There are many instances in which it’s desirable for a company to approach or break records. Positive quarterly or annual reports that detail groundbreaking revenue and profit levels come to mind. When you think of people marking a historic event in their organization’s history, the connotations are often positive. Unfortunately for the clients, employees, directors and other stakeholders of one Canadian company, a recent historic and massive – if not record-breaking – matter announced by its CEO has been anything but positive.
It’s been less than a month since the CEO of Desjardins Group announced that there had been a data breach impacting the credit union’s members and clients. The breach is believed to have affected 40% of the financial institution’s members and clients. This is no small business; based in Quebec, it also has outlets in Ontario. Not only is it North America’s largest federation of credit unions, it’s cited as the sixth largest cooperative financial group on the planet, with assets exceeding $300B.
Desjardins Board Chair, President and CEO Guy Cormier advised that information relating to roughly 173,000 businesses and 2.7 million individuals had been inappropriately accessed and then shared.
The Unintended Consequences of a Data Breach
These are no small numbers – either in and of themselves, or considered in the context of the country as a whole. While Canada is geographically the second largest country on the planet, ours is not among the most populous nations. The reported numbers suggest that this data breach has impacted approximately seven percent of the Canadian population.
If reading this has you thinking about cybersecurity, that’s good. All boards should be directing increased levels of scrutiny to their organizations’ cybersecurity practices, and engaging in cybersecurity incident simulation exercises. In this particular instance, though, we’re not looking at a cyber attack. We’re talking about something else directors and management need to have on their radars: potential for havoc wrought from within by a rogue employee.
That was the case for Desjardins. A single, now former, employee leaked details such as names, email and traditional mailing addresses, birth dates and transaction habits. While the breach did not include PINs, passwords or security questions, the former employee did leak individuals’ SINs. Canadian readers will be familiar with this acronym for social insurance numbers, which are akin to American readers’ SSNs, or social security numbers. A look at Desjardins’ website newsroom will tell more of this unfortunate tale – as well as illustrating the steps the credit union has been taking.
On July 15, 2019, Cormier expanded on previous commitments made to those impacted by the breach. The company announced that, as of this past Monday, all credit union members, not only those impacted by the breach, are now automatically protected against identity theft. The coverage, for which members do not need to enrol, includes reimbursement of up to $50K for expenses associated with identity theft. The scope of expenses for which members could be reimbursed ranges from documentation notarization to accounting and legal fees, and even salary loss.
The early fallout? Tens of thousands of credit union members have signed a petition demanding that the federal government replace the SINs of those impacted. The credit union is facing two proposed class-action lawsuits, which allege that the institution was either negligent or violated individuals’ privacy rights.
Cormier has participated in an emergency meeting of Parliament’s Standing Committee on Public Safety and National Security. There, he called for formation of a stakeholder committee to study global best practices and recommend legislative changes to make Canada a leader in protection of personal information.
Desjardins isn’t the only organization to have experienced an insider breach. It’s been mere months since Herjavec Group CEO Robert Herjavec noted (likely not for the first time) that employees represent an organization’s biggest cybersecurity risk. It’s not necessarily that there’s a plethora of rogue employees roaming your halls, though. Even if employees are ethical and well-intentioned, they can still represent a risk. As Herjavec Group EVP of Global Security Services Lewie Dunsworth observed, “The majority of security incidents happen because the insider threat occurred by accident”.
Data Leaks & Secure File Sharing
Nor is such a leak anything new. Cisco has cited the 2016 Verizon Data Breach Investigations Report, which found that 15% of data breaches were “a direct result of insider deliberate or malicious behaviour”. Cisco acknowledged that the reported percentage might be low, as not all insider breaches are reported or even discovered. That’s in part because, Cisco said, some of the information to which insiders have legitimate access is highly sensitive.
In New York State, Northwell Health VP and CISO Cathy Hughes said in late 2018 that insider threat and employee awareness remain the number one cyber concern the healthcare industry faces. She knows whereof she speaks; Northwell Health is the state’s largest private employer and healthcare is among the most attacked industries when it comes to cyber crime.
Do you rely on your portal for board and committee meeting materials, but turn to email or other less secure means when you want to share other files or resources? Perhaps you and your board chair collaborate on sensitive documents. In the past, you may have password-protected a document and felt confident then sharing it by email. Quite apart from the follow-up calls you may have received because the recipient forgot the password, there’s a more effective and less cumbersome way to share files.
The Importance of Secure File Sharing For Risk Management
The term is secure file sharing, and that’s another way of referring to sharing files in a private, protected manner. Diligent Secure File Sharing positions you to communicate and collaborate over a private, cloud-based network that’s independent from individuals’ corporate email networks. It offers security in the form of encryption and auditing capabilities. While some files are intended for the board at large, others are intended solely for an individual director or two, or perhaps a specific committee. With secure file sharing, you have the ability to specify who should or shouldn’t receive a given file.
Imagine what it must be like to serve as the corporate secretary or other governance professional working with the board of an organization that’s experienced a data leak. Any governance professional who has been in the career for a length of time will have war stories she or he will never tell, and has likely had to undertake discreet communications to alert directors to a significant organizational issue.
In this role, you remain calm and poised in the face of crisis, but it’s preferable to not have your organization embroiled in one in the first place. If you’d like to help ensure your board and organization avoid the reputational and other harms that can occur with data leakage, take a bit of time to reflect on the information that you, your directors and management team share with one another – and how you share it.