The RCMP lost a USB key containing personal information about victims, witnesses and informants, and later learned it was being offered for sale by criminals, the federal privacy watchdog says.
A detailed report from the Office of the Privacy Commissioner of Canada reveals the RCMP told the watchdog about the breach in March 2022, prompting a lengthy investigation.
The RCMP determined that the unencrypted storage device contained the personal information of 1,741 people, also including subjects of interest, informants, police officers and civilian employees.
“The RCMP’s investigation also established that only some of the documents on the device were password protected and that the device itself was not encrypted nor password protected,” the privacy watchdog’s report says.
The Mounties learned from a confidential source three weeks after the loss that the data on the device was being offered for sale by members of the criminal community.
“Given the nature and sensitivity of the information that the RCMP handles on a daily basis, [our office] would have expected the RCMP to have strict security measures in place to safeguard its information holdings,” the privacy commissioner’s report says.
“We also would have expected for those measures to be stringently monitored and that the RCMP would take prompt action where non-compliance, whether accidental or not, is discovered.”
Privacy Commissioner Philippe Dufresne’s office found the RCMP violated the Privacy Act, given that the personal information of individuals was disclosed without their consent.
The privacy watchdog also concluded that RCMP personnel failed to report the loss of the USB storage device to the force’s authorities in a timely manner.
However, once aware of the breach, the RCMP’s notification to affected individuals and the steps taken to manage the risk of further harm to them were “generally appropriate in the circumstance,” the report says.
Finally, Dufresne’s office found the RCMP failed to take appropriate measures to safeguard the personal information.
The privacy watchdog recommended the RCMP adopt strict security measures for the use of USB storage devices.
This included measures not only to ensure that only approved USB devices are used, but also audits to confirm that devices are returned when no longer needed, as well as additional training, the report says.
The commissioner reports that the Mounties agreed in principle to the recommendations but did not commit to implementing them within a specific timeline.
RCMP spokesperson Robin Percival said Monday the force initiated a review of its security and privacy policies, as well as its awareness program, to ensure employees were reminded of, and sensitized to, their continual responsibilities to protect sensitive information.
“The program also addresses the immediate actions to be taken in case of a security breach,” Percival said in a written response.
The RCMP remains committed to preventing the use of unauthorized and unencrypted USB storage devices and to implementing appropriate measures and solutions across the country, she added.