Friday, December 10, 2010

Missing laptops spark strong reaction from Alberta Privacy Commissioner

A rash of missing or stolen laptops has prompted Alberta's Information and Privacy Commissioner to speak out strongly on the issue of encryption and data security:

CBC News - Calgary - Stolen Alta. laptops held health data

Seven laptops or digital devices with unencrypted health, employee and financial information have been lost or stolen in Alberta in the past month, prompting disbelief Thursday from Alberta Privacy Commissioner Frank Work.

"It just makes me crazy," Work said. "I think that's just utterly irresponsible now in this day and age."

Medical charts belonging to 2,700 pediatric gastroenterology patients participating in a study were on one of the stolen laptops, which belonged to a researcher at the University of Alberta.

A missing digital recorder stolen from Alberta Sustainable Resources contained statements related to wildlife investigations. And a laptop stolen from the same department contained contact information for junior forest rangers, as well as an employee evaluation.

A laptop from an unnamed trust company had emails containing mortgage application information, social insurance numbers, credit bureau reports and other personal financial information for 135 people, a loss that worried Work the most.

"In that case, that's information that can really be used for an identity theft," Work said.

Two laptops containing information about patients, all under six years old, were stolen from a speech pathology office.

Another laptop from a marketing firm that contained information on 27 Alberta employees was left in a European airport. The last missing laptop belonged to a genetic research company. It contained employee information that included social insurance numbers.

Encryption programs easily available

Work says people shouldn't put personal information on laptops if they don't have to. Many internet security companies, such as Norton and Symantec, offer encryption programs that make it easy for people to protect data.

"It's not like we're asking people to do anything incredibly difficult here," Work said, "especially if you weigh that against telling 35 employees that you lost their RSP information, their employment files and so on."

Police have told Work that most laptop thefts involve criminals who try to resell them quickly for $50 or $70 to someone who simply overwrites the files and does little with the personal information.

However, the information is out there, which is still troubling, Work said.

"You have a responsibility to your patients, your clients, your employees to encrypt their information when you're carrying it around with you. And the law says you have to do that."

Alberta law doesn't have any provisions for Work to penalize individuals, organizations or government agencies for privacy breaches. He can only work with offenders on remedial measures.

People who've been the victim of privacy breaches by private sector businesses can sue for damages under Alberta law, Work said.

No comments: