OTTAWA — The federal department at the centre of a massive data breach says it is banning the use of portable data devices in its offices, using new technology to prevent information from being easily removed from the network and warning any staff that violation of the new rules could mean the loss of their job.
Human Resources and Skills Development Canada (HRSDC) said Monday that it will start using “data loss technology,” which would allow the department to restrict when, where and which staff can remove information from government systems. Reviews have already started to see what risks the use of secured, portable data devices, such as USB memory sticks, carry in the department’s work and whether there are enough safeguards to prevent another massive breach of personal information from happening again.
Should the “strict codes of privacy and security” not be followed, the department said, staff will face “disciplinary measures … up to and including termination.”
However, HRSDC wouldn’t say what has happened to the staff Human Resources Minister Diane Finley has said are facing disciplinary measures for their involvement in the loss of an external hard drive that contained the personal information of 583,000 Canada Student Loan borrowers.
Staff noticed the hard drive was missing on Nov. 5 but didn’t alert the department’s security officer until Nov. 28. It took until Jan. 11 before the public was made aware of the loss of personal information, including names, birth dates and social insurance numbers of those who received student loans between 2000 and 2006.
“We are analyzing this incident and we are treating this matter very seriously,” the department said in an email to Postmedia News. “The loss of sensitive information such as personal data is completely unacceptable. We will take all appropriate actions to avoid such occurrences in the future.”
The data breach, which observers say is one of the worst in Canadian history, is the subject of at least four class-action lawsuits, with actions underway in Ontario, Alberta and Manitoba. A fourth lawsuit has been filed in Federal Court. The lawyer overseeing the Federal Court application told Postmedia News Friday that his office has received more than 12,000 calls since the lawsuit was announced with some affected Canadians claiming to be the victims of identity theft, although it’s unclear if the claims are connected to the loss of the hard drive.
The hard drive was used as a “back up storage option,” according to the government, and was not encrypted — an additional layer of security required under federal guidelines.
The government says it has no evidence that the hard drive has been accessed. The RCMP and federal privacy commissioner are both investigating the breach.
A toll-free number for those concerned they might be affected by the breach was set up last week. Since it went live on Jan. 14, more than 110,000 calls have been made to the call centres across Ontario and Quebec. The toll-free number is 1-866-885-1866, or 1-416-572-1113 for those outside of North America.
Also last week, the department ordered all regional offices to send in USB memory sticks that weren’t allowed to be connected to the government’s network. Use of those memory sticks allowed anyone to download large amounts of data and physically carry it — and potentially lose it. The department said that “collection points” have been set up across the country and that sticks will be shipped to headquarters in Ottawa before making their way to a government facility in Belleville, Ont., “for physical destruction.”
Department employees will have to attend mandatory training touching on the government’s policy about securing and handling information, and managers have been told to “reinforce the proper handling of information” with their staff.