sign in sign up
<<
Home , Social Insurance Number

Special Report to Parliament

Findings under the Privacy Act

Investigation into the loss of a hard drive at Employment and Social Development

March 25, 2014

Office of the Privacy Commissioner of Canada 30 Victoria Street Gatineau, K1A 1H3

© Minister of Public Works and Government Services Canada 2014

IP54-56/2014E-PDF 978-1-100-23322-2

Follow us on Twitter: @PrivacyPrivee

Contents

Investigation into the loss of a hard drive at Employment and Social Development Canada ...... 1 Complaint Under the Privacy Act...... 1 Introduction ...... 1 Background ...... 1 Methodology ...... 2 Summary of Facts ...... 2 ESDC’s Actions Following the Incident...... 4 Application ...... 9 Analysis ...... 9 I. Physical Controls ...... 10 II. Technical Controls ...... 11 III. Administrative Controls ...... 12 IV. Personnel Security Controls ...... 13 Findings ...... 14 Recommendations ...... 15 Other Observations ...... 21 Conclusion ...... 22 Additional Information ...... 23

Investigation into Background 2. On December 17, 2012, ESDC verbally the loss of a hard notified our Office of the incident. Formal written notification was subsequently received from ESDC on January 7, 2013. drive at 3. ESDC’s written notification advised that the external hard drive contained personal Employment and information dated from 2000-2006 for Canada Student Loan borrowers, including: Social Development Social Insurance Number (SIN), first name, last name, date of birth, home address, and telephone number. ESDC subsequently Canada informed our Office that the external hard drive also included student loan balance information. In addition, the external hard Complaint Under the drive contained employee information from a Business Continuity Plan fan out list. This information included first name, last name, Privacy Act home address and home phone number and/or cell phone number.

4. Upon receipt of the notification from ESDC, Introduction we determined that there were reasonable grounds for a Commissioner-initiated 1. This Report of Findings relates to a complaint against the Department to Commissioner-initiated complaint against ascertain whether there has been a Employment and Social Development contravention of the Privacy Act. Canada (ESDC), formerly Human Resources and Skills Development Canada (HRSDC), in relation to the loss of an 5. Accordingly, the Office of the Privacy external hard drive (the “incident”) Commissioner of Canada (the “OPC”) containing the personal information of initiated a complaint against ESDC on 583,000 Canada student loan borrowers, January 11, 2013, pursuant to subsection and 250 ESDC employees. 29(3) of the Privacy Act (the Act).

6. The OPC’s investigation focused on the incident in relation to the disposal, use and disclosure provisions of the Act.

1 11. According to ESDC’s representations, the Methodology hard drive was stored in a lockable filing cabinet located in that employee’s cubicle, 7. Our investigation examined the in an envelope, hidden under suspended circumstances surrounding the incident, as files. well as ESDC’s policy framework in order to identify the degree of conformity with the 12. ESDC reported that the external hard drive applicable privacy- was a 1 terabyte (TB) Seagate GoFlex. It related policies, and whether the was not password protected, nor was the Departmental policies and procedures that information contained on it encrypted. The were in place at the time of the incident serial number of the hard drive remains were sufficient and effectively implemented. unknown.

8. To this end, we reviewed the 13. According to ESDC, the external hard representations received from ESDC in drive was used to backup information in relation to the incident, and our preparation for the migration of information investigation entailed interviews with key from the T drive to the U drive on the employees identified as having access to Department's network. The migration of the missing external hard drive, as well as information was performed by the a site visit to ESDC’s Canada Student Innovation, Information and Technology Loans Program (CSLP) Unit, and meetings Branch (IITB) on October 12, 2012. with Departmental officials.

14. ESDC confirmed that the IITB was not involved in the backup of information on Summary of Facts the hard drive, as the hard drive was not technically necessary for the data 9. The CSLP promotes accessibility to post- migration. The hard drive was only used secondary education for students with a as a risk mitigation measure by the CSLP demonstrated financial need by lowering to protect against inadvertent loss or financial barriers and ensuring Canadians deletion of the files during the migration. have an opportunity to develop the knowledge and skills to participate in the 15. By way of background, ESDC confirmed economy and society. With these that the data migration project started in objectives in mind, the CSLP offers a suite 2011 by the Operational Program Support of student financial assistance programs Division (OPSD). The OPSD became the and services, including student loans for Program Integrity and Accountability (PIA) full-time and part-time students, non- Division in the fall of 2011. The PIA repayable grants, and repayment Division provides stewardship to the CSLP assistance measures for borrowers who through leadership in planning, reporting, experience difficulty repaying their loans. portfolio management, accountability, program integrity and compliance, as well 10. The investigation confirmed that, on as administrative services for the CSLP, November 5, 2012, an employee of the including finance, human resources, CSLP Unit went to retrieve an external financial and information management, hard drive from a filing cabinet and noticed security and accommodations. that it was missing.

2 16. Following a comprehensive review of the 20. In addition to the seven pieces of personal files and folders on the Department’s information described by ESDC in its network that were identified for the notification to our Office, the files relating to migration project, ESDC informed our client satisfaction surveys may have also Office that the following data files were included the following fields of information compromised by the loss of the external in relation to borrowers: hard drive, each of which is described in more detail below: Loan certificate number, loan ID number, loan class (whether the borrower is in study, • Files pertaining to client satisfaction or in repayment), whether the borrower had surveys; direct contact with the Service Provider, the

name of the education institution that the • Files containing investigation reports; borrower attended, the borrower’s gender, • Files containing CSLP financial, language, marital status, the province that business plan and Human Resources issued the loan, the type of loan (e.g. part information; time loan), years of study, end of study date, loan interest rate, loan interest type, • Files containing Business Continuity the date the loan was issued, the Planning information. disbursement date, the federal loan

disbursement amount, the student loan 17. Notwithstanding the above, as the hard consolidation date, whether the borrower is drive is missing, ESDC submits that there active (borrower sent in consolidation is no way to conclusively identify what agreement), or passive (borrower did not information was in fact backed up to the hard drive. submit consolidation agreement), the type of loan (eg. full-time direct, part-time direct, Client Satisfaction Surveys integrated), delinquency flag (identifies whether the borrower is in delinquency), the 18. The CSLP conducts an annual survey to delinquency date, a ‘paid in full’ indicator, track experience and satisfaction with the outstanding balance on the loan, fax CSLP service delivery for in-study number. borrowers and those borrowers in repayment. The survey is also used to 21. ESDC submits that not all information fields measure satisfaction with service delivery were populated for each borrower. The by the National Student Loans Service personal information of the affected Centre (NSLSC), and helps the CSLP individuals on the external hard drive was better understand the client population. contained within different data files and, as The PIA Division is responsible for the such, the number of information fields client satisfaction survey on behalf of the found within these files varied. CSLP.

