Ouch.
Howard Solomon reports:
Mistakes can happen in any organization, but when the office of the federal privacy commissioner loses an unencrypted hard drive with personal information it must sting.
But that’s what happened on Feb 14 during the agency’s move to Gatineau, Que. from its home across the river in Ottawa.
The Toronto Star revealed the loss in the print edition of the paper this morning, and it was confirmed in an ITWorldCanada.com interview with interim commissioner Chantal Bernier.
Read more on ITWorldCanada.com.
On April 17, Ms. Bernier sent a letter to John Sims, Privacy Commissioner, Ad Hoc, informing him of the loss. The letter, a copy of which was provided to DataBreaches.net by the Privacy Commissioner’s Office, says that they believe that the backup drive was lost during the move of headquarters from Kent Street in Ottawa to Victoria in Gatineau on February 14, and
On April 9, 2014, staff became aware that the drive contained a backup of the Performance Budgeting for Human Capital (PBHC) system, dating back to 2002; our Office shares the system with the Office of the Information Commissioner of Canada. This is the financial system used to manage and forecast employee salaries and it houses the personal information of employees. Specifically, it includes name, salaries, personal record identifiers (employee numbers) and payment descriptions (e.g., acting pay, arrears, and lump sums). Additionally, information which would normally be reflected on an organization chart, such as classification and position numbers, was also present on the drive.
Approximately 800 current and former employees of both their Office and the OIC are potentially affected by the incident.
Although the data were not encrypted, they were in a format that “would render it difficult to retrieve by anyone without technical expertise.”
In an update of April 22, the Office notes that the drive, a LaCie drive with no label on it indicating its purpose, was discovered missing in mid-March. The drive had been attached to one of the servers:
The drive had been used in the reconstruction of a server. It remained attached to the server infrastructure after the reconstruction of the server was complete. It was located in our secure data centre at 112 Kent.
Later in the summer of 2013, the drive was used to back up our Performance Budgeting for Human Capital system. As it was connected to the server, it did not appear to be an external drive when saving the data to the system.
The Office candidly acknowledged that the data had been retained for too long. In an FAQ on the breach included in the April 22 update, they write:
This information dates back to 2002 – should you have been keeping it that long?
No. The retention period for this information is seven years. It should not have been kept for so long. This is one of the issues we are examining.
Both external and internal reviews are ongoing at this time, and current and former employees are in the process of being notified.
The adage, “people in glass houses shouldn’t throw stones” is relevant here. The OPC should have its own house in order before enforcing privacy rules on others. Set the example.
Yep, but if you look at how transparent they’re being about what happened, and what kind of info was involved, etc., I think they’re setting a good example on that. Should it have taken 3+ weeks to figure out that PII was on the drive? Probably not, but I’ve seen a lot worse.
Inform customers of data breach or pay $100,000 per case: new privacy bill
http://www.itbusiness.ca/news/businesses-could-face-fines-of-100000-per-individual-digital-privacy-act/47931
Businesses and organizations will be formally required to tell individual customers and the Privacy Commissioner of Canada if they’ve suffered a data breach – or pay up to $100,000 in fines for every individual not told, according to the new Digital Privacy Act, or Bill S-4, tabled in the Senate today.
Released today, the act was touted as an update to the Personal Information Protection and Electronic Documents Act. It requires organizations to tell individuals if they’ve lost any personal information, and if they could be targeted for risks like identity theft. They will also have to give individuals advice on next steps in protecting themselves, and they will have to inform the federal privacy commissioner about the data breach.