January 15, 2019 by Keith Doucette - THE CANADIAN PRESS
HALIFAX – A pair of reports slam the Nova Scotia government for failing to protect personal information, saying the risk management around its freedom-of-information website was inadequate and a privacy breach last year was preventable.
In his report released Tuesday following a nine-month investigation, provincial Auditor General Michael Pickup says the breach was a “very clear example” of what can happen when government doesn’t protect the personal information entrusted to it.
“The inappropriate disclosure of personal information is actually not surprising given the extent of the failures found during our audit,” said Pickup.
A second report by Information and Privacy Commissioner Catherine Tully says the immediate cause of what were a series of 12 breaches by two individuals between Feb. 27 and April 3 of last year was a design flaw in the freedom-of-information website portal.
She adds the breaches were ultimately preventable and were caused by a “serious failure of due diligence” in the deployment of a new technology tool.
The initial breach on March 3 wasn’t detected until a month later when it was inadvertently discovered by a government worker who reported it.
“The Freedom of Information and Protection of Privacy Act (FOIPOP) requires that public bodies make reasonable security arrangements to protect personal information,” wrote Tully.
“The Department of Internal Services failed to make reasonable security arrangements for the FOIA website as required by (the act).”
As a result of the breaches, Tully says almost 7,000 records containing personal information were downloaded and more than 600 have not yet been located. She also said an unknown number of people who were affected by the download of the “600 plus” documents haven’t been notified by the province.
Pickup’s report says the inappropriate download included child custody documents, medical information, and proprietary business information.
Police arrested a 19-year-old man in connection with one of the breaches on April 11, however the case was dropped in May after police determined the teen didn’t intend to commit a crime by accessing the information.
Pickup found that the processes used to develop and implement the new software and website were poorly managed and didn’t adequately consider the risks involved.
“Security assessments which include penetration testing might have identified security vulnerabilities that could have been addressed before the systems went live, but security assessments were not required or completed,” Pickup said.
Both reports said the department relied too heavily on its relationships with both the company that designed the system, CSDC, and the company that provided project management and configuration services, Unisys.
“Regardless of how familiar government is with an individual vendor, we believe it is unreasonable to ever put full responsibility for project management, risk assessment, and overall due diligence on a private sector partner,” wrote Pickup. “The private sector is largely driven by their own goals and government must maintain responsibility for the public interest in any dealings with them.”
In its response to Pickup the department said it takes the findings seriously and is working to improve its performance around the protection of privacy.
Of the information disclosure, the department said: “This was not due to a single decision or oversight failure by the government, but rather a series of decisions, governance issues, and design shortfalls within a complex IT environment.”
Tully’s report said 11 of the 12 breaches were from IP addresses assigned to the Atlantic School of Theology and it’s believed they involved only one individual.
“While the department was able to identify activity in 12 instances that appeared to be unauthorized, the full extent of the potential breach of personal information will never be known, Tully wrote.
She confirmed the department’s assertion that the private records were accessed by changing the document identification number in the website’s URL, and she found that documents could be accessed “randomly or in sequence.”
Tully asserts that overall the department lacks a “comprehensive and methodical plan” to prevent a similar occurrence in the future.
She makes six recommendations including: strengthening privacy leadership and due diligence; immediate steps to contain the breaches that resulted in the download of 618 documents with personal information to a private computer that hasn’t been secured by the department; and the conduct of an internal post-incident review.
The department has accepted all six of Tully’s recommendations.