Derek Kilbourn
Sounder News
The Gabriola Fire Protection Improvement District has formed a select committee to figure out what level of data breach may have occurred due to a District computer being taken out of the Fire Hall for a period of at least three years.
The computer in question was used by the District’s corporate officer prior to 2015.
Information on the computer went back as far as 1998.
Anyone who was a member of the Gabriola Volunteer Fire Department during that time potentially has private information contained on that computer.
Fire Trustees discussed the matter at their regular meeting on December 3.
Chair Erik Johnson started to explain that the Board didn’t know exactly the day the computer left the hall, or what year, and said there had been, “mumblings through various people” that three years ago it had been removed.
Trustee Wayne Mercier corrected the Chair, saying that was not what the Board had been told, and identified himself as the Trustee to whom the computer was turned in.
So far there has been no naming of the person who turned the computer in to Mercier. That person has requested to stay anonymous. Mercier and Trustee David Chorneyko both know who the person is, and said at the Dec. 3 meeting they would not be disclosing the name of that person.
Mercier said, “that person told me the device was placed in the kitchen, accessible to the firefighters, and told it was up for grabs.
“That’s what I was told, and that’s what I told the police, and that’s what that person reported to the police.”
Johnson said, “that doesn’t hold any water with me.”
Mercier clarified, “I am not saying that is correct, but that is what I was told.”
Mercier outlined the timing of the return of the computer.
On October 10 (the Friday of the Thanksgiving weekend), Mercier (who was still the Fire Board Chair at the time) received the device at his home.
On October 13, Mercier notified the Office of the Information and Privacy Commission (OIPC) that he was in possession of the device.
He notified the Board, including the interim Corporate Officer, on Oct. 14. At the same time, Mercier requested the Corporate Officer establish secure storage for the device.
Mercier said, “to the best of my knowledge, there is no secure storage that is not accessible to various staff people.”
It was on Oct. 22 that Mercier turned in his resignation as Chair to the Corporate Officer. He then went home, picked up the device, brought it into the training room at the Fire Hall, and left it there.
Mercier explained to the Sounder that, “My inability to organise secure storage for the returned device, at the firehall, contributed to my decision to resign [as Chair]. It was not the precipitating incident.
“I resigned from the chair because I felt that I did not have the confidence of staff and key board members.
“As a result, I felt myself unable to fulfill my duties as Chair of the Board and Head of the Public Body. These are important responsibilities, and, given my incapacity, I stepped aside to allow someone more able to take the helm.”
According to Chair Johnson, the device is now in the fire hall, locked in the file room. Johnson said in terms of a data breach, “we don’t know for sure where that computer has been.”
He identified it as having been the computer used by the then-Corporate Officer and Administrative Assistant.
“By nature of this, it contained Social Insurance Numbers.”
Mercier said when he did a preliminary look at the device, he discovered three dozen records of social insurance numbers of island residents – not all of them firefighters.
A cursory evaluation of the machine also revealed the scan of a driver’s license, a draft will for a previous employee, and personal banking and tax information.
Mercier said there was employment information relating to several former and current employees, including disciplinary evaluations and payroll information, and a large number of personal photos and documents that he did not personally look at.
He said there was also a copy of the tax roll – now dated – which provincial officials say should have been destroyed.
Johnson said he has contacted the RCMP as required, and RCMP have completed an investigation, with no charges currently being considered.
He explained that RCMP had told him the only charge that may have been brought would have been theft under $1,000.
Other Trustees expressed concerns that the person who returned the computer would be charged with theft.
The next step, according to Johnson, would be to have a forensic audit done of the computer, to see if it had been accessed at any time between when it left the Fire Hall, and when Mercier turned it on to do the initial evaluation of what data was on it.
He said the one auditor he spoke to said that work was quoted as costing between $12,000 and $15,000.
He said the next steps are to determine how much – if any – of a data breach has occurred, saying he’d love to hear that it sat in someone’s closet for years until it was brought to Mercier.
Mercier said, “the fact that it left our care and control, constitutes a data breach.”
Johnson said in speaking with the RCMP, as far as they were able to get with their investigation, “they felt there wasn’t much chance of a data breach … but we have to satisfy the membership, that the information wasn’t used in any particular way.”
Trustee John Moeller asked, “we’re not sure all the information on there has been found.
“Are we going to spend this kind of money to get this examined by a professional, or do it ourselves?”
He also asked how they would contact all those persons who may have been affected.
Johnson said, “if you were on the department between 1996 and 2015, that data has been breached.
“We don’t know what was done with it. We hope it was a silly mistake.”
Trustee Diana Moher said if someone could assess the risk, if the computer just sat there, and the next time it was started was when Mercier opened it, there has been no breach.
Mercier was asked by former Trustee Charlene Wells (sitting in the audience) if he had made any written copies of the information he found.
Mercier said he kept no written documents other than a briefing note which he provided to the board.
He also did not copy any files off of the device.
“No information was copied off the device at any time,” said Mercier.
Former Trustee Penelope Bahr – also in the audience – asked why the computer wasn’t wiped.
Johnson said, “we’ll get into that.”
Mercier said, “in any case, part of the required response to a privacy breach is setting out steps to ensure that [another] breach doesn’t take place.”
One of the additional steps the Board has approved is the expenditure of up to $2,000 for a data exposure response package that can be provided to those persons whose data may have been breached. This will track if their data is being utilized by other persons.
In addition, the insurance company for the District has been informed of the situation.
Mercier explained the insurance company is notified of any situation in which there is a risk which may require the involvement of the insurer.



