Privacy breach possibly affects 100s of Yukon gov't workers: Department spokesperson

Roughly 400 Yukon government employees may have been affected by a recent privacy breach, according to a spokesperson at the Department of Finance. 

"The Government of Yukon takes privacy matters very seriously," said Eric Clement, the department's director of communications, in an email to CBC News. "As soon as the government became aware of this issue, it took immediate action by undertaking an internal investigation, notifying affected individuals and reporting the issue to Yukon's Information and Privacy Commissioner."

According to a government-issued notice obtained by CBC, a problem occurred during the processing of T4 and T4A slips that may have caused information such as Social Insurance Numbers to become visible. 

"The final risk status of the breach is significant," it says.

The issue appears to revolve around the formatting of the slips, which didn't line up correctly with an "automatic envelope stuffing machine."

"In order to prevent the display of information, staff used black ink to obscure the potentially exposed information, but this may not have addressed the issue in all cases or if the envelope was manipulated," the notice states.

"No containment measures were implemented as the information had already left the premises."

Diane McLeod-McKay, Yukon's information and privacy commissioner, confirmed the Yukon government notified her office about the breach. 

Fraud and identity theft are the possible harms associated with breaches that involve information of this kind, she said in an email to CBC News.

"As part of our review, we will be making recommendations as may be appropriate in the circumstances to mitigate the risk of harm to those affected by the breach and to prevent recurrence of a similar type of breach," McLeod-McKay said.

Clement said the breach was reported twice — on March 18 and April 9.

The problem affected a "small portion" of T4As, he said. 

Asked if any disciplinary measures were taken, Clement said additional training is being conducted to ensure the issue doesn't happen again. Performance issues are kept confidential, he added. 

"In this instance, there is no indication that any data has been accessed and there is no need for any of those affected to take any further action at this time," Clement said.

'Not a no harm, no foul, whoopsie-daisy sort of situation'

David Fraser, a Halifax-based privacy lawyer with McInnes Cooper, said once sensitive information is in the mail, there's no going back. When it reaches this stage, mitigation efforts must be initiated, he said.

"Exposing to public view your full name, your home address and your Social Insurance Number is information that can be used to cause significant harm to an individual, and so it's not a no harm, no foul, whoopsie daisy sort of situation," Fraser said.

The first course of action is notifying those affected by the breach, Fraser said. 

But it doesn't stop there, he said — people whose information could be compromised through a privacy breach should be provided with credit monitoring and insurance.

"I advise companies that have data breaches and that's one of the things I advise them to do because, really, it's not that expensive for the organization or the government to offer and it does mean that if something does go wrong, there's a mechanism there to detect it and to remedy it," Fraser said.

Clement said the department doesn't provide credit monitoring or insurance, adding it will review recommendations that come out of the information and privacy commissioner's report.