UCP members 'at risk for identity theft' after laptop stolen, expert says
Party says computer had addresses, names and phone numbers for tens of thousands of members
The United Conservative Party's privacy policies are being questioned after a party laptop was stolen out of an employee's car in a parkade.
The laptop contains the names, addresses and contact information of 40,000 UCP members.
Experts say the language used in the memo to inform members was confusing and didn't answer important questions.
"This is clearly a matter that the party needs to improve their information protection practices," said Sharon Polsky, president of the Privacy and Access Council of Canada, adding the party will have to regain public trust.
"The only way of garnering and maintaining public trust is if you can genuinely assure people that you are properly taking care of their personal information."
Polsky said in general any organization needs to first look at all the information it's collecting.
"And not collect more information than they actually have need or reason to," she said. "The more you collect, the bigger the risk, because the more attractive a pack of information it is."
Letter sent to members
The party informed members of the theft in an email Wednesday.
"The laptop in question did not contain any personal financial data," reads the letter in part. "Rest assured that we take the integrity of your financial information seriously and under no circumstances does the party store that kind of information."
Emily Laidlaw, an associate law professor at the University of Calgary, said the party's email didn't give enough detail to members.
The law professor said it wasn't clear in reading the message what standards and protocols the party has in place.
UCP privacy policies
When asked what their policies surrounding protecting personal information of members is and if there was training, the party did not respond directly.
"Staff are informed about privacy requirements regarding membership data. This was unfortunately a criminal incident outside of staff's direct control," read the response. "That said, we are undertaking additional measures and protocols going forward following this experience."
They did not elaborate on what those additional measure and protocols would be.
Laidlaw said the fact that the laptop was left in a car at all speaks volumes about what those standards are.
"It is quite commonly advised that you should not be keeping any laptops in your car with sensitive information," said Laidlaw, who specializes in privacy issues.
'At risk for identity theft'
Laidlaw said it's lucky there was no financial information on the computer, but noted there is enough for concern.
"It certainly puts the individuals at risk for identity theft," she said.
"If whoever stole it actually gains access to this information, I mean, you could figure out who the people are, what their home addresses are. These are the people donating to the party and this is where they live."
Training key to prevention
Polsky said the key to preventing these things is training and education.
"They need to train people, and this isn't unique to us. It is commonplace," she said.
"There is remarkably little valid information and public awareness about how to properly protect information — personal, health, political, corporate."
And according to Laidlaw, one-time training isn't sufficient.
"Not just at the beginning," she said.
"Followup with that training to ensure that everyone still recalls what the particular rules are, that they're aware of certain updates, that systems and practices are audited, so that we have a clear sense on the kind of A to Z about information security, where the vulnerabilities are — and often those vulnerabilities are human."
The UCP said that although they are not required to, they've informed the privacy commissioner of the incident and an additional 20,000 members whose information was not compromised.