{"id":591,"slug":"brinks-home-opc-finding-2024","title":"OPC vs Brinks Home (PIPEDA Findings #2024-002, Mar 28 2024): inadequate safeguards left customer data accessible for 10 weeks","kind":"reference","scope":"business","status":"current","audiences":["kevin","claude-code","candid-team"],"topics":["regulatory-compliance","security-vulnerabilities"],"reference_body":"**Claim:** Office of the Privacy Commissioner of Canada finding **#2024-002** (March 28, 2024) against **Brinks Home**: Brinks *\"had not implemented adequate safeguards, resulting in the compromise of customers' personal information via its online portal.\"*\n\n**The specifics:** Customer data was **accessible to former occupants for 10 weeks**. OPC finding: **\"well-founded and resolved.\"** No fine.\n\n**Source:** <https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2024/pipeda-2024-002/>\n\n**Confidence:** Verified.\n\n**Why this is the canonical Canadian service-business privacy case:**\n- **Service business** (home security) — exactly the Candid client profile\n- **Portal-based data exposure** — the modern failure mode\n- **10-week window** — the cost of poor monitoring / poor structured logging\n- **\"Well-founded and resolved\"** — under current PIPEDA, OPC cannot fine. The cost was reputational and remediation, not financial penalty.\n\n**Implication for the data-ownership thesis:** a deliberate data layer with proper access controls is the **defense**, not the risk. 
Data scattered across Gmail + Drive + a half-used CRM is harder to inventory, harder to query when responding to access requests, harder to delete on request, and harder to secure than a single Postgres warehouse with proper access controls.","rationale_body":null,"metadata":null,"links":{"outgoing":[{"slug":"pipeda-bill-c-27-died-january-2025","title":"Canadian privacy 2026: PIPEDA still governs; Bill C-27 died on the Order Paper Jan 6, 2025 — no fines, only findings","kind":"reference","scope":"business","link_type":"depends-on"}],"incoming":[{"slug":"rule-structured-data-is-privacy-compliance-accelerator","title":"RULE: Treat a deliberate data layer as a privacy-compliance accelerator, not a privacy risk. The scattered alternative is harder to comply with.","kind":"rule","scope":"business","link_type":"depends-on"},{"slug":"research-brief-dataset-is-the-product","title":"Research brief: The Dataset is the Product — when a service business should own its data (piece 12 of 15)","kind":"reference","scope":"business","link_type":"relates-to"}]},"created_at":"2026-05-22T20:37:13.207Z","updated_at":"2026-05-22T20:37:13.207Z"}