Information and Privacy Commissioner Elizabeth Denham has released her final report into B.C. Lottery Corporation’s (BCLC) privacy breach of customer information that occurred on July 15, 2010.
The investigation determined that the cause of the breach had been properly identified and remediated. However, a second, broader investigation identified a number of security gaps when the PlayNow.com online casino platform was launched, the cumulative effect of which resulted in inadequate protection of customers’ personal information.
The investigation identified inadequate user-access controls and malicious code controls, unencrypted data transmission and gaps in BCLC’s privacy management framework.
“The inherent nature and high profile of online gaming websites expose customer personal information to increased risk,” the commissioner said.
“Gambling attracts the attention of organized crime and these individuals or groups have the means and the inclination to test the security of online gaming platforms.”
The commissioner’s report recommended that BCLC:
• Develop privacy impact assessments at the earliest possible stage of a proposed program, and review and update them at the conceptual, design and implementation phases of any new program.
• Develop and implement mitigation strategies to address all risks identified in the privacy impact assessment process.
• Add a standard contract term to allow it to audit and inspect how service providers handle and store personal information.
• Create and implement effective privacy policies.
• Create a schedule setting out when personal information of former customers will be destroyed.
BCLC accepted all of Denham’s recommendations to upgrade the system’s security and has made improvements to its policies and processes. The system is now adequately secured.
“Public bodies entrusted with citizens’ personal information carry a very high level of responsibility for ensuring that data security measures are always in place to protect the personal information of citizens,” Denham says.
“Those measures include constant monitoring and testing of security architecture as well as implementing processes and procedures to respond and adapt immediately to newly identified risks and reasonably anticipated risks.”
Visit www.oipc.bc.ca to read the commissioner’s report.