Geoff Leo reports on what sounds like an utterly unsatisfactory response by the government to questions as to why it didn’t directly notify those affected of a breach:
The minister responsible for the Saskatchewan Liquor and Gaming Authority (SLGA) says the Crown corporation didn’t directly notify its business partners that their data may have been stolen in a hack because those companies should have figured it out on their own.
According to a Dec 28 news release, SLGA’s computer systems were the target of a “cyber security incident” on Christmas Day. It said that at that time, “SLGA does not have any evidence that the security of any customer, employee or other personal data has been misused.” The organization repeated that line in communications with business partners.
Three weeks after the hack, the organization alerted employees that their data may have been stolen and offered them credit monitoring services.
At that time, it gave no such notification to SLGA’s suppliers, vendors or licensees.
So the government told them they had no evidence, but then only told some of those affected when the risk level changed after they did find evidence. They didn’t directly update/notify the others?
[…]
In an email, SLGA told CBC it is required by law to notify people whose data may have been unlawfully accessed and may be misused. The organization said rather than notify the potential victims directly, it decided to use the “indirect notification” approach, posting an update on its website.
SLGA says in a written statement on its website that Saskatchewan’s privacy commissioner has given the thumbs up to this indirect approach in cases “where the privacy breach is potentially very large or you may not be able to identify the affected individuals.”
Ah, the old “indirect notification approach,” otherwise known as “We can’t be expected to act responsibly after we were breached, so you’re kind of on your own. 🙁 ”
Unbelievable. At the very least, the government should have plastered big press releases in national media and popular provincial media.
Read more at CBC.
h/t, Brett Callow, who has his own thoughts on the matter.