OPC vs Brinks Home (PIPEDA Findings #2024-002, Mar 28 2024): inadequate safeguards left customer data accessible for 10 weeks

Claim: In PIPEDA finding #2024-002 (March 28, 2024), the Office of the Privacy Commissioner of Canada found that Brinks Home "had not implemented adequate safeguards, resulting in the compromise of customers' personal information via its online portal."

The specifics: Customer data was accessible to former occupants for 10 weeks. OPC finding: "well-founded and resolved." No fine.

Source: https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2024/pipeda-2024-002/

Confidence: Verified.

Why this is the canonical Canadian service-business privacy case:

  • Service business (home security) — exactly the Candid client profile
  • Portal-based data exposure — the modern failure mode
  • 10-week window — the cost of poor monitoring / poor structured logging
  • "Well-founded and resolved" — under current PIPEDA, OPC cannot fine. The cost was reputational and remediation, not financial penalty.

Implication for the data-ownership thesis: a deliberate data layer with proper access controls is the defense, not the risk. Data scattered across Gmail + Drive + a half-used CRM is harder to inventory, harder to search when responding to access requests, harder to delete on request, and harder to secure than a single Postgres warehouse with proper access controls.