July 23, 2012 5:45 AM
Elections Ontario recently lost two USB data keys containing confidential information on as many as 2.4 million voters in about 25 ridings. The two employees using the thumb drives did not bother to encrypt the data nor use password protection. It seems the data keys were not even locked in a drawer. Presumably, someone walking by just grabbed them off a desk.
According to IT professional and trainer Mitch Garvis, encrypting a 4GB thumb drive takes less than five minutes. We don’t know the capacity of the stolen drives, but we’re talking a number of minutes. Those are minutes these two incompetent employees chose not to invest in the privacy of 2.4 million Canadians.
I live in one of those 25 ridings, and I want senior people fired over this. Why? Because this behaviour is all too common, and the only way it will stop is if senior people pay the price for the ineptitude of their employees.
In 2009, a USB key containing health information on almost 84,000 patients of a Durham, Ont., health clinic was swiped. At the time, Ontario Privacy Commissioner Ann Cavoukian said, “No personal health information should be transported on mobile devices, unless the information is encrypted. This requirement is perfectly clear and encryption technology is readily available.”
For the Elections Ontario fiasco, she hardly needs to come up with a new comment. Swap “health information” for “voter information” and the advice is the same.
But, many will argue, the fault is with the employees, and not the executives. After all, “Election Ontario policies dictate that USB keys must be password protected and encrypted if they are being used to carry personal information, and that USB keys must be in the custody of Elections Ontario personnel at all times,” according to a press release.
If you feel that way, consider this: Greg Essensa, Ontario’s chief electoral officer, learned of the data breach on April 27, 2012, but only informed his bosses and the public on July 17. And this delay represents his accountability, according to a press release. He stated: “...in consideration of my accountability to the people of Ontario, I am making this notification today.”
So, being accountable means hiding news of the breach for almost three months. The lost data includes names, addresses, genders, birth dates and whether a person voted in the last election. In other words, this is an ID-theft gold mine.
By sitting on this disclosure for almost three months, Essensa gave criminals a valuable head start. And in fact, with no sense of irony, he is now advising us: “As a precaution, Elections Ontario recommends that Ontarians in the impacted electoral districts monitor and verify their personal transaction statements from governments, financial institutions, businesses and any other institutions to detect any unusual activity.”
He does not acknowledge the hours this will consume, nor admit the reality that almost no one will actually do this. Some people may be more diligent for a short time but then we will all return to our busy schedules, leaving identity thieves free to burrow into our lives.
The two incompetents who actually mishandled the USB keys should be penalized. Elections Ontario has said they no longer work for the organization, although it won’t specify whether they left or were fired.
Now it’s time for executives to pay as well. Essensa should step down, for allowing employees to ignore the rules and for waiting almost three months to admit to Canadians that the information Elections Ontario promised to protect had simply walked out the door.
Peter Wolchak has been a professional print journalist for more than a decade. Starting as a news photographer at a community newspaper, Peter then worked as a staff writer at ComputerWorld Canada, a national trade magazine, and later served as the editor of that publication for four years. Peter then moved up to the national business magazine arena as the editor of Backbone. In addition to these journalism activities, Peter has also worked as a public speaker and discussion moderator, served as a judge for the McLuhan Festival’s Vortex awards, and sits on the E-Business Program Advisory Committee at Sheridan College.
Posted by Sue Ansell at July 23, 2012 5:45 AM