Investigation of the loss of an unencrypted Universal Serial Bus (USB) storage device by the Royal Canadian Mounted Police

Complaint under the Privacy Act (the Act)

March 11, 2025

Description

In March 2022, our Office received notification of a data breach at the Royal Canadian Mounted Police (RCMP) involving the loss of an unencrypted Universal Serial Bus (USB) storage device containing a large amount of sensitive data. Our investigation examined the RCMP’s response to the breach considering the circumstances surrounding the loss of the USB storage device, and assessed the overall use of USB storage devices within the RCMP.

Takeaways

Employees have a responsibility to ensure that breaches are reported promptly to ensure the timely notification to affected individuals.
Institutions have a responsibility to ensure that the measures in place to safeguard personal information are adequate and commensurate with the sensitivity of the information under its control.
Institutions have a responsibility to ensure that the policies and procedures that are in place to safeguard personal information under its control are being followed and enforced.

Report of findings

Overview

In March 2022, the Royal Canadian Mounted Police (the “RCMP”) notified the Office of the Privacy Commissioner of Canada (the “OPC”) that a material privacy breach^{Footnote 1} occurred following the loss of a USB storage device at a detachment.^{Footnote 2} The device was then found and used by malicious actors.

The device, which was not encrypted nor password protected, contained various documents, including photos, videos, and other sensitive personal information of 1,741 individuals, including witnesses, complainants, subjects of interest, informants, police officers, and civilian employees.

The OPC’s investigation of this breach considered whether the RCMP contravened the Privacy Act (the “Act”), and whether the RCMP’s response to the breach was appropriate. Given that during this investigation the OPC received two other reports involving breaches of a similar nature, the investigation also considered whether the RCMP’s measures to protect information on USB storage devices, and to prevent their loss more generally, were adequate.

Our investigation first established that the RCMP contravened section 8 of the Act, given that individuals whose personal information was on the device did not consent to the disclosure of their information, and that none of the provisions under subsection 8(2) that would allow for the disclosure of personal information without consent applied. Second, as pertains to the RCMP’s response to the breach, the OPC concludes that the RCMP personnel failed to report the loss of the USB storage device to the RCMP authorities in a timely manner. However, the OPC notes that once it became aware of the breach, the RCMP’s notification to affected individuals and the steps taken to mitigate the risk of further harm to individuals were generally appropriate in the circumstance. Finally, the OPC finds that the RCMP failed to take appropriate measures to safeguard the personal information.

Considering the above, on March 15, 2024, the OPC recommended to the RCMP that it implement a series of measures to strengthen its safeguards related to the use of USB storage devices; this included measures not only to ensure that approved USB devices are used, but also audits to confirm that USB devices are returned when no longer needed, as well as additional training. While the RCMP indicated several months later that it accepted the OPC’s recommendations, it explained that it could not commit to a timeline for their implementation. The RCMP also explained that, at the time of writing of this report, it was piloting interim solutions to significantly reduce the use of unencrypted USB devices while exploring options to cease the use of USB storage devices. However, the RCMP could not provide nor commit to any timelines to carry out these pilot projects and, by extension, to implement the OPC’s first two recommendations. As for providing additional training, the RCMP submitted that its ATIP and Security teams offer ongoing presentations and awareness sessions with a particular emphasis on privacy breaches, data security and the onboarding of new technology.

Noting that the RCMP has reported additional breaches due to the loss of USB storage devices and considering the absence of a timeline to substantially address the matter, including the implementation of the OPC’s recommendations or alternate solutions, we find the complaint to be well-founded and unresolved.

