How to avoid an Elections Ontario style data breach fiasco

It’s every business’ worst nightmare.

But just days ago it happened to a large provincial government agency.Elections Ontario fessed up to a major data breach: two USB drivescontaining unencrypted personal data – including names, addresses and birth dates – on over 2 million voters havegone missing.  The breach took place in the sprng and policewere notified on June 13. The public was officially made aware thispast week.

Ontario privacy commissioner Ann Cavoukian called it “thelargest databreach that has occurred in the province.” Despite its massive scale,the breach is also shocking because it could have been stopped quicklyand affordably, says security expert Nandini Jolly.

“My knee jerk reaction is oh no, this is so sad,” said Jolly, presidentand CEO of Toronto cyber security firm CryptoMill Technologies Inc.“This so easily preventable.”

Ontario’s chief electoral officerGreg Essensa confirmed that USB drives with personal data on 2million voters are missing.

In fact, Jolly explained that even small and medium sized businesses(SMBs) can now use the latesttechnologies to protect their data fromsecurity breaches in ways that are both time and cost efficient. Thekey, she emphasized, is that businesses must take a holistic,preventative approach to protect all of their data systems andprocesses (not just parts of them) before disaster strikes.

“We’re addressing this data protection on a large scale, not just onthe small level,” Jolly said. “It’s all about putting a solution inplace not only after (but beforehand).”

CryptoMill offers its clients SEAhawk, a software-based solution thatencrypts data on desktops,networks and portable devices, then allowscontrolled access to that data only by approved users. Since theprocess covers removable devices as well as desktops, the informationremains encrypted even if it’s in transit – or, as in the ElectionsOntario case, it gets lost or possibly stolen.

“If you’re allowing someone to take that information from a desktop ona USB or removable device, that will be allowed by SEAhawk but only(by) the people with accredited credentials,” Jolly said. “If I lose(the USB drive), I have peace of mind that that data is encrypted…itsimply won’t decrypt.”

“So even if there’s a data loss, there’s no data breach,” she added.

SEAhawk even includes a point-and-click tool to quickly encrypt adocument before sending it to a third party via email or a cloud-basedstorage and collaboration. The person receiving the document can thendecrypt it using a link provided through software such as Adobe Reader,Jolly said.

Is all of this expensive? Jolly said it costs “well below $100 per (user) licence,” and volume discounts can kick in as the number of licences purchased goes up.

“It’s extremely cost effective. For 150 to 200 employees it’s totallyamenable to their environment and expenditure (level),” Jolly said.

The most important cost to Jolly is the one that can’t be quantified indollars.

“It’s reputation, it’s the forensic cost, all of that. In an SMB, ifthey have a data loss it can actually kill them. And SMBs thrive ontheir intellectual property. So if they have that (IP) out incompetitive hands….”

As Jolly trails off pondering the potential IP losses that SMBs cansuffer through data breaches, Michael Sachse is able to share his SMB’sown real experience of adopting Privacy by Design (PBD), a set ofprinciples and practices formulated by Cavoukian that stresses the sameholistic, proactive approach Jolly recommends.

Sachse is general counsel and vice-president of regulatory affairs atOpower, a U.S. software firm that helps over 70 utility companiesworldwide operate more efficiently and communicate potential energysavings more clearly to their customers. With 270 employees, theWashington, D.C.-based firm resides within the SMB realm. Opowerrecently announced that it has deployed PBD in its operations, aprocess it undertook with direct guidance from Cavoukian’s office.(Sachse and Cavoukian met when both spoke at the same conference; hepursued PBD at his own firm after being inspired by her example there.)

The verdict?
So what is Sachse’s verdict? For Opower, embedding PBD was relativelypain-free and low-cost. Opower used Cavoukian’s PBD as a framework,meshed it with corporate privacy practices it was already using orpursuing internally, then tweaked PBD for the nuances of its owncompany, industry and clientele.

“I’d say it (took) about two months,” Sachse said. “The only cost wasour internal employee time and we don’t really track that on an hourlybasis. But I’d say for a company that’ s interested in privacy andcommitted to following best practices for privacy, the effort ofcomplying was low and the cost was not high.”

Compared with mandatory security audits – a fairly routine yet rigorousprocess that many businesses of all sizes are required to undergo atsome point – embedding PBD at Opower was no biggie, Sachse said.
“We’ve worked on security type issues where there’s a very specificstandard and you get audited to it and it has hundreds of steps andit’s very costly to complete the audit. This was very different, morefocused on high level principles and making sure our practicesconformed with them. And it’s voluntary so it’s not something we’regoing to be audited on. But the power is in the public commitment (toprivacy).”

If a company with just 270 employees can do this in only a couple ofmonths, why didn’t the government of Ontario and its elections branchdo the same thing? Jolly can only scratch her head at that one.

“I don’t have an answer to why,” she said. “My idea is: what can we doon this now to preserve the city and the province and the country goingforward?”

Christine WongChristineWong is a Staff Writer at ITBusiness.ca and CDN. E-mail her at cwong@itbusiness.ca,connect on Google+,follow her on Twitter,and join in the conversation on the IT BusinessFacebook Page.
Share on LinkedIn Comment on this article Share with Google+
More Articles