When your data leaks through the fingers of companies that should have known better, they send letters. Not alerts - those come later - but letters. That's because by law, they have to. They also have to be clear, helpful and transparent, but not all companies read the legislative fine print. What's more, the media often simply amplify the rhetoric without critically analyzing the impact of their news.

It wasn't always so. For the first two decades of the current millennium, Canada's private sector privacy law did not require companies to notify their victims. This was due to Big Tech sector lobbying couched as a charitable act intended to avoid creating public panic (I'm looking at you, ITAC), but which really served to create a regulatory oasis in Canada away from California's progressive SB1386 agenda, which mandated breach notification for the first time in the USA.

For the most part, these letters are largely performative exercises. They apologize. They reassure. They obfuscate. And they always indicate that your stolen data may have been impacted. Indeed, that is one of today's certainties. Like the fact that our data will be taken even if it's bolted down, or that the use of ad blockers will soon be criminalized. (stay tuned)

Last week's announcement from Nova Scotia Power arrived, along with a dozen media requests for yours truly to participate in a battery of interviews that spanned the entire week. The utility being the latest inductee into the Data Breach Hall of Fame, thousands of Canadians received letters letting them know that criminals now had their personal information.

Those recipients - now victims - wondered out loud what two years of credit monitoring actually does and whether it's adequate given the sensitivity of the stolen data. Whether you're interested, impacted, or are just watching the digital fire from the sidewalk, this incident is as good as any other opportunity to ponder those questions.

[by the way: if you're a member of the media, our lovely nonprofit focused on the cybersafety of intergenerational Canadians has just what you need. A handy guide for interviewers on dealing with cyber incidents. Read on.]

Is it time for someone to start asking questions?

🔍 1. “Why did you have that information to begin with?”

Seriously. Why does a utility company need your driver’s license, SIN, and banking data? Are they processing your tax return or just sending your hydro bill?

From NSP’s May 13, 2025 notification letter:

“Your personal information was stored on the impacted servers… [including]: name, phone number, email address, date of birth, customer account history… and driver’s license number. For some… bank account numbers.”

It is unclear why the company collected these sensitive pieces of ID. Even more confusing is the fact that the company's President indicated that this sensitive information was collected to "identify" individuals. However, this practice was only extended to about half of those customers, which raises the question: how many utility customers are considered unidentified?

Unless Nova Scotia Power moonlights as Revenue Canada, a utility has no business stockpiling skeleton keys to your identity.

Moving on.

2. “Why wasn’t it deleted?”

There's a difference between collecting data and keeping it.

Unfortunately, Canadian companies hoard data like tinned soup in a Cold War bunker: just in case. Problem is, stale data gets hacked even faster than fresh information, because it's often left on insecure legacy systems, forgotten and unpatched. I'm not saying that this is what happened in this case, but it's something to ponder.

Privacy laws demand deletion policies. Ethics demand common sense. Neither involves storing your Christmas 1985 hydro consumption data and SIN forever just in case someone wants to run a marketing campaign on 40-year-olds with a propensity for National Lampoon-type light displays.

Remember: old data makes the company entrusted with it a more attractive target.


3. “What are the actual risks now that it’s out there?”

The standard corporate incantation: “We have no evidence of misuse.” That’s not assurance. It’s a guarantee of reputational damage when the company was told by extortionists that in the absence of ransom payment, the data would be published online.

Identity theft is patient. It doesn't need to act today. Your data might be dormant in a fraudster’s Excel sheet, getting cross-referenced with other breaches. It's the long con. And yet, in this case, many NSP customers were notified by the credit reporting agency that their data was already 'out there', a fact that was only later corroborated by the company.

If you're one of the unlucky recipients of the infamous letter, you're not just running the risk of:

  • Credit card fraud and financial swindles,
  • CRA scams, benefits and tax shenanigans,
  • Phishing attacks, clickbait and weaponized electronic messages.

Nope. You are a long term source of potential profit for professional cybercriminals (and amateurs alike) who will exchange your stolen credentials and compromised digital trail, perhaps for years to come.

Is it time to ask the company why credit monitoring is limited to two years? How did the math come about? Can we see the complex risk equations? As my old math teacher - Ed - used to say: Show your work!

More importantly, what types of identity breaches, impersonation, scams and crimes (such as extortion and intimidation) does the service not cover?

You might find the answer enlightening, if one happens to be forthcoming.


4. About that SIN...

News flash: the Social Insurance Number is not a general-purpose ID. It’s a controlled substance, meant for tax authorities, employers, and... that’s pretty much it.

