[BreachExchange] BC Pension Plan warns 8, 000 people about privacy breach after box goes missing

Tue Apr 9 02:01:17 EDT 2019

https://www.cbc.ca/news/canada/british-columbia/bc-pension-plan-warning-8000-privacy-breach-1.5087283

About 8,000 College Pension Plan members are receiving notification
from the B.C. Pension Corporation that their personal information may
be at risk after a box went missing during an office move earlier this
year.

The box contained microfiche with personal information of members who
worked from 1982 to 1997. Some of the information includes, names,
social insurance numbers and dates of birth.

"We did an extensive search and because we couldn't find it, we took
the safe route and declared a breach," said Sherry Sheffman with the
B.C. Pension Corporation.

BC Information and Privacy Commissioner Michael McEvoy said in a
statement that the breach was discovered in October of 2018, after the
corporation moved offices in September. However, the public body did
not report the missing personal information to his office until March
8.

"The recent breach of personal information at B.C. Pension Corporation
clearly demonstrates why British Columbia requires mandatory breach
notification," said McEvoy.

"With mandatory breach notification in place, public bodies and
organizations would be required to report breaches or suspected
breaches to my office within days of discovery. In this case, the BC
Pension Corporation would have been required by law to report the
breach in October."

Low risk, says pension corporation

Microfiches were used before the new payroll system was implemented,
and are maintained for archival purposes for data prior to 1999, said
Sheffman.

Since the data is in a microfiche and non-digital format, the pension
corporation considers the breach low risk, Sheffman told Daybreak
South's Christine Coulter.

"The microfiche is very, very difficult almost impossible to read
without special equipment and it's difficult to convert to a medium
that could be used online," she said.

High risk, says FIPA

However, Sara Neuert, executive director of the B.C. Freedom of
Information and Privacy Association, feels otherwise.

"I would not say that this is a low risk. I think this is a really
high risk. In a province where we're fighting such crime as money
laundering, the government should be stepping forward and trying to
take that stand and protect people's data a little bit more," said
Neuert.

"To have microfiche out there where anyone who is ingenious enough to
figure out how to access what data is on there I think is very high
risk. And the fact that 8,000 people have been affected by this breach
I think is really staggering."

The association wants the province to update the Freedom of
Information and Privacy Act to give the privacy commissioner more
oversight, so there are penalties for future breaches, said Neuert.

"This is a public body and I think the government needs to step up and
update our legislation in a way that will protect people out there."

'This really isn't acceptable,' says affected member

West Kelowna resident Pamela Stevens is one of the affected members
who received a letter dated March 29, informing her of  the privacy
breach.

"I couldn't believe that it actually had happened. You know this
really isn't acceptable," said Stevens.

"The information is out there and there are people that wait around
for these things to happen to get people and to use their cards and
information to misuse it."

Since the breach, the pension corporation has placed additional
security and controls on microfiche records, said Sheffman.

"To protect members from potential unauthorized access, the
corporation has enlisted services of a private cyber-security firm to
do a search and determine if any information was at risk," said
Sheffman.

"To date there is no evidence of any malicious players."