Canadian Underwriter

Saskatchewan Government Insurance notifies customers of a privacy breach

August 2, 2016   by Canadian Underwriter

Print this page Share

Saskatchewan Government Insurance (SGI) has notified customers of a privacy breach by an employee at an independent motor licence issuing office in Vonda, Sask.Computer crime concept

SGI, Saskatchewan’s self-sustaining auto insurance fund, said in a press release on Friday that their investigation found that an employee at the office “looked up customer information without a business reason” and, as a result, “this individual’s access to SGI’s computer systems has been permanently terminated.”

The investigation concluded that the individual was “snooping,” that the searches were random and SGI does not believe that there has been, or will be, any harm to any customers as a result of this breach. “We also believe that no information was disclosed to another party or used maliciously,” SGI said in the release. The information accessed was photo, email address, date of birth, customer number, customer name, mailing address, height and eye colour, SGI said, adding that no medical information or driver records were accessed.

Anyone with access to SGI’s computer system must complete privacy training every two years and sign privacy and confidentiality agreements. The agreements acknowledge that all users and SGI understand the need to keep customer information safe and share a commitment to doing so.

SGI pointed out that it has zero tolerance for accesses to customer information without a business reason, and individuals who do so have their access to SGI systems terminated. There are many procedures, checks and audits in place to reduce the risk of unauthorized access to customer information, and the insurer said it is taking the following steps to further strengthen protections:

  • Implementing automated data analysis to monitor unusual activity in a “more sophisticated way”;
  • Implementing additional audits;
  • Using the privacy breach to reinforce with all those accessing our customers’ information that “this behaviour is completely unacceptable and will have serious consequences for anyone we discover who has failed to respect that”; and
  • Communicating again with issuers about privacy policies and the consequences of not adhering to them; and
  • Following up with in-office meetings with every issuer.

Customers affected by this breach will be contacted and Saskatchewan’s Office of the Information and Privacy Commissioner has been made aware of the situation, SGI said.