CASE STUDY: Employee Offboarding and Privacy

How the Government of the Northwest Territories failed to recognize, respect, and protect personal information.      


Before getting into the particular facts of this case, let's first consider what an appropriate protocol for dealing with an information breach might look like: 

Recognize

Know which information requires protection, actually take steps to protect that information, and be aware that in any circumstance where that information can leave the organization or be accessed from outside of the organization, there is an opportunity for a breach.

Contain

Having recognized that a breach has occurred, the first step is to contain the data adequately, ensuring no further loss or vulnerability. If this requires shutting your systems down and locking your doors, do so.

Secure

Identify where the breach occurred, where the data went, and then secure the return of that data.

Notify

Assess the risk of harm that may result from the loss or exposure of the data in question. If there is real risk, notify the persons involved. 

Fix

Eliminate the vulnerability. Learn from the experience. Continue to be vigilant and be ready to recognize when future breaches occur.

Well, that looks simple, clear, and easy...what could possibly go wrong?

Failure at any one of the above steps means that your breach may not be adequately addressed, which brings me to my story.

MY STORY

This website is for educational purposes only


Recognize>Contain>Secure>Notify>Fix