Dozens of improvements suggested after province's security breach
Stronger functionality and determining the potential impacts of a breach highlighted
The accounting firm Deloitte is suggesting the Nova Scotia government make dozens of improvements after a review of how officials handled the largest security breach in Nova Scotia's history.
A 19-year-old man was able to download thousands of pages of government information, many containing personal details, from an unsecured website originally designed as an access-to-information portal.
The province's auditor general and privacy commissioner issued reports highly critical of how that portal was designed and launched.
Catherine Tully, the privacy commissioner, recommended the Nova Scotia government conduct "an internal post-incident review."
On Thursday, cabinet minister Patricia Arab did just that when she tabled a review in the Nova Scotia legislature.
The Halifax firm was paid $15,000 to facilitate "a no-fault, lessons learned discussion" with those who were involved in the creation of the portal.
In its list of 35 "improvements desired" from government officials, Deloitte included:
- Guidance to define "responsible parties."
- Ensure stronger functionality (what a program should do) vs. anti-functionality (what it should specifically not do).
- Determination of potential impacts of a breach.
- Determine an incident leader earlier than in this incident.
- Consider correcting misinformation in the media.
- Risk should be top of mind and staff should consider impacts of potential incidents when dealing with sensitive data.
Arab called the information useful but not surprising given previous reviews.
"It's all about making sure that we are as tight within our process as with our contract processes, with our RFP processes, as possible," Arab said.
She said the review in combination with the two other reports "really marry well together [in] making sure that we have a fulsome understanding of not just where the mistakes were made but how we move forward [in] a really productive and secure way."