Sensitive personal information stored on B.C. government smartphones, tablets and other mobile devices is at risk of falling into the wrong hands due to slack security and privacy measures, a pair of independent watchdogs warned Tuesday.
Auditor general Carol Bellringer and acting information and privacy commissioner Drew McArthur released companion reports that found government safeguards for mobile devices have failed to keep pace with rapid advances in technology.
The watchdogs audited five ministries and the office of the chief information officer, and uncovered gaps in policies, slipshod security controls and poor record-keeping.
“Currently, there is no central record of mobile devices with access to government information,” Bellringer said. “This is concerning because you can’t protect what you don’t know about.”
Auditors discovered that it’s often left to government employees to install anti-malware software or activate security settings on their phones — something that doesn’t always happen.
“For example, inactive devices may be left unlocked for too long, leaving information vulnerable,” Bellringer said. “A short inactivity-until-locked time is by far the most important feature to prevent the unauthorized use of mobile devices.”
McArthur, meanwhile, found that the existing policies were often overlapping and confusing, that employees sometimes took months to report a lost or stolen device, and that staff training made no specific reference to mobile devices.
Based on the findings in the two reports, McArthur concluded that “that government is not meeting its statutory obligation to protect personal information stored on mobile devices.”
The reports urged the province to strengthen its policies, keep an inventory of devices and information, provide training for mobile devices, and make sure that all security settings are working before a device goes into service.
“Any loss, theft or exposure of sensitive government information — to which these devices have access — could have serious implications for both government and the people of British Columbia,” Bellringer said. “If such a breach were to occur, it could also spark a lack of confidence in government’s ability to protect the information under its control.”
Minister of Technology Amrik Virk said government began fixing the problems prior to the release of the reports. A new strategy introduced in July will cover all 12,000 mobile-device users in government by Dec. 31.
“Ministries will be maintaining a detailed inventory of all mobile devices, ensuring additional security settings are applied before a mobile device goes into service, enforcing a maximum inactivity-until-locked time, and installing and maintaining anti-malware software as just some of the additional security enhancements we have planned,” Virk said.
NDP critic Doug Routley, however, said the public should be “alarmed” at the government’s cavalier treatment of personal information despite previous privacy breaches. “It’s more of the same — repeated examples of careless management of people’s information,” he said. “They don’t seem to be able to manage that when it protects people. At the same time, they’re extraordinarily good at preventing people from getting information if it’s information they don’t want you to see.”
The watchdogs also released a list of their “Top 15 Tips” for protecting information on smartphones and other mobile devices, including using a password, locking the screen and encrypting the device.
