On December 1, 2020, Canada's Office of the Privacy Commissioner (“OPC”) issued a report on a data security incident at the Quebec-based financial services firm Desjardins. The Desjardins incident involved an insider at the firm who accessed, collected, and leaked the personal information of over 9.7 million customers and users from Canada and elsewhere over a two-year period, a staggering amount of data exfiltrated over an extended period of time.
The personal information included key identifying details such as birthdates, email addresses, social insurance numbers, and other data. These details were sold by the malicious employee to third parties during the relevant period. Desjardins had few internal controls to restrict access to and copying of personal data; in fact, the insider used basic USB thumb drives to move data outside the firm. All around, the scope and duration of this incident were a serious information security and privacy failure, signaling a lack of rigor in the supervision of day-to-day business and technology practices.
The Violation
The actions of the Desjardins insider were clear violations of Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”), which requires security safeguards to protect data based on its sensitivity, secure retention of personally identifiable information (“PII”), and measures to protect against the risks of ongoing harm and future identity theft. These PIPEDA mandates roughly align with other global privacy regulations like the EU’s General Data Protection Regulation as well as U.S. state requirements in New York, California, and Massachusetts. In short, the controls discussed by the OPC are table-stakes protocols for any organization that processes sensitive information, regardless of geography or business vertical.
Long-Term Ramifications
The OPC issued several recommendations to Desjardins, including identifying and safeguarding the systems that contain personal information, considering whether it had appropriate technical and organizational controls in place to detect and protect against data leakage risks, and improving its practices for retention, de-identification, and destruction of data. It should also be noted that, in addition to the sanctions from the OPC, Desjardins faces a class action lawsuit from a group of individuals whose data was impacted in the incident. The ramifications of this incident are multilayered and will persist for several years to come.
The Need for Better Oversight
The Desjardins incident highlights the need for firms to examine every potential data leakage vector within their organization to account for insider and data loss protection (DLP) risks. Locking down shared directories and PII repositories is a start, but considering the emerging risks of communication and collaboration platforms is essential.
Because the use of tools like Zoom, Cisco Webex, and Microsoft Teams has rapidly expanded, their rich data sharing features like webcams, whiteboards, chat, screen sharing, and file transfers must be rigorously examined, and supporting DLP technologies applied to them wherever possible. While the Desjardins issue involved the manual copying of data to a thumb drive, the next data privacy incident is just as likely to occur when an insider exposes PII by sharing a sensitive Excel sheet on screen, posting a GDrive link in a Zoom chat, or holding a sensitive document up to a webcam.
What Theta Lake Brings to the Table
At Theta Lake, we’ve developed several AI-based detections to help organizations manage DLP and security risks related to the exposure of sensitive PII in collaboration conversations. From a fundamental visibility perspective, Theta Lake provides comprehensive transparency into every interaction that takes place on collaboration tools, across what was spoken, shown, and written, to determine whether data like email addresses, birth dates, credit card numbers, and SSNs are being shared. Theta Lake identifies the risks of data leakage to shadow IT and email applications like Dropbox, Box, and Gmail by analyzing links exchanged in chat, on screenshares, and in shared documents. Theta Lake also examines files shared in chat applications like MS Teams and RingCentral Glip to determine whether they contain PII or other sensitive data. Finally, Theta Lake detects the sharing of confidential and sensitive documents when they are displayed on screen or discussed—key for understanding how employees may be distributing sensitive information.
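To make the kind of chat-side detection described above concrete, here is an added illustrative example that is not Theta Lake's code and not part of the original post. It scans constructed chat messages for the data types the post names (email addresses, birth dates, payment card numbers, social insurance numbers) and for links to a hypothetical policy list of shadow-IT file-sharing and webmail hosts. Nine- and thirteen-to-nineteen-digit candidates are confirmed with the Luhn checksum, which both Canadian SINs and payment card numbers carry, so that ticket numbers and other incidental digit runs do not raise false positives. The host list, message text, and the `Finding` type are all assumptions made for the example.

```python
"""Toy collaboration-chat DLP scanner (illustrative example, not a product implementation)."""
import re
from collections import Counter
from dataclasses import dataclass

# Hypothetical policy list: cloud-storage and webmail hosts treated as shadow IT.
SHADOW_IT_HOSTS = {"dropbox.com", "box.com", "drive.google.com", "mail.google.com"}

EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
# ISO-style date of birth, e.g. 1990-05-17.
DOB_RE = re.compile(r"\b(?:19|20)\d{2}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12]\d|3[01])\b")
# Nine digits in three groups, the way a Canadian SIN is usually written.
SIN_RE = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b")
# 13 to 19 digits with optional separators, the shape of a payment card number.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum, used by both SINs and payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    kind: str    # email, birth_date, card_number, sin, shadow_it_link
    value: str   # the matched text, for the reviewer's context


def _digits_only(s: str) -> str:
    return re.sub(r"[ -]", "", s)


def scan_message(text: str) -> list:
    """Return every DLP finding in one chat message."""
    findings = []
    for m in EMAIL_RE.finditer(text):
        findings.append(Finding("email", m.group()))
    for m in DOB_RE.finditer(text):
        findings.append(Finding("birth_date", m.group()))
    for m in CARD_RE.finditer(text):
        if luhn_valid(_digits_only(m.group())):
            findings.append(Finding("card_number", m.group()))
    for m in SIN_RE.finditer(text):
        # Checksum filters out ticket numbers and other incidental 9-digit runs.
        if luhn_valid(_digits_only(m.group())):
            findings.append(Finding("sin", m.group()))
    for m in URL_RE.finditer(text):
        host = m.group(1).lower()
        if any(host == h or host.endswith("." + h) for h in SHADOW_IT_HOSTS):
            findings.append(Finding("shadow_it_link", m.group()))
    return findings


def summarize(messages) -> dict:
    """Count findings by kind across a whole chat transcript."""
    counts = Counter()
    for msg in messages:
        counts.update(f.kind for f in scan_message(msg))
    return dict(counts)


# Constructed sample messages; the SIN below is the commonly used Luhn-valid example value.
SAMPLE_CHAT = [
    "Sending the client list, DOB 1990-05-17 and SIN 046 454 286, "
    "via https://www.dropbox.com/s/abc123 - jane.doe@example.com",
    "Card on file 4111 1111 1111 1111",
    "Ticket 123 456 789 closed, see https://intranet.corp.example/kb/42",
]

if __name__ == "__main__":
    for msg in SAMPLE_CHAT:
        print(msg, "->", scan_message(msg))
    print(summarize(SAMPLE_CHAT))
```

In practice the same scanner would be pointed at the chat export or API feed of the collaboration platform, and the `SHADOW_IT_HOSTS` list would come from policy rather than being hard-coded; the checksum step is what keeps a nine-digit ticket number in the third message from being reported as a SIN.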
Using enhanced DLP and security tools like Theta Lake gives organizations a complete understanding of the privacy and security risks of this expanding use of collaboration applications. As activities from customer support to investment advice and education move to collaboration tools, the need to demonstrate the rigor of data protection practices is critical to any organization managing sensitive information. Investing in intelligent supervision and security tools now provides enhanced privacy protections and mitigates the risk of future sanctions from privacy and security regulators.