Data breaches: All’s not lost, even if your data is (and if you’ve taken precautions)

As anyone who’s ever left a USB key in a Kinko’s knows, it’s easy to lose a mobile device containing sensitive user information. As a recent statement from the Newfoundland and Labrador’s Office of the Information and Privacy Commissioner (OIPC) shows, taking preemptive steps to make the user information on a mobile device more secure could protect the information—and your organization—if the device ever falls into the wrong hands.

The incident

In June of 2015, someone at Eastern Health, the provincial health authority for Newfoundland and Labrador, lost a non-encrypted flash drive containing the names, Social Insurance Numbers, and identification numbers of some 9,000 Eastern Health employees. Luckily for Eastern Health, and its employees, the missing flash drive was ultimately found in a file folder and recovered. Even so, under section 15 of Newfoundland and Labrador’s Personal Health Information Act, Eastern Health was required to notify OIPC of the loss, and OIPC was entitled to review and make recommendations on Eastern Health’s data security practices.
OIPIC didn’t bring charges though—not just because the drive was found, but because it was satisfied that Eastern Health had taken steps to make sure that in the future, if another drive was lost, the user data would remain secure and inaccessible.

Lessons for organizations that collect user information

Any organization that handles user information can learn from Eastern Health’s experience. Based on what OIPC has said, here are six tangible steps your organization can take to protect user data in the event of a breach:

1. Don’t use Social Insurance Numbers as employee IDs. Generate a unique number that’s not used outside your organization.
2. Require your employees to verify their identify in order to access user information. Don’t just rely on passwords, which could be compromised—use security questions that only the employee would be able to answer.
3. If there are non–encrypted USB drives floating around your organization, make sure that they’re returned and destroyed.
4. Consider upgrading your organization’s antivirus platform so that any non-encrypted USB drives will automatically become encrypted.
5. Make sure all other mobile devices that your organization has already issued are locked down or encrypted.
6. Have a forward-looking policy on how your organization issues, controls, and uses mobile devices.

The takeaway? Data security doesn’t just mean building walls against unauthorized intruders; it’s just as important to think about how you’ll protect the user data your organization collects if the device that holds it falls into the wrong hands. Protect it properly, and you may limit your liability down the road.
By: Aaron Wenner, McCarthy Tétrault LLP

• About
• Latest Posts

Occasional Contributors

In addition to our regular guest bloggers, First Reference Talks blog published by First Reference, provides occasional guest post opportunities from various subject matter experts on the topics of human resources, employment/labour law, internal controls, information technology, not-for-profit, business, privacy, tax, finance and accounting, and accessibility in Canada among others. If you are a subject matter expert and would like to become an occasional blogger, please contact us. If you liked this post, subscribe to First Reference Talks blog to get regular updates.

Latest posts by Occasional Contributors (see all)

• How much should a Canadian registered charity spend on administration? - November 30, 2022
• Finance proposes changes to disbursement quota for charities and some increased transparency - November 11, 2022
• Budget Implementation Act passed allowing certain additional charitable partnerships - July 21, 2022