The claims process for the CAS privacy breach is now open:
FAMILY AND CHILD SERVICES LANARK, LEEDS AND GRENVILLE SETTLES CLASS ACTION FOR FIVE MILLION DOLLARS.
"The court process will determine whether there was negligence or not. I think that's the ultimate question," said Raymond Lemay, the now former Executive Director for FCSLLG.
The claims process for the CAS privacy breach is now open: https://www.fcssettlement.com/
Had FCSLLG and their board of directors told the truth from the very beginning, would it have cost them millions of dollars on top of all their legal fees defending their big lie?
What’s the difference between an intranet and the Internet?
The Internet is a globally-connected network of computers that enables people to share information and communicate with each other. An intranet, on the other hand, is a local or restricted network that enables people to store, organize, and share information within an organization.
There’s one more type of ‘net’ to consider, and it relates to enterprise collaboration with external users: What is an extranet?
An extranet is a web portal that is accessible by an organization and its external vendors, partners, customers, or any other users that require access to restricted information.
With an extranet, the host organization manages the site administration and content, and provides controlled access to internal and external members. Some example use cases for an extranet include a partner or vendor portal, a customer community, or a franchise network.
https://app.hacknotice.com/#/hack/5a68bd59df51ae46fda3b414
Is it safe to store corporate information on Google Drive (or similar services)?
When it comes to storing a company’s confidential information and/or backing it up, various questions tend to come up with regard to the location where this storage will take place. Some companies choose to manage everything for themselves, providing remote access so their employees can look it up whenever they need it.
Others, however, have embraced the cloud and all its advantages, like the low cost of choosing companies that are specifically dedicated to these tasks and the availability of the information, regardless of where it might be (as long as we have an Internet connection, of course).
https://www.welivesecurity.com/2017/07/26/safe-store-corporate-information-google-drive/
https://www.cbc.ca/news/technology/the-safest-place-to-store-your-data-1.854465
2017: "Family and Children's services of Lanark, Leeds and Grenville faces $75 MILLION DOLLAR negligence suit."
2021: FCSLLG settles suit for 5 million dollars.
According to the suit, the personal information of the 285 clients was compiled into an electronic file, prepared for the service’s board of directors on new cases arising between April and November of 2015, but was not properly secured on the agency’s network.
This made the list publicly available to anyone, they said, and in her affidavit Denham explained how she came into possession of the sensitive and confidential documents.
She said she found and clicked on an unrelated document on the website intended for the public. She deleted a portion of the URL, and she was taken to a directory of folders with documents, within which she found the document with the names of local families.
She said she was never asked a username or password and was never faced with any security measures that impeded her ability to access the documents.
She said she attempted multiple times to advise the agency the confidential documents were available on the public website, beginning in February 2016, but the documents were still publicly available by late April 2016. This is when she decided to post the location of the report on the Facebook group where she claims she posted an image of a hyperlink, which was deleted by the group’s administrator within hours.
The suit initially alleged last year that someone hacked into the website to find the list, but lawyers for the plaintiff say an affidavit from Kelley Denham, the person who allegedly posted the location of the client list to Facebook and one of the defendants in the case, changed their course of action.
“We initially believed, based on quotes from (FCS executive director) Raymond Lemay and news reports, that this was a case of hacking of the secured FCSLLG website intended only for members of its board of directors,” Sean Brown, a lawyer with Flaherty McCarthy LLP who represents the plaintiff, told The Recorder and Times in an email.
“It now appears that this is not the case. Rather, it appears that the FCSLLG website was completely unsecured between February and April 2016, with the full knowledge of FCSLLG.”
Lemay admits the report was on the FCSLLG's website but says it was hidden behind several layers of security including a password given only to the organization's board of directors.
"We suspect it was a hack. It might not have been a sophisticated one," says Mr. LeMay, the organization's executive director, "and I suspect that is the case," he adds.
"You have to go through the back door. You have to be looking for this," he says.
(Funny how Mr Lemay just assumes Kelley was looking for "it" when she stumbled across the list with her name on it while doing research on FCSLLG's internal complaint process.)
"The court process will determine whether there was negligence or not. I think that's the ultimate question."
http://www.recorder.ca/2017/12/15/fcs-faces-negligence-suit
WHAT DOES MULTIPLE LAYERS OF SECURITY MEAN?
Juniper ISG2000 Integrated Security Gateway
The ISG2000 is a fully integrated FW/VPN/IDP system with multi-gigabit performance, a modular architecture, and rich virtualization capabilities, delivering up to 4 Gbps of firewall throughput and up to 2 Gbps of optional integrated IDP throughput. The base FW/VPN system allows for up to four I/O modules and three security modules for IDP integration.
