OTTAWA—An internal investigation at the Office of the Auditor General found that about 22 per cent of the encrypted USB drives entrusted to employees were lost, according to newly released documents.
The Star obtained a briefing note through an access to information request that details how the encrypted portable data storage devices were handled by workers at the office of the federal government watchdog, with little done to ensure information technology security measures were followed.
“The management of these USB drives was not strictly enforced. Employees were given IT Security information sessions on how to report stolen or lost devices but there was never any real accountability if a USB drive was lost,” says the Sept. 22, 2014 memo prepared by Jean-Charles Parisé, chief information officer and departmental security officer with the Office of the Auditor General.
“I think it’s troubling,” said NDP MP Charlie Angus. “Where are they? Maybe there is not sensitive data on them, but the kind of work the auditor general does can be politically explosive. So, I certainly would think we need really strong tools in place to keep track of these.”
The Office of the Auditor General said there is no real reason for concern.
“We have always encrypted (since 2008), so we were not worried about losing the data. We couldn’t lose data, but it became a bit troublesome to have to manage those (devices). They’re easy to lose . . . . So, we decided we had to do away with (them),” Parisé said in a telephone interview Wednesday.
The institution has since moved mostly to using a secure file transfer (secure FTP) site to exchange information with outside institutions and has recalled all the USB devices, except for those currently being used in ongoing audits, such as the investigation into Senate expense claims.
“They’re finding something that is better suited to their needs to keep their information protected, which is a good move, in my humble opinion. Anything to protect the information of not only the government but of Canadians is a good move,” said Stephanie Rea, a spokeswoman for Treasury Board President Tony Clement.
Parisé said the USB devices would not have contained anything more sensitive than “Protected B,” which would contain identifying information about individuals or institutions but is not secret or classified.
Parisé also said that data used for an investigation would likely have been cleaned from the USB drive once it was saved to the larger audit file.
Asked whether he was sure the lost USB devices no longer had any sensitive information on them, Parisé said “we can’t be 100 per cent sure of anything,” but said his office was not aware of any incidents where someone has used the data inappropriately.
Still, the briefing note acknowledges that public perception of data and privacy breaches played a role in the office's decision to change the way these portable devices are managed, especially after the department formerly known as Human Resources and Skills Development Canada lost a non-encrypted external hard drive and USB key containing the personal information of more than 500,000 Canadians in November 2012.
“Since the HRSDC incident, the media are more interested in information regarding the loss or theft of portable devices, making the loss of such devices a public relations matter, whether the data is safely encrypted or not,” the memo states.
Parisé said they have not yet reported the loss to Treasury Board or the privacy commissioner, as required by government-wide rules that came into force Sept. 30, 2014.
The briefing note recommends continuing the search for the lost USB drives, including by following up “with the people who have not replied yet, copying their supervisors.”
Parisé said that work is ongoing and they now believe 80 devices will not be recovered.
It also recommends changing the way remaining encrypted USB drives are managed, including potential sanctions for repeat offenders.
A briefing note obtained by the Star contains the results of “an exhaustive investigation” into the state of encrypted USB drives at the Office of the Auditor General. As of September 2014, there were 547 encrypted USB drives in circulation.
347 confirmed as being used by employees
87 confirmed lost
33 deemed to be lost because they are with ex-employees
20 unknown (employees had not yet replied)