Clock counting down on privacy breach website

A screenshot of infobreach.ca on February 13, 2019. Once the timer runs out, MacDougall says he will use the website to 'tell his story.'

Remember the story about the mysterious website? NNSL Media spoke with the man behind the website about its purpose and what would happen when the clock on the countdown runs out Thursday.

Photo courtesy of Donn MacDougall's Facebook. MacDougall, a former GNWT employee, is pushing for change after an information breach.

Donn MacDougall worked at the Department of Justice as a manager of securities in corporate registries from 2006 to 2014.

But after MacDougall left his position in March 2014 he was still receiving automated emails to his personal email through PeopleSoft, the territorial government’s human resources software. Because he was previously a manager with the department, he had access to sensitive information, such as employees’ pay raises and time off.

“I’ve been dealing with this for four years,” said MacDougall. “Going back and forth with the GNWT saying why was I given access to this information?”

In late 2017, he filed a complaint with the Information and Privacy Commissioner (IPC) of the Northwest Territories who in turn investigated and made recommendations in a report.

But last month MacDougall sent postcards to local news outlets directing them to his website, www.infobreach.ca, for what he called a ‘case study’ in privacy when employees leave, both for themselves and for their former colleagues and staff. There he had posted screenshots of that sensitive information before the GNWT ordered him to take it down.

“If there’s one thing I want to impress on you, it’s that there will never be personal information posted on that site again,” said MacDougall. He said he only needed to do that once, to prove the breach was real, so the GNWT couldn’t claim plausible deniability. For the territorial government their employees’ information was confidential, but once they gave him unauthorized access to it, that confidentiality was lost, MacDougall reasoned. And although he was obliged to keep that information confidential during his employment, there is no such requirement for information acquired after it ended, MacDougall explained.

“I’ve got a story to tell,” he said. “And I think that I’m already being taken seriously because I’ve published what they consider to be sensitive information.”

According to MacDougall, the GNWT threatened to sue him for notifying the people whose personal information he accessed. But Martin Goldney, deputy minister of the Department of Justice, clarified that the department didn’t threaten to sue for disclosing the issue with the software.

“It did seek and obtain an interim order from the Alberta Court of Queen’s Bench directing the former employee to refrain from making public by posting online on his website or on any other website, or in any other manner disclosing confidential and personal records or information about individuals that he obtained during or following the termination of his employment with the GNWT,” stated Goldney in an email.

The Information and Privacy Commissioner was notified quickly after the department became aware of MacDougall’s website.

“The Department of Justice was already working with the Information and Privacy Commissioner in relation to this former employee’s unauthorized access prior to the creation of this website, and will continue to work with her office to resolve this issue,” Goldney said.

The issue of MacDougall's access to the government's PeopleSoft program was originally identified in 2014, and steps taken at that time were thought to have addressed the issue that later led to his unauthorized access, Goldney explained.

“It was later discovered that this was not the case,” he stated.

“In November of 2017, when the Department of Justice became aware that personal information held in PeopleSoft had been accessed without authorization in 2014, our review of this matter indicated that a procedural issue in the off-boarding process had led to this error. A technical solution (a request for a manual override) was ultimately implemented.”

The department said it agreed to all of the recommendations in the IPC’s report and has implemented them, except the final one.

“The former employee was specifically asked to return the personal information he had accessed without authorization, or to confirm destruction of the information,” stated Goldney. “To date, he has refused to do so.” The department has applied for an Order from the Alberta Court of Queen’s Bench directing him to do so.

Privacy breaches in the GNWT

In the GNWT, a breach involving personal information is often referred to as a ‘privacy breach’, whereas a breach that does not include personal information may be considered an ‘information incident’, Goldney explained.

“In either case, both refer to an incident that is an unwanted or unexpected event that threatens the privacy and/or security of our information,” said Goldney.

Currently, GNWT Information Incident Reporting falls under a government directive, and responses to incidents are handled through the Department of Finance, Office of the Chief Information Officer.

The justice department is continuing to work on a GNWT privacy framework and management program, Goldney added.

