BC Pension Plan warns 8,000 people about privacy breach after box goes missing

About 8,000 College Pension Plan members are receiving notification from the B.C. Pension Corporation that their personal information may be at risk after a box went missing during an office move earlier this year.

The box contained microfiche with personal information of members who worked from 1982 to 1997. Some of the information includes, names, social insurance numbers and dates of birth.

"We did an extensive search and because we couldn't find it, we took the safe route and declared a breach," said Sherry Sheffman with the B.C. Pension Corporation.

BC Information and Privacy Commissioner Michael McEvoysaid in a statement that the breach was discovered in October of 2018, after the corporation moved offices in September. However, the public body did not report the missing personal information to his office until March 8.

"The recent breach of personal information at B.C. Pension Corporation clearly demonstrates why British Columbia requires mandatory breach notification,"said McEvoy.

"With mandatory breach notification in place, public bodies and organizations would be required to report breaches or suspected breaches to my office within days of discovery. In this case, the BC Pension Corporation would have been required by law to report the breach in October."

Low risk, sayspension corporation

Microfiches were usedbefore thenew payroll system was implemented, and are maintained forarchival purposesfor data prior to 1999, said Sheffman.

Since the data is in a microfiche and non-digital format,the pension corporation considers the breachlow risk, Sheffman told Daybreak South's Christine Coulter.

"The microfiche is very, very difficult almost impossible to read without special equipment and it's difficult to convert to a medium that could be used online," she said.

High risk, says FIPA

However,Sara Neuert, executive director of the B.C. Freedom of Information and Privacy Association, feels otherwise.

"I would not say that this is a low risk. I think this is a really high risk. In a province where we're fighting such crime as money laundering, the government should be stepping forward and trying to take that stand and protect people's data a little bit more," said Neuert.

"Tohave microfiche out there where anyone who is ingenious enough to figure out how to access what data is on there I think is very high risk. And the fact that 8,000 people have been affected by this breach I think is really staggering."

The association wants the province to update the Freedom of Information and Privacy Act to give the privacy commissioner more oversight, so there are penaltiesfor future breaches, said Neuert.

"This is a public body and I think the government needs to step up and update our legislation in a way that will protect people out there."

'This really isn't acceptable,' says affected member

West Kelowna resident Pamela Stevens is one of the affected members who received a letter dated March 29, informingher of the privacy breach.

"I couldn't believe that it actually had happened. You know this really isn't acceptable," said Stevens.

"The information is out there and there are people that wait around for these things to happen to get people and to use their cards and information to misuse it."

Since the breach, the pension corporation has placed additional security and controls on microfiche records, said Sheffman.

"To protect members from potential unauthorized access, the corporation has enlisted services of a private cyber-security firm to do a search and determine if any information was at risk," said Sheffman.

"To date there is no evidence of any malicious players."