David Elder -
A recently publicized privacy breach by a Canada Revenue Agency (CRA) employee underlines the need for all organizations to impose strict controls and safeguards respecting the ability of employees to remove sensitive data from the workplace.
In a widely reported story, it was recently discovered, through a request under the Access to Information Act, that confidential material respecting Canadian taxpayers, contained in hundreds of documents and tens of thousands of email messages sent and received by a CRA employee, were downloaded in unencrypted form to CDs taken home and retained by a CRA auditor, at least some of which were subsequently copied to a third party’s laptop. While the CDs have been recovered, the laptop – thought to contain the tax files of at least 2,700 Canadians – is still missing.
Although the incident in question raises concerns with respect to the Privacy Protection Policy issued to government institutions under the Privacy Act, it also provides important lessons for private sector organizations, which are subject to similar legal requirements. All Canadian private sector privacy laws, both federal and provincial, include data protection requirements that require private organizations to protect personal information with appropriate security safeguards, including physical, organizational and technical measures.
The first - and most obvious – lesson from the CRA case is to minimize the ability of employees and consultants to remove personal information from company premises. The less data that leaves the building or the company servers/network, the less the risk that it may be lost, stolen or otherwise disclosed to unauthorized parties.
Recognizing that, in today’s mobile and networked world, it is unavoidable that work will be done by some employees outside the office, the second lesson is to employ robust safeguards to protect the personal data that must be accessed and used outside company premises.
One approach is to have clear policies respecting removal from the office of personal information and required practices for the protection of devices on which it is stored. Such policies should be readily available and regularly communicated to employees; however, such “soft” controls are not, by themselves, a complete solution. Policies will always be breached by some employees (which, in fact, is what occurred in the CRA case) and organizations will likely still be accountable for such breaches.
Another, more reliable, layer of protection is to use “hardwired” security: robust physical, and particularly, technological measures that keep personal information secure and confidential.
One of the best technological protections for data on portable storage media and devices is encryption, since strongly encrypted data remains inaccessible to most third parties, even if the device itself falls into the wrong hands, which tends to happen frequently with portable devices such as laptops and flash drives. Encryption has been strongly endorsed by privacy commissioners across Canada, and is generally considered to the required standard of protection for personal information stored on portable devices. In the health information context, he Ontario Information and Privacy Commissioner has gone so far as to suggest that the loss or theft of a device containing encrypted personal information would not generally be considered to be a loss or theft of personal information.
Other important technological solutions would include configuring most computerized corporate equipment to block the ability to download content to portable storage devices, logging and retaining each incident of such activity for the few devices for which such downloading may be permitted (such as those accessible by senior IT and security professional). However, even this kind of encryption scheme is not foolproof, as there is still room for inappropriate action by IT and security employees. In fact, in the CRA case, the data in question was actually copied to the unencrypted CDs by a Government IT technician, contrary to Government policy.
Recognizing such vulnerabilities, another technological solution adopted by many companies with a mobile workforce is to host all records on company controlled servers, using a “virtual desktop” solution to allow employees to access workplace files remotely via a secure internet connection. Such a solution eliminates entirely the need for storage on portable devices, as all documents and data are stored in the corporate system.
A final lesson here is to consider notifying the appropriate federal or provincial privacy commissioner(s) of any material data breaches, even if there is no legal requirement to do so (while federal legislation including such a requirement is currently before Parliament, at present only the Province of Alberta requires breach notification by private sector organizations). Such notification was apparently not done in the CRA case, depriving the CRA of potentially useful advice as to appropriate taxpayer notifications or other remedial action – as well as leaving the Office of the Privacy Commissioner flat-footed when contacted by media about the breach.
This post is part of an occasional series highlighting the lessons that businesses can learn from recent news items and events.