I wasn’t even going to mention this breach on this blog. I originally intended to just add it to DataLossDB, but when I read it, I was somewhat put off by the school board’s actions and statements so I decided to comment on it here.
Jeff Hicks reports:
Nine computers stolen from the Waterloo Region District School Board’s education centre in Kitchener on Dec. 1 contained personal information about individuals.
So, should parents and families be worried?
“If there are risks associated with the content, we will contact families directly,” said board chair Catherine Fife on Friday after the first media release was issued on the month-old break-in and theft.
So more than one month after the theft, the board still hasn’t determined if there are risks and hasn’t contacted anybody directly? Why not? Are they working round the clock on this, or did they take the holidays off, or…?
“I think, as a board, we are being responsible by sharing the information and letting the public know that a breach has occurred.”
No details on what type of personal information was contained on the laptops, used by staff, were released by the Board on Friday.
The number of people or families with information at risk was not released.
Families should be grateful that the board disclosed that there had been a breach a month after the fact and without any details? This is what the board considers being responsible? Seriously?
More than one month after a breach, the board should not only have notified employees or parents of students who might have been affected, but they should have made a public disclosure that contains some actual… what’s that word I’m looking for… oh, right: details.
The board says the computers conform to industry standards and highly specialized knowledge would be needed to bypass security to get at the information.
“They may not be able to access that information,” Fife said. “It’s a layered process.”
This has nothing to do with computers conforming to industry standards. It has everything to do with the school board having good security protocols in place and its employees complying with them. A login password or a “layered” access process does not protect the data on a stolen laptop: once a thief has the machine, the drive can be removed and read on another computer unless its contents were actually encrypted. Saying the thieves “may not be able to access that information” is not the same as saying they cannot. Are we to infer that the files or the drives weren’t actually encrypted?
[…]
Board staff are working on a list of individuals whose information was on the stolen computers.
Why isn’t that list compiled already? Were there thousands of individuals or students whose names needed to be compiled? Did the board have current backups of all of the nine laptops’ drives?
I know that Canada has different breach disclosure and breach notification requirements than U.S. states do, but I would hope that the Privacy Commissioner of Ontario, Dr. Ann Cavoukian, would open a sua sponte investigation into this incident to determine whether the Waterloo Region District School Board had adequate security and privacy protections in place and whether its breach response is reasonable or not. If I were a parent of a student in that district, I’d want to know why we hadn’t already been informed of the breach and what data about our family was on those computers.
This was the school board’s second disclosed breach in the past six months. The first, disclosed in August, involved two microfilm tapes containing data on over 2,250 students that went missing in the mail on their way to the board from a firm in Winnipeg. After that breach, the board switched to using a courier service. It was never disclosed when that loss actually occurred or what security protected the data on the microfilm tapes.
Maybe the Waterloo Region District School Board has a reasonable explanation why notification has been delayed in its most recent breach. Maybe they don’t. But so far, their “disclosure” leaves this blogger with more questions than answers.
CORRECTION of January 15: This was apparently their third breach. Coverage by the Waterloo Chronicle reports:
In October a list of e-mail addresses and phone numbers for families of children attending Lester B. Pearson Public School was accidentally attached to a school council newsletter e-mailed out to the parents of about 700 students. A portion of the e-mails were immediately recalled but 300 could not be called back.