The Student Loan Data Breach
A topic I find particularly interesting is the student loan data breach of 2012. The incident involves a dataset containing personal information of 583,000 Canada student loan borrowers, stored on an external hard drive. The dataset was not encrypted and the hard drive was stored in an unlocked filing cabinet. The hard drive was reported missing in 2012, this kicked off a series of events including a public statement concerning the breach, an RCMP investigation, and a class action lawsuit against the government.
The government also launched an internal investigation into the breach and produced a special report for Parliament. The majority of the reports’ findings and recommendations focus on two major points of the case, encryption of the data, and secure storage of the hard drive. Tucked away near the end of the report we find something very interesting though. On page 15 we have these findings:
“Employment and Social Development Canada (ESDC) also has a responsibility to ensure it disposes of personal information in accordance with the requirements of the Act, which includes a requirement that the information be disposed in accordance with any directives or guidelines issued by the designated minister (i.e., the President of the Treasury Board).
In this regard, the TBS Directive on Privacy Practices requires that government institutions dispose of records containing personal information in accordance with the provisions of the Library and Archives of Canada Act and according to government security standards.
Given that the hard drive in this case is lost, ESDC is not in a position to demonstrate that it complied with these requirements to properly dispose of the personal information contained on the hard drive.”
And here is what an OSAP student loan agreement contained in regards to collection and storage of personal information.
“I agree that until my loans, overpayments and repayments are repaid, MTCU, HRDC and the NSLC can disclose to and collect from any branch of the federal or any provincial government (including any agencies identified on my OSAP application […]), my educational institutions, my lenders, or financial institutions, consumer credit grantors, credit reporting agencies, credit bureaus and any collection agencies that may be operated or retained or on behalf of MTCU or HRSDC any personal information, including my Social Insurance Number, necessary to administer and enforce my Canada-Ontario Integrated Student Loans. “
Notice the first part of the OSAP agreement that I highlighted for clarity. It clearly states that the government has the right to collect and store this information but only until the loan is repaid. There is a bigger issue here than an improperly stored hard drive. It would appear that some of that data on the hard was in violation of the contract between the government and the borrower; this means that the data should have been destroyed when the loans were repaid, and therefore should not have even been on that hard drive.
So why is this important?
This is important because it is often an overlooked risk in most organizations whether they are public, private, or non-profit. If you have personal information about your customers you need to make sure it is in compliance with the agreement under which you collected it, and that you are still entitled to store and use it.
Do you really need to keep that data?
Even if you are entitled to the use and storage of the information, should you keep it? Business Intelligence processes require data in order to be effective, but do you need to store the level of detail that makes the data private or sensitive? Very few BI processes require you to actually pinpoint specific customers; most trends are analyzed by customer segment. This means you may not need customer numbers, names, account numbers, etc. in anything but your transactional systems.
The less personal data you store, the lower your risks for breaches. An aggregated data set is a valuable asset to the company, but if it is lost or stolen from someone’s laptop you do not need to release a press statement. If the government had reduced the data set down to City, Postal Code, Original Loan Amount, and Original Loan Date they would not have been required to issue a public announcement about the breach or have the RCMP investigate. Many organizations can reduce risks this way as well.
Learn from the Governments Mistake
Your data management strategy should include provisions for evaluating the risk level of the data being stored, and it should also actively monitor the age and purge cycles for your data to ensure you are in compliance with the agreements under which you collected the data.
If you are a Director, CIO, or CTO don’t wait until you have a data breach to examine your data management policies, by then it is too late. There is a common practice when a large data breach happens, someone gets fired or resigns. Assess your current data position to see what kind of risks you have, and store only the level of detail that you need.