Email Message from Newsline:
As you may know from a MUN Today article, a laptop stolen from a Memorial professor's home may have led to a breach of private information. The professor, on returning home from an out of province trip on Jan. 18, discovered that his home had been burglarized and a laptop stolen. The professor reports that the laptop computer may have contained students' personal information. Please go to www.today.mun.ca/news.php?news_id=3531 to read the full story.
As a result of this possible breach of students' personal information and as the privacy officer for Memorial, I want to remind all faculty and staff that they must secure all personal information (of students, employees, alumni, donors, research subjects and others) against unauthorized access. Please ensure in particular that portable storage devices (including laptops, USB flash drives/memory sticks, and blackberries) are password protected against unauthorized access. Individual files containing personal information should additionally be password protected/encrypted. However, in doing so, please remember to escrow your passwords - if you lose a password, you may lose access to these devices and documents, since re-setting a password may not be possible.
The privacy provisions of the Access to Information and Protection of Privacy Act were proclaimed into force on Jan. 16, 2008. For further information about access and privacy at Memorial, please visit www.mun.ca/iap.
Since last spring, Memorial's Information Access and Privacy Protection (IAPP) office has been developing a privacy strategy and privacy compliance tools for the university, with the assistance of a privacy consultant. The report, together with findings and recommendations, compliance tools, and draft policy and procedures, are available on the IAPP website www.mun.ca/iap. Finalizing policy, procedures and planning for implementation of most of the recommendations is now under way.
Thank you for your cooperation.
Article from today.mun.ca:
Stolen laptop may have led to possible breach of private information
A laptop stolen from a Memorial professor’s home may have led to a breach of private information. Michael Burns, Faculty of Business Administration, recently returned home from an out-of-province trip to discover that his home had been burglarized and a laptop stolen.
Mr. Burns used the personally-owned laptop occasionally for university-related purposes and reports that it may have contained class lists from: Business 1000, Section 2 and Section 4, which were taught in the fall 2006 semester; and Business 7302 which was taught in the fall 2007 semester.
The class lists may have contained student names, student numbers, and partial, though not final, grades. The laptop was stolen sometime between Jan. 15-18, 2008.
While Mr. Burns could not confirm that the information from those courses was actually on the stolen laptop, the university has decided to contact all 150 students who may have been affected to advise them of the possible breach.
“We are obviously very concerned about the possibility of such privacy breaches,” said Rosemary Thorne, the university’s privacy officer. “Our first priority has been to advise our students of what’s happened. We remain confident that the information that may have been exposed by this theft was minimal and cannot lead to further problems for the students affected,” she said. “Still, we are reminding all faculty and staff at the university, and anyone who teaches at the university and who may handle private information, to use password protection and/or data encryption on all laptops and removable media devices.”
Since last spring, Memorial’s Information Access and Privacy Protection (IAPP) office has been working on the development of a privacy strategy and privacy compliance tools for the university.
“Memorial’s strategy for privacy compliance is comprehensive,” Ms. Thorne said. “We have tools to check university programs and systems for compliance with privacy legislation; new policy and procedures are being finalized and an education and training program is under development.”
Stolen laptops are among the most frequent types of privacy breach, according to Ms. Thorne. She is reminding employees who are using portable storage devices like laptops and USB flash drives to use password protected access. “Blackberries, too, can carry copies of e-mails and documents but also offer the option of setting a password,” she said. “If you are not sure how to set a password for your laptop or other storage device, consult an IT support person who can assist you. As well, ask about data encryption to further secure personal information.”
Memorial recently retained a privacy consultant to assist in the development of the enterprise privacy strategy. The Memorial Privacy Project Report, together with findings and recommendations, are available on the IAP web site: www.mun.ca/iap.
In accordance with Memorial’s privacy strategy, appropriate security measures must be used to secure the confidentiality, integrity and accessibility of personal information. Access to personal information will be restricted to duly authorized persons and organizations. Security safeguards will protect the data against loss or theft, as well as unauthorized access, disclosure, copying, use or modification. Methods to protect personal information include:
- Physical measures (e.g. locked filing cabinets and restricted access to offices; after hours alarms and monitoring systems).
- Organizational measures (e.g. security clearances and other measures to limit access to personal information on a “need-to-know” basis).
- Technological measures (e.g. the use of encryption, role-based user authorization and authentication, transaction logging, intrusion detection, etc.)
January 31, 2008