How a lack of employee disposal education led to a CRA privacy breach

A CRA employee who copied thousand of pieces of taxpayer data onto several CDs indicates the need for proper disposal training at the corporate level

When a company fails to educate employees on proper information disposal and enforce a strict corporate document destruction policy, employees may resort to dangerous behavior that could lead to dire consequences and embarrassment.

This issue surfaced in the news in late 2011 after an employee of the Canada Revenue Agency (CRA) reportedly compromised the personal tax information of nearly 2,700 Canadian citizens.

According to reports, a CRA auditor asked a member of the IT department to download thousands of documents onto multiple CDs in early 2006. While the files were encrypted in line with CRA policy, there was no explicit protocol dictating that the information should be destroyed before leaving the agency headquarters.

Consequently, the auditor took the CDs home with her and allowed a friend to download one of the CDs onto his laptop. This one CD was later found to contain 2,660 pieces of confidential taxpayer data.

Once the auditor's behavior was uncovered after she brought up a dated email stored on one of the CDs at an unrelated trial in 2008, a probe into the safety of taxpayer information began. However, the laptop on which the data was downloaded years prior could not be located, constituting a significant privacy breach.

According to an article in CTV, a consequent investigation found that "the facts gathered during the investigation determined reasonable grounds to believe that the information copied to the laptop had been erased in such a way that an average user could not access through a normal operating system."

However, this is not sufficient enough to guarantee to data security of the taxpayers whose information was breached. While it does not appear any damage was caused, the company should have taken safeguards to ensure this information never left the CRA office.

To avoid similar instances of employee-caused privacy breaches in the future, business owners should consider deploying the services of a certified paper shredding and document destruction service. These experienced consultants can train employees on the most useful document disposal practices to better protect the integrity of a company's data resources. 

No related posts.