Columns

Your Information is Not Secure: Thousands of Government Privacy Breaches Point to Need for Reform

As Canadians focused last week on the aftermath of the Boston Marathon bombing and the RCMP arrests of two men accused of plotting to attack Via Rail, the largest sustained series of privacy breaches in Canadian history was uncovered but attracted only limited attention.  Canadians have faced high profile data breaches in the past – Winners/HomeSense and the CIBC were both at the centre of serious breaches several years ago – but last week, the federal government revealed that it may represent the biggest risk to the privacy of millions of Canadians as some government departments have suffered breaches virtually every 48 hours.

The revelations came as a result of questions from NDP MP Charlie Angus, who sought information on data, information or privacy breaches in all government departments from 2002 to 2012.  The resulting documentation is stunning in its breadth.

My weekly technology column (Toronto Star version, homepage version) notes that virtually every major government department has sustained breaches, with the majority occurring over the past five years (many did not retain records dating back to 2002). In numerous instances, the Privacy Commissioner of Canada was not advised of the breach.

Some of the most vulnerable departments are those that host the most sensitive information. For example, Citizenship and Immigration Canada suffered 161 breaches in 2012 – more than three per week – affecting hundreds of people. The department only disclosed the breaches to the Privacy Commissioner of Canada on five occasions.

Human Resources and Skills Development Canada famously suffered a massive breach last year – 588,384 individuals were affected – but less well known is that the department has had thousands of other breaches over the past few years. In 2007, a breach affected 28,651 people, yet the Privacy Commissioner of Canada was not informed and the department is unsure of whether the breach resulted in criminal activity.

Virtually no department has been immune to security breaches with nearly 100,000 individuals affected by breaches at Agriculture and Agri-Food Canada since 2008, almost 5,000 individuals hit at Fisheries Canada with no reporting to the Privacy Commissioner of Canada, and just under 200 breaches at the RCMP affecting an unknown number of people.

If a similar situation occurred involving a major Canadian bank, retailer, or telecom company, there would be an immediate outcry for tougher rules on mandatory disclosure of security breaches. Yet the federal government plays by different rules, with no liability and no legal requirements to disclose the breaches.

Successive federal privacy commissioners have urged the government to reform the badly outdated Privacy Act to at least hold government to the same privacy standard that it expects from the private sector. But those calls for reform have been repeatedly ignored.

Most recently, Privacy Commissioner of Canada Jennifer Stoddart identified twelve seemingly uncontroversial reforms, including strengthening annual reporting requirements by government departments, introducing a provision for proper security safeguards for the protection of personal information, and creating legislated security breach notification requirements. None of the recommendations have been implemented.

In fact, Canadian privacy failures dot the legislative landscape. Bill C-12, the Canadian private sector privacy bill intended to implement reforms that date back to hearings conducted in 2006 lies dormant in the House of Commons. A review of the private sector privacy law that was required by law in 2011 has seemingly been forgotten. Anti-spam legislation passed in 2010 and touted as a key part of the government’s cybercrime strategy is stuck as Industry Minister Christian Paradis dithers on the applicable regulations.

No institution has greater access to the personal information of Canadians than the federal government. The public entrusts it to keep their information secure and to take all appropriate action should a security breach occur. The latest revelations indicate that the failure to live up to that trust is spread across virtually all government departments and to the political leaders that have failed to introduce much-needed legislative privacy safeguards. 

8 Comments

  1. MIke Bloom says:

    Security Breaches
    I’m curious as too your source. You claim all of these breaches exist and yet you do not provide any evidence or sources for the numbers you’ve obtained pertaining to the security breaches…

    Another issue is the government uses constantly outdated software and equipment… It’s not suprising; I did a casual contract with a department and was shocked and appalled that the main database for that department was still based off DOS. Terrible!

    Anyways more innovation, security and responsibility are required everywhere! Good luck changing things!

  2. Devil's Advocate says:

    Read it again
    “You claim all of these breaches exist and yet you do not provide any evidence or sources …”

    @Mike:

    You need to re-read the post.
    Dr. Geist didn’t make the claim.
    It was the Government admitting to it all, through its own documentation.

  3. Breach of Privacy or Enabling Security?
    What really boggles my mind is while we are seriously concerned (and rightfully so) about the scope and number of privacy breaches from our government, this is precisely what it has been trying to do with numerous recent bills.

    Need I remind you of our own C-30 online spying bill and PIPA, SOPA and now CISPA from our neighbours to the south, all aimed not only at making all private information open to governement but also to any corporation we have entrusted it to?

    The bottom line is not only does government already have the technical means to breach our privacy and deliberately violates it as a matter of course (the extensive private questions of the long census being a perfect example), but it wants to do it in total impunity, without any oversight whatsoever and furthermore, what’s even more distressing with CISPA, with the help of the major corporations that we’ve entrusted our private information with, corporations that already have control of government agenda through its powerful lobbies! If that is not a perfect definition of fascism, what is?

    I ask you this: what is it going to take for citizens to wake up to this ‘brave new world’ and reverse this disastrous trend before the machinery becomes too monstrous that it becomes impossible to stop it? Civil War? What is it going to take for citizens to realize that Democracy means they OWN the government and not the other way around and that without citizens, government has no legitimacy? Suspension of Right to Protest in Public (we’re almost there in Quebec) and Martial Law? What is it going to take for citizens to realize that NOW is the time to complain while we still can, before our rights have all been stripped away for our ‘own security’?

    Whenever there is a breach of privacy and government responds by trying to pass laws that would give it not only immunity but the power to actively do so for our own security, remember what Benjamin Franklin said: “They that can give up essential liberty to obtain a little temporary safety deserve neither safety nor liberty.”

    It’s high time we stood up to tyrants, especially those in three piece suits that call themselves our ‘Right Honourable’ leaders and make them realize who the work for: us, the citizens of this country, not the special interests who control government lobby.

    If we despise privacy breach and cherish liberty, it is not only our right but our duty to rebel against tyranny.

  4. What it is going to take…
    @Chris C — What will it take? It will take people using encryption to control their own privacy. It will take pirates winning seats of power so that governments will not be allowed to outlaw encryption (or require surveillance, which is the same thing). And it will require that we recognize fascism, like with Steven Harper, and have it “nipped in the bud.” Also, never pay for content from mainstream media, cut the TV cord, jailbreak the phone, and join anonymous.

  5. Cool!
    When the process is broken, the simple solution is to start afresh. Nature will find a way.

    You must be young, Annie. Love your attitude. Your common sense, straight answer bodes well for the future. The old guard eventually always falls đŸ™‚

  6. Capt. Kirk says:

    Government incompetence.
    Great comments Chris. C and Annie!

  7. You must be new here
    > federal government plays by different rules

    Uhm, yeah. They all do. All levels of government in Canada make up different (better) rules for themselves than they expect the constituency to abide by.

    The Ontario government did the same thing years ago when they passed laws limiting people from being able to convert company retirement plans into RRSPs — instead requiring them be locked into LIRAs[1]. The MPPs that voted for that regulation specifically excluded themselves from it, allowing themselves to convert their pensions into RRSPs while forcing the constituency into LIRAs.

    That kind of different, better rules for government and the MP[P]s than the general population should be outright illegal IMO.

    [1] You know, those accounts that hold your money but the government limits how much you can withdraw from them so that they end up spoonfeeding it to you until you are 90. No matter that you won’t live that long, you’ll be eating cat-food until you do die because you can’t even get the money that is rightfully yours out of your own fucking account!

  8. Mansour M says:

    Embarrassing
    The opposition should just skip the middleman and ask China about the security of Canadian government systems.