Background

In March 2022, the RCMP notified the OPC that a material privacy breach had occurred at one of its detachments. The RCMP became aware of this breach when a confidential informant reported that a USB storage device (the “device”) belonging to the RCMP had been found circulating in the criminal community and that copies were being made and offered for sale to members of the public.
While a security incident^{Footnote 3} report was submitted to the RCMP’s Departmental Security Section (the “DSS”) that oversees the detachment where the incident occurred, the loss of the device was not mentioned. Rather, the report only spoke to the loss of keys to detachment doors and locks. It was only 21 days later that the loss of the device was reported to the DSS – one day after the RCMP was contacted by the confidential informant. It was later explained that the delay was because attempts were being made to find the lost device.
Through its own investigation, the RCMP confirmed that the lost device contained documents relating to various RCMP files and investigations which implicated the personal information of 1,741 individuals, including witnesses, complainants, subjects of interest, informants, police officers, and civilian employees. The RCMP’s investigation also established that only some of the documents on the device were password protected and that the device itself was not encrypted nor password protected.
The personal information at issue included names, biographical information, citizenship status, contact information, criminal history, information/checks, dates and places of birth and death, employee identification, physical attributes, signatures, other identification numbers, photos, and videos.

Scope and Methodology

Subsection 29(3) of the Act gives the Privacy Commissioner the authority to initiate a complaint against an institution if he is satisfied that there are reasonable grounds to investigate a matter under the Act. Upon considering the highly sensitive nature of the personal information contained on the device, the potential harms to individuals impacted by the loss of the device (including reputational harm and risks to personal safety) and considering that the OPC had previously made recommendations to the RCMP regarding the use of USB storage devices,^{Footnote 4} the Commissioner initiated a complaint against the RCMP.
The OPC’s investigation focused on three issues:
1. Whether, as a result of the privacy breach, the RCMP disclosed information in contravention of section 8 (permissible disclosures) of the Act;
2. Whether the RCMP’s response to the privacy breach was appropriate in the circumstances; and
3. Whether the RCMP’s measures to protect the personal information contained on USB storage devices were sufficient.
Our analysis considered the circumstances that led to the privacy breach, including (i) the purposes for placing personal information on USB storage devices (ii) the overall use of USB storage devices at the RCMP detachment where the device was lost, and (iii) the policies and procedures relating to the procurement and use of USB storage devices that were in place at the time of the breach. To this end, we considered representations submitted by the RCMP and conducted interviews during a site visit with key RCMP witnesses and personnel from the detachment, as well as other RCMP officials.

Analysis

Issue 1: Did the RCMP disclose personal information in contravention of section 8 of the Act?

Subsection 8(1) of the Act states that personal information can only be disclosed with an individual’s consent or in accordance with the provisions of subsection 8(2) of the Act, which permits disclosures without consent for a limited range of specified purposes.
The OPC determined that the contents of the device, which included personal information, were disclosed. This is based on the following facts: (i) the device was lost, (ii) it was determined that it contained highly sensitive personal information, yet was not encrypted or password protected, and (iii) its contents were illegitimately copied and being offered for sale to the public.
Individuals whose personal information was contained on the device did not consent to the disclosure of their information. Further, none of the provisions that would allow for the disclosure of personal information without consent found under subsection 8(2) apply to the facts of this case. There was therefore an unauthorized disclosure of highly sensitive personal information, and, accordingly, the OPC finds that the RCMP disclosed personal information in contravention of section 8 of the Act and that the complaint is well-founded.

Issue 2: Was the RCMP’s response to the breach appropriate in the circumstances?

The Treasury Board Secretariat (“TBS”) issues directives and guidance on the operations of the Privacy Act. While TBS issued a new Directive following the incident, when the breach occurred, it was TBS’s Guidelines for Privacy Breaches^{Footnote 5} (the “Guidelines”) that were in effect and applied to the incident. Section 4 of the Guidelines provided guidance on the steps an institution should take to adequately respond to a breach. These steps included:
- Taking immediate actions to stop the breach and to secure the affected records, systems, or web sites; for instance, by attempting to retrieve any documents or copies of documents that were wrongfully disclosed.
- Documenting the privacy breach, describing, among other elements:
  - the circumstances that gave rise to the breach,
  - the personal information that was or may have been compromised,
  - the individuals or groups of individuals affected by the breach,
  - The process to notify those affected individuals.^{Footnote 6}
- Notifying the departmental Access to Information and Privacy (“ATIP”) Coordinator and Departmental Security Officer, and the OPC and TBS if the breach is determined to be a material breach.

