
You Can't Blame 'Em

We build services and solutions using parts provided by other companies. That's the only way to move forward effectively. When a security or privacy breach happens, how do you handle those parts out of your direct control? Especially considering your customer may not have any idea they exist?


Reasonably Accurate Transcript

Morning everybody. How are you doing today? Back inside for the show, wanted to talk about an interesting issue that popped up here in Canada. So yesterday, the CBC covered a data breach. The Ontario Cannabis Store, which is the official government online store for selling legalized cannabis here in Canada, is reporting a data privacy breach.

But 4500 of the initial 200,000 orders had their shipping information breached at Canada Post. Now, Canada Post is our mail service and it's the official delivery service for the OCS because Canada Post will do the age verification at the door. So that aligns and government supporting another government branch, blah, blah blah, right?

Or at least crown corporation. It's a blurry line. So the interesting thing about this data breach though, and good on the OCS for coming out and, uh, advising customers who are affected and listing exactly what information was and was not open. Um, but the interesting thing was there was some finger pointing going on between, uh, the OCS and Canada Post.

Um, so it seems the technical details, what we can piece together based on some, uh, based on the breach notification, based on CBC reporting, based on me following up with the OCS with some questions, is this: Canada Post's business delivery tool had an issue in it where somebody was able to actually go in and query these 4500 orders from OCS.

So OCS put it in the system to ship it out, um, and to see where they were going, who signed for the delivery, all the delivery details. So basically what you'd see when you click in the tracking number. That's obviously a breach and the OCS is informing the privacy commissioner, but they're also pointing the finger at Canada Post and saying we decided.

So, OCS is saying that they decided to inform their customers despite the fact that Canada Post decided not to inform its customers. So what we can infer from that is that Canada Post informed OCS, said based on the risk they're not informing the other customers.

Um, but OCS took that extra step and said we're gonna talk to our downstream customers. The question is here though, is, were other business customers from Canada Post impacted? That's unknown at this point because Canada Post isn't referring that information.

The really key point, and why I wanted to talk about this today on the show, is that OCS pointing the finger at Canada Post looks bad no matter what happened. Canada Post is part of the OCS customer experience. It's part of that user experience from start to finish.

You do business with OCS. Well, then, you know, you put it on their online store, which is hosted by Shopify, another service provider in their supply chain or their experience chain. Let's use that, the user experience chain. You put that in, they process, OCS has the stock and all that kind of stuff, and then they ship it out via Canada Post.

As a customer, you don't care. You do not care who's under the hood. You think you're doing business with just one entity, OCS, and this mirrors every organization out there. We have multiple people involved in our supply chain, in our service chain, and our customers don't care and they shouldn't care.

And at no point should you be pointing fingers at somebody else, no matter how right you are, no matter how difficult it is to kind of swallow that. Um, you need to come out and say, listen, we're working with that partner. You know, because, uh, we're, you know, evaluating the risk.

We're, we're going there, not pointing and saying, well, we think they should do this but they're refusing because your customer is trusting you and because they trust you, they're trusting your choices. And if right out of the gate, you're showing them that you've made an incorrect choice unless it's been absolutely egregious and you're rethinking doing business with them.

So you're saying, you know what, service provider A downstream had this massive and catastrophic thing. This goes everything we researched about them and therefore we're moving to service provider B an event in the wake of this breach, pointing fingers doesn't really help because at the end of the day, the customer doesn't care, the customer cares that they did business with you.

They're not going to call your supplier and work through things. They want to deal with you. So it's really interesting in that, you know, early on in the, in the company's lifespan, in OCS's lifespan, they're dealing with a privacy breach.

The communication was good and clear. They're dealing with the privacy commissioner. The only bad thing here is that sort of pointing finger swapping thing because that never looks good. And I think that's something we all need to tackle is our overall supply chain.

The risk that that presents to us and then how do you manage that risk in the event of a privacy or security breach? Do you mention that it's third parties to companies? How do you do that in a positive manner or in a manner that's accurate without throwing somebody under the bus?

If you do throw them under the bus that you mean to, what are the consequences of throwing somebody under the bus, that kind of thing. Right now, this is not the first time OCS has thrown Canada and they also blamed them for, uh, because of this current labor issues at Canada Post.

They blame them for, um, delivery times. Um, so there's not a great relationship right out of the gate between those two. From a business perspective, that's really interesting. From a customer perspective, I think that's interesting. When it comes to security and privacy, airing your dirty laundry, um, is never a good sign, especially when you're trying to highlight how good your online security is and your overall security and treatment of information.

So, interesting stuff. Uh, let me know what you think. Hit me up online at @marknca, for those of you in the vlogs, in the comments down below, as always. And by email, me@markn.ca, for everybody, including our podcast listeners.

I do read every comment I get. Um, uh, whether or not I can get back to them is a question because, uh, great, uh, ask, this is the audience is really interactive across a bunch of platforms. I know sometimes if you're looking on one platform, it doesn't seem like there's a big viewership.

But when you see the aggregate, we are up to several hundred people watching this every day, which is amazing and that's generating a ton of questions and feedback. So please keep it coming. I do read them all. I will get back to them all eventually or answer you here on the show.

Have a great day. Um, I hope you're set up for a fantastic one. We will talk to you online and we'll see you on the show tomorrow.
