Thank you, Chair.
Members of the committee, I'm Ian Shugart, the deputy minister of HRSDC. With me are the associate deputy minister, Ron Parker, the ADM of the learning branch; Al Sutherland, the head of our legal services, here to discuss issues of the statutes that govern our work; and the chief information officer of the department, Charles Nixon.
I just want to say that given the seriousness of these events and the issue before the committee this morning and before the department over the last several weeks, I had asked Mr. Parker, as the associate deputy minister, to take personal charge of the response, the follow-up, and the oversight of all of these matters. For many days over the last couple of months this has been virtually a full-time preoccupation for our associate deputy minister.
Chair and members of the committee, as the chair has said, we're here before you in regard to two security incidents in the department involving missing electronic storage devices containing personal information.
As my minister has said, and I repeat for the management of the department, the incidents are unacceptable. Sensitive personal information was stored on unencrypted portable storage devices and not properly secured. This should not have occurred.
The minister has also announced the measures we are taking to prevent these types of incidents from reoccurring.
On behalf of Human Resources and Skills Development Canada, I say to the committee that I apologize for the incidents.
I wish today to take this opportunity to offer to the committee a detailed account of what happened in the two cases, describe the actions we took in reaction to them, and the measures we have since put in place to mitigate impacts and prevent such incidents from happening again.
Let me begin with a chronology regarding each event. In both cases the activities were related to confirming the incidents, investigating the incidents, strengthening practices, and informing Canadians.
First, let me address the missing hard drive. On November 5, 2012, an HRSDC employee at national headquarters in Gatineau discovered that an external hard drive was missing and reported it to their manager, who was the only other person who knew the exact location of the device. The manager confirmed that they had not removed the hard drive. Other employees on the floor were then asked if they had seen or borrowed a hard drive. They had not.
The external hard drive was in a secure-access building, in a secure-access area, and was stored in a cabinet with a lock.
The team undertook multiple efforts over many days to search for the missing hard drive, including speaking to all members of the team and a number of searches of the employee's office, the employee's floor, and other floors in the building.
The missing hard drive was brought to the attention of the director on November 22, who then asked all managers and employees within the division to undertake additional searches for the hard drive. Again, efforts were focused on the recovery of this missing asset.
Former employees, and one former manager, from the same group as the employees were also questioned. Commissionaires and the local area network technician were also contacted and asked if a hard drive had been turned in, or picked up by someone. No device had turned up.
On November 26, the Director General was advised that the missing hard drive was the one used to create a backup of files from a network drive as part of a process to migrate files from one area of the server to another. Some personal information on clients and employees was stored on the network drive, and as a result, senior program management was advised immediately of the missing drive.
Search efforts by branch employees continued, and the departmental security officer was advised of the missing drive on November 28. As well, corporate security then began a number of activities to locate the missing drive, including detailed sweeps of the physical premises and interviews with current and former employees in the area from which the hard drive had gone missing. There was no evidence of malfeasance, and it was considered most likely that the hard drive was somewhere on the premises of the building.
At this time senior management requested that an analysis be undertaken of all the files located on the hard drive in order to determine what information had been lost. As a result of the analysis, completed on December 6, it was discovered that the external hard drive contained personal information on approximately 583,000 Canada Student Loans borrowers, including student names, dates of birth, social insurance numbers, telephone numbers, addresses, and Canada Student Loans balances. It also contained the personal contact information of 250 departmental employees. It was not password-protected or encrypted.
Extensive search efforts at the building where the hard drive was stored continued from December 8 to December 14, including additional comprehensive sweeps of the building's ground floor by the regional security office and the analysis of all of the Learning Branch's existing hard drives' contents. These efforts failed to recover the hard drive, and the department first informed the Office of the Privacy Commissioner on December 14 that an external hard drive containing personal information was missing.
From mid-December to the end of December there were further management interviews with employees and building management, and other similar hard drives were collected for analysis.
