Nova Scotia’s response to a data breach on one of its websites earlier this year cost more than $84,000, according to figures released under the province’s freedom of information legislation.
The Freedom of Information and Protection of Privacy Portal (FOIPOP) website was originally breached from March 3-5, and the site was taken down on April 5 by officials with the Department of Internal Services, which is responsible for the FOIPOP website.
As a result of the data breach, more than 7,000 documents were inappropriately downloaded, including 369 documents containing “highly sensitive” personal information such as social insurance numbers, birthdates and personal addresses.
The figures released by the province are limited to Sept. 30 and could now be higher than what is accounted for in the documents.
The largest expense appears to have been the credit-monitoring service made available to those who had their personal information breached. According to the breakdown provided by the province, the service cost $30,167.
The redesigned FOIPOP website, which only allows an individual to download previously completed FOI requests, cost $29,925.
The new website, designed by Red Sky IT Solutions Ltd., was launched on Sept. 5 — 152 days after the original website was taken offline.
The old website allowed individuals to file and pay for a FOIPOP request as well as review all of the documents released by the government in response to other requests. The province has told Global News they expect to issue a Request for Procurement (RFP) in the first quarter of 2019 for a program that will manage the intake of requests online and the processing of requests by staff.
The new website will “likely” continue to remain separate.
WATCH: Privacy ombudsman offers rebuke of N.S. premier’s claim to most transparent province in Canada
Other large costs released by the province include an $11,603 expense to hire a temporary Information Access and Privacy administrator, $5,734 for employee overtime and $5,462 for XPressPost services from Canada Post for notification letters sent out to individuals affected by the data breach.
In a statement, the province said its top priority during the incident was to move quickly and secure the breach while reaching out to inform and support those who had been affected.
“A significant portion of the cost is associated with the efforts to inform and support those affected, including the offered credit monitoring,” said Brian Taylor, spokesperson for the Department of Internal Services.
“Efforts then turned to providing a secure site to allow access to the publicly available, previously disclosed packages as quickly as possible.”
In addition to these expenses, Unisys, the company in charge of the portal, has been offered a one-year extension at a cost of $120,000.
The new contract separated control of the public disclosure portion of the site, and Unisys is no longer operating that aspect of the portal.
“We didn’t feel that it was an appropriate partnering,” said Internal Services Minister Patricia Arab at the end of June.