Watchdogs find lax management of smartphones and tablets by BC government
Lost or stolen devices were reported by employees several months after going missing according to report
By Bob Mackin
British Columbia, Canada government workers sometimes waited months to report a lost or stolen smart phone or tablet, according to a report by the Acting Information and Privacy Commissioner.
Drew McArthur’s report on mobile device management in the BC government examined five ministries — Children and Family Development, Finance, Forests, Lands and Natural Resource Operations, Justice and Health — and the Office of the Chief Information Officer.
“Investigators found instances of employees reporting a device lost or stolen several months after the device was first noticed missing,” McArthur said in the report. “On average it took employees two to six days to make a report. At one ministry, employees were advised not to report lost devices for up to three days in case the device was found.”
Investigators also found that records of lost and stolen devices were not properly maintained or analysed, so management missed an opportunity to provide additional training.
McArthur said investigators found policies were often overlapping, inconsistent and confusing. The ministries also did not keep track of personal information stored on mobile devices or categorise sensitivity of such personal information.
“Government is not meeting its statutory obligation to protect personal information stored on mobile devices,” said the report.
Privacy training was not specific to mobile devices nor was it conducted frequently. Risk assessments were poor and breach and incident protocols were not consistently followed when privacy breaches happened.
“Rules need to be established and government employees must be trained on how to use portable tools while protecting information that might be accessed or stored on their mobile devices,” McArthur wrote. “Furthermore, where technical controls cannot be implemented, then education must be provided to ensure employees do not inadvertently compromise personal information.”
McArthur is a retired Telus chief privacy officer who took over from Elizabeth Denham last summer after she was hired as the United Kingdom’s information and privacy commissioner.
Auditor General Carol Bellringer also released a report looking at the security aspects of government mobile device management.
She noted the size and portability of devices makes them easy to lose or steal and they often become obsolete, meaning fewer security updates as they age. Unlike desktop or laptop computers, mobile devices often remain connected around the clock, putting them in jeopardy of unauthorised access, she wrote.
Bellringer found there were policy gaps, the full life cycle of mobile devices is not well managed, appropriate security controls are not always in place and there is no central monitoring and logging by government of mobile device activity.
“Any loss, theft or exposure of sensitive government information – to which these devices have access – could have serious implications for both government and the people of British Columbia,” Bellringer said in the report. “If such a breach were to occur it could also spark a lack of confidence in government’s ability to protect the information under its control.”
Both reports said that the government began to make improvements to its policies and procedures while the investigations were underway.