Orbit Money Inc. – Data Breach Policy
Purpose:
The purpose of this Data Breach Policy is to explain how Orbit Money Inc. (“we,” “our,” “us”) responds to a data breach, the measures we take to prevent breaches, and how we protect our users, employees, business partners, and third parties. This policy applies to all users of Orbit Money Inc.’s services, employees, and third parties involved in the handling of sensitive data.
In instances where a customer’s transaction is completed with a teller acting on the customer’s behalf, the same protections and security measures apply as if the transaction were conducted directly through our online platform. We are committed to safeguarding customer data, regardless of how the transaction is initiated or processed.
Orbit Money Inc. is committed to complying with the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal privacy law, and any applicable provincial privacy legislation. We also acknowledge the principles of the General Data Protection Regulation (GDPR) where applicable (e.g., concerning data of EU residents). Data breaches pose a serious threat to both our users and our organization, and we are dedicated to responding swiftly and effectively to any breach.
What is a Data Breach?
A data breach is a security incident in which sensitive or private information is exposed, accessed, or acquired without authorization. This includes the unauthorized disclosure of personal, financial, or corporate data.
Examples of exposed data may include:
- Personal information (names, addresses, phone numbers, email addresses, Social Insurance Numbers (SIN), dates of birth, etc.)
- Financial data (credit card information, bank account details, transaction history)
- Corporate information (intellectual property, business plans, confidential communications)
- User credentials (usernames, passwords, access tokens)
A data breach may occur if a hacker gains access to Orbit Money Inc.’s database or network, or if a user’s credentials are compromised in some way. It can also result from employee negligence, system vulnerabilities, or other security failures.
How a Data Breach Could Happen:
Data breaches can occur for several reasons, including:
- Weak Passwords: If an individual (whether an employee, customer, or third party) uses a weak password, such as a short, common, or predictable combination, that password can be easily guessed or cracked by cybercriminals.
- Human Error: Employees or users who share login details, leave devices unattended, send data to the wrong recipient, or fall victim to phishing attacks increase the risk of a breach. Insecure devices or unencrypted data can also lead to a breach.
- System Vulnerabilities: Vulnerabilities in our systems, including outdated software, unpatched systems, or coding errors, can provide entry points for hackers.
- Malware: Clicking on a malicious link or downloading a harmful attachment can allow hackers to install malware (e.g., ransomware, spyware) on a device, which then provides them access to Orbit Money’s systems.
- Social Engineering: Attackers may manipulate individuals into divulging confidential information or granting access to systems through deception (e.g., phishing, pretexting).
- Insider Threats: A current or former employee, contractor, or other authorized user may intentionally or unintentionally misuse their access to sensitive data.
- Physical Breaches: Unauthorized access to physical locations where data is stored (e.g., offices, data centers) can lead to data breaches.
How We Respond to a Data Breach:
In the event of a data breach, we have established a systematic response plan, outlined in our Incident Response Plan (IRP), to mitigate harm, recover data, and prevent future breaches. The following steps provide a high-level overview of our response:
- Establish a Data Breach Response Team: We have established a cross-functional Data Breach Response Team (DBRT) responsible for coordinating and managing the response to any data breach. The DBRT includes representatives from legal, IT, security, communications, and senior management.
- Contain the Breach:
- As soon as a breach is detected, the DBRT will take immediate steps to contain it. This may involve:
- Isolating affected systems (e.g., servers, networks, databases).
- Shutting down compromised user accounts or applications.
- Blocking network traffic to and from suspicious sources.
- Preserving evidence for forensic analysis.
- If the breach stems from a customer’s account or a specific area of our platform, we will take swift action to limit the spread of damage, whether the transaction was initiated online or via a teller.
- Assess the Breach:
- The DBRT will promptly assess the severity and scope of the breach, including:
- Determining the nature of the breach (e.g., hacking, human error, system vulnerability).
- Identifying the systems and data affected.
- Evaluating the sensitivity of the exposed data (e.g., personal, financial, corporate).