Regarding measures taken to stop the breach, we note that the RCMP member who lost the device only reported the incident the day after a confidential informant contacted the RCMP and therefore did not report the missing device for 21 days. The RCMP subsequently attempted to recover the original device, without success. Even if it had been able to retrieve the original USB storage device, the RCMP had limited to no means to prevent the further dissemination of the information given the time elapsed and the unknown quantities of copies made and circulating, as reported by the confidential informant.
With respect to documenting the breach, the RCMP conducted interviews with its personnel to better understand the circumstances that gave rise to the breach. It also launched a full investigation into the breach, which enabled the RCMP to assess the device’s contents, confirm the scope and nature of the information that was stored on the device, and the identity of the individuals whose personal information was impacted by the breach.
The RCMP further notified its Departmental Security Office and Departmental ATIP Coordinator; the Coordinator assessed the breach to be material^{Footnote 7} and proceeded to notify both the OPC and TBS.
With respect to notifying individuals impacted by the breach, the RCMP completed an assessment to identify the level of risk associated with each affected individual. Individuals were grouped into three categories of risk – high, medium, and low – and the RCMP notified affected individuals as follows:
1. Individuals in the high-risk category were notified in person by a member of the RCMP, and in some cases along with a member of victim services. Where needed, safety measures were put into place to protect the individuals.
2. Individuals in the medium-risk category were notified by phone.
3. Individuals in the low-risk category were notified by mail.

The RCMP reported that a number of affected individuals could not be notified (where contact information was unknown, individuals could not be located, or individuals did not wish to have any contact with the police).

We are satisfied with the general approach taken by the RCMP to notify affected individuals and accept that indirect notification was not possible given the risks that this could present to certain individuals, as noted above.
We also note that the failure to report the loss of the device at the same time as the loss of detachment keys was reported caused delays in the RCMP’s ability to notify the affected individuals.
In this regard, we note that the RCMP’s DSS publication on security incident reporting, dated December 2021, indicates that members are to report security breach of information and other assets (defined as the “unauthorized disclosure, theft, loss or access to sensitive information and other assets” (our emphasis)). While during our interviews the RCMP indicated that these incidents should be reported immediately, the publication issued by the DSS is silent on the timeframe within which an incident should be reported.
We conclude that, once it had become aware of the breach, the RCMP’s response to the breach, notification of affected individuals, and steps taken to mitigate the risk of harm to individuals were generally appropriate in the circumstances. However, given the RCMP personnel’s initial failure to report the lost USB storage device to RCMP authorities in a timely manner, the OPC finds this aspect of the complaint to be well-founded and has recommended that the RCMP revisit its policies to ensure timely reporting of breaches by RCMP personnel to the relevant RCMP authorities and conduct training on proper breach management.
Additionally, the OPC remains concerned with the RCMP’s safeguards as it relates to its use of USB storage devices for sensitive personal information. Of note, during its investigation, the OPC received two other breach reports of a similar nature from other RCMP detachments. Given that the OPC previously made recommendations regarding the use of USB storage devices dating as far back as 2014, we continued to advance our investigation on the initial breach incident to determine whether the RCMP’s practices surrounding the use of the lost device were sufficient at the time of the breach but also whether these practices were sufficient for USB storage devices in general.

Issue 3: Were the RCMP’s measures in place sufficient to protect information on USB storage devices and to prevent their loss?

