Breaches: Coverup & Disclosure
There’s an interesting case of breach non-disclosure documented in the Edmonton Sun, “Privacy breach at MacEwan.” It’s interesting for a few reasons. First, the breach wasn’t disclosed:
MacEwan College was cited in the auditor general’s report this week after a tipster told the AG’s office about the security breach in 2006. It mirrored access problems in 2002-2003, the AG’s report confirmed.
The college chose not to tell those whose personal information was included in the accessible journal entries based on an assessment of risk by its Freedom of Information and Protection of Privacy office, said MacEwan spokesman Gordon Turtle.
You’ll note that I’m writing about it anyway.
Secondly, people are upset:
Public institutions engender trust, and that’s just one of several reasons why students should have been told, even if the college was confident the breach was minor, said MacEwan Student Union president Justin Benko.
“Based on what the auditor report says, if bank account information and credit card numbers and signatures were readily available and obvious, there should’ve been something said,” he said.
Benko’s opinion is interesting. There’s no Canadian law explicitly requiring breach disclosure, but there’s an expectation of disclosure. (There are also interpretations by Privacy Commissioners that read disclosure into existing laws.)
It also seems that the risk assessment was wrong. If you’re covering up a breach because of a risk assessment, you might want to have another, and include crisis communication in the assessment.