Privacy Breaches Often Caused by Simple Things

Privacy breaches are often caused by simple things that should be easy to avoid. Take, for instance, the USB keys lost by Elections Ontario. The Ontario Privacy Commissioner’s recent news release points to “systemic failures” and a failure to build privacy into routine information management practices. The details point to a series of simple failures: failure to follow a policy that required encryption, a lack of understanding among front-line staff of how to encrypt or what that meant, and a continuation of the same practices after the loss. The Commissioner recommended that Elections Ontario retain a third-party privacy auditor to review its policies and procedures, develop a staff training program, and create accountability through a Privacy Officer.

Privacy is something that we all have to take some ownership of. Lost or stolen media is a common problem. Take, for example, this excerpt from a recent neighbourhood watch report about several cars being broken into, where stolen items included “Oakley sunglasses, Maui Jim sunglasses, an iPod, GPS, … various other items including an external hard drive with important business info on it.” It would seem an easy matter to never leave anything visible in your car, and never to leave hard drives or other devices in a car even if they are hidden. But nobody thinks it will happen to them.

Comments

  1. Here’s a Harvard Business Review blog post from yesterday called “Autonomy or Compliance?” that relates to this topic and may be of interest.

    I agree with David’s suggestion that everyone in an organization should be responsible for data security, but disagree with the premise that achieving the standard of care is easy. It’s simple enough to have a rule that prohibits taking classified information out of a secure system, but achieving adherence to the rule is a complex matter of organizational behavior. The HBR post talks about creativity as a positive force that pulls employees away from adherence to rules. Convenience is a less positive force that drives employees to put data at risk – often by using personal computers and devices and consumer-based cloud services for work purposes. Resisting this force is so difficult that organizational computing models are giving way to convenience. The adoption of BYOD is an example of this (though I acknowledge there’s also a cost rationale).

    Managing people is hard, and requires commitment from the top and not just the bottom. My full take on the issue (and Elections Ontario) is explained here.

  2. Interesting article. Dan, I think we are closer in philosophy on this than it would appear at first blush. While the steps themselves should be easy, it is clearly not easy to make them happen, as the same basic things keep happening. That is true whether it is an employee making a privacy faux pas, or our cars getting broken into because we leave things visible inside them.

  3. I sensed we were close in philosophy, David, and used your provocative theme to have my say. Thanks for this post and your regular contributions, which I follow. Dan.