On the balance of probabilities, the potential privacy breach revealed Tuesday by the B.C. government likely won’t ruin anyone’s life.
Citizens’ Services Minister Amrik Virk revealed Tuesday that the government has misplaced an unencrypted hard drive containing extensive files and databases on millions of B.C. students from 1986 to 2009.
There’s no sign of malicious intent — yet — and the data could have been missing for a few years by now. Also, the information is so arcane it suggests that targeted theft is unlikely. This isn’t North Korea romping through Sony’s email system. It’s more likely to be an unlabelled data drive sitting in the wrong box in the wrong warehouse.
What the revelation about the lost data will do is introduce nagging uncertainty in the backs of countless people’s minds about whether deeply personal, confidential information about them is going to stay the way the government promised it would — private.
But there’s not much doubt about the fallout. Mopping up this mess could get fantastically expensive. In all the scrambling underway to investigate this botch, somebody should keep a running tab on the cost of responding to it, starting with the 50 Education Ministry staff who spent weeks combing through hundreds of boxes in a warehouse looking for the drive. An official said they took the place apart and couldn’t find the drive.
Staff also scrambled to search all the electronic records in the ministry looking for a data trail that might lead to the drive. Another big bill, for work that turned up nothing.
Looking ahead, there will be the cost of the government’s chief information officer’s full-scale investigation of this latest breach. It will be conducted on a crisis basis, always the most expensive way. You can also add the cost of a similar but independent investigation by information and privacy commissioner Elizabeth Denham. She deemed it a serious major case and launched what looks to be an equally major investigation.
The CIO review will include a quick threat assessment about the dangers to the privacy of the people who are now at risk.
That’s where the bills could really start piling up. If it’s determined that notification of all the affected individuals is required, it would take personal letters or calls to every one of them. The work it would take to identify the people, find their current addresses and mail out notices would be huge.
In the meantime, there’s also the expense of the Service B.C. call centre, to which people are being directed if they want to inquire. Given the magnitude of the potential breach, a hike in traffic could be expected.
The issue of notifying those affected after a breach has been a point of contention for several years. B.C. information and privacy law places no requirement on any public body to notify anyone about breaches. A protocol has been worked out that involves Denham being routinely notified, as she was in this case.
She’s been advocating for much clearer regulations about the need to notify individuals. There have been recommendations to make notification mandatory for the private sector, and Denham is mulling over a similar recommendation for the public sector.
Her office published an informal guideline about notifications and the government has its own, similar guidelines. Reading them in light of what the government admitted, it’s clear the loss of the drive is a major event that could require full notification as soon as possible.
Most of the items on the checklist — potential for hurt and humiliation, damage to reputation, risk of loss of employment, risk of loss of confidence in the public body — are present in this case.
The creation of the drive in the first place looks to be a violation of policy. The incredible fact that it was unencrypted is another violation. And now the fact that it is missing is a third strike.
There are volumes of policies and procedures about how to deal with data in government. There was lots of talk at Virk’s news conference about how rigorous they are in dealing with it, and how hard they’re going to work on making it even better.
The only thing missing was an apology to all those people who now have something new to worry about, because the government got sloppy with their privacy.