- Determining the number of individuals affected.
- Assessing the potential risk of harm to affected individuals, in accordance with PIPEDA.
- Notification:
- We will comply with PIPEDA’s requirements regarding notification of the Privacy Commissioner of Canada and affected individuals.
- Notification to the Privacy Commissioner of Canada: We will notify the Privacy Commissioner of Canada as soon as feasible after determining that the breach creates a real risk of significant harm to individuals. The notification will include the information required by PIPEDA, including:
- A description of the circumstances of the breach and, if known, its cause.
- The date or estimated date of the breach.
- A description of the personal information involved in the breach.
- An assessment of the risk of harm to affected individuals.
- The number of individuals affected.
- The steps we have taken to reduce the risk of harm.
- Contact information for our organization.
- Notification to Affected Individuals: Unless prohibited by law, we will notify affected individuals as soon as feasible after determining that the breach creates a real risk of significant harm. The notification will be conspicuous and will be given directly to the individual, except in limited circumstances where indirect notification is permitted under PIPEDA. The notification will include sufficient information to allow the individual to understand the significance of the breach and to take steps to reduce the risk of harm, including:
- A description of the breach.
- The types of personal information involved.
- The steps we have taken to address the breach and mitigate its effects.
- The steps affected individuals can take to protect themselves.
- Contact information for further inquiries.
- Method of Notification: Notification may be provided through various methods, including email, mail, telephone, or other appropriate means, depending on the circumstances of the breach and the contact information available. We will choose the most effective method to reach affected individuals in a timely manner.
- Investigation and Remediation:
- We will conduct a thorough investigation to determine the root cause of the breach and implement corrective actions to prevent similar incidents in the future. This may involve:
- Forensic analysis of affected systems.
- Reviewing security logs and access controls.
- Identifying vulnerabilities in our systems or processes.
- Implementing security enhancements, such as patching systems, updating software, and strengthening access controls.
- Security Audit:
- Following a breach, we will conduct a comprehensive security audit to evaluate the effectiveness of our existing security measures and identify areas for improvement. This audit will include:
- Reviewing server configurations, network security, and system architecture.
- Analyzing user access logs and authentication mechanisms.
- Assessing the effectiveness of firewalls, intrusion detection/prevention systems, and anti-virus software.
- Evaluating data encryption methods and key management practices.
- Auditing third-party service provider security practices.
- Reviewing our DNS configuration and domain records as part of the infrastructure review.
- Update the Incident Response Plan:
- We will review and update our IRP based on the lessons learned from each incident. This includes:
- Updating our policies, procedures, and security standards.
- Providing additional training to employees on security best practices and breach prevention.
- Revising our communication protocols and notification procedures.
- Improving our data backup and recovery procedures.
- Documentation: We will maintain detailed records of every breach of security safeguards, whether or not it was found to create a real risk of significant harm, including the date, time, nature of the breach, data involved, actions taken, and any notifications made. These records will be retained for at least 24 months after the day we determine the breach occurred, as required by PIPEDA and its Breach of Security Safeguards Regulations, and will be provided to the Privacy Commissioner of Canada on request.
Protecting Ourselves from a Data Breach:
We are committed to proactive measures to prevent data breaches and protect sensitive data. These measures include:
- Data Minimization and Retention:
- We adhere to the principles of data minimization by collecting only the personal information that is necessary for identified purposes.
- We have established data retention schedules to ensure that personal information is retained only for as long as necessary to fulfill the purposes for which it was collected, or as required by law.
- Employee Education and Training:
- We provide regular and comprehensive training to all employees, including those handling sensitive data, on data security best practices and their responsibilities under this policy and PIPEDA.
- Training covers topics such as:
- Recognizing and reporting potential security threats (e.g., phishing attacks, social engineering).
- Proper handling of sensitive data, including encryption and secure storage.
- Password security best practices.
- Data breach response procedures.
