EQC Privacy Breaches – “Going Dark” Is Not The Answer

On Thursday it was revealed that about a month ago the EQC had suffered another privacy breach. The breach was the result of 2,200 names and information relating to stopped cheques worth $23 million being emailed to a member of the public.

Stuff.co.nz reports that Gerry Brownlee (the Canterbury Earthquake Recovery Minister) stated “The recipient took the appropriate actions and advised EQC they had received the information in error through EQC’s online complaints process about a month ago. It would appear that email was either not seen by EQC or not acted upon. This is a completely unacceptable situation, but may be as a result of IT system problems.”

The article goes on to report that the Government had:

1. Required EQC to immediately shut down all external email (preventing all email from going into and out of the organisation);

2. Required EQC to immediately shut down all business-to-business systems and data exchanges, as well as access into EQC systems by external parties; and

3. Asked the Government’s Chief Information Officer, Colin MacDonald, to investigate and oversee the solutions for issues relating to information management within EQC. The GCIO “will develop a priority work programme to resolve and manage the issues with EQC’s information systems and bring its processes and procedures up to standard”.

In my opinion this is an extreme response to basic human error.  The issues that lead to the breaches at EQC will not be addressed by preventing the business from functioning. Based on the Gerry Brownlee’s statement in point 3 above, the Government recognises that the privacy issues at the EQC are related to its information management practices and these are unlikely to be addressed quickly (certainly not in the next few days as indicated in the article).

It will not be enough for the EQC to implement the controls that I highlighted in my previous blog post within the next couple of days to reduce the likelihood of sensitive information being emailed to recipients outside the organisation again. Information security (and by extension privacy) cannot be achieved through only implementing technology solutions. Information systems are the combination of people, processes and technology. Therefore to achieve an appropriate level of security organisations must consider each of these elements.

The EQC has experienced exponential growth both in term of staff numbers and Personally Identifiable Information (PII) it handles as a result of the Christchurch earthquakes. The commission has approximately 1250 staff members compared with the 23 it had prior to the February 2011 quake and is processing a staggering 466,000 individual claims.

Organisational change is difficult at the best of times but managing rapid and significant change whilst dealing with a natural disaster must be almost impossible. The information systems and security practices that are appropriate for a small 23-person organisation are unlikely to be adequate for one with 54 times as many.

Addressing any deficiencies in the EQC’s information management practices will take more than a few days. Establishing a security culture does not happen overnight, it requires planning to implement the required governance structures, information security and privacy policies, processes and procedures and deliver security awareness training.

Similarly, switching from an information system based on spreadsheets (this is my assumption based on the information that has been published about the breaches) to a Client Relationship Management or a Claims Management system will take time. However, it is clearly a necessary move to ensure that information is adequately managed and protected.

Therefore in my opinion “going dark” is not the answer and will achieve very little in the short-term. A fact Ian Simpson seemed to acknowledge in an interview on TVNZ yesterday, answering “I can never say never, I don’t think anyone can. However, we will go as far as is humanly possible to protect the information of our customers” when asked if “rebooting” the systems would prevent further privacy breaches.