach investigation report released

The Privacy Commissioner of Canada and the Office of the Information and Privacy Commissioner of Alberta have released their joint report into the TJX/Winners data breach. They found that TJX breached the collection, retention and safeguarding rules in both the federal and Alberta commercial privacy statutes.

With respect to TJX’s system for preventing the fraudulent return of goods, the commissioners held that TJX breached both statutes by collecting drivers license and other provincial ID numbers to identify individuals who returned goods without a receipt. While they accepted the importance of identifying such individuals for purposes of fraud control, they also held that retaining this sensitive data was not necessary and that TJX also did not give adequate notice of the purposes for its collection. The commissioners said:

A driver’s license is proof that an individual is licensed to operate a motor vehicle; it is not an identifier for conducting analysis of shopping-return habits. Although licenses display a unique number that TJX can use for frequency analysis, the actual number is irrelevant to this purpose. TJX requires only a number—any number—that can be consistently linked to an individual (and one that has more longevity and is more accurate than a name and telephone number).

Moreover, a driver’s license number is an extremely valuable piece of data to fraudsters and identity thieves intent on creating false identification with valid information. After drivers’ license identity numbers have been compromised, they are difficult or impossible to change. For this reason, retailers and other organizations should ensure that they are not collecting identity information unless it is necessary for the transaction.

Having made this finding, they accepted TJX’s proposal to create unique identifiers from provincial ID numbers by using cryptographic hashing and approved of a three-year retention period for this information.

On the collection and retention of payment card information for processing purposes, the commissioners held that TJX’s retention of information for 18 months in accordance with its contractual obligations to financial institutions was reasonable, but were critical of TJX’s practice of retaining the information for longer periods for “troubleshooting” purposes. They reasoned that TJX had not clearly established “troubleshooting” as a primary purpose for collection, nor had it established the need to retain information in order to troubleshoot.

Finally, the commissioners held that TJX did not meet the safeguarding standard in both acts, primarily because it failed to upgrade its wireless encryption protocol within a reasonable period of time. Version 1.1 of the Payment Card Industry Data Security was released in September 2006 and endorsed the “Wi-fi Protected Access” or “WPA” encryption protocol. The commissioners said that TJX should have been adhering to this standard by “late 2006.” They commented:

TJX relied on a weak encryption protocol and failed to convert to a stronger encryption standard within a reasonable period of time. The breach occurred in July 2005, conversion began in October 2005, and the pilot project was completed in January 2007. We are also aware that the final conversion to a higher level of encryption will be completed soon.

Furthermore, while TJX took the steps to implement a higher level of encryption, there is no indication that it segregated its data so that cardholder data could be held on a secure server while it undertook its conversion to WPA.

TJX had a duty to monitor its systems vigorously. If adequate monitoring of security threats was in place, then TJX should have been aware of an intrusion prior to December 2006.

This comes just days after a settlement was announced in the related class action lawsuit.

Report of an Investigation into the Security, Collection and Retention of Personal Information (26 September 2007, C.P.P. and Alberta O.I.P.C.).