July 29, 2016
SGI is notifying customers of a privacy breach by an employee at an independent motor licence issuing office in Vonda, Sask. We investigated and took action as soon as the breach was discovered. We’ve determined that an employee at the issuing office looked up customer information without a business reason. This individual’s access to SGI’s computer systems has been permanently terminated.
Our investigation concluded that the individual was snooping. The searches were random and we do not believe there has been, or will be, any harm to any customer as a result of this breach. We also believe that no information was disclosed to another party or used maliciously. The information accessed was photo, email address, date of birth, customer number, customer name, mailing address, date of birth, height and eye colour. No medical information or driver records were accessed.
Anyone with access to SGI’s computer system must complete privacy training every two years and sign privacy and confidentiality agreements. The agreements acknowledge that all users and SGI understand the need to keep customer information safe, and share a commitment to doing so.
SGI has zero tolerance for accesses to customer information without a business reason, and individuals who do so have their access to SGI systems terminated. There are many procedures, checks and audits in place to reduce the risk of unauthorized access to customer information, and we are taking steps to strengthen protections further:
- We are implementing automated data analysis to monitor unusual activity in a more sophisticated way
- We’re implementing additional audits
- We will be using this situation to reinforce with all those accessing our customers’ information that this behaviour is completely unacceptable and will have serious consequences for anyone we discover who has failed to respect that
- We are also communicating again with issuers about privacy policies and the consequences of not adhering to them. We will be following up with in-office meetings with every issuer.
Customers affected by this breach will be contacted.
The Office of the Information and Privacy Commissioner has been made aware of this situation.
Saskatchewan Government Insurance (SGI) is the province's self-sustaining auto insurance fund. SGI operates 21 claims centres and five salvage centres across Saskatchewan with a head office in Regina. SGI also works with a network of nearly 400 motor licence issuers across the province. Customers can now do some transactions online. Look for the MySGI link under Online Services on your motor licence issuer's website or SGI's website.