Investigation into Agronomy’s privacy practices related to safeguards, accountability valid consent for the collection and use of personal information
Notice
The report of findings in this case has been reproduced below, using gender-neutral language and removing the name of a third party-vendor and certain other identifying information. Any modifications from the original report of findings are identified by brackets.
PIPEDA Findings # 2023-002
July 31, 2023
Overview
The complainant alleged that the Agronomy Company of Canada Ltd. (“Agronomy”) had not adequately safeguarded [their] personal information, resulting in the compromise of [their] personal information in a breach of Agronomy’s systems. The complainant further alleged that Agronomy lacked accountability structures, and collected their personal information for purposes to which [they] had not consented. The complainant had conducted business with [the vendor], a member of the Agromat Group (“Agromat”), a collection of agricultural companies partly owned by Agronomy.
In early April 2020, a malicious threat actor used valid administrator credentials to gain full access to Agronomy’s systems. Over a period of two months, the threat actor moved through the system and exfiltrated the personal information of 845 individuals who were customers of various Agromat members.
The compromised personal information included, depending on the individual: social insurance number (“SIN”), date of birth (“DOB”), driver’s license number, name, address, phone number, bank account number and name of financial institution, credit card information, passport information, information on salary or pension, e-mail address, and/or electronic signature. This is sensitive information that could be used by malicious actors to perpetrate identity theft. As such, the strength of the security safeguards implemented by Agronomy should have been commensurately high.
On May 27, 2020, the threat actor proceeded to deploy ransomware to the systems, encrypting and locking them. Agronomy was unaware that its systems had been compromised until the ransomware was deployed and the threat actor emailed a ransom demand along with proof of exfiltrated personal information. In the days that followed, Agronomy retained third-party security experts and began an investigation. As the ransom was not paid, the threat actor initiated an auction of the breached data before publishing the dataset on the dark web in June 2020. Agronomy was initially uncertain how many individuals had been affected, and hired a third-party e-discovery company to analyze the leaked dataset to identify the affected individuals. Agromat members notified affected individuals between July 2020 and February 2021.
Our investigation found a number of deficiencies in Agronomy’s safeguards, which contributed to the breach. Specifically:
- Agronomy lacked multifactor authentication for administrator accounts, which facilitated the threat actor’s ability to gain access to the system with stolen credentials.
- The threat actor was able to move around freely due to a lack of segregation in Agronomy’s network. As a result of this unnecessary amalgamation, multiple systems belonging to a variety of Agromat members were linked together and accessible to the threat actor.
- The threat actor was able to read the data that they accessed across the network as it was not encrypted.
- A lack of detection and response tools allowed the threat actor to access the network, exfiltrate data and cover their tracks, without being detected over a period of approximately two months.
We therefore concluded that Agronomy lacked appropriate safeguards commensurate to the sensitivity of information in question. That said, Agronomy made a variety of improvements to its security posture, and agreed to our recommendation that it implement, within two months of the issuance of this report, an incident management plan and protocol for zero-day attacks. As such, we consider this aspect of the complaint to be well-founded and conditionally resolved.
With respect to the issue of accountability, we found that Agronomy did not have a comprehensive privacy policy, had a general lack of policies, practices, and associated training for the protection of personal information under its control, and had not appointed an individual to be accountable for PIPEDA compliance. Agronomy has since either addressed or committed to address each of these accountability failings. As such, we consider this aspect of the complaint to be well-founded and conditionally resolved.
Lastly, Agronomy relied on the consent obtained by [the vendor] for its collection and use of personal information in the provision of credit services to the complainant. The complainant alleged that [they] had not consented to the collection and use of [their] personal information for the provision of credit. Our investigation determined that the Agromat form that the client acknowledged having filled out and signed when opening [their] account: was prominently titled as a “credit application”; clearly explained that their information would be used for purposes of Agromat granting credit; and resulted in the provision of $100,000 in credit, which the complainant, in fact, used. As a result, we determined that Agronomy had ensured valid consent, such that this aspect of the complaint was not well-founded.
Complaint and Background
- The Office of the Privacy Commissioner of Canada (“OPC”) received a complaint under the Personal Information Protection and Electronic Documents Act (“PIPEDA” or the “Act”) from an individual alleging that Agronomy Company of Canada Ltd. (“Agronomy”), a wholly owned subsidiary of Sollio Groupe Coopératif (“Sollio”), and its affiliate partners failed to safeguard [their] personal information against unauthorized access and disclosure, and that [their] personal information was subsequently compromised and used to facilitate financial fraud. The complainant further alleged that Agronomy collected [their] personal information for purposes to which [they] had not consented, and that it lacked a privacy policy and privacy officer.
- Agronomy is affiliated with the Agromat Group (“Agromat”), which consists of various joint-venture agricultural companies that are partly owned by Agronomy. Agronomy and its affiliate partners offer a variety of agricultural products and services to farms across Ontario and Eastern Canada. This includes the sale of seeds, fertilizer and various crop production and protection products, as well as crop advisory, nutrient management planning and professional application services. Agronomy and its affiliates maintain 22 joint venture retail locations as well as logistical and distribution sites. The complainant had a business relationship with [the vendor], a member of the Agromat Group, 50% owned by Agronomy. At the time of the attack, the IT infrastructure of Agronomy and many of its affiliate partners was amalgamated.
- Our Office notes that in its representations to our Office, Agronomy asserted that it is a data processor providing services to various member companies of the Agromat group, and that it was these individual companies, including [the vendor], which were the data controllers. Agronomy asserted that as a result, the Act should only apply to it on the basis of being a processor. Our Office did not opine on this position as it is immaterial to PIPEDA in this case. In the matter at hand, Agronomy collected, used and disclosed personal information sourced from Agromat members in the context of a commercial activity through its provision of credit and information technology services.
- In early April 2020, Agronomy’s systems were breached by a malicious threat actor who had obtained administrative credentials, which in turn provided unfettered access to Agronomy’s systems. The threat actor was able to successfully infiltrate Agronomy’s systems and exfiltrate the client information of multiple Agromat members. In late May 2020, the threat actor installed a ransomware (Footnote 1) application onto the system, which encrypted and locked affected servers and workstations. This was Agronomy’s first indication that its systems had been compromised. The threat actor followed up on this by contacting Agronomy and sharing a sample of files that had been exfiltrated along with a ransom demand. Agronomy determined that the sample contained the personal information of two individuals. Agronomy refused to pay the ransom and the threat actor responded by putting the files up for auction on their website, on the dark web, in June 2020.
- Following this publication, Agronomy was able to recover a copy of the stolen data and have the threat actor’s website shut down. Based on analysis of the leaked database, initiated in July 2020 and concluded in February 2021 by a forensics expert hired by Agronomy, the respondent ultimately determined that unauthorized third parties had gained access to the personal information of 845 of its clients. The specific personal information obtained was dependent on the information associated with those accounts and is covered in paragraph 14. Agromat members proceeded to notify the affected clients over a staggered period from June 2020 to February 2021, as they were identified as having been affected, offering them one year of credit and identity theft monitoring by a third-party service.
- The threat actor responsible for the breach was identified as “REvil”, also known as “Sodinokibi”. REvil was a group of cybercriminals operating out of Russia and Eastern Europe, which primarily engaged in fraud through the development and deployment of ransomware. The group was targeted by a joint international law enforcement operation (Footnote 2) in November 2021, which resulted in the arrest of five alleged members, and a subsequent major operation by Russian authorities in January 2022, which resulted in multiple arrests and charges that effectively dismantled the group (Footnote 3).
Methodology
- Our Office analyzed representations and materials provided by Agronomy in response to requests by our office in relation to the breach. We also reviewed available open-source information related to the breach incident.
- Agronomy engaged an independent company, specializing in IT security, to conduct a forensic analysis of the incident, as well as a company specializing in e-discovery to analyse the data published by the threat actor. Agronomy refused the OPC’s requests to access any reports generated by third parties, claiming solicitor-client privilege. Without access to these important sources of information, our Office relied upon the information provided by Agronomy in response to our individual requests for information, which was also at times limited due to IT staff turnover at the company and incomplete documentation (as discussed further below).
Analysis
Details of the Breach
Description of the Breach
- In early April 2020, the threat actor was able to use valid credentials to gain access to an administrator account on Agronomy’s systems, which the threat actor then used to successfully initiate a remote desktop connection to a workstation belonging to an Agromat member company. Agronomy represented to our Office that it was unable to determine how the threat actors had obtained the credentials that they had used to gain access. We note that there are a variety of avenues that can be used to obtain such credentials, including social engineering (Footnote 4) techniques such as phishing (Footnote 5), as well as credential stuffing (Footnote 6), malware (Footnote 7), insider threat (Footnote 8) and many other tactics. In the matter at hand, Agronomy advised that no evidence of employee involvement in the incident was found, indicating that the threat actor had stolen the credentials. Our Office notes that administrator accounts are particularly valuable targets given the ability for a threat actor to leverage elevated privileges associated with such accounts to expand access and assume control of an entire system.
- In May, the threat actor attempted to use their access to the system to access corporate bank accounts and purchase bitcoin, but they were ultimately unsuccessful in doing so. The threat actor then took advantage of the amalgamated design of Agronomy’s systems to move laterally through the network and take control of additional systems in the Agronomy network environment. Between May 18 and May 27, 2020, the threat actor used their control over Agronomy systems to exfiltrate data from shared folders, ranging from corporate communications and records to customer databases. They then deployed ransomware on May 27, 2020, encrypting the contents of the system and blocking legitimate access. It is only at this point that Agronomy became aware of the attack. This delay in detection likely contributed to the threat actor’s success in erasing system logs, given that they were able to complete all activities and exfiltration, and then remove all traces of that work prior to deploying ransomware.
- Upon realizing that its systems had been compromised, Agronomy commenced assembly of an incident response team including third-party security specialists, and referred the matter to law enforcement. The incident response team was fully assembled, with additional resources, in the following days. Subsequent to the ransomware deployment, the threat actor contacted Agronomy by email and demanded a ransom in exchange for decryption keys for their system, providing sample files to prove the successful exfiltration of data. Agronomy refused to pay the ransom, and based on the sample files provided, identified two affected individuals. Agronomy represented that Agromat members took steps to notify these two individuals of the breach on June 5, 2020. Agronomy notified our Office of the breach and the two affected individuals on June 8, 2020.
- On June 2, 2020, following Agronomy’s failure to pay the demanded ransom, the threat actor initiated an “auction” of the entirety of the exfiltrated data on a digital marketplace that it had created. The auction remained open for a week. The threat actors made a number of posts on Twitter with regard to the auction, making Agronomy aware that it was taking place. For several days during this period, until Agronomy’s systems were secured by third-party experts, the threat actor continued to publish excerpts from Agronomy’s corporate communications regarding the company’s attempts to address the breach. The threat actor subsequently released the exfiltrated files to the dark web. With the assistance of its third-party experts, Agronomy was able to obtain a copy of the breached dataset and hired a third-party e-discovery (Footnote 9) service provider to analyse the data and determine the affected parties.
- Agronomy represented that Agromat member companies sent notifications to affected individuals over a period beginning June 5, 2020 and ending February 17, 2021. Agromat members sent new notifications as they became aware of affected individuals through the progressing e-discovery process. The complainant in this matter was sent a notification from [the vendor] by mail [in July 2020], and received it in [the same month]. Agronomy sent our Office incremental updates on the breach, with the number of affected individuals growing steadily over several months from the initial figure of 2, to the final number of 845.
Personal Information involved in the breach
- As noted above, Agronomy ultimately determined that the threat actors had obtained the personal information of 845 individuals. These individuals were clients of various Agromat Group companies, including [the vendor], whose personal information was stored on Agronomy’s systems. The compromised personal information included information collected from Agromat account applications, and included, depending on the individual: social insurance number (“SIN”), date of birth (“DOB”), driver’s license number, name, address, phone number, bank account number and name of financial institution, credit card information, passport information, information on salary or pension, e-mail address, and electronic signature.
Issue 1: Did Agronomy implement appropriate safeguards to adequately protect personal information under its control?
- Principle 4.7 of PIPEDA provides that personal information must be protected by security safeguards appropriate to the sensitivity of the information. As set out in Principle 4.7.1 of PIPEDA, the security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification.
- Principle 4.7.3 further provides that methods of protection should include: (a) physical measures, such as locked filing cabinets and restricted access to offices; (b) organizational measures, such as security clearances and limiting access on a “need-to-know” basis; and (c) technological measures, such as the use of passwords and encryption.
- Our Office identified numerous deficiencies in Agronomy’s safeguards. We found that, for the reasons outlined below, the safeguards implemented by Agronomy, when considered in their totality, were not adequate to protect the personal information under its control.
Sensitivity of Personal Information
- The compromised personal information included a variety of biographical and financial details as well as SIN, which is particularly sensitive, given its permanence and importance for establishing identity and functioning in Canadian society. Our Office notes that information such as this can be used by malicious actors to perpetrate identity theft. Additionally, we note that in certain cases, bank account information and credit card numbers were also compromised, potentially enabling financial fraud.
- Given the sensitivity and associated risks outlined above, the security safeguards implemented by Agronomy to protect this personal information should have been commensurately strong.
- The complainant has alleged that [they were] the victim of financial fraud as a result of the breach. The respondent denies this allegation. It was not within the scope of our investigation to determine this issue.
- Agronomy has advised that aside from the complainant, no other individuals have contacted them, either to complain about the breach or report losses.
Technical Safeguards
- With respect to technical safeguards, our Office found a number of significant gaps in relation to Agronomy’s breach prevention and response. Certain of these gaps contributed directly to the occurrence and severity of the breach in question. Specifically: (i) Agronomy did not employ multifactor authentication, which facilitated the threat actor’s ability to gain access to the system with stolen credentials; (ii) after gaining access to the network, the threat actor was able to move around freely due to a lack of segregation in Agronomy’s network architecture; (iii) the threat actor was able to read the data that they accessed across the network as it was not encrypted; and (iv) due to a lack of detection and response tools, the threat actor was able to access the network, exfiltrate data and cover their tracks, without being detected for approximately two months.
- Agronomy did not utilize multifactor authentication for employee access to its systems, which allowed the threat actor to use stolen credentials to obtain full administrative access to the respondent’s systems. Multifactor authentication is widely recognized as a security best practice – even more so in the case of accounts with broad administrative authority with access to highly sensitive information. If multifactor authentication had been in place, then simply knowing the administrator’s password would not have been enough to gain access to the account. The threat actor would have needed a second factor such as something that the administrator “had”, like a phone or USB key, or something the administrator “was”, like a biometric print.
- The severity of the attack was exacerbated by the lack of segregation in Agronomy’s network architecture. Agronomy had linked multiple Agromat systems together, even though this was unnecessary, which allowed the threat actor to take advantage of lateral movement to compromise and take over multiple systems in the Agromat corporate network. It is a best practice to link only necessary workstations and systems together in a network to minimize the harm that can be caused by lateral movement. Had the networks of various Agromat retailers been segregated, the impact of the breach may have been significantly diminished, as the threat actor would likely only have been able to assume control of one of the Agromat retailers’ systems.
- Agronomy did not utilize encryption to secure its database or data. It stored sensitive personal information in shared folders that were widely accessible to employees. Agronomy represented that as the threat actor had access to an administrator account, encryption would not have prevented the malicious actions taken. We note, however, that various levels of administrative privilege can exist, and an administrator does not necessarily need to have access to all encryption keys. It is generally a good security practice to segment access and permissions to minimize the impact of any one account being compromised. In any event, setting the specific incident aside, the lack of encryption coupled with lax data storage practices (discussed below in paragraphs 36 and 37), rendered Agronomy’s data susceptible to compromise in a wide variety of scenarios, and thus represented a critical vulnerability. Encryption of corporate data is a standard best practice, and in the case at hand, where the records included sensitive personal information, we would have expected encryption to be in place.
- Agronomy also lacked adequate attack detection and response tools. A lack of tools to provide alerts in the face of suspicious behaviour can allow threat actors to go undetected until serious harm has been done. More specifically, Agronomy did not have adequate logging and alerting tools, such as a Security Information and Event Management (SIEM) (Footnote 10) solution. Nor did it have a detection or response tool such as an Endpoint Detection and Response (EDR) or Extended Detection and Response (XDR) product (Footnote 11).
- A properly configured SIEM is able to aggregate and analyze data from a variety of sources from across an enterprise network, and when equipped with proper rules for detecting suspicious behaviour, can provide alerts to staff and in turn, enable mitigation and response. A SIEM solution provides wide coverage by analyzing millions of events and identifying attacks, some of which a single security tool may miss.
- An EDR or XDR provides centralized monitoring, detection and response capabilities to endpoint devices such as workstation computers, servers and phones – a vulnerable part of the network.
- At the time of the incident, Agronomy relied on logs from its firewall hardware and operating system for monitoring and detection. The firewall did log a number of actions conducted by the threat actor. A review of the logs provided to our Office by the respondent revealed account behaviour and access patterns that could have been flagged as suspicious. However, in the absence of a detection and response solution, none of these actions resulted in alerts to staff – these actions were not identified as suspicious until the post-incident investigation by third-party experts.
- The result in this case was that the threat actor was able to exploit undetected access to Agronomy’s systems for approximately two months to further their control over the entire system and cover their tracks by deleting a variety of logs and backups. Agronomy did not discover the intrusion or compromise until the threat actor deployed ransomware to encrypt and lock its systems. Had Agronomy implemented properly configured detection and response tools, the incident may have been identified within hours or at most days, potentially preventing or significantly mitigating the exfiltration of customer data.
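The following is an added illustration, not Agronomy’s logs or tooling, of the kind of correlation rules a SIEM would run over firewall and authentication logs to surface the access patterns described above. The log format, host and account names, IP addresses and thresholds are all constructed for the example; the events mirror the report’s narrative (an administrator login with valid credentials from outside the network, remote desktop fan-out across affiliate sites, bulk outbound transfer, and log deletion).

```python
"""Minimal SIEM-style correlation over constructed firewall/auth log lines.

Added illustration only. Every value below (account name, hosts, IP addresses,
byte counts, thresholds) is constructed and is not taken from the incident.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
ADMIN_ACCOUNTS = {"domadmin"}           # constructed privileged account name
FANOUT_HOSTS = 3                        # distinct RDP targets within FANOUT_WINDOW
FANOUT_WINDOW = timedelta(hours=1)
EGRESS_BYTES = 500 * 1024 * 1024        # 500 MiB outbound per source per day

# Constructed key=value log lines (not real data). Each affiliate site is a
# separate 10.x0.0.0/16 range, as in a flat, amalgamated network.
SAMPLE_LOGS = """\
2020-04-03T02:14:07Z src=203.0.113.45 dst=10.10.1.5 user=domadmin action=rdp_login result=success
2020-04-03T09:02:11Z src=10.10.1.20 dst=10.10.1.5 user=jsmith action=rdp_login result=success
2020-05-18T01:05:00Z src=10.10.1.5 dst=10.20.1.8 user=domadmin action=rdp_login result=success
2020-05-18T01:12:30Z src=10.10.1.5 dst=10.30.1.8 user=domadmin action=rdp_login result=success
2020-05-18T01:20:45Z src=10.10.1.5 dst=10.40.1.8 user=domadmin action=rdp_login result=success
2020-05-18T01:31:00Z src=10.10.1.5 dst=10.50.1.8 user=domadmin action=rdp_login result=success
2020-05-19T23:40:00Z src=10.20.1.8 dst=198.51.100.7 user=domadmin action=outbound bytes=734003200
2020-05-27T03:00:00Z src=10.10.1.5 dst=10.10.1.5 user=domadmin action=log_cleared result=success
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def is_internal(ip):
    """True when the address falls inside one of the constructed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def correlate(log_text):
    """Return a list of (rule, timestamp, detail) alerts in log order.

    Rules: privileged login from an external address; one account opening RDP
    sessions to FANOUT_HOSTS distinct hosts within FANOUT_WINDOW; EGRESS_BYTES
    or more sent to an external address by one source in a day; log clearing.
    """
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    rdp_by_user = defaultdict(list)      # user -> [(ts, dst)]
    egress = defaultdict(int)            # (src, day) -> bytes
    fired = set()                        # suppress duplicate fan-out / egress alerts
    for r in records:
        user, action = r.get("user"), r.get("action")
        if action == "rdp_login" and r.get("result") == "success":
            if user in ADMIN_ACCOUNTS and not is_internal(r["src"]):
                alerts.append(("admin_login_external", r["ts"], f"{user} from {r['src']}"))
            rdp_by_user[user].append((r["ts"], r["dst"]))
            recent = {d for t, d in rdp_by_user[user] if r["ts"] - t <= FANOUT_WINDOW}
            if len(recent) >= FANOUT_HOSTS and ("fanout", user) not in fired:
                fired.add(("fanout", user))
                alerts.append(("rdp_fanout", r["ts"], f"{user} reached {len(recent)} hosts"))
        elif action == "outbound" and not is_internal(r["dst"]):
            key = (r["src"], r["ts"].date())
            egress[key] += int(r.get("bytes", 0))
            if egress[key] >= EGRESS_BYTES and ("egress", key) not in fired:
                fired.add(("egress", key))
                alerts.append(("bulk_egress", r["ts"], f"{r['src']} sent {egress[key]} bytes"))
        elif action == "log_cleared":
            alerts.append(("log_cleared", r["ts"], f"by {user} on {r['dst']}"))
    return alerts


if __name__ == "__main__":
    for rule, ts, detail in correlate(SAMPLE_LOGS):
        print(f"{ts.isoformat()}  {rule:22s} {detail}")
```

Each of the four rules fires once on the sample, weeks before the constructed ransomware date; the same log lines, reviewed only after the fact, produce no alert at all.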
- We also identified further safeguard gaps that, while not linked directly to the breach, represented a failure by the respondent to adequately safeguard the sensitive information under its control.
- With regard to attack prevention, while Agronomy had a firewall and antivirus solution in place, it lacked a Web application firewall (Footnote 12) and could not provide any information on steps it had taken to harden (Footnote 13) its servers, measures we would have expected, in accordance with standard practices.
- Agronomy also lacked a patch management policy or protocol, to promptly install available software updates with a view to protecting against known vulnerabilities. The company represented that patching had been proceeding in an ad-hoc manner. Agronomy had been working towards applying operating system updates to workstations and servers, but not all systems had been updated. While the evidence suggests that out-of-date software was not directly responsible for the breach in this case, failure to patch systems and keep them up to date is a significant risk that can cause or aggravate breaches. Once malicious actors are aware of a vulnerability for which a patch has been created, they will quickly seek out opportunities to exploit the vulnerability in systems that have not yet been patched. It is therefore of utmost importance to have a protocol in place to ensure that patches are implemented on an expedited basis, as soon as they are made available.
Organizational Safeguards
- In addition to the deficiencies that we identified in Agronomy’s technical safeguards, our Office also found significant gaps with respect to the company’s safeguard practices and policies.
- First, Agronomy did not have incident response protocols for responding to a cyberattack.
- In this case, we recognize that Agronomy did take steps to respond after discovering the breach, including to deploy a response team and seek internal and external expert assistance. Further, an incident response plan may not have materially improved the outcome in this case, given the respondent’s failure to detect the threat actor’s intrusion for approximately two months, until ransomware had already been deployed (at which point, most of the harm was already done).
- That said, had Agronomy implemented appropriate tools to detect and alert them of the breach sooner, a proper incident response protocol could have assisted in further mitigating the harms of the breach. Moreover, as explained in paragraph 12, the threat actor continued to acquire and publish Agronomy’s confidential communications even after the deployment of ransomware alerted Agronomy to a breach. Agronomy explained that while its executives were communicating on an affiliated company’s network, which had not been compromised, one Executive involved in the discussion had email forwarding in place, which was sending emails to the compromised system. Proper incident response protocols would likely have addressed and therefore prevented this type of behaviour and could have allowed the network to be secured more expeditiously. In general, preparation and planning for cyber incidents is an important safeguard in and of itself, where responding immediately to an incident is often critical to assessing, managing and mitigating harm associated with a discovered breach.
- Agronomy also lacked proper information management and data storage practices to ensure the secure storage of the sensitive personal information of its customers. Rather than storing personal information in a secure database or repository, Agronomy employees had saved the highly sensitive personal information of the 845 affected individuals in various shared folders, labelled as “miscellaneous documents”, across its network.
- This gap in information management contributed to Agronomy’s delay in identifying affected individuals. Agronomy lacked knowledge of and familiarity with its own data storage practices, and rules for the storage of customer data on its servers. This resulted in significant delays, such that Agronomy identified affected individuals in a staggered fashion over the course of 7 months through third-party e-discovery of the breached dataset. Seeking expert support to confirm the affected individuals and data was a positive step, but the e-discovery expert’s identification of affected individuals would likely have been accelerated if Agronomy had had appropriate information management and storage rules in place.
- Ultimately, Agronomy had a general lack of security-related documentation and records. As a result of limited or incomplete documentation and records with respect to the organization’s past safeguard practices, there were many basic questions that Agronomy was unable to answer, thus diminishing our ability to assess Agronomy’s complete security safeguard infrastructure. Agronomy explained that there had been a change in its entire IT team and much of its IT infrastructure since the breach. Staff turnover and infrastructure changes are to be expected over time. However, adequate recordkeeping and documentation related to safeguards and the breach would have allowed Agronomy to better answer our questions, and to maintain corporate knowledge that could assist the company in avoiding similar safeguard weaknesses in future.
- Similarly, Agronomy was unable to provide any documentation with respect to training for IT and other staff. The respondent was also unable to confirm whether any IT training had been provided to its staff. We note that given the fast-paced nature of IT security, ongoing training, particularly in cybersecurity, is critical to ensuring that key safeguards are in place and properly configured.
- This highlights the importance for organizations to ensure that documented policies and record-keeping practices are in place to properly evaluate, manage, track and demonstrate the implementation of adequate safeguards in compliance with PIPEDA.
Assessment of Agronomy’s Safeguards before and after the Breach
- We find that the specific weaknesses described above constitute a failure by Agronomy to implement security safeguards appropriate to the sensitivity of the personal information held by the company, in contravention of Principle 4.7 of the Act.
- We recognize that not all SMEs will have the capacity to maintain, in-house, the diverse expertise necessary to ensure adequate technical safeguards, information management and breach response protocols and associated training in a dynamic threat environment. However, there are a variety of third-party service providers and automated tools that can be employed by SMEs to address gaps in safeguards and assist in fulfilling compliance requirements under the Act.
Actions taken by Agronomy since the Breach
- We note that Agronomy has made a number of significant improvements to its overall security posture since the breach, including by contracting for third-party services that it may not have capacity to maintain in-house. These improvements have been guided by external experts as well as an entirely new internal IT team, and recommendations by our Office, as detailed further below.
Technical Safeguard Improvements
- Agronomy has implemented multifactor authentication for all external services, infrastructure and administrative services, as well as many employee accounts. It has also moved its infrastructure to a third-party infrastructure-as-a-service (i.e., cloud) platform and implemented conditional access, based on employee need.
- The respondent has implemented an enterprise password manager and enforced password policy to improve the strength and quality of passwords, which can protect against brute-force attacks (Footnote 14) by threat actors attempting to gain systems access.
- Agronomy completed a full review of its firewall and account configurations and implemented a new EDR and antivirus product.
- It also implemented alerting functions and rulesets in its logging and monitoring tools for suspicious behaviour in administrative accounts.
- Agronomy has changed its network architecture to remove connections between Agromat affiliate sites. As a result, an attack on one affiliate's systems can no longer spread to the others.
- It also implemented third-party patch management software, and configured automated patching to ensure software is kept up to date.
- Since the breach, the respondent has implemented a Data Loss Prevention (DLP) service (Footnote 15) to enhance security, including through encryption and control of databases and files. A DLP service can, for example, identify sensitive information that matches defined characteristics (such as a nine-digit number that resembles a SIN) and protect it from unauthorized access and exfiltration.
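The paragraph above describes a DLP service flagging content that matches defined characteristics, such as a nine-digit number resembling a SIN. The following is an added example of that kind of content rule, not code from Agronomy or any vendor named in the report. It assumes only that a Canadian SIN is nine digits whose last digit satisfies the Luhn (mod-10) check; the sample records, names and numbers are constructed for illustration and describe no real person. It goes beyond the paragraph in one respect: it shows why a bare "nine digits" rule is noisy (invoice and order numbers) and how a checksum plus nearby keywords narrows the matches.

```python
"""Toy DLP content classifier: finds SIN-like numbers in text.

Added example (not Agronomy's or any vendor's code). Assumes only that a
Canadian SIN is nine digits whose check digit satisfies the Luhn algorithm.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Nine digits, optionally grouped 3-3-3 with spaces or hyphens, and not part
# of a longer digit run (so a 10-digit phone number is not matched).
SIN_RE = re.compile(r"(?<!\d)(\d{3})[ -]?(\d{3})[ -]?(\d{3})(?!\d)")

# Words that, when they appear near a match, raise confidence that the
# number is a SIN rather than an invoice or account number.
CONTEXT_WORDS = re.compile(r"\b(sin|social insurance|nas)\b", re.IGNORECASE)
CONTEXT_WINDOW = 40  # characters examined on each side of a match


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod-10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    kind: str        # classifier that fired, e.g. "SIN"
    masked: str      # value with all but the last three digits hidden
    offset: int      # character offset of the match in the scanned text
    confidence: str  # "high" when a context keyword is nearby, else "medium"


def scan_for_sin(text: str) -> list[Finding]:
    """Return a Finding for every Luhn-valid nine-digit number in text.

    Nine-digit numbers that fail the Luhn check are dropped: about 90% of
    random nine-digit numbers fail it, which removes most invoice and order
    numbers that a bare nine-digit rule would flag.
    """
    findings = []
    for m in SIN_RE.finditer(text):
        digits = "".join(m.groups())
        if not luhn_valid(digits):
            continue
        lo = max(0, m.start() - CONTEXT_WINDOW)
        hi = min(len(text), m.end() + CONTEXT_WINDOW)
        conf = "high" if CONTEXT_WORDS.search(text[lo:hi]) else "medium"
        # Only a masked form is kept so the scanner's own output is not a leak.
        findings.append(Finding("SIN", "***-***-" + digits[-3:], m.start(), conf))
    return findings


def classify(text: str) -> str:
    """Map scan results to a handling label a DLP policy could act on."""
    findings = scan_for_sin(text)
    if any(f.confidence == "high" for f in findings):
        return "restricted"   # block transfer out, require encryption at rest
    if findings:
        return "review"       # possible SIN, route to a human or a second rule
    return "unrestricted"


# Constructed sample records (the SIN values are illustrative, not real).
SAMPLE_RECORDS = {
    "credit_app": "Applicant: J. Doe  SIN: 046-454-286  DOB: 1970-01-01",
    "invoice":    "Invoice 123456789 for crop inputs, due in 30 days",
    "phone_only": "Call the office at 5195550100 for delivery times",
    "bare_valid": "Reference 046454286 attached to order 77",
}

if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        print(f"{name:12s} -> {classify(record):12s} {scan_for_sin(record)}")
```

The "review" label matters in practice: a Luhn-valid nine-digit number with no surrounding keyword is still a one-in-ten coincidence for any random number, so a real deployment tunes the keyword list and window against its own document corpus before treating a medium-confidence match as a blocking event.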
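The list above also notes that Agronomy added alerting rulesets for suspicious behaviour in administrative accounts, which is the control that would have addressed the two months of undetected use of valid administrator credentials described at the start of this report. The following is an added example of three such rules run over constructed logon records; it is not Agronomy's tooling, and the log format, account names, hosts, hours and IP addresses are all assumptions made for illustration.

```python
"""Toy alerting rules for administrative-account logons.

Added example; not Agronomy's tooling. The log format, account names,
hosts and IP addresses are constructed for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime

# Constructed baseline: which accounts are administrative and where each
# one normally logs on from. A real deployment derives this from history.
ADMIN_ACCOUNTS = {"admin.svc", "da.jsmith"}
KNOWN_SOURCES = {"admin.svc": {"10.0.5.20"}, "da.jsmith": {"10.0.5.21", "10.0.5.22"}}
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 UTC; anything else is off-hours
MAX_HOSTS_PER_HOUR = 3         # more distinct hosts than this in an hour is suspicious


def parse_line(line: str) -> dict:
    """Parse 'ts key=value key=value ...' into a dict; ts is ISO-8601 UTC."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return fields


def evaluate(lines: list[str]) -> list[tuple[str, str]]:
    """Return (rule, message) alerts for successful admin logons.

    Rules: logon from a source not in the account's baseline (reported once
    per account/source pair), logon outside business hours, and logons to
    more than MAX_HOSTS_PER_HOUR distinct hosts within one clock hour.
    """
    alerts: list[tuple[str, str]] = []
    hosts_by_user_hour: dict[tuple, set] = defaultdict(set)
    reported_sources: set[tuple[str, str]] = set()
    for line in lines:
        ev = parse_line(line)
        if ev.get("event") != "logon" or ev.get("result") != "success":
            continue
        user = ev["user"]
        if user not in ADMIN_ACCOUNTS:
            continue
        ts, src, host = ev["ts"], ev["src"], ev["host"]
        if src not in KNOWN_SOURCES.get(user, set()) and (user, src) not in reported_sources:
            reported_sources.add((user, src))
            alerts.append(("new-source", f"{user} logged on from unseen source {src} at {ts.isoformat()}"))
        if ts.hour not in BUSINESS_HOURS:
            alerts.append(("off-hours", f"{user} logged on to {host} at {ts.isoformat()}"))
        key = (user, ts.replace(minute=0, second=0, microsecond=0))
        hosts_by_user_hour[key].add(host)
        if len(hosts_by_user_hour[key]) == MAX_HOSTS_PER_HOUR + 1:
            alerts.append(("host-spray", f"{user} reached {len(hosts_by_user_hour[key])} hosts in the hour of {key[1].isoformat()}"))
    return alerts


# Constructed sample log: one normal admin logon, then one admin account
# used from an unknown address, at night, across four hosts in 30 minutes.
SAMPLE_LOG = [
    "2020-04-02T09:15:00Z host=FS01 user=da.jsmith src=10.0.5.21 event=logon result=success",
    "2020-04-03T02:14:07Z host=DC01 user=admin.svc src=203.0.113.45 event=logon result=success",
    "2020-04-03T02:20:11Z host=FS01 user=admin.svc src=203.0.113.45 event=logon result=success",
    "2020-04-03T02:31:40Z host=APP02 user=admin.svc src=203.0.113.45 event=logon result=success",
    "2020-04-03T02:44:02Z host=DB01 user=admin.svc src=203.0.113.45 event=logon result=success",
    "2020-04-03T02:50:00Z host=DC01 user=jdoe src=10.0.7.9 event=logon result=failure",
]

if __name__ == "__main__":
    for rule, message in evaluate(SAMPLE_LOG):
        print(f"[{rule}] {message}")
```

Each rule on its own produces false positives (an administrator travelling, a late patch window), which is why such rulesets are usually tuned so that a single off-hours logon is logged while the combination of a new source, off-hours timing and many hosts pages someone.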
Organizational Safeguard Improvements
- Agronomy now includes IT training in its employee development plan, to be delivered to all staff on an ongoing basis. Agronomy also provides cybersecurity training to staff. It has contracted with a third-party provider to deliver ongoing training and conduct phishing simulations, to assist employees in recognizing and protecting against phishing attacks.
- Finally, in response to a recommendation by our Office, Agronomy agreed to implement protocols for incident management and zero-day (Footnote 16)
- As a result, we find this aspect of the complaint to be well-founded and conditionally resolved.
Issue 2: Was Agronomy accountable for personal information under its control?
- Principle 4.1 of PIPEDA states that organizations are accountable for personal information under their control and shall designate individual(s) who are accountable for the organization’s compliance with the PIPEDA’s principles. Principle 4.1.4 further provides, in part, that organizations shall implement policies and practices to give effect to the principles of the Act, including: (a) implementing procedures to protect personal information; (c) training staff and communicating to staff information about the organization’s policies and practices; and (d) developing information to explain the organization’s policies and procedures.
- While we did not conduct a complete review of the respondent’s Accountability management framework, we found with respect to safeguards, as detailed above, that Agronomy had a general lack of privacy policies and practices, and associated training, to protect the information under its control.
- Agronomy also lacked a comprehensive privacy policy. Agronomy had only a policy related to its processing of personal information via the Agromat website (e.g., with respect to cookies and analytics).
- Finally, we note that Agronomy had not designated an individual to be accountable for compliance with the Act.
- We therefore find that Agronomy contravened Principles 4.1 and 4.1.4 of PIPEDA.
- In our view, had Agronomy implemented a robust privacy management program, with a designated Privacy Officer, information security procedures and practices, and associated training, many if not all of the safeguard failures we identified in this investigation could have been significantly mitigated or avoided entirely.
- During the course of our investigation, Agronomy implemented various security procedures and policies in relation to the protection of personal information (as detailed under Issue 1). The company has also committed to designating a Privacy Officer, and has developed a privacy policy, accessible at the point of collection via inclusion in its application form, which addresses its practices with respect to collection, use and disclosure of the personal information of its clients.
- As a result, we find this aspect of the complaint to be well-founded and conditionally resolved.
Issue 3: Did Agronomy obtain valid consent?
- Principle 4.3 of PIPEDA states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.3.6 provides that an organization should generally obtain express consent when the information is likely to be considered sensitive. Principle 4.3.2 further states that the principle requires “knowledge and consent” and that organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.
- Agronomy relied upon consent obtained by its affiliates, such as [the vendor] in the case of the complainant, for its collection and use of personal information. Agronomy used this personal information to provide credit services to the clients of Agromat member companies. The respondent explained that members of the Agromat Group, including [the vendor], relied on a single standard form document to obtain consent for the collection, use and disclosure of the personal information of clients. This form would be provided to an individual client to enable them to contract with Agromat companies for services as well as to allow them to establish a credit agreement if desired. Agronomy further explained that the majority of customers chose to enter into a credit agreement. The standard form would also enable a client file to be created, which was necessary for taking orders, issuing invoices and delivering products.
- The personal information requested via this form included biographical data including name, address and DOB, SIN, driver’s license number, spousal DOB and SIN, and financial information such as banking information (i.e., the information that was compromised in the breach). Given the sensitivity of this information, express consent was required.
- The complainant acknowledged that [they] completed an “Agromart Group Credit Application and Agreement” but alleged that [they] had not consented to the “extensive collection of information” by the respondent for purposes of extending [them] credit. The complainant explained that [their] only intention was to purchase agricultural services from [the vendor] and that [they] [were] never made aware that [they] had applied for credit, nor that it had been extended. The complainant advised that the form [they] had completed was the only one that was made available to [them] to purchase goods and services from the respondent. Finally, the complainant asserted that [they] had never received any confirmation that credit was granted or approved.
- Our Office examined a copy of the original application form in question and noted the following:
- The form, which was two pages in length, included large block letters at the top of the page prominently identifying the form as “The Agromat Group Credit Application and Agreement”, followed by “Agromart Name: [Vendor]”.
- The form also had a section reading “Amount of Credit Required”, which was filled in by hand with the figure of $100,000 along with a ticked off box labelled “crop inputs”.
- This was followed by various terms and conditions setting out the obligations and authorizations necessary to obtain and retain credit.
- The complainant’s name, signature and date were visible at the bottom of the form, following the terms and conditions.
- Agronomy furnished our Office with records demonstrating that an account with a credit limit of $100,000 had been opened for the complainant after the receipt of [their] completed application form.
- The respondent explained that the extension of credit allowed customers to make orders and pay for them after receipt, via invoicing. In cases where credit is not furnished, customers can only receive goods and services after payment in full in advance of delivery.
- Agronomy provided our Office with invoices and payment records issued by [the vendor] demonstrating that product had been provided to the complainant, on credit, on various occasions – i.e., the complainant received product along with an invoice requesting payment, and [they] subsequently paid for the product.
- The complainant advised that [they] had generally pre-paid each season, and that [they] rendered payment by cheque immediately whenever [their] purchases exceeded the amount paid in advance. The records provided to our Office by Agronomy corroborate the complainant’s explanation: outstanding balances, where the value of delivered product exceeded the prepaid amount, were paid within 3-5 weeks.
- Ultimately, we accept that the complainant was extended credit, and by carrying a balance, availed [themselves] of the benefits of the credit account over the course of the commercial relationship.
- The form that the complainant signed was clearly labelled as a credit application. The terms and conditions spoke extensively of the creation of a credit agreement and of the collection of personal information for the purpose of such an agreement. A $100,000 credit line was granted by the respondent, consistent with this form, and was subsequently used by the complainant.
- Given all the above, we find this aspect of the complaint to be not well-founded.
- Notwithstanding our finding in this case, Agronomy has advised that: (i) Agromat members use a new form which more clearly separates the section where the client can provide information for the purposes of requesting credit, and (ii) it will create a new form for clients who do not desire credit, which will not request any information aside from business details required for the opening of a client file and for regulatory compliance with the sale of controlled goods.
Conclusion
- Given all of the above, and considering the respondent’s commitment to implement our Office’s recommendations, as detailed in paragraphs 52 and 60, above, within two months of the issuance of this report, our Office finds:
- the Safeguards aspect of the complaint to be well-founded and conditionally resolved;
- the Accountability aspect of the complaint to be well-founded and conditionally resolved; and
- the Consent aspect of the complaint to be not well-founded.
- Notwithstanding the serious safeguard failings we found in our investigation, we commend Agronomy on the safeguard improvements that it implemented in response to the breach, which have resulted in a much more robust information security infrastructure.