Human error is arguably one of the biggest threats to any company’s or organization’s security. Nothing drives that point home more strongly than a data storage mishap involving Ontario voters.
The personal information of 2.4 million Ontarians disappeared when two Elections Ontario employees lost two USB data keys on which the information was stored. To make matters worse, the data was neither encrypted nor password protected, and the employees, apparently, didn’t keep the USB data keys in a locked drawer, cabinet or box. To add further insult to injury, Ontario’s chief election’s officer Greg Essensa knew in April 2012 that the data keys had been lost but waited until July 2012 to publicly announce the breach.
Even if the information is backed up somewhere else and fully recoverable, it doesn’t change the fact that 2.4 million Ontario voters have their names, addresses, birthdates, genders and whether or not they voted in the previous election on those USB data keys. For an identity thief, those lost data keys provide a smorgasbord of source data.
A similar breach occurred in Durham, Ontario in 2009 when a USB data key with the health information of 84,000 patients was swiped from a health clinic.
You can almost hear the cloud advocates saying, “If those records had been stored in the cloud,” this never could have happened. It doesn’t help that they’re absolutely right. Yes, networks get hacked, but let’s face it. Human error is far more common. There are considerably more basically honest people who make disastrous mistakes like the one made by Elections Ontario’s, now, former employees than there are mischievous or malicious hackers.
As Ontario Privacy Commissioner Ann Cavoukian said after the 2009 health clinic breach, “No personal … information should be transported on mobile devices, unless the information is encrypted.”
A lot of people are worrying about who should be held accountable. The two employees who lost the USB data keys no longer work for Elections Ontario. That risk, at least, has been minimized. The next step is to devise a way to prevent such a disaster from happening again, not cast about for more people to blame.
The biggest lesson that all business leaders can learn from this is the importance of not only establishing strict policies for protecting sensitive company and client information but also teaching employees how to adhere to those policies automatically.
Implementing some kind of cloud solution probably wouldn’t hurt either. What if the USB data keys had been encrypted and locked in a drawer in the Elections Ontario headquarters? Now, let’s say that headquarters got destroyed by fire or an explosion. Would that information have been any less lost than it is now? It might have been safer; as of July 2012, no one has any idea who may have taken the USB data keys.
Elections Ontario has a lot of work to do in the coming weeks. It would be ideal if by some miracle, it turned out that the USB data keys were picked up by someone who had a legitimate need for the information stored on those keys. Since the odds against that are astronomical, now would be a good time for Elections Ontario officials to add finding a better way to store voter data to their list of things to do.
Always an IT guy, Ernie Sherman has been fulfilling the needs of Ottawa small businesses as a member of the Fuelled Networks, Ltd. (formerly Harris Computer Services) team since joining the company in 1998.
Sherman’s commitment to excellence is evident in his achievements and memberships. From 2007 to 2012, he was a member of the advisory council for SonicWALL. He’s been a member of the business executive peer group organization HTG since 2008 and won the Microsoft Impact Award in 2011. In 2003, Sherman was honored to be named Ottawa’s 40 under 40 winner. He is a Microsoft Gold Partner who also sat on the board of IAMCP Canada.
Sherman also enjoys giving back to the community and currently serves on the board of It’s A New Day Golf Tournament, which has so far raised more than $1.2 million for the Ottawa Hospital Foundation.