Over the past twelve months, we have seen more and more clients experiencing a variety of cybersecurity incidents. Most prominently, these have been "business email compromise" incidents as well as malware deployments, such as ransomware attacks. The latter have received increasing media coverage over the past several months, in particular the Colonial Pipeline incident that had a negative impact on the oil supply in North America for a number of days. The very recent reported data breach at Canada Post is a stark reminder of how vulnerable the transportation industry can be to these attacks via their service providers.
According to Canada Post, it has notified 44 business clients who had customer information at issue. According to the statement, the impacted information contained personal information of approximately 950,000 individual consignees.
What happened?
A Canada Post vendor, Commport Communications, was attacked by cybercriminals, who deployed ransomware on their systems. During the attack, data was compromised and potentially exfiltrated. This data was mainly shipping information, including names and mailing addresses, and, in some cases, email addresses and phone numbers. The alleged gang behind the attack, the "Lorenz" group, is reported to have posted the stolen data on its website as proof of the attack and data theft.
While this was an attack against the vendor and not against Canada Post directly, Canadian privacy law puts the onus on the organization who collected and was "in control" of the personal information. Under the federal Personal Information Protection and Electronic Documents Act, it is the vendor's customer – in this case, Canada Post – that usually has the primary and sole duty to report the incident to impacted individuals and as well the federal (and/or provincial) Privacy Commissioner whenever there is a "real risk of significant harm" based on the breach. The vendor's duty to report, if any, stems from contractual obligations owed to the "controller" of the personal information, or it might be based on other commercial or reputational considerations.
What should businesses do?
A supply chain must be managed with the appropriate contractual provisions, including obligations to notify the customer promptly of data security incidents. If a report is received, organizations should take proactive steps to understand the incident and data impacted, and make a determination of the risks involved, what legal obligations and breach reporting requirements are triggered, and whether the incident poses a "real risk of significant harm" to impacted individuals. Vendors should be put to task on showing how the incident was remediated and provide comfort that steps are taken to prevent similar attacks in the future. Depending on the nature of the attack, this may include proof of employee training, patching systems, multi-factor authentication for remote access, or removing service accounts.
Companies must also consider cyber insurance as an important risk management tool. While cyber incident and data breach prevention are the primary goals, insurance provides a safety net. To minimize data breach risks, a transport or logistics company is well advised to conduct due diligence when selecting a service provider to whom it plans to entrust personal information. Lastly, having in place a vendor compliance monitoring system is also a good way to ensure that a service provider is taking all necessary precautions.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
