Human Resources committee  Only approved USB keys will be allowed, and the department is acquiring a large number of encrypted USB keys. As a result, portable hard drives are no longer allowed to be plugged into the network, nor are personal devices that use a USB connection. We are monitoring the network and accessing the network on a regular basis and moving to ensure that none of these devices are connected, which is a big step in preventing the movement of data off of the network, which is encrypted.

Human Resources committee  We have not looked at that particular issue at this time.

Human Resources committee  We feel that the response is appropriate and that it is a strong response. It's a two-fold response through the contract with Equifax. The specialized, customized contract that we have will flag any attempt to increase credit or change credit information, and coupled with the monitoring of the social insurance registry—

Human Resources committee  Mr. Chair, we are exploring the possibility of arrangements with other credit bureaus and financial institutions.

Human Resources committee  The contract with Equifax and its value are commercially confidential. The reason the cost is commercially confidential is that the competition would be able to break it down to a per-unit cost. Thus, we've agreed to keep it commercially confidential.

Human Resources committee  No, there is no information on the parental side.

Human Resources committee  Thank you, Mr. Chair. Overall in the major programs that HRSDC administers, there are about 28 million clients per year who are in our databases. We deal with roughly 84 million transactions per year across those major groupings, including Canada Student Loans, the Canada education savings program, the Canada Pension Plan, old age security, and employment insurance.

Human Resources committee  Okay. We'll come back to it.

Human Resources committee  We've examined the data carefully. There are some former students outside of the 2000-2006 period, about 2,800 students overall. They fall mainly in 2007. There are about 2,600 students in 2007, and after—

Human Resources committee  We have answered 200,000 calls overall, and of that amount in total, about 65% are affected clients. Prior to the notification letters going out, it was running about 50-50 in terms of affected students versus non-affected students, and since that time, since the letters were received, the contacts have been—

Human Resources committee  The principal way of dealing with this is through the contract that we have established with Equifax. About 50,000 affected former students have enrolled in that service. We have no evidence thus far that there has been any fraud or other inappropriate activity. There is a special 1-800 number that is set up for affected clients to phone.

Human Resources committee  On the Privacy Commissioner side, we informed the Privacy Commissioner's office on December 14, followed up with a written contact on the next Monday, and have consulted the Office of the Privacy Commissioner throughout the piece to work to find the appropriate ways to manage the incident and to inform Canadians.

Human Resources committee  In terms of the immediate actions, initially the incident, as the deputy explained, was treated as a case of a missing asset—something to be found—with the belief that it was on the premises, still in the building. As that set of searches became less likely, it pointed to a lower likelihood of the drive being found.

Human Resources committee  In response to your question, there were two particular policies that are relevant here: first, employees have a responsibility to report incidents; second, data that's sensitive should be encrypted before it's put on any particular portable storage device.

Human Resources committee  As the deputy said, it seems the employees did not encrypt the data as would have been required.