The 2014-2015 Annual Report on the Privacy Act revealed that federal institutions reported 256 data breaches for the period, up from the 228 breaches reported in 2013, which was itself double the figure reported for the year before that.
The report, which was tabled before parliament on Thursday, highlighted a large number of federal government data breaches reported to the privacy commissioner’s office and the results of an audit of the government’s management of portable storage devices.
The audit, which covered 17 government institutions, was prompted by concerns over a number of federal government data breaches involving portable storage devices, including a 2012 incident in which a portable hard drive containing the personal information of almost 600,000 student loan recipients went missing.
As in previous years, the leading cause of the breaches was “accidental disclosure,” which, according to the report, is “a risk that can often be mitigated by more rigorous procedures.”
“Many institutions have made some strides to better protect personal information,” said Commissioner Daniel Therrien in a statement yesterday. “That being said, the breach reports we’ve received, the results of our investigations and our latest audit all suggest there is still much room for improvement.”
Last year marked the first time institutions were required to report data breaches to the Privacy Commissioner. Until then, reporting was voluntary.
The recently completed audit found that gaps in the federal government’s management of portable storage devices, such as memory sticks, are potentially putting the personal information of Canadians at risk.
The audit concluded that, while federal institutions do have policies, processes and controls related to portable storage devices, there is significant room for improvement in order to reduce the risk of privacy breaches.
“These devices can be easily lost, misplaced or stolen. Without proper controls, federal institutions are running the risk that the personal information of Canadians will be lost or inappropriately accessed,” the commissioner said.
The audit identified a number of concerns including:
- More than two-thirds (70 per cent) of the institutions had not formally assessed the risks surrounding the use of all types of portable storage devices.
- More than 90 per cent did not track all portable storage devices throughout their lifecycle.
- More than 85 per cent did not retain records verifying the secure destruction of data retained on surplus or defective portable storage devices.
- One-quarter did not enforce the use of encrypted USB storage devices.
- Two-thirds did not have technical controls in place to prevent the connection of unauthorized portable storage devices (for example, privately owned devices) on their networks, and more than half (55 per cent) had not assessed the risk to personal information resulting from the absence of such controls.
Weaknesses in the security settings to protect data held on smartphones at some of the audited entities were also found. These included, for example, a lack of encryption, strong password controls, or controls to prevent users from installing unauthorized applications.
“We hope all federal institutions will take note of the audit and its recommendations with respect to portable storage devices,” Therrien said. “The audit highlights some preventive steps that can and must be taken to curtail breaches. There is a need for greater vigilance when it comes to protecting the personal information that Canadians entrust to their federal government.”