City of Montreal | A cybersecurity manager was breaking his own rules

A senior cybersecurity official at the City of Montreal blithely violated the rules he was responsible for enforcing and which he himself had written, reveals a recent arbitration decision.


Martin Boivin, who had a security clearance from the Service de police de la Ville de Montréal (SPVM), made personal copies of emails and documents of a “highly confidential and sensitive nature” that he received as part of his work.

In particular, he reportedly kept, in his personal Gmail account or on a USB key, documents related to the location of drinking water tanks in Montreal, the City’s plans in the event of a major disaster and the flaws in the municipal computer network. “A valuable source of information for a hacker,” said arbitrator Jean-Yves Brière in his decision rendered last week.

Me Brière confirmed the legality of the dismissal of Martin Boivin, decided by the City of Montreal in 2021.

“The exfiltration of data from City IT departments is a basic IT security violation,” the arbitrator wrote. This is “gross misconduct” made worse by the employee’s lack of transparency and remorse.

Another aggravating factor: Mr. Boivin’s position. “He was ultimately responsible for compliance with certain specific information security practices,” the decision reads. “He was the leader of the group that drafted the new Directive on the use of technological devices and services made available to employees of the City of Montreal.”

“Security Breach”

“The City of Montreal will not make any specific comment, except to specify that there was no cybersecurity accident,” said publicist Gabrielle Fontaine-Giroux. “By not respecting the City’s directives, the employee put data at risk, without an incident resulting.”

The decision, however, specifies that a “security incident form” was completed to report the situation and that his boss described it as a “security breach”.

The arbitrator notes that the data does indeed appear not to have leaked.

Called to comment on its behalf or on behalf of the worker, the Syndicate of municipal professionals and professionals of Montreal (SPPMM) remained silent. “The union will not comment on this,” Lucie Boudreau said by email.

Before arbitrator Jean-Yves Brière, a representative of the SPPMM tried to demonstrate that the City of Montreal itself distributed technical documents through which “computer hackers could cause significant damage”. He even tried to submit to the arbitrator employee records and sensitive documents that he was able to recover. The arbitrator refused to consider this evidence.

“A backup copy”

Mr. Boivin pleaded that he did not know that it was forbidden to remove confidential documents from his employer’s computer environment. He said such a rule could not be enforced anyway, because all employees receive personal documents on their work email address, such as tax documents, performance reviews or congratulatory emails.

“It’s a bit of a blurry area,” he told city investigators who interviewed him.

The cybersecurity specialist said he copied all his emails to keep proof of the work he was doing.

“It’s a backup copy,” he said. “It’s because relations are strained with my section chief. I am aware that it is limited,” he admitted. Mr. Boivin had also been slow to install control software imposed by the City of Montreal on his professional cell phone.

He added that he had gotten into the habit of keeping a copy of his professional mailbox on a personal space during the many years he worked in cybersecurity at the Treasury Board, before arriving at the City of Montreal. “I’ve done this all my life, archives like this, every year,” he said.

