The number of data breaches reported to the federal privacy commissioner by bureaucrats increased, hitting a record high according to a new report.
Privacy commissioner Daniel Therrien said Thursday in his annual report to Parliament that 228 data breaches across the federal government were reported for the 12 month period ending March 31. Human error accounted for just over two-thirds of those breaches.
The number was more than twice the number reported for the previous fiscal year. And it doesn’t include the embarrassing discovery that the agency lost an unencrypted USB drive when it changed offices early in the year. That was reported in April, after the fiscal year covered in the most recent report.
Meanwhile the office is investigating 339 complaints over a mass mailing by Health Canada which allegedly exposed the names and mailing addresses of some 40,000 people involved in a marijuana medical access program.
Veterans Affairs Canada had the biggest number of breaches during the fiscal year, 60, followed by Citizenship and Immigration Canada (54), Canada Revenue Agency (33) and Correctional Service Canada (22).
Because reporting to the commissioner is voluntary, the office can’t say whether there really have been more breaches than in previous years, or whether departments are now fessing up more. However, the reporting should be more accurate because in May Treasury Board issued a directive requiring federal institutions to report all material data loss to both the commissioner and Treasury Board.
One particularly enormous data breach the government suffered recently was the 2012 loss from Employment and Social Development Canada of an external hard drive containing the personal information of 583,000 student loan recipients, the report noted.
To remind readers about the damage clumsiness can cause the report notes that Parliament was told last March how the hard drive was left unsecured for extended periods of time, was not password protected and held unencrypted personal information.
As a result the commissioner’s office issued a four-page tip sheet with checklists on four controls for protecting against breaches. Physical controls, for example, stress the importance of protecting devices not in use by placing them in locked cabinets or in storage areas where access is restricted. Technological controls would include encryption or strong passwords, with training for employees in each. Imprinting serial numbers one devices so they can be tracked is another recommendation. So is using portable storage devices to store personal information only as a last resort.
Personnel security controls include regular mandatory training about security and privacy, and monitoring the use of personal storage devices by employees to ensure policies and procedures are being followed.
Also in the report, the privacy commissioner’s office said it wants to get a better idea of how bureaucrats use portable storage, so it has started to study how into 17 departments and agencies use the devices and whether they have implemented policies and adequate controls. It hopes to have the report done in the next year.