The EQC Privacy Breach – Where’s the Risk Management?

On Friday, Ian Simpson, the Chief Executive of the Earthquake Commission (EQC), held a media conference and announced that a staff member had accidentally sent an email to a recipient outside of the organisation. The email had an attachment containing a spreadsheet with the details of 9,700 Christchurch residents and their claims.

The EQC acted quickly: it contacted the recipient, requested that they destroy the email and attachment, requested that they sign a statutory declaration that the information was destroyed, and publicly disclosed the incident.

However, yesterday it was revealed that the spreadsheet actually contained the details of 83,000 claimants, not 9,700 as originally thought. Whilst this is not good news, the reality is that the impact of the incident has not changed. The email was still sent to a single recipient who has confirmed its destruction and signed a statutory declaration to that effect.

The real questions for me are:

• Why are staff managing cases for 83,000 clients using a spreadsheet instead of a Client Relationship Management (CRM) solution?

• Why does one member of staff have access to the entire record set with the ability to send it via email?

Even a cursory risk assessment would have identified that the confidentiality and integrity requirements of this information required a better set of controls to be implemented.

Whilst there is limited information about how the breach occurred, Ian Simpson has stated that it was caused by the auto-complete functionality of the email client filling in the address of a third party (an EQC contractor). This is eerily similar to the cause of the ACC breach where Bronwyn Pullar was sent an email that included a spreadsheet containing the details of 6,748 ACC clients.

Both incidents could have been prevented if the agencies had identified the risks associated with using spreadsheets to manage client cases and implemented the following basic controls:

• Provide staff with training on the use of [SEEMAIL] tags and classification labelling to prevent sensitive information being sent outside the agency;

• Include the [SEEMAIL] tag and the appropriate classification label in the body of the spreadsheet to prevent any email with the attachment being sent outside the organisation (unless it is addressed to a recipient at an organisation that has a SEEMail gateway).

(It should be noted that I am assuming that the agency is a participating agency and that the SEEMail gateway has been properly configured.)
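
The outbound rule described in the controls above, as an added Python example (not code from the original post or from SEEMail itself): a message carrying the [SEEMAIL] tag in its body or attachment is blocked when any recipient is outside the agency and not at a SEEMail-enabled domain. The domains, the CSV attachment and the function names are constructed assumptions.

```python
from email.message import EmailMessage
from email.utils import getaddresses

TAG = b"[SEEMAIL]"  # tag named in the post; matched case-insensitively


def is_tagged(msg):
    """True if the tag appears in the body or in any attachment's raw bytes.

    Compressed containers such as .xlsx must be unpacked before searching;
    this example uses a CSV attachment so the tag is visible as plain bytes.
    """
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if TAG in payload.upper():
            return True
    return False


def outbound_decision(msg, internal_domain, seemail_domains):
    """Return (action, offending_recipients) for one outbound message."""
    headers = [str(h) for name in ("To", "Cc", "Bcc")
               for h in msg.get_all(name, [])]
    recipients = [addr.lower() for _, addr in getaddresses(headers) if addr]
    allowed = {internal_domain.lower()} | {d.lower() for d in seemail_domains}
    outside = [r for r in recipients if r.rpartition("@")[2] not in allowed]
    if outside and is_tagged(msg):
        return "block", outside
    return "allow", []


def build_sample(to_addr, tagged=True):
    """Constructed sample: a short email with a CSV 'spreadsheet' attached."""
    msg = EmailMessage()
    msg["From"] = "staff@agency.example"
    msg["To"] = to_addr
    msg["Subject"] = "Claims extract"
    msg.set_content("Extract attached.")
    rows = "claim_id,name\n1001,Sample Person\n"
    msg.add_attachment(("[SEEMAIL]\n" if tagged else "") + rows,
                       subtype="csv", filename="claims.csv")
    return msg


if __name__ == "__main__":
    # An auto-completed third-party address on a tagged attachment is blocked.
    wrong = build_sample("contractor@thirdparty.example")
    print(outbound_decision(wrong, "agency.example", {"partner.example"}))
```
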

Using the [SEEMAIL] tags and classification labels in the body of emails and spreadsheets containing sensitive information would have significantly reduced the likelihood of these incidents occurring. However, it still does not provide the same level of protection against unauthorised disclosure as a Client Relationship Management solution that is appropriately configured and managed.