[BreachExchange] Dalhousie University warns 20, 000 that personal data was open for months

Destry Winant destry at riskbasedsecurity.com
Sat Nov 25 14:50:45 EST 2017


https://www.itworldcanada.com/article/dalhousie-university-warns-20000-that-personal-data-was-open-for-months/399250

Earlier this year Nova Scotia’s information and privacy commissioner
called on the province to pass a law requiring all firms under its
jurisdiction to notify affected individuals of all privacy breaches
involving a real risk of significant harm.

The government should consider that request more seriously now that it
has been revealed that it took Dalhousie University seven months to
finally notify 20,000 people — mainly alumni — that information about
them was in a computer file that was accessible to the university’s
faculty, staff and students between Sept. 16, 2016, and March 3 of this
year.

The file had alumni, university friend and donor information, but
apparently not financial information.

A letter sent to alumni blamed it on an error by an employee.

According to an article yesterday in the Halifax Chronicle Herald, the
problem was discovered in March but letters informing people started
arriving only this week.

“We became aware that members of the university community were using
this folder and may have used it to save information,” spokesman Brian
Leadbetter told the newspaper in an email.

“In this particular case, we have notified individuals out of an
abundance of caution. We have no evidence that the files were actually
accessed. The files did not contain any government-issued ID numbers
(e.g. social insurance number) or banking information (e.g. credit
card or bank information).

“We sincerely apologize for this error. We take our obligation to
protect the privacy of our stakeholders very seriously.”

The news report said a letter being sent by the university to those
affected said the institution “became aware on August 17, 2017 that a
file contained alumni, friend and donor information.

“To protect against the possibility of unwanted marketing, please be
wary of unsolicited emails, calls, or direct mail. Please rest assured
that we are doing everything we can to ensure the protection of your
personal information.”

Among the recommendations in her annual report to the legislature in
June, privacy commissioner Catherine Tully said the province should
require notification to affected individuals and the Commissioner,
without unreasonable delay, of all privacy breaches involving a real
risk of significant harm.

The recommendation didn’t define “real risk of significant harm.”
However, the only province in Canada that now requires data breach
notification is Alberta, which does use that phrase in its
legislation. In a document explaining how organizations should
interpret the phrase the province’s information and privacy
commissioner’s office says there are two tests: First, “there must be
some risk of damage, detriment or injury that could occur to an
individual as a result of the breach. For the harm to be significant,
it must be important, meaningful and more than trivial consequences or
effects.” The second test is to determine if a reasonable person would
consider there is a “real risk” that the significant harm identified
will occur to an individual.

Among the questions an organization should ask itself are:

- Who obtained or could have obtained access to the information?
- Is there a security measure in place to prevent unauthorized access,
  such as encryption?
- Is the information highly sensitive?
- How long was the information exposed?
- Is there evidence of malicious intent or purpose associated with the
  breach, such as theft, hacking, or malware?
- Could the information be used for criminal purposes, such as for
  identity theft or fraud?
- Was the information recovered?
- How many individuals are affected by the breach?
- Are there vulnerable individuals involved, such as youth or seniors?

Tully said any breach notification should specify content requirements
for notification to individuals including details about the cause of
the breach, a list of the type of data lost or stolen, an explanation
of the risks of harm affected individuals may experience as a result
of the breach, and information about the right to complain to the
Commissioner.

In an interview this morning Tully said she was not contacted by the
university on whether it needed to notify potential victims. “In Nova
Scotia it’s quite unusual for public bodies to notify” after a breach
of security controls, she added, “so Dalhousie did follow best
practice when they notified affected individuals.”

Tully wouldn’t comment on the time it took for the university to send
out letters because other than the news report she has no details.
But, she added, “it is important that notification be sent out without
unreasonable delay.” She noted the province’s health information law
requires bodies holding medical information to send out breach notices
“at the first reasonable opportunity.”

Most organizations would realize they have to notify potential victims
if the exposed data includes sensitive information such as passwords, bank
account numbers, social insurance numbers and the like. But Tully said
even a name alone could be sensitive in context — for example, if the
name belonged to a subscriber of a specialty magazine, that alone could
indicate something personal.

Briefly, she agreed an organization should take the attitude “when in
doubt, notify.”

“When a breach falls in the grey area, where it’s not obvious — it’s
not medical or financial information [that’s been breached] — that you
have to be methodical in working through what the risks are” to an
individual.

But, she added, “sometimes you notify because it shows respect for the
individual. It allows them to decide if there’s a risk to them when
you can’t be certain what the risk might be … Sometimes organizations
are going to notify because it’s important for their reputation that
their stakeholders know that they are prepared to let individuals know
when this happens.”