“The privacy framework for the GNWT consists of an overarching GNWT Protection of Privacy Policy, Guidelines for Privacy Management Programs, dedicated privacy training for staff, and a series of privacy related tools and resources which will include an updated privacy breach reporting protocol,” said Goldney.

It is also departmental practice to inform the IPC and those affected when a breach occurs, he said.

“The Department has, on two occasions, initiated contact with individuals when it became aware that their privacy rights were or may have been compromised,” stated Goldney. “The first was in 2017 relating to a 2014 unauthorized access. The second was in December 2018 relating to the Infobreach website.”

Mandatory breach reporting

Now that MacDougall has used his website to make his case, he wants to work to make sure breaches like this don’t happen again. On Thursday at midnight, the counter on his website will run out and a new website with a new purpose will appear.

“What I really want to strongly advocate for is the requirement for mandatory breach reporting in the Northwest Territories,” he said.

Mandatory breach notification means when a breach happens, it must be reported to the privacy commissioner's office and in some circumstances, to the individuals involved.

Although the Department of Justice said it is its policy to do this, it has no legal obligation to do so.

Mandatory breach reporting legislation was introduced in Nunavut in 2015 but not in the Northwest Territories, even though they share the same Information and Privacy Commissioner and had the same Access to Information and Privacy Protection (ATIPP) Act until separation in 1999. Bill 29: An Act to Amend the ATIPP Act is currently before the legislative assembly and proposes some amendments to the Act in the Northwest Territories.

The amendments include updating the powers of the Information and Privacy Commissioner so she can initiate a review about a privacy breach without receiving a formal complaint and requiring that the head of a public body report back to her office on the implementation of recommendations outlined in a review report.

“It’s been a long process and in 2015, when I provided the Department of Justice with my suggestions for specific changes, one of the things I recommended was that there be an inclusion for mandatory breach notification,” said Elaine Keenan-Bengts, Information and Privacy Commissioner for the Northwest Territories and Nunavut.

The provision already exists in the NWT’s Health Information Act, which saw 33 breach notifications under the act last year.

“Now that sounds like a lot,” said Keenan-Bengts. “Most of them were minor, most of them were immediately detected and corrected.” Many of these breaches remained within the healthcare system, for example between a clinic and the Stanton Territorial Hospital.

But the fact that all breaches are now being reported is a good thing, said Keenan-Bengts.

“Because number one, I know now that they’re recognizing breaches when they happen,” she said. “I’m not convinced that a lot of public bodies, other than health, even recognize breaches when they happen.”

Mandatory breach notification helps these public bodies change their processes and procedures, and raises awareness of what constitutes an information breach, which helps prevent breaches in the future.

“Once a breach happens you can’t undo it,” said Keenan-Bengts.

“Once the cat’s out of the bag, you can’t put it back in. It’s even harder to correct a breach once it’s happened. But it’s about changing the way we do things so it’s less likely to happen again. And the more breach reporting is required, the more aware people become of it.”

When Nunavut added a breach notification provision to its ATIPP act, it was the first jurisdiction in Canada to do so in general public sector privacy legislation.

But just because the provision exists in law, it doesn’t automatically prevent breaches or even make people aware of how to deal with them.

“In Nunavut, I’m still not getting breach notifications,” said Keenan-Bengts.

“I’m the one who’s finding out about them and taking the public bodies to task for them. They don’t know that when a breach happens they have to report it.”

Work still needs to be done to educate people about what constitutes a breach and what process should be followed in the event of one.

“Changing legislation without education behind it is not the best way to go,” said Keenan-Bengts. “I have been slowly but surely changing that in Nunavut.”

Although privacy legislation can be “esoteric stuff sometimes,” provisions like this are the way of the future and follow a worldwide trend, said Keenan-Bengts.

“Particularly because governments collect so much personal information, and they have to, that’s their job,” she said.

“To provide services to the people, they have to collect information. And information has such value these days, it’s a commodity. There need to be stronger and more rules in place to control how that’s used.”

MacDougall echoed that sentiment, especially after 118 confidential medical records were unearthed at the dump in Fort Simpson in December.

“The point is, the GNWT didn’t even know enough not to throw people’s health information in the dump,” said MacDougall.

“The people who are holding information have a duty to protect it. Protect what’s private.”