So Nov 1 the new breach notification requirements came online. I was wondering who would have the honour of the first, and, it seems it might be OCS (wiki). In the CBC story they blame the post office, just like in Friends.

Interestingly tho, one can reverse engineer the customer size. In the article they say ‘4500 people’ were breached, and, this represents 2% of the customer orders that day, implying that the Nov 1 customer order size was 225,000.

Now, who wants to be next and fess up to not having their IT ducks in a row on breach prevention and be in good company?

PS, now is the time to check your order numbers are not sequential. Remember the Olestra and the Bike?


Y’all read the updates to PIPEDA? Starting November 1st 2018 (yup this week) you have some reporting obligations if you have a ‘security breach’ of your privacy safeguards.

You probably think it doesn’t apply to you. You are wrong. Big and small. A new acronym for you RROSH (Real Risk of Significant Harm).  Who wants to be the first to fill out the form?

So… are all your laptops encrypted (with something better than BitLocker please), with UEFI secure boot? Is your data all encrypted at rest on your servers? Are all your personal fields hashed with salt? Don’t be ‘that company’ that fesses up to keeping the SIN + Passport + home address + Credit Cart w/ CVC in a ‘foo.csv’ file in the root of an old web server that gets sold on ebay.

What’s your egress firewall policy? In your cloud? In your site?