Elections Ontario Lost Data – Fails To Safeguard Personal Data

Human error is arguably one of the biggest threats to any company’s or organization’s security. Nothing drives that point home more strongly than a data storage mishap involving Ontario voters.

The personal information of 2.4 million Ontarians disappeared when two Elections Ontario employees lost two USB data keys on which the information was stored. To make matters worse, the data was neither encrypted nor password protected, and the employees, apparently, didn’t keep the USB data keys in a locked drawer, cabinet or box. To add further insult to injury, Ontario’s chief election’s officer Greg Essensa knew in April 2012 that the data keys had been lost but waited until July 2012 to publicly announce the breach.

Even if the information is backed up somewhere else and fully recoverable, it doesn’t change the fact that 2.4 million Ontario voters have their names, addresses, birthdates, genders and whether or not they voted in the previous election on those USB data keys. For an identity thief, those lost data keys provide a smorgasbord of source data.

A similar breach occurred in Durham, Ontario in 2009 when a USB data key with the health information of 84,000 patients was swiped from a health clinic.

You can almost hear the cloud advocates saying, “If those records had been stored in the cloud,” this never could have happened. It doesn’t help that they’re absolutely right. Yes, networks get hacked, but let’s face it. Human error is far more common. There are considerably more basically honest people who make disastrous mistakes like the one made by Elections Ontario’s, now, former employees than there are mischievous or malicious hackers.

As Ontario Privacy Commissioner Ann Cavoukian said after the 2009 health clinic breach, “No personal … information should be transported on mobile devices, unless the information is encrypted.”

A lot of people are worrying about who should be held accountable. The two employees who lost the USB data keys no longer work for Elections Ontario. That risk, at least, has been minimized. The next step is to devise a way to prevent such a disaster from happening again, not cast about for more people to blame.

The biggest lesson that all business leaders can learn from this is the importance of not only establishing strict policies for protecting sensitive company and client information but also teaching employees how to adhere to those policies automatically.

Implementing some kind of cloud solution probably wouldn’t hurt either. What if the USB data keys had been encrypted and locked in a drawer in the Elections Ontario headquarters? Now, let’s say that headquarters got destroyed by fire or an explosion. Would that information have been any less lost than it is now? It might have been safer; as of July 2012, no one has any idea who may have taken the USB data keys.

Elections Ontario has a lot of work to do in the coming weeks. It would be ideal if by some miracle, it turned out that the USB data keys were picked up by someone who had a legitimate need for the information stored on those keys. Since the odds against that are astronomical, now would be a good time for Elections Ontario officials to add finding a better way to store voter data to their list of things to do.