In September, I reported a case in Canada involving Mark Morris, a man who purchased decommissioned hardware from Ernst & Young in 2006 that he claimed had not been properly wiped. Morris had been employed by Synergy Partners, a firm Ernst & Young bought in 2003. He had purchased at least two servers and dozens of devices in 2006, but it wasn’t until March 2014, when he booted one of the servers, that he discovered that it contained personal information that had not been wiped.
Unable to resolve the issue to Morris’s satisfaction, Ernst & Young subsequently obtained consent orders in July and December of 2014, requiring him to secure the server and any devices and allow them access to the devices to inspect and wipe them. The consent orders also required Morris to tell Ernst & Young the name of a law firm to whom he had sold a second decommissioned server.
The consent orders did not require Morris to return any hardware to Ernst & Young, and Morris informs DataBreaches.net that he uses the devices on a daily basis in the operation of his businesses.
Yesterday, the Office of the Information and Privacy Commissioner of Alberta issued its findings in response to a complaint he filed about Ernst & Young’s breach and incident response.
The OIPC considered four issues. The first was whether the server in question contained personal information, as defined by the Personal Information Protection Act (PIPA). The server contained 58,170 documents that were at least 10 years old, and of which, approximately 494 contained some form of personal information. Approximately 200 of those files were resumes, employee lists, and other files with salary or information of Synergy and its clients’ personnel. Of those 200 files, 24 contained sensitive personal information. The server sold to the law firm contained no personal information and appeared to have been wiped.
So in answer to the first question, yes, the server contained information that should have been protected under PIPA. Since Ernst & Young purchased Synergy Partners in 2003, they were responsible for that server and for wiping it properly before sale. Their failure to do so was an unintended contravention of PIPA.
The OIPC also considered whether Ernst & Young had had “reasonable security arrangements” in place to protect the personal information. On that issue, the OIPC found that they had reasonable procedures in place but had not confirmed that they had been followed. In 2008, and before it even know of this breach, Ernst & Young implemented a media sanitization policy that required confirmation. They also changed their policy to no longer sell decommissioned hardware, so the OIPC was confident that this problem would not likely reoccur.
But once it knew of the breach, was Ernst & Young’s incident response reasonable and adequate? On that issue, the OIPC found that under the circumstances, Ernst & Young had done what it could to recover the hardware and ensure that it would not be further disclosed. The only thing they hadn’t done (as far as the OIPC knows) – and that the OIPC recommended that they do even now – was to formally notify the OIPC of the breach, as required by section 34.1 of PIPA. Once the OIPC is formally notified, the Commissioner would/will determine if notification to affected individuals is required.
DataBreaches.net emailed Ernst & Young to inquire whether they have now formally notified the OIPC and whether they intend to notify affected individuals. Their response was as follows:
EY is committed to the protection of the confidentiality and privacy of client information. As part of this commitment, our business operations are founded
on robust data privacy and information security programs. EY takes proactive
physical, technical and administrative measures to safeguard documents,
computers and other data devices that contain client information. As this
matter is before the Office of the Information and Privacy Commissioner of
Alberta , EY will not be able to comment any further at this time.
Asked whether he was satisfied with the OIPC’s findings, Morris responded:
No, I am not satisfied. I will request an inquiry as the personal information for people is still in my possession and also outside the jurisdiction of the court order that they obtained. They make the privacy commissioner believe that they contained the breach. The breach is not contained as someone could break into my buildings and steal the computers with all the information on them. The computers could also be hacked and have the information compromised.
Morris believes that the OIPC has been misled into thinking that all personal data has been wiped. He alleges that Ernst & Young’s experts did not find all the relevant files because they searched manually instead of using forensic software, and the consent order only applied to devices in Morris’s custody or control. Morris claims that they never asked about any systems that were sold, other than the three he bought from them. Morris has offices in the USA, Alberta and Europe:
The 37 devices they inspected were either in Saskatchewan or available over VPN’s (Canada, USA and Europe) for them to inspect. They inspected them manually and did not purge many instances of the data on these devices.
There was about 250 devices in Saskatchewan that they did NOT inspect and were
sold after their original court order expired. They had a week to inspect and
left after 2 days and a few hours as one of the inspectors wanted to attend to
his child’s ball game in Toronto and they never came back. They stated that
they had no intention to have EY personnel return to my Saskatchewan premises
as their further attendance is NOT needed.
Morris, who has not received any money from Ernst & Young other than compensation for the time he had to be present while they were on his premises inspecting, adds that he
cannot be responsible for events not within my control where the devices are located. They obtained a order in Alberta when they clearly know that the majority of the devices are in Saskatchewan, USA and Europe.
So according to Morris, full copies of all of the files with personal information that were purged from the server at his location still reside on devices in other locations.
Under the OIPC’s procedures, outlined in their findings to Ernst & Young and Morris, the Commissioner has the discretion to open an inquiry or not.