The Case of the Missing Computers: Lessons Learned from Health Canada
An audit of Health Canada’s information technology (“IT”) systems (the “Audit”) found a long list of problems, including, among others, insufficient or inefficient tracking of IT assets, lack of proper maintenance of IT hardware assets, outdated processes for decommissioning IT hardware assets, and overall inadequate governance and support for planning and engagement for IT asset management.[1] This bulletin discusses the lessons companies can learn from the Audit and highlights the importance of having and implementing a robust internal IT and cybersecurity program.
The Audit and Its Findings
The Audit included the examination and assessment of systems, records, personnel, and physical properties related to IT assets of Health Canada and the Public Health Agency of Canada (collectively, the “Department”) up to June 2019. Although the Audit was completed in 2019, it was not made public until June 2022. The Audit was not the first audit of the Department’s IT assets; an initial 2009 audit found several issues, and a subsequent 2013 audit found that improvements had been insufficient and the management of the applicable IT assets had not been adequately improved. These earlier audits led to an overhaul of the Department’s IT-related protocols in 2017, which the Audit was intended to evaluate.
Material findings from the Audit include the following:
- Insufficient documentation and tracking of IT hardware assets, with certain IT hardware assets not tracked at all. Ultimately, the auditors could not confirm the existence and location of approximately 74% of the IT hardware assets or a total of 35,000 devices;
- Insufficient and error-prone tracking of software assets, where the purchase orders for 51% of the software assets tested could not be located;
- Lack of process to ensure the management of low dollar value IT assets such as USB sticks, servers, laptops, tablets, computers, and monitors;
- Insufficient controls for the maintenance of IT hardware assets; and
- Lack of adherence to the Department’s requirements and process for decommissioning IT assets and lack of oversight of the said process.
Risks for Companies
Poor IT inventory management and the lack of a robust IT and cybersecurity program can lead to massive risks to both public and private organizations, including the following.
- Loss of data: Poor IT asset tracking and management reduce organizations’ ability to accurately account for, maintain, and properly safeguard their IT assets, which can lead to the loss of both confidential information of the organizations and personal information in the organizations’ custody. This can lead to both financial and legal liabilities to the organizations.
- Breach of contractual obligations: Many agreements, whether or not related to IT assets, have requirements to properly safeguard confidential information and personal information. As soon as such information is exposed to poorly managed IT assets, it is at risk of theft and/or misuse, which may lead to substantial liability to organizations. Further, the use of software is governed by software licenses. The absence of appropriate tracking of the use of software assets can lead to breach of software licenses and intellectual property infringement claims.
- Privacy complaints: Under Canadian privacy laws, individuals can complain to the applicable privacy commissioners about organizations for their mishandling of personal information, failure to provide access to personal information, or failure to correct mistakes in personal information. Poorly managed IT assets reduce organizations’ ability to handle personal information in accordance with applicable privacy laws and increase the likelihood that a complaint is filed against the organizations.
- Breach of privacy laws: Under private sector privacy laws, businesses are responsible for personal information in their custody. Under public sector privacy laws, these obligations are also owed by service providers to public entities. Failing to properly safeguard personal information as a result of poorly managed IT assets may amount to a breach of these obligations, which may lead to reputation loss as well as financial and legal liabilities.
In sum, failing to properly track, maintain, manage, and dispose of IT assets, whether laptops, mobile devices, servers, or USB drives (among others), increases the risk that an organization will be in breach of any applicable agreements tied to those assets, and that any data residing on such assets cannot be appropriately monitored, maintained, or safeguarded.
Takeaways
Proper management of IT assets is a critical component of a robust IT and cybersecurity program. All businesses should ensure that their IT and cybersecurity policies and procedures extend to IT asset management, and address the risks of not properly tracking and safeguarding any device containing personal, confidential or proprietary information. This may include IT inventory tracking systems, regular audits of IT assets, and policies and/or procedures for managing the lifecycle of IT assets.
If you have any questions about any IT and cybersecurity related policies, practices or procedures, or Canadian privacy laws more generally, a member of our Privacy & Data Protection Group would be happy to assist you.
[1] Health Canada, Audit of Information Technology Asset Management (2022 June), online: Government of Canada.
by Robert Piasentin, Yue Fei, and Kristen Shaw
A Cautionary Note
The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.
© TRC-Sadovod LLP 2022