05/04/2026
How a “Board Portal” Was Just a Public Website
In organizations responsible for protecting vulnerable people, privacy is not optional—it is a legal obligation. Systems that handle sensitive information are expected to meet a basic standard of security.
In this case, they did not.
What was described as a “board portal” was not a secured system, a private network, or even a controlled access platform.
It was a public website.
The Claim vs. The Reality
Leadership presented the system as a “private electronic portal” with multiple layers of security, accessible only to authorized users. The terminology implied a restricted environment—something designed to prevent unauthorized access.
But under scrutiny, those claims collapsed.
There was no login requirement.
No authentication.
No access control.
Confidential documents were placed on a publicly accessible platform where they could be reached by anyone with a standard web browser.
No Breach Ever Occurred
When the matter reached court, the central issue became clear:
There was no hacking.
An IT specialist testified that the documents could be accessed without passwords, without tools, and without any form of deception. They were simply available online.
The court agreed.
The information was publicly available.
That finding carries legal weight. If there is no barrier to access, there is no intrusion. The system wasn’t compromised—it was open.
What a Real Board Portal Requires
A legitimate board portal is built specifically to protect sensitive information. It is not just a document repository—it is a controlled system designed with layered security.
These systems operate using a defense-in-depth model, meaning multiple safeguards are in place so that failure at one level does not expose the data.
At minimum, a proper system includes:
Encryption of data both in storage and during transmission
Granular access controls to limit who can view or interact with specific files
Multi-factor authentication (MFA) to verify user identity
Audit logging to track every access and action
Remote wipe capabilities for lost or compromised devices
More advanced implementations also include:
SIEM systems to monitor activity and detect anomalies in real time
Centralized logging and alerting across all systems
Hardware-based key protection to secure encryption credentials
These are standard practices—not optional enhancements.
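The most basic of these controls, that a request carrying no credentials is refused, can be checked mechanically. The following is an added example, not code from this article or from any system it describes; the paths, login path names and response records are constructed assumptions.

```python
# Added example. Each record is the answer a site gave to a request sent with
# no cookies or credentials; all paths and values below are constructed.
DOC_TYPES = ("application/pdf", "application/msword", "application/vnd.")
LOGIN_HINTS = ("login", "signin", "sso")  # assumption: usual login path names

def classify(resp):
    """Return 'denied', 'exposed' or 'review' for one unauthenticated response."""
    status = resp["status"]
    ctype = resp.get("content_type", "").lower()
    if status in (401, 403, 404, 410):
        return "denied"  # refused, or nothing served at all
    if 300 <= status < 400:
        # A redirect counts as a barrier only if it leads to a login page.
        target = resp.get("location", "").lower()
        return "denied" if any(h in target for h in LOGIN_HINTS) else "review"
    if status == 200:
        if ctype.startswith(DOC_TYPES):
            return "exposed"  # the file itself came back
        if ctype.startswith("text/html"):
            # A 200 page with a password field is a login form, not the content.
            is_form = 'type="password"' in resp.get("body", "").lower()
            return "denied" if is_form else "exposed"
    return "review"

def exposed_paths(responses):
    """Paths that served content to a caller who never authenticated."""
    return [r["path"] for r in responses if classify(r) == "exposed"]

SAMPLE = [  # constructed responses for a hypothetical /portal/ area
    {"path": "/portal/", "status": 302, "location": "/login?next=/portal/"},
    {"path": "/portal/report.pdf", "status": 200, "content_type": "application/pdf"},
    {"path": "/portal/minutes/", "status": 200,
     "content_type": "text/html; charset=utf-8", "body": "<h1>Board minutes</h1>"},
    {"path": "/portal/agenda/", "status": 200, "content_type": "text/html",
     "body": '<form><input type="password" name="pwd"></form>'},
    {"path": "/portal/old/", "status": 301, "location": "/portal/archive/"},
    {"path": "/portal/budget.xlsx", "status": 403},
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(f'{classify(r):8} {r["path"]}')
    print("exposed:", exposed_paths(SAMPLE))
```

Any path reported as exposed means the "portal" is behaving as a public website for that resource; entries marked review need a person to follow the redirect or inspect the response.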
What Was Actually Used
None of these protections were meaningfully implemented.
Instead, the system relied on a common content management platform designed for publishing content to the open internet.
No authentication barriers.
No layered defenses.
No monitoring capable of detecting unauthorized access.
In practical terms, sensitive information was placed into an environment built for public visibility.
The Financial Fallout
The consequences were substantial.
A class-action lawsuit initially sought $75 million. The case ultimately settled for $5 million, with additional legal and administrative costs.
Attempts to recover those losses through insurance failed. The policy excluded coverage for data distributed via an “internet website.” Because the system functioned as one, the exclusion applied.
The organization was left to cover the costs itself.
Beyond the Settlement
The financial impact is only part of the outcome.
Sensitive personal information was exposed without resistance. Trust was damaged. And when another breach occurred years later, it raised questions about whether the underlying issues had been addressed at all.
The Critical Distinction
This case underscores a basic but essential reality:
A secure portal requires controlled access and layered protection.
A public website provides neither.
Labeling one as the other does not change how it functions—or how it is treated in court.
The Failure
This was not a sophisticated cyber incident.
No advanced techniques were used.
No defenses were bypassed.
Because there were no meaningful defenses in place.
Sensitive data was placed on a system designed for open access and left there without protection.
Final Word
Nothing was hacked.
No barriers were broken.
No systems were breached.
Because there were no barriers to begin with.
The issue was not technical complexity.
It was a fundamental failure to understand the difference between private and public systems—and the consequences of treating them as the same.
The result was predictable.
And entirely avoidable.
PROTECTED BOARD PORTAL OR PUBLICLY ACCESSIBLE WEBSITE?
Difference between Internet, Intranet and Extranet
This video is about the internet, intranet and extranet. In this video you will learn what the difference is between the internet, an intranet and an extranet. They have been explained with real-life examples so everyone could easily understand.
https://youtu.be/HEzN3B_aXE4
Internet vs. intranet vs. extranet: The key differences
1. Internet: The network formed by the co-operative interconnection of millions of computers, linked together, is called the Internet. The Internet comprises:
People: People use and develop the network.
Resources: A collection of resources that can be reached from those networks.
A setup for collaboration: It includes the members of the research and educational committees worldwide.
2. Intranet: It is an internal private network built within an organization using Internet and World Wide Web standards and products that allows employees of an organization to gain access to corporate information.
3. Extranet: It is the type of network that allows users from outside to access the Intranet of an organization.
https://www.joinblink.com/intelligence/internet-intranet-extranet
CAS whistleblower acquitted.
The judge noted that the CAS did not take appropriate measures to secure private information. The judge also noted there were no special computer skills or deception required to access the files, which were not marked as confidential and came with no warnings or disclaimers.
The information was publicly available, the judge ruled. He said there was no hacking and Denham didn’t break any Children’s Aid Society (CAS) laws about identifying children involved in court proceedings.
By Gary Dimmock
Published Jun 04, 2020
https://conspiranon.blogspot.com/2024/05/family-and-childrens-services-of-lanark.html
IT SPECIALIST
The majority of testimony on Aug. 14 came from David Schmidt, an IT specialist, who was contracted to investigate the issues with the organization’s website. (It was also noted that he was the son-in-law of Margaret Row, a project manager for FCSLLG.)
LAX SECURITY
In later testimony, Schmidt said that accessing the sensitive documents from the organization’s website (which was a WordPress web page), in 2016, would not have required passwords and usernames to access the private board portal on the website.
So there was no need for an Intranet or an Extranet to protect the information they were uploading to their WordPress Board Portal from FCSLLG's internal office computers.
HOW MANY WORDPRESS WEBSITES ARE HACKED EACH YEAR?
https://prominentweb.com/blog/how-many-wordpress-websites-hacked-each-year/
Understanding CMS Security: A Look at Website Vulnerabilities
Recent professional studies have revealed that approximately ninety percent (90%) of all compromised content management systems (CMS) on the Internet were WordPress sites. This is a significant figure compared to Joomla (4.3%) and Drupal (3.7%), which ranked second and third respectively.
https://marketing.legal/EN/success/tips-and-bits/wordpress-hacked-the-most
https://blog.hubspot.com/website/wordpress-security-issues
https://www.wpbeginner.com/beginners-guide/reasons-why-wordpress-site-gets-hacked/
https://blog.sucuri.net/2024/02/wordpress-hacked.html
1M+ WordPress Sites Hacked via Zero-Day Plug-in Bugs: A wide-ranging campaign to inject malicious code into WordPress-run websites has been ongoing for at least five years.
https://www.darkreading.com/vulnerabilities-threats/1m-wordpress-sites-hacked-via-zero-day-plugin-bugs
Cyber Liability Prior to FCSLLG v. Co-operators.
https://www.pallettvalo.com/wp-content/uploads/2021/05/PV-Insurance-Law-Court-of-AppealCGL-Policies-4-1.pdf
https://www.pallettvalo.com/articles/ontario-court-of-appeal-upholds-data-exclusion-clauses-in-cgl-policies-no-duty-to-defend/
Appeal Court ruling on data exclusion clauses significant for insurance bar, say lawyers.
https://lawlibrary.ca/wp-content/uploads/2021/04/Appeal-Court-ruling-on-data-exclusion-clauses-significant-for-insurance-bar-say-lawyers-The-Lawyers-Daily.pdf
Appellate Court rules on cyber breach class action coverage dispute
Family and Children’s Services of Lanark, Leeds and Grenville v. Co-operators General Insurance Company, 2021 ONCA 159 (CanLII)
On March 15, 2021, the Ontario Court of Appeal released its decision in Family and Children’s Services of Lanark, Leeds and Grenville v. Co-operators General Insurance Company. This proceeding arose out of three separate applications dealing with the duty to defend, which were heard together.
Family and Children’s Services of Lanark, Leeds and Grenville (FCS) claimed that it was hacked in April 2016, and confidential reports were allegedly leaked onto two pages. Prior to this incident, FCS had hired Laridae Communications (Laridae) to refresh and review the FCS website. FCS and Laridae were both insured by Co-operators General Insurance Company (Co-operators). Following these alleged unintended disclosure incidents, a class proceeding was commenced against FCS seeking damages of $75 million. FCS also brought a third-party claim against Laridae.
Co-operators denied coverage to both FCS and Laridae, based on exclusion clauses in the policies, which excluded claims arising from the distribution or display of data by means of an internet website. FCS and Laridae claimed Co-operators had a duty to defend their interests in the class action and began applications. Co-operators brought a separate application for an order that it had no duty to defend Laridae in the class action.
https://canliiconnects.org/en/summaries/73734
Why Are Some Cybersecurity Insurance Claims Denied?
As we mentioned, one of the reasons claims are denied is a failure to take reasonable steps to protect your business. However, there are other reasons claims may be denied as well. Some insurers will only cover certain types of cyberattacks or data breaches. For example, they may not cover phishing attacks or social engineering. Check with your insurer to see what is and is not covered under your policy.
There are several reasons why cybersecurity insurance claims are denied. Here are some of the most common:
You Did Not Have Adequate Cybersecurity Measures in Place
Your claim might be denied if you did not have adequate cybersecurity measures in place at the time of the data breach or incident. Your insurance provider will want to see that you took reasonable steps to protect your data and systems. This includes things like having a firewall, using strong passwords, and having up-to-date anti-virus software.
You Failed to Take Reasonable Steps to Prevent the Data Breach or Incident
Even if you had cybersecurity measures in place, your claim may still be denied if it is determined that you could have prevented the data breach or incident. For example, your claim may be denied if you failed to patch a known security vulnerability.
You Did Not Notify Your Insurance Provider Promptly
If you did not notify your insurance provider of the data breach or incident promptly, your claim might be denied. It is important to contact your insurer as soon as possible to begin the claims process.
Your Policy Has Exclusions.
Some cybersecurity insurance policies have exclusions that may prevent your claim from being approved. For example, many policies exclude claims from certain cyberattacks, such as ransomware. Review your policy carefully to see if any exclusions could apply to your claim.
You Did Not Cooperate With the Investigation
Your claim might be denied if you did not cooperate with the insurance company’s investigation into the data breach or incident. The insurance company will want to interview you and review your records to determine what happened.
You Made Material Misrepresentations in Your Application
Your claim might be denied if you made material misrepresentations on your insurance application. For example, your claim may be denied if you failed to disclose a previous data breach or incident. Be sure to disclose all relevant information on your insurance application to avoid having your claim denied.
https://daxtech.ca/will-your-cybersecurity-insurance-claim-be-denied/
2024: ‘I am deeply troubled’: Data breach impacts clients at Lanark County family services organization
Posted on February 16, 2024 by Dissent Doe, PhD
https://databreaches.net/2024/02/16/i-am-deeply-troubled-data-breach-impacts-clients-at-lanark-county-family-services-organization/