Reports slam province over privacy breach
Government failed to protect personal information with inadequate risk management around website
A pair of reports slam the Nova Scotia government for failing to protect personal information, saying the risk management around its freedom-of-information website was inadequate and a privacy breach last year was preventable.
In his report released Tuesday following a nine-month investigation, provincial Auditor General Michael Pickup says the breach was a “very clear example” of what can happen when government doesn’t protect the personal information entrusted to it.
“The inappropriate disclosure of personal information is actually not surprising given the extent of the failures found during our audit,” said Pickup.
A second report by Information and Privacy Commissioner Catherine Tully says the immediate cause of what were a series of 12 breaches by two individuals between Feb. 27 and April 3 of last year was a design flaw in the freedom-of-information website portal. She adds the breaches were ultimately preventable and were caused by a “serious failure of due diligence” in the deployment of a new technology tool.
The initial breach on March 3 wasn’t detected until a month later when it was inadvertently discovered by a government worker who reported it.
“The Freedom of Information and Protection of Privacy Act (FOIPOP) requires that public bodies make reasonable security arrangements to protect personal information,” wrote Tully. “The Department of Internal Services failed to make reasonable security arrangements for the FOIA website as required by (the act).”
As a result of the breaches, Tully says almost 7,000 records containing personal information were downloaded and more than 600 have not yet been located. She also said an unknown number of people who were affected by the download of the “600 plus” documents haven’t been notified by the province.
Pickup’s report says the inappropriate download included child custody documents, medical information, and proprietary business information.
Police arrested a 19-year-old man in connection with one of the breaches on April 11, however the case was dropped in May after police determined the teen didn’t intend to commit a crime by accessing the information.
Pickup found that the processes used to develop and implement the new software and website were poorly managed and didn’t adequately consider the risks involved.
“Security assessments which include penetration testing might have identified security vulnerabilities that could have been addressed before the systems went live, but security assessments were not required or completed,” Pickup said.
Both reports said the department relied too heavily on its relationships with both the company that designed the system, CSDC, and the company that provided project management and configuration services, Unisys.