New HRSDC rules still allow USB keys
Unencrypted portable drives with personal information previously lost
The federal department that lost the personal information of almost 600,000 Canadians late last year finalized a new directive for mobile data devices that still allows portable drives and USB keys, but only in limited cases.
The new guidelines were written over seven days and finalized just a day before Human Resources and Skills Development Canada announced it had lost an external hard drive containing the personal information of 583,000 Canada Student Loan recipients. They still allow devices that lack the encryption or password protection required by Treasury Board guidelines, but employees have to receive clearance to use them, according to the department’s guidelines.
The directive was accompanied by a recall of all USB keys in the department that weren’t encrypted or password protected, and gave senior managers the ability to confiscate personal drives that employees had used to store sensitive departmental information.
Collected USB keys were then physically destroyed, because deleting data from them doesn’t ensure the information can never be accessed, according to government guidelines.
The only USB keys now allowed in departmental use are those that have biometric encryption, or are encrypted and password protected. They will also now have an “attached coloured tag” with a service-desk phone number to make it “less likely to be forgotten or misplaced,” and increase the likelihood that if someone finds the device, they will call the department and return it, according to the policy.
“In the past few months, there were very serious incidents that led to the decision to prohibit portable USB storage devices,” reads a set of key messages for supervisors to use with employees, which was released to Postmedia News under the access-to-information law.
“These changes go into effect immediately. For many employees, this means no change; for others it will be significant. You can expect to hear more in the coming weeks as this represents a significant and important change that touches many employees.”
The policy, finalized Jan. 10, came after two data losses at HRSDC, including one where a lawyer lost a USB key with personal information on more than 5,000 Canadians applying for a federal disability pension.
The agency that tracks and prevents funds from reaching terrorists and organized crime was also the subject of a data loss in October when an unencrypted USB key with casino patrons’ information was left inside a locked briefcase stolen out of a car in Calgary.
The student loan breach is the subject of a class-action lawsuit filed in the Federal Court of Canada. While the loss was reported on Jan. 11, the drive was last seen in late August and noticed missing on Nov. 5.
The delay in publicly reporting the loss was part of what prompted the NDP digital-issues critic to file a private member’s bill that, if passed by the Commons, would require private companies and organizations to report any loss of personal information if there is any risk of harm.
Charmaine Borg said that this language is a lower threshold than what is currently in government legislation before Parliament, Bill C-12, which would require reporting only if there is a serious risk of harm.
She argued that companies domestically and internationally flout current privacy laws in Canada because of lacklustre reporting requirements.
“That’s what I’m seeking to correct: To make those organizations who may have made a mistake or may have not treated personal information in a correct way so that there are consequences,” Borg said.
Her bill has the backing of privacy groups and experts.