The Act is silent about measures that institutions should take to prevent unauthorized disclosures of personal information under section 8. However, the OPC has previously found that sound security practices are an essential component for meeting the protection requirements established under the Privacy Act.^{Footnote 8} As such, institutions should take appropriate measures to safeguard personal information that are commensurate with the sensitivity of the information and the likelihood of misuse (if a disclosure were to occur).
Given the nature and sensitivity of the information that the RCMP handles on a daily basis, the OPC would have expected the RCMP to have strict security measures in place to safeguard its information holdings. We also would have expected for those measures to be stringently monitored and that the RCMP would take prompt action where non-compliance, whether accidental or not, is discovered.
In this case, information on the device was highly sensitive (the identification of victims and confidential informants) and it was found circulating in the criminal community. This creates a higher risk that individuals could be seriously harmed.

Procurement and Use of USB Storage Devices Policies

The RCMP’s “Standard for the Transfer of Unclassified, Protected A or Protected B Data to and from the RCMP Office Support Services (ROSS) Network Using a USB storage device” (the “Standard”), dated September 2021, authorizes the use of USB storage devices for legal disclosure, the sharing of information with police partners, and the sharing of RCMP member’s occupational health and safety information in situations where secure file sharing software is not an option. In those instances, the use of USB storage devices is subject to certain requirements, including that:
1. Detachments must purchase USB storage devices through Shared Services Canada.
2. Detachments must inventory USB storage devices using an approved asset management system, devices must have a unique identifier and can only be assigned to an authorized individual.
3. USB storage devices must be secured with an authorized full disk encryption solution and a password that meets RCMP password policy.
Our site visit confirmed that USB storage devices were used to physically transfer information in instances where information was too large in size to be sent via email or through a secure file sharing software. We also confirmed that the Detachment’s Finance unit is in charge of procuring USB storage devices through Shared Services Canada.
The site visit also enabled us to confirm that the RCMP detachment did not follow, at least at the time of the breach, some of the procedures and policies in place for USB storage devices containing protected information. Specifically, contrary to the Standard’s requirements:
1. There was no system in place to ensure that RCMP members were only procuring USB storage devices through Shared Services Canada;
2. There was no system in place to properly tag or track the devices once procured (i.e., devices were not assigned a unique identifier and signed out by the member it was issued to); and,
3. The procured USB storage devices were not being encrypted prior to issuance to members.
The RCMP’s own internal investigation determined that, with regards to the lost USB storage device, there had been a contravention of the above-noted policies and procedures, namely:
1. It was not procured through the approved process, and not properly inventoried;
2. It was unencrypted; and,
3. It contained personal information that was not for a purpose authorized under section 3.2 of the Standard.^{Footnote 9}

Security and Privacy Awareness

During the interviews, the RCMP made little reference to security awareness training or the periodic reinforcement of security awareness through targeted communications and materials.
In its representations, the RCMP included copies of notices and communications it issued to members regarding the proper use of USB storage devices and the importance of protecting information stored on those devices. We note, however, that these were sporadic. In response to the breach, the RCMP issued several reminders in the days and months after the breach occurred.
We also heard during our interviews that communications from RCMP Headquarters are often unread, with members placing more importance on communications from the regional or detachment levels.
The RCMP explained that it conducts ongoing security awareness campaigns through the communication of periodic reminders, and that “for your information” material is an integral part of a security program. Based on the information we gathered, it therefore appears that at the time of the breach, the RCMP’s communications to members regarding responsibilities and best practices concerning USB storage devices were either ineffective or had not taken place in a long time.
Finally, with regard to privacy training more generally, numerous witnesses we spoke to during our site visit noted that it had been a substantial amount of time - sometimes more than a decade - since they participated in any privacy related training. One witness stated that members take initial privacy training at depot,^{Footnote 10} but are not provided further privacy training thereafter.

