Send this page to someone via email

B.C.’s privacy commissioner ruled the University of Victoria failed to protect personal information in a privacy breach involving current and former employees.

In January, it was reported a USB flash drive containing the names, SIN numbers and banking information of nearly 12,000 current and former University employees was stolen.

Commissioner Elizabeth Denham said the breach was both foreseeable and preventable, and has caused deep worry to those affected.

Denham ruled the University was required by law to protect the information on the stolen flash drive, but failed to implement reasonable safeguards to protect data stored on the USB drive. Such safeguards are a legal requirement under the Freedom of Information and Protection of Privacy Act.

“Encryption is the minimum standard for devices like laptops and USB drives,” said Denham. “The University was aware of their obligation to safeguard sensitive personal information using a range of protective measures including readily available and widely used encryption solutions.”

Story continues below advertisement

Denham did say, however, that the University of Victoria took immediate steps to contain the breach. They quickly recognized the risk to employees, notified affected individuals and came up with a plan to prevent a similar breach.