privacy commissioner's report into student loan harddrive loss

8/12/2019 Privacy Commissioner's report into student loan harddrive loss.

1/27

Special Report to Parliament

Findings under the Privacy Act

Investigation into the loss of a hard drive at

Employment and Social Development Canada

March 25, 2014


2/27

Office of the Privacy Commissioner of Canada

30 Victoria Street

Gatineau, Quebec

K1A 1H3

Minister of Public Works and Government Services Canada 2014

IP54-56/2014E-PDF978-1-100-23322-2

Follow us on Twitter: @PrivacyPrivee


3/27

Contents

Investigation into the loss of a hard drive at Employment and

Social Development Canada .................................................................................................... 1

Complaint Under the Privacy Act............................................................................................. 1

Introduction ............................................................................................................................. 1Background ............................................................................................................................. 1

Methodology ............................................................................................................................ 2

Summary of Facts ..................................................................................................................... 2

ESDCs Act ions Following the Incident................................................................................... 4

Appl ication ................................................................................................................................ 9

Analysis ..................................................................................................................................... 9

I. Physical Controls ............................................................................................................ 10

II. Technical Controls .......................................................................................................... 11

III. Administrative Controls ............................................................................................... 12

IV. Personnel Security Controls ........................................................................................ 13

Findings ................................................................................................................................... 14

Recommendations .................................................................................................................. 15

Other Observations ................................................................................................................ 21

Conclusion .............................................................................................................................. 22

Additional Information ............................................................................................................ 23


4/27


5/27

1

Investigation into

the loss of a hard

drive at

Employment andSocial Development

Canada

Complaint Under the

Privacy Act

Introduction

1. This Report of Findings relates to aCommissioner-initiated complaint againstEmployment and Social DevelopmentCanada (ESDC), formerly HumanResources and Skills Development Canada(HRSDC), in relation to the loss of anexternal hard drive (the incident)

containing the personal information of583,000 Canada student loan borrowers,and 250 ESDC employees.

Background

2. On December 17, 2012, ESDC verballynotified our Office of the incident. Formalwritten notification was subsequentlyreceived from ESDC on January 7, 2013.

3. ESDCs written notification advised that theexternal hard drive contained personal

information dated from 2000-2006 forCanada Student Loan borrowers, including:Social Insurance Number (SIN), first name,last name, date of birth, home address, andtelephone number. ESDC subsequentlyinformed our Office that the external harddrive also included student loan balanceinformation. In addition, the external harddrive contained employee information froma Business Continuity Plan fan out list. Thisinformation included first name, last name,home address and home phone number

and/or cell phone number.

4. Upon receipt of the notification from ESDC,we determined that there were reasonablegrounds for a Commissioner-initiatedcomplaint against the Department toascertain whether there has been acontravention of the Privacy Act.

5. Accordingly, the Office of the PrivacyCommissioner of Canada (the OPC)initiated a complaint against ESDC onJanuary 11, 2013, pursuant to subsection29(3) of the Privacy Act (theAct).

6. The OPCs investigation focused on theincident in relation to the disposal, use anddisclosure provisions of theAct.


6/27

2

Methodology

7. Our investigation examined thecircumstances surrounding the incident, aswell as ESDCs policy framework in orderto identify the degree of conformity with the

applicable Government of Canada privacy-related policies, and whether theDepartmental policies and procedures thatwere in place at the time of the incidentwere sufficient and effectively implemented.

8. To this end, we reviewed therepresentations received from ESDC inrelation to the incident, and ourinvestigation entailed interviews with keyemployees identified as having access tothe missing external hard drive, as well as

a site visit to ESDCs Canada StudentLoans Program (CSLP) Unit, and meetingswith Departmental officials.

Summary of Facts

9. The CSLP promotes accessibility to post-secondary education for students with ademonstrated financial need by loweringfinancial barriers and ensuring Canadianshave an opportunity to develop theknowledge and skills to participate in theeconomy and society. With theseobjectives in mind, the CSLP offers a suiteof student financial assistance programsand services, including student loans forfull-time and part-time students, non-repayable grants, and repaymentassistance measures for borrowers whoexperience difficulty repaying their loans.

10. The investigation confirmed that, onNovember 5, 2012, an employee of the

CSLP Unit went to retrieve an externalhard drive from a filing cabinet and noticedthat it was missing.

11. According to ESDCs representations, thehard drive was stored in a lockable filingcabinet located in that employees cubicle,in an envelope, hidden under suspendedfiles.

12. ESDC reported that the external hard drive

was a 1 terabyte (TB) Seagate GoFlex. Itwas not password protected, nor was theinformation contained on it encrypted. Theserial number of the hard drive remainsunknown.

13. According to ESDC, the external harddrive was used to backup information inpreparation for the migration of informationfrom the T drive to the U drive on theDepartment's network. The migration ofinformation was performed by the

Innovation, Information and TechnologyBranch (IITB) on October 12, 2012.

14. ESDC confirmed that the IITB was notinvolved in the backup of information onthe hard drive, as the hard drive was nottechnically necessary for the datamigration. The hard drive was only usedas a risk mitigation measure by the CSLPto protect against inadvertent loss ordeletion of the files during the migration.

15. By way of background, ESDC confirmedthat the data migration project started in2011 by the Operational Program SupportDivision (OPSD). The OPSD became theProgram Integrity and Accountability (PIA)Division in the fall of 2011. The PIADivision provides stewardship to the CSLPthrough leadership in planning, reporting,portfolio management, accountability,program integrity and compliance, as wellas administrative services for the CSLP,including finance, human resources,financial and information management,security and accommodations.


7/27

3

16. Following a comprehensive review of thefiles and folders on the Departmentsnetwork that were identified for themigration project, ESDC informed ourOffice that the following data files werecompromised by the loss of the externalhard drive, each of which is described in

more detail below:

Files pertaining to client satisfactionsurveys;

Files containing investigation reports;

Files containing CSLP financial,business plan and Human Resourcesinformation;

Files containing Business Continuity

Planning information.

17. Notwithstanding the above, as the harddrive is missing, ESDC submits that thereis no way to conclusively identify whatinformation was in fact backed up to thehard drive.