Investigation Reports 19. ESDC reported that some of the information contained on the hard drive 22. We confirmed that the “investigation stems from files associated with the reports”, described by ESDC as part of the CSLP's client satisfaction surveys that information content on the hard drive refer were conducted in 2004-2005, 2005-2006, to the administrative investigations that and 2006-2007. ESDC subsequently were undertaken to confirm the eligibility of confirmed that some of the affected a number of students for the CSLP, borrowers fall beyond the survey years including loans, grants, and repayment initially reported, up to and including the assistance. disbursement year 2012.

3 23. ESDC submits that the following data 28. We confirmed that a ‘fan out list’ is used to elements were included in a series of contact employees in the event of an working documents that itemized the emergency situation which interrupts their individuals being reviewed for eligibility: work, such as a building shutdown. The fan client’s name, address, SIN, date of birth out list is an ‘evergreen’ document; it is and loan amount. updated regularly to ensure that the information is accurate, and to reflect 24. Our review confirmed that the hard drive changes in personnel. may have also included the following fields of information in the investigation reports: 29. ESDC confirmed that 250 Learning Branch employees were affected by this incident. Canada student loan number, amount paid The information contained in the fan out list (including interest), amount paid to principal included the employee’s first name, last only, and status (this indicates whether it is name, home address, home telephone paid in full; there is no account activity; the number, and, in some cases, cellular phone number. loan was referred to legal for civil action; the

individual declared bankruptcy or is deceased; or the loan is resolved). ESDC’s Actions 25. ESDC submits that not all fields were populated in relation to each of the 583,000 Following the borrowers affected by the breach, as not all of these borrowers were the subjects of investigations for the purposes of program Incident eligibility. 30. As part of its submissions to our Office, CSLP Financial, Business Plan and HR ESDC provided a comprehensive report of Information the chronology of actions taken to respond to the incident, including details of the 26. Our investigation confirmed that this office sweeps and building searches, information refers to documents that meetings organized with staff, the capture both CSLP financial and work plan communiqués to staff, the preliminary activities that are undertaken on an annual interviews that were conducted with the basis in order to assign resources and work employee who reported the hard for a given fiscal year within the program. drive missing, and others identified as Consequently, no personal information was having access to the hard drive, as well as captured in these files. the steps taken by IITB to locate, scan and review external hard drives located in the Employees’ Personal Information for building and other locations in the National Business Continuity Planning Capital Region.

27. Further to paragraph 3 of this Report, 31. We highlight the following dates from ESDC reported to our Office that the ESDC’s representations: external hard drive also contained employee information from a business • On November 5, 2012, the employee’s continuity plan fan out list. manager was notified of the missing external hard drive and search efforts ensued;

4 • On November 22, 2012, the Director of 34. In addition, the computers of the four the CSLP was notified of the incident identified employees were subject to an IT and additional search efforts were forensic analysis in order to determine if initiated, including communication with any external hard drive had been all staff; connected to them.

• On November 26, 2012, the Director of 35. Interviews were also conducted with 15 the CSLP was advised of the employees working in the same area information content on the external where the hard drive was reported missing, hard drive and proceeded to advise including two employees currently working senior management of a potential in other federal departments. privacy incident;

36. ESDC confirmed that the CSLP area is • On November 29, 2012, the Security controlled by an access card system and Incident Report was signed off by the the access logs for the area were reviewed Director of the CSLP. The Regional as part of its investigation. Security Office (RSO) initiated

additional searches and sweeps of the office area and building, and also 37. A Canada-wide search was also conducted interviewed the employee who reported on ESDC’s departmental network to verify the incident, and three former if an external hard drive matching the make employees; and model of the missing drive was connected to one of its computers. • On December 6, 2012, following a comprehensive review of the files and 38. ESDC’s internal investigation established folders that were saved to the external the following facts: hard drive, ESDC determined that the scope of the personal information • The initial backup of the information at compromised pertained to over issue to the external hard drive was 500,000 clients. conducted in 2011 in the Operational Program Support Division (OPSD); 32. On January 4, 2013, ESDC’s Special Investigations Unit, Internal Integrity and • Between January and August 2012, the Security Directorate, was mandated to hard drive was used to conduct undertake a formal internal investigation in sporadic safeguarding (backups) of the order to ascertain the circumstances information on the T drive by the surrounding the loss of the hard drive. working group within the CSLP Unit. ESDC’s internal investigation concluded ESDC established that no files were with a report dated February 27, 2013, and deleted from the hard drive by the a supplementary addendum to the report working group members; dated April 9, 2013. • The IT forensic analysis confirmed that 33. As part of its internal investigation, ESDC an external hard drive with the same reported that interviews were conducted make and model (Seagate GoFlex) with four employees in the CSLP Unit who was connected in June 2012 to one of were identified as part of the working group the computers searched. ESDC created to work on the data migration reported that, based on the balance of project. These employees were identified probabilities, this external hard drive as having the hard drive in their (and its associated serial number) was possession for the purposes of assisting likely the missing hard drive; with the migration project, or having knowledge of its storage location.

