B.C. Ministry of Health fires 5 for privacy breach

Number of breaches ‘increasing exponentially,’ says industry expert

In September, the British Columbia Ministry of Health fired five employees and suspended two others for alleged misuse of confidential medical information. The employees were working with contractors on drug-related research and it is believed they went outside the rules around taking and using data, said Health Minister Margaret MacDiarmid.

“We take all allegations of this nature very seriously,” she said. “We must ensure confidence is maintained in the integrity of the public service to execute its responsibilities in a manner that meets the high standards of conduct expected by the public.”

Privacy breaches have “increased exponentially in the last five or six years,” said Michael Collins, regional vice-president of Shred-it in Oakville, Ont. Two-thirds of large organizations have suffered a data breach, found a survey of 1,000 Canadian employers by Shred-it.

But, in reality, it’s likely even more, said Mario Morel, chief architect and operations manager at security specialists NCI in Mississauga, Ont.

“There’s what I would call reported breaches and non-reported breaches and, by my experience, there’s a lot more breaches that go uncovered or unreported than those that are reported,” he said.

The average total organizational cost for data breaches in the United States in 2011 was US$5.5 million and the average cost per compromised record was US$194, according to the 2011 Cost of Data Breach Study, released in March 2012 by the Ponemon Institute in the United States.

There are many different types of privacy breaches, including intentional employee action, which may be malicious or not. Some employees may be seeking information about a specific individual with malicious intent, such as an ex boyfriend, while others may simply be poking around out of boredom, said Bev Hooper, owner of Hooper Access and Privacy Consulting in Victoria.

“Privacy is breached because people are just negligent or unaware,” said Morel. “They just didn’t think twice before trying to snoop on a client’s personal information.”

Another common form of a privacy breach is employee error, said Hooper.

“I put the wrong letter in the wrong envelope and unfortunately I didn’t realize it until after I put it in the mailbox,” she said. “Those are the things that show we’re all human and they happen, unfortunately.”

Technology glitches are another common form of privacy breaches. Computers and IT systems may not be set up properly and information may be sent to the wrong people or employees may have access to data they shouldn’t have, said Morel.

Theft is another way privacy is breached. One way this can occur is through hacking into a computer system.

“There’s a lot of value in personal information and identity thieves will come in, pull servers, remove data and that data is long gone before you probably even realize it’s been removed,” said Hooper.

The best way to defend against system theft is to encrypt the data, she said.

Theft can also take the shape of stealing actual hardware, such as a laptop or USB stick.

In July, Elections Ontario warned voters of a privacy breach when two USB keys holding personal information for as many as 2.4 million individuals went missing. Ontario’s Information and Privacy Commissioner Ann Cavoukian said she has repeatedly warned this kind of information should not be stored on USB keys, laptops or other mobile devices.

“I am deeply disturbed that a breach of this extent, the largest in Ontario history, involving millions of individuals, could happen at Elections Ontario,” she said. “Ultimately, at the root of the problems uncovered in the course of my investigation was a failure to build privacy into the routine information management practices of the agency.”

In light of this event, Cavoukian released the report A Policy is Not Enough outlining steps employers should take to build a culture of privacy.

The first step is to implement a privacy policy that reflects the needs and risks of the organization.

“Simply having a generic privacy policy which does not consider the particular challenges of a given organization is not sufficient,” she said.

Employers should make sure they have lockdown codes on computers, laptops, photocopiers, printers and all devices of this nature so the information does not get into the wrong hands, said Collins.

They should also consider implementing a clean-desk requirement and including it within the privacy policy.

“It gets confidential information off people’s desk that can get exposed to facility cleaning staff or the general population as they’re coming by or perhaps a client when they’re in your business,” said Collins. “(It’s) fairly simple to put into play but companies and employees need constant reminders.”

Employers also need to put access controls in place for physical and electronic spaces, he said. Files should be accessible only to those in need-to-know positions and they should be aware of how to keep the information safe.

“We have a tendency to leave filing cabinets unlocked and doors propped open because of ease of access, when in reality what we’re doing is exposing ourselves and those people who have entrusted us with information,” said Collins.

Businesses should make sure they are only obtaining the necessary information required to complete a transaction, whether it be with customers or with employees. For example, HR often requests the social insurance numbers of new employees but this is not needed unless a background check is being conducted, said Collins. Having this information on file over-exposes a company to potential privacy breaches.

The final step of the file protection piece is proper destruction of material at end-of-life, said Collins. Most organizations (92 per cent) have a document destruction protocol in place, but only 40 per cent of employees strictly adhere to the system, found the Shred-it survey. The privacy policy should outline when information should be destroyed and how it should be done, he said.

Employers should develop and conduct privacy education and awareness training programs to ensure all employees understand the policies and practices, said Cavoukian’s report.

“Training and general awareness is huge. I can’t tell you how many times I investigated a breach where the employee hasn’t meant to do it but they have, and they didn’t realize it was personal information,” said Hooper.

Privacy training should take place on an annual basis and should be a part of the orientation for new employees, she said. It shouldn’t just be a document employees read and sign off on — they should be tested on it as well to demonstrate they really understand the policy, said Hooper.

Organizations should designate a central go-to person for privacy-related inquiries within the organization, said Cavoukian’s report.

Nine in 10 (93 per cent) organizations have an employee directly responsible for managing data security issues, found the Shred-it survey.

Employers should also verify both the employee and organizational execution of privacy policies, said the report.

“Have a really good audit program — have the ability to review keystroke activity of employees who have access to databases that contain a lot of personal information,” said Hooper. “And make sure you audit your printing functions, so ‘I know you didn’t need to print 400 pages yesterday, why were you printing so much?’”

Employers should proactively prepare for a potential privacy breach by establishing a data breach protocol, said the report. In the event of a privacy breach, employers should notify the go-to privacy person right away and initiate containment measures to stop the propagation of the breach. This may require shutting down systems or suspending implicated employees, said Hooper.

Employers also need to initiate a privacy breach investigation, communicate with the individuals whose privacy has been breached within 72 hours, and explain the incident to employees before they hear about it in the media, said Morel.

If not handled properly, breaches can result in a loss of business, loss of clients’ and employees’ trust, and damage to the company reputation, said Hooper.

“It’s not to say those that have breaches have problems and are bad companies. Those that have breaches and that try to bury their heads in the sand and don’t do anything and don’t come out proactively and deal with employees are the ones that concern me the most.”

A policy is not  enough

7 steps organizations can take

In A Policy is Not Enough, Ontario’s Information and Privacy Commissioner Ann Cavoukian outlines seven steps organizations should consider implementing to effectively translate privacy policies into privacy practices.

• Implement a privacy policy that reflects the privacy needs and risks of the organization and consider conducting an effective Privacy Impact Assessment.

• Link each requirement within the policy to a concrete, actionable item — operational processes, controls and/or procedures, translating each policy item into a specific practice that must be executed.

• Demonstrate how each practice item will actually be implemented.

• Develop and conduct privacy education and awareness training programs to ensure all employees understand the policies and practices required, as well as the obligations they impose.

• Designate a central go-to person for privacy-related queries within the organization.

• Verify both the employee and organizational execution of privacy policies and operational processes and procedures.

• Proactively prepare for a potential privacy breach by establishing a data breach protocol to effectively manage a breach.

Latest stories