Client Satisfaction Surveys

18. The CSLP conducts an annual survey totrack experience and satisfaction with

CSLP service delivery for in-studyborrowers and those borrowers inrepayment. The survey is also used tomeasure satisfaction with service deliveryby the National Student Loans ServiceCentre (NSLSC), and helps the CSLPbetter understand the client population.The PIA Division is responsible for theclient satisfaction survey on behalf of theCSLP.

19. ESDC reported that some of the

information contained on the hard drivestems from files associated with theCSLP's client satisfaction surveys thatwere conducted in 2004-2005, 2005-2006,and 2006-2007. ESDC subsequentlyconfirmed that some of the affectedborrowers fall beyond the survey yearsinitially reported, up to and including thedisbursement year 2012.

20. In addition to the seven pieces of personalinformation described by ESDC in itsnotification to our Office, the files relating toclient satisfaction surveys may have alsoincluded the following fields of informationin relation to borrowers:

Loan certificate number, loan ID number,loan class (whether the borrower is in study,

or in repayment), whether the borrower had

direct contact with the Service Provider, the

name of the education institution that the

borrower attended, the borrowers gender,

language, marital status, the province that

issued the loan, the type of loan (e.g. part

time loan), years of study, end of study

date, loan interest rate, loan interest type,

the date the loan was issued, the

disbursement date, the federal loandisbursement amount, the student loan

consolidation date, whether the borrower is

active (borrower sent in consolidation

agreement), or passive (borrower did not

submit consolidation agreement), the type

of loan (eg. full-time direct, part-time direct,

integrated), delinquency flag (identifies

whether the borrower is in delinquency), the

delinquency date, a paid in full indicator,

the outstanding balance on the loan, fax

number.

21. ESDC submits that not all information fieldswere populated for each borrower. Thepersonal information of the affectedindividuals on the external hard drive wascontained within different data files and, assuch, the number of information fieldsfound within these files varied.

Investigation Reports

22. We confirmed that the investigationreports, described by ESDC as part of theinformation content on the hard drive referto the administrative investigations thatwere undertaken to confirm the eligibility ofa number of students for the CSLP,including loans, grants, and repaymentassistance.


8/27

4

23. ESDC submits that the following dataelements were included in a series ofworking documents that itemized theindividuals being reviewed for eligibility:clients name, address, SIN, date of birthand loan amount.

24. Our review confirmed that the hard drivemay have also included the following fieldsof information in the investigation reports:

Canada student loan number, amount paid

(including interest), amount paid to principal

only, and status (this indicates whether it is

paid in full; there is no account activity; the

loan was referred to legal for civil action; the

individual declared bankruptcy or is

deceased; or the loan is resolved).

25. ESDC submits that not all fields werepopulated in relation to each of the 583,000borrowers affected by the breach, as not allof these borrowers were the subjects ofinvestigations for the purposes of programeligibility.

CSLP Financial, Business Plan and HRInformation

26. Our investigation confirmed that this

information refers to documents thatcapture both CSLP financial and work planactivities that are undertaken on an annualbasis in order to assign resources and workfor a given fiscal year within the program.Consequently, no personal information wascaptured in these files.

Employees Personal Information forBusiness Continuity Planning

27. Further to paragraph 3 of this Report,

ESDC reported to our Office that theexternal hard drive also containedemployee information from a businesscontinuity plan fan out list.

28. We confirmed that a fan out list is used tocontact employees in the event of anemergency situation which interrupts theirwork, such as a building shutdown. The fanout list is an evergreen document; it isupdated regularly to ensure that theinformation is accurate, and to reflect

changes in personnel.

29. ESDC confirmed that 250 Learning Branchemployees were affected by this incident.The information contained in the fan out listincluded the employees first name, lastname, home address, home telephonenumber, and, in some cases, cellularphone number.

ESDCs ActionsFollowing the

Incident

30. As part of its submissions to our Office,ESDC provided a comprehensive report ofthe chronology of actions taken to respondto the incident, including details of theoffice sweeps and building searches,

meetings organized with staff, thecommuniqus to staff, the preliminaryinterviews that were conducted with theemployee who reported the harddrive missing, and others identified ashaving access to the hard drive, as well asthe steps taken by IITB to locate, scan andreview external hard drives located in thebuilding and other locations in the NationalCapital Region.

31. We highlight the following dates fromESDCs representations:

On November 5, 2012, the employeesmanager was notified of the missingexternal hard drive and search effortsensued;


9/27

5

On November 22, 2012, the Director ofthe CSLP was notified of the incidentand additional search efforts wereinitiated, including communication withall staff;

On November 26, 2012, the Director of

the CSLP was advised of theinformation content on the externalhard drive and proceeded to advisesenior management of a potentialprivacy incident;

On November 29, 2012, the SecurityIncident Report was signed off by theDirector of the CSLP. The RegionalSecurity Office (RSO) initiatedadditional searches and sweeps of theoffice area and building, and also

interviewed the employee who reportedthe incident, and three formeremployees;

On December 6, 2012, following acomprehensive review of the files andfolders that were saved to the externalhard drive, ESDC determined that thescope of the personal informationcompromised pertained to over500,000 clients.

32. On January 4, 2013, ESDCs SpecialInvestigations Unit, Internal Integrity andSecurity Directorate, was mandated toundertake a formal internal investigation inorder to ascertain the circumstancessurrounding the loss of the hard drive.ESDCs internal investigation concludedwith a report dated February 27, 2013, anda supplementary addendum to the reportdated April 9, 2013.

33. As part of its internal investigation, ESDC

reported that interviews were conductedwith four employees in the CSLP Unit whowere identified as part of the working groupcreated to work on the data migrationproject. These employees were identifiedas having the hard drive in theirpossession for the purposes of assistingwith the migration project, or havingknowledge of its storage location.

34. In addition, the computers of the fouridentified employees were subject to an ITforensic analysis in order to determine ifany external hard drive had beenconnected to them.

35. Interviews were also conducted with 15

employees working in the same areawhere the hard drive was reported missing,including two employees currently workingin other federal departments.

36. ESDC confirmed that the CSLP area iscontrolled by an access card system andthe access logs for the area were reviewedas part of its investigation.

37. A Canada-wide search was also conductedon ESDCs departmental network to verifyif an external hard drive matching the makeand model of the missing drive wasconnected to one of its computers.

