I’m no longer surprised when we first learn about breaches that happened years ago. Case in point: a 2006 breach in Canada is now in the media after the Canadian Press uncovered it in an Access to Information request:
The confidential tax files of almost 2,700 Canadians are missing after a Canada Revenue Agency worker took them home and let a friend download them onto a laptop.
The laptop has disappeared, the agency is scrambling to rewrite its security protocols and the privacy commissioner is asking why no one alerted her to the breach in confidentiality.
[…]
The major breach occurred in early 2006, when an auditor in the agency’s Toronto office asked a government computer technician to download 37,488 of her emails and 776 documents onto 16 CDs. The confidential material covered the years 2000 to 2006, and was not encrypted as required by agency rules.
The woman took the CDs home, and allowed a male friend to copy at least one of them to a laptop.
Read more on CTV.ca. It seems that not only did the worker breach data protection rules, but the agency was unable to recover the laptop with the CD the friend had downloaded onto his computer, as he refused to cooperate.
After all that, the agency decided that this incident was “low risk” and did not need to be reported to the Privacy Commissioner.
“Low risk?” Even if the agency trusted the employee not to misuse the data, do they really know her friend well enough to be confident that there is “low risk?” If the laptop onto which the CD was downloaded was the property of a private company, it has gone totally out of the agency’s control and they should have reported this.
I’ll say it again: entities should not be allowed to determine risk as their assessments tend to be self-serving.