Elections Ontario ignored security policies and went right back to using memory sticks without enabling the encryption software just days after personal information for as many as 2.4 million voters – contained on two USB keys without the necessary safeguards – vanished from one of its warehouses, the province’s privacy commissioner has charged.
Ann Cavoukian, Ontario’s Information and Privacy Commissioner, took aim at Elections Ontario managers for not properly training workers on security policies, saying she was “deeply disturbed” that such a privacy breach could occur.
“On what planet do you do the same thing again, and you don’t encrypt the data again? It’s baffling to me,” Ms. Cavoukian told reporters on Tuesday at Queen’s Park as she released her investigative report on Elections Ontario’s privacy breach. “Front-line staff remain ill-informed on the meaning of encryption or how to deploy the encryption capabilities.”
Two USB keys that were not encrypted and contained the names, addresses, genders and birth dates for residents of as many as 25 ridings and information on whether they voted in the last election disappeared in late April – and have not been located. Elections Ontario has warned voters to be vigilant for identity theft.
The privacy breach raised broader questions about how securely the government and its agencies store personal information. The Ontario Provincial Police is investigating.
“The implications of this massive data breach are considerable both in terms of the possibility for identity theft and other deceptive practices, which often do not arise for well over a year after a breach has transpired,” Ms. Cavoukian said, adding that the source of the data makes it all the more valuable.
In the second incident, managers discovered other USB keys not being used correctly and quickly took steps to encrypt the data. But Ms. Cavoukian said what was just as distressing is that Elections Ontario staff did not understand what encryption entailed, and confused it with compressing files.
Among Ms. Cavoukian‘s recommendations was appointing a chief privacy officer and developing a privacy-training program to be given to Elections Ontario staff annually. “The absolute key is,” she said, “that which is contained in your policy should be reflected in your practice.”
A spokeswoman for Elections Ontario said the agency is reviewing the privacy commissioner’s report and will address changes by the end of the year, once all investigations are complete. Brendan Crawley, a spokesman for the Ontario Ministry of the Attorney-General, said the government is also reviewing the recommendations.
Elections Ontario said that in the case of the USB keys that went missing, two staff members working in a warehouse in late April updating the permanent register of electors for Ontario did not follow the rules. Policies dictate that memory sticks containing personal information must be password-protected and encrypted, and be in the custody of staff at all times.
The two were supposed to secure the USB keys at the end of the work day, but failed to do so.
The next morning when they returned to work, the keys were gone.
Both workers are no longer employed by Elections Ontario.