Elections Ontario and Security
This week the news emerged that Elections Ontario has improperly managed the data of 2 million or so Ontario voters and has “lost” our personal data. Apparently back in April, a couple of USB drives went missing from an Elections Ontario office, and they contained information collected about voters provided during the election last fall.
First, we’re going to set aside the issue of timing – that this breach occurred back in April and the news is only coming out now. This feels to me like a pretty big gap in accountability, but that’s a topic for another day
Second, we’re also going to ignore the notion that the likelihood of the data being misused is low – apparently due to the specialized software used to manage this data. While this possibly is true, I would never underestimate the capabilities of a determined hacker to be able to decode the data. Further, what data was lost and how much damage can be done with it is not really the point, particularly if you happen to be one of the people whose data was on the drives.
But more practically, what happened here?
It seems that a number of “paper procedures” had been established but were not followed by employees. And no audits appear to have been done to ensure the procedures were being followed. And finally, it seems that the significance of securing this data was not sufficiently impressed on at least a couple of Elections Ontario employees.
What does this mean for your organization?
First, have some security procedures – including but by no means limited to:
Personal data about customer or clients or citizens should not be put on a USB drive as a matter of policy, and if there are some exceptional circumstances, they should be depersonalized or encrypted at minimum.
Strong passwords should be required to get into any system containing personal data, and users should be forced to change them regularly.
Encryption software for laptops should be installed and activated.
Materials should be secured when users are not there – screen locks, laptops and USB devices stored in locked drawers, and so on.
Secondly, test the procedures and audit users behavior. If that means something as silly sounding as walking around the office and checking, just do it. If phones or blackberries are supposed to be password protected, check them to make sure.
Finally, ensure staff know the procedures, understand why they are there and the implications of them not being followed (both to the organization and to them personally) as it is at the personal level that security is most effectively implemented.