38. ESDCs internal investigation establishedthe following facts:

The initial backup of the information atissue to the external hard drive wasconducted in 2011 in the OperationalProgram Support Division (OPSD);

Between January and August 2012, thehard drive was used to conductsporadic safeguarding (backups) of theinformation on the T drive by theworking group within the CSLP Unit.ESDC established that no files weredeleted from the hard drive by theworking group members;

The IT forensic analysis confirmed thatan external hard drive with the same

make and model (Seagate GoFlex)was connected in June 2012 to one ofthe computers searched. ESDCreported that, based on the balance ofprobabilities, this external hard drive(and its associated serial number) waslikely the missing hard drive;


10/27

6

The IT analysis was inconclusive inrelation to two of the computerssearched one employees computerwas replaced in October 2012 and sentto surplus; and the other computer wasreimaged in December 2012, erasingall evidence that a hard drive may have

been connected to it;

ESDC found no evidence that aSeagate GoFlex external hard drivewas ever connected to the fourthcomputer analyzed during the internalinvestigation;

ESDC also confirmed that the harddrive was left for periods of time(weeks) without being stored in a

locked filing cabinet. Even when storedin the cabinet, the cabinet was notalways locked and other employeesinvolved in the data migration projectwere aware of the location of the keys;

The external hard drive was last seenby an employee in August 2012, and aspreviously noted, it was discoveredmissing on November 5, 2012;

The access log report for the period ofAugust 2012 November 2012revealed that over 200 differentemployees had access to the CSLPcontrolled area. ESDCs reviewconfirmed that all individuals hadapproved access;

Following multiple searches of thebuilding where the CSLP is located,ESDC found no evidence of a breakand enter into the building, or forcedattempts to access the cabinet wherethe hard drive was stored;

The information contained on the harddrive was not encrypted and was notprotected by a secure password;

The procedures outlined in ESDCsDepartmental Security Policy andProcedures Manualfor handling theinformation contained on the externalhard drive (Protected B), were notfollowed in relation to storage (whereremovable media is used to store

sensitive information, the media shouldbe stored in a security-approvedcontainer); and encryption (sensitiveinformation should be encrypted).

39. ESDC issued a public statement onJanuary 11, 2013 regarding the loss ofthe external hard drive, providingbackground information and a timelineof events in relation to the incident onits website.

40. ESDC submits that, in order to mitigatethe impact on those clients affected bythe loss of the hard drive, it initiated apublic awareness campaign thatincluded press releases, publicannouncements, and specialinformation on the Departmentswebsite. In addition, ESDC set up adedicated toll-free information line inorder for individuals to verify whetherthey were affected by the incident, andto obtain additional information

regarding the incident. This service wasoffered to individuals starting onJanuary 14, 2013.

41. Between January 28, 2013 andFebruary 1, 2013, ESDC sent outnotification letters to those clients forwhich it had current contact information.ESDC advised affected clients of thepersonal information that wascompromised by the loss of the externalhard drive, including: Social InsuranceNumber (SIN), first name, last name,date of birth, home address, telephonenumber, and student loan balance.


11/27


12/27

8

51. The matter was also referred by ESDC tothe Royal Canadian Mounted Police(RCMP) on January 7, 2013 forinvestigation. It was subsequently reportedpublicly on August 8, 2013, that the RCMPwould not launch a criminal investigationinto the matter.

52. ESDC submits that appropriateadministrative action has been taken inrelation to the incident, in line with TreasuryBoard Secretariats Guidelines forDiscipline.

ESDCs PrivacyManagement Framework

53. ESDC submits that the Departmentcommenced a review of its privacy

management framework in 2010, whichresulted in the launching of a multi-yearprivacy renewal initiative.

54. In 2011-2012, ESDC conducted a reviewof privacy management practices andconvened with key stakeholders to informthe development of the Privacy Renewal

Action Plan. The first phase of the ActionPlan was launched in 2011-2012, whichincluded a privacy risk triage and thedrafting of a consolidated Departmental

Privacy Code. The new Privacy Codecame into force in March 2013.

55. In 2012-2013, four key priorities wereidentified for the second phase of the

Action Plan, including program-led PrivacyAction Plans for eight of ESDCs statutoryprograms; the re-design of theDepartments Privacy Impact Assessment(PIA) Process; the launch of a newDepartmental Policy on PrivacyManagement; and the implementation of a

renewed privacy training and awarenessstrategy.

Departmental Directives and Protocols

56. On January 14, 2013, ESDC issued new ITSecurity Guidelines to all staff. The USBStorage Devices Directive providesdirection that only authorized USB devicesare allowed for use on departmental

computers. This includes portable harddrives and USB keys.

57. To implement the Directive, allunencrypted USB devices were collectedfor proper disposal and a limited number ofencrypted (password or biometric) arebeing distributed to employees whoregularly work with protected or classifiedinformation. Further, ESDCreported that it now regularly scans itscorporate network to detect the use of

unauthorized USB devices.

58. ESDC also reported that an updatedversion of its Information ClassificationGuide was reissued on January 15, 2013to enhance employees awareness of therequirements for safeguarding protectedand classified information.

59. In addition to the new USB Directive,ESDC is conducting a risk assessment ofall other mobile devices to identify the riskof loss of personal information. To thisend, it has temporarily disabled the abilityof employees to write on CDs, DVDs, andother optical media unless a legitimatebusiness requirement is identified andapproved.

60. ESDC confirmed that work is ongoingwithin the department to develop anddeliver enhanced integrated training fordepartmental staff. All employees will berequired to undertake mandatory trainingon the subjects of privacy, security,information technology security,information management and values andethics. Re-certification will be requiredevery 24 months.


13/27

9

61. The Department is also implementing anEngagement Plan to engage employeeson the stewardship of information. Tosupport this Plan, ESDC implemented aportal on the Stewardship of Information in

August 2013. The site provides employeeswith information relating to the

management and protection ofDepartmental information assets, as wellas information on the issues of privacy,security, IT security, informationmanagement, and values and ethics.

Application

62. In making our determination, weconsidered sections 3, 6, 7 and 8 of the

Act.

