Any organization that lets staff use a portable device capable of holding customer information – including laptops — should insist that data encryption is always on, says Ontario’s privacy commissioner.
Ann Cavoukian made that statement Tuesday after releasing a scathing report into the revelation that Elections Ontario can’t find two USB memory sticks with personal information of up to 4 million voters in the province.
In an interview Cavoukian said staff shouldn’t have to decide whether corporate data is sensitive enough that it needs to be encrypted.
The USB sticks were used in April to transfer data from Elections Ontario’s main Toronto office to a temporary facility where the voters’ list was being updated. That facility didn’t have online connectivity to the agency’s secure servers.
Cavoukian’s investigation into the loss of the sticks, first made public July 17, made it clear the incident was more than just two staffers who hadn’t ensured the USB keys were encrypted as recommended by IT staff, and then not locked them up at the end of one day as ordered.
In fact, after three days the sticks were first reported missing April 27 staff were given two more memory sticks to use.
“I hit the roof,” she found out, Cavoukian told reporters at a news conference in the Legislature building as she released her report.
“On what planet do you do the same thing again?”
Apparently the second set of sticks weren’t lost.
It gets worse. The staff working on updating the list and their immediate leaders were temporary employees, not provincial civil servants. They were told by their Elections Ontario supervisor that the data on the memory sticks had to be encrypted. But the staff not only had no idea how to do it, they didn’t know what encryption meant.
After doing an Internet search they assumed it was the same as zipping or compressing a file, Cavoukian’s investigation found – so again, the voter data wasn’t encrypted..
She said it was “totally inappropriate” for the voters list update to resume using the same method of transporting data.
Not only that, she said, the initial report by a forensics firm into the loss wrongly said the data on the keys could only be accessed by Elections Ontario software or “specialized” commercial software.
In fact, Cavoukian said, the information was in a “standard database coding language” that could be accessed by a variety of commercially available and free software programs.
It was initially believed that the missing sticks held data on 25 voting districts out of 107. However, because the temporary staff were working on a total of 49 districts, Cavoukian can’t be sure data on which districts were lost.
So she’s recommending that 4 million voters in the 49 polls watch their bank and credit card records for the next 12 months for suspicious activity.
Two people who had responsibilities for the drives for locking up the drives at the temporary facility are no longer with agency.
The Ontario Provincial police has opened a criminal investigation.
Cavoukian said she couldn’t fault completely Elections Ontario’s technical staff completely, for they repeatedly advised management against using USB keys. Instead a decision was made to give the project leaders memory sticks with encryption software, but not the training in how to use it. Nor could she fault the temporary staff.
“While there appeared to be a general recognition of the importance of privacy and security,” Cavoukain said, “for the most part concerns about how personal information was to be managed tended to be directed to Elections Ontario’s external stakeholders [including political parties and returning officers] who are the recipients of the information, as opposed to their internal processes.”
“Ultimately, at the root of the problems uncovered during my investigation was the complete failure to build privacy into the routine day to day information management practices of this organization,” she told reporters.
“What is particularly discouraging was the discovery that the privacy and security of personal information, which is their sole responsibility in terms of the electorate, was not part of the training programs that were offered to staff.
The need to protect personal information must be part of Election Ontario’s culture, she said, to restore the trust of taxpayers.
To do it, she recommends
–The agency hire an independent group to audit its privacy policies and procedures, and develop a requirement that any personal information stored on mobile devices must be encrypted.
–That requirement already exists, Cavoukian admitted, but it wasn’t reflected in the agency’s practices. “A policy is not enough sitting on some shelf, not understood, not translated into the day to day steps of your staff … It has to be embedded in the operations of your agency.”
–There has to be accountability “at the highest levels” at Elections Ontario, including the hiring of a privacy officer. It is “astounding” it doesn’t, Cavoukian said.
Also, the agency’s technology services department should take full responsibility for training and supporting staff to ensure the protection of personal voter information.
Cavoukian has also asked the provincial government to have the auditor-general regular privacy audits of public sector agencies, which, like Elections Ontario, don’t come under her office’s jurisdiction.
Cavoukian did her investigation at the request of Elections Ontario.