Organizations should plan for data loss

It’s not enough to rely on employees obeying policies: privacy commissioner

They used to make headlines — stories about the personal information of employees or consumers potentially in the wrong hands.

Now, it seems as though these breaches of privacy due to a misplaced laptop or a lost backup tape are so common the public only hears about a fraction of them.

One such story involved the theft of personal information of about 8,000 doctors in Alberta. Their personal records were stolen when an MD Management employee left a laptop unattended in his Jeep while he made a 10-minute stop at a store. Someone broke into the Jeep by unzipping the back passenger-side window of the soft top.

MD Management, a subsidiary of the Canadian Medical Association, offers financial services to member doctors and their families. The data lost contained the name, age, medical specialty, contact information and, in some cases, total financial assets with MD Management as well as shareholder number.

The laptop had encryption software, but the data was not stored in the part of the computer that could be encrypted. The only protection was the password required to log on to the Windows 2000 operating system. But as a portfolio officer at the Alberta Information and Privacy Commission noted, there is free software on the Internet that allows someone to sign on as a computer administrator and circumvent this requirement. Even the operating system’s maker, Microsoft, gives out instructions on how to bypass this password requirement.

According to the Privacy Rights Clearinghouse, a San Diego-based not-for-profit advocacy group on consumer rights, there were 229 instances of data loss or theft in the United States from January through September (no information was available for Canada).

More than 93.8 million people were potentially affected by these incidents.

Of these 229 cases, 63 involved the theft or loss of a laptop. Of those, 19 took place while the data was in the hands of a third party, such as an auditor, an insurer or, ironically, a records management service provider.

Brian Bowman, a lawyer specializing in privacy issues at the Winnipeg law firm Pitblado LLP, said he thinks instances of data loss in Canada are more frequent than people realize.

“If they were reported properly, people would be astounded in Canada if they truly knew how many privacy breaches occur,” said Bowman.

Just having a policy isn’t enough

The MD Management incident prompted the Alberta Office of the Information and Privacy Commissioner to investigate MD Management’s privacy measures. Foremost among its findings, released last month, was that it’s not enough to rely on employees to adhere to policy.

Most companies, like MD Management, have policies advising employees never to leave laptops unattended, portfolio officer Preeti Adhopia said in her report.

“These cases make clear that organizations cannot have all confidence that employees will or can remember to adhere to these policies,” said Adhopia. “Human nature and circumstances beyond the control of an employee must be accounted for when organizations consider personal information safeguards. Other lines of defence are critical.”

The federal privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA), specifies expected safeguards. The methods of protection should include: physical measures, such as keeping data in locked filing cabinets and restricting access to offices; organizational measures such as having security clearances and limiting access on a “need-to-know” basis; and technological measures such as using passwords and encryption.

Adhopia said other measures are available. Employers could install “phone home” software that can trace the physical location of a laptop. Some organizations are exploring what’s called a “kill switch” that, when a stolen laptop is flagged, could initiate a series of actions to prevent unauthorized access or send “self-destruct” instructions.

In finding MD Management contravened its duty to safeguard personal information in its keeping, Adhopia recommended that it do more than just have encryption capability on laptops. The company should explicitly require employees to delete information from laptops once it’s no longer required. It should also conduct audits to make sure employees only have access to information needed for their work and that they comply with the laptop policy.

The service provider’s commitment

John Wunderlich, program director, compliance at Ceridian, a Winnipeg-based outsourcing firm, said instances of misdirected data inevitably happen. Any outsourcer that says it can guarantee privacy is “either lying to you or they don’t know what they’re talking about,” he said.

Ceridian sends out about one million packages of pay registers a year as part of its payroll service, and “not all of them are delivered perfectly,” said Wunderlich.

When a package is delivered to the wrong client, Ceridian will try to get the package back and reroute it to the right client. If there will be a delay in getting it back, Ceridian will issue a replacement package and get the original back to make sure it’s destroyed.

Ceridian will also contact the intended recipient to inform it of the mistake, as well as follow up with the company that received the package by mistake to allay any concern it may have. Usually, before contacting the former, Ceridian conducts “a quick evaluation to see if we had a process failure, so we’d be prepared to tell them what we’re doing about it in the future.”

The service provider does not typically set out, in advance, specific penalties for instances of a privacy breach, said Wunderlich.

“What we do commit to is we will work with the customer to help them deal with employees so that their employees have the necessary information to deal with identity theft,” he said. “But that hasn’t yet been necessary. There hasn’t been a case of identity theft based on a misdelivered package.”

With a background in information technology, Wunderlich was once fond of saying, “There are two kinds of hard-drives — the ones that crash, and the ones that haven’t crashed yet.

“When you’re in the HR world and you deal with personal information you have to take the same view. It may never happen. But you have to put yourself in a posture where you’re prepared, where you’ve identified the risk and what you’re going to do should it happen.”

Serious repercussions

Terry McQuay, president of the Toronto-based privacy firm Nymity, said the repercussions of data loss aren’t minor.

“There’s the media attention, the cost of notification, the reputational cost, the cost of dealing with credit agencies,” said McQuay. “These aren’t small. They have quite an impact on an organization.”

Winnipeg lawyer Bowman, who’s also chair of the Canadian Bar Association’s National Privacy and Access Law Section, said the advice he would give to organizations is to make sure an outsourcing contract sets benchmarks in terms of expected privacy protocol. A contract should also set out the ability of an organization to audit the service provider’s privacy practices. And not to be overlooked is a requirement that the service provider notify the client organization should something occur.

Apart from Ontario’s health information law, no other privacy legislation in Canada imposes on organizations a duty to give notice of a privacy breach. As a result, companies quite often do a cost-benefit analysis to determine whether they should alert affected organizations and individuals of lost data.

But Bowman thinks it’s just a matter of time before such a lax attitude blows up in people’s faces.

“Organized crime is getting more into identity theft,” said Bowman. “And combined with the fact that organizations aren’t taking the steps they should be to be proactive, I think it’s a ticking time bomb for companies that haven’t done their due diligence.”
