[BreachExchange] Reporting of government privacy breaches varies widely

Audrey McNeil audrey at riskbasedsecurity.com
Mon Apr 18 19:02:37 EDT 2016


http://ipolitics.ca/2016/04/16/reporting-of-government-privacy-breaches-varies-widely/

Federal government departments breached the privacy of more than 45,000
Canadians last year but only a small fraction of those breaches were ever
reported to Canada’s Privacy Commissioner.

Moreover, the proportion of breaches reported to the Privacy Commissioner’s
office varied widely from one department to another. For example, while the
Justice Department reported 80 per cent of the breaches it discovered, the
agency with the largest number of breaches – the Canada Revenue Agency –
only revealed less than one per cent of its 3,868 breaches to Privacy
Commissioner Daniel Therrien’s office.

While departments are not required to notify Therrien of every breach that
occurs, last year he was only notified about 5.3 per cent of the 5,853
privacy breaches discovered by departments.

Those breaches – everything from tax information or passports being sent to
the wrong address to lost memory sticks, e-mails accidentally disclosed or
unauthorized access to files – affected more than 45,894 Canadians.

While departments did not report any known cases of criminal activity as a
result of the breaches, in several cases departments like the RCMP and the
Canada Border Services Agency qualified that by saying they could not know
if the private information or documents involved in the breach were used in
a crime.

Tobi Cohen, spokeswoman for the privacy commissioner’s office, said
Therrien is concerned about the breaches of privacy by federal government
departments and has called for Parliament to give reporting requirements
more teeth.

“The Commissioner recently appeared before Parliament to discuss Privacy
Act reform. Among our recommendations is that breach reporting be required
by law, not simply by way of a directive from the Treasury Board
Secretariat,” she said. “We’ve also recommended that the Privacy Act
require federal organizations to safeguard the personal information in
their care – currently it does not.”

What does – or doesn’t – have to be reported to the Office of the Privacy
Commission (OPC) has changed significantly over the years.

In the past, Treasury Board policy said “it is strongly recommended that
institutions notify the OPC and of the mitigation measures being
implemented” if the breach involved sensitive personal data, can result in
identity theft or related fraud or “can otherwise cause harm or
embarrassment which would have detrimental effects on the individual’s
career, reputation, financial position, safety, health or wellbeing.”

In 2014, however, Prime Minister Stephen Harper’s government changed the
reporting requirement to require departments only report “material privacy
breaches” that “involves sensitive personal information and could
reasonably be expected to cause serious injury or harm to the individual
and/or involves a large number of affected individuals.”

Examples given of sensitive information are medical, psychiatric or
psychological information; information compiled and identifiable as part of
an investigation into a possible violation of law; criminal history;
information on the eligibility for social benefits; information concerning
an individual’s racial or ethnic origin, religious or political beliefs,
associations or lifestyle or information describing an individual’s
finances such as financial history or tax returns.

Examples of serious injury or harm to an individual under the guidelines
include identity theft or related fraud; material loss to the individual;
or “lasting harm or embarrassment that will have direct negative effects on
a litigation involving the individual or on an individual’s career,
reputation, financial position, safety, health or well-being.”

In both cases, departments are required to document decisions not to notify
the privacy commissioner of a breach.

In some cases, departments had privacy breaches involving large numbers of
Canadians but did not notify the privacy commissioner’s office, according
to documents tabled in the House of Commons last week in response to a
question from NDP MP Alexandre Boulerice.

Canada Post had one breach that affected 1,330 individuals but did not
report it to the Privacy Commissioner. The Correctional Service of Canada
had one breach that affected 545 people and another that touched 506, but
neither of them was among the 55 breaches it reported to the privacy
commissioner out of a total of 169 breaches that affected 1,480 people.

Employment and Social Development Canada, which runs the Service Canada
offices, reported 596 breaches that affected 1,585 people but blamed nearly
half of them on Canada Post.

“Out of the 596 breaches, 243 were caused by the Canada Post Corporation
(CPC)(passport lost in mail)” it wrote.

Employment and Social Development Canada only reported 12 breaches to the
privacy commissioner even though lost passports could potentially be used
to commit identity theft.

Although it is charged with safeguarding some of Canadians’ most sensitive
information — their tax returns — the Canada Revenue Agency once again
topped the list with 3,868 privacy breaches affecting 13,665 individuals.
The vast majority of those breaches (3,842) were not reported to the
privacy commissioner although one incident affected 8,451 people.

“In the last years, we have seen the number of breaches going up. Canadians
trust the government with very personal financial information. They
rightfully expect that it will be kept safe. It is even more true ‎in
breaches at the CRA where it exposes law abiding Canadians to thieves and
fraudsters,” said Boulerice, the NDP Ethics critic, in a statement.

In an explanation it included with its statistics, the CRA said 91.6 per
cent of its information and privacy breaches involved misdirected mail, 6.3
per cent relate to the theft, loss or compromise of information and 2.1 per
cent represent administrative investigations. The agency estimates 10-15
per cent of the misdirected mail was the result of taxpayer error.

In some cases, departments admitted that they really don’t know how many
people were affected by a privacy breach. Immigration, Refugees and
Citizenship Canada reported it had 304 breaches affecting 2,354
individuals. However, there are 50 other breaches where it has not yet
determined the number of individuals who might have been affected.

The Department of National Defence also admitted it only supplied partial
numbers, saying the Director General of Defence Security’s databank only
tracks incidents of high or very high severity and does not keep track of
the number of people affected. The partial records showed 101 breaches
affecting 384 individuals, including the accidental dissemination of a
database with personal information on more than 100 people to individuals
who should not have received it. None of the incidents were reported to the
privacy commissioner.

One of the single largest breaches occurred at Public Services and
Procurement Canada where one incident affected 10,308 individuals. It was
one of the four incidents out of 121 that made it to the privacy
commissioner’s office.

While many departments gave little or no information about the type of
incident that caused the privacy breach, Statistics Canada outlined its 36
incidents affecting 5,287 people in great detail from child immunizations
and parental attitude data that was not suppressed when sent to another
government department to a list of 1,006 business and household addresses
that was lost.

The Canadian Security Intelligence Service refused to disclose whether it
had any privacy breaches, citing national security. However, its sister
agency, the Communications Security Establishment, acknowledged it had 13
breaches affecting 630 people, including one that touched 465 people. None
of the incidents were reported to Therrien’s office.