Ontario CA addresses claims arising out of IT security exploit

On January 11th, the Court of Appeal for Ontario dismissed an appeal of a decision that struck various pleadings of a former senior IT employee of Ontario and his family members, who the province alleges stole over $10 million by making fraudulent COVID benefit claims.

The Support for Families Program (SFFP) was launched quickly in April 2020 to help families with the cost of at-home learning. The IT employee helped develop the applications for the program, including its online application portal.

The province sued the employee and his family for allegedly stealing funds by making fraudulent applications and diverting them to bank accounts opened in the employee’s and his family members’ names – presumably by exploiting vulnerabilities known to the employee because of his duties. The province also alleges that the employee participated in and profited from a kickback scheme tied to the SFFP.

The employee has defended, and denies the allegations. In his defence, he pleaded contributory negligence – i.e., that the province was negligent in protecting itself against his alleged fraud. The family members – represented by the same counsel – say that the employee told them he used their personal information to open bank accounts in which to deposit the proceeds of fraud. Although they did not crossclaim against the employee, they counterclaimed against the province in intrusion upon seclusion and negligence.

The Court of Appeal affirmed the striking of these claims.

It held that a defendant to a fraud or unjust enrichment claim cannot raise contributory negligence as a defence. The Court explained that allowing for the defence would suggest that crime pays and unfairly punish organizations who do not take adequate steps to protect themselves.

It held that the intrusion upon seclusion claim is untenable because it is based on the employee’s alleged misuse of information entrusted to him by his family, not on the employer’s enterprise or on a risk created or exacerbated by that enterprise.

It held that a negligence pleading properly framed to address the Crown’s immunity from tort liability would fail for a lack of duty/proximity, given that the family members claimed to have no interaction with the province other than in respect of the province’s money that the employee transferred into their accounts.

Sometimes the best defence is a good offence. That was likely the motivation for these novel claims – perhaps an attempt to capitalize upon the province’s sensitivity to mismanagement claims. They were rightly struck, and organizations in Ontario who are defrauded by insiders can continue to breathe easy.

Ontario v. Madan, 2023 ONCA 18 (CanLII).

NIST’s recommended password policy evolves

As imperfect a means of authentication as they are, “memorized secrets” like passwords, pass phrases and PINs are common, and indeed are the primary means of authentication for most computer systems. In June, the National Institute of Standards and Technology issued a new publication on digital identity management that, in part, recommends changes to password policy that has become standard in many organizations – policy requiring passwords with special characters.

Here is what the NIST says:

Memorized secrets SHALL be at least 8 characters in length if chosen by the subscriber. Memorized secrets chosen randomly by the CSP or verifier SHALL be at least 6 characters in length and may be entirely numeric. If the CSP or verifier disallows a chosen memorized secret based on its appearance on a blacklist of compromised values, the subscriber SHALL be required to choose a different memorized secret. No other complexity requirements for memorized secrets SHOULD be imposed.

The NIST believes that the complexity derived from special characters is of limited benefit to security, yet creates (well known) usability problems and promotes “counterproductive” user behaviour – writing passwords down or storing them electronically in plain text. It’s better, according to the NIST, to allow for long passwords (that may incorporate spaces) and to use other protective measures such as password blacklists, secure hashed password storage and limits on the number of failed authentication attempts.
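To make the contrast concrete, here is an added example (not from the NIST publication or from the post’s author) that places a legacy “special character” rule beside an acceptance check written to the quoted NIST rule: length and a blacklist of compromised values only, spaces allowed. The blacklist contents are constructed for illustration, and the NFKC normalisation step is taken from the publication rather than from the text above.

```python
"""Added example: legacy complexity rule vs. NIST SP 800-63B style check."""
import string
import unicodedata
from typing import Tuple

# Constructed sample of a "compromised values" blacklist; a real deployment
# would load a breached-password corpus, not a handful of literals.
BLACKLIST = {"password", "p@ssw0rd", "12345678", "qwertyuiop", "letmein1"}

MIN_SUBSCRIBER_CHOSEN = 8  # chosen by the user
MIN_VERIFIER_CHOSEN = 6    # chosen randomly by the CSP/verifier, may be all digits


def legacy_policy(secret: str) -> Tuple[bool, str]:
    """The complexity rule NIST advises against: punctuation, upper case, digit."""
    if not any(c in string.punctuation for c in secret):
        return False, "must contain a special character"
    if not any(c.isupper() for c in secret) or not any(c.isdigit() for c in secret):
        return False, "must contain an upper-case letter and a digit"
    return True, "ok"


def nist_policy(secret: str, chosen_by_subscriber: bool = True) -> Tuple[bool, str]:
    """Length plus blacklist only; spaces and any printable Unicode are accepted."""
    # NFKC normalisation (recommended in SP 800-63B, not mentioned on the page)
    # so that visually identical input is compared and stored consistently.
    normalised = unicodedata.normalize("NFKC", secret)
    minimum = MIN_SUBSCRIBER_CHOSEN if chosen_by_subscriber else MIN_VERIFIER_CHOSEN
    if len(normalised) < minimum:
        return False, f"must be at least {minimum} characters"
    # Case-insensitive match is an assumption of this example, not a NIST rule.
    if normalised.lower() in BLACKLIST:
        return False, "appears on the blacklist of compromised values; choose another"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "P@ssw0rd", "short"):
        print(f"{candidate!r}: legacy={legacy_policy(candidate)} nist={nist_policy(candidate)}")
```

A long passphrase with spaces is rejected by the legacy rule and accepted by the NIST-style check, while a blacklisted value that satisfies every complexity requirement is accepted by the legacy rule and rejected by the NIST-style check.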

The NIST publication includes other related guidance, including a recommendation against routine password resetting.

NIST Special Publication 800-63B – Digital Identity Guidelines (June 2017)

The science of breach prevention and the art of breach response

Data loss prevention and response is a big topic now! The lost HRSDC hard drive is a huge (but seemingly benign) incident that has attracted great attention. We also have the Obama administration’s attention to corporate network security – attention given at a time in which sacrifices are being made to corporate network security because of trends such as BYOD.

Here is a practical guide that we’ve prepared to address the salient issues. We hope it’s useful to you.

BYOD policy – Charting a good path to higher ground

This is just a cross-post to a piece of mine that we’ve published on the Hicks Morley website. Here’s a link and a teaser:

The desire to use personal mobile devices to undertake work has risen like the incoming tide. Employers must make a choice: turn the tide on the use of personal devices by re-enforcing an outright ban or chart a thoughtful path to higher “Bring Your Own Device” or “BYOD” ground. Employers that do neither will sink into the mire of unreasonable IT security risk. This FTR Now discusses the pros and cons of adopting policy that allows employees to use a personal mobile device for work and the aims of proper BYOD policy.