Human Resources, Labour and Employment
January 25, 2008
Province Investigates Information Exposure
The Provincial Government and Workplace Health, Safety and Compensation Commission (the Commission) have moved quickly to determine the full extent of an information exposure of personal information on a laptop computer owned and operated by a private company conducting contract work on behalf of the public sector.
On January 22, a computer security company contacted the Provincial Government to inform of a possible information exposure related to files obtained via an Internet file sharing program. The Provincial Government and the Commission moved swiftly to ensure a complete forensic investigation is conducted to determine the type and volume of information exposed. The Commission undertook action to ensure the private company secured its electronic files on the laptop and as well as its electronic data system.
"Our government treats incidents such as this very seriously and has taken all the appropriate steps to understand the extent of this exposure," said the Honourable Jerome Kennedy, Minister of Justice and Attorney General. "I want to assure the people of Newfoundland and Labrador that their personal and confidential information is treated with respect and in accordance with the Access to Information and Protection of Privacy Act."
A laptop computer owned and operated by a private company was connected to a file sharing program and exposed information to the Internet. Once the Provincial Government and the Commission became aware of this situation, the Office of the Chief Information Officer and the Commission investigated and located the source of the exposure. The Commission, in consultation with the Provincial Government, then contacted a Canadian technology company to conduct a forensic investigation of the computer.
The Office of the Chief Information Officer has taken numerous steps to ensure the integrity of the Provincial Government�s information technology infrastructure such as prohibiting the use of file sharing and �chat� programs on government-owned computers, implementing a new firewall and educating employees about appropriate uses of computers. The Commission has undertaken similar steps to ensure the integrity of their information technology infrastructure. As well, the Provincial Government and the Commission are committed to examining their protocols for confidentially agreements with all private companies they conduct business with to enhance the protection of personal and private information.
"The Commission shares the Provincial Government�s view that private and confidential client information must be safe guarded both at the Commission and with service providers. Until the forensic investigation is complete, the extent of the exposure is not known and we are unable to determine how many, if any, of the Commission�s clients may be affected," said Leslie Galway, Chief Executive Officer, Workplace Health, Safety and Compensation Commission. "The Commission was not the source of the breach but nevertheless has taken measures to ensure the integrity of its network system was intact, as well as address the network system concerns with the private company involved."
All occupational rehabilitation providers, physiotherapists, chiropractors and physicians, who deal with the Commission, are under a Memorandum of Agreement (MOA) which directs them to observe the confidentiality and the Commission�s policy on information protection and access. In addition, the MOA states that the contractor should maintain professional standards in terms of confidential information.
The Canadian technology company conducting the forensic analysis believes it can provide further details on the information shared during this exposure within approximately a week. More details about this exposure, such as the types of files shared and the length of the exposure will be known then.
2008 01 25 3:45 p.m.
All material copyright the Government of Newfoundland and Labrador. No unauthorized copying or redeployment permitted. The Government assumes no responsibility for the accuracy of any material deployed on an unauthorized server.