63. Section 3 of theActdefines personalinformation as information about anidentifiable individual that is recorded inany form including, without restricting thegenerality of the foregoing: informationrelating to race, national or ethnic origin,colour, religion, age, marital status,education, medical, criminal oremployment history, financial transactions,identifying numbers, fingerprints, blood

type, personal opinions, etc.

64. Subsection 6(3) of theActrequires that agovernment institution dispose of personalinformation under its control in accordancewith the regulations and in accordance withany directives or guidelines issued by thedesignated minister in relation to thedisposal of that information.

65. Paragraph 7(a) of theActstates thatpersonal information shall not, without the

consent of the individual to whom it relates,be used by the institution except for thepurpose for which the information wasobtained or compiled by the institution orfor a use consistent with that purpose.

66. TheActstates that personal informationcan only be disclosed with an individual'sconsent Subsection 8(1) or inaccordance with one of the categories ofpermitted disclosures outlined insubsection 8(2) of theAct.

Analysis

67. The personal information contained on themissing external hard drive for example,name, address, date of birth, SIN isclearly personal information as defined bysection 3 of the Privacy Act.

68. Following our analysis of ESDCs policies,in particular, the Departmental Security

Policy and Procedures Manual (June2005), the Policy on Departmental ITSecurity Management (December 2010),and the Departmental Privacy Policy (lastupdated in October 2009), we are satisfiedthat these policies conformed to therequirements of the relevant TreasuryBoard Secretariat (TBS) policies andguidelines, in particular, the Policy onGovernment Security, the OperationalSecurity Standard: Management ofInformation Technology Security (MITS),

and the Operational Security Standard onPhysical Security (OSSPS).

69. What this means is that we are satisfiedthat ESDC had in place at the time of theincident the policies commensurate withthe requirements demanded by theGovernment of Canada for the protectionof its personal information holdings.

70. Notwithstanding the above, ourinvestigation identified a number of

weaknesses in ESDCs control over thepersonal information identified on themissing hard drive. In our view, theDepartment failed to translate its ownprivacy and security policies intomeaningful business practices.


14/27

10

71. For ease of reference, we have organizedour analysis around four types of controlsthat the OPC has identified as providingprotection against data breaches whatwe refer to as the four pillars of soundprivacy management.

72. We base these controls on the TBSsDirective on Privacy Practicesand thePolicy on Government Security,specifically:

I. Physical Controls

II. Technical Controls

III. Administrative controls

IV. Personnel Security Controls

I. Physical Controls

73. Physical security controls are paramount inensuring that government information(including personal information), assetsand services are protected againstcompromise. This includes implementingstrategies to mitigate the risk ofunauthorized access, use or disclosure ofpersonal information.

74. Our investigation established that theCSLP Unit is located in an operationalzone, limited to authorized departmentalemployees. The physical area is controlledby an electronic card access system and ismonitored after-hours by a security alarmsystem. The entrance to the building ismonitored by a Commissionaire and visitoraccess is strictly controlled (sign-in andvisitor pass).

75. While base building security isfundamental to safeguarding governmentemployees and assets, physical securitystrategies must also be in place to protectinformation and to comply withGovernment of Canada policies.

76. In line with ESDCs Departmental SecurityPolicy and Procedures Manual and theGovernment of Canadas OperationalSecurity Standard on Physical Security,protected information, which includespersonal information, must be stored in asecurity-approved container (e.g. approved

filing cabinet). It also requires thatprotected information and valuable assetsare properly safeguarded when occupantsare away from their workstations for anylength of time. Accordingly, keys or otherlocking features of security containersmust also be safeguarded.

77. We highlight that the personal informationcontent on the missing external hard driveis classified at the Protected B level,according to the Government of Canada

classification standards. TBS states thatthis applies to sensitive personal, privateand business information wherecompromise could result in grave injury(e.g. loss of reputation, identity theft, etc.).

78. ESDCs Departmental Security Policy andProcedures Manual requires that, whereremovable media is used to store sensitiveinformation, including personal information,the media must be stored in a security-approved container when not in use.

79. Our investigation established that the harddrive was often left unsecured for extendedperiods of time without being stored in afiling cabinet. Even when stored in thecabinet, the cabinet was not always lockedand other employees were aware of thelocation of the keys.

80. Portable devices are attractive assets andsafeguards must be in place to protect thepersonal information stored on thoseassets. To this end, we are not satisfiedthat ESDC had in place robust physicalsecurity controls to mitigate the risk ofcompromise to both the external hard driveand the personal information stored on it.


15/27

11

II. Technical Controls

81. Federal Departments and agencies arerequired by the Policy on GovernmentSecurity (PGS) to protect governmentassets and information, including personalinformation, and are directed to have an IT

Security strategy in place to protectinformation throughout its lifecycle. ITSecurity refers to the safeguardsimplemented to preserve theconfidentiality, integrity, availability,intended use and value of electronicallystored, processed or transmittedinformation.

82. ESDCs Departmental Security Policy andProcedures Manual requires thatmeasures must be established to

safeguard personal or other sensitiveinformation throughout its lifecycle. Thisincludes the secure processing, storing,handling, communicating, transmitting anddestroying of sensitive information inaccordance with departmental securitystandards, and on the basis of a Threatand Risk Assessment (TRA). Further, itstates that personal or other sensitiveinformation must be identified and markedaccording to its highest level of security.

83. Our investigation determined thatremovable media (e.g. external harddrives, USB keys, etc.) were not subject tosecurity risk assessment activities at thetime of the incident. ESDC did not requirethat a TRA or a Privacy Impact

Assessment (PIA) be conducted in relationto the use of removable media containingpersonal information. In addition, themissing external hard drive was notmarked as required by ESDCs policy.

84. ESDC submits that it annually conductsrisk assessment exercises; however, givenlimited resources, priority was given tohigher level threats. Removal media werenot identified as a high level threat. Inaddition, ESDC submits that the use ofremovable media with desktop or network

hardware and software were also notamongst the systems examined at the timeof the incident. It indicated that theDepartment is now proceeding with aprogressive certification and accreditationof its systems.

