As news stories evolve over time, it can become difficult to keep focus on the big picture. Reflection in hindsight can reveal interesting - sometimes startling - patterns in an otherwise rapid, chaotic event. PRIVA-CTM Research follows such news stories, the commentary on which may prevent others from repeating past mistakes in privacy management.
NOTE: Some external news stories may expire over time, resulting in dead links.

January 23, 2003 The Saskatchewan Government reports that a hard disk drive containing personal information had been stolen from ISM Canada. The public was told that "More than 100 people are being called to let them know information about a visit to their doctor may now be in someone else's hands" and also included on the drive were "Almost 90 people who made worker's compensation claims". [More…]
January 28, 2003 Saskatchewan Department of Finance admits that pension data for about 60,000 public servants was on the missing hard drive. [More…]
January 30, 2003 Co-operators Life warns more than 180,000 customers about possible identity theft after it was found that personal records of Co-operators' customers were on the same hard drive stolen from ISM Canada. [More…]
January 31, 2003 Co-operators Life offers to compensate customers who are victims of identity theft. [More…]
January 31, 2003 SaskPower warns 10,000 customers of the risk of identity fraud and admits that personal information of more than 400,000 customers was on the stolen hard drive. [More…]
February 3, 2003 Investors Group warns 750,000 customers that their personal information may have been on the hard drive stolen from ISM Canada. [More…]
February 3, 2003 A law firm files a class action suit on behalf of people whose personal information was contained on the missing hard drive. [More…]
February 5, 2003 Police charge ISM employee with theft of the hard drive containing personal information. [More…]
February 6, 2003 Police acknowledge that "they cannot be sure what happened to the personal, financial and medical records", but they "are satisfied that the information has not been used unlawfully". The suspect was charged with "theft under $5000". [More…]
February 6, 2003 Media report suggests that the Saskatchewan Freedom of Information and Privacy Commissioner does not have the resources necessary to adequately address privacy issues such as the ISM breach. [More…]
February 7, 2003 Co-operators Life and the Saskatchewan Workers Compensation Board report an increase in telephone calls from worried customers. The number of lines at the Co-operators call centre was doubled to cope with demand. [More…]
February 10, 2003 Saskatchewan's Privacy Commissioner is "doing a review just to ensure that proper security procedures are in place and, more importantly, to ensure this type of situation doesn't happen again". [More…]
February 20, 2003 Police reveal the identity of the individual charged in the theft of the hard drive. [More…]
February 21, 2003 Province agrees to overhaul privacy policies and procedures. [More…]


From all accounts, the organizations involved in the incident appear to have handled the situation well. It is very difficult to stop a rogue or malicious employee whose intent is to cause damage. ISM Canada and law enforcement agencies were successful at catching the thief and recovering the stolen hardware. Organizations whose data was compromised were quick to notify clients and mitigate damages.
What should health organizations do to avoid or manage similar situations? Consider the following:
Have a comprehensive inventory of all hardware held by the organization, including removable components inside computer workstations and servers. If you don't know you have it, you won't notice when it goes missing.
Know what information is held on every piece of storage media including hard drives, magnetic tapes, magnetic disks, optical storage media, paper, etc.
Have clauses in any contract with third parties such as outsourcing organizations to ensure that appropriate levels of security are provided. Establish procedures to be followed in the event of a breach.
Conduct regular checks (or ensure that your outsourcer conducts regular checks) to ensure that sensitive assets have not been stolen or otherwise gone missing.
Have a security incident handling procedure in place, including a protocol to call in law enforcement agencies when criminal activity is suspected.
Be prepared to identify and notify any clients who may be impacted by a loss or disclosure of personal information.
Be ready to respond to a flood of inquiries from concerned clients by beefing up your contact centre and communications capacity. Be ready to offer solutions to mitigate client concerns.
Brief the Privacy Commissioner as soon as possible after discovery of the incident. Keep the Commissioner informed as the investigation progresses.
Be prepared to deal with the media. Have a coordinated communications strategy in place.
Ensure that all staff have been trained on security and privacy policies and procedures, including the consequences of breaches or criminal behavior.
Encrypt all data on hard drives and other forms of storage media to protect confidential data in the event of a theft.
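The first, second, fourth and sixth points above (inventory every piece of media, know what is on it, check regularly that it is still there, and be able to say who is affected when it is not) can be tied together in one small reconciliation routine. The following is an added example, not PRIVA-CTM's or ISM Canada's code; the serials, sites, data-set names and record counts are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class StorageAsset:
    serial: str        # manufacturer serial number, recorded at intake
    kind: str          # "hdd", "tape", "optical", "paper", ...
    location: str      # rack, room or outsourcer site where it should be
    encrypted: bool    # whole-media encryption in place?
    datasets: tuple    # names of the data sets known to be stored on it

# Constructed sample inventory (hypothetical serials, sites and data sets).
INVENTORY = {
    "SN-1001": StorageAsset("SN-1001", "hdd", "outsourcer-rack-3", False,
                            ("pension-records", "compensation-claims")),
    "SN-1002": StorageAsset("SN-1002", "hdd", "outsourcer-rack-3", True,
                            ("billing-archive",)),
    "SN-1003": StorageAsset("SN-1003", "tape", "offsite-vault", False,
                            ("payroll-2002",)),
}

# Constructed data-set register: name -> (data owner to notify, individuals held).
DATASETS = {
    "pension-records":     ("Pension Administrator", 12000),
    "compensation-claims": ("Compensation Board", 350),
    "billing-archive":     ("Utility Billing", 8000),
    "payroll-2002":        ("Human Resources", 2500),
}

def find_missing(inventory, audited_serials):
    """Serials recorded in the inventory that the physical audit did not find."""
    seen = set(audited_serials)
    return sorted(s for s in inventory if s not in seen)

def notification_scope(inventory, datasets, missing):
    """Who must be told, and how many individuals, for each missing asset.

    Encrypted media are reported separately: the loss still has to be
    investigated, but the exposure differs from cleartext media.
    """
    cleartext, encrypted = {}, []
    for serial in missing:
        asset = inventory[serial]
        if asset.encrypted:
            encrypted.append(serial)
            continue
        for name in asset.datasets:
            owner, count = datasets[name]
            cleartext[owner] = cleartext.get(owner, 0) + count
    return cleartext, encrypted
```

Run `find_missing` against the serials an auditor actually sighted, then feed the result to `notification_scope` to get the list of data owners who need to start contacting clients.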