Human Resources and Skills Development Canada was alerted to several security concerns months before breaches last November in which the department lost data belonging to more than 500,000 recipients of student loans, CPP and disability benefits, CBC News has learned.
In June 2012, the department's security plan, obtained by CBC News Network's Power & Politics under Access to Information, concluded: "To continue building a strong culture of security and a robust security program for the department, additional resources will need to be made available.
"Security program does not yet have the capacity to fully comply with existing requirements, notably the demands imposed by the (Departmental Security Plan). As the security program matures, it is increasingly evident that facets of security are not being met and, as noted in the previous sections, some areas of security could be improved."
Last fall, the department had two major security breaches:
- On Nov. 5, it lost a USB hard drive containing the names of almost 583,000 student loan recipients.
- On Nov. 16, a department list on a USB key containing the names of 5,045 Canadians who receive Canada Pension Plan payments and disability benefits went missing.
In response to the breaches, the department tightened up the rules banning the use of external USB hard drives and limited the ones that can be used.
Specifically, with regard to the security plan, an official with the department told CBC News that the department is conducting "risk assessments" to figure out what weaknesses must be addressed first. The department expects those assessments to be completed by the fall. In the meantime, HRSDC is developing an online survey to determine the employees' knowledge of security issues.
"Human Resources and Skills Development Canada completed its departmental security plan and has since put in place specific and concrete measures to address risks and gaps identified in the plan," spokesperson Pamela Wong said in an email. "The department is committed to safeguarding the personal information Canadians entrust to us. We will continue to update and adapt our integrity and security controls to reflect a rapidly changing environment."
But critics aren't so sure. David Fraser is a lawyer who specializes in privacy issues. CBC News sent Fraser a copy of the departmental review. He says that given the extent of the problems it identified, he's not sure if the department will be able to fix its long-standing security problems in the near future.
"It certainly says the right things, but also showed a lot of gaps," he said of the HRSDC security plan. "Filling those gaps would certainly reduce the risk of things going wrong, but obviously things went wrong. And I think it is probably safe to assume that not much progress was made on the training and awareness portions of the plan.
"It is also interesting that there is a lot of mention of not having enough resources, which doesn’t reflect well on the government and the department," Fraser added.
The department is being sued by law firms representing students whose information went missing. The case is scheduled to go before a federal court judge in December.
"In a nutshell, we say that the government entered into an agreement with each student when the students signed the legal paperwork for a loan," said Theodore Charney, one of the lawyers acting for the complainants, "where the government promised to keep their private, personal information protected in accordance with the Privacy Act, and the students believed that their information would be kept confidential.
"And the loss of the information (on the USB hard drive), constitutes a breach of contract, and they’re entitled to have damages for that breach of contract," Charney said.
"Many of the students have spent hours with the federal government call line. They've had to contact their bank and credit card company to change their information. … They don't know what will happen in the future in terms of identity theft. The hackers and other people who (get) this information can wait years before they use it. So we won't know for some time what the ultimate effects will be of this privacy breach."
The federal government said Monday it will submit its statement of defence by the end of the month.
That wasn't the first time the department faced a major security breach. In a written response to a question by Charlie Angus, the NDP's critic for ethics, the department revealed that in October 2011, a laptop containing 1,192 Old Age Security clients was stolen.