
LifeLabs goes to court to block privacy watchdogs from probing 2019 data breach - guessmyname
https://www.cbc.ca/news/business/lifelabs-data-breach-1.5667618
======
gruez
Is there a reason why we can't have strict liability laws for data breaches?
Seems like every time companies get off because proving negligence or damages
is too hard. If you get hacked, you should pay $x per affected individual. No
more "we did our best, but it was a Sophisticated Attack™ carried out by a
nation state/APT, so plz don't fine us". Imagine if companies could use this
logic if they lost physical goods, e.g. if a bank got robbed, they shouldn't be
able to say "well they were a really sophisticated crew of bank robbers, so
there goes your deposit!".

~~~
cenal
We all know public entities would be exempt. What’s the point then?

Government will just leak more important info.

I think a shift toward identity as a service is underway for the market to
solve this. Auth0 and the like are offering a solution.

~~~
gruez
>I think a shift toward identity as a service is underway for the market to
solve this. Auth0 and the like are offering a solution.

How does auth0 solve this? This isn't about your email or passwords getting
leaked. This is about your lab test results (e.g. HIV, herpes, etc.) getting
leaked.

------
shahsyed
Canadian here.

Not sure how there is no government oversight for handling of sensitive data
in the first place. I get that we have a "Privacy Commissioner of Canada". But
this sort of thing should almost never happen.

Also, how the heck can a privately owned company that deliberately mishandled
data (let's be honest here - instead of paying legal fees to fight in court,
you could be, I don't know, tightening up your NetSec?) overrule a federally
mandated officer?

Holy crap this stinks.

~~~
0xBeefFed
Write to your MP. Not that they will do anything - maybe you'll be luckier
than me and won't get a canned response about how they are "working hard to
stop this" without taking action.

~~~
shahsyed
I occasionally do - and there are times where I do get a response back.

I'm considering registering myself as a lobbyist so that I can have more of a
face to face contact with councillors in my city, and actually push for more
change.

Because right now, if people in tech aren't advocating for better security
practices...we're going to doom ourselves by standing by and not doing
anything at all.

------
brutus1213
Canadian here. This LifeLabs breach is a national travesty. Compared to the
ruckus the opposition made for the We charity situation, why are they not
after these guys? This really disgusts me about our political system today ..
if you can score points against your opposition, go full-on guns blazing. If
it actually is of consequence to citizens, meh.

~~~
wolco
Wait, that whole billion dollar ethical, possibly criminal situation that the
government created on their own makes you angry at the opposition
(left / right / french / green)?

You don't think it's of any consequence to citizens? You think they are causing
an unnecessary ruckus?

What part of Canada are you from? Is that you Justin?

~~~
brutus1213
All levels of the Canadian govt have done a reasonable job during the pandemic
when a bulk of the world has faltered. I'm not a fan of all the fiscal
stimulus (top tax bracket) but I understand why it is being done. There is a
concept called Helicopter money that some economists have proposed. You may
want to look into that.

I'm in Ontario btw and don't see the need for a personal attack in your
comment.

------
motohagiography
The cost of litigating to suppress details could be less than the cost of
LifeLabs' potential exposure to a class action suit because of what could
potentially be construed as negligence in their IT security practices. They're
not just psycho jerks for fighting it, it could just be part of their
fiduciary duty.

The risk to them is, IMO, the standard of security and privacy governance
within the public sector is much higher than pretty much any other institution
I've seen, so in comparison, showing that a private company did not meet that
standard would be trivial. However, the question of what kind of diligence was
done on the original contract (or not) could blow up, since every mandatory
risk assessment (if completed) done on it would have raised this breach
possibility and recommended controls to mitigate it.

I was livid when I read about the breach as it's precisely the kind of
incident every single security and privacy analyst who has ever advised the
public service has used as a baseline scenario. It fell out of the news cycle
I think because it was so bad it crossed the line into discrediting
institutions, which isn't done in mainstream Canada.

The party in power whose minister approved this contract has been out of power
for 3+ years, so politically for them it's just wastewater under the bridge,
but as a legacy, this breach was in the realm of worst case scenario. For the
sake of popular trust in the health system in general, the root cause analysis
should be seen through.

------
pards
As a Canadian, I find this disgraceful. This data breach poses a significant
and life-long financial risk to all those impacted. For example, insurance
companies could obtain this data and use it to increase premiums for
individuals they deem to have higher risk due to the data from their blood
tests.

LifeLabs needs to be held accountable and the courts should make an example
out of them, and send a clear message to other companies that hoard personal
data.

Corporations need to consider personal data as a liability, not an asset.

------
gentleman11
Reminds me of a small privacy issue with many Canadian institutes: a lot of
medical institutions and facilities use Google Maps or Google Fonts. This sort
of reveals to Google that a user with a certain IP address is visiting a
certain site related to <private medical issue>.
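
One way to audit a page for the kind of third-party embeds this comment describes, as an added example that is not part of the thread: the script parses a page's HTML, collects every resource the browser would fetch automatically, and reports hosts that are not the site's own. The sample HTML and the clinic hostname are constructed for the example; the Google hostnames are the usual ones for Fonts and Maps and are assumptions, not taken from the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ResourceCollector(HTMLParser):
    """Collect URLs a browser fetches automatically while rendering the page."""

    # Tag -> attribute whose URL the browser loads without user interaction.
    FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = self.FETCH_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.urls.append(value)


def third_party_fetches(html, first_party_host):
    """Return (host, url) pairs for resources served from outside first_party_host.

    Each such fetch tells the third party the visitor's IP address and, via the
    Referer header, which page on the site they were viewing. Inline CSS
    @import/url() references are not inspected; only tag attributes are.
    """
    collector = _ResourceCollector()
    collector.feed(html)
    leaks = []
    for url in collector.urls:
        if url.startswith("//"):          # protocol-relative URL still leaves the site
            url = "https:" + url
        host = urlparse(url).hostname
        if host is None:                  # relative path: served by the site itself
            continue
        if host == first_party_host or host.endswith("." + first_party_host):
            continue
        leaks.append((host, url))
    return leaks


# Constructed sample page for a hypothetical clinic; key values are placeholders.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<link rel="stylesheet" href="/static/site.css">
<script src="https://maps.googleapis.com/maps/api/js?key=PLACEHOLDER"></script>
<script src="//cdn.example-clinic.ca/app.js"></script>
</head><body><img src="/img/logo.png">
<iframe src="https://www.google.com/maps/embed?pb=PLACEHOLDER"></iframe>
</body></html>"""

if __name__ == "__main__":
    for host, url in third_party_fetches(SAMPLE_HTML, "example-clinic.ca"):
        print(f"third-party fetch to {host}: {url}")
```

Hosts listed by the script are candidates for self-hosting (fonts, map tiles) so the visit never leaves the site's own infrastructure.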

------
ec664
Stalling tactic? I don't recall anyone ever being fined over a breach. Sounds
like a tactic to escape whatever is left of the news cycle on this.

------
14
I now wonder where the Prime Minister gets his lab work done.

~~~
14
I lost a few points but it was a genuine question. Does the PM just walk into
a lab with a requisition and get blood work, or does he have a private doctor
and private lab do it? As the PM I would assume his medical results would be
of interest to some people, and as a Canadian I genuinely have no idea how he
manages his affairs. It would be interesting to learn more about how he keeps
his affairs private.

~~~
jbay808
He comes from an important political family, but he hasn't been Prime Minister
for his whole life. There's a fair chance that LifeLabs has handled his data
at some point.