Juniper Networks ISG Series Integrated Security Gateways are purpose-built, security solutions that are ideally suited for securing enterprise, carrier, and data center environments where consistent, scalable performance is required.
The ISG Series offers:
Predictable performance: ASIC-based architecture provides linear performance for all packet sizes at multi-gigabit speeds.
System and network resiliency: Hardware component redundancy, multiple high availability options and route based VPNs offer reliability and resiliency.
Network security: The ISG Series provides embedded Web filtering, anti-spam, IPS, ICAP antivirus redirect, and optionally integrated IDP.
Network segmentation: Security zones, virtual systems, virtual LANS and virtual routers allow administrators to deploy security policies to isolate guests and regional servers or databases.
Certifications: The ISG Series fulfills the requirement for FIPS, common criteria, ICSA, and others.
Robust IPv6
Optional Integrated IDP
The ISG Series firewall/VPN with IDP uses the same award-winning software found on Juniper Networks IDP Series appliances. The IDP security module combines eight detection mechanisms, including stateful signatures and protocol anomaly detection. The ISG with IDP defends against security threats such as worms, trojans, malware, spyware, and hackers and can provide information on rogue servers and data on applications and operating systems that were inadvertently added to the network. Application signatures enable administrators to maintain compliance and enforce corporate business policies with accurate detection of application traffic.
https://www.ndm.net/firewall/Juniper-Firewall/isg2000-integrated-security-gateway
https://www.juniper.net/us/en/solutions/security/
The IC6500 FIPS Unified Access Control Appliance is built to meet the needs of the most demanding and complex government agencies and secure enterprise environments. A next generation hardened, centralized policy management server, it provides the same functionality found on the Juniper Networks IC6500 UAC Appliance, delivering superior scalability, performance, and redundancy. The IC6500 FIPS UAC Appliance adds a dedicated FIPS 140-2 Level 3 certified hardware security module to handle all cryptographic operations. This server also includes tamper evident labels which can deter physical security breaches on the network and provide a visual indication of device integrity.
IC6500 FIPS, through the UAC Agent or UAC agent-less mode, can gather user authentication, endpoint security state, and device location data in order to define dynamic access policies that the server distributes to enforcement points across the network. These enforcement points include any vendor-independent 802.1x-enabled access point and s
IF FCSLLG WON'T COME CLEAN AND TELL THE TRUTH NOW WHAT REASON IS THERE FOR ANY FAMILY COURT JUDGE TO BELIEVE THEIR SWORN AFFIDAVITS?
Lies: why children lie and what to do.
Key points: Children might start telling lies from around three years of age.
Encourage children to tell the truth by emphasising the importance of honesty.
Deal separately with lies and the behaviour that leads to lies.
https://raisingchildren.net.au/preschoolers/behaviour/common-concerns/lies
4 Fun Ways to Teach Children about Telling the Truth
http://www.momentsaday.com/teach-children-about-telling-the-truth/
10 Steps to Stop a Child From Lying
https://www.verywellfamily.com/steps-help-child-stop-lying-tell-the-truth-1094945
Why does my child lie so much?
Kids tell lies for lots of reasons. Usually they want to take control of a situation by changing the story so that it works better for them. A common example is telling a lie to cover up a mistake and avoid getting in trouble.
Why Do Children Lie? Normal, Compulsive, and Pathological Lying in Kids.
6 Subtle Characteristics of The Pathological Liar
https://psychcentral.com/blog/caregivers/2014/09/6-subtle-characteristics-of-the-pathological-liar#1
M.M. v. FCSLLG, 2021 ONSC 3310 (CanLII)
https://www.canlii.org/en/on/onsc/doc/2021/2021onsc3310/2021onsc3310.html
The parties have reached a settlement of this lawsuit. The parties appeared before The Honourable Mr. Justice C. MacLeod (by Zoom) on May 3, 2021 at 10AM for Settlement and Class Counsel Fee approval. Justice MacLeod approved the proposed settlement and class counsel fees.
You may read the Reasons of Justice MacLeod HERE.
http://www.casprivacybreach.com/wp-content/uploads/2021/05/CV-18-78827-CP-May-3-2021-Hearing.pdf
You may read the Order signed by Justice MacLeod HERE.
http://www.casprivacybreach.com/wp-content/uploads/2021/05/MM-v-FCSLLG-CV-18-78827-CP-Signed-Order-May-3-2021.pdf
You will receive additional communication from Ricepoint Administration as the court-appointed claims administrator. This notice will provide you with the necessary information to claim compensation as a class member.
