Lost USB key from Employment and Social Development Canada reinforces lessons learned

An earlier investigation into a data breach involving ESDC was featured in an OPC special report tabled in Parliament on March 25, 2014, which noted that the organization did not translate its formal privacy and security policies for the protection of personal information into meaningful business practices.

The OPC investigation concluded that this was a major contributing factor resulting in the loss of a hard drive, which was noticed missing on November 5, 2012. The drive contained the personal information of 583,000 student loan recipients.

That same month, a USB key containing the personal information of 5,045 Canada Pension Plan Disability appellants disappeared from a desk in an ESDC office. As with the hard drive, the USB key was neither password-protected nor encrypted, nor was it ever found.

The missing personal information included each individual’s SIN, date of birth, surname, medical conditions, education level, type of occupation and whether other payments were being received, such as worker’s compensation. In the wrong hands, such information could lead to identity theft or fraud.

An OPC investigation into the disappearance of the USB key found weaknesses in the same four types of privacy management controls considered in the student loan hard drive case, namely physical, technological, administrative and personnel controls.

This disappearance differed from the student loan hard drive case because a Justice Canada lawyer had custody of the USB key when it went missing. The lawyer was working from an office at ESDC to help triage the disability pension appeal cases pending a hearing before the former Review Tribunal. The lawyer had left the USB key lying on a desk in a locked office instead of storing it in a security cabinet.

More generally, our investigation found that the Justice department also failed to translate its security and privacy policies into meaningful business practices.

Both ESDC and Justice accepted OPC’s nine recommendations to better protect personal information under their control. Most of the recommendations echo those made in the hard drive case.