CBC News reports:
A laptop with a database containing the personal financial information, names, birth dates, social insurance numbers, and addresses of 92 people has been stolen in Saint John, a CBC News investigation reveals.
The laptop, containing the information of an identity thief’s dreams, was left in a car overnight, unattended. The car’s window was smashed and the laptop was stolen.
The theft occurred late Jan. 17 or early on Jan. 18, according to Tyler Campbell, a communications officer with the Department of Post-Secondary Education, Training and Labour (PETL).
“The person who stole it would have had to get through the first screen, the lock screen, Microsoft password, and then figure out how to get into the database, which is also password protected,” says Campbell.
The department collects the relevant private information of New Brunswickers accessing the self employment benefit program through Southwest Community Business Development Corp. The laptop was in the possession of a CBDC Southwest employee.
Now steel yourself for the Bullshit Response of the Day:
“The laptop was not in plain view, it was put away, and someone decided that they were going to break into the vehicle and that is circumstances outside of our control. There’s absolutely nothing we can do in that particular circumstance,” said Heather Hubert, the CBDC Southwest executive director.
That statement needs to be shared and ridiculed worldwide.
Read more on CBC News.
I blushed while reading this.
*pretending it doesn’t exist*
In their defense though, their privacy policy does state that they protect your personal info via “locked doors” (that is their “security”, seriously, check it out while it’s still up). What we have here is a very rude thief who did not respect the locked door rule.
BRW or BRM (Bullshit Response of the Week/Month)?
I think I like that. New section?
So if this is a new section you plan on, I get to write the first headline!
Rude thief smashes window and steals Canadians’ sensitive and personal information.
CBDC Southwest executive director states they broke the locked door privacy rule; thus this is circumstances outside of their control.
*pushes jaw back up*
So, my friend from the north: when are polite Canadians going to rise up and demand better security, transparency, and accountability for protection of their personal information? No custodian of PII or PHI should be able to use such ridiculously low security protocols or to say “It’s out of our control” when they never used encryption or other commercially available and reasonable security.
Wish I had a magic reply to that question. It’s something I’ve asked as well.
Awareness? A whole lot of lack of awareness?
I know the first time a gov entity lost whole files on me (PHI) I knew nothing about what rights I have, or don’t have. I wasn’t really into privacy nor knew anything about it. I did complain to the place though and was told it happens all the time and to live with it (this was a prov gov place). I never knew, or was told, how and where I could file a complaint. I was just more or less told I look foolish for even questioning the losses.
In all honesty, I think it is lack of awareness, knowledge and education (on all sides). Final answer and best guess.
There can never be a “rise up”, or people demanding more, without some basic knowledge. No?
The way I see it, I think most entities view privacy (as a whole) as a money pit. It doesn’t generate revenue (for most). Maybe I’m wrong.
Want me to move up there for a while? No, huh? 🙂
HAH!
You wouldn’t get past the border 😉
But if you did, through some miracle (or perhaps a nightmare to some), I will dub thee official stirrer-upper and welcome you with open arms.
I can see the Canadian defamation and SLAPP suits now… A glass of Caribou for liquid courage (for me) would be required.
I *always* get past the border. Why do you think I post under a pseudonym? 🙂
Wanted to add… Just to touch base on the knowledge and education part (and training is something I have seen you touch on a few times before in relation to the NullCrew hacks).
Quote from their privacy policy:
“the CBDCs have developed this Policy, implemented document security measures and trained our directors and staff about our policies and practices. This Policy recognizes and is in compliance with the following ten Privacy Principles set out in PIPEDA”
I don’t think anyone was trained really.
I don’t think they are even compliant with PIPEDA when I glance over their policy in relation to the nature and sensitivity of what they collect on people. PrivCom has some basic auditing checklists on their website. Maybe they should try it one day.
They don’t even have a point of contact in relation to someone responsible for privacy within their organization, as they should per Canuck privacy regs. Just a general phone number. But they sure as heck state, “We may seek to be reimbursed for copying charges” if someone wants to see their info. Guess the most important part to them is there.
A whole lot of lacking in their policy. How do you train someone to policy when the policy is lacking?
Guess it’s out of their control.
I guess the best thing to do is to advise all the staff who have laptops to encrypt their files, and also not to leave their belongings inside the car when they’re out. It’s good to bring it with them or leave it at home or in the office.