5 • The IT analysis was inconclusive in • The procedures outlined in ESDC’s relation to two of the computers “Departmental Security Policy and searched – one employee’s computer Procedures Manual” for handling the was replaced in October 2012 and sent information contained on the external to surplus; and the other computer was hard drive (Protected B), were not reimaged in December 2012, erasing followed in relation to storage (where all evidence that a hard drive may have removable media is used to store been connected to it; sensitive information, the media should be stored in a security-approved • ESDC found no evidence that a container); and encryption (sensitive Seagate GoFlex external hard drive information should be encrypted). was ever connected to the fourth computer analyzed during the internal 39. ESDC issued a public statement on investigation; January 11, 2013 regarding the loss of the external hard drive, providing background information and a timeline • ESDC also confirmed that the hard of events in relation to the incident on drive was left for periods of time its website. (weeks) without being stored in a locked filing cabinet. Even when stored in the cabinet, the cabinet was not 40. ESDC submits that, in order to mitigate always locked and other employees the impact on those clients affected by the loss of the hard drive, it initiated a involved in the data migration project were aware of the location of the keys; public awareness campaign that included press releases, public • The external hard drive was last seen announcements, and special by an employee in August 2012, and as information on the Department’s previously noted, it was discovered website. In addition, ESDC set up a missing on November 5, 2012; dedicated toll-free information line in order for individuals to verify whether • The access log report for the period of they were affected by the incident, and August 2012 – November 2012 to obtain additional information revealed that over 200 different regarding the incident. This service was employees had access to the CSLP offered to individuals starting on controlled area. ESDC’s review January 14, 2013. confirmed that all individuals had approved access; 41. Between January 28, 2013 and February 1, 2013, ESDC sent out • Following multiple searches of the notification letters to those clients for building where the CSLP is located, which it had current contact information. ESDC found no evidence of a break ESDC advised affected clients of the and enter into the building, or forced personal information that was attempts to access the cabinet where compromised by the loss of the external the hard drive was stored; hard drive, including: Social Insurance Number (SIN), first name, last name, • The information contained on the hard date of birth, home address, telephone drive was not encrypted and was not number, and student loan balance. protected by a secure password;

6 42. In its representations to our Office, 47. ESDC also confirmed that, starting on ESDC submits that, in the spirit of January 21, 2013, a notation was placed on informing affected individuals as quickly the SIN record of affected individuals in the and clearly as possible, the files and Social Insurance Register indicating that the fields of information were analyzed and SIN was involved in an incidence of loss. The grouped into seven key pieces of notation specifies that personal information, as described agents must follow an enhanced above. authentication process prior to issuing another SIN card or modifying information on 43. The notification letters to affected the SIN record. The authentication process clients also included ESDC’s offer for involves the agent asking a series of credit protection through an agreement additional questions and requesting photo with Equifax. identification to validate the identity of the individual. In addition, the SIN transactions 44. ESDC confirmed that it contracted with on the Social Insurance Register for the Equifax to provide affected clients, upon affected SINs are reviewed regularly and consent, with free credit and identity Service Canada will notify the affected protection services. This offer was individual immediately of any concern. announced publicly by ESDC on January 25, 2013. 48. Although the monitoring function commenced on January 21, 2013, ESDC 45. ESDC subsequently contracted with the explained that a retroactive post analysis credit bureau TransUnion Canada on for all SIN transactions processed during June 7, 2013, to offer additional credit the period from November 5, 2012 to protection to clients affected by the January 18, 2013, was conducted and no incident. ESDC announced this offer to anomalies were found. The SIN the public on June 28, 2013, stating that transactions on the Social Insurance individuals who previously provided Register (SIR) for the affected SINs their consent for the services of Equifax continue to be reviewed regularly. To date, would automatically be included to ESDC reported that there have been no receive the service from TransUnion anomalies detected. Canada. 49. SIN monitoring was organized by ESDC 46. The notation will stay on credit files at until the end of January 2015. A flag will TransUnion and Equifax for a period of remain on the identified SINs, and as noted six years unless affected individuals above, individuals that request a change to choose to have it removed. This flag will a SIN that was involved in the incident will alert credit grantors that data may have need to undertake an enhanced been compromised, and lenders will authentication process. then take additional steps to verify the person’s identity before granting credit 50. ESDC reported that the hard drive was not or opening or using accounts. located, and submits that it is unknown whether the disappearance of the hard drive was the result of a human error or malicious intent; however, it submits that, based on analytic reports from Equifax Canada and the Social Insurance Register, it is in a position to indicate that, as of the date of this Report, it has found no evidence of malfeasance connected to the loss of the hard drive.

7 51. The matter was also referred by ESDC to Departmental Directives and Protocols the Royal Canadian Mounted Police (RCMP) on January 7, 2013 for 56. On January 14, 2013, ESDC issued new IT investigation. It was subsequently reported Security Guidelines to all staff. The “USB publicly on August 8, 2013, that the RCMP Storage Devices Directive” provides would not launch a criminal investigation direction that only authorized USB devices into the matter. are allowed for use on departmental computers. This includes portable hard 52. ESDC submits that appropriate drives and USB keys. administrative action has been taken in relation to the incident, in line with Treasury 57. To implement the Directive, all Board Secretariat’s “Guidelines for unencrypted USB devices were collected Discipline”. for proper disposal and a limited number of encrypted (password or biometric) are ESDC’s Privacy being distributed to employees who Management Framework regularly work with protected or classified information. Further, ESDC 53. ESDC submits that the Department reported that it now regularly scans its commenced a review of its privacy corporate network to detect the use of management framework in 2010, which unauthorized USB devices. resulted in the launching of a multi-year privacy renewal initiative. 58. ESDC also reported that an updated version of its “Information Classification 54. In 2011-2012, ESDC conducted a review Guide” was reissued on January 15, 2013 of privacy management practices and to enhance employees’ awareness of the convened with key stakeholders to inform requirements for safeguarding protected the development of the Privacy Renewal and classified information. Action Plan. The first phase of the Action Plan was launched in 2011-2012, which 59. In addition to the new USB Directive, included a privacy risk triage and the ESDC is conducting a risk assessment of drafting of a consolidated Departmental all other mobile devices to identify the risk Privacy Code. The new Privacy Code of loss of personal information. To this came into force in March 2013. end, it has temporarily disabled the ability of employees to write on CDs, DVDs, and 55. In 2012-2013, four key priorities were other optical media unless a legitimate identified for the second phase of the business requirement is identified and Action Plan, including program-led Privacy approved. Action Plans for eight of ESDC’s statutory programs; the re-design of the 60. ESDC confirmed that work is ongoing Department’s Privacy Impact Assessment within the department to develop and (PIA) Process; the launch of a new deliver enhanced integrated training for “Departmental Policy on Privacy departmental staff. All employees will be Management”; and the implementation of a required to undertake mandatory training renewed privacy training and awareness on the subjects of privacy, security, strategy. information technology security, information management and values and ethics. Re-certification will be required every 24 months.

