In late December 2018, an ODSP (Ontario Disability Support Program) office worker was sending out an email newsletter filled with news about updates made to their website.
***Scroll to the bottom for the latest updates***
Unfortunately, they had also attached an Excel spreadsheet to this plain-text email that included data on 45,000 Ontario citizens who receive disability support payments. This data breach is unlike others because it was caused by an accidental email but it is still a disclosure of information that should be remaining private.
Lawyers with the Toronto law firm Rochon Genova LLP served notice Wednesday to the ministries of social services and the attorney general, indicating that they plan to take legal action on behalf of the thousands of people whose data was compromised.
If you are in Ontario and have been affected you can view the class action suit here: https://www.rochongenova.com/Current-Class-Action-Cases/ODSP-Data-Breach.shtml
According to the CP24 article on this, the Minister of Children, Community and Social Services responded like this:
Reacting to news of the breach Tuesday, Minister of Children, Community and Social Services Lisa MacLeod said she has apologized for the breach
“We have taken aggressive and decisive action and I have apologized to the 45,000 people who were part of the breach.”
She said it underlines the need to improve the government’s use of current technologies.
“It proves we need to reform our social assistance model to keep up with modern day technology,” MacLeod said.
MacLeod’s ministry did not return calls for comment on the lawsuit Wednesday. Neither did the Ministry of the Attorney General nor the Premier’s Office.
There are a lot of questions here:
- What exactly is “aggressive and decisive action”? Is this “aggressive and decisive action” also being applied in the case of the Highway 407 data breach that was caused by a member of the Progressive Conservatives who leaked customer data for 60,000 customers?
- Why are attachments with this personal information on clients (names, client identification numbers, email addresses) being passed around as Excel files? At least with Google Drive and other cloud-based storage solutions there is some kind of audit trail.
- Why is the Minister trying to turn this into a political statement on the “social assistance model”? The social assistance model itself works, it doesn’t need to “keep up”, it’s just an issue of having more protections in place for personal data which applies to all government departments and to businesses too.
- Why isn’t the government of Ontario swiftly giving compensation to those affected by the data breach?
- Why is the Ontario government avoiding phone calls on the lawsuit?
- Why isn’t the Ontario government making visible and transparent the process of improving cybersecurity (whether it’s through technology or more training)?
23 July 2019 article on the Toronto Star site suggests that
a new “comprehensive privacy training plan” is being developed for 1,600 staff who handle personal information at the ministry, along with a password access system for spreadsheets and encryption for any now being sent by email, the commissioner’s office said, calling the measures “satisfactory.”
Also in the article, the class action lawsuit is still going through the courts:
The breach of information from the ODSP could be the subject of a class-action lawsuit against the province, for which Toronto lawyer Ron Podolny of Rochon Genova LLP is now seeking certification.
“It’s working its way through the courts,” Podolny told the Star. “We’ve had inquiries from hundreds of people.”
Steps taken by MCCSS to remedy the breach included:
– staff education;
– privacy training;
– ensuring that all spreadsheets created containing information of its clients require a password to access them, and if sent by email are sent using encryption;
the MCCSS has also implemented a MyBenefits portal which allows staff to communicate securely with recipients which will, in time, replace email communication and help in avoiding future errors.
The ministry is also developing a comprehensive privacy training plan that will target programs that handle large amounts of personal information as part of their mandate.
Is this a good enough result for the citizens of Ontario and the people whose privacy was breached?
I will say this, it is refreshing to see the change from using email to a properly secured communication channel. However it is saddening and frustrating that more institutes and organizations and companies don’t take advantage of the cybersecurity tools for encryption that are available.