Feds' privacy breach inexcusable

OTTAWA -- Somewhere out there, nearly 600,000 people are wondering if their identities might be at risk.

In one of the biggest -- if not the biggest -- breaches of personal privacy the federal government has ever experienced, the personal information of 583,000 former clients of the Canada Student Loan program has been lost. About 18,000 of them currently live in Manitoba.

The names, birthdates, addresses, social insurance numbers and loan amounts of all loan recipients outside of Quebec between 2000 and 2006 were on a portable hard drive that a government employee had stuck in a filing cabinet.

On Nov. 5, that employee noticed the hard drive wasn't there anymore but didn't tell management at Human Resources and Skills Development Canada about it for two weeks.

And that was only because HRSDC was forced to conduct an internal review after another privacy breach was discovered -- that one was the loss of a USB stick with the same information about 5,000 applicants for disability pensions.

Now, all of this begs an obvious question or two or 80.

Why, in the name of all things logical, is such information even being stored on portable, easily stolen or lost devices? If that is the only way to back up the information, why are these devices not stored somewhere that makes stealing them or losing them a lot harder than it apparently was?

And why, if the government was aware of what was on the hard drive in early December, did it not take any steps to inform the people affected until Jan. 11? And even then, it was done in a press release on a Friday afternoon. Most of the people the Free Press spoke to about it last week found out about it on Facebook from friends.

Human Resources Minister Diane Finley hasn't answered any questions in person about the issue, only released a written statement. In it, she says the right things: She's outraged and this is unacceptable and she's called in the Mounties and heads will roll if it happens again. And if that's not enough, she says, she is reassuring Canadians the government is serious about protecting their personal information.

That's cold comfort to the 583,000 current and former students who will likely spend the next several years worrying whether their information is in the wrong hands.

And what about the other gazillion federal government departments? Are they all making sure they don't have personal data on easily misplaced or stolen portable devices?

Especially since it's not like this is the first time something like this has happened. Last fall, Elections Ontario had to admit it lost two memory sticks containing information about 2.4 million voters. On Friday, a major hospital in Ottawa had to admit it lost a USB stick containing health information on as many as 25,000 patients.

It used to be we'd hear about some government or hospital accidentally tossing patient records or government files into a Dumpster. Now, with the introduction of portable memory devices that can hold thousands -- if not millions -- of names and other data, a government can lose your private information far more easily.

It's likely only a matter of hours before another government somewhere has to admit it too, has messed up.

Sure, it's true the hard drive might have been taken by someone who just wanted a new hard drive. The memory stick may be under piles of garbage in a landfill, unwittingly tossed.

But the risk the information gets into the wrong hands is there, and it's unacceptable.

Governments know how bad it is, yet it seems nothing is done until they themselves lose your information.

HRSDC started to address the issue last spring, when it decided to stop producing SIN cards and advised Canadians who have one not to carry it around in their wallet. But yet it still stored 583,000 of those numbers on a device that easily disappeared.

Getting a hold of someone's social insurance number is the main step to stealing their identity. With someone's SIN, name and date of birth, you could easily get credit cards, bank accounts, loans etc. in their name. If you're savvy enough, you might even be able to drum up a birth certificate, which then opens the door to getting a driver's licence and even a passport.

In short, it's the big whammy of the identity-theft world.

And someone, somewhere, could have 583,000 of them.

mia.rabson@freepress.mb.ca

Republished from the Winnipeg Free Press print edition January 21, 2013 A6