Good response to Edmonton Catholic School District breach
Date Reported:
11/12/07
Organization:
Edmonton Catholic School District
Contractor/Consultant/Branch:
R.L. Smith Transportation Inc.
Victims:
Kindergarten, Hand in Hand program and Special Needs students of the Edmonton Catholic School District
Number Affected:
560
Types of Data:
Names, addresses and telephone numbers
Breach Description:
The car of an R.L. Smith Transportation employee was stolen and later recovered. During the course of the investigation it was discovered that the employee's purse was missing and in the purse was a memory stick containing personal information about certain Edmonton Catholic School District students.
Reference URL:
Official Edmonton Catholic School District Press Release
Report Credit:
Edmonton Catholic School District
Response:
From the sources cited above:
The Edmonton Catholic School District was notified last week that one of the five bus carriers contracted to transport students to and from school had personal information of numerous students stolen.
R.L. Smith Transportation Inc. notified the District on the afternoon of November 5th that the purse of one of its employees, containing a memory stick with student information, had been stolen. The employee left the memory stick in her purse in the trunk of her car, which was stolen. When the car was recovered, the purse and its contents were missing.
R. L. Smith indicated that a back-up copy of information was routinely sent home with an employee as part of their data security process.
[Comfyllama] Say what? What kind of sound data security process includes carrying confidential data home on a memory stick? Answer, this is NOT a good security process.
The employee is no longer with the bus carrier.
[Comfyllama] I found it interesting that this was mentioned. I wonder why exactly.
The names, addresses and phone numbers of 560 Kindergarten, Hand in Hand program and Special Needs students of the Edmonton Catholic School District were on the memory stick.
Letters have been sent home to all affected parents, and additional security methods have been put into place.
The District has requested that, effective immediately, bus carriers will not allow employees to transport any personal information of clients outside their office.
All information must now be encrypted on memory sticks and also password protected.
[Comfyllama] One free data encryption program that is easy to use that I have recommended numerous times is AxCrypt.
The safety of all children is our first priority at Edmonton Catholic Schools and we have the same high expectations of our bus carriers. In contracts with bus carriers, the District legally requires that the bus carriers and their employees treat all personal information as confidential and abide by the provisions of the Freedom of Information and Protection of Privacy Act. The District has also advised the Office of the Privacy Commissioner and will seek their advice and direction.
Commentary:
I am pleased to read that the only data exposed was names, addresses and telephone numbers, which are relatively easy to obtain anyway. It is a good thing that there wasn't additional personally identifiable data. Could very easily have been worse.
I applaud the school district on their response to this breach. #1 "not allow employees to transport any personal information of clients outside their office" and #2 "All information must now be encrypted on memory sticks and also password protected". These two mandates will significantly reduce the risk of data exposure on memory sticks, assuming employee education and enforcement are carried out adequately. Other organizations should take note.
Past Breaches:
Unknown