85. ESDCs Departmental Security Policy andProcedures Manual also requires that,where removable media is used to storesensitive information, including personalinformation, the information should be

encrypted. Further, ESDCs SecurityBulletin entitled Encryption Requirements(December 2008), states that, wherepossible, management should limitsituations where employees are required tostore protected information, includingpersonal information, on portable mediadevices. Where unavoidable, it is theemployees responsibility to ensure thatthe information is encrypted.

86. While ESDC submits that at least two

approved procedures were readilyavailable to the users of the external harddrive 1) the password protection feature;and 2) the use of the Entrust encryptionsoftware; the investigation establishedthat no technological safeguards wereimplemented to protect the informationcontent on the hard drive in this case.

87. We recognize that ESDC introduced a newUSB Storage Devices Directive inJanuary 2013 that prohibits the use of

unencrypted USB keys and hard drives ondepartmental computers. To this end, weencourage ESDC to continue with theimplementation of this risk managementstrategy, including regularly scanningnetwork drives to detect unauthorizeddevices and clearly communicating thenew Directive to all employees.


16/27


17/27

13

96. Administrative safeguards also refer to theenforcement of an institutions writtenpolicies, directives, procedures andprocesses for the protection of personalinformation.

97. Further to paragraph 70, while we are

satisfied that ESDC had in place at the timeof the incident sound policies in relation tothe management of its personal informationholdings, we are of the view that there is anidentifiable gap in the translation of thesepolicies to the day-to-day businessoperations of the Department.

98. Consequently, we are not satisfied that, atthe time of the incident, ESDC had effectivecontrols in place to ensure themanagement of the information in question

throughout its lifecycle.

IV. Personnel Securi ty Controls

99. Personnel security controls refer to aDepartments management of itsemployees suitability, proper training,supervision and disciplinary procedures.

100. The examination of the trustworthinessand suitability of employees to protect theemployer's interests is accomplished byconducting security assessments andreliability checks, which are conditions ofemployment under the Public ServiceEmployment Act (PSEA).

101. Our investigation confirmed that theemployees who had access to theinformation content on the external harddrive each had a valid security clearancecommensurate with the level ofinformation required for their positions.

102. Government of Canada employees areresponsible for managing the informationthey collect, create and use to support theprograms and services under which theyoperate.

103. To accomplish this, employees have aresponsibility to apply Government ofCanada and Departmental policyinstruments (policies, standards andassociated procedures). Employees musttherefore be provided timely access totraining to ensure that they have the

necessary knowledge, skills andcompetencies to effectively carry out theirduties.

104. We are not satisfied in this case that theemployees who had access to theexternal hard drive fully understood theprivacy risks inherent to the use of aportable device, or the vulnerabilities ofthe information stored on the device. Infact, it is our view that the employeesinterviewed during the investigation did

not have a clear understanding of theinformation content on the hard drive atall.

105. Further to paragraphs 70 and 97, it is ourview that there is an identifiable gap inthe translation of Departmental policies tothe day-to-day business operations of thedepartment. To this end, we highlightthat there is a lack of employeeawareness in the following areas thatcontributed to vulnerabilities in ESDCs

information management practices at thetime of the incident:

Information stewardship identifyingand handling personal information;

Security responsibilities proceduresfor storing personal information andassets containing personalinformation;

IT controls and responsibilities implementing safeguards to protect

personal information, particularlyinformation stored on portabledevices (e.g. encryption);

Threats awareness of the inherentrisks associated with the loss orunauthorized access, use ordisclosure of personal information.


18/27

14

106. Employee awareness is accomplishedthrough effective management, leadershipand the supervision of employees, whichsupport information managementpractices and mitigate the risks of humanerror, wrongdoing or negligence. This mayinclude formal direction, follow-ups,

monitoring, inspections, and auditcontrols. There are consequences to non-compliance, and steps must be taken toidentify the risks and manage them beforethey occur.

107. ESDC submits that the IT SecurityCentre of Excellence, under its ITSecurity Awareness Program, issuesmonthly tips and alerts to staff. Inaddition, the Department sends outperiodic reminders to employees on the

importance of protecting the personalinformation of Canadians and the strictprocedures to be followed in handlingsuch information. IT Security

Awareness Training was also deemedmandatory by ESDC in June 2009 withthe approval of the Policy onDepartmental IT Security Management.

108. Further to paragraph 60, ESDC submitsthat work is ongoing to develop anddeliver enhanced integrated training for

departmental staff. All employees willbe required to undertake mandatorytraining on the subjects of privacy,security, IT security, informationmanagement and values and ethics.

109. We encourage ESDC to continue withthe establishment of a comprehensivetraining and awareness program toensure that employees have thenecessary knowledge, skills andcompetencies to effectively carry out

their information management duties.

110. Further to paragraph 52, ESDC submitsthat appropriate administrative actionhas been taken in this case. To thisend, Departments are authorized toestablish standards of discipline and toset penalties, including termination ofemployment, suspension, demotion to a

position at a lower maximum rate ofpay, and financial penalties that may beapplied for breaches of discipline ormisconduct, in line with Treasury BoardSecretariats Guidelines for Discipline.

Findings

111. The Privacy Act requires governmentinstitutions to respect the privacy of

individuals by properly managing thecollection, use, disclosure, retentionand disposal of personal information.

112. ESDC regularly collects personalinformation for purposes ofadministering the CSLP. It stands toreason that, in order to meet itsobligations to ensure that it does notuse or disclose personal information ina manner contrary to theAct, it is anecessary precondition that ESDC

protect the personal information it hascollected during its life cycle - from thetime of collection until it is destroyed byan approved method.

113. In order to effectively protect thepersonal information againstunauthorized uses and disclosures,government institutions must implementappropriate security safeguards.


19/27

15

114. This notion is supported at the policylevel within the federal government. Forexample, TBSs Directive on PrivacyPracticescalls for limiting access anduse of personal information byadministrative, technical and physicalmeans to protect personal information,

and TBSs Policy on GovernmentSecurityand its related standardsestablish minimum safeguards toprotect and preserve the confidentialityand integrity of government assets,including personal information.

115. ESDCs failure to implement theappropriate safeguards to protect thepersonal information in question hascreated a significant risk forunauthorized access, use or disclosure

the very threats that the Governmentof Canada is entrusted to protect it from.Of great concern is the volume andsensitivity of the personal informationcontained on the external hard drive information that could, in the wronghands, lead to identity theft or fraud.

