UVic more ready for quake than data breach
Jun 02 2012
The University of Victoria is better prepared for a hazardous waste spill or major earthquake than it is for a breach of personal data like one that occurred in January, according to a report written by former privacy commissioner David Flaherty.
Flaherty, whose report was commissioned by UVic, commended the university for acting swiftly following the breach to alert 12,000 current and former faculty, staff and students affected so they could take steps to avoid fraud. No confirmed cases of fraud have been identified so far.
On the night of Jan. 7, 2012, offices in the administrative services building were broken into and laptop computers and a flash drive containing unencrypted payroll data were stolen.
UVic notified those affected of the breach the following Monday and urged them to open new bank accounts and report any unauthorized withdrawals to police.
The breach was "a first-class, consciousness-raising experience for staff and faculty," said Flaherty, one which resulted in anger, anxiety and loss of trust for many staff, faculty and students.
"The trust factor is a critical one. The university cannot afford another significant breach of trust with its ensuing bad publicity, consumption of human resources and remediation costs," Flaherty said.
"Potential sources of serious data breaches are comparable to the prospective release of hazardous wastes or a lack of earthquake response measures.
"The university appears to be much better prepared for the latter than the former."
UVic is learning from its mistakes, a spokeswoman said Friday.
The break-in "obviously shouldn't have happened and other measures should have been in place to prevent that from happening," said UVic communications manager Denise Helm.
"[UVic] is a complex, decentralized organization and I think there's always room for improvement and change. Sometimes it's not until there's an unprecedented challenge that those opportunities are identified."
The incident prompted UVic to review its handling of sensitive material in departments across campus, she said.
Flaherty pointed out that the breach would not have occurred if UVic had followed its already established policies and that everyday practices needed to be addressed.
The stolen flash drive containing payroll data should not have been stored on campus in the first place, he said, because its purpose was to provide business continuity in case of a natural disaster, labour dispute or other disruption.
UVic no longer backs up payroll information on an unencrypted flash drive, he said.
Some people Flaherty interviewed "were shocked that the breach could ever have occurred and feel a loss of trust in the university to do the right things."
The university needs a cultural change in how it handles the personal information of its 25,000 faculty, staff and students, he added.
Each member of staff and faculty should remove unnecessary personal information, such as student grades or email about students, from computers and mobile devices, he said.
UVic has already addressed many concerns raised in this and earlier reviews, Helm said.
"The university is doing everything it can to make sure it has the best possible practices in place and people are trained to follow those practices," said Helm.
An earlier review by Information and Privacy Commissioner Elizabeth Denham found that UVic failed to protect personal information as required by law, calling the privacy breach "significant."