Report says UVic failed in its legal duty to protect personal information
Mar 29 2012
The University of Victoria failed in its legal duty to protect personal information when a “significant” security breach in January led to the theft of data from a campus building.
That is the conclusion reached by Elizabeth Denham, B.C.’s information and privacy commissioner, in a report released Thursday. Denham was called on to investigate after a computer flash drive with names, social insurance numbers and banking material was stolen from the Administration Services Building.
UVic president David Turpin responded by saying the university accepts Denham’s “thorough and thoughtful” report, and that a number of preventive steps have already been taken. Further, noted privacy expert David Flaherty has been commissioned to conduct an external review of various security issues, and will be reporting on his findings later in the spring.
The flash drive is still missing, and people whose information was compromised by the theft remain concerned about possible consequences.
“Since our investigation was launched, my office has heard from current and former university employees who are deeply worried about their exposure to bank fraud, identity theft and other harms,” Denham said in a statement.
“What is unfortunate is this privacy breach was both foreseeable and preventable. Instead of a simple theft of a mobile device, the incident resulted in enormous costs and stress for those affected and the university.”
No confirmed cases of fraud or other problems related to the theft have arisen.
Denham said encryption of the material contained in the flash drive was not done, even though it is a “minimum standard” for such devices, and for other equipment like laptops.
UVic’s response to the theft met all of the legal requirements that emerged, Denham said. She said UVic officials took immediate action to contain the breach, notified those affected and set about creating strategies to prevent a similar incident from happening again.