A public utility doesn’t qualify. Unless they’ve pivoted to payroll services, there’s no excuse.

🔑 A SIN is a blueprint for identity theft. If an organization asks for your SIN, the answer should probably be "no thanks”.


5. Why contact the Privacy Commissioner?

Filing a (free) report with the OPC (Office of the Privacy Commissioner) can help you feel like an independent agency is on your side, but the help takes time - sometimes years - to arrive.

Yes, the Office of the Privacy Commissioner of Canada can:

  • Investigate,
  • Recommend,
  • Name and shame.

But don't expect fines or other punishment for negligence or lack of due care. Canada's privacy enforcement is still in its infancy when it comes to violations of your legal rights.

Beyond picking on this unfortunate utility, the opportunity here exists for Canadian

  1. companies to pull up their socks and check their cybersecurity practices to avoid similar disasters
  2. media to learn to ask the right questions and cover cyber incidents in ways that are helpful to a busy public
  3. citizens to understand the real risk of significant harm to themselves and their families, as a result of such breaches

For instance, a quick risk analysis I performed once we knew what data was compromised allowed me to put together a simple table of scenarios that could impact people now and in the future.

In effect, as long as the stolen data remains current - like SINs have a tendency to do, since they are basically unchangeable and only expire when you do - the risks of identity fraud and other serious outcomes can linger like a bad smell.


Journalists need to ask real questions

This week, I had the pleasure to meet a half-dozen reporters who were laser focused on getting to the bottom of the problem with questions like:

  • what can the thieves do with that particular kind of personal data?
  • how did the company decide on precisely 2 years of credit monitoring coverage?
  • was the breach notification letter adequate? If not, what was it lacking?

Detail? Transparency? Panache?

If you're reporting on a breach, don’t parrot corporate talking points. Don’t let “no evidence of misuse” slide. Flag phrases like "we activated our Mega Speed Incident Response Plan and proceeded to further improve our already supertight defences".

And certainly, for your readers' sake, don't let the "any" in "we apologize for any inconvenience" stand.

As I've written before in my Media Cybersecurity Briefings, your audience deserves a watchdog, not a stenographer.

Visit https://www.badsecurity.ca/not-every-hacker-is-a-genius/

While I've got your attention, our team of crack editors at Canada's Cybersafety Foundation created an amazing resource you should know about: The Cyber Interview Best Practices Guide. Or as it's modestly titled, "Media Resources".

I guess the KnowledgeFlow Foundation likes to downplay the criticality of these resources, because real journalism doesn't need horn-tooting. So check it out as it:

  • Cuts through techno-jargon,
  • Protects the public interest,
  • Doesn’t let companies redefine “victimless.”

Yup. Nope. No AI at all. Just me. (CC BY-NC-SA)

Real reporters rave about these shareable resources: "we can’t stop breaches, but we can stop enabling them."


Final Thought: Trust is Flammable

One common theme across this week's carousel of interviews (I'm now big in Nova Scotia) has been the public's trust. Much like the previous catastrophic breach that impacted the province exactly 24 months ago, hundreds of thousands of its citizens were affected, and that stolen information could increase the risk to victims should it get aggregated with the fresh new dataset. Or any other.

Was there any obligation on the part of the organization - or any government agency - to spell out the incremental risk? Should the public be informed of the threats to all those stolen identities? Where does notification cross over into fear, uncertainty and doubt (FUD)? In this case, people wanted to know via scenarios, examples and clear explanations.

The utility isn’t just cleaning up a mess - they’re trying to rebuild trust with matches and gasoline, so it's never a great idea to placate the public with trivialities, false assurances and platitudes. But this didn't appear to be simply a redemption arc. It was a wake-up call, and people did call... the media, to ask about the impact on their lives and what they could do about it, because that letter didn't do much to put them at ease.

So if you run a business, your reputation will hinge upon the answers to three simple questions:

  • Do we hoard data? How much of that information is not absolutely required?
  • Are we using cloud and AI vendors? If so, your supply chain might need a tune-up.
  • Are we running breach simulations, or are we running from accountability?

Because early detection, rapid response and ethical breach notification are the substance of preparation and the magic sauce of risk management when it comes to protecting your organization's good name. Cybersecurity planning - or lack thereof - shows right through those letters of apology.

It's just basic hygiene.


As KnowledgeFlow's modestly named "Media Resources" section never ceases to allude to: Don't just parrot the propaganda. Don't buy the talking points. And push back on the rhetoric. Always be asking the right questions, even if they are uncomfortable.