The University of Victoria failed in its legal obligation to protect the privacy of thousands of employees stored on a stolen computer memory card, B.C.'s privacy commissioner has ruled.

Information and Privacy Commissioner Elizabeth Denham said when the USB flash drive containing the names, social insurance numbers, and banking information of nearly 12,000 current and former employees was stolen, the information on it was not even encrypted.

"Encryption is the minimum standard for devices like laptops and USB drives," Denham said in a statement issued on Thursday morning.

hi-bc-120112-uvic-4col

B.C.'s privacy commissioner is recommending UVic upgrade its security policies for laptops and mobile devices and reassess the security of key buildings. (CBC)

"What is very unfortunate is that this privacy breach was both foreseeable and preventable. Instead of a simple theft of a mobile device, the incident resulted in enormous costs and stress for those affected and for the University," said Denham.  

"The university was aware of their obligation to safeguard sensitive personal information using a range of protective measures including readily available and widely used encryption solutions."

Thieves broke into the university's administration building on Jan. 7 and stole the device holding the personal and banking information. It was never recovered. 

"Since our investigation was launched, my office has heard from current and former university employees, who are deeply worried about their exposure to bank fraud, identity theft and other harms.

Denham said the university acted quickly and warned those who might be affected to change their bank accounts and alert credit bureaus to possible fraud, but she made several recommendations for UVic to tighten its security including:

  • Reviewing privacy and security policies every three years.
  • Re-assessing the physical security of campus buildings.
  • Developing a comprehensive policy and training program on laptop and mobile device security.