File breach at electronic spy agency prompts mandatory privacy training

Communications Security Establishment (CSE) building in Ottawa (Photo from Wikipedia/Eshko Timiou)

OTTAWA – Canada’s electronic spy agency introduced mandatory privacy awareness training for all employees in March following an internal breach involving personal information.

When Greta Bossenmaier became chief of the Communications Security Establishment in February, the ultra-secret eavesdropping outfit was under intense public scrutiny over alleged spying on citizens.

But less than two months into the job, Bossenmaier was informing the spy agency’s staff of a privacy violation inside its own walls.

“I seriously regret that we are in this situation and never want it to be repeated,” Bossenmaier told employees in a March 20 email. “As such, we must use it as a learning opportunity so that we can prevent any further incidents from occurring.

”

The Ottawa-based CSE, which employs about 2,000 people, uses highly advanced technology to intercept, sort and analyze foreign communications for information of intelligence interest to the federal government.

Documents leaked in 2013 by former American spy contractor Edward Snowden revealed the U.S. National Security Agency – a close CSE ally – had quietly obtained access to a huge volume of emails, chat logs and other information from major Internet companies, as well as massive amounts of data about telephone calls.

As a result, civil libertarians, privacy advocates and opposition politicians have demanded assurances the CSE is not using its extraordinary powers to snoop on Canadians. The agency insists it scrupulously follows the law in protecting Canadians’ privacy.

On July 31, 2014, someone notified CSE’s corporate security officials that a file containing personal information related to security clearances was mistakenly given public-access permission markings, making it accessible to CSE personnel, according to Bossenmaier’s email to staff.

An edited version of her classified message was obtained by The Canadian Press under the Access to Information Act.

By November an internal probe determined the breach had potentially affected the personal information of 146 people. However, further examination led the agency to conclude in January that the sensitive personal information of just five individuals – four CSE employees and one member of the public – was deemed to be at risk.

“The investigations determined that the incident was caused by a combination of technical and human errors,” Bossenmaier told staff. “Several of CSE’s existing security safeguards mitigated the risk of the information being further compromised or removed from CSE premises.”

CSE spokeswoman Lauri Sullivan declined to elaborate on the nature of the information.

The CSE advised the Treasury Board Secretariat, the federal privacy commissioner and the watchdog that keeps an eye on the spy agency.

In February and March, the CSE informed the five individuals, Sullivan said in written answers to questions. “This involved extensive co-ordination between CSEs Privacy Office, senior management, security, labour relations, and CSE’s Counselling and Advisory Program.”

The CSE ushered in a new policy last September on administrative privacy breaches, asked managers to review access permissions on remaining documents, and introduced mandatory privacy awareness training for all staff in March.

The federal privacy commissioner’s office told the CSE In April that the steps taken were reasonable and that no further action was required, Sullivan said.

Valerie Lawton, a spokeswoman for the commissioner’s office, confirmed that it was aware of the incident, but added the Privacy Act prevented her from saying more.

Bossenmaier sent the March 20 email to staff shortly before a brief account of the breach was tabled in Parliament as part of a broader written answer to a formal question about federal data lapses from New Democrat MP Charlie Angus.

Sullivan said the timing of Bossenmaier’s message “was directly related to completing the process of notifying the five impacted individuals.”

In her note, Bossenmaier urged staff to review the new privacy protocol, take the mandatory training, exercise care when assigning access permissions to documents, remain alert to any “serious anomalies” in information management, and immediately report any problems.

“We all have a role to play in safeguarding information, and I am reminding you to apply it seriously to all information held by CSE.”