Policy Compliance Monitoring

Our review of the RCMP’s policies revealed that Article 5 of Section F of the policy document titled “AM XI.1 Organizational and Administrative Security 2006-03-14“, dated March 2006, speaks to the conduct of periodic unit security reviews. In addition, Article 6 speaks to the continual reinforcement of security awareness training for protecting RCMP information and assets.
Through our interviews, we were able to conclude that the detachment was not conducting scans for unauthorized devices or adequately monitoring for process compliance. While the RCMP’s IT department was periodically conducting security audits, as per the policy, these audits were inadequate in identifying the use of USB storage devices not procured through the approved process. We also noted as part of our interviews that the conduct of security sweeps for unauthorized devices was difficult, as detachments were usually aware of scheduled sweeps and that the completion of unscheduled sweeps was challenging due to resource issues.
In terms of continual reinforcement of security by the detachment and its supporting IT department, our analysis enabled us to confirm that there was no system in place to disable an unauthorized device that had been connected to a detachment computer, nor was there a system in place to remotely alert IT to the connection of an unauthorized device or peripheral. Such a system is a strong element of a security program.
Ultimately, while the policies that the RCMP had in place at the time of the breach were generally adequate, they were insufficiently communicated and enforced to prevent the misuse of USB storage devices, which increased the risk of a privacy breach or other security incident occurring. We also note that the lack of privacy training among members further increased the risk of misuse of personal information.
During our interviews, the RCMP indicated that it took the following measures following the breach:
1. Shortly after the breach, the RCMP sent a department-wide communiqué reminding members of their responsibilities regarding the protection of information and privacy breach reporting.
2. The detachment implemented a system to tag assets and track all USB storage devices procured from SSC through the Finance unit and the devices are now encrypted prior to being issued to the requesting member. Further, members are now expected to return the devices to the Finance unit after the purpose of use has been fulfilled.
3. The RCMP has undertaken a review of how it handles disclosures between its detachments and partners (such as Crown Offices) and is exploring solutions that would remove the need for the use of USB storage devices for such disclosures.
4. The RCMP’s ATIP unit completed various privacy related presentations in all RCMP regions to emphasize the importance of protecting the information under the control of the RCMP.
In light of the above, we find that, at the time of the breach, the RCMP had failed to take appropriate measures to safeguard personal information, and in this case highly sensitive personal information stored on the lost USB storage device. Consequently, this aspect of the complaint is well-founded.

Recommendations

In light of the preceding, the OPC made recommendations to the RCMP.
While the corrective measures described at paragraph 37 are steps in the right direction, the OPC found that there were several areas where the RCMP could improve upon to mitigate against a future breach of this nature. In our preliminary report of findings, we recommended that the RCMP:
1. Demonstrate that measures are in place across the RCMP to ensure that only approved (i.e., encrypted, password protected) USB storage devices are used, including the implementation of a system that will alert IT when an unauthorized USB device is connected to RCMP computers. We asked that the RCMP provide the OPC with such evidence (e.g., audit report, description of proposed alert system, unauthorized devices connection logs, etc.) within one year of the issuance of this report of findings.
2. Building on recent improvements to procedures on the tracking of USB storage devices, develop and implement an audit procedure to monitor the adherence to the practice of returning the USB storage device once the purpose of use has been fulfilled. We asked that the RCMP provide to the OPC with a finalized audit procedure within 6 months of the issuance of our report of findings and the outcome of at least one audit within one year of the issuance of this report of findings.
3. Review and revise its security and privacy policies and awareness program to ensure that members and RCMP employees are reminded of their responsibilities on a continual basis, including with regards to breach reporting. We asked that communications be issued from the divisional/detachment level, as well as from its Headquarters. We also asked that the RCMP provide to the OPC its schedule for security and privacy awareness program revisions and related communications within 6 months of the issuance of this report of findings.

