Delayed breach reporting and a hesitant response by the Privacy Commissioner - at first.
At the beginning of this week it was reported that the personal information of thousands of Canadians had ‘gone missing’. The facts of the case to date seem to be that an employee of Human Resources and Skills Development Canada (HRSDC) reported a lost memory stick. The memory stick was unencrypted, in violation of HRSDC’s own policies, and contained sensitive information about 5,000 or so Canadians. The information lost is reported to include names, social insurance numbers, and disability/health information about the affected individuals. HRSDC has notified, or is in the process of notifying, the affected individuals and continues to search for the lost memory stick.
This file appears to have been badly handled on a number of levels. The first and most obvious question is how the information ended up on an unencrypted memory stick in the first place. What purpose was being served? If the employee in question had a laptop from HRSDC, why did they need the stick at all, and if they didn’t have a laptop, were they planning to use the information on their home computer? I can’t count how many bad practices that entails.
Parenthetically, I’ll note that a separate news piece this past week reported that employee training can reduce insider breaches by 58%, and that monitoring computers combined with meaningful sanctions for employees can reduce them by a further 40%. It will be interesting to see what the OPC report has to say, if it is made public, about both the level of employee privacy training at the department and the consequences for employees who violate departmental privacy and security rules.
If we set aside the original problem, we are still left with a couple of puzzling questions about both HRSDC and the OPC. On the HRSDC side, more than a month passed between the reported loss and the report of that loss to the OPC. Further, although it’s not entirely clear in the reports I’ve read, it also appears that a similar time frame elapsed before HRSDC started notifying the affected individuals. This is, not to put too fine a point on it, inexcusably lax. If the memory stick is genuinely lost, or sitting at a dry cleaner’s somewhere, no actual harm beyond the stress of knowing that this information has been lost is likely to come to the individuals affected. If, on the other hand, the memory stick has landed in the hands of a person or persons with the skills and the inclination to use it for identity theft or fraud, then the faster the individuals know about it the better, so that they can take the steps necessary to protect themselves. If the timeline is as reported and HRSDC did delay a month before contacting individuals, then it sadly looks like managers at that department were more concerned about the department’s reputation and their own careers than about the individuals whose information they were charged with safeguarding.
On the OPC side, I’m puzzled by the OPC’s initial response. The Commissioner has suggested in more than a few forums that the ombudsman role her office fulfills is increasingly inadequate to the environment that everyone’s personal information now inhabits. In that light, this seems to have been a case where the OPC would be well within its mandate to self-initiate an investigation without waiting for a complaint or complaints. The news report that announced the OPC will investigate this issue also stated that the OPC had taken close to 200 calls from people expressing concern about the breach. Surely, if the OPC wants to move beyond the ombudsman role, it will need to be more proactive in the future.
The following is a timeline of what has been reported to date:
- On November 16th an unencrypted memory stick with personally identifiable information was reported missing by an employee at Human Resources and Skills Development Canada (HRSDC)
- On December 21st, HRSDC notified the Office of the Privacy Commissioner of Canada (OPC) that the data had been lost
- On January 4th, the OPC confirmed, after what appeared to be some waffling in the media, that it will be investigating the matter
Other privacy stories of note
Not a single store in Toronto’s Eaton Centre had proper signage about cameras
It passed the House and the Senate, and just before the new year the President signed it into law. In a significant shift in video privacy, online video rental companies can now share information about the movies you rent or buy. As you might expect, things are about to get more social.
The long arm of Connecticut law supports personal jurisdiction over Canadian employee accessing company’s U.S. server
A Canadian employee of a U.S. firm allegedly forwarded confidential information from her corporate email to her personal email. The Connecticut courts held, on appeal, that because the server she accessed was located in Connecticut, the employer could sue there and the defendant would have to defend herself in that jurisdiction.
Medical centers that elect to keep psychiatric files private and separate from the rest of a person’s medical record may be doing their patients a disservice, a Johns Hopkins study concludes.