The Data Breach
Word of the data breach first broke in July 2015, when the third-party photo processing vendor PNI Digital Media announced a breach of its systems, exposing many retailers, including Walmart, CVS, and Costco, that used its service to operate their online photo centres. Investigators found that attackers had breached PNI's data centre servers and installed malware that collected customers' credit card data and personal information.
The breach led to a class-action lawsuit in Ontario against Walmart and PNI, alleging a failure to exercise due diligence in handling sensitive customer data. The alleged failures included:
- Use of inadequate data encryption;
- Engagement of personnel or contractors with inadequate skills, education, training and expertise;
- Failure to use an outside, secure payment service;
- Failure to use adequate technological security measures (e.g. firewalls, encryption, up-to-date hardware, software and security protocols, and protection against known vulnerabilities);
- Failure to heed warnings about inadequate security and related risks;
- Failure to follow industry standards and guidelines (e.g. PCI-DSS) for the protection of personal information and financial information; and
- Failure to establish and effectively implement an internal computer security protocol.
Under the settlement, Walmart Canada and PNI face up to $1.5 million in costs: they must provide one year of credit monitoring for affected customers, reimburse the plaintiffs' legal costs and other expenses involved in remediating the incident, and cover the administrative costs associated with the case.
Lessons Learned
This case sets a precedent for how security must be handled by businesses of all sizes. Borden Ladner Gervais LLP's Bradley Freedman has shared his insights on the data breach and the aftermath of its class-action lawsuit. He highlighted five key lessons Canadian organizations can take away from Walmart Canada's data breach:
1. Governance Framework
Establishing enterprise-wide guidelines and a system of cybersecurity that everyone adopts is the foundation of a proper security program. A strong governance framework is becoming a necessity to survive in today's competitive environment. Firms must ensure that executives and other influential staff visibly embrace cybersecurity in order to establish its importance across the enterprise. To learn how to implement a culture of cybersecurity, please see How to Build a Culture of Cybersecurity at Your Firm.
Our secure file sharing solution may also benefit you. Get a free 15-day trial today. No credit card info required.
2. Supply Chain Cyber Risk Management
Mitigating the risks of collaboration and information exchange with partners in the supply chain, such as suppliers or services used by the company, is just as important as mitigating the risk posed by internal users. In this case the card data was collected on a vendor's servers, not on Walmart's own. The security framework of your firm must therefore cover every data touch point, both inside the firm and outside it, and access to files must be safeguarded very carefully. Audit trails, while not a strict requirement, record who accessed which files and when, which makes it possible to verify that access controls are actually being enforced and to reconstruct events after an incident.
3. Data Breach Response
All organizations should have a response plan that is consistent with applicable laws, offers guidance and instructions on how to manage a crisis, and is designed and implemented by a multidisciplinary team that includes public relations advisors, legal advisors, and senior managers. Response plans must be designed with a range of realistic scenarios in mind to be effective in mitigating a security crisis. Even organizations that invest heavily in prevention should prepare for the worst (while hoping for the best!).
4. Data Breach Notification
An organization must give timely notice of a data security incident to affected individuals and organizations, regulators and law enforcement in accordance with data incident notification obligations under statute, contract and generally applicable common law and civil law. For more details on these obligations and what is considered “timely notice”, read all the details at BLG’s Bulletin Data Incident Notification Obligations.
5. Litigation
In the case of a data breach, consider offering affected customers reasonable remedies, such as credit and identity theft monitoring and limited reimbursement for documented out-of-pocket costs, to avoid the cost of a class-action lawsuit; these are the same remedies Walmart Canada and PNI ultimately had to provide under the settlement. The underlying point is customer relationship management. Providing the right remedies to affected customers in a timely manner, while maintaining an honest and transparent approach, makes it easier for your customers to believe in your firm's future improvement and for you to re-establish trust with them later on.