8 61. The Department is also implementing an 66. The Act states that personal information ‘Engagement Plan’ to engage employees can only be disclosed with an individual's on the stewardship of information. To consent – Subsection 8(1) – or in support this Plan, ESDC implemented a accordance with one of the categories of portal on the Stewardship of Information in permitted disclosures outlined in August 2013. The site provides employees subsection 8(2) of the Act. with information relating to the management and protection of Departmental information assets, as well as information on the issues of privacy, Analysis security, IT security, information management, and values and ethics. 67. The personal information contained on the missing external hard drive – for example, name, address, date of birth, SIN – is clearly personal information as defined by Application section 3 of the Privacy Act.

62. In making our determination, we 68. Following our analysis of ESDC’s policies, considered sections 3, 6, 7 and 8 of the in particular, the “Departmental Security Act. Policy and Procedures Manual” (June 2005), the “Policy on Departmental IT 63. Section 3 of the Act defines personal Security Management” (December 2010), information as information about an and the “Departmental Privacy Policy” (last identifiable individual that is recorded in updated in October 2009), we are satisfied any form including, without restricting the that these policies conformed to the generality of the foregoing: information requirements of the relevant Treasury relating to race, national or ethnic origin, Board Secretariat (TBS) policies and colour, religion, age, marital status, guidelines, in particular, the Policy on education, medical, criminal or Government Security, the “Operational employment history, financial transactions, Security Standard: Management of identifying numbers, fingerprints, blood Information Technology Security (MITS)”, type, personal opinions, etc. and the “Operational Security Standard on Physical Security (OSSPS)”. 64. Subsection 6(3) of the Act requires that a government institution dispose of personal 69. What this means is that we are satisfied information under its control in accordance that ESDC had in place at the time of the with the regulations and in accordance with incident the policies commensurate with any directives or guidelines issued by the the requirements demanded by the designated minister in relation to the Government of Canada for the protection disposal of that information. of its personal information holdings.

65. Paragraph 7(a) of the Act states that 70. Notwithstanding the above, our personal information shall not, without the investigation identified a number of consent of the individual to whom it relates, weaknesses in ESDC’s control over the be used by the institution except for the personal information identified on the purpose for which the information was missing hard drive. In our view, the obtained or compiled by the institution or Department failed to translate its own for a use consistent with that purpose. privacy and security policies into meaningful business practices.

9 71. For ease of reference, we have organized 76. In line with ESDC’s “Departmental Security our analysis around four types of controls Policy and Procedures Manual” and the that the OPC has identified as providing Government of Canada’s “Operational protection against data breaches – what Security Standard on Physical Security”, we refer to as the four pillars of sound protected information, which includes privacy management. personal information, must be stored in a security-approved container (e.g. approved 72. We base these controls on the TBS’s filing cabinet). It also requires that Directive on Privacy Practices and the protected information and valuable assets Policy on Government Security, are properly safeguarded when occupants specifically: are away from their workstations for any length of time. Accordingly, keys or other I. Physical Controls locking features of security containers must also be safeguarded. II. Technical Controls III. Administrative controls 77. We highlight that the personal information IV. Personnel Security Controls content on the missing external hard drive is classified at the “Protected B” level,

according to the Government of Canada I. Physical Controls classification standards. TBS states that this applies to sensitive personal, private 73. Physical security controls are paramount in and business information where ensuring that government information compromise could result in grave injury (including personal information), assets (e.g. loss of reputation, identity theft, etc.). and services are protected against compromise. This includes implementing 78. ESDC’s “Departmental Security Policy and strategies to mitigate the risk of Procedures Manual” requires that, where unauthorized access, use or disclosure of removable media is used to store sensitive personal information. information, including personal information, the media must be stored in a security- 74. Our investigation established that the approved container when not in use. CSLP Unit is located in an operational zone, limited to authorized departmental 79. Our investigation established that the hard employees. The physical area is controlled drive was often left unsecured for extended by an electronic card access system and is periods of time without being stored in a monitored after-hours by a security alarm filing cabinet. Even when stored in the system. The entrance to the building is cabinet, the cabinet was not always locked monitored by a Commissionaire and visitor and other employees were aware of the access is strictly controlled (sign-in and location of the keys. visitor pass). 80. Portable devices are attractive assets and 75. While base building security is safeguards must be in place to protect the fundamental to safeguarding government personal information stored on those employees and assets, physical security assets. To this end, we are not satisfied strategies must also be in place to protect that ESDC had in place robust physical information and to comply with security controls to mitigate the risk of Government of Canada policies. compromise to both the external hard drive and the personal information stored on it.

10 II. Technical Controls 84. ESDC submits that it annually conducts risk assessment exercises; however, given 81. Federal Departments and agencies are limited resources, priority was given to required by the Policy on Government higher level threats. Removal media were Security (PGS) to protect government not identified as a high level threat. In assets and information, including personal addition, ESDC submits that the use of information, and are directed to have an IT removable media with desktop or network Security strategy in place to protect hardware and software were also not information throughout its lifecycle. IT amongst the systems examined at the time Security refers to the safeguards of the incident. It indicated that the implemented to preserve the Department is now proceeding with a confidentiality, integrity, availability, progressive certification and accreditation intended use and value of electronically of its systems. stored, processed or transmitted information. 85. ESDC’s “Departmental Security Policy and Procedures Manual” also requires that, 82. ESDC’s “Departmental Security Policy and where removable media is used to store Procedures Manual” requires that sensitive information, including personal measures must be established to information, the information should be safeguard personal or other sensitive encrypted. Further, ESDC’s Security information throughout its lifecycle. This Bulletin entitled “Encryption Requirements” includes the secure processing, storing, (December 2008), states that, where handling, communicating, transmitting and possible, management should limit destroying of sensitive information in situations where employees are required to accordance with departmental security store protected information, including standards, and on the basis of a Threat personal information, on portable media and Risk Assessment (TRA). Further, it devices. Where unavoidable, it is the states that personal or other sensitive employee’s responsibility to ensure that information must be identified and marked the information is encrypted. according to its highest level of security. 86. While ESDC submits that at least two 83. Our investigation determined that approved procedures were readily removable media (e.g. external hard available to the users of the external hard drives, USB keys, etc.) were not subject to drive – 1) the password protection feature; security risk assessment activities at the and 2) the use of the Entrust encryption time of the incident. ESDC did not require software; – the investigation established that a TRA or a Privacy Impact that no technological safeguards were Assessment (PIA) be conducted in relation implemented to protect the information to the use of removable media containing content on the hard drive in this case. personal information. In addition, the missing external hard drive was not 87. We recognize that ESDC introduced a new marked as required by ESDC’s policy. “USB Storage Devices Directive” in January 2013 that prohibits the use of unencrypted USB keys and hard drives on departmental computers. To this end, we encourage ESDC to continue with the implementation of this risk management strategy, including regularly scanning network drives to detect unauthorized devices and clearly communicating the new Directive to all employees.