Proceeding under the Class Proceedings Act, 1992, S.O 1992 c. 6 as amended
SETTLEMENT APPROVAL ORDER
THIS MOTION, made by the Plaintiff, on consent, for an order approving the settlement of this action pursuant to section 29(2) of the Class Proceedings Act, 1992, SO 1992, c 6 (the “CPA”), in accordance with the terms of the Settlement Agreement between the Plaintiff and Defendants dated November 18, 2020 (the “Settlement Agreement”); AND THIS MOTION, made by Class Counsel for approval of their fees and disbursements payable under a contingency fee agreement between the Plaintiff and Class Counsel dated April 21, 2016, in accordance with section 32(2) of the CPA.
What is the best way to store and share confidential client information? Well, if you're FCSLLG, you use WordPress to make an internet website and call it a board portal, host it on a server in the U.S. that deletes all its logs every 30 days, fail to employ any security measures that aren't purely cosmetic in nature, and upload unencrypted confidential client and corporate documents to it.
A series of purely comical coincidental errors and lapses in competence that are in no way suspicious, individually.
https://kinsta.com/blog/is-wordpress-secure/
https://www.wpwhitesecurity.com/statistics-70-percent-wordpress-installations-vulnerable/
https://cyberforces.com/en/wordpress-most-hacked-cms
https://www.infosecurity-magazine.com/news/wordpress-comprises-90-of-hacked-1-1/
https://www.wpbeginner.com/beginners-guide/reasons-why-wordpress-site-gets-hacked/
https://outsourcify.net/the-most-common-reasons-why-wordpress-sites-are-hacked/
https://www.webarxsecurity.com/wordpress-sites-get-hacked/
https://www.webarxsecurity.com/website-hacking-statistics-2018-february/
CAS whistleblower cleared of hacking charges
CAS whistleblower acquitted
https://www.recorder.ca/news/local-news/cas-whistleblower-acquitted
2016: Names of 285 people referred to children's aid in Lanark, Leeds and Grenville posted online
Lemay admits the report was on the FCSLLG's website but says it was hidden behind several layers of security including a password given only to the organization's board of directors.
According to FCSLLG: Publishing or revealing the names of people involved with the Children's Aid Society is a crime. Successful convictions can result in thousands of dollars in fines and even jail time.
According to court: Publishing or revealing the names of people involved in "court matters" with the Children's Aid Society is a crime. Successful convictions can result in thousands of dollars in fines and even jail time.
"You have to go through the back door. You have to be looking for this," he says.
This is the second time in about three months that the organization has had to take down its website because of security concerns. An outside expert was brought in after a February scare to better secure the website. No sensitive information was revealed or even in danger in the first breach, Lemay says. He says they made the changes and were told the website was secure.
But a woman, who CTV cannot name because she has been involved with children's aid, says the link to the report was publicly available. She says she found the link in several locations online and thought it was like all the other FCSLLG documents on its website.
Police probe leak of IDs of Lanark, Leeds and Grenville children's aid clients over web
Lemay said there was a previous breach of the agency in February which did not involve the release of confidential information. The person responsible was a children’s aid client who has been embroiled in a campaign against the agency, including posting hours-long YouTube videos of her interactions with members of the staff.
https://app.hacknotice.com/#/hack/5a68bd59df51ae46fda3b414
2016: INTERVIEW with Director of Service for Family and Children's Services of Lanark Leeds and Grenville
2016: This is how it started
2016: Full interview with Family and Children's Services of Frontenac, Lennox and Addington
2016: Family services sued after personal info hacked, posted on Facebook
It was the organization's second information breach this year.
The defendants "violated industry standards" and "failed to heed warnings about the inadequate security" to protect the computer systems and website where the confidential information was being stored, according to the statement of claim.
2018: Family and Children’s Services of Lanark, Leeds and Grenville allegedly suffered another "cyberattack..."
Raymond Lemay is back working at his computer, something he wasn’t able to do a few months back. In November, staff of Family and Children’s Services of Lanark, Leeds and Grenville were allegedly hit with a “malware” attack that locked them out of their systems until they paid a $60,000 ransom.
https://globalnews.ca/news/4054200/leeds-lanark-and-grenville-family-childrens-services-ransomware/
2021: COURT OF APPEAL FOR ONTARIO
Court orders FCSLLG to pay legal costs to the Co-operators Insurance Company in the amount of $45,000 after first falsely claiming they were hacked. (Now FCSLLG want everyone to think it was Laridae's fault their website/board portal had no security at all...)