In the first week of January, a formal internal investigation was launched. Simultaneously, corrective measures were developed and Canadians were informed of the loss of the hard drive on January 11.
At this time, there is still no evidence of malfeasance or an indication that the personal information has been accessed or used for any fraudulent purpose.
In a separate and unrelated incident, a USB key with personal information also went missing.
On November 14, 2012, personal information was put on the USB key and given to an employee working on a secure floor in HRSDC.
The USB key was used on November 15, but on November 16 the employee could not locate the USB key and informed management. The same day departmental security officials were notified that the USB key could not be located. Extensive searches of the employee's office and the affected floor were undertaken by departmental security officers and by commissionaires from November 16. The employee searched their home, and the taxi driver with whom the employee travelled home on November 15 was contacted and the taxi was checked. A team of employees also searched all files, filing cabinets, washrooms, furniture, and offices on the affected floor. Cleaners working on the floor were interviewed.
The USB key contained information on 5,045 individuals and was not password-protected or encrypted. The device contained the following type of information for each individual: social insurance number; surname; generic medical conditions by way of codes from the International Classification of Diseases; birth date; other payers, such as Workers Compensation; level of education; occupation; and Service Canada processing centre.
The department first informed the Office of the Privacy Commissioner on November 22 that a USB key containing personal information could not be located and that search efforts were under way.
Searches have continued since the incident, and another major effort was made on December 7 when an official, along with a team of employees, conducted yet another extensive search of the employee's office.
Notification letters were mailed to 5,000 affected individuals or their guardians on December 19.
I now want to highlight all of the actions we are taking as a result of these two incidents, and the measures we put in place to prevent similar incidents from happening again.
The department has strengthened its policies for the security and storage of personal information. Our actions focus in the areas of information hardware, information software, and our culture regarding the handling of personal information.
In regard to hardware, we have newer, stricter protocols. Portable hard drives are no longer permitted. Unapproved USB keys are not to be connected to the network.
In addition, there have been risk assessments of all portable security devices used in the department's work environment to ensure that appropriate safeguards are in place. These assessments will continue on a regular, ongoing basis.
With respect to software, we will be implementing new data loss prevention technology, which can be configured to control or prevent the transfer of sensitive information, and in regard to our culture of handling information, we are reinforcing the critical importance of the proper handling of sensitive personal information through annual mandatory training to be provided to all employees.
We are increasing awareness, and communication events and disciplinary measures will be implemented for staff, up to and including termination, should the strict codes of privacy and security not be followed. We have also taken actions to mitigate the impact on the Canadians affected.
We have alerted affected clients so that they can take the necessary steps to protect their personal information. This has been done through public announcements, by providing special information on dedicated web pages, by sending out letters to affected individuals and by the establishment of dedicated 1-800 toll-free information lines to respond to questions regarding both the missing USB key incident and the missing hard drive incident.
The affected social insurance number records have been annotated in the social insurance register to indicate that the social insurance number was involved in an incident and to ensure that any requests for changes or modifications undergo an enhanced authentication process. The department will also notify individuals for whom we have current contact information if the department notes any suspicious activity with respect to the client's social insurance number record. As a further caution, the department has purchased a customized package from Equifax Canada, which is a unique solution tailored specifically to this incident and is available to anyone who may have been affected. This credit protection is a reliable and appropriate strategy that will assist in preventing misuse of personal and credit information.
Through its agreement with Equifax, the department is able to offer, free of charge, its customized package to affected individuals who provide their consent to receive this service.
The notation will stay on credit files for a period of six years unless affected individuals choose to have it removed. The notation will alert credit grantors that data may have been compromised, and lenders will then take additional steps to verify the person's identity before granting credit or opening or using accounts.
Mr. Chair, the protection and security of personal information is a cornerstone of the department's mission. We are confident that we have taken the right steps in this situation, and we are making sure that they are followed to safeguard the personal information entrusted to us.
Thank you.