11 III. Administrative Controls 93. We are also of the view that there was a lack of effective management and control 88. Administrative controls refer to the over the personal information content on procedural safeguards implemented for the the hard drive. In particular, we highlight safe handling of personal information, the following observations:

which includes the enforcement of an institution’s policies, directives and • While ESDC submits that the processes for the protection of personal information at issue was initially saved information throughout its lifecycle. to the hard drive in 2011 by the Operational Program Support Division, 89. In order for a federal institution to provide the investigation was unable to adequate security for personal information conclusively establish the exact under its control, it must have a clear idea information content on the hard drive of where data is collected and stored. The when it was provided to the members identification and control of assets, both of the data migration project (CSLP materiel and information, is a fundamental Unit); and critically important aspect of privacy • Our investigation determined that the compliance that assists in minimizing the members of the data migration project risk of loss or damage to federal assets did not have a clear understanding or and information, including personal awareness of the information content information. on the external hard drive;

• Our investigation was unable to 90. ESDC’s “Departmental Security Policy and establish what exact information was Procedures Manual” stipulates that the backed-up to the hard drive by the Director or delegate is accountable for the members of the data migration team, security of all materiel assets listed for the or the exact information content on the office. Assets Management should be hard drive at the time it was discovered consulted for asset control and inventory missing. requirements.

94. In fact, further to paragraph 17, ESDC 91. Our review established that, at the time of submits that there is no way to the incident, there was no comprehensive conclusively determine what was on the inventory of the portable devices under the hard drive when it was reported missing in control of the CSLP Unit. In fact, we November 2012. ESDC created an confirmed that the employees involved in algorithm in order to scan the network the data migration project were not drive to identify files and folders that required to sign for the external hard drive, contained personal information. The and the device contained no inventory or information identified during this network tracking number. Moreover, ESDC was scan was reported by ESDC as the unable to conclusively confirm the serial information content on the external hard number of the missing hard drive. drive.

92. Departments are not only required to be 95. To this end, we are not satisfied that ESDC continually aware of the assets they hold, properly identified or categorized the but must also be aware of their associated information according to its sensitivity (i.e. sensitivity and criticality. This is the Protected B), or that controls were in place foundation of a risk management to monitor the security of this information philosophy. throughout its lifecycle, which includes

employee awareness of these sensitivities.

12 96. Administrative safeguards also refer to the 103. To accomplish this, employees have a enforcement of an institution’s written responsibility to apply Government of policies, directives, procedures and Canada and Departmental policy processes for the protection of personal instruments (policies, standards and information. associated procedures). Employees must therefore be provided timely access to 97. Further to paragraph 70, while we are training to ensure that they have the satisfied that ESDC had in place at the time necessary knowledge, skills and of the incident sound policies in relation to competencies to effectively carry out their the management of its personal information duties. holdings, we are of the view that there is an identifiable gap in the translation of these 104. We are not satisfied in this case that the policies to the day-to-day business employees who had access to the operations of the Department. external hard drive fully understood the privacy risks inherent to the use of a 98. Consequently, we are not satisfied that, at portable device, or the vulnerabilities of the time of the incident, ESDC had effective the information stored on the device. In controls in place to ensure the fact, it is our view that the employees management of the information in question interviewed during the investigation did throughout its lifecycle. not have a clear understanding of the information content on the hard drive at IV. Personnel Security Controls all.

99. Personnel security controls refer to a 105. Further to paragraphs 70 and 97, it is our Department’s management of its view that there is an identifiable gap in employees – suitability, proper training, the translation of Departmental policies to supervision and disciplinary procedures. the day-to-day business operations of the department. To this end, we highlight 100. The examination of the trustworthiness that there is a lack of employee and suitability of employees to protect the awareness in the following areas that employer's interests is accomplished by contributed to vulnerabilities in ESDC’s conducting security assessments and information management practices at the reliability checks, which are conditions of time of the incident:

employment under the Public Service • Employment Act (PSEA). Information stewardship – identifying and handling personal information; 101. Our investigation confirmed that the • Security responsibilities – procedures employees who had access to the for storing personal information and information content on the external hard assets containing personal drive each had a valid security clearance information; commensurate with the level of • IT controls and responsibilities – information required for their positions. implementing safeguards to protect personal information, particularly 102. Government of Canada employees are information stored on portable responsible for managing the information devices (e.g. encryption); they collect, create and use to support the • Threats – awareness of the inherent programs and services under which they risks associated with the loss or operate. unauthorized access, use or

disclosure of personal information.

13 106. Employee awareness is accomplished 110. Further to paragraph 52, ESDC submits through effective management, leadership that appropriate administrative action and the supervision of employees, which has been taken in this case. To this support information management end, Departments are authorized to practices and mitigate the risks of human establish standards of discipline and to error, wrongdoing or negligence. This may set penalties, including termination of include formal direction, follow-ups, employment, suspension, demotion to a monitoring, inspections, and audit position at a lower maximum rate of controls. There are consequences to non- pay, and financial penalties that may be compliance, and steps must be taken to applied for breaches of discipline or identify the risks and manage them before misconduct, in line with Treasury Board they occur. Secretariat’s “Guidelines for Discipline”.

107. ESDC submits that the IT Security Centre of Excellence, under its IT Security Awareness Program, issues Findings monthly tips and alerts to staff. In addition, the Department sends out 111. The Privacy Act requires government periodic reminders to employees on the institutions to respect the privacy of importance of protecting the personal individuals by properly managing the information of Canadians and the strict collection, use, disclosure, retention procedures to be followed in handling and disposal of personal information. such information. IT Security Awareness Training was also deemed 112. ESDC regularly collects personal mandatory by ESDC in June 2009 with information for purposes of the approval of the Policy on administering the CSLP. It stands to Departmental IT Security Management. reason that, in order to meet its obligations to ensure that it does not 108. Further to paragraph 60, ESDC submits use or disclose personal information in that work is ongoing to develop and a manner contrary to the Act, it is a deliver enhanced integrated training for necessary precondition that ESDC departmental staff. All employees will protect the personal information it has be required to undertake mandatory collected during its life cycle - from the training on the subjects of privacy, time of collection until it is destroyed by security, IT security, information an approved method. management and values and ethics. 113. In order to effectively protect the 109. We encourage ESDC to continue with personal information against the establishment of a comprehensive unauthorized uses and disclosures, training and awareness program to government institutions must implement ensure that employees have the appropriate security safeguards. necessary knowledge, skills and competencies to effectively carry out their information management duties.

14 114. This notion is supported at the policy level within the federal government. For 119. Based on the above, we are not example, TBS’s Directive on Privacy satisfied that ESDC has met the Practices calls for limiting access and requirements of sections 6(3), 7 or 8 of use of personal information by the Privacy Act in this case. administrative, technical and physical means to protect personal information, 120. Accordingly, we have concluded that and TBS’s Policy on Government the matter is well-founded. Security and its related standards establish minimum safeguards to protect and preserve the confidentiality and integrity of government assets, Recommendations including personal information. 121. In a letter dated November 4, 2013, our 115. ESDC’s failure to implement the Office provided a Preliminary Report of appropriate safeguards to protect the Findings to ESDC pursuant to personal information in question has subsection 33(2) of the Privacy Act. created a significant risk for This Report contained details of our unauthorized access, use or disclosure investigation and set out the preliminary – the very threats that the Government findings and recommendations of our of Canada is entrusted to protect it from. investigation. Of great concern is the volume and sensitivity of the personal information 122. To this end, we recommended that contained on the external hard drive – ESDC implement a number of security information that could, in the wrong measures to contribute to the hands, lead to identity theft or fraud. prevention of a similar incident, and to help ESDC meet the requirements of 116. ESDC also has a responsibility to the Act to protect against unauthorized ensure it disposes of personal uses and disclosures of personal information in accordance with the information. The recommendations requirements of the Act, which includes made to ESDC were based on the four a requirement that the information be types of controls that the OPC has disposed in accordance with any identified as providing protection directives or guidelines issued by the against privacy breaches, further to designated minister (i.e., the President paragraph 72 of this Report. of the Treasury Board). 123. In its response to the Preliminary 117. In this regard, the TBS Directive on Report of Findings received on Privacy Practices requires that December 4, 2013, ESDC accepted our government institutions dispose of recommendations in full. Set out below records containing personal information are our recommendations and ESDC’s in accordance with the provisions of the response to each of our Library and Archives of Canada Act and recommendations. according to government security standards.

118. Given that the hard drive in this case is lost, ESDC is not in a position to demonstrate that it complied with these requirements to properly dispose of the personal information contained on the hard drive.

15

OPC Recommendation 1 OPC Recommendation 2

We recommended that ESDC revisit its A PIA is a formal process that helps physical security control practices to ensure determine whether initiatives involving the that regular monitoring and inspections are use of personal information raise privacy incorporated into its security program. This risks, and proposes solutions to eliminate or will help to ensure that personal information mitigate privacy risks to an acceptable level. is stored in approved cabinets when A TRA assists in the determination of IT employees are away from their desks for any security requirements and can be short and length of time; that cabinets are locked simple, depending on the sensitivity, criticality accordingly; that keys for cabinets are and complexity of the program, system or properly safeguarded; and that attractive or service being assessed. We recommended valuable assets (i.e. external hard drives, that ESDC establish protocols to coordinate laptops, etc.) containing personal information the identification and categorization of its are properly safeguarded. personal information holdings and assets with departmental PIA and TRA activities in order to mitigate all identified privacy risks. ESDC’s Response

ESDC submits that it has commenced security ESDC’s Response sweeps in its buildings, including employee cubicles and offices. ESDC contends that this ESDC highlighted that the identification, initiative will raise awareness and help mitigate assessment and mitigation of privacy risks is a the potential loss of government assets and key pillar of its Privacy Management information. ESDC is finalizing a plan to Framework. Following the first phase of conduct security sweeps in all regions. ESDC's 2011 Privacy Renewal Action Plan which included a series of privacy risk ESDC highlighted that it is also developing a assessments of the Department's major Departmental Security Framework that sets out statutory programs and personal information the effective management of security holdings, program-led Privacy Action Plans responsibilities and imbeds security principles were developed and launched for the and practices at both the strategic and Department's eight statutory programs in 2012 operational levels. The Framework and as part of phase two of the Privacy Renewal associated plans will help to define different Action Plan. types of security requirements, inform improvements to security functions, as well as In 2012-2013, ESDC submits that it re- support security training and awareness. engineered its Privacy Impact Assessment (PIA) process to enhance and streamline the Department's privacy risk assessment and mitigation process, and also launched a new strategic planning process to support the implementation of an annual privacy and information security work plan.

16 ESDC submits that it will continue to support iv. Appropriate protection, through access the implementation of a risk-based, proactive rights, encryption, or both, of approach to privacy management by building information that is rated “Protected” or above. on progress achieved to date and identifying and assessing emerging privacy and security risks. OPC Recommendation 4

