Not all Ontario schools follow this cyber security rule

Some former school board employees can still look at children’s records – including address and date of birth – over the Internet because their access to this system has not been revoked, the Auditor General of Ontario suggested in a recent report.

Each school child gets an Ontario Education Number. A computer system administered by the provincial education department stores data – including the child’s name, date of birth and gender, address and educational records. This data can be accessed by some ministry staff and local school board employees.

Inactive user accounts are “not always being cancelled after workers leave their jobs,” auditor general Bonnie Lysyk wrote in her 2018 annual report, tabled Dec. 5 in the legislature. “These accounts are accessible on the Internet, creating a risk that confidential student information may be exposed to the public.”

Public-sector privacy breaches are a concern to underwriters because liability insurance can kick in if an organization is named in a negligence lawsuit.

An alleged privacy breach is the subject of two proposed class action lawsuits before the Ontario Superior Court of Justice. The lawsuits allege that staff working for the Rouge Valley Health System sold contact information about women who had given birth at the hospital to people selling registered educational savings plans. The plaintiffs are seeking damages of about $450 million. Their allegations have not been proven in court.

“Cybersecurity is the protection of computer systems and data from theft of, or damage to, their hardware, software or electronic data, as well as from disruption of the services they provide. It also includes protection against the misdirection of data to the wrong servers or recipients,” the 2018 Ontario auditor general’s states.

For school boards, there is a risk of identity theft perpetrated by cyber-criminals. Nearly three in four Ontario school boards that replied to an Auditor General survey said they did provide formal information security awareness training to teachers and staff with access to their computer systems.

“As the methods and techniques used by attackers to manipulate school board staff into divulging sensitive information become increasingly sophisticated, the importance of providing updated cybersecurity awareness training continues to grow.”

Recent privacy breaches affecting Canadians include an attack on Marriott International Inc. and Starwood Canada ULC hotels. Hackers stole contact information as well as credit card, passport and travel information belonging to as many as 500 million guests over four years, The Canadian Press has reported.