The Toronto Sun reported this morning that the privacy of 4,500 consumers of recreational cannabis in Ontario has been compromised. The names and addresses of individuals purchasing cannabis through the Ontario Cannabis Store (OCS) website, and the names of the individuals who signed for the package delivery, were accessed by an unidentified individual through the Canada Post online tracking tool in late October or early November.

The OCS has notified the impacted consumers and has reported the breach to the Office of the Privacy Commissioner. Canada Post has announced that it has fixed the loophole and further unauthorized access has been prevented. During the ramp-up to legalization and over the past few weeks, the OCS has consistently prioritized the privacy of its consumers. For example, its privacy policy reveals a focus on shipping, stating that "when we ship orders, we deliver in discreet, plain packaging, so the nature of your purchase is not revealed." Privacy has been noted as a major concern for many consumers of cannabis.

But even the most prepared corporation can be at risk when a third-party service provider gets breached. Understanding the risk of a cyberattack on your third-party service providers is an integral part of any business arrangement.

Consumers of recreational cannabis in Ontario who are worried about their privacy do not have an alternative legal purchase option at the moment, as they are required to purchase from the OCS's website and Canada Post is the only shipping provider.

Addresses and names of consumers are generally considered to be "personal information" under Canada's federal privacy Act, PIPEDA. The OCS breach highlights the risk of attacks and cybersecurity incidents occurring through third-party service providers. While some of the tasks surrounding consumer privacy can be contracted out, the ultimate responsibility for maintaining consumer privacy cannot be delegated.

Third-party vendors are a critical factor in cybersecurity. If you are an organization that engages third-party service providers to assist with processing personal information, you should protect yourself by ensuring that you have a recorded basis for selecting the third-party vendor. That selection process should also confirm that the third party has the appropriate safeguards in place. Contractual provisions with third parties should identify items such as:

  • Its obligation to safeguard the personal information;
  • Its obligation to notify you about security incidents;
  • Your ability to oversee and potentially audit its operations as it concerns the personal information it processes on your behalf;
  • Who bears the burden of the costs associated with a data security incident; and
  • Any requirement that it procure cybersecurity insurance to cover the costs associated with a breach.