From: AlanBaggett@volcanomail.com   
      
   Canada Revenue Agency fails to stop employees from snooping on YOU! :CRA SOTW   
      
   $10.5 million spent to prevent tax-file snooping, but at least nine workers   
   caught breaching privacy in 2016   
      
   By Dean Beeby, CBC News    
      
   Canada Revenue Agency workers continue to snoop on the confidential tax files   
   of businesses, acquaintances and others, despite at least $10.5 million spent   
   so far to try to stop them.   
      
   CBC News has uncovered nine significant cases reported since Jan. 1 in which   
   tax workers improperly poked around the government's electronic records to   
   extract sensitive private information about income, deductions, benefits,   
   payments and employment.   
      
   It's a long-term, chronic problem at the agency, exposed in 2009 and again in   
   2013 by Canada's privacy commissioner, who was assured that managers were   
   taking tough action to prevent the breaches.   
      
   But more than three years later, confidential tax files are still susceptible   
   to nosy workers armed with passwords and CRA-supplied computers.   
      
   On Feb. 18, for example, the agency reported that a "CRA employee made   
   unauthorized access to the accounts of 90 acquaintances and family members, 1   
   business and his/her own account."   
      
   In another breach reported on Feb. 22, an employee improperly accessed the   
   accounts of 227 businesses and individuals.   
      
   CBC News obtained records detailing the latest crop of privacy breaches,   
   altogether affecting about 500 Canadians, under the Access to Information Act.   
      
   Deliberate snooping   
   Federal government departments are responsible for hundreds of significant   
   privacy breaches each year, but most are inadvertent, such as mail sent with   
   the wrong address or misplaced memory sticks.   
      
   Most cases at CRA, on the other hand, are the result of deliberate snooping by   
   employees.   
      
   The agency has spent $10.5 million since 2013 to make its computers more   
   secure against its own workers, and more money is earmarked for next year to   
   comply with recommendations from the federal privacy office, including   
   enhancing system controls so    
   employees can only access information they need to do their jobs.    
      
   Privacy Commissioner Daniel Therrien's latest annual report, delivered in   
   September, said his office was assured that CRA has implemented almost all the   
   safeguards recommended in the 2013 audit.   
      
   "The agency reports that it has made several important improvements to its   
   management of personal information including introducing new policies,   
   increasing corporate oversight and ensuring more timely assessment of privacy   
   and security risks," he wrote.   
      
   CRA has been voluntarily reporting breaches since at least 2011. Since May   
   2014, federal government policy has required all departments and agencies to   
   report material breaches to both the privacy commissioner and to the Treasury   
   Board Secretariat.   
      
   The government defines "material" breaches as "those that involve sensitive   
   personal information and could reasonably be expected to cause injury or harm   
   to the individual."   
      
   The number of breaches rose from seven in 2011 to 30 in 2015, but experts say   
   that's likely the result of greater vigilance in spotting rogue employees   
   rather than more snooping. The total for 2016 is not yet available, but CRA   
   says it's down from last    
   year.   
      
       
   CRA manages one of the biggest confidential databases in Canada, and about   
   two-thirds of some 40,000 workers have electronic access. The agency is the   
   fourth worst offender for material privacy breaches among some 240 federal   
   institutions that are    
   subject to the Privacy Act, behind only Veterans Affairs Canada, Immigration,   
   and Corrections Canada.   
      
   The agency typically notifies taxpayers whenever their information has been   
   compromised, though this year's victims included several deceased Canadians.   
      
   CRA says it has fired eight of the nine workers caught so far this year.   
      
   "CRA systems are strong, tight controls are in place, and we continue to   
   assess and improve our controls on an ongoing basis," spokeswoman Lisa Damien   
   said in an email.   
      
   High-profile cases   
   CRA has seen at least three other high-profile privacy controversies in the   
   past three years.   
      
   In April 2014, a hacker managed to exploit the so-called Heartbleed computer   
   vulnerability to access about 900 social insurance numbers.   
      
   The so-called Heartbleed vulnerability in CRA's computers allowed a hacker to   
   extract the social insurance numbers of some 900 Canadians in 2014.   
      
   A mailroom mix-up at CRA later that year sent a CD full of confidential   
   taxpayer information to CBC News.   
      
   And earlier this year, a federal oversight body reported CRA had been turning   
   over confidential taxpayer information to the Canadian Security Intelligence   
   Service, even though the spy agency had not first secured the necessary court   
   warrant.   
      
   Follow @DeanBeeby on Twitter   
      
   ----------------------------------------------------------    
   Miss a Tax Tale Miss a lot!    
   Visit the CRA SOTW Library at http://canada.revenue.agency.angelfire.com    
      
   ------------------------------------------------------------    
   Alan Baggett - http://www.taxcollectorsbible.com/ - Tax Collector's Bible    
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)