British Columbia’s (Canada) Information and Privacy Commissioner has slammed the University of Victoria for a data breach that exposed information on over 11,000 university employees. It was a situation that could have been easily avoided with the use of full disk encryption like AlertBoot, as I noted in my previous coverage of the story.
The Commissioner went on to note that (cbc.ca):
Encryption is the minimum standard for devices like laptops and USB drives,” Denham said in a statement issued on Thursday morning.
“What is very unfortunate is that this privacy breach was both foreseeable and preventable. Instead of a simple theft of a mobile device, the incident resulted in enormous costs and stress for those affected and for the University”
The vancouversun.com site covered the story from a different angle
The type of security breach that led to the January theft of personal information from the University of Victoria is part of an “epidemic” that must be addressed, B.C.’s information and privacy commissioner said.
The Commissioner went on to note (my emphases):
We’ve investigated over 500 data breaches in the last few years in B.C.,” Denham said. “I would say a good 30 per cent of those data breaches involved unencrypted mobile devices. I think this is an enormous problem.
“You can just see the vulnerability of these small devices.”
Denham said that encryption, or conversion of data to a secure form, is an “absolute minimum” for protection. She said the security problems her office has seen have come up at schools, businesses, public bodies and private-sector organizations.
If I recollect correctly, there’s nothing in the Canadian data breach and privacy laws that specifically require an organization to use encryption software to secure personal, private data. But, some things are meant to be commonsense.