116. ESDC also has a responsibility toensure it disposes of personalinformation in accordance with therequirements of theAct, which includes

a requirement that the information bedisposed in accordance with anydirectives or guidelines issued by thedesignated minister (i.e., the Presidentof the Treasury Board).

117. In this regard, the TBS Directive onPrivacy Practicesrequires thatgovernment institutions dispose ofrecords containing personal informationin accordance with the provisions of theLibrary and Archives of Canada Actand

according to government securitystandards.

118. Given that the hard drive in this case islost, ESDC is not in a position todemonstrate that it complied with theserequirements to properly dispose of thepersonal information contained on thehard drive.

119. Based on the above, we are notsatisfied that ESDC has met therequirements of sections 6(3), 7 or 8 ofthe Privacy Actin this case.

120. Accordingly, we have concluded that

the matter is well-founded.

Recommendations

121. In a letter dated November 4, 2013, ourOffice provided a Preliminary Report ofFindings to ESDC pursuant tosubsection 33(2) of the Privacy Act.This Report contained details of ourinvestigation and set out the preliminary

findings and recommendations of ourinvestigation.

122. To this end, we recommended thatESDC implement a number of securitymeasures to contribute to theprevention of a similar incident, and tohelp ESDC meet the requirements oftheActto protect against unauthorizeduses and disclosures of personalinformation. The recommendationsmade to ESDC were based on the four

types of controls that the OPC hasidentified as providing protectionagainst privacy breaches, further toparagraph 72 of this Report.

123. In its response to the PreliminaryReport of Findings received onDecember 4, 2013, ESDC accepted ourrecommendations in full. Set out beloware our recommendations and ESDCsresponse to each of ourrecommendations.


20/27

16

OPC Recommendation 1

We recommended that ESDC revisit its

physical security control practices to ensure

that regular monitoring and inspections are

incorporated into its security program. Thiswill help to ensure that personal information

is stored in approved cabinets when

employees are away from their desks for any

length of time; that cabinets are locked

accordingly; that keys for cabinets are

properly safeguarded; and that attractive or

valuable assets (i.e. external hard drives,

laptops, etc.) containing personal information

are properly safeguarded.

ESDCs Response

ESDC submits that it has commenced security

sweeps in its buildings, including employee

cubicles and offices. ESDC contends that this

initiative will raise awareness and help mitigate

the potential loss of government assets and

information. ESDC is finalizing a plan to

conduct security sweeps in all regions.

ESDC highlighted that it is also developing a

Departmental Security Framework that sets out

the effective management of security

responsibilities and imbeds security principles

and practices at both the strategic and

operational levels. The Framework and

associated plans will help to define different

types of security requirements, inform

improvements to security functions, as well assupport security training and awareness.


A PIA is a formal process that helps

determine whether initiatives involving the

use of personal information raise privacy

risks, and proposes solutions to eliminate ormitigate privacy risks to an acceptable level.

A TRA assists in the determination of IT

security requirements and can be short and

simple, depending on the sensitivity, criticality

and complexity of the program, system or

service being assessed. We recommended

that ESDC establish protocols to coordinate

the identification and categorization of its

personal information holdings and assets

with departmental PIA and TRA activities inorder to mitigate all identified privacy risks.

ESDCs Response

ESDC highlighted that the identification,

assessment and mitigation of privacy risks is a

key pillar of its Privacy Management

Framework. Following the first phase of

ESDC's 2011 Privacy Renewal Action Planwhich included a series of privacy risk

assessments of the Department's major

statutory programs and personal information

holdings, program-led Privacy Action Plans

were developed and launched for the

Department's eight statutory programs in 2012

as part of phase two of the Privacy Renewal

Action Plan.

In 2012-2013, ESDC submits that it re-engineered its Privacy Impact Assessment

(PIA) process to enhance and streamline the

Department's privacy risk assessment and

mitigation process, and also launched a new

strategic planning process to support the

implementation of an annual privacy and

information security work plan.


21/27

17

ESDC submits that it will continue to support

the implementation of a risk-based, proactive

approach to privacy management by building

on progress achieved to date and identifying

and assessing emerging privacy and security

risks.


We recommended that ESDC complete a

comprehensive review of its materiel holdings

to ensure that all personal information and

assets containing personal information are

identified and marked according to the

highest appropriate security level (e.g.

Protected B), in line with ESDCsDepartmental Security Policy and

Procedures Manual, and Treasury Boards

Security Organization and Administration

Standard for selecting minimum safeguards

to protect information and assets.

ESDCs Response

ESDC highlighted that it is presently executingan Information Management strategy across all

branches and regions which includes the

following core elements:

i. Examination of all repositories to

develop an inventory of information

assets;

ii. Appropriate retention and disposition

decisions to ensure that transitoryrecords which are no longer required

are disposed of, and records of

business value are preserved;

iii. Classification of remaining records tothe appropriate security level, followingthe Department's informationclassification guide;

iv. Appropriate protection, through accessrights, encryption, or both, ofinformation that is rated Protected orabove.


We recommended that portable storage

devices only be used as a last resort to store

or transfer personal information, and only if it

is demonstrably necessary to fulfill a specific

and documented purpose. All sensitive or

personal information stored on portable

devices must be protected by strong

technological safeguards, including

encryption.

ESDCs Response

ESDC highlighted that steps have been taken

to restrict and manage the use of portable

storage devices, including: 1) On January 11,

2013, the USB Storage Devices Directive was

implemented that restricts the use of portable

storage devices to instances where

management has validated the need,

mandates the use of encrypted (biometric and

password) USB keys or hard drives, and

imposes consequences for failure to comply;

2) On January 18, 2013, the monitoring of

desktop computers for unauthorized use of

USB devices began; 3) On May 27, 2013,

security software was deployed to block

unauthorized use of USB devices; and 4) On

June 3, 2013, security software was deployed

to block all other portable storage devices,such as optical media (CD/DVD) and floppy

disks. Only authorized users can save to such

media.


22/27

18


We recommended that ESDC establish

proper materiel management practices to

inventory and monitor all assets that may be

used to store or transmit sensitive personal

information. This may include affixing a barcode or other inventory measure to enable

tracking of the asset. In addition, the relevant

asset information (e.g. serial number) must

be communicated to the appropriate asset

management staff.

ESDCs Response

ESDC confirmed that, as a result of theincident, portable devices are now procured,

distributed and managed centrally, and

Assistant Deputy Minister (ADM) approval is

required to use such devices. In addition,

ESDC highlighted that laptops are tagged and

tracked by serial number and report to a

technical console each time they are

connected to ensure proper security software is

deployed. Encrypted USB keys and portable

hard drives are tracked by serial number thisinformation is integrated into the software

which is used to monitor connections to the

Department's network. As a safeguard,

devices are attached with a coloured tag that

identifies the Department's Service Desk 1-800

number, in the event a device is found. ESDC

also confirmed that the Department's Material

Management Policy is being updated to reflect

how these devices are tracked.


We recommended that ESDC incorporate

regular security reviews or physical

inspections of assets containing personal

information to ensure proper safeguards are

implemented to protect personal information.

ESDCs Response

ESDC submits that the following efforts will

assist the Department in raising awareness

among its employees and will enhance

mitigation of the potential future loss of

government assets and information:

i. The Clean Desk Guideline wasshared with all employees in August2013, to encourage a clean deskpractice to prevent the unauthorizeddisclosure of sensitive information andloss of personal items;

ii. Security sweep inspections ofemployee cubicles and offices havecommenced;

iii. A compliance validation is included inthe approved scope of the Internal

Audit on IT Security, wherebyindividual, portable digital media will beexamined to assess controls in theareas of policy management, technicalsecurity and operational security. Theconduct phase of the audit isproceeding until July 2014.


23/27

19


We recommended that ESDC develop and

implement controls to ensure that personal

information is managed rigorously throughout

its entire lifecycle. This includes establishing

controls to manage and track personalinformation, and ensuring that there is

awareness and accountability for the

information throughout its lifecycle.

ESDCs Response

ESDC attests that a critical element of its

Information Management strategy is ensuring

the appropriate classification of records and theappropriate storage of records classified at

protected or above. Through proper training, a

disciplined process, and regular follow-up,

ESDC submits that awareness of the proper

handling of sensitive records will remain high.

Effective June 2013, Data Loss Prevention

(DLP) software has been deployed which

permits routine scanning of information

repositories. Advanced algorithms detect whenpotentially sensitive files are not properly

protected, which allows management to take

action to ensure the records are more

appropriately managed.

ESDC further submits that promoting employee

awareness and accountability for personal

information throughout the information lifecycle

is a key component of its Privacy Renewal

Action Plan. ESDC highlighted some of itsongoing efforts, including a privacy awareness

week in January 2013; activities organized in all

branches and regions between February and

June 2013 to directly engage employees on the

importance of personal information protection;

the launch of a new 'Stewardship of Information'

portal to provide employees with information

about roles and responsibilities, policies, tools,

and other resources on the subjects of privacy,

security, information management, and values

and ethics, in August 2013. ESDC will continue

to reinforce awareness of employee roles and

responsibilities and the risks and threats

associated with the protection of personalinformation through targeted outreach and

awareness activities.


We recommended that ESDCs training and

awareness program include a particular focus

on the following:

Strategies to ensure that all employeesunderstand their roles and responsibilitiesfor the management of personalinformation through its lifecycle, includingidentifying and handling personalinformation;

The requirements for physical securityoutlined in ESDCs own DepartmentalSecurity Policy and Procedures Manual(approved cabinets, locking devices,

etc.), including the requirements for theproper operation and safeguarding ofattractive or valuable assets that containpersonal information (i.e. external harddrives, laptops, etc.);

The requirements for safeguardingpersonal information, including IT controlsfor portable devices (e.g. encryption).Employees that have access to sensitivepersonal information must be aware ofthe privacy risks inherent to the use of

portable devices, as well as thevulnerabilities of the information that maybe stored on these devices (i.e. loss orunauthorized access, use or disclosure ofpersonal information);

The consequences of not adhering toDepartmental security and privacystandards.


24/27

20

ESDCs Response

ESDC highlighted that in April 2013, the

Department approved an integrated learning

strategy aimed at new and existing employees

that consolidates learning in the key areas

related to the protection of personalinformation. As a further measure, all new and

existing Departmental employees are required

to undertake mandatory testing every two

years to ensure ongoing compliance to the

functions related to the protection of personal

information.

ESDC also submits that when a portable

storage device is issued, the employee signs

an acknowledgement that they have receivedthe device and understand the provisions for its

use.


We recommended that participation in

training sessions should be mandatory and

participation should be documented.

ESDCs Response

As part of its learning policy suite, ESDC

submits that the Department approved new

mandatory training guidelines that clearly

outline the approach, roles and responsibilities

for management and employees on the

learning requirements relating to the new

mandatory Stewardship of Information andWorkplace Behaviours Training Program. This

training program, which integrates training for

privacy, information technology security,

information management, security and values

and ethics/code of conduct, was approved as a

Departmental mandatory learning objective and

was launched in September 2013. During this

first phase, the training program was further

refined and systems issues were addressed.

As a result, the training program was re-

launched in February 2014. It is anticipated

that all employees will complete the training by

August 2014.

All employees will be required to undertake the

mandatory training and testing. The

Department will be tracking compliance with

the mandatory learning objective through a

learning management system, and quarterly

completion reports will be provided to senior

officials. Senior management is accountable for

the effective monitoring of employees'

attendance regarding the mandatory training,

testing and revalidation.


We recommended that ESDC incorporate

measures to monitor personal information

management practices, particularly in those

cases where it is necessary to use or transfer

personal information to portable storage

devices (i.e. external hard drives, laptops,etc.). This may include formal direction,

follow-ups, inspections, or audit controls.

ESDCs Response

ESDC submits that the following steps are in

place to monitor information management

practices with respect to potentially sensitive

information:

In accordance with the USB StorageDevices Directive, all USB devices forsaving information must be encryptedbiometrically or with a password;


25/27

21

Each person who receives an encrypteddevice signs an acknowledgement of thestandard for acceptable use of the deviceand agreement to submit it for audit at anytime. The Internal Audit of IT Security willinclude a provision for this compliancecheck;

USB ports are monitored and IT securityprepares a weekly report on potentiallyunauthorized use of USB devices; and

Data Loss Prevention tools are scanningfile repositories to identify files which maypresent a risk.

