First Reference Talks

Discussions on Human Resources, Employment Law, Payroll and Internal Controls


By Occasional Contributors | 2 Minutes Read August 10, 2016

Data breaches: All’s not lost, even if your data is (and if you’ve taken precautions)

As anyone who’s ever left a USB key in a Kinko’s knows, it’s easy to lose a mobile device containing sensitive user information. As a recent statement from the Newfoundland and Labrador Office of the Information and Privacy Commissioner (OIPC) shows, taking preemptive steps to make the user information on a mobile device more secure could protect the information—and your organization—if the device ever falls into the wrong hands.

The incident

In June of 2015, someone at Eastern Health, the provincial health authority for Newfoundland and Labrador, lost a non-encrypted flash drive containing the names, Social Insurance Numbers, and identification numbers of some 9,000 Eastern Health employees. Luckily for Eastern Health, and its employees, the missing flash drive was ultimately found in a file folder and recovered. Even so, under section 15 of Newfoundland and Labrador’s Personal Health Information Act, Eastern Health was required to notify OIPC of the loss, and OIPC was entitled to review and make recommendations on Eastern Health’s data security practices.
OIPC didn’t bring charges though—not just because the drive was found, but because it was satisfied that Eastern Health had taken steps to make sure that in the future, if another drive was lost, the user data would remain secure and inaccessible.

Lessons for organizations that collect user information

Any organization that handles user information can learn from Eastern Health’s experience. Based on what OIPC has said, here are six tangible steps your organization can take to protect user data in the event of a breach:

  1. Don’t use Social Insurance Numbers as employee IDs. Generate a unique number that’s not used outside your organization.
  2. Require your employees to verify their identity in order to access user information. Don’t just rely on passwords, which could be compromised—use security questions that only the employee would be able to answer.
  3. If there are non-encrypted USB drives floating around your organization, make sure that they’re returned and destroyed.
  4. Consider upgrading your organization’s antivirus platform so that any non-encrypted USB drives will automatically become encrypted.
  5. Make sure all other mobile devices that your organization has already issued are locked down or encrypted.
  6. Have a forward-looking policy on how your organization issues, controls, and uses mobile devices.

The takeaway? Data security doesn’t just mean building walls against unauthorized intruders; it’s just as important to think about how you’ll protect the user data your organization collects if the device that holds it falls into the wrong hands. Protect it properly, and you may limit your liability down the road.
By: Aaron Wenner, McCarthy Tétrault LLP

Article by Occasional Contributors / Business, Information Technology, Privacy / antivirus, Data breach, data security, information protection, mobile device, Office of the Information and Privacy Commissioner, password protection, Personal Health Information Act, protect user data, USB drives, user data


Copyright © 2009 - 2022 · First Reference Inc. · All Rights Reserved