We recommended that portable storage OPC Recommendation 3 devices only be used as a last resort to store or transfer personal information, and only if it We recommended that ESDC complete a is demonstrably necessary to fulfill a specific comprehensive review of its materiel holdings and documented purpose. All sensitive or to ensure that all personal information and personal information stored on portable assets containing personal information are devices must be protected by strong identified and marked according to the technological safeguards, including highest appropriate security level (e.g. encryption. “Protected B”), in line with ESDC’s “Departmental Security Policy and Procedures Manual”, and Treasury Board’s ESDC’s Response “Security Organization and Administration Standard” for selecting minimum safeguards ESDC highlighted that steps have been taken to protect information and assets. to restrict and manage the use of portable storage devices, including: 1) On January 11, 2013, the “USB Storage Devices Directive” was ESDC’s Response implemented that restricts the use of portable storage devices to instances where ESDC highlighted that it is presently executing management has validated the need, an Information Management strategy across all mandates the use of encrypted (biometric and branches and regions which includes the password) USB keys or hard drives, and following core elements: imposes consequences for failure to comply; 2) On January 18, 2013, the monitoring of i. Examination of all repositories to desktop computers for unauthorized use of develop an inventory of information USB devices began; 3) On May 27, 2013, assets; security software was deployed to block

unauthorized use of USB devices; and 4) On ii. Appropriate retention and disposition June 3, 2013, security software was deployed decisions to ensure that transitory to block all other portable storage devices, records which are no longer required such as optical media (CD/DVD) and floppy are disposed of, and records of disks. Only authorized users can save to such business value are preserved; media. iii. Classification of remaining records to the appropriate security level, following the Department's information classification guide;

17 OPC Recommendation 5 OPC Recommendation 6

We recommended that ESDC establish We recommended that ESDC incorporate proper materiel management practices to regular security reviews or physical inventory and monitor all assets that may be inspections of assets containing personal used to store or transmit sensitive personal information to ensure proper safeguards are information. This may include affixing a bar implemented to protect personal information. code or other inventory measure to enable tracking of the asset. In addition, the relevant asset information (e.g. serial number) must ESDC’s Response be communicated to the appropriate asset management staff. ESDC submits that the following efforts will assist the Department in raising awareness among its employees and will enhance ESDC’s Response mitigation of the potential future loss of government assets and information: ESDC confirmed that, as a result of the incident, portable devices are now procured, i. The “Clean Desk Guideline” was distributed and managed centrally, and shared with all employees in August Assistant Deputy Minister (ADM) approval is 2013, to encourage a clean desk practice to prevent the unauthorized required to use such devices. In addition, disclosure of sensitive information and ESDC highlighted that laptops are tagged and loss of personal items; tracked by serial number and report to a technical console each time they are ii. Security sweep inspections of employee cubicles and offices have connected to ensure proper security software is commenced; deployed. Encrypted USB keys and portable hard drives are tracked by serial number – this iii. A compliance validation is included in information is integrated into the software the approved scope of the Internal Audit on IT Security, whereby which is used to monitor connections to the individual, portable digital media will be Department's network. As a safeguard, examined to assess controls in the devices are attached with a coloured tag that areas of policy management, technical identifies the Department's Service Desk 1-800 security and operational security. The number, in the event a device is found. ESDC conduct phase of the audit is proceeding until July 2014. also confirmed that the Department's Material

Management Policy is being updated to reflect how these devices are tracked.

18 OPC Recommendation 7 about roles and responsibilities, policies, tools, and other resources on the subjects of privacy, We recommended that ESDC develop and security, information management, and values implement controls to ensure that personal and ethics, in August 2013. ESDC will continue information is managed rigorously throughout to reinforce awareness of employee roles and its entire lifecycle. This includes establishing responsibilities and the risks and threats controls to manage and track personal associated with the protection of personal information, and ensuring that there is information through targeted outreach and awareness and accountability for the awareness activities. information throughout its lifecycle.

OPC Recommendation 8 ESDC’s Response We recommended that ESDC’s training and ESDC attests that a critical element of its awareness program include a particular focus Information Management strategy is ensuring on the following: the appropriate classification of records and the appropriate storage of records classified at • Strategies to ensure that all employees protected or above. Through proper training, a understand their roles and responsibilities disciplined process, and regular follow-up, for the management of personal information through its lifecycle, including ESDC submits that awareness of the proper identifying and handling personal handling of sensitive records will remain high. information;

Effective June 2013, Data Loss Prevention • The requirements for physical security outlined in ESDC’s own “Departmental (DLP) software has been deployed which Security Policy and Procedures Manual” permits routine scanning of information (approved cabinets, locking devices, repositories. Advanced algorithms detect when etc.), including the requirements for the potentially sensitive files are not properly proper operation and safeguarding of protected, which allows management to take attractive or valuable assets that contain personal information (i.e. external hard action to ensure the records are more drives, laptops, etc.); appropriately managed. • The requirements for safeguarding ESDC further submits that promoting employee personal information, including IT controls for portable devices (e.g. encryption). awareness and accountability for personal Employees that have access to sensitive information throughout the information lifecycle personal information must be aware of is a key component of its Privacy Renewal the privacy risks inherent to the use of Action Plan. ESDC highlighted some of its portable devices, as well as the ongoing efforts, including a privacy awareness vulnerabilities of the information that may be stored on these devices (i.e. loss or week in January 2013; activities organized in all unauthorized access, use or disclosure of branches and regions between February and personal information); June 2013 to directly engage employees on the importance of personal information protection; • The consequences of not adhering to Departmental security and privacy the launch of a new 'Stewardship of Information' standards. portal to provide employees with information

19 ESDC’s Response first phase, the training program was further refined and systems issues were addressed. ESDC highlighted that in April 2013, the As a result, the training program was re- Department approved an integrated learning launched in February 2014. It is anticipated strategy aimed at new and existing employees that all employees will complete the training by that consolidates learning in the key areas August 2014. related to the protection of personal information. As a further measure, all new and All employees will be required to undertake the existing Departmental employees are required mandatory training and testing. The to undertake mandatory testing every two Department will be tracking compliance with years to ensure ongoing compliance to the the mandatory learning objective through a functions related to the protection of personal learning management system, and quarterly information. completion reports will be provided to senior officials. Senior management is accountable for ESDC also submits that when a portable the effective monitoring of employees' storage device is issued, the employee signs attendance regarding the mandatory training, an acknowledgement that they have received testing and revalidation. the device and understand the provisions for its use. OPC Recommendation 10

OPC Recommendation 9 We recommended that ESDC incorporate measures to monitor personal information We recommended that participation in management practices, particularly in those training sessions should be mandatory and cases where it is necessary to use or transfer participation should be documented. personal information to portable storage devices (i.e. external hard drives, laptops, etc.). This may include formal direction, ESDC’s Response follow-ups, inspections, or audit controls.

