
FACT PATTERN
 

You are working for Canada Connect, a Canadian social media start-up headquartered in Toronto. The company started out as a private venture among friends, but quickly blossomed into a leading social networking site. Within two years of operations, the company amassed $10 million in revenue and is now valued at $50,000,000. The company is well-regarded by the public and has financially benefitted from a clean public image.

Canada Connect’s platform has two main components, a social networking division where users can share life updates with their friends, and a marketplace where users can trade goods and virtually complete monetary transactions. Both sides of the operation have been revenue positive, with the majority of revenue stemming from advertisements on the social networking side and transaction fees on the marketplace side. Due to the rapid nature of Canada Connect’s growth, both divisions are overseen by the same executive team and all operations are run through central management. 

As of today, there are about 15 million active users throughout Canada. About 10% of users log in daily, with nearly 50% logging in monthly. Users access the site with their email address and passwords and, once active, are able to chat with friends, share life events, network about potential employment, or write restaurant reviews, among other things. On the marketplace, users can view and post a variety of items, and then use their credit cards for purchases or send e-transfers directly from their bank. 

Due to the nature of its operations, Canada Connect collects large amounts of information including names, birthdates, mailing addresses, location details, academic institutions, employment status, and SIN numbers. The marketplace division has access to users’ banking information and financial records. Most users are only active on the networking side of the platform, but only a single log-in is required to access both.

As a result of the data under its control, Canada Connect has endeavoured to be diligent in protecting the privacy of users and has created a boilerplate privacy policy that all users adhere to. The company has hired a number of people who sit within its privacy and compliance division and are tasked with keeping the company protected. The collected data can only be accessed by the IT team and the members of the executive team. However, the company does not have a policy of deleting data, as it believes that the link between older data and new data points may help it to better understand its customers. Additionally, the back-end data is not encrypted at rest in the database; it is only encrypted in transit from the client’s interface to the database.

Today, one of the executives of the company, Tim Chef, reports that he may have run into a security problem while working from home on an unprotected network. He tells you that between one and two weeks ago he received an odd email from IT asking him to update his log-in and password to Canada Connect’s back-end database, which stores customer information for both portions of the platform. Tim sent off the information and did not think anything of it until a member of the sales team received a similar email and escalated it up to him. The IT team has no knowledge of any such emails going out. IT also notices that Tim had recently downloaded an unapproved third-party calendar application that integrated with his email platform.

Tim’s log-in information could also provide access to a variety of confidential corporate documents. As a top executive, he has access to intellectual property strategy, business strategy, vendor data, corporate timelines, and more. There is no clear indication that the information has been compromised, but IT cannot be certain that the files were not accessed or distributed. 

The CEO of the company, Whitney Shepherd, tasks your team with determining what the holistic risk to the company is. Your team consists of: 
 

  • Chief Operating Officer (“COO”) – The COO is the senior executive tasked with overseeing the day-to-day administrative and operational functions of a business. The COO will be responsible for tracking the discussion, making the ultimate decisions, and presenting the solution to the CEO. 

 

  • Chief Privacy Officer (“CPO”) – The CPO is the “breach coach”, the individual responsible for managing a privacy breach. Their job is to be aware of the statutory regulations affecting the company, the notification requirements to the public, and to act as the expert in the areas of privacy and compliance. They are the central authority for making privacy decisions and protecting the interest of Canada Connect’s consumers. 
     

  • Chief Information Security Officer (“CISO”) – The CISO is the individual within an organization responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technology are protected. They respond to incidents, establish controls, and manage security technologies. 
     

  • Risk and Compliance Officer – The Risk and Compliance Officer ensures the firm is in compliance with regulatory requirements as well as internal policies and bylaws. In the course of their duties, they focus on the business, brand, and reputational risk of the company’s activities, and seek to mitigate that risk wherever possible. 
     

  • Communications Officer – The Communications Officer is responsible for creating communications content on behalf of the organization. With respect to a privacy breach situation, they are focused on the public relations aspect and on engaging early with stakeholders.
     

  • General Counsel – The General Counsel is the chief lawyer of the legal department. Their duties involve overseeing the legal issues in all departments and, when dealing with privacy breaches, a focus on litigation risk. 
     

Whitney asks that you start by identifying the potential breach incidents and the risk relating to each. She also wants to know the types of information that may have been exposed and the timeline of the exposure. 


 

Part 2: Contain  

You learn that Tim wasn’t the only person in the organization to fall victim to the phishing scam. At least five other members of the management team also provided their credentials. You also learn that many members of Canada Connect have been based at co-working spaces with people who are not employed by Canada Connect. It turns out that none of the team members have password-protected their computers or installed VPNs when working on public networks, and there were multiple instances where the computers were left open overnight. Clearly, there are privacy issues within Canada Connect.

Whitney wants you to take the next steps to protect the organization. She is also very concerned about the confidential corporate information that may be accessible. How can you remove the immediate threats to the organization? 

 

Part 3: Notify  

Now that you have identified and contained the immediate threat, Whitney wants to understand what the notification requirements are for anyone whose information may have been exposed. She also wants to know how you will determine who Canada Connect will need to notify.

 

Part 4: Protect  

You have successfully identified and notified those affected by the privacy breach. However, news of the recent security issues at Canada Connect is spreading fast, and worried customers who weren’t notified about the breach are now contacting the company wanting to know how to protect themselves. They are still worried that their information was compromised and is secretly in the hands of hackers. These customers want to know how to identify and respond to unusual activity and are demanding remedial protective measures. Other customers are reporting that they have been contacted by scammers who are now threatening to abuse their personal information unless a ransom is paid. Whitney wants to know how Canada Connect should respond to both the customers who have been contacted by scammers and the customers who remain concerned about potential security breaches down the line. What should Canada Connect tell them to do, and can the company offer them anything in the way of support?

 

Part 5: Eradicate  

The management of Canada Connect is concerned about the possibility of a repeat incident down the line. They had thought they were well protected with their security safeguards, but Whitney has quickly realized that the company is vulnerable. She tasks you with setting out a new security strategy that will protect Canada Connect and its users, and eliminate the loopholes that led to the current situation. Whitney also wants you to consider the privacy policies that will need to be implemented and which, if any, staff need to be hired.