Wednesday, June 6, 2018

INTACT Insurance fails GDPR compliance logic check

It is no secret that every enterprise will claim to be onboard for GDPR compliance.

It is also no secret that no one is GDPR compliant.  However to what degree and how much will they declare remains to be seen.   And some are going out of their way to prove they lack either competence or desire.

Many "normal" citizens feel that large multinational corporations actually care about them.  They love the points programs, and they love the perks.  They also fail to see that these "programs" are meant to keep you as a customer through the illusion that you are special.  You are not.  You are a requirement for doing business, and corporations love taking your money while delivering the most cost effective service possible.  This is a polite way of saying they deliver the least possible costly service while balancing the illusion that what they lay are only golden eggs.

One of the main parts of GDPR (and many would say common sense) is Article 25.

Article 25 is all about "Data Protection By Design and By Default".  It means build something that doesn't get you fired.  Build something that is reasonable and respectful of the data you are processing.

So lets take a look at INTACT INSURANCE TODAY.

They have a great app that they advertise with a catch phrase that translates into "reap the benefit of secure remote access to your data".  I didn't bother going to see the English version because hackers are lazy.  But it turns out, large corporations too.... read on....

Would it be any surprise that they are not GDPR compliant or it seems actually compliant to anything significant when it comes to security ?

Take a look at the User Agreement section on security:

How good do you feel as a customer now? 
Do you still feel valued?   
Do you still feel special?

If you do, contact me immediately, I have a new cryptocurrency to "sell" you at an amazing rate!

So as far as compliance to GDPR, they are failing in many areas way beyond "Secure Design".

It is fascinating to see how a legal department pumps out these gems to "protect" the enterprise and "protect" the share holders while letting everyone know that they will take no responsibility for pushing out bad software to their customers mobile phones and potentially exposing sensitive information or allowing identity theft.

Now what if this was actually all a magic trick and what they are actually doing is full out spying on their customers.   I didn't think of this one, my friend Eric (not the voice in my head) had this genius idea.   A mobile phone certainly knows what locations you visit, how fast you drive, and probably a bunch of other interesting things that they could always claim was done by spyware since "we do not guarantee" anything!

Maybe Facebook and Google have a lot to learn because this is actually pretty clever.  Build a contract that says we don't guarantee anything, hide it in a lot of legal terms, and your golden.  Oh... wait... GDPR actually says you cannot do that.  darn it.  

One thing remains certain is that large corporations have very large legal budgets and will work hard to ensure they take as little responsibility as possible

This is only Mid-Week.  So many breaches can come out before the weekend giving us all many other examples of GDPR failures, this one just happens to come before the breach.

Ultimately, if you read the small print or pay close attention, most enterprises already radiate their GDPR failure through their daily actions as is this example.

If someone takes the time to read through GDPR it all makes sense, but it relies on people knowing what they are doing and doing a good job across the board.  Not something most large enterprises are awesome at.

I'm really eager to see what the end of week breaches will be.  I always feel like Christmas day when Friday is just around the corner !


Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies

No comments:

Post a Comment

Are we even trying over at BRP

This will be a short blog entry.  Essentially, a general observation. If your enterprise was breached and screenshots of user account passwo...