Reports slam province for failing to protect information in N.S. privacy breach
By The Canadian Press
HALIFAX — Last year's breach of Nova Scotia's freedom-of-information website was entirely preventable, according to a pair of reports released Tuesday that slammed the Liberal government for failing to protect the public's personal information.
The reports released by provincial auditor general Michael Pickup and privacy commissioner Catherine Tully said risk management around the web portal was inadequate and the problems that led to the breaches were well known and should have been foreseen.
“It is astounding,” Tully said of findings related to what she called “the largest known breach” in the history of the province’s public sector.
“It took the contribution of quite a few people doing a poor job for this to happen.”
Tully said the immediate cause of a series of 12 breaches by two individuals between Feb. 27 and April 3 of last year was a design flaw in the freedom-of-information website portal.
She added the breaches were ultimately preventable and were caused by a “serious failure of due diligence” in the deployment of a new technology tool.
The initial breach on March 3 wasn’t detected until a month later, when it was inadvertently discovered by a government worker who reported it.
As a result of the breaches, Tully said almost 7,000 records containing personal information were downloaded and more than 600 have not yet been located. She also said an unknown number of people who were affected by the download of the “600 plus” documents haven’t been notified by the province.
Pickup’s report says the inappropriate download included child custody documents, medical information, and proprietary business information.
Police arrested a 19-year-old man in connection with one of the breaches on April 11; however, the case was dropped in May after police determined the teen didn’t intend to commit a crime by accessing the information.
Tully said she received two public complaints as a result of her investigation and one served as an example of how damaging the breaches were.
She said one individual requested access to a child protection information file involving their child that contained details of an abuse investigation. It included the child’s name, the community of residence, the name and location of the child’s school, and details of the family’s life and the challenges they face.
“Understandably the fact that this information was available publicly caused the individual intense anxiety and upset,” Tully told reporters.
“There is sufficient information about the family, the child’s circumstances and vulnerabilities, that if a predator were to come across this information it could be used to locate and target this child.”
Tully said the lack of oversight meant the government had broken the law as it pertains to the Freedom of Information and Protection of Privacy Act (FOIPOP). The act requires public bodies to make reasonable security arrangements to protect personal information.
“The Department of Internal Services failed to make reasonable security arrangements for the FOIA website as required by (the act),” said her report.
Pickup’s report said the breach was a “very clear example” of what can happen when government doesn’t protect the personal information entrusted to it.
“The inappropriate disclosure of personal information is actually not surprising given the extent of the failures found during our audit,” said Pickup.
Pickup found that the processes used to develop and implement the new software and website were poorly managed and didn’t adequately consider the risks involved.
“Security assessments which include penetration testing might have identified security vulnerabilities that could have been addressed before the systems went live, but security assessments were not required or completed,” Pickup said.
Both reports said the department relied too heavily on its relationships with both the company that designed the system, CSDC, and the company that provided project management and configuration services, Unisys.
In its response to Pickup, the department said it takes the findings seriously and is working to improve its performance around the protection of privacy.
Of the information disclosure, the department said: “This was not due to a single decision or oversight failure by the government, but rather a series of decisions, governance issues, and design shortfalls within a complex IT environment.”
Minister Patricia Arab resisted a call by the Opposition Progressive Conservatives Tuesday to resign as a result of the breach.
Arab also deflected Tully’s call to change privacy laws to give Tully order-making power and to improve offence provisions she described as “very weak.” The minister said it was a matter for the Justice Department.
However, Arab said she doesn’t dispute Tully’s findings.
“We need to take action,” she said. “I think we need to make sure that we learn from this event and that we do better in the future and that can only happen with a working relationship and a collaboration with both the auditor general and the privacy commissioner.”
The department accepted Tully’s six recommendations and the five made by Pickup aimed at strengthening leadership and oversight.
It also said the initial cost of responding to the breach was $84,795, while the costs associated with work to enhance the website are $66,217. Arab said a $15,000 post-incident review is also being conducted by Deloitte and would be released publicly following its completion in February.
Meanwhile, Tully’s report said 11 of the 12 breaches were from IP addresses assigned to the Atlantic School of Theology and it’s believed they involved only one individual.
She found that overall, the department lacks a “comprehensive and methodical plan” to prevent a similar occurrence in the future.
Tully told reporters she is worried the government’s culture won’t change to the extent needed and said the public needs to get involved by contacting their local members of the legislature.
“If the public cares enough about privacy they need to express that,” she said. “They need to express that this wasn’t good enough from their perspective because change won’t happen otherwise.”
— Keith Doucette