Ex-privacy commissioner to lead UVic theft probe
Jan 21 2012
The Administrative Services Building at the University of Victoria. Thieves broke in and stole a storage device that contained employee names, payroll information and social insurance numbers.Photograph by: Adrian Lam, timescolonist.com
A former B.C. privacy commissioner will lead an independent review of a major security breach at the University of Victoria earlier this month.
David Flaherty will probe events leading to the breach in which unencrypted personal information of nearly 12,000 employees was stolen
from an administration building.
Flaherty will try to determine how thieves were able to obtain the names, payroll information and social insurance numbers of UVic employees and will look at the university's response and whether it is doing enough protect sensitive personal information.
"We wanted to make sure we got an outstanding expert to lead this review and David Flaherty's the guy to do it," university president David Turpin said in announcing the appointment Friday.
The review is expected to take four months. Flaherty will submit a report to the university's board of governors.
Turpin has also said the report's findings will be made public, although some material may have to be withheld for privacy and security reasons.
He said it was too soon to say how much the review will cost, but promised to make that information public as well.
The university has appointed law professor Jamie Cassels to assist Flaherty by getting input from people at the university and gathering information on existing security policies and practices.
"It's part of a single process, but there's a need for somebody internally to really lead and co-ordinate all the activities of the university as a result of this external review," Turpin said.
The university notified employees of the breach Jan. 9 and advised them to contact their banks and credit agencies.
Turpin has said the data stolen from an administration building was backup information to ensure that employees could be paid in the case of a catastrophic event such as an earthquake.
"It was in a locked box within a locked safe, which was bolted to the floor, in a locked room in a locked building," he said last week.
The material was stolen along with laptops, handheld electronics, cheques and a small amount of cash.
B.C.'s Information and Privacy Commissioner Elizabeth Denham has also launched an investigation
to determine whether the university contravened
any standards by keeping unencrypted personal information on a mobile device.
Turpin said the university is co-operating fully with Denham's investigation.