Editorial: Update: City of Victoria Confirms 4th Privacy Breach Involving Isitt Took Place in 2020
The City of Victoria has confirmed the existence of a fourth privacy breach involving Victoria Councillor Ben Isitt’s email access that occurred in 2020, moving back the timeline over which a series of repeated privacy breaches relating to Isitt’s email practices have taken place in 2020 and 2021.
“…the Red Cedar Café privacy breach occurred in 2020,” City of Victoria Head of Engagement Bill Eisenhauer replied when asked for comment in relation to information contained in a letter authored by a City of Victoria privacy analyst and obtained by CFAX 1070.
The newly obtained letter is dated January 14, 2022, and was sent the day following the broadcast of CFAX 1070’s coverage of three confirmed privacy breaches in 2021 involving Isitt’s councillor email access and provisions of the Freedom of Information and Protection of Privacy Act (FOIPPA). The new letter contains seven recommendations intended to prevent future privacy breaches from occurring.
“The City conducted and has concluded privacy breach investigations in response to the incidents of emails sent by Councillor Isitt regarding the Red Cedar Café, the City budget on November 17, 2021 and Councillor’s Isitt’s work as a councillor on December 14, 2021,” the document reads. Privacy breaches were found to have occurred involving the use of email addresses that had been improperly collected without consent through Isitt’s access to council emails.
The 2020 Privacy Breach: Questions Remaining
The City of Victoria has already acknowledged the existence of a privacy breach involving Isitt’s non-consensual publishing of the personal information of a multiple sclerosis advocate during a twitter dispute in early 2021 after she criticized Isitt’s dual participation in a meeting of Victoria council’s Committee of the Whole while Isitt was also overseeing a delivery at the Red Cedar Café Community Care Kiosk in Beacon Hill Park. Isitt later revealed to the public that he had founded the Red Cedar Café non-profit earlier in the pandemic but had avoided public association with Red Cedar for fear of politicizing its services, which were funded in part by substantial amounts of public money. However, the 2021 Red Cedar incident is not the same Red Cedar incident referenced in this newly obtained document.
The letter references the “2020 Red Cedar Café” email incident in the third of seven recommendations proposed to prevent future privacy breaches under “FOIPPA,” the Freedom of Information and Protection of Privacy Act:
“3. That Councillor Isitt no longer disseminate emails that are not about his work as a councillor with the City of Victoria. For example, the 2020 Red Cedar Café and the December 14th electioneering email did not comply with FOIPPA even if the correct consent was obtained by all recipients.”
While the City has not confirmed the precise date upon which the email that caused the newly confirmed privacy breach was sent, CFAX 1070 has obtained an email sent by Isitt May 4, 2020 in which Isitt advises the recipient that he is “volunteering” with a new non-profit. The email solicits recipients for financial donations that can be sent by e-transfer or by cheque to Red Cedar Cafe's initial 2020 location on Johnson Street, but it also includes Isitt’s physical mailing address at Victoria City Hall.
Isitt has not responded to requests for comment to confirm the May 4, 2020 email was the specific 2020 Red Cedar Cafe email referenced in the new recommendations being made by the City, or whether the breach was caused by the distribution of a different 2020 email involving Red Cedar Cafe.
Preventing Future Breaches
CFAX 1070 contacted the Office of the Information and Privacy Commissioner for British Columbia to seek comment on the contents of the story published January 13, 2022 but CFAX 1070 was advised at that time that the commissioner was “not in a position to speak to the specifics of this case as he is not able to discuss active or potential files before the office.”
However, the commissioner’s office did advise at that time that when a privacy breach occurs, organizations are generally advised to follow four key steps:
- Contain the breach by stopping the unauthorized practice, recovering the records, changing access codes, or correcting weaknesses in security that led to the privacy breach in the first place.
- Evaluate the risks: identify the type and sensitivity of the compromised personal information, the cause and extent of the breach and if is it systemic or isolated, determine how many individuals are affected and anticipate the potential future harms of the breach (e.g. identity theft, security risk, risk to public health/safety?).
- Notification – affected individuals should be notified if it is necessary to avoid or mitigate harm. There may be others who are notified at this stage, depending on the circumstances (e.g. police/RCMP, third parties).
