November 12, 2018

By NICOLE JOBES

Students who opted out of Conestoga Students Inc.’s health and dental benefits plan may have inadvertently opted out of standard security protocol as well.

An anonymous email was sent to Spoke Sept. 28 expressing concern about the security of the health plan opt-out website, mystudentplan.ca. It said the online opt-out form did not appear to utilize the proper encryption to protect the data students must submit.

Gallivan & Associates Student Networks Inc. is a for-profit student benefits consultant and benefit buying group that partners with post-secondary student associations to harness their benefits purchasing power. One of its partners is CSI.

In addition to securing a benefits plan for CSI, the company created and manages the opt-out website and its information. The company’s privacy policy states that they are committed to protecting the privacy of their clients and they take reasonable precautions to protect the security of records containing personal information.

The difference between regular HTTP and HTTPS is that the 'S' means secure.

That same privacy policy states that they will ensure the personal information is collected and retained under the Personal Information Protection and Electronic Documents Act (PIPEDA). Section 4.7.3 of PIPEDA states that the methods of protection should include “technological measures, for example, the use of passwords and encryption.”

According to Gallivan, after transit the information is protected and encrypted in a secure tier 1 hosting facility by their hosting provider, Tenzing Hosting Services. Tier 1 is the simplest classification of a data centre, employing firewalls and deep packet inspections. Redundancy in the systems allows the facility to adapt to various levels of traffic and drop any suspicious activity.

However, the information is at risk before it reaches the facility: first when it is being entered into mystudentplan.ca, and again while it is in transit to Gallivan’s hosting facility. While the facility adheres to industry standards for data encryption, the information is vulnerable before it gets there.

There are two ways a website is secured: HTTPS and an SSL certificate. The CSI opt-out website has neither.

According to an article by Jeremy Dotson in BizTech Magazine, the difference between HTTP and HTTPS comes down to the ‘S.’ HyperText Transfer Protocol refers to how information is presented to the user of the computer; it’s really a way of communicating your interactions with the browser. The ‘S’ stands for secure, and differentiates one sender and receiver from another.
