Federal privacy commissioner poised to investigate security lapse

By Scott Taylor, Randy Richmond, The London Free Press

Instead of late Christmas cards, 5,000 Canadians are getting warning letters from the federal government telling them it lost their sensitive personal information on a thumb-sized computer storage device last month. Free Press reporters Randy Richmond and Scott Taylor, who broke the story last week, look at the fallout.

— — —

Privacy commissioner’s office will probe how info went missing

The massive federal department responsible for Canada’s employment, training and pension programs faces a formal investigation into a possible breach of the nation’s privacy law, and for possibly breaking the rules covering the reporting of such breaches.

An employee of Human Resources and Skills Development Canada (HRSDC) lost a USB stick containing sensitive, personal information of about 5,000 Canadians, The Free Press first reported last week.

“I think you can expect that we will be investigating the matter,” Anne-Marie Hayden, spokesperson for the Privacy Commissioner of Canada, said this week.

“Our investigation would focus on the application of the Privacy Act, but may also refer to relevant Treasury Board guidelines and directives as appropriate.”

The Privacy Act is designed to “protect the privacy of individuals with respect to personal information about themselves held by a government institution . . . ”

The Privacy Commissioner investigation would examine how the USB stick — a thumb-sized digital storage device — was misplaced, and what personal information it contained, Hayden said.

The Treasury Board of Canada sets the rules for how federal departments handle private information of Canadians and breaches of privacy.

For example, the board recommends mobile-computer devices be encrypted to protect the private information they carry.

That’s a policy Human Resources and Skills Development Canada generally follows, but did not in this case, spokesperson Christian Plouffe said in an e-mail.

“As much as possible, we limit situations where employees are required to store and transport protected information on portable media devices, like memory sticks. Where such situations are unavoidable, encryption is required,” he said. “We are analyzing why this was not done in this incident . . . ”

The Treasury Board also says it’s “strongly recommended” the privacy commissioner be notified of breaches, especially involving medical information and social-insurance numbers “as soon as possible after the institution becomes aware of the breach.”

That means, according to the board, “within days.”

The USB stick was reported missing at Human Resources and Skills Development Canada national headquarters Nov. 17.

But the privacy breach wasn’t reported to the privacy commissioner’s office until more than a month later, Dec. 21.

That’s the same day letters went out to about 5,000 Canadians notifying them the stick with their private information was missing.

As of Monday, the privacy commissioner’s office had received 100 calls and several official complaints that would spark an investigation, Hayden said.

In a case outlined in the 2010-2011 annual report, the Privacy Commissioner took Human Resources and Skills Development Canada to task for losing a sheet of paper containing the social-insurance numbers and names of 32 people.

“We were especially disturbed that the breach involved the SIN (social-insurance number), which is a critically important piece of personal information for people dealing with federal and other institutions. Because of its value, the number is highly vulnerable to misuse if it falls into the hands of identity thieves,” the commissioner stated.

“Worse, the breach was the fault of HRSDC, the very department that issues and manages the use of the SIN.”

In its 2008/2009 report, the commissioner warned “all employees of the importance of protecting the personal information of Canadians. Data . . . should be protected by encryption.”

— — —

‘Anybody could have that information and be using it’

The stakes are higher than just the risk of ID theft for one Londoner whose personal information Ottawa lost on the thumb drive, along with data on 5,000 other Canadians.

The 50-year-old woman told The Free Press she’s been fighting for a disability pension for three years.

On the cusp of finally being approved, her information has now gone missing. She was notified by letter of the lost USB key by Human Resources and Skills Development Canada.

Her social-insurance number, medical conditions and employment information were on the missing stick.

Now she’s afraid she’ll have to continue to make do on social assistance while the bureaucratic gaffe plays out.

“I suffer from severe vertebrae damage and the pain is tremendous,” she said. “I tried to get a disability pension for that because I couldn’t work, but then I was prescribed OxyContin and became addicted to it.”

In a twist worthy of a black comedy, she claims the government did then approve her request — because she had become a drug addict and was taking a daily dose of methadone to wean her off the Oxy.

“Can you imagine that?” she asked. “My back is damaged and I can’t get a pension, but I get addicted to a prescribed drug and they approve me.”

Now all her information is not only missing, but also possibly accessible to someone who shouldn’t have it.

“I think I should be allowed to have a new social-insurance number or something,” she said. “Anybody could have that information and be using it. Then the government tells me steps I can take to protect myself. I shouldn’t have to do that.”

When the woman called Human Resources and Skills Development Canada, a man apologized and assured her everyone’s information is still on hard copy. But he couldn’t promise that her case won’t end up in limbo again while the situation is investigated.

“I’m trying to get by on social services when I rightfully should have a pension. Then this happens and they don’t even have the decency to send me the notice by registered mail. I thought it was a letter saying I was going to get my money. That’s $41,000 now, but instead this happens. I asked him if this is going to delay it even longer. He didn’t answer me.”

randy.richmond@sunmedia.ca

scott.taylor@sunmedia.ca

— — —

THE GAFFE

  • A thumb-sized computer storage stick, called a USB key, is lost by an employee of Human Resources and Skills Development Canada (HRSDC). On the stick are files with sensitive information on Canadians from coast to coast.
  • The information wasn’t encrypted, meaning it can be accessed easily.
  • It included social-insurance numbers, birthdates, medical records and other information, including about disability payments.

— — —

THE NUMBERS

5,000: Canadians whose information was on the stick

Nov. 17, 2011: Date storage stick reported lost

100: Phone complaints fielded so far

34: Days it took Human Resources and Skills Development Canada to alert federal privacy watchdog and mail apology letters.

4: Days before Christmas affected Canadians were told, by snail mail.

— — —

CONSEQUENCES

  • Thousands left without peace of mind that their information is secure.
  • Warning letters to take steps to safeguard their data.
  • Risk of ID theft.
  • Possible formal probe into the security breach.

— — —

THE PRIVACY BREACH

As defined by the federal Treasury Board, a privacy breach with government information involves improper or unauthorized collection, use, disclosure, retention and/or disposal of personal information.