- Prevention – what actions need to be taken to prevent a breach in future? This would include a review of what happened and why, perhaps an audit of technical, physical and administrative security as well as a review and possible update to policies, training, security controls, etc.
It was previously reported January 13, 2022 that new recommendations were forthcoming from the City of Victoria that would “go much further than previous recommendations” issued following previous breaches involving Isitt’s email practices.
New Recommendations Revealed
Following the January 13, 2022 CFAX 1070 report, multiple persons impacted by the privacy breaches were contacted by the City and each received a list of seven proposed recommendations regarding Isitt's councillor email practices. The substance of the text of the recommendations as they appeared in the January 14, 2022 letter is reproduced below:
- Council Isitt suspends use and disclosure of email addresses for any purpose until all these recommendations are implemented and in compliance with FOIPPA
- This draft consent request, or one substantively similar, has been sent to all the individuals on Councillor Isitt’s mailing list. Only those that are returned and affirm consent can remain in his mailing list. Non-responses are to be interpreted as withholding consent. The Information Access and Privacy Analyst (The “Analyst”) will confirm all returned consents comply with FOIPPA.
I am contacting you with regard to the collection, use and disclosure of your personal email addresses to provide you with information from time to time regarding City activities. Your email address will be used for no other purpose and will be protected from unauthorized access in accordance with section 30 of the Freedom of Information and Protection of Privacy Act. You may unsubscribe at any time if you provide consent.
- That Councillor Isitt no longer disseminate emails that are not about his work as a councillor with the City of Victoria. For example, the 2020 Red Cedar Café and the December 14th electioneering email did not comply with FOIPPA even if the correct consent was obtained by all recipients.
- That Councillor Isitt submit procedures, not later than two weeks after a decision is reached on these recommendations, explaining how email addresses of non-subscribers will not be added back on to his mailing list. The procedures will be verified by the Analyst for compliance with FoIPPA.
- Councillor Isitt will implement “reasonable security measures” in accordance with section 30 of FOIPPA that prevent the unauthorized access to the mailing list on his personal devices. These procedures will include:
- a password at least eight characters including a number, symbol and capital letter for each device. The Analyst will verify that the security measures comply with section 30.
- a separate password at least eight characters including a number, symbol and capital letter password protecting the mailing list from being opened by unauthorized individuals
- encrypted transmission of the mailing list
- maintain one copy of the mailing list and one back-up copy on a separate device
- If Councillor Isitt uses a third-party vendor to manage his mailing list, the agreement with the vendor must include in writing how the vendor manages the mailing list in accordance with FOIPPA.
- Many of the complainants noted a lack of information regarding the use of their email address when they contacted the Mayor and Council. Therefore, I recommend this privacy wording by added to the webpage:
“The Mayor and Council email address and their individual email addresses are provided to allow you to correspond directly with the Mayor and/or Councillors. Your email address will only be used for the purpose of responding to your email correspondence. The legislated authority to use your email address is sections 26(c) and (e) of the Freedom of Information and Protection of Privacy Act. If you require further information, please contact firstname.lastname@example.org.
If the Mayor or a Councillor wish to continue corresponding with you on other city issues they must receive your written consent in the prescribed format that complies with FOIPPA. A consent request must include the purpose for collecting your email address and how long the consent will be valid. If you consent, your email address must be protected from unauthorized use, disclosure or access and will not be used for purposes other than the purpose you consented to. You may, at any time, unsubscribe from further correspondence or contact the Mayor or Councillor(s) and withdraw your consent.”
The January 14, 2022 letter indicates that recommendation seven (above) has already been implemented, which is consistent with the recent appearance of new text on the City of Victoria’s contact page on the City website.
Archived versions of the City’s website captured earlier in July of 2021 do not contain that text.
Isitt has not responded to CFAX 1070’s repeated requests for comment regarding the recommendations, but he did advise on January 7, 2022 before he was aware of the outcome of the most recent investigation that the November 17th and December 14th 2021 email complaints related to an error he had made in 2016. Isitt advised at the time “I have been working to resolve the issue and do not anticipate further problems going forward.”