- Employees in roles involving sensitive data or financial transactions, including tellers, receive additional specialized training.
- Data Security Measures:
- We have implemented a multi-layered security approach to protect data and systems, including:
- Encryption: We use strong encryption to protect sensitive data both in transit and at rest.
- Access Controls: We implement strict access controls, including role-based access control (RBAC) and the principle of least privilege, to restrict access to sensitive data to authorized personnel only.
- Firewalls: We use firewalls to protect our networks from unauthorized access.
- Intrusion Detection and Prevention Systems (IDPS): We employ IDPS to monitor for and block malicious activity.
- Anti-virus and Anti-malware Software: We use up-to-date anti-virus and anti-malware software on all systems.
- Vulnerability Management: We have a robust vulnerability management program that includes regular vulnerability scanning, assessment, and patching to ensure our systems are up to date and secure.
- Regular Security Audits: We conduct regular security audits, both internally and externally, to assess the effectiveness of our security measures and identify potential vulnerabilities. These audits cover:
- Network security
- System configurations
- Application security
- Data storage and transmission
- Third-party security practices
- Password Management:
- We enforce strong password policies, including requirements for:
- Minimum password length.
- Use of a combination of uppercase and lowercase letters, numbers, and special characters.
- Regular password changes.
- We require the use of multi-factor authentication (MFA) for accessing sensitive systems and data.
- Secure Data Transfers:
- All data transfers, both internal and external, are conducted securely over encrypted channels (e.g., TLS/HTTPS, SFTP).
- We monitor data transfers to prevent unauthorized access or disclosure.
- Third-Party Security:
- We require all third-party service providers and business partners who handle sensitive data on our behalf to:
- Comply with our security standards and this policy.
- Enter into contracts that include data protection clauses and require them to implement appropriate security measures.
- Undergo security assessments or audits to verify their compliance.
- Physical Security: We maintain physical security measures to protect our facilities and data, including access controls, surveillance, and secure storage for sensitive documents.
- Data Backups and Recovery: We perform regular data backups and have a documented data recovery plan to ensure business continuity in the event of a data breach or other disruption.
Individual Rights:
In accordance with PIPEDA, individuals have certain rights regarding their personal information. In the context of a data breach, we are committed to upholding these rights, which include:
- Right to be Notified: The right to be notified of a data breach that creates a real risk of significant harm, as detailed in this policy.
- Right to Access: The right to access their personal information held by Orbit Money Inc., including information related to a data breach affecting them.
- Right to Rectification: The right to request that we correct any inaccurate or incomplete personal information.
- Right to Withdraw Consent and Request Deletion: The right to withdraw consent to the collection, use, or disclosure of their personal information, subject to legal or contractual restrictions, and to request deletion of personal information we no longer need for the purposes for which it was collected. Where GDPR applies (e.g., to data of EU residents), this includes the right to erasure.
- Right to Complain: The right to file a complaint with the Privacy Commissioner of Canada regarding our handling of their personal information.
Employee Discipline:
Any employee who violates this Data Breach Policy or contributes to a data breach through negligence, intentional misconduct, or failure to follow security procedures will be subject to disciplinary action, up to and including termination of employment, to the extent permitted by applicable law.
Incorporating the PAD Agreement:
As part of our commitment to protecting your data and financial information, we ensure that all transactions processed by Orbit Money Inc., whether directly by a customer or through a teller, comply with the Pre-Authorized Debit (PAD) Agreement. This includes maintaining secure protocols for transactions done through a teller. Customers initiating PAD transactions are protected under this policy, and we work with our third-party partners to ensure security throughout the process.
Final Note:
This policy will be periodically reviewed and updated to reflect changes in our business practices, legal requirements, or technological advancements. The responsibility for enforcing this policy lies with Orbit Money Inc.’s Compliance Department and Data Breach Response Team, who ensure ongoing monitoring to identify and mitigate any data breach risks.
If you have any questions regarding this policy, please contact us through the “Contact Us” page on our website: https://orbitmoney.com
