Five months after losing a box of microfiche containing personal and financial information, the B.C. Pension Corporation finally broke the bad news to 8,000 College Pension Plan members last week.
The breach prompted the Information and Privacy Commissioner to renew his call for the Legislature to make it illegal for government and its branches and agencies to delay or conceal the disclosure of a privacy breach to authorities and affected persons.
“Reporting privacy breaches is not mandatory in B.C. My office has long called on government to add breach notification requirements to B.C.’s privacy laws,” said Commissioner Michael McEvoy. “With mandatory breach notification in place, public bodies and organizations would be required to report breaches or suspected breaches to my office within days of discovery. In this case, B.C. Pension Corporation would have been required by law to report the breach in October.”
As it approaches mid-term, the B.C. NDP government has not fulfilled promises to improve privacy laws. In a reply to the B.C. Freedom of Information and Privacy Association’s 2017 election questionnaire, John Horgan’s party criticized the BC Liberals after the OIPC found privacy breaches increased 56% over five years. The NDP vowed to take action if it won power.
“We agree that mandatory breach notification would benefit the public by enhancing accountability and transparency, and helping to mitigate the serious fallouts of privacy breaches and as government we will take action,” read the NDP’s April 27, 2017 letter to B.C. FIPA. “We will consider best practices both across Canada and internationally for breach notifications in both the public and private sectors to determine a made-in-BC policy.”
One of those affected by the pension plan breach is John Martin, the BC Liberal MLA for Chilliwack who is on leave from his position as an associate professor of criminology at the University of the Fraser Valley. Martin received a March 29 letter from the B.C. Pension Corporation on April 3 that said his personal information was on the missing microfiche.
“We believe the risk is low that someone will use your personal information inappropriately as a result of this incident, however, we want to provide you with the details of what happened,” said the form letter.
The form letter said the corporation “declared” the breach on Jan. 28, but it did not notify the province’s information and privacy regulator until March 8. What the letter does not say is that the box went missing in an office move last September.
“I’m concerned,” Martin told theBreaker.news. “If you look at those nine variables that are in there [including full name, birthdate and social insurance number], that’s enough to open up credit in someone else’s name.” He wonders if that is what happened last month when a retailer notified him of suspicious activity on his account a day-and-a-half after the transaction. His card was canceled and replaced overnight.
Martin said he has asked staff to review NDP statements and promises about improving privacy, to “see if there is something there worth pursuing with the minister, Jinny Sims.”
McEvoy said citizens need to know as soon as possible that their personal information has been lost, stolen or compromised, so that they can take steps to mitigate any harm. He suggested affected individuals check their credit activity since September 2018.
The College Pension Plan told several media outlets that it considered this a low-risk incident because microfiche is an outdated medium. However, most libraries still have microfiche readers. Microfiche reading and digitizing devices are also for sale through Amazon and several other e-tailers.
The College Pension Plan is one of five public sector pension plans under the B.C. Pension Corporation, which counts a total of 560,000 members. It pays out $4.2 billion a year to over 181,000 retirees.
Meanwhile, B.C. FIPA slammed the NDP for breaking its election promise to enact a strong duty to document law with fines.
On April 1, the government announced it added 41 agencies to the list of those under the Information Management Act. That is the same law that the NDP called ineffective when it was in opposition. The NDP repeatedly hammered the BC Liberals for their 2015 triple delete scandal, but has been found mass-deleting information since coming to power. Horgan’s office even defended ex-Christy Clark spokesman Ben Chin, who was found mass-deleting his email on the day that the Ombudsperson’s report on the health firings scandal was released in April 2017.