Given that such sensitive information – the names, social insurance numbers and banking details – for 11,841 University of Victoria employees was stored on a device so susceptible to loss or theft, B.C.’s privacy commissioner says there is “no rationale” that the information wasn’t digitally secure.
Elizabeth Denham, the province’s Information and Privacy Commissioner, released her report Thursday on an investigation into a major data and electronics theft at UVic on Jan. 8 of this year. She says the university breached the Freedom of Information and Protection of Privacy Act when it failed to protect its employees’ personal information.
“While the University has established privacy and security policies in recent years, the institution failed to implement reasonable safeguards to protect data stored on the USB drive. Such safeguards are a legal requirement…,” read a press release from the OIPC.
Thieves targeted the payroll department in the non-alarmed Administrative Services Building, and stole a number of electronics. Among them was an unencrypted USB flash drive containing the personal information of anyone on UVic’s payroll since 2010.
“Limiting the amount of data stored on a mobile device or in other information systems reduces the negative effect of a privacy breach. The device contained the information of a large number of past employees,” Denham wrote in her report. “Given the amount and sensitive nature of personal information contained on the University mobile storage device, coupled with the ease of encrypting the information, there is simply no rationale for failing to encrypt this information.”
To the university’s credit, Denham said, the flash drive was stored in a locked and hidden safe.
“(The) device was stored in the safe, because staff recognized the risk associated with the sensitive data,” she wrote. ” Of course, in the actual event, what was perceived to be a very secure location was not, because the safe was not properly fixed in place. The anchors were not appropriate to prevent the safe being dislodged, and the thieves were able to remove it.”
A Saanich police investigation into the theft is still ongoing.
The majority of the electronics that were stolen were recovered in late January, but the flash drive in question is still outstanding. They were found destroyed in a garbage bag in a Canada Post drop box atop Bear Mountain.
Affixed to the bag was a dubious apology note: “The information on these devices was not copied, distributed, or exploited. We want to part of everyday people living in fear that their personal information is being used against them to take they’re (sic) hard earned money,” the letter read. But police aren’t buying it.
“We think this is a ruse by someone who wants to allay the public’s fears. But what they may have done is transferred the data, they’ll sit on it, and then go ahead and start defrauding people in a couple of months,” said Sgt. Dean Jantzen.
Jantzen says four current and former UVic employees came forward following the data breach claiming to have had money stolen from their bank accounts, but police have determined three of them to be unrelated. Police cannot confirm if the one outstanding fraud happened as a result of the data theft, or if it, too, is unrelated.
“it is clear that the type of personal information stored on the mobile storage device is valuable to criminal organizations. In addition to using it for identity theft, criminals can also exploit personal information to impersonate another individual, obtain medical treatment or use the basic information to create a fictitious identity,” Denham wrote in her report.
She said had the university invested in relatively inexpensive of data security measures, namely encryption software, the data would’ve been protected.
The flash drive was intended to be a back-up for the payroll department, in the case of an emergency where that information, which is typically stored on a secure server, was inaccessible.
“University staff made it clear that senior staff in Financial Services had considered using encryption on the storage device and in fact had received advice from others that encryption should be used. … However, although there appears to have been an intention to encrypt the data, it was not carried out,” Denham wrote.
The privacy commissioner made five recommendations as a result of the investigation:
• The University of Victoria should formally review their privacy and security policies at a minimum of every three years;
• The University should re-assess the physical security of the Financial Services area to determine whether it is necessary to alarm the entire building, and to assess other buildings on campus where personal information is stored;
• The University should develop a comprehensive policy, procedure, training and technical solution to ensure that personal information stored on laptops and other mobile security devices is protected as required by the Freedom of Information and Protection of Privacy Act. This policy and training program should include issues of data limitation, encryption, appropriate password maintenance, physical security, wireless security and proper disposal;
• The University should develop a policy that requires the privacy manager to conduct risk assessments of personal information data banks on an annual basis and report to the University President on the result of these assessments;
• The University should provide a copy of the report of the external consultant to my office for review and comment prior to its finalization.
UVic president David Turpin responded in a press release.
“We appreciate the commissioner’s thorough and thoughtful report and recognize that it identifies areas in which the university can improve the protection of personal information,” he said.
UVic earlier this year also commissioned an external privacy review, expected to be released later this spring. Former privacy commissioner David Flaherty is conducting that one.
Turpin says the university has already taken steps toward improving security on campus, including alarming part of the Administrative Services Building, mandating encryption standards for all the university’s electronic devices, and reviewing the policies and procedures surrounding personal information.