As part of its learning policy suite, ESDC submits that the Department approved new ESDC’s Response mandatory training guidelines that clearly outline the approach, roles and responsibilities ESDC submits that the following steps are in for management and employees on the place to monitor information management learning requirements relating to the new practices with respect to potentially sensitive mandatory Stewardship of Information and information: Workplace Behaviours Training Program. This training program, which integrates training for • In accordance with the “USB Storage privacy, information technology security, Devices Directive”, all USB devices for information management, security and values saving information must be encrypted biometrically or with a password; and ethics/code of conduct, was approved as a Departmental mandatory learning objective and was launched in September 2013. During this

20 • Each person who receives an encrypted 127. We acknowledge in this case that device signs an acknowledgement of the substantial efforts were devoted to standard for acceptable use of the device searching for the missing external hard and agreement to submit it for audit at any drive, including conducting IT forensic time. The Internal Audit of IT Security will analyses; identifying the individuals include a provision for this compliance affected by the incident and confirming check; mailing information; initiating a public awareness campaign (setting up a call • USB ports are monitored and IT security centre, preparing press releases, etc.); prepares a weekly report on potentially coordinating SIN monitoring; arranging unauthorized use of USB devices; and an agreement with Equifax for credit protection services; and of course, • Data Loss Prevention tools are scanning issuing a public statement on file repositories to identify files which may January 11, 2013. present a risk.

128. Notwithstanding the above, we would like to highlight that that there may have Other Observations been more personal information compromised as a result of the loss of 124. In our Preliminary Report of Findings, the hard drive than was reported by we also offered our observations to ESDC to affected individuals. Further to ESDC in relation to the Departmental paragraph 20, ESDC’s representations response to the incident – specifically, described the specific fields of the immediate actions taken within the information that may have been Department following the incident, and compromised as a result of the incident. its notification to the affected individuals. 129. While ESDC submits that these fields of information were grouped into seven 125. Concerns were raised to our Office by key pieces of personal information in individuals who filed complaints order to inform affected individuals as regarding the delay by ESDC to notify quickly as possible, we failed to see affected individuals of the incident. In how some of the personal information accordance with Treasury Board’s that was not reported in ESDC’s “Guidelines for Privacy Breaches”, notification letter to affected individuals notification to those affected by the – for example, a borrower’s gender, incident, particularly in cases where language or marital status – can be sensitive personal information is grouped into the “seven key pieces of compromised, “...should occur as soon personal information” as ESDC as possible following the breach to submits. allow individuals to take actions to protect themselves against or mitigate 130. In our view, the combination of certain the damage from identity theft or other types of sensitive personal information possible harm.” increases the risks for identity theft, and therefore, it is essential in our view that 126. In our view, considering the scope of a complete list of the personal the breach and the mitigation measures information elements relating to the that were necessary to be implemented individual that is thought to have been by ESDC following the loss of the or potentially been compromised, is external hard drive, we find that the included in the notification. delay in notifying affected individuals in writing was reasonable in the circumstances.

21 131. Transparency is a key fundamental • ESDC further submits that, to date, principle that upholds government it has received no indication that accountability. To this end, we remind any of the personal information ESDC of Treasury Board’s guidance for potentially stored on the external reporting and responding to privacy hard drive has been accessed or breaches, specifically, the “Guidelines used for fraudulent purposes. ESDC for Privacy Breaches”. We also submits that it makes this statement underline the importance of compliance following its review of the monitoring with Treasury Board’s Policy on Privacy of Social Insurance Numbers, as Protection which, as one if its well as in-depth reviews of affected objectives, is meant to enhance clients' consumer profiles by effective application of the Privacy Act Equifax, the credit bureau with and its Regulations. which the Department has contracted to monitor the credit 132. In its December 4, 2013 response to history of interested individuals our Office, we highlight the following affected by this incident. comments from ESDC:

• ESDC submits that the scale and Conclusion scope of the privacy breach required it to take a number of steps 133. Our investigation reviewed the physical, to clearly identify what was missing technical, administrative, and personnel and who was impacted. Advising controls in place at ESDC at the time of Canadians and clients as quickly as the incident – what we refer to as the possible was of primordial four pillars of sound privacy importance in this instance, and as management. In our view, these a result, ESDC issued written controls should be incorporated into an notices and followed up with written institution’s privacy management letters to all clients for whom the framework to protect against data Department had a valid address. breaches, including the improper or

unauthorized collection, use, • ESDC contends that waiting to disclosure, retention and/or disposal of prepare individualized letters personal information. containing the specific information that may have been contained on the hard drive would have 134. Our investigation identified a unnecessarily delayed the measurable gap in ESDC’s notification process. Since the initial implementation of its privacy and notification letters were mailed, security policies in the day-to-day clients have contacted the business operations of the Department. Department requesting confirmation This gap resulted in weaknesses in of their specific information that was information management controls, believed to be contained on the physical security controls, and most hard drive. The Department has importantly, the level of employee responded to these requests with awareness of Departmental policies the exact personal information and procedures. associated with the particular client making the request.

22 135. While we have found ESDC to be in contravention of sections 6(3), 7 or 8 of Additional the Privacy Act in this case, the Department has accepted all of our recommendations in full and is in fact Information well-advanced in the implementation of many of the recommendations 139. For more information about our Office identified. and the powers of the Privacy Commissioner, please visit us online at 136. Accordingly, we are satisfied that no www.priv.gc.ca. We also have a further action is required by our Office number of resources available on our at this time. Nonetheless, we will web site that may be of interest to those follow-up with ESDC in one year to affected by this incident, including confirm its progress in the resources about identity theft and fraud. implementation of our recommendations and its ongoing efforts towards the management of the Department’s personal information holdings.

137. We also take this opportunity to highlight that there needs to be a synergy between privacy and security controls to effectively mitigate privacy risks. It is the implementation of these very controls that will assist ESDC to adequately protect the personal information that Canadians entrust to it.

138. It is expected that ESDC will respect the spirit and requirements of the Privacy Act – privacy is a fundamental value to Canadians, and it is an essential element in maintaining public trust in government. Therefore, we remind ESDC that it needs to continually be aware of the personal information and assets it holds, and their associated sensitivity and criticality. The protection of personal information must be properly integrated in all Departmental functions, which requires the establishment of a governance structure that has the weight, composition and mandate to effectively ensure implementation of policy instruments.

23