Editor’s note: This is an updated version of a story that first appeared Sept. 14.
The federal government now says the device with personal information on 227 employees of Infrastructure Canada that was reported stolen last month was an unencrypted USB key.
News of the theft was first revealed Sept. 13 by Global News and confirmed to IT World Canada the following day by a spokesperson for Public Services and Procurement Canada (PSPC).
A PSPC employee notified Ottawa police of the theft on August 20 and told their government supervisor the next day, Rania Haddad, a PSPC spokesperson, said in an email. The statement didn’t detail what was on the device, but on Sept. 17 PSPC said it was a USB key, which, contrary to government rules, wasn’t encrypted. “An internal investigation is underway to examine why and how this happened and identify measures to ensure this does not happen again.”
Word that a government staffer was allowed to store personally identifiable data on a storage device without encryption angered Canadian privacy expert Ann Cavoukian. “I was very disturbed to hear about this case,” she said in an interview Monday. “Of course things get lost or stolen, which is why you [employers] have to insist that any information on USB keys have to be encrypted.”
“There have to be repercussions when [rules] aren’t enforced,” she added. “There has to be some consequence for doing what you’re not supposed to do. The reason you’re supposed to encrypt data on USB keys is because they are small, they might get lost or stolen. That’s the whole point of encrypting. It’s not a big deal these days to encrypt devices.”
“The government has to do a better job of driving this home across the board in terms of what is expected (of employees) when you copy personally identifiable data onto a USB key,” she added.
According to Global News, PSPC’s Deputy Minister Marie Lemay sent an email Sept. 7 to affected staff that “no banking or social insurance information was affected. However, your name, personal record identifier (PRI), date of birth, home address and salary range may have been on the stolen device.”
The original government statement also said that so far no incident has been reported about malicious use of the stolen information.
“An internal investigation is underway to examine why and how this happened and identify measures to ensure this does not happen again,” the statement said. The federal privacy commissioner has also been notified.
PSPC hasn’t explained why it took 17 days for employees to be notified. New federal data breach notification rules come into effect Nov. 1 obliging employers that come under the Personal Information Protection and Electronic Documents Act (PIPEDA) to notify affected individuals as soon as feasible of breaches of security safeguards involving personal information where it is reasonable to believe that the breach creates a “real risk of significant harm to the individual.” However, that standard only applies to the private sector. Government employees are covered under the Privacy Act.
Monday’s PSPC statement said the department “took action as quickly as possible. We worked closely with the affected government department to validate what information was held on the key, to identify affected individuals, and send timely notification. An internal investigation is ongoing.”
However, Cavoukian said it was “appalling” that it took 17 days.