A laptop stolen from a Memorial professor’s home may have led to a breach of private information. Michael Burns, Faculty of Business Administration, recently returned home from an out-of-province trip to discover that his home had been burglarized and a laptop stolen.

Mr. Burns used the personally-owned laptop occasionally for university-related purposes and reports that it may have contained class lists from: Business 1000, Section 2 and Section 4, which were taught in the fall 2006 semester; and Business 7302 which was taught in the fall 2007 semester.

The class lists may have contained student names, student numbers, and partial, though not final, grades. The laptop was stolen sometime between Jan. 15-18, 2008.

While Mr. Burns could not confirm that the information from those courses was actually on the stolen laptop, the university has decided to contact all 150 students who may have been affected to advise them of the possible breach.

“We are obviously very concerned about the possibility of such privacy breaches,” said Rosemary Smith, the university’s information access and privacy protection co-ordinator. “Our first priority has been to advise our students of what’s happened. We remain confident that the information that may have been exposed by this theft was minimal and cannot lead to further problems for the students affected,” she said. “Still, we are reminding all faculty and staff at the university, and anyone who teaches at the university and who may handle private information, to use password protection and/or data encryption on all laptops and removable media devices.”

Since last spring, Memorial’s Information Access and Privacy Protection (IAPP) office has been working on the development of a privacy strategy and privacy compliance tools for the university.

“Memorial’s strategy for privacy compliance is comprehensive,” Ms. Smith said. “We have tools to check university programs and systems for compliance with privacy legislation; new policy and procedures are being finalized and an education and training program is under development.”

Stolen laptops are among the most frequent types of privacy breach, according to Ms. Smith. She is reminding employees who are using portable storage devices like laptops and USB flash drives to use password protected access. “Blackberries, too, can carry copies of e-mails and documents but also offer the option of setting a password,” she said. “If you are not sure how to set a password for your laptop or other storage device, consult an IT support person who can assist you. As well, ask about data encryption to further secure personal information.”

Memorial recently retained a privacy consultant to assist in the development of the enterprise privacy strategy. The Memorial Privacy Project Report, together with findings and recommendations, are available on the IAPP web site: www.mun.ca/iapp.

In accordance with Memorial’s privacy strategy, appropriate security measures must be used to secure the confidentiality, integrity and accessibility of personal information. Access to personal information will be restricted to duly authorized persons and organizations. Security safeguards will protect the data against loss or theft, as well as unauthorized access, disclosure, copying, use or modification. Methods to protect personal information include:

• Physical measures (e.g. locked filing cabinets and restricted access to offices; after hours alarms and monitoring systems).
• Organizational measures (e.g. security clearances and other measures to limit access to personal information on a “need-to-know” basis).
• Technological measures (e.g. the use of encryption, role-based user authorization and authentication, transaction logging, intrusion detection, etc.)