Losing Trust: Canadian Data Breach Spotlights Human Error

Friday, July 27, 2012

Kelly Colgan

F29746c6cb299c1755e4087e6126a816

A massive Canadian data breach was making headlines, and it shows how governments and businesses are susceptible to big league data loss.

More than 2 million voter records from the province of Ontario were lost when two USB drives went missing.

The drives went missing in April, but the news was made public only recently. In Canada 2 million is a relatively bigger number than in the Lower 48, since the country has 34 million people, while the United States has 311 million.

Names, addresses, gender, birth dates and other information Elections Ontario “may have had on record” vanished.

The government agency does not keep track of social insurance numbers—the Canadian equivalent of Social Security numbers—drivers license information or voter financial data.

The fact that it happened in Ontario, of all places, is worth pointing out.

Ontario privacy commissioner Ann Cavoukian is regarded as a thought leader on privacy matters. She’s worked hard to implement strong data security policies in Ontario, and the impact of her brainchild, Privacy by Design (PbD), has been recognized both in the U.S. and around the world. (In full disclosure, not only am I a true believer in the tenets of Privacy by Design but an official PbD ambassador. So I proselytize whenever I can!)

But every data protection program has a human component. At Elections Ontario, policies were not followed and data that was transferred from a provincial computer to a portable device was neither encrypted nor de-personalized. This practice is in direct contradiction to common best practices and standards not just in the province of Ontario but all over the world.

At this time, no one is sure whether the drive was lost or stolen, which doesn’t help the matter since citizens really don’t know whether to worry or not. Now I’ve worked with several businesses in the past that have lost thumb drives or other storage devices with sensitive client or financial information.

Sometimes the device and its data are found behind a file cabinet months later without issue, and sometimes it turns out to be stolen and the data misused. So at this time, the risk is anyone’s guess.

The success or failure of any institutional data protection program depends on how rigorously that program is followed. But even if the data was stolen for malicious purposes, most of the information isn’t more sensitive than what can be gleaned off someone’s Facebook profile.

The issue here is that our modern democratic society is based on the privacy of our vote. It’s just supposed to be you in that voting booth and there’s something intensely personal about voting records. The privacy of our voting information is like the privacy of our medical information.

It’s not just about protecting ourselves from identity theft or fraud like when our account number or government-issued ID numbers are exposed. It’s what I like to call privacy for the sake of privacy. Just knowing that someone could be looking at our personal histories doesn’t sit well with the public.

The feeling in Ontario may be less about account numbers and more about personal trust between citizen and state.

Eduard Goodman, Chief Privacy Officer, Identity Theft 911
An internationally trained attorney and privacy expert, Eduard has more than a decade of experience in privacy law, fraud and identity management. He is a member of the state bar of Arizona and served as the 2008-2009 section chair of the bar’s Internet, E-Commerce & Technology Law Practice Section.

Possibly Related Articles:
7727
Breaches
Information Security
Data Loss breaches Privacy Best Practices Trust Policies and Procedures Data Protection
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.