An investigation by the Office of the Information & Privacy Commissioner (OIPC) found that MD Management Ltd. contravened the Personal Information Protection Act (“PIPA”) after an incident in which a laptop containing the personal information of 8,000 physicians was stolen from an employee’s vehicle. The investigator determined that MD Management, a financial services subsidiary of the Canadian Medical Association, did not adequately protect the personal information in its custody.
The personal information contained on the laptop consisted of: physician name; age; month and year of birth (no day of birth); medical specialty; home address, phone and fax numbers; business address, phone and fax numbers; home and/or business email address; total financial assets with MD Management; and shareholder number.
MD Management had policies in place prohibiting employees from leaving laptops in their vehicles. The organization also required employees to store only essential customer information on laptops and to delete files once a task was completed. Although the employee violated corporate policy in all three respects, the investigator found that MD Management’s policies were insufficient and that the organization had not implemented adequate technical safeguards.
The only technical protection measure in place for the locally stored personal information was a log-on password, which was not deemed an adequate defense: a log-on password controls access to the operating system session but does nothing to protect the data on an unencrypted drive once the machine is in someone else’s hands. Beyond the password, which can be easily circumvented, employees were required to keep company laptops within their sight lines. Frequent, well-publicized laptop thefts, often occurring despite similar policies never to leave devices unattended, demonstrate that employees cannot be relied upon as the main line of defense for laptop security when other security options are available. Although the stolen laptop was equipped with encryption capability, the file in question was not encrypted.
Although the investigator determined that MD Management breached PIPA by failing to implement adequate safeguards, the organization took the incident seriously, reported it to the Commissioner, and responded well in its post-incident action plan. MD Management agreed to adopt the following recommendations, many of which were underway prior to the investigation:
- Install encryption software on laptops that cannot be disabled by the user
- Enhance policies
- Provide MD Management employees with an education session, including a policy review
- Audit employee access to personal information
- Audit laptops to ensure compliance with policy
The OIPC recommends that organizations carefully consider the safeguards in place to protect personal information across three layers of security: physical, administrative and technical. Encryption is one acceptable technical solution that the OIPC urges businesses to adopt to adequately protect personal information stored on laptops; however, other technologies and combinations of measures are also considered adequate.