I like to think I’m a pretty average person. I work Monday to Friday. I’m married. I have a house, cats, a car, and a motorcycle. I love to watch movies and have a passion for BBQ’ing. Pretty much everything I’ve just written is public knowledge and could be figured out if you did a bit of online research on me. But, I’m careful to keep certain bits of information about me secret such as my credit card number, my full address, phone number and other obvious things that most “average people” would agree with. Yet it seems that every few months I either get an email from a company I do business with, or I hear on the news that “your protected information may have been breached.” Last year around this time I had just received my new credit card after I learned my Sony PlayStation Network account information may have been compromised. That’s a pain, but at least I can change my credit card with a few phone calls. When it comes to the recent breach of my personal information that Elections Ontario may have lost, it gets more serious.
The release posted on their website tells me “Elections Ontario recommends that Ontarians in the impacted electoral districts monitor and verify their personal transaction statements from governments, financial institutions, businesses and any other institutions to detect any unusual activity.” So basically watch out for anyone trying to do anything to me that may be bad. Sad, but I consider that a typical daily activity when it comes to my personal information and transactions. What irritates me is that my information (as I reside in one of 25 electoral districts which may have been impacted) was unsecured in the first place. An article posted on Canada.com states that “Elections Ontario policy dictates that USB keys be password protected and encrypted if they are holding personal information. All USB keys must be in the possession of Elections Ontario personnel at all times.” BUT goes on to say “In this case two USB keys were not password protected or encrypted and have gone missing.” Here’s a question I’d like to ask Elections Ontario – how do they know those two USB sticks weren’t password protected if they aren’t in possession of them? My only theory is that either the employees admitted or it was later discovered with the remaining USB sticks that none of them were password protected?? Let me be clear in stating I have not heard this was the case, and it’s just a question I would ask, because it seems very odd to me. Something else I would like to ask is why put unsecured data like that on an easily transportable USB stick in the first place? Any sort of access governance policies that may exist are pointless once you put my personal information unprotected on a small USB stick. Once that USB stick is in anyone’s hands, there’s nothing stopping someone from accessing it. Why is there not a procedure in place to protect confidential data like that so that people actually have to submit a request it? I find that ironic that if I wanted to get access to the government’s data, I’d have to put in a written request following their procedures outlined here in section 24 of the Freedom of Information and Protection of Privacy Act. So how can the pendulum swing so far one way for me as a non-government employee, and yet internally that data wasn’t even protected at all?
When it comes to privacy and access to my personal data, I want more from my government. Death and taxes are inevitable, but let’s not add security breaches to that list as well please.