CITATION: Family and Children’s Services of Lanark, Leeds and Grenville v. Cooperators General Insurance Company, 2021 ONCA 159
DATE: 20210315
DOCKET: C68449 and C68460
Page: 9
(b) FCS’s third-party claim against Laridae
[21] On May 28, 2018, FCS commenced a third-party claim against Laridae, seeking general and special damages, and contribution and indemnity for liability arising from the class action. FCS alleges that Laridae was negligent in providing advice and professional services and breached its contractual obligations to FCS.
[22] FCS claims its website was designed to be secure and password protected, so that FCS could upload documents intended for authorized users.
[23] FCS alleges that on or about February 11, 2016, it learned that an unauthorized internet user obtained a number of non-public documents from the secure section of the FCS website. The unauthorized user posted screenshots of the confidential personal documents to a video on YouTube.
[24] FCS alleges that Laridae advised FCS that it had “enhanced the security features of the [w]ebsite” and that it had “added two additional security features to the [w]ebsite, which were sufficient to prevent Internet users from obtaining unauthorized access to documents” in the secure section. Notwithstanding the repairs, in April 2016, a second incident took place whereby a hyperlink to the Report was posted on Facebook accounts.
[25] FCS advanced both a breach of contract claim and a negligence claim. Particulars of the negligence claim advanced by FCS against Laridae, reproduced from para. 17 of the statement of claim, are as follows:
::::::
DISPOSITION: Page: 37
[109] For the above reasons, I would allow the appeal and hold that Co-operators has no duty to defend either the class action or the third-party claim.
[110] I would award costs to Co-operators in the amount of $15,000 for the appeals and $30,000 for the applications, as agreed by the parties.
Released: March 15, 2021 “A.H.”
“J.A. Thorburn J.A.”
“I agree. Alexandra Hoy J.A.”
“I agree. David Brown J.A.”
https://www.ontariocourts.ca/decisions/2021/2021ONCA0159.pdf
You can find Kelley's story here:
https://www.amazon.com/dp/B08ZHKM4B4/ref=sr_1_fkmr0_1
2021: New Ontario Court of Appeal Decision Impacts The Scope of Insurance Coverage for Cyber Matters
The Ontario Court of Appeal has, in a recent ruling, significantly narrowed the availability of insurance coverage for cyber matters under traditional insurance policies.
In Family and Children’s Services of Lanark, Leeds and Grenville v. Co-operators General Insurance Company, 2021 ONCA 0159, Co-operators General Insurance Company (“Co-operators”) denied a duty to defend Family and Children’s Services of Lanark, Leeds and Grenville (“FCS”) and Laridae Communications Inc. (“Laridae”) against two claims, relying upon the “data” exclusions under the respective insurance policies.
- SEE RELATED: 2021 Alleged CAS whistleblower cleared of hacking charges.
-https://www.recorder.ca/news/local-news/cas-whistleblower-acquitted
-You can find Kelley's story here:
https://www.amazon.com/dp/B08ZHKM4B4/ref=sr_1_fkmr0_1
Article continues:
Although the Superior Court application judge found Co-operators had a duty to defend against both claims, this decision was reversed by the Court of Appeal. The Court of Appeal determined that (1) the “data” exclusion clauses were unambiguous; (2) all claims asserted in the proceedings were covered by the clear language of the exclusions; and (3) denial of coverage would not nullify meaningful coverage under the policies.
Overall, the Court of Appeal broadly interpreted the insurance exclusion clauses to capture the claims in question and Co-operators was successful in denying insurance coverage, even at the duty to defend stage. The Court reached this conclusion even though the low threshold for coverage at the duty to defend stage is to demonstrate a “mere possibility” of coverage.
Background
In August 2015, Laridae was retained by FCS, a children’s aid society, to perform communication and marketing services, including work on its website. Less than a year later, a hacker accessed FCS’ secured portal, and obtained a confidential report with case files and investigations of nearly 300 people. The report was subsequently shared on Facebook, disclosing sensitive personal information. As a result of the disclosure, a $75 million class action was filed against FCS alleging that the leaked report contained defamatory materials and that FCS was negligent for enabling the data breach.
As FCS and Laridae were insured by Co-operators, both parties claimed that Co-operators owed them a duty to defend against the class action and third-party claim brought by FCS against Laridae for breach of contract and negligence.
