
Wednesday, November 14, 2007

ALBERTA INFO AND PRIVACY COMMISSIONER FRUSTRATED WITH SECURITY

Info and privacy commissioner frustrated with security

David Howell, edmontonjournal.com

Published: Tuesday, November 13

EDMONTON - Alberta's information and privacy commissioner says he can't describe his mounting frustration with organizations that fail to protect personal information stored on laptops and other portable devices.

"It's just nuts that we're not looking after this stuff better," Frank Work said Tuesday after releasing an investigation report into the theft this May of four laptop computers from a Capital Health office in downtown Edmonton.

"We're into the information age and we can do all these electronic marvels, and yet the most basic issue we just can't seem to get our heads around."

The laptops stolen from Capital Health contained health information. More than 20,000 individuals had to be notified, and in some cases it took nearly three months to track them down.

Work's investigation concluded that Capital Health contravened the Health Information Act by failing to protect the information with adequate administrative and technical safeguards.

The laptops had two levels of password protection and were locked with cables to desks. But Capital Health did not require its laptops to be protected with encryption programs, despite being advised twice by Work's office in 2006 that such programs were required.

Encryption programs convert data into a secret code to prevent unauthorized access.

Work said Tuesday he has opened an investigation into the theft of a memory stick - a small device used to store computer data - containing names, addresses and phone numbers of 560 students in Edmonton Catholic schools. An employee of a school-bus transportation company had the memory stick in her purse. The purse was in her car when the vehicle was stolen.

Work said the memory-stick theft, which came to light on the weekend, is another example of information that should have been encrypted. Many memory sticks come with such programs, he said.

"If it was rocket science ... if it took some kind of incredible effort to protect the information, then I might be a little less frustrated," he said.

"But we're talking about what must be common knowledge - that portable things go away. They get stolen or they get lost.

"Therefore, assume that they're going to get stolen or they're going to get lost, and take it from there, which means you just have to encrypt them."

Work said he finds it "unbelievable" that organizations still aren't taking necessary steps even after several high-profile incidents.

Last year, after a laptop was stolen containing the personal and financial data of 8,000 Edmonton-area doctors, Work found financial services firm MD Management in breach of the Personal Information Protection Act for not taking adequate steps to safeguard the information.

"That was the case where we said, very clearly, that the standard is a portable (computer) plus personal information means you've got to have encryption," Work said.

He said organizations don't recognize that protecting personal information must be a priority.

"They don't see it as ... part of their core business or something. And yet, when someone signs the cheque to pay someone for doing 20,000 individual notifications, I mean, that's going to cost some money. So, how can that not be an organizational priority to mitigate those losses? I would think any auditor would tell them in terms of risk management that you've got to do this."

Capital Health has agreed to several recommendations.

It will find and implement an appropriate encryption solution and ensure that the new system is used on all types of mobile devices that contain personal or health information.

It will provide Work's office with a detailed implementation plan that includes "aggressive targets and timelines." It will also review and revise its incident-response procedure, in particular its process of notifying individuals about privacy breaches.

Capital Health spokesman Steve Buick said the health region will have encryption programs in portable computing devices by January.

"We have, in fact, been working toward moving to encryption for the past year, but it's a big undertaking and we were not ready to move to it at the time the laptop theft happened," Buick said.

"We remain satisfied, in our own minds at least, that it was a crude smash-and-grab kind of theft, which like most of these thefts probably had little or nothing to do with the information in the machines.

"It's the case with most of these thefts of small portable information storage devices. The kind of person who is hooking one of these devices from a purse or a locker probably has no interest in what's on them. But that doesn't change the potential for a breach, which has to be taken seriously."

The Catholic school district now requires that bus carriers encrypt student information stored on memory sticks.

A new policy requiring that information on school district laptops be encrypted will be implemented in the next couple of months, district spokeswoman Lori Nagy said.
