Human Resources, Labour and Employment
January 31, 2008
Minister Provides Update on Information Exposure
The Honourable Jerome Kennedy, Minister of Justice and Attorney General, along with Leslie Galway, Chief Executive Officer of the Workplace Health, Safety and Compensation Commission (the Commission), today released further information relating to a recent information exposure.
"We all recognize that we live in a very small global community where the security of information on the Internet is a concern and instances similar to this one are a common occurrence," said Minister Kennedy. "While some organizations may choose not to inform the public of such incidents we believe in openness and transparency and that the people of Newfoundland and Labrador have a right to know of such occurrences."
On January 22, the Provincial Government was advised by a computer security company of a possible information exposure via an Internet file sharing program by a private company conducting work on behalf of the public sector. The Provincial Government, the Commission and the private company acted immediately to investigate and understand the nature and extent of the exposure. A Canadian technology company, Electronic Warfare Associates (EWA), was engaged to conduct a forensic analysis of a laptop computer owned by the private company involved in the exposure.
"The forensic analysis and the review by officials with the Provincial Government, the Commission and the private company are complete," said Minister Kennedy. "The processes undertaken have been thorough and I am confident that both EWA and our officials have done a commendable job in identifying the individuals who had their information exposed."
As a result of this process, it has been determined that personal information relating to 153 individuals was accessed via an Internet file sharing program. In total, 694 files containing personal information were exposed. A total of 111 individuals relate to public bodies: 108 are individual clients of the Commission, two are employees of Eastern Health and one is an employee of the Department of Human Resources, Labour and Employment. The remaining 42 individuals are other clients of the private company. The scope of information varies for each individual; it includes information such as name, address, medical history, work history, gender and date of birth.
Officials with the Access to Information and Protection of Privacy Office have worked with the public bodies involved to develop a protocol for notification of the individuals. The notification process is now underway.
While the public bodies have taken appropriate actions to identify and notify the 111 individuals, unfortunately the potential for identity theft exists for those affected by the exposure, said Minister Kennedy.
"It is important for those who receive notification to take steps to protect themselves such as speaking with their financial institution and maintaining a watchful eye on documents, such as credit card statements, for any activity out of the norm," said Minister Kennedy. "Also, they are advised to contact a credit bureau and ensure their files are marked to reflect potential identity theft and not to give personal information to telephone solicitors."
"As Chief Executive Officer of the Workplace Health, Safety and Compensation Commission I am concerned about this incident; however, I want to assure clients of the Commission that we have taken the necessary action to investigate and understand what has taken place," said Ms. Galway. "We have identified the number of clients who have had their information exposed and we are now taking steps to notify them of this exposure and the types of information that were made available. I have complete confidence in the capable staff and information systems of the Commission."
The Office of the Chief Information Officer takes many precautions to protect the integrity of the information technology infrastructure, such as prohibiting the use of file sharing and "chat" programs on its computers, upgrading firewalls, monitoring Internet traffic, and educating employees and contractors about appropriate uses of computers.
"Since the establishment of the Office of the Chief Information Officer in 2004, our government has taken numerous steps to enhance our security measures and we take this latest situation very seriously," said Minister Kennedy. "All private companies that enter into contracts with the Provincial Government must now follow appropriate protocols and use certain protection programs that will restrict the likelihood of this happening again. Further, all agencies, boards and commissions that report to the Provincial Government will be directed to implement, as a minimal standard, the steps we have undertaken for security purposes if they have already not done so."
Steps taken by the Provincial Government and the Office of the Chief Information Officer (OCIO) to Protect Personal and Confidential Information
The Provincial Government is now implementing a policy where all private companies that wish to enter into contracts with the Provincial Government must follow appropriate protocols and use protection programs.
All agencies, boards and commissions that report to the Provincial Government are being directed to implement the actions undertaken by the Office of the Chief Information Officer as a minimal standard if they have not already done so.
As well, OCIO has instituted a "lock down" on certain types of programs, such as file sharing programs and "chat" programs, that can no longer be used on government-owned computers.
The OCIO requires each and every sub-contractor working for the OCIO to have confidentiality agreements in place and/or sign Oaths of Secrecy in order to continue to do work for the OCIO on government systems.
A new firewall system will soon be implemented and a project has recently been initiated to acquire and install an industry-leading enterprise encryption technology for use within Provincial Government departments.
OCIO has also commenced an awareness and education campaign for public employees to ensure they are aware of the risks associated with the usage of file sharing programs, chat programs and the protection of private information.
Through the Manager of Networks/Security, in conjunction with Electronic Warfare Associates, the OCIO has developed a Security Framework which will help drive security and information protection priorities over the next number of years.
OCIO is implementing a "managed desktop" that will restrict installation of non-approved applications by Provincial Government departmental employees.
OCIO is in the process of implementing a new internal firewall that will have enhanced intrusion detection/prevention features. This firewall device will allow for enhanced inspection of Internet traffic.
As well, OCIO recently hired an Information Protection Architect with a focus on ensuring that information technology infrastructure is architected in a manner consistent with the objectives of information protection.