How to avoid an Elections Ontario style data breach fiasco

It’s every business’ worst nightmare.

But just days ago it happened to a large provincial government agency.Elections Ontario fessed up to a major data breach: two USB drivescontaining unencrypted personal data – including names, addresses and birth dates – on over 2 million voters havegone missing.  The breach took place in the sprng and policewere notified on June 13. The public was officially made aware thispast week.

Ontario privacy commissioner Ann Cavoukian called it “thelargest databreach that has occurred in the province.” Despite its massive scale,the breach is also shocking because it could have been stopped quicklyand affordably, says security expert Nandini Jolly.

“My knee jerk reaction is oh no, this is so sad,” said Jolly, presidentand CEO of Toronto cyber security firm CryptoMill Technologies Inc.“This so easily preventable.”

Ontario’s chief electoral officerGreg Essensa confirmed that USB drives with personal data on 2million voters are missing.

In fact, Jolly explained that even small and medium sized businesses(SMBs) can now use the latesttechnologies to protect their data fromsecurity breaches in ways that are both time and cost efficient. Thekey, she emphasized, is that businesses must take a holistic,preventative approach to protect all of their data systems andprocesses (not just parts of them) before disaster strikes.

“We’re addressing this data protection on a large scale, not just onthe small level,” Jolly said. “It’s all about putting a solution inplace not only after (but beforehand).”

CryptoMill offers its clients SEAhawk, a software-based solution thatencrypts data on desktops,networks and portable devices, then allowscontrolled access to that data only by approved users. Since theprocess covers removable devices as well as desktops, the informationremains encrypted even if it’s in transit – or, as in the ElectionsOntario case, it gets lost or possibly stolen.

“If you’re allowing someone to take that information from a desktop ona USB or removable device, that will be allowed by SEAhawk but only(by) the people with accredited credentials,” Jolly said. “If I lose(the USB drive), I have peace of mind that that data is encrypted…itsimply won’t decrypt.”

“So even if there’s a data loss, there’s no data breach,” she added.

SEAhawk even includes a point-and-click tool to quickly encrypt adocument before sending it to a third party via email or a cloud-basedstorage and collaboration. The person receiving the document can thendecrypt it using a link provided through software such as Adobe Reader,Jolly said.

Is all of this expensive? Jolly said it costs “well below $100 per (user) licence,” and volume discounts can kick in as the number of licences purchased goes up.

“It’s extremely cost effective. For 150 to 200 employees it’s totallyamenable to their environment and expenditure (level),” Jolly said.

The most important cost to Jolly is the one that can’t be quantified indollars.

“It’s reputation, it’s the forensic cost, all of that. In an SMB, ifthey have a data loss it can actually kill them. And SMBs thrive ontheir intellectual property. So if they have that (IP) out incompetitive hands….”

As Jolly trails off pondering the potential IP losses that SMBs cansuffer through data breaches, Michael Sachse is able to share his SMB’sown real experience of adopting Privacy by Design (PBD), a set ofprinciples and practices formulated by Cavoukian that stresses the sameholistic, proactive approach Jolly recommends.

Sachse is general counsel and vice-president of regulatory affairs atOpower, a U.S. software firm that helps over 70 utility companiesworldwide operate more efficiently and communicate potential energysavings more clearly to their customers. With 270 employees, theWashington, D.C.-based firm resides within the SMB realm. Opowerrecently announced that it has deployed PBD in its operations, aprocess it undertook with direct guidance from Cavoukian’s office.(Sachse and Cavoukian met when both spoke at the same conference; hepursued PBD at his own firm after being inspired by her example there.)

The verdict?
So what is Sachse’s verdict? For Opower, embedding PBD was relativelypain-free and low-cost. Opower used Cavoukian’s PBD as a framework,meshed it with corporate privacy practices it was already using orpursuing internally, then tweaked PBD for the nuances of its owncompany, industry and clientele.

“I’d say it (took) about two months,” Sachse said. “The only cost wasour internal employee time and we don’t really track that on an hourlybasis. But I’d say for a company that’ s interested in privacy andcommitted to following best practices for privacy, the effort ofcomplying was low and the cost was not high.”

Compared with mandatory security audits – a fairly routine yet rigorousprocess that many businesses of all sizes are required to undergo atsome point – embedding PBD at Opower was no biggie, Sachse said.
“We’ve worked on security type issues where there’s a very specificstandard and you get audited to it and it has hundreds of steps andit’s very costly to complete the audit. This was very different, morefocused on high level principles and making sure our practicesconformed with them. And it’s voluntary so it’s not something we’regoing to be audited on. But the power is in the public commitment (toprivacy).”

If a company with just 270 employees can do this in only a couple ofmonths, why didn’t the government of Ontario and its elections branchdo the same thing? Jolly can only scratch her head at that one.

“I don’t have an answer to why,” she said. “My idea is: what can we doon this now to preserve the city and the province and the country goingforward?”

Christine WongChristineWong is a Staff Writer at and CDN. E-mail her at [email protected],connect on Google+,follow her on Twitter,and join in the conversation on the IT BusinessFacebook Page.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Christine Wong
Christine Wong
Christine Wong has been an on-air reporter for a national daily show on Rogers TV and at High Tech TV, a weekly news magazine on CTV's Ottawa affiliate. She was also an associate producer at Report On Business Television (now called BNN) and CBC's The Hour With George Stroumboulopoulos. As an associate producer at Slice TV, she helped launch two national daily talk shows, The Mom Show and Three Takes. Recently, she was a Staff Writer at and is now a freelance contributor.

Featured Story

How the CTO can Maintain Cloud Momentum Across the Enterprise

Embracing cloud is easy for some individuals. But embedding widespread cloud adoption at the enterprise level is...

Related Tech News

Get ITBusiness Delivered

Our experienced team of journalists brings you engaging content targeted to IT professionals and line-of-business executives delivered directly to your inbox.

Featured Tech Jobs