There’s been a great deal of chatter around the recent City of Ottawa pension fund data breach.
The City hired Towers Watson to conduct a fund review. While transferring the data (unencrypted, I might add) to a new computer system, Towers Watson discovered that the hard drive was missing from a safe.
The identifying information of approximately 800 former City of Ottawa staff, including police officers, firefighters and their beneficiaries, was affected. Not a huge disclosure for anyone who keeps up on such incidents, but significant to the 800 former City employees whose names, birthdates, social insurance numbers and pension amounts were lost.
While Towers Watson has done its due diligence and sent letters indicating that it will provide these pensioners with a credit monitoring service, it appears to be stalling until September before providing an update. The event occurred in May; does the investigation really require four full months?
It’s important to understand that this breach did not occur in Canada. I know, we all like to think our private information is stored securely within our own borders, but that was not the case for this group of 800, nor is it for many other Canadians.
The hard drive in question was being stored in the Philippines.
Again, the chatter in the security community is rife with the usual discussion around contract details and clauses that protect the client from such incidents, and so on. I have seen, read, written, counter-proposed and laughed at thousands of these contracts over the years, and one thing they consistently fail to protect us from is insider abuse.
Having a mitigation plan, or a compensatory set of clauses in the event of an incident, might help the two parties (the City and Towers Watson in this case) sleep better at night, but I bet the 800 affected pensioners aren’t sleeping so well right now. Not with the worry of identity theft, and possibly pension theft, to mull over.
Some have suggested that in this age of evolving openness, transparency and “networked intelligence”, the important thing is “accountability”.
To a certain extent that mantra is correct, but I would suggest that the City is fully accountable. The City was the one that decided to sign off on a contract with a vendor that allowed this personally identifiable information to cross not only the Canada-US border, but to travel all the way to the Philippines.
What verification and due diligence was done to ensure that the resources in the Philippines were trustworthy? All this rhetoric around an open Internet is one of the root causes of PII breaches in the first place. I’ve always stood my ground on the concept of keeping data in country whenever you can. There is absolutely no reason why the City of Ottawa could not have found this service in Canada. Even if it could not, the data itself could have stayed in Canada.
For the sake of argument, though, if the City had no other choice but to go outside the country, the due diligence from a privacy and security perspective should have been commensurate with the sensitivity of the data, as should the mitigation plan and contract details. That said, we all know how poorly the City of Ottawa writes contracts! As a CISM at a Canadian financial firm, I face these challenges daily, and I am sick of the spun stories, clauses and promises to keep data safe, only to see a meteoric rise in breaches!
Here is a link to yesterday’s US government news release announcing US participation in the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules system: http://www.commerce.gov/news/press-releases/2012/07/26/acting-us-commerce-secretary-rebecca-blank-announces-us-participation. I wonder how this stacks up against the Canada-US border deal that was the subject of news stories a few weeks ago, for example this one, titled “Border privacy pact puts personal info at risk, says privacy watchdog”: http://www.vancouversun.com/news/Border privacy pact puts personal info risk says privacy watchdog/6863413/story.html. The immediate subject of that concern is the “Border Action Plan: Joint Statement of Privacy Principles”, announced in a Public Safety Canada news release at: http://www.publicsafety.gc.ca/media/nr/2012/nr20120628-2-eng.aspx.
These efforts outline a set of privacy principles, which of course translate into security controls, that commit the parties to protecting privacy and ensuring safeguards are in place. There are a dozen of them, all grand to read, and they give me that warm and fuzzy feeling I need to help me sleep at night.
However, the devil is in the details. While the Governments of Canada and the US may consider this a step forward in helping the economic flow, here in Canada I’d suggest we get our legislative ducks in a row and provide some additional oversight and prescriptive controls to ensure that Canadian infrastructure, critical or otherwise, is fit to participate in such grand partnerships.
Then, when it comes time to prepare and review contracts, they will be solid enough for the ink. Moreover, 800 pensioners wouldn’t have to worry about their future!