Disclosure confusion
Security breach warrants full report
Dealing with a security breach of personal information stored in a government database is always a tricky situation as well as a grave one. Officials obviously have to balance several vital priorities in their response: closing the breach, assessing its extent, notifying people who have been placed at risk by it, identifying who created and/or exploited it (and how), and notifying police and assisting their investigation if there is evidence of a criminal offence and not just faulty programming.
Clearly, there’s a balance, too, between a duty to tell the public, and more urgently those whose information was compromised, and a carefulness about not giving a perpetrator opportunity to destroy evidence or evade police. It’s reasonable to say that where to strike this balance on disclosure will vary with circumstances: How grave is the risk to individuals? How hot on the trail are police?
All that said, it’s far from clear that the Nova Scotia government struck the right balance in taking a week to tell the public about a security breach in its freedom-of-information web portal, discovered on April 5, that allowed some 7,000 documents to be inappropriately accessed.
Internal Services Minister Patricia Arab and Premier Stephen McNeil said officials wanted to ensure disclosure did not impede the work of police, who on Wednesday charged a 19-year-old Halifax man with unauthorized use of a computer. But Supt. Jim Perrin says Halifax Police didn’t request any disclosure delay. It’s not reassuring for the government to create confusion on this issue.
Certainly, the breach, which occurred March 3-5, is serious. Officials say some 250 compromised documents contained exploitable personal information like birth dates, SIN numbers, addresses and client information related to government services. The circumstances are also worrisome. Officials say the breach was discovered by an employee who made a typing error on April 5. This triggered a massive document release through a system “vulnerability” that had been exploited by someone who had added code to gain access to everything on the portal.
As soon as possible, the minister owes the public a full report on the extent of the breach, how code was altered, whether other persons were involved and what is being done to improve security. Rightly, the portal was closed immediately and the people impacted are now being told. But the disclosure has been, at best, confused. The public needs more accountability and a better explanation.