RCMP’s response

The OPC sent the above recommendations to the RCMP in March 2024.
It took several follow-ups and discussions between the RCMP and the OPC, including meetings at the Deputy Commissioner and at the Commissioner levels, to finally receive a response from the RCMP. While the RCMP did eventually respond and indicate that it accepted the OPC’s recommendations, it would not commit to the OPC’s proposed timeline for implementation. As such, the OPC considers that the recommendations were not accepted and the matter not deemed conditionally resolved.
In its latest update dated December 20, 2024, the RCMP indicated being in the process of identifying permanent solutions to replace the use of USB storage devices, except in limited and specific circumstances where it is impossible to do so. The RCMP further explained that, while it seeks to identify the best solution, it will be exploring interim solutions to limit the use of USB storage devices.
In this regard, the RCMP noted the imminent launch of a pilot program in its largest division whereby members will be required to use encrypted USB storage devices and return non-encrypted devices that are currently in circulation. Similarly, another division is exploring the use of a secure software for the transfer of protected information, such as sensitive personal information.
Regarding our second recommendation, the RCMP indicated it has yet to explore how it will audit compliance with its existing policies and procedures for the use of USB devices, noting that the pilot project will likely inform its next steps in this regard.
As for training, the RCMP submitted that its ATIP and Security teams initiated a road show in 2023 to conduct in-person presentations and awareness sessions to Divisional employees, including senior leaders, with a particular emphasis on privacy breaches, data security and the onboarding of new technology. The RCMP represented that this security and privacy awareness campaign is on-going both in-person and virtually.
Finally, the RCMP committed to updating the OPC regularly on its progress towards the implementation of OPC’s recommendations, and/or suitable alternatives, along with being open to meeting regularly with the OPC as required.

Conclusion

The OPC would like to acknowledge that the RCMP was generally cooperative throughout our investigation. The individuals we spoke with recognized the grave nature of the situation and took the matter seriously. That said, the RCMP was at times late in responding to the OPC, which contributed to the length of time it took to complete this investigation.
While the RCMP has demonstrated that they are working towards a solution that would permanently remove the use of USB storage devices, except in limited and specific circumstances, it falls short of committing to timelines within which it will have those solutions in place.
Given that the OPC has received subsequent reports of lost unencrypted USB devices and considering the RCMP’s refusal to commit to a timeline for the implementation of the OPC’s recommendation, we therefore find the complaint to be well-founded and unresolved.

Footnotes

Footnote 1

At the time of the breach, the Treasury Board Secretariat defined a material privacy breach as: “A privacy breach is considered material when it involves sensitive personal information and could reasonably be expected to cause serious injury or harm to the individual and/or involves a large number of affected individuals.” This definition was replaced in March of 2024.

Return to footnote 1 referrer

Footnote 2

A detachment is an RCMP post located within a specific division within Canada.

Return to footnote 2 referrer

Footnote 3

A security incident is any event (or collection of events), act, omission or situation that has resulted in a compromise.

Return to footnote 3 referrer

Footnote 4

A 2014 letter from then OPC Commissioner Therrien, to then RCMP Commissioner Paulson recommending that “the RCMP’s protocol for using USB keys containing personal information include password protection and encryption of the information as a standard business practice.”

Return to footnote 4 referrer

Footnote 5

These Guidelines were rescinded and replaced on 26 October 2022 by the TBS Directive on Privacy Practices.

Return to footnote 5 referrer

Footnote 6

TBS’s Guidelines for Privacy Breaches^[6] (the “Guidelines”), at s.4(2).

Return to footnote 6 referrer

Footnote 7

ibid at 1. Pursuant to TBS’s 2022 Guidelines, which were in effect at the time of the breach but have since been replaced, a breach was material if it involved “sensitive personal information” and could reasonably be expected to cause serious injury or harm to the individual and/or involves a large number of affected individuals.”

Return to footnote 7 referrer

Footnote 8

See: OPC’s s.37 review of Veterans Affairs Canada at para 57.

Return to footnote 8 referrer

Footnote 9

See reference to authorized purposes at paragraph 24.

Return to footnote 9 referrer

Footnote 10

The Depot Division is where RCMP members receive their initial police training.

Return to footnote 10 referrer

Date modified:: 2025-06-05

Language selection

Search and menus

Search