It never rains, but it pours. Another data loss story has broken closer to home… well, Newfoundland is not that close but too close for comfort:

It seems that a “private sector consultant” on a provincial government contract (not unlike The Portable Consultant, in fact) took a government PC home and may have exposed personal data to the public Internet.

The initial reports are technically vague, but the reports of the incident seem to point to a situation that is wrong on so many levels that it’s enough to make me want to tear my hair out… umm… so to speak.

Government PC’s should never be taken home… or even invited to drinks and a dinner! What may be a properly behaved PC in a government cubicle becomes a rogue “unmanaged system” when it is removed from the safety of its usual firewalls.

Production data covered by privacy restrictions probably has no reason being on a PC in the first place. Such data should probably be locked up in encrypted databases on secure servers and only access via secure methods.

The consultant should probably have been working with dummy data. In any case, they should be reading Privacy for Dummies and writing a short quiz before they are allowed near restricted data.
The story has a bizarre twist with a so-called “representative of a security company” contacting the consultant to tell them that they were “in possession” of some of the patient records. Since when would anyone in security actually download such data if they came across it? Sounds a bit wierd.

Unfortunately, the news media often don’t have enough resources with the expertise to ask the right questions when a story like this breaks.

Perhaps it’s enough to know that it appears to have been the result of not one, but many lapses of security policies.

Cheers,
-pmh