A massive data breach has affected the employees of the Edmonton Public School Board. Over 7,000 employees’ information was saved to a USB memory stick which has gone missing. It doesn’t appear that the device was protected with disk encryption like AlertBoot.
A Techie Did It
The memory stick device was used by a computer technician who was working on a HR department computer. He used it to download data — perhaps as a backup? It’s never really specified — and somehow the USB device went missing. It was revealed that Edmonton’s policies require that sensitive data be protected with encryption software, something that was not done in this case.
Normally, an unencrypted USB stick being used wouldn’t surprise me except that in this case it was actually someone working with the computer department that perpetrated the breach. Now, I’m not saying that all techies follow their own policies: I’ve certainly met my fair share of techies who suffer from god-complex. However, it’s still pretty jarring.
It’s also stupid. For starters, a techie can’t claim or feign ignorance when something goes awry with unprotected data.
Privacy Commissioner Makes Observations
This is what the provincial privacy commissioner had to say about the situation, according to cbc.ca:
Provincial privacy commissioner Frank Work said the school board violated its own policies.
“First of all, according to school board policy, you’re not supposed to use an unencrypted stick,” said Work. “They did.”
“Second of all … they’re supposed to keep a list of what they download … onto a portable device, like a stick. They did not. And the third way they breached their own policy was they had kept too much information too long.”
And yet, the board will not be penalized financially because “it has already spent thousands of taxpayer dollars to sort out the mess.”
I agree. It seems like they should be penalized in some other way; after all, fining the board only means that tax payers not associated with this case will bear responsibility for the incident. Instead, someone ought to be disciplined for this latest breach: a demotion, a termination, cut wages, etc. Otherwise, it just creates moral hazard.
Related Articles and Sites: