Security assessments are always interesting. I know; I do them all the time. You can never guess what you'll find when you're investigating a breach, and a federal agency recently found that to be true.
Human Resources and Skills Development Canada lost a USB key with personal information on some 5000 Canadians. As is the case with things you're looking for, those are precisely what you don't manage to find. While investigating the missing memory stick, the agency discovered the disappearance of an entire hard drive containing personal information on more than half a million student loan borrowers.
It's an embarrassing incident and the Human Resources Minister has 'expressed disappointment' even as the RCMP is 'assisting with the incident'. The federal Privacy Commissioner's Office is now investigating.
The complicated part, now that the agency's reputation has taken a direct hit, is that the personal information required to notify potential victims happens to be the very information that is most likely to have changed. While social insurance numbers, dates of birth and full names may remain the same, changes in address make it tricky to contact the victims whose lost records date back more than a decade. Individuals are invited to call a toll-free number to determine if they are affected.
Is it embarrassing for the HR Minister? You bet. But imagine you were one of the staffers whose lapse of awareness created the embarrassing mess in the first place.
In a situation loosely reminiscent of the nurse who recently took her own life after falling for a radio prank targeting the Duchess of Cambridge (http://bit.ly/X3heZ5), a former Ministry of Health employee was found dead this past week, after being investigated and fired over an internal privacy breach.
In another similar situation, a talented young man and ardent advocate for freedom of information has taken his own life after a long legal battle against allegations of hacking into an online repository that sold academic research papers with intent to distribute them for free. He was facing 35 years in jail and a one million dollar fine. Ironically, the site he hacked recently started distributing the papers for free.
Different situations that seem similar to me. Talented people facing an enormous degree of depression, anxiety and indeed, the prospect of severe repercussions. A dedicated nurse and mother of two, a Canadian PhD student just days from completing his term, an Internet whiz kid known for co-creating the ubiquitous RSS feed mechanism that powers many Internet news feeds.
We've gotten really good at investigating security and privacy breaches. We have frameworks in place to point fingers at the guilty and impose punishments designed to act as a strong deterrent to script kiddies and other curious hackers. But if indeed this is what the evolution of intangible assets has come to, it is a sad reality. Even if other factors played a major part, the value of lost data is never equal to the loss of human life. However severe, the damage to an organization's reputation can never be worth the loss of dignity of a human being. Not if that person is led to feel that they only have a choice between watching powerlessly as their life is destroyed (by the media circus or a hard-charging legal process) or ending it before someone else has a chance to do so.
As for the damage to large organizations, TJX, Equifax, CIBC and dozens of other publicly traded companies repeatedly demonstrate that even the largest, most embarrassing breaches have little effect on stock prices. In the public sector, of the 80 (!) privacy breaches reported by Canadian federal agencies last year, a quarter were the responsibility of Human Resources and Skills Development.