On December 10, 2015, the Privacy Commissioner of Canada released an annual report to Parliament highlighting the results of an audit of the government’s management of portable storage devices and reported data breaches.
Portable storage devices are convenient because they are small, highly portable, and can hold large amounts of information. However, those same qualities create privacy and security risks.
The audit was conducted following serious concerns over some federal government data breaches involving portable storage devices. For instance, you may recall the incident that occurred in 2012 where a portable hard drive containing the personal information of almost 600,000 student loan recipients went missing.
As a result of the audit findings, the Privacy Commissioner of Canada urged federal departments and agencies to develop and implement more rigorous procedures and safeguards to protect Canadians’ personal information.
The report concerning the Privacy Act shows that a record-high number of federal government data breaches were reported to the Office of the Privacy Commissioner of Canada, and it includes the results of an audit of the government’s management of portable storage devices.
Although it was noted that some progress was being made to better protect personal information, the audit results indicated that there is still much room for improvement.
In fact, in the year 2014-2015, federal institutions reported 256 data breaches, up from the 228 breaches reported the year before. The leading cause of the breaches was accidental disclosure. It is difficult to know what the numbers were before this point, because last year was the first year that these institutions were required to report data breaches to the Privacy Commissioner.
This problem of accidental disclosure can be minimized with the addition of more rigorous procedures.
This is not to say that federal institutions do not have any policies, processes, or controls for portable storage devices. On the contrary, these mechanisms are in place; however, more must be done to reduce the risk of privacy breaches. These small devices are easily lost or stolen, and when that happens the personal information of Canadians is put in jeopardy.
More specifically, the audit examined 17 institutions, and observed a number of concerning phenomena. For example, 70 percent of the institutions had not formally assessed the risks surrounding the use of all types of portable storage devices. Worse, more than 90 percent did not track all portable storage devices throughout their lifecycle, and more than 85 percent did not retain records verifying the secure destruction of data retained on surplus or defective portable storage devices.
One of the more troubling findings was that 25 percent of the institutions did not encrypt data on the USB storage devices. Additionally, 55 percent did not assess the risk to personal information resulting from an absence of technical controls to prevent the connection of unauthorized portable storage devices on their networks. This means that the extent of the risk posed by privately owned devices connecting to the network was unknown.
What is more, about 66 percent did not have any technical controls in place to prevent the connection of unauthorized portable storage devices.
Another main concern had to do with the security settings protecting data on smartphones at some of the audited entities. More specifically, there was a lack of encryption, strong password controls, and controls to prevent users from installing unauthorized applications.
The institutions accepted all of the recommendations made in the audit and will be implementing them.
The Privacy Commissioner, Daniel Therrien, stated:
We hope all federal institutions will take note of the audit and its recommendations with respect to portable storage devices. The audit highlights some preventive steps that can and must be taken to curtail breaches. There is a need for greater vigilance when it comes to protecting the personal information that Canadians entrust to their federal government.