Other Observations

124. In our Preliminary Report of Findings,we also offered our observations toESDC in relation to the Departmentalresponse to the incident specifically,the immediate actions taken within theDepartment following the incident, andits notification to the affectedindividuals.

125. Concerns were raised to our Office byindividuals who filed complaintsregarding the delay by ESDC to notifyaffected individuals of the incident. Inaccordance with Treasury BoardsGuidelines for Privacy Breaches,notification to those affected by theincident, particularly in cases wheresensitive personal information iscompromised, ...should occur as soonas possible following the breach toallow individuals to take actions toprotect themselves against or mitigatethe damage from identity theft or otherpossible harm.

126. In our view, considering the scope ofthe breach and the mitigation measuresthat were necessary to be implementedby ESDC following the loss of theexternal hard drive, we find that thedelay in notifying affected individuals inwriting was reasonable in thecircumstances.

127. We acknowledge in this case thatsubstantial efforts were devoted tosearching for the missing external harddrive, including conducting IT forensicanalyses; identifying the individualsaffected by the incident and confirmingmailing information; initiating a public

awareness campaign (setting up a callcentre, preparing press releases, etc.);coordinating SIN monitoring; arrangingan agreement with Equifax for creditprotection services; and of course,issuing a public statement onJanuary 11, 2013.

128. Notwithstanding the above, we wouldlike to highlight that that there may havebeen more personal informationcompromised as a result of the loss of

the hard drive than was reported byESDC to affected individuals. Further toparagraph 20, ESDCs representationsdescribed the specific fields ofinformation that may have beencompromised as a result of the incident.

129. While ESDC submits that these fields ofinformation were grouped into sevenkey pieces of personal information inorder to inform affected individuals asquickly as possible, we failed to see

how some of the personal informationthat was not reported in ESDCsnotification letter to affected individuals

for example, a borrowers gender,language or marital status can begrouped into the seven key pieces ofpersonal information as ESDCsubmits.

130. In our view, the combination of certaintypes of sensitive personal informationincreases the risks for identity theft, and

therefore, it is essential in our view thata complete list of the personalinformation elements relating to theindividual that is thought to have beenor potentially been compromised, isincluded in the notification.


26/27

22

131. Transparency is a key fundamentalprinciple that upholds governmentaccountability. To this end, we remindESDC of Treasury Boards guidance forreporting and responding to privacybreaches, specifically, the Guidelinesfor Privacy Breaches. We also

underline the importance of compliancewith Treasury Boards Policy on PrivacyProtection which, as one if itsobjectives, is meant to enhanceeffective application of the Privacy Actand its Regulations.

132. In its December 4, 2013 response toour Office, we highlight the followingcomments from ESDC:

ESDC submits that the scale and

scope of the privacy breachrequired it to take a number of stepsto clearly identify what was missingand who was impacted. AdvisingCanadians and clients as quickly aspossible was of primordialimportance in this instance, and asa result, ESDC issued writtennotices and followed up with writtenletters to all clients for whom theDepartment had a valid address.

ESDC contends that waiting toprepare individualized letterscontaining the specific informationthat may have been contained onthe hard drive would haveunnecessarily delayed thenotification process. Since the initialnotification letters were mailed,clients have contacted theDepartment requesting confirmationof their specific information that wasbelieved to be contained on the

hard drive. The Department hasresponded to these requests withthe exact personal informationassociated with the particular clientmaking the request.

ESDC further submits that, to date,it has received no indication thatany of the personal informationpotentially stored on the externalhard drive has been accessed orused for fraudulent purposes. ESDCsubmits that it makes this statement

following its review of the monitoringof Social Insurance Numbers, aswell as in-depth reviews of affectedclients' consumer profiles byEquifax, the credit bureau withwhich the Department hascontracted to monitor the credithistory of interested individualsaffected by this incident.

Conclusion

133. Our investigation reviewed the physical,technical, administrative, and personnelcontrols in place at ESDC at the time ofthe incident what we refer to as thefour pillars of sound privacymanagement. In our view, thesecontrols should be incorporated into aninstitutions privacy managementframework to protect against databreaches, including the improper or

unauthorized collection, use,disclosure, retention and/or disposal ofpersonal information.

134. Our investigation identified ameasurable gap in ESDCsimplementation of its privacy andsecurity policies in the day-to-daybusiness operations of the Department.This gap resulted in weaknesses ininformation management controls,physical security controls, and most

importantly, the level of employeeawareness of Departmental policiesand procedures.


27/27

135. While we have found ESDC to be incontravention of sections 6(3), 7 or 8 ofthe Privacy Actin this case, theDepartment has accepted all of ourrecommendations in full and is in factwell-advanced in the implementation ofmany of the recommendations

identified.

136. Accordingly, we are satisfied that nofurther action is required by our Officeat this time. Nonetheless, we willfollow-up with ESDC in one year toconfirm its progress in theimplementation of ourrecommendations and its ongoingefforts towards the management of theDepartments personal informationholdings.

137. We also take this opportunity tohighlight that there needs to be asynergy between privacy and securitycontrols to effectively mitigate privacyrisks. It is the implementation of thesevery controls that will assist ESDC toadequately protect the personalinformation that Canadians entrust to it.

138. It is expected that ESDC will respectthe spirit and requirements of thePrivacy Act privacy is a fundamentalvalue to Canadians, and it is anessential element in maintaining publictrust in government. Therefore, weremind ESDC that it needs tocontinually be aware of the personalinformation and assets it holds, andtheir associated sensitivity andcriticality. The protection of personalinformation must be properly integratedin all Departmental functions, whichrequires the establishment of a

governance structure that has theweight, composition and mandate toeffectively ensure implementation ofpolicy instruments.

Additional

Information

139. For more information about our Office

and the powers of the PrivacyCommissioner, please visit us online atwww.priv.gc.ca. We also have anumber of resources available on ourweb site that may be of interest to thoseaffected by this incident, includingresources about identity theft and fraud.
http://www.priv.gc.ca/http://www.priv.gc.ca/http://www.priv.gc.ca/

privacy commissioner's report into student loan harddrive loss

Documents