Information commissioner, AG slam McNeil government over privacy 'breach'
Two separate reports highlight problems with oversight of freedom-of-information portal
Nova Scotia's privacy watchdog is taking the McNeil government to task for a "serious failure of due diligence" related to its problem-plagued online freedom-of-information portal, comments that come as the province's auditor general says the government failed to adequately assess and manage the "vulnerabilities" of the system.
The criticism follows nine-month investigations by the offices of both Information and Privacy Commissioner Catherine Tully and Auditor General Michael Pickup into a "breach" of the relatively new online access-to-information request and disclosure system.
More than 7,000 documents were downloaded on March 3, 2018, including several hundred with highly personal information, but the breach wasn't detected until a month later when a government worker inadvertently discovered the weakness in the system and alerted his boss.
Police traced the download back to a Halifax-area family home, raiding the residence and arresting a 19-year-old man. They threatened to charge him with "unauthorized use of a computer," an offence that carried a possible 10-year prison sentence.
Three weeks later, investigators announced they would not be charging the man because he "did not have intent to commit a criminal offence."
Auditor general's report
In a report issued Tuesday, Pickup concluded the government didn't fully assess the risks associated with the venture, nor did it conduct routine security measures before the website's launch.
"The Department of Internal Services did not ensure that the website was secure before using it," Pickup said in a video summary of his report. "For example, the Department of Internal Services did not ensure security assessments were done before the website went live.
"These types of assessments are standard before systems are available to the public and users."
Pickup also expressed concern about the fact the province is storing information outside its own control.
"Implementing something that has never been used before, as well as using it in a cloud, comes with a high degree of inherent risk," Pickup noted in his report. "Use of a cloud-based service means the data stored in it is not protected by the province's corporate network."
The auditor general also noted the government's reliance on its relationship with CSDC, the company that designed the system used by the province to create the portal, noting "regardless of how familiar government is with an individual vendor, we believe it is unreasonable to ever put full responsibility for project management, risk assessment and due diligence on a private-sector partner."
In an admission of guilt, of sorts, the provincial government said in a written response to the auditor general's report that it failed to protect the personal information of hundreds of Nova Scotians.
"This was not due to a single decision or oversight failure by government, but rather a series of decisions, governance issues and design shortfalls within a complex IT environment," Pickup said.
Information commisioner's report
Meanwhile, the provincial privacy commissioner also released a report Tuesday on her investigation, which Tully said included "a few jaw-dropping moments."
"It is astounding," she said of the breaches. "And it took the combination of quite a few people doing a poor job for this to happen."
Tully said a "serious failure of due diligence" when launching the website led to 12 "preventable" breaches between Feb. 27 and April 3, 2018. Those breaches included information such as social insurance numbers, addresses, phone numbers and even medical information and allegations of child abuse, Tully's report said.
She found the Department of Internal Services failed to detect a design flaw in the website "created by a well-known and foreseeable vulnerability."
"Taking the time to diligently assess a tool at all stages of a project is fundamental to ensuring that personal information held by government is respected and protected," she said in the report.
Initially, the freedom-of-information website was expected to be approved and implemented within two and a half months. Although it was launched five months later than planned, "the short time frames created a stressful environment and compromised the quality of system testing," Tully said.
As the department got close to launching the website, staff met with Tully to provide a demonstration, even though minutes of a meeting of senior departmental executives said "there is no possibility to accommodate any change she may request." Tully said during the demonstration, she recommended a security threat and risk assessment be performed, but that wasn't done until a year after the website was launched.
Tully's investigation also highlighted "shortcomings in the project management, security review and privacy impact assessment." They included considering the freedom-of-information website "low risk," failing to do any technical testing, and not recognizing the flaws in how public and private documents were stored. The review also found the privacy impact assessment identified risks and mitigations that were not incorporated into the site.
As part of her investigation, Tully met with employees who described a "culture of high tolerance for cybersecurity risk" across the provincial government. Employees mentioned receiving angry phone calls from project owners if someone raised a risk concern they weren't prepared to deal with. Another employee said when a concern was raised at a meeting, the vendor mocked the employee and no one intervened.
Tully also found the department did not manage the situation well after the privacy breaches.
Out of the 7,000 records that were downloaded by two people in 12 different privacy breaches, nearly 618 were downloaded to an unknown computer using IP addresses at the Atlantic School of Theology and still haven't been located, she found. She said parties affected by that breach still haven't been notified.
Tully determined the department still doesn't have a "comprehensive, methodical plan to prevent a similar occurrence in the future."
The commissioner's recommendations include:
- Stronger leadership when it comes to privacy in the government and more due diligence in the privacy impact assessment process.
- Immediate steps to contain the breaches related to the 618 documents downloaded onto an unknown private computer, which has yet to be secured.
- Notifying people whose personal information was contained in those 618 documents.
- Reviewing internally the incident to understand the causes and prevent future problems.
- Conducting an internal review of technology the government uses to look at vulnerabilities and form a plan to reduce cyber vulnerabilities.
- Clarify and strengthen the role of the province's Architecture Review Board, which approves and monitors technology standards.
In a statement, the province said it accepts all the recommendations in both reports and has created an action plan to implement the recommendations.
Later Tuesday, Premier Stephen McNeil defended Internal Services Minister Patricia Arab. Tim Houston, the leader of the province's Progressive Conservative party, has called for her to resign or be fired.
"Minister Arab has been working hard on behalf of Nova Scotians to deal with this issue since it arose last year, and one of the reports today noted reasonable steps taken by the department at the time," he said.
"Minister Arab has accepted the recommendations in both reports, and I have full confidence in the minister's commitment to make the necessary improvements to ensure the private information of Nova Scotians is protected."
With files from Frances Willick and Elizabeth McMillan