UVic had policies in place to secure confidential data

Greater Victoria employers using data breach as a learning opportunity

Stolen information affecting the bank accounts of thousands of people would never have ended up in the hands of thieves if an existing policy was followed at the University of Victoria.

Before assigning blame, the school wants to wait for two reviews looking into whether an employee failed to follow policy by backing up confidential employee information to a device stolen 10 days ago.

According to UVic’s Information Security Policy, data such as social insurance numbers and financial information must be stored within a controlled-access system with the file being password protected or encrypted. The device must also be locked away.

The university has said the information on the stolen device was not encrypted or password protected, though it was locked up.

Regardless, UVic’s vice-president of finance and operations says she’s waiting on the reviews before determining if policy was breached.

“I think what we’re going to be looking at is: what’s in the policy? What are the specific procedures? And to what extent did this fit in with what was in that policy?” said Gayle Gorrill.

Employees at the university receive periodic training on how to properly handle private information, she added.

In 2009, more than 400 employees that have access to secure information went through a three-hour session on information security and privacy.

“We’ll be re-looking at this and asking, ‘do we need to do a refresher?’ I expect we will,” Gorrill said.

Ryan Berger, an executive in the Canadian Bar Association’s freedom of information and privacy subsection, says he anticipates UVic isn’t the only employer reviewing its security policies.

“When you see significant breaches that affect so many people, and it’s a well known public institution, it will raise the privacy profile and the importance of encrypting sensitive information and ensuring that organizations are appropriately protecting privacy,” said Berger, a partner with the Vancouver law firm Bull, Housser & Tupper.

That’s exactly what’s happening at the Vancouver Island Health Authority, which has nearly 18,000 employees and almost 2,000 physicians on its payroll.

“We’re really using this unfortunate situation as an opportunity for learning,” said Cathy Yaskow, director of information access and privacy.

Yaskow, whose department focuses much of its work on the protection of confidential patient information, said VIHA’s current system to protect its employees is secure and thorough.

“The majority of our information, including employee and banking information, is stored (in an encrypted network),” she said.

Any data that is saved to an external device is fully encrypted and stored in a locked safe, she said.

Camosun College, with slightly more than 1,000 employees, is also taking heed of the UVic breach.

“We have a database where this (similar type of) information is and it’s encrypted. We are not feeling like we’re in jeopardy,” said Denis Powers, executive director of human resources.

“We have not stored anybody’s personal, confidential information on devices or in modems that could be easily stolen.”

Unlike at UVic, there doesn’t exist any unencrypted (or encrypted, for that matter) file at Camosun that contains employee banking information and social insurance numbers.

Each individual piece of confidential information at Camosun is encrypted and stored separately on large, internal servers, Powers said.

Saanich police are continuing an investigation into a fraud, which stems from a break-in and theft at UVic on either Jan. 7 or 8.

The university is also conducting internal and external reviews into its policies. Additionally, the Office of the Information and Privacy Commissioner is looking into the release of information.