Legal Analysis of the Insurance Policies
Laridae’s commercial general liability policy contained a data exclusion clause, which excluded “[any] personal injury arising out of the distribution, or display of ‘data’”, and defined “data” as “representations of information or concepts in any form”.[1]
Similarly, Laridae’s professional liability policy contained a data exclusion clause, which provided that “[t]here shall be no coverage under this policy in connection with any claim.. arising directly or indirectly from the distribution or display of data by means of an Internet Website … designed or intended for electronic communication of ‘data’”.[2]
In concluding that Co-operators did not have to defend either FCS or Laridae, the Court of Appeal ruled that:
There was no ambiguity in the policies, so general rules of contract construction used by the application judge (such as bringing in the reasonable expectations of the parties, avoiding unrealistic results, reviewing external sources) were not applicable.
The claims were clearly covered under the policy exclusions. Sharing the image of a link, which requires a user to take further steps in order to access the content, is still within the definition of “data”.
Applying the exclusions would not nullify meaningful coverage under the policies. It was clear that Co-operators would not insure against all risks while still providing coverage for a wide range of services. It was fair to hold parties to what they have bargained for.
Key Takeaways
This ruling signals a judicial shift in the interpretation of insurance policies for cyber coverage. Many insurers, in an effort to preclude so-called “silent” cyber coverage under non-cyber policies (such as commercial general liability policies, errors and omissions policies, directors and officers policies, property policies, and crime bonds) and to direct insureds to stand-alone cyber insurance policies for additional premiums, have inserted “data” exclusions in their non-cyber policies. The Court of Appeal interpreted such exclusions broadly as in effect applying to all claims directly or indirectly arising out of data. This decision highlights the need for businesses to obtain a separate cyber-specific insurance policy in order to better protect against cyber risks, rather than leaning on other insurance policies to provide adequate cyber coverage. Similarly, when negotiating contracts, it will be important to require counter-parties to undertake to obtain stand-alone cyber policies.
____________________________
[1] Family and Children’s Services of Lanark, Leeds and Grenville v. Co-operators General Insurance Company, 2021 ONCA 0159 at paras 34 and 35.
[2] Ibid at paras 29 and 37.
https://www.lexology.com/library/detail.aspx?g=888edbc1-c191-407e-9b78-bce9f2dcc26d
THE ONTARIO COURT OF JUSTICE
BETWEEN: HER MAJESTY THE QUEEN
-and- KELLY J. Denham
APPEARANCES: FOR THE CROWN: Mr. Corbella. FOR THE DEFENDANT: Mr. Mansour.
https://www.kelleyandderek.com/
HOW DOES A PRIVATE CORPORATION WITH NO INSURANCE COVERAGE OR INCOME OTHER THAN WHAT THE GOVERNMENT GIVES THEM COVER SETTLING CLASS ACTION LAWSUIT FOR $5 000 000 000.00 WHEN THEY'RE ALREADY IN DEBT - AND STILL HAVE OTHER LAWSUITS AGAINST THEM PENDING?
See: Material Uncertainty Related to Going Concern.
We draw attention to Note 3 in the financial statements, which indicates that the Society's operating fund revenues exceeded expenses by $206,391 during the year ended March 31, 2020 and, as of that date, the Society's current liabilities exceeded its current assets by $3,866,228. As stated in Note 3, these events or conditions, along with other matters as set forth in Note 3, indicate that a material uncertainty exists that may cast significant doubt on the Society's ability to continue as a going concern. Our opinion is not modified in respect of this matter.
https://fcsllg.ca/wp-content/uploads/2020/09/Financial-Statements-2020.pdf
SO HOW DOES FCSLLG FIND THE MONEY? THEY HAVE A FUNDRAISER AND START KNOCKING ON DOORS. DOORS TO BANKS, TO RETAILERS AND TO THE INDEPENDENTLY WEALTHY, PLEADING FOR THEM TO SAVE THE CHILDREN...
2018: Ransomware attacks hit two Ontario children’s aid societies.
Officials with Family and Children’s Services of Lanark, Leeds and Grenville claim to have seen an English ransom message flash on their computer screens, demanding $60,000, when they tried to access their database in November.
“It encrypted most of our servers,” says the Lanark agency’s executive director, Raymond Lemay. “No data was taken out of our system. It was just an attempt by whatever you call these people to get a ransom.”
Lemay says his agency didn’t pay up. He says it used an offline backup of computer files to get the agency up and running again in about eight hours.
Cybersecurity experts from the province’s Ministry of Children and Youth Services, along with a private internet security firm, swooped into the agency to neutralize the malware in the infected servers.
“It took them about three weeks to find the needle in the haystack,” Lemay says.
The ransomware attack locked the agencies out of local online files that contained private information on the children and families they serve.
Lemay says the ransomware attack cost his agency $100,000 to fix, an expense covered by his agency’s “cyber insurance.”