Presented By
A cyber briefing
for school board
IT professionals
Dan Michaluk
June 23, 2023
Labour issues and MFA
The context
o Multi-factor authentication is one of the most critical information security controls, yet some boards do not enforce participation
o Boards and other institutions have enforced a mandatory rollout after attacks, as part of the response process, which invites sub-optimal change management
o Installing MS Authenticator on personal devices is a sensitive issue, and some employees will not have compatible devices
o Hardware tokens are expensive
The law
o School boards have management rights that allow them to establish and enforce work rules
o But any rule enforced by disciplinary power must meet the so-called KVP test (from the 1965 KVP Co. Ltd. arbitration award), which at its core requires “reasonableness”
o An arbitrator will weigh the Board’s justification against the impact of its work rule, including the impact on personal privacy
The TDSB case and piggybacking on personal phones
o CUPE grieved the requirement to work from home during the pandemic, alleging that costs were being downloaded onto employees
o TDSB provided scope for some reimbursement and problem solving
o Arbitrator Geldof dismissed the grievance
o The decision warns against reaching into employees’ “metaphorical pockets”, but permits relying on, or piggybacking on, expenses already borne by employees in their personal capacity
Practical advice
o Do it now, not when you are in an incident and in a rush
o Conduct a privacy impact assessment on MS Authenticator (or your alternative)
o Build a change management plan and implement it, and collaborate with labour relations from the start
o Consider offering hardware tokens to those without compatible phones
Threat information sharing
Benefit
→ You’ll help others and be perceived as helping others
→ You will receive that help when you need it
→ If you need response help, others may offer
Costs
o Time and energy, when time and energy are limited
o Confidentiality risks, although these are limited
o This is a “prisoner’s dilemma” problem: for any one board the costs can look larger than the benefits, but for the sector as a whole the benefits outweigh the costs
o There needs to be an understanding about confidentiality, and there needs to be a means of streamlining the sharing
o Anyone who receives threat information must respect the responding institution’s need for space and autonomy
o Sharing through a trusted intermediary would help
o Encouragement and a principled commitment to sharing, rather than hard rules or commitments, should be adopted
BECs and PHIPA
Business e-mail compromises explained
o Access to an account by a threat actor
o Depending on your license, you may have audit data about what was browsed and downloaded (e.g. the MailItemsAccessed mailbox audit event in Microsoft 365)
o If legacy protocols (e.g. IMAP or POP) are enabled, you may have evidence that the entire account was synched out
o Oftentimes, there is no evidence of anything other than account access
o And there is often evidence of a motive other than data theft, e.g. lateral phishing, or gathering intelligence to support a wire fraud scam
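The triage step the bullets above describe, as an added example that is not part of the presentation: it reads Microsoft 365 MailItemsAccessed audit records and turns them into a review scope per mailbox. A “Sync” access (what a legacy IMAP/POP client or a full mail client produces) means the whole mailbox must be treated as exposed; a “Bind” access names the individual messages opened; a throttled record means the item list is incomplete. Field names follow Microsoft’s documented MailItemsAccessed schema, but the records are constructed sample data, not a real log, and the attacker IP is an assumed indicator from the investigation.

```python
"""Triage Microsoft 365 MailItemsAccessed audit records after a BEC.

Added example, not from the presentation. Field names follow Microsoft's
documented MailItemsAccessed schema; the records below are constructed
sample data, and the attacker IP is an assumed indicator.
"""
import json
from collections import defaultdict

# Constructed sample export (assumption: a JSON array of AuditData objects
# as returned by Search-UnifiedAuditLog; only the fields read here are kept).
SAMPLE_LOG = json.dumps([
    {   # Attacker opened two specific messages through the web client
        "Operation": "MailItemsAccessed",
        "UserId": "counsellor@board.example",
        "ClientIPAddress": "203.0.113.7",
        "ClientInfoString": "Client=OWA;Action=ViaProxy",
        "OperationProperties": [
            {"Name": "MailAccessType", "Value": "Bind"},
            {"Name": "IsThrottled", "Value": "False"},
        ],
        "Folders": [{"Path": "\\Inbox", "FolderItems": [
            {"InternetMessageId": "<iep-2023-0412@board.example>"},
            {"InternetMessageId": "<wire-change@vendor.example>"},
        ]}],
    },
    {   # Same attacker, same mailbox, but the audit service throttled logging
        "Operation": "MailItemsAccessed",
        "UserId": "counsellor@board.example",
        "ClientIPAddress": "203.0.113.7",
        "ClientInfoString": "Client=OWA;Action=ViaProxy",
        "OperationProperties": [
            {"Name": "MailAccessType", "Value": "Bind"},
            {"Name": "IsThrottled", "Value": "True"},
        ],
        "Folders": [{"Path": "\\Sent Items", "FolderItems": [
            {"InternetMessageId": "<referral-0391@board.example>"},
        ]}],
    },
    {   # Attacker synced a second mailbox over a legacy protocol: no item list
        "Operation": "MailItemsAccessed",
        "UserId": "socialworker@board.example",
        "ClientIPAddress": "203.0.113.7",
        "ClientInfoString": "Client=IMAP4 (constructed)",
        "OperationProperties": [
            {"Name": "MailAccessType", "Value": "Sync"},
            {"Name": "IsThrottled", "Value": "False"},
        ],
        "Folders": [{"Path": "\\Inbox", "FolderItems": []}],
    },
    {   # The owner's own access from a known IP: not attacker activity
        "Operation": "MailItemsAccessed",
        "UserId": "counsellor@board.example",
        "ClientIPAddress": "198.51.100.20",
        "ClientInfoString": "Client=OWA;Action=ViaProxy",
        "OperationProperties": [
            {"Name": "MailAccessType", "Value": "Bind"},
            {"Name": "IsThrottled", "Value": "False"},
        ],
        "Folders": [{"Path": "\\Inbox", "FolderItems": [
            {"InternetMessageId": "<payroll-notice@board.example>"},
        ]}],
    },
])


def _prop(record, name):
    """Return the value of a named OperationProperties entry, or None."""
    for prop in record.get("OperationProperties", []):
        if prop.get("Name") == name:
            return prop.get("Value")
    return None


def triage(log_json, attacker_ips):
    """Map each mailbox touched from an attacker IP to its exposure scope."""
    exposure = defaultdict(lambda: {"full_mailbox": False,
                                    "message_ids": set(),
                                    "incomplete": False})
    for rec in json.loads(log_json):
        if rec.get("Operation") != "MailItemsAccessed":
            continue
        if rec.get("ClientIPAddress") not in attacker_ips:
            continue  # owner or other legitimate access: out of scope
        entry = exposure[rec["UserId"]]
        if str(_prop(rec, "IsThrottled")).lower() == "true":
            entry["incomplete"] = True  # more items were read than were logged
        if _prop(rec, "MailAccessType") == "Sync":
            # A sync pulls whole folders and the log does not enumerate
            # items, so the entire mailbox has to be treated as exposed.
            entry["full_mailbox"] = True
            continue
        for folder in rec.get("Folders", []):
            for item in folder.get("FolderItems", []):
                if item.get("InternetMessageId"):
                    entry["message_ids"].add(item["InternetMessageId"])
    return dict(exposure)


def summarize(exposure):
    """One review-scope line per mailbox, for the data-analysis hand-off."""
    lines = []
    for user, info in sorted(exposure.items()):
        if info["full_mailbox"]:
            scope = "entire mailbox (sync observed): review every message"
        else:
            scope = f"{len(info['message_ids'])} individually accessed message(s)"
        if info["incomplete"]:
            scope += "; audit throttled, so the item list is incomplete"
        lines.append(f"{user}: {scope}")
    return lines


if __name__ == "__main__":
    for line in summarize(triage(SAMPLE_LOG, {"203.0.113.7"})):
        print(line)
```

Where the license does not include the MailItemsAccessed event at all, there is nothing to feed this script, and the conservative position the slides describe applies: treat the whole account as exposed rather than infer from silence.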
Business e-mail compromises explained
o Entire-account exposure is expensive to deal with
o Assume $5,000 to $15,000 per account for analysis
o We have seen lateral phishing attacks that expose hundreds of accounts
Decision 205
o IPC PHIPA decision from April 2023
o The IPC (without deciding the issue) sets out its position that access to an account equals access to the information in the account (under PHIPA)
o The IPC has now taken that position with BLG clients; the position rests on the words “make information available” in the definition of “disclose” in PHIPA
o We question the position, but boards need to consider it when PHIPA-regulated information is in accounts; counsellors’ and social workers’ accounts are the obvious concern
o And boards need to build and/or enforce policies on e-mailing personal health information and reconsider e-mail retention
Questions?
For more information, contact:
The information contained herein is of a general nature and is not intended to constitute legal advice, a complete statement of the law, or an opinion on
any subject. No one should act upon it or refrain from acting without a thorough examination of the law after the facts of a specific situation are considered.
You are urged to consult your legal adviser in cases of specific questions or concerns. BLG does not warrant or guarantee the accuracy, currency or
completeness of this presentation. No part of this presentation may be reproduced without prior written permission of Borden Ladner Gervais LLP.
© 2023 Borden Ladner Gervais LLP. Borden Ladner Gervais is an Ontario Limited Liability Partnership.
Thank You
Dan Michaluk
Partner
416.367.6097
dmichaluk@blg.com

Ecno cyber - 23 June 2023 - djm(137852631.1).pptx