The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Monday, February 28, 2005
In the fallout of the ChoicePoint incident, legislators are turning their eyes to other data aggregators. Senator Schumer (D NY) held a press conference to show the kind of information that is available to subscribers of Westlaw's People-Find database. He dredged up personal information on high profile folks, including Paris Hilton (won't they leave the poor - I mean unlucky - girl alone?):
The New York Times > Business > Senator Says Data Service Has Lax Rules for Security:
"As the fallout continued to spread from the news of a security breach at ChoicePoint, a company that inadvertently sold sensitive consumer data to thieves last year, Senator Charles E. Schumer, Democrat of New York, took aim at another data search service, Westlaw. He promised to introduce broad new legislation aimed at curbing identity theft.
At a news conference in Washington yesterday, Mr. Schumer complained that any employee - from high-level managers to interns - of a company subscribing to Westlaw's databases could access sensitive records on millions of people, including Social Security numbers, previous addresses, dates of birth and other data that is valuable to identity thieves.
Mr. Schumer presented a parade of posters of well-known individuals whose information was available on Westlaw, including the former attorney general John Ashcroft, Vice President Dick Cheney, Gov. Arnold Schwarzenegger, the actor Brad Pitt and the heiress Paris Hilton. The posters obscured their personal data...."
The author of this article, Tom Zeller Jr., also had an excellent article on February 24th that is well worth reading: The New York Times > Business > Breach Points Up Flaws in Privacy Laws
Wired News is reporting that a simple "script kiddie" exploit was responsible for the breach of T-Mobile's systems last year that allowed a hacker to, among other things, read Secret Service e-mail and view celebrities' private photos: Wired News: Known Hole Aided T-Mobile Breach. It is unclear whether this is connected to the most recent Paris Hilton incident.
While committee hearings don't guarantee action, I will be very interested to see what is said during hearings before the Senate Judiciary Committee on the topic of identity theft and data aggregators. Such a hearing is being hastily scheduled, according to Cox News Services:
Hearings set as congressional concern grows over identity theft:
"WASHINGTON - The Senate Judiciary Committee will hold a hearing on identity theft and data brokers, its chairman announced Thursday.
The announcement reflected mounting concern in Congress over revelations that criminals were able to buy personal information on hundreds of thousands of individuals from ChoicePoint, an Alpharetta, Ga., consumer data company.
Senate Democrats, including Charles Schumer of New York, Dianne Feinstein of California and Patrick Leahy of Vermont, are pushing for legislation to tighten access to such data and have called for hearings.
'I got a letter from Senator Leahy yesterday on the identity theft issue, and I immediately said we can hold a hearing,' Sen. Arlen Specter, R-Pa., said at a news conference. A date for the hearing has not been set.
Specter's comments came just before Schumer announced that he is urging Westlaw, a Minnesota research company, to close an 'egregious loophole' on its Web site that could let anyone buy an individual's Social Security number and other personal information.
In a letter to Westlaw, Schumer urged the company to 'immediately suspend' its service, People-Find, which provides subscribers with personal information about millions of individuals over the Internet.
'Westlaw's People-Find service might as well be the first chapter of 'Identity Theft for Dummies,'' said Schumer. 'Criminals no longer need to forage through dumpsters for discarded bills. They just need to send Westlaw a check and they're in business.'
As an example, Schumer said his staff was able to use People-Find to obtain the Social Security numbers of Vice President Dick Cheney and celebrities Jennifer Aniston, Brad Pitt and Paris Hilton.
Schumer said he knew of no case in which Westlaw's service had been used to illegally obtain a person's personal data.
The senator said he would introduce legislation to establish federal rules limiting who can provide or sell access to private information.
Thomson West, which operates the Westlaw online legal research service, said in a statement, "We share Senator Schumer's serious concerns about identity theft. We have been working with his office on this issue, communicated our mutual concerns, and provided information on our strict policies regarding access to Social Security numbers."
The company said that under its policies, sensitive public information is limited to "a very limited number of specialized customers, such as legislative, regulatory and government agencies."
Scott Bradner (a consultant with Harvard University's University Information Systems) recounts in NWFusion what are, in his view, the failings of ChoicePoint brought to light in the latest incident and hopes that it will lead to national mandates to protect personal information:
Dumber decisions - safer world?:
- "The company's validation procedures for permitting access to its databases were clearly inadequate. Maybe the company decided that it was too expensive to do things correctly - for example, by visiting all companies before granting access?
- ChoicePoint didn't tell any of the people whose data was stolen that they were at risk for identity theft for almost five months. The company said it was the cops who didn't give a hoot about warning people that their good names were in imminent danger and told ChoicePoint not to tell anyone. Maybe, but ChoicePoint's later actions indicate that it was not exactly eager to do what was right.
- When ChoicePoint finally admitted that something had happened, the company downplayed it and said that the only people who were at risk were 35,000 or so Californians. Perhaps not coincidentally, California by law is the only state where people whose private information is exposed by such breaches must be notified.
- Only after considerable pressure, including a letter from 38 state attorneys general demanding that people at risk in their states also be notified, did ChoicePoint belatedly say it would send letters to 110,000 additional people. (One wonders if the attorneys general of the other states think that identity theft is OK.) Since that expansion, there have been news reports that the number of people whose data was accessed might exceed 500,000.
- ChoicePoint includes information that it doesn't need to in the reports it provides - such as a Social Security number in its personal property and personal auto reports (samples of which are on the company's Web page). I understand the company might want to include the ability to look someone up using a Social Security number, but I don't understand why "
Sunday, February 27, 2005
The most recent Sunday New York Times has an article on the past week in privacy. Both the Paris Hilton and ChoicePoint incidents are discussed. The Times also quotes Bruce Schneier, the author of Schneier on Security.
The New York Times > Week in Review > Some Sympathy for Paris Hilton:
"...But the implications of the problem at ChoicePoint are enormous, said Daniel J. Solove, an associate professor of law at George Washington University and author of 'The Digital Person: Technology And Privacy in The Information Age.' The company, he noted, has collected information on practically every adult American, and 'these are dossiers that J. Edgar Hoover would be envious of.' Government has looked into ways to mine commercial data to detect patterns of suspicious activity, he noted, and it will continue to do so. But who watches the watchers? Lawmakers like Senators Charles Schumer of New York and Dianne Feinstein of California are calling for tighter regulation of data brokers. That would be a good idea, said Marc Rotenberg, executive director of the Electronic Privacy Information Center in Washington. 'It's a big, largely unregulated industry that doesn't bear consequences when things go wrong.' Even those who pursue fame, he noted, deserve a measure of privacy...."
Since I started this blog in January 2004, I have noted a few incidents related to inappropriate release of personal information. After an e-mail exchange with Rob Hyndman, I thought it would be interesting to figure out how many incidents I've blogged about. So here is a brief catalog of what I've picked up over the last year and a bit.
Hacking and inappropriate disposal rank highly as the reasons for ending up on this list. But, if there is one thing to learn from all of this: inadequate security of personal information is the one practice that is the most likely to put your company on the front pages of the paper and to destroy any customer trust you've managed to develop.
- 200401 - Incident: Hackers may have accessed personal info for 20,000 Georgia students
- 200401 - Incident: Computer containing airline ticketing info stolen
- 200402 - Incident: Computers (likely containing personal information) stolen from Whitehorse probation office
- 200402 - Incident: Softbank Says Data on 4.52 Million Subscribers Leaked
- 200402 - Incident: Shred first, then discard!: "Files containing property tax information and receipts for parking tickets and business licences were mistakenly left overnight Thursday in a recycling bin outside Port Coquitlam city hall"
- 200403 - Incident: Net firm admits leak of data about 1.4 M clients
- 200403 - Incident: Equifax admits that more than a thousand credit reports have been compromised
- 200405 - Incident: Computer System at U.C. San Diego Hacked: "Hackers broke into the computer system of the University of California, San Diego, compromising confidential information on about 380,000 students, teachers, employees, alumni and applicants."
- 200407 - Article: Suit charges Prozac privacy violations: "A deposition filed in a privacy suit brought by some of the recipients of the anti-depressant said the companies got the names and addresses from physicians."
- 200407 - Incident: Intuit warns of credit card risk: "Intuit is warning 47,000 customers that their credit card data may be at risk after computers were stolen from a company office."
- 200408 - Incident: Highly Personal Information Found In Trash - Collection agency throws out personal information
- 200408 - Incident: Highly Personal Information Found In Trash: "personal information found behind a Columbus collection agency."
- 200408 - Incident: Identity theft alert for CSU students and staff: "The auditor of California State University lost a hard-drive, containing 23,000 names and social security numbers."
- 200409 - Not again: Medical records found on street: "The medical records of about three to five patients at San Diego's Kaiser Hospital were found in the street outside of the hospital. According to a hospital representative, the papers fell out of a recycling bin that was being picked up by the Edco Recycling company. Kaiser is reviewing its contract with Edco and working to prevent any future incidents."
- 200409 - Incident: Hacker taps into CSUH Server: "HAYWARD -- A computer hacker somehow gained access to the records of about 2,000 Cal State Hayward students earlier this month, prompting campus officials to send out letters warning students that their personal information may have been compromised."
- 200410 - Incident: Purdue computers hacked - General systems hacked into and users are urged to change their passwords
- 200410 - Data protection watchdog distributes email mailing list (The Register): "In a recent incident, slightly tinged with irony, the Dutch Data Protection Authority did the same thing:"
- 200410 - UC Berkeley reports massive security/privacy breach: "The FBI is investigating the penetration of a university research system that housed sensitive personal data on a staggering 1.4 million Californians who participated in a state social program, officials said Tuesday."
- 200410 - Incident: Confidential Medical Records Found In Dumpster Behind Building: "Suspected burglary at the Community Counseling Center leaves boxes of confidential files exposed. News 3 Investigator Darcy Spears tells us about the unlikely place the files were found. Counseling center staff were shocked when we showed them dozens upon dozens of private files in a wide open dumpster behind their building. They recovered everything, then called police to find out who would want to hurt those in the business of helping."
- 200410 - Dutch prosecutor leaves crime files on dumped PC: "Dutch public prosecutor Joost Tonino was condemned yesterday for putting his old PC out with the trash. It contained sensitive information about criminal investigations in Amsterdam, and also his email address, credit card number, social security number and personal tax files."
- 200411 - Incident: Massive leak of personal information in Edmonton, Alberta: "Police in Edmonton, Alberta are investigating a curious (and scary) leak of personal information when forms containing sensitive information related to the province's top bureaucrats were discovered at the scene of a meth bust."
- 200411 - Incident: Canadian bank's internal faxes went to West Virginia for three years
- 200411 - Incident: New York schools dump sensitive records on sidewalk (NY Daily News)
- 200411 - Woman's medical file used as a prop; woman sues
- 200411 - Documents sent for shredding left blowing around in Toronto
- 200411 - Incident: UK online bank security glitch exposes customer accounts: "A security loophole at internet bank Cahoot briefly allowed customers to access other people's accounts, a BBC investigation has revealed."
- 200412 - Canadian Privacy Firsts: Misdirected faxes leads to joint investigation and report by Alberta and Federal Commissioners: "In July 2004, it was reported in the Edmonton Journal that a couple who managed an apartment building had received facsimile transmissions in error from various sources. These transmissions contained personal medical information."
- 200412 - Red cross employee implicated in ID theft of blood donors: "A Red Cross employee and two other people were accused Friday of stealing the identities of about 40 blood donors and using the information to obtain about $268,000 in cash and merchandise...."
- 200412 - Glitch lets you mess with the phone book
- 200412 - Another privacy breach to round out the week: "twenty seven thousand welfare cheques were distributed this week with the social insurance numbers of others written on them"
- 200501 - Incident(s): Hacker breaches T-Mobile systems, reads US Secret Service email
- 200501 - Incident: Identity Theft Concerns Over UNC Lost Hard Drive
- 200501 - Incident: More hacking of university computers containing personal information - UCSD computers hacked into, compromising PI of 3500 university students and alumni
- 200501 - Incident: Harvard Hacked - Harvard University that allowed access to student numbers and student drug prescriptions
- 200501 - Another university hacked; personal information breached: "Campus administrators detected a low-level breach of computers within the UCSD Extension network, which has stored more than 4,800 files of students' personal information."
- 200502 - Incident: Impostors obtain personal information on thousands of Americans - ChoicePoint Hacking Incident
- 200502 - Incident: Personal data on nearly 25,000 subscribers leaked by Japanese Telco
- 200502 - Incident: Bank of America loses data on 1.2 MILLION customers
- 200503 - Incident: Personal information of 32,000 stolen from LexisNexis
- 200503 - Incident: Shoe chain says customer data stolen
- 200503 - "Disgruntled" employee said to have posted confidential personal health information of insureds online - Kaiser Permanente employee said to have posted member personal information online
- 200503 - Incident: Personal information taken in Nevada DMV office break-in
- 200503 - Incident: Boston College alumni database breached
- 200503 - Incident: NWU's Kellogg School of Management systems hacked
- 200503 - Incident: Purdue warns hackers hit some computers
- 200503 - Incident: Stolen Berkeley Laptop Exposes Data of 100,000
- 200503 - Incident: Data from 270,000 Japanese bank accounts lost
- 200503 - Incident: Encrypted tapes containing health information on hundreds of thousands of Albertans missing or tampered with
- 200504 - Incident: Chico, Berkeley and now Davis: UC-Davis computer hacked, personal information compromised
Last updated - 20050405
While T-Mobile tries to sort out the mess following the hacking of Paris Hilton's T-Mobile account, the company has issued a press release urging that customers take some steps to protect themselves.
While the pointers are sensible, I am surprised that none of the big online services force consumers to do this. I know that when I have to change my password at work, it cannot be fewer than X characters, it has to be a mix of uppercase and lowercase, it must contain a specified number of non-alphanumeric characters and it cannot be a password that I've already used. Services like T-Mobile, Gmail, Yahoo, Hotmail, etc. can easily be configured to require the same, I am sure. Perhaps they are concerned that customers will balk at not being able to set their passwords as "password"?
T-Mobile Statement on Security and Privacy:
"Along with the considerable resources T-Mobile has and will continue to dedicate to customer security, there are some specific actions we recommend customers take to help protect their mobile phone accounts and personal data.
-- T-Mobile customers should ensure they utilize passwords and change them frequently to safeguard personal information in the following three areas:
   -- On my.t-mobile.com - the Web self-service tool.
   -- Attached to their account, when calling a Customer Service Representative.
   -- On their voicemail box.
-- Be sure the password to access my.t-mobile.com has a combination of letters and numbers.
-- Change passwords at least every 60 days; never give out passwords, even to friends or family; and memorize passwords.
-- If a device is lost, or notice suspicious activity on an account, call T-Mobile immediately.
If a T-Mobile customer has a question about service, or would like further password assistance, simply visit my.t-mobile.com; or a T-Mobile representative can help you by dialing 611 from a T-Mobile phone, or calling 1-800-937-8997."
PrivacyDigest is reporting that consumer confidence in electronic commerce is falling:
"The BBC and ZDNet are reporting on an RSA poll of 1,000 users about failing confidence in ecommerce. 43% of respondents were reluctant to give details to online sites and 70% said that firms were not doing enough to keep their data secure. The BBC goes on to quote experts who back up the perception, ZDNet claims that action is being taken and is well." [Slashdot]
In light of the most recent privacy/security incidents, it is not a surprise.
Saturday, February 26, 2005
In his blog today, Canadian technology lawyer Rob Hyndman asks: "Momentum Building Against Database Aggregation of Personal Data?"
I'm very interested to see how the latest round of incidents are going to play out in the United States. Apparently the Bank of America incident specifically involves the personal information of US legislators who carry a special Visa card for government employees. This may hit a little close to home for those with their hands on the levers of power.
There's an interesting dynamic in the United States at the moment. Consumers are increasingly worried about identity theft. The growth of this sort of crime is spurred by the inadequate security of personal information and security breaches (such as Choice Point and BoA). Agglomerating all this sensitive financial information by data aggregators dramatically increases the risk of significant consequences if security is breached.
But, at the same time, there is pressure to have higher quality personal information available to so-called legitimate businesses, such as credit grantors.
This data is also used to prevent credit fraud (see PIPEDA and Canadian Privacy Law: Identity-verifying questions are getting personal). Biometrics and big databases can also be used to positively verify the identity of those applying for credit. If, for example, there were a reliable database of biometric identifiers available to financial institutions, a credit card company can make sure that someone applying for credit in the name of Bob Smith is the Bob Smith and not someone who happened to snatch a pre-approved credit card mailout from Bob's mailbox.
(As an aside, I think that ID theft would drop dramatically if it were illegal to open a credit facility for anybody whose identity is not positively identified.)
There's also a sense that these databases are useful to prevent terrorism and lesser crimes. They are routinely used to run background checks and, according to Choice Point, law enforcement are significant customers of these systems. There will be continued pressure to make these databases available for such use.
We will never see the end of these databases, but I am waiting to see how the contrary pressures will eventually play out.
So what's the solution? I think the ten principles from the Canadian Standards Association Model Code for the Protection of Personal Information are a good start (see the Code as Schedule I to PIPEDA), coupled with a positive obligation to report any breach of security related to one's personal information.
The exceptions to the ten principles of the CSA Model Code that are in PIPEDA are generally sensible, recognizing that there are circumstances where consent should not be required or where access can be denied.
But will the US implement anything like this on a national basis? Probably not, but if they want my opinion they are welcome to it.
Friday, February 25, 2005
I was searching Slate and happened upon this interesting article, which discusses how your movements (current and historical) can be tracked using your cell phone.
How Do Cell Phones Reveal Your Location? By Brendan I. Koerner:
"...Location data extrapolated from tower records is frequently used in criminal cases. It was vital, for example, to the prosecution of David Westerfield, who was convicted of murdering 7-year-old Danielle van Dam in San Diego. The killer's cell-phone usage revealed a bizarre travel pattern in the two days following the girl's disappearance, including a suspicious trip to the desert. In cases like this, wireless providers will not release a user's records without a court order, save for rare instances in which a kidnapping has taken place and time is of the essence...."
One thing that the article did not highlight is that as long as your phone is on, it is regularly communicating with the local towers, generally checking into the network and checking for messages. This information can be logged and often is. So even if you aren't talking on the phone, it can reveal your location.
MSNBC is reporting that the Bank of America has lost computer backup tapes containing very sensitive personal information about 1.2 million US federal employees. One point two million. 1,200,000. One million two hundred thousand. That's a lot of data to lose, a lot of letters to send out and a lot of mea culpas.
MSNBC - Bank of America loses customer data:
"CHARLOTTE, N.C. - Bank of America Corp. has lost computer data tapes containing personal information on up to 1.2 million federal employees, including some members of the U.S. Senate.
The lost data includes Social Security numbers and account information that could make customers of a federal government charge card program vulnerable to identity theft.
Sen. Pat Leahy, D-Vt., is among those senators whose personal information is on the missing tapes, spokeswoman Tracy Schmaler said...."
I've just read the Statement of Claim filed in the recent class action lawsuit filed against CIBC in connection with the "faxing fiasco". If you are a privacy nerd, it makes interesting reading ...
Slashdot has a discussion of yet another incident that has resulted in the potential exposure of highly sensitive personal information of thousands of Americans:
http://it.slashdot.org/article.pl?sid=05/02/25/2028242 from the that-why-we-use-these-password-things dept.
ThinkComp writes "PayMaxx, Inc. is a web-based payroll processing company, and they recently notified me that my on-line form W-2 was available. And so it was, along with the W-2 (including SSN and salary data) of every other one-time PayMaxx customer dating back at least five years, possibly 100,000 in all. Through news.com, PayMaxx reports, 'PayMaxx has made and continues to make every effort to secure its system against any breach,' which is why part of their site has been down now for several days."
For Canadians, W-2 forms are the same as our T4 tax forms that employers issue, which includes the name, address, social insurance number, income, deductions, etc.
A summary of the problem is reported in a Think Computer Whitepaper:
It is this feature of the PayMaxx system that is gravely flawed. While PayMaxx’s programmers took care to ensure that their system’s authentication software worked well, they took less care to protect the code that dynamically generated form W-2, and each form includes a person’s home address, aggregate payroll, and Social Security number. Perhaps the team that created it lost sight of the sensitivity of this information; as a programmer, it is easy to become focused on the detailed mechanisms that make your program work and forget about the “big picture,” but in any event, it is still not a very good excuse. The result of this mistake was that when PayMaxx announced the availability of 2004 W-2s on-line, the home address, aggregate payroll, and Social Security number of each and every one of PayMaxx’s customers became available to us here at Think. By simply changing one number in a hyperlink on PayMaxx’s “secure” web site, it was possible to scan through PayMaxx’s entire W-2 database for the year 2004.
PayMaxx stored each employee’s data record sequentially in a table—a perfectly normal and acceptable practice, and one that Think uses frequently in its own software, but also one which made it possible to always guess the ID of the next record by simply adding 1. In software based on the Think Lampshade platform, each HTTP request is checked against a security array to verify that the user signed in actually has access to the data being requested. In PayMaxx’s software, this process simply didn’t exist. Anyone with access to the system could view the W-2s of employees with whom they had had no connection whatsoever. Furthermore, by simply subtracting the first ID from the last ID that allowed this behavior, it was possible to ascertain the number of W-2 forms that PayMaxx had printed for the 2004 tax year: 25,468. In other words, a glitch on a single web page made it possible to access the Social Security numbers and salaries of 25,468 individuals nationwide.
Update: CNet news is reporting that PayMaxx has closed its service while it figures out how to fix the problem - Payroll site closes on security worries CNET News.com.
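The missing per-request check that the whitepaper excerpt describes, shown next to a corrected handler, as an added Python example (it is not PayMaxx's or Think's code). The record table, user names, function names and the alert threshold are all assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class W2Record:
    record_id: int
    owner: str   # account the form belongs to
    body: str    # stands in for address, payroll total and SSN


# Constructed sample table: records stored under sequential IDs.
RECORDS = {
    rid: W2Record(rid, owner, f"W-2 for {owner}")
    for rid, owner in [(1001, "alice"), (1002, "bob"),
                       (1003, "carol"), (1004, "alice")]
}


class AccessDenied(Exception):
    """One error for 'not logged in', 'no such record' and 'not yours'."""


def get_w2_unchecked(session_user, record_id):
    """Before: the user is authenticated, but ownership is never checked."""
    if session_user is None:
        raise AccessDenied("login required")
    record = RECORDS.get(record_id)
    if record is None:
        raise AccessDenied("not available")
    return record


def get_w2_checked(session_user, record_id, audit_log=None):
    """After: every request is authorized against the record's owner."""
    if session_user is None:
        raise AccessDenied("login required")
    record = RECORDS.get(record_id)
    allowed = record is not None and record.owner == session_user
    if audit_log is not None:
        audit_log.append((session_user, record_id, allowed))
    if not allowed:
        # Same response for missing and foreign IDs, so replies do not
        # reveal which IDs exist or how many records the table holds.
        raise AccessDenied("not available")
    return record


def readable_ids(handler, session_user, id_range):
    """Authorization regression check: IDs the handler releases to a user."""
    released = []
    for rid in id_range:
        try:
            handler(session_user, rid)
        except AccessDenied:
            continue
        released.append(rid)
    return released


def flag_enumeration(audit_log, max_denied=2):
    """Users denied on more than max_denied distinct record IDs."""
    denied = defaultdict(set)
    for user, rid, allowed in audit_log:
        if not allowed:
            denied[user].add(rid)
    return sorted(u for u, ids in denied.items() if len(ids) > max_denied)


def demo():
    ids = range(1000, 1006)
    log = []

    def audited(user, rid):
        return get_w2_checked(user, rid, log)

    return {
        "unchecked_bob": readable_ids(get_w2_unchecked, "bob", ids),
        "checked_bob": readable_ids(audited, "bob", ids),
        "checked_alice": readable_ids(audited, "alice", [1001, 1004]),
        "flagged": flag_enumeration(log),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The sequential IDs are the same in both handlers; only the ownership comparison changes what a signed-in user can read, and the audit log turns repeated denials into a detection signal.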
Sabrina at beSpacific is pointing to some great stuff on patient privacy and public attitudes in the United States.
beSpacific: Privacy and E-Health Records:
Press release: "U.S. adults are divided right down the middle on whether the potential privacy risks associated with a patient electronic medical record system outweigh the expected benefits to patients and society, according to Dr. Alan F. Westin, Professor of Public Law & Government Emeritus, Columbia University and Director of a new Program on Information Technology, Health Records & Privacy at Privacy & American Business (P&AB)."
- Dr. Alan Westin's February 23, 2005 testimony (PDF) before HHS's National Committee on Vital and Health Statistics Subcommittee on Privacy and Confidentiality at the Hearings on Privacy and Health Information Technology.
- How the Public Views Health Privacy: Survey Findings from 1978 to 2005 (PDF)
Mathew Englander sent me the following, which he has allowed me to post ...
Canada (Minister of National Revenue) v. Toronto Dominion Bank
The case arose from the investigation of a tax debtor, "J.M.". MNR [the Minister of National Revenue] found out about a cheque for $10,000 which someone had written to J.M., and which J.M. had endorsed and deposited to a certain numbered account at Toronto Dominion Bank. MNR wanted to know whether J.M. had tried to reduce his property at the expense of his creditors. Therefore MNR sent the Bank a requirement to provide information about the account, under subsection 231.2(1) of the Income Tax Act. The branch responded that the account-holder was not J.M., and refused to name the account-holder. MNR sent two more notices under subsection 231.2(1) but the Bank still refused to comply. Thus MNR brought an application in Federal Court under subsection 231.7(1) of the Income Tax Act, seeking an order compelling the Bank to provide the name and contact information of the account-holder.
Justice Tremblay-Lamer dismissed the application. MNR's appeal was dismissed with Justice Décary writing for the panel of the FCA.
Under the holding, MNR needs prior judicial authorization to seek information relating to an *unnamed* individual. Subsection 231.2(1) allows MNR to issue a requirement-to-provide-any-information-or-document and does not require prior judicial authorization if the information or document relates to a *named* individual. However, as the FCA held, where MNR does not know the name of the individual about whom it seeks information, it must obtain judicial authorization under subsection 231.2(3). That subsection requires that the judge be satisfied that the requirement is made to verify compliance by the individual with a duty or obligation under the Income Tax Act (http://canlii.com/ca/sta/i-3.3/sec231.2.html). Here, MNR would not have been able to satisfy that criterion because it had no reason to believe that the account-holder had contravened the Income Tax Act.
From a privacy-law viewpoint, it is good to know that MNR is held to stringent compliance with the statute when it seeks information or documents about someone from a bank. On the other hand, one might ask why the statute permits MNR to require a bank to provide information about a named individual, without prior judicial authorization and without notice to the individual.
MNR had argued that unless its appeal was allowed, its power of issuing a requirement-to-provide-any-information-or-document would be "seriously compromised". Reading between the lines, I infer that in the past, financial institutions have provided MNR with information relating to unnamed individuals, without the requisite prior judicial authorization. Kudos to Toronto Dominion Bank for successfully fighting MNR in court on this issue, and for protecting its customer's privacy in this case by refusing to disclose the information to MNR without clear statutory authority for the demand. (In theory, the Bank could have been prosecuted under subsection 238(1) of the Income Tax Act for failing to comply with MNR's demand for information.)
The FCA's decision is dated October 25, 2004, but the English-language translation just recently became available. MNR did not seek leave to appeal to the Supreme Court of Canada.
Labels: information breaches
Thursday, February 24, 2005
Girard Law Office in Toronto has initiated a nine million dollar class action lawsuit against the Canadian Imperial Bank of Commerce. Read the press release here: Class Action Against CIBC for Disclosure of Clients' Confidential RRSP Information.
Update: You can see the statement of claim here.
Wednesday, February 23, 2005
This article is reprinted from the February 2005 edition of the Canadian Privacy Law Review (2:5), Michael Geist, editor-in-chief.
Canada's federal privacy law is already hobbled by the country’s constitutional division of powers. By relying upon the federal parliament’s “general trade and commerce” powers, the Personal Information Protection and Electronic Documents Act (“PIPEDA”) cannot apply to the provincially regulated workplace. Likewise, it cannot apply to the non-commercial operations of charities and the “MUSH” sector, meaning municipalities, universities, schools and hospitals. While there are sectors beyond PIPEDA’s reach, the question of whether PIPEDA applies to commercial activities that take place outside Canada's borders remains.
Until recently, the putative position of officials from the Office of the Privacy Commissioner has been that PIPEDA can apply to the collection, use and disclosure of personal information about Canadians by foreign companies. The issue has ceased to be theoretical thanks to an unpublished finding of the Assistant Privacy Commissioner dealing with a complaint brought by the Canadian Internet Policy and Public Interest Clinic (“CIPPIC”), associated with the University of Ottawa Law School. In the Assistant Commissioner’s letter to CIPPIC, her office declined to initiate an investigation because the company involved had no presence in Canada. This represents a complete reversal from the previous (unofficial and hypothetical) position of the Office of the Privacy Commissioner.
The letter from the Assistant Commissioner was issued in response to a complaint under PIPEDA launched by CIPPIC against Abika.com, a U.S. company that harvests databases and public sources to produce reports that allegedly include personal information up to and including psychosexual profiles of individuals. This service provides information on Americans and Canadians. CIPPIC filed its complaint in June, claiming that Abika collects, uses, and discloses the personal information of Canadians without consent in violation of Canada's national privacy law.
In its response, the Office of the Privacy Commissioner noted that the company does not have a physical presence in Canada. This led to their conclusion that “while the organization may well be collecting information on Canadians, our legislation does not extend to investigating organizations located only in the United States. We are, therefore, unable to investigate this matter under PIPEDA.” This conclusion came as a surprise to many because of the unofficial position taken by the Office of the Privacy Commissioner when the question was merely theoretical.
At the risk of only minimal controversy, the Office of the Privacy Commissioner could have asserted jurisdiction to investigate and then dealt with the challenges of enforcement. Modern Canadian principles of conflict of laws, following such seminal cases as Morguard Investments v. De Savoye, Tolofson v. Jensen, and Hunt v. T & N PLC provide a strong basis to argue that Canada’s privacy laws can reach beyond its borders where there is a clear and substantial connection with Canada. Such a decision would at least have left the complainant with the ability to take the finding to the Federal Court of Canada to explore whether the Court would fashion a remedy and whether the cooperation of U.S. authorities could be obtained. Declining to accept jurisdiction left the complainant with one option: to seek judicial review of this decision, completely separate from the merits of the original complaint.
At least in its origins, PIPEDA was designed to be a piece of an international system to protect the privacy of consumers and citizens. All privacy statutes in Canada trace their roots back to an initiative undertaken by the Organization for Economic Cooperation and Development (“OECD”) to establish basic levels for the protection of personal information among member states. The 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data were signed by Canada in 1984 but were never formally adopted into Canadian law, though they eventually found their way into the Privacy Act that governs personal information in the custody of the federal government and certain crown agents. According to the former Canadian Privacy Commissioner:
[a]mong the most influential modern formulations of the desire to protect against excessively curious governments and businesses has been the OECD's 1980 Guidelines for the Protection of Privacy and Transborder Flows of Personal Data. In 1984, Canada joined 22 other industrialized nations by adhering to the guidelines. The guidelines were intended to harmonize data protection laws and practices among OECD member countries by establishing minimum standards for handling personal data. The guidelines were not themselves enforceable, but they became the starting point for data protection legislation in countries around the world, including Canada.
The OECD guidelines contain eight fundamental principles of national application dealing with the collection, use, disclosure and retention of personal information.
Following the OECD guidelines, the European community decided to implement and harmonize private sector privacy legislation throughout the continent. The result of this initiative was the European Data Protection Directive which required all member countries of the European Union to implement legislation protecting personal information, hopefully to provide a seamless privacy regime throughout Europe. Most notably, the European Directive included a provision that prevented the transmission of any personal information outside of the European Union unless the recipient country had legislation in place that would offer substantially similar protections. While this provision does not purport to operate extraterritorially, it is demonstrative of an attempt to specifically regulate the cross-border movement of personal information. There is also little doubt that it had an extraterritorial effect.
In the absence of similar and recognized legislation in Canada, the European Data Protection Directive would have prevented the free flow of personal information between Canada and member states of the European Union. The modern economy is predicated on the flow of personal information, either as a good in and of itself or ancillary to other transactions. The prohibitions contained in the European Directive would have amounted to a non-tariff trade barrier between Europe and Canada.
In response to the European Directive and a perceived need to boost electronic commerce, the Canadian government introduced legislation that, it was hoped, would be considered by Europe to be sufficiently similar to the Directive. Both the OECD Guidelines and the European Directive provide the international context in which PIPEDA was born.
In disposing of questions such as the one considered by the Office of the Privacy Commissioner, Canadian courts consider whether there is a “real and substantial” connection between the matter at issue and Canada. If the answer is “yes”, the courts may assume jurisdiction. The “real and substantial connection” test has been more recently used by the Supreme Court of Canada in Society of Composers, Authors and Music Publishers of Canada v. Canadian Association of Internet Providers. In the SOCAN decision, Justice Binnie reviewed the general principles of the extraterritoriality of Canadian laws and concluded that the Canadian Copyright Act may apply to cross-border activities where there is a “real and substantial connection” with Canada:
¶54 While the Parliament of Canada, unlike the legislatures of the Provinces, has the legislative competence to enact laws having extraterritorial effect, it is presumed not to intend to do so, in the absence of clear words or necessary implication to the contrary. This is because "[i]n our modern world of easy travel and with the emergence of a global economic order, chaotic situations would often result if the principle of territorial jurisdiction were not, at least generally, respected"; see Tolofson v. Jensen,  3 S.C.R. 1022, at p. 1051, per La Forest J.
¶55 While the notion of comity among independent nation States lacks the constitutional status it enjoys among the provinces of the Canadian federation (Morguard Investments Ltd. v. De Savoye,  3 S.C.R. 1077, at p. 1098), and does not operate as a limitation on Parliament's legislative competence, the courts nevertheless presume, in the absence of clear words to the contrary, that Parliament did not intend its legislation to receive extraterritorial application.
¶56 Copyright law respects the territorial principle, reflecting the implementation of a "web of interlinking international treaties" based on the principle of national treatment (see D. Vaver, Copyright Law (2000), at p. 14).
¶57 The applicability of our Copyright Act to communications that have international participants will depend on whether there is a sufficient connection between this country and the communication in question for Canada to apply its law consistent with the "principles of order and fairness ... that ensure security of [cross-border] transactions with justice"; see Morguard Investments Ltd., supra, at p. 1097; see also Unifund Assurance Co. v. Insurance Corp. of British Columbia,  2 S.C.R. 63, 2003 SCC 40, at para. 56; R. Sullivan, Sullivan and Driedger on the Construction of Statutes (4th ed. 2002), at pp. 601-602.
¶58 Helpful guidance on the jurisdictional point is offered by La Forest J. in Libman v. The Queen,  2 S.C.R. 178. That case involved a fraudulent stock scheme. U.S. purchasers were solicited by telephone from Toronto, and their investment monies (which the Toronto accused caused to be routed through Central America) wound up in Canada. The accused contended that the crime, if any, had occurred in the United States, but La Forest J. took the view that "[t]his kind of thinking has, perhaps not altogether fairly, given rise to the reproach that a lawyer is a person who can look at a thing connected with another as not being so connected. For everyone knows that the transaction in the present case is both here and there" (at p. 208 (emphasis added)). Speaking for the Court, he stated the relevant territorial principle as follows (at pp. 212-13):
I might summarize my approach to the limits of territoriality in this way. As I see it, all that is necessary to make an offence subject to the jurisdiction of our courts is that a significant portion of the activities constituting that offence took place in Canada. As it is put by modern academics, it is sufficient that there be a "real and substantial link" between an offence and this country ... [Emphasis added.]
¶59 So also, in my view, a telecommunication from a foreign state to Canada, or a telecommunication from Canada to a foreign state, "is both here and there". Receipt may be no less "significant" a connecting factor than the point of origin (not to mention the physical location of the host server, which may be in a third country). To the same effect, see Canada (Human Rights Commission) v. Canadian Liberty Net,  1 S.C.R. 626, at para. 52; Kitakufe v. Oloya,  O.J. No. 2537 (QL) (Gen. Div.). In the factual situation at issue in Citron v. Zundel, supra, for example, the fact that the host server was located in California was scarcely conclusive in a situation where both the content provider (Zundel) and a major part of his target audience were located in Canada. The Zundel case was decided on grounds related to the provisions of the Canadian Human Rights Act, but for present purposes the object lesson of those facts is nevertheless instructive.
¶60 … From the outset, the real and substantial connection test has been viewed as an appropriate way to "prevent overreaching ... and [to restrict] the exercise of jurisdiction over extraterritorial and transnational transactions" (La Forest J. in Tolofson, supra, at p. 1049). The test reflects the underlying reality of "the territorial limits of law under the international legal order" and respect for the legitimate actions of other states inherent in the principle of international comity (Tolofson, at p. 1047). A real and substantial connection to Canada is sufficient to support the application of our Copyright Act to international Internet transmissions in a way that will accord with international comity and be consistent with the objectives of order and fairness.
¶62 Canada clearly has a significant interest in the flow of information in and out of the country. Canada regulates the reception of broadcasting signals in Canada wherever originated; see Bell ExpressVu Limited Partnership v. Rex,  2 S.C.R. 559, 2002 SCC 42. Our courts and tribunals regularly take jurisdiction in matters of civil liability arising out of foreign transmissions which are received and have their impact here; see WIC Premium Television Ltd. v. General Instrument Corp. (2000), 8 C.P.R. (4th) 1 (Alta. C.A.); Re World Stock Exchange (2000), 9 A.S.C.S. 658.
¶63 Generally speaking, this Court has recognized as a sufficient "connection" for taking jurisdiction, situations where Canada is the country of transmission (Libman, supra) or the country of reception (Canada v. Liberty Net, supra). This jurisdictional posture is consistent with international copyright practice.
¶76 Accordingly, the conclusion that Canada could exercise copyright jurisdiction in respect both of transmissions originating here and transmissions originating abroad but received here is not only consistent with our general law (Libman, supra, and Canada (HRC) v. Canadian Liberty Net, supra) but with both national and international copyright practice.
¶77 This conclusion does not, of course, imply imposition of automatic copyright liability on foreign content providers whose music is telecommunicated to a Canadian end user. Whether or not a real and substantial connection exists will turn on the facts of a particular transmission (Braintech, supra). It is unnecessary to say more on this point because the Canadian copyright liability of foreign content providers is not an issue that arises for determination in this appeal, although, as stated, the Board itself intimated that where a foreign transmission is aimed at Canada, copyright liability might attach.
PIPEDA is not explicit about whether it is intended to apply extraterritorially, but there is some guidance in Section 4, the basis of the law’s application:
4. (1) This Part applies to every organization in respect of personal information that
(a) the organization collects, uses or discloses in the course of commercial activities; or
(b) is about an employee of the organization and that the organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business.
The application section is entirely silent with respect to its intended territorial application. The only references to specific jurisdictions are contained in the transitional provisions and the definition of “federal work, undertaking or business”. The transition provisions begin with Section 30:
DIVISION 5 TRANSITIONAL PROVISIONS
Application 30. (1) This Part does not apply to any organization in respect of personal information that it collects, uses or discloses within a province whose legislature has the power to regulate the collection, use or disclosure of the information, unless the organization does it in connection with the operation of a federal work, undertaking or business or the organization discloses the information outside the province for consideration.
Application (1.1) This Part does not apply to any organization in respect of personal health information that it collects, uses or discloses.
Expiry date *(2) Subsection (1) ceases to have effect three years after the day on which this section comes into force.
*[Note: Section 30 in force January 1, 2001, see SI/2000-29.]
Expiry date *(2.1) Subsection (1.1) ceases to have effect one year after the day on which this section comes into force.
*[Note: Section 30 in force January 1, 2001, see SI/2000-29.]
These provisions were temporary (and expired on January 1, 2004), as part of the gradual implementation of PIPEDA, providing individual provinces with the ability to put in place substantially similar legislation during the period in which the law only applied to the federally regulated private sector and cross-border sales of information. It may be notable that the cross-border reference says “outside the province” and not “to another province”.
In the absence of clear guidance from the statute, one can interpret it to apply in all circumstances where there exists a “real and substantial link” to Canada, following the Supreme Court's guidance in SOCAN and the cases to which Binnie J. refers. In any event, there is nothing in the statute that would prevent the Office of the Privacy Commissioner from assuming jurisdiction in the circumstances set out above if one takes the more modern and progressive view of jurisdiction that is currently being applied by the Canadian courts.
In the past, officials with the Office of the Privacy Commissioner have advised that the Commissioner likely would assume jurisdiction where the collection of personal information is about Canadian residents or where the collection originates in Canada. This appears to no longer be the case. The Commissioner’s office used to be of the view that PIPEDA is part of an international scheme of privacy protection that could reach over borders. The Privacy Commissioner has an arguable basis to make this second assertion and assume jurisdiction. As mentioned above, Canada implemented PIPEDA following the OECD Guidelines and in light of threatened restrictions on cross-border data flows caused by the European Directive.
While Canada is not bound by either the European Directive or the OECD Guidelines, it appears to be the spirit of PIPEDA that the Canadian law fit within this general scheme of international data protection. This, in and of itself, would give support for investigating the complaint brought by CIPPIC. Nevertheless, modern Canadian conflict of law jurisprudence clearly gives a Canadian adjudicative body, tribunal or investigator jurisdiction over activities that take place outside of our frontiers if there is a “real and substantial” connection to Canada. Whether that connection exists in CIPPIC’s complaint is both a question of law and a question of fact, two questions that the Assistant Commissioner appears not to have pursued. Unless CIPPIC seeks judicial review of the Assistant Commissioner’s decision not to investigate, it may be some time before the question is judicially considered.
* David T.S. Fraser is the chairman of the Privacy Practice Group at McInnes Cooper, Atlantic Canada’s largest single law partnership, principal legal advisor to National Privacy Services Inc. and the author of “PIPEDA and Canadian Privacy Law”, a privacy law weblog found at http://pipeda.blogspot.com/.
The genesis of this article is a presentation given by the author to the Canadian Bar Association Annual Meeting and Conference, August 2004.
 Available online at http://www.cippic.ca/en/projects-cases/privacy/opcc_response_30nov04.pdf.
  3 S.C.R. 1077.
  3 S.C.R. 1022.
  4 S.C.R. 289.
 Organization for Economic Co-operation and Development, OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (adopted 23 September 1980).
 Privacy Act, R.S.C. 1985, c. P-21.
 Speech by Bruce Phillips to the Canadian Bar Association, “The Evolution of Canada's Privacy Laws” (January 28, 2000). Available online http://www.privcom.gc.ca/speech/archive/02_05_a_000128_e.asp.
 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
 2004 SCC 45 (“SOCAN”).
 Copyright Act, R.S.C. 1985, c. C-42.
Bruce Schneier has a good comment on the ChoicePoint fiasco and the lessons to be learned about incident response:
Schneier on Security: ChoicePoint:
"...This story would have never been made public if it were not for SB 1386, a California law requiring companies to notify California residents if any of a specific set of personal information is leaked.
ChoicePoint's behavior is a textbook example of how to be a bad corporate citizen. The information leakage occurred in October, and it didn't tell any victims until February. First, ChoicePoint notified 30,000 Californians and said that it would not notify anyone who lived outside California (since the law didn't require it). Finally, after public outcry, it announced that it would notify everyone affected...."
After having her cell phone hacked, Paris Hilton was the target of last night's Top Ten List on the Late Show with David Letterman:
CBS | Late Show with David Letterman : Top Ten:
"Top Ten Messages Left On Paris Hilton's Cell Phone
10. 'You probably don't remember me, but we had sex about 3 weeks ago.'
9. 'Consider switching to Verizon, we rarely let hackers steal our personal information.'
8. 'So this is the second most embarrassing thing that's ever happened to you?'
7. 'Uh yes, I'd like to book a room for next Wednesday night at the Detroit Hilton.'
6. 'It's Bill Clinton. I've been meaning to call you for some time.'
5. 'Hey it's Pauly Shore--thanks for getting my name in the newspaper.'
4. 'Sorry I missed you, you must be at work...just kidding.'
3. 'Hi, it's Christo. Wanna get freaky in Central Park?'
2. 'You have a collect call from Dave Letterman, will you accept?'
1. 'Is there anything of yours NOT on the internet?'"
No real privacy law content, but hey ...
Labels: information breaches
A short time ago, Industry Canada gazetted its notice of the proposed order-in-council to deem the Personal Health Information Protection Act to be substantially similar to PIPEDA. (See PIPEDA and Canadian Privacy Law: Industry Canada proposes PIPEDA exemption for Ontario "health information custodians".) If passed by cabinet, this would exclude "health information custodians" in Ontario from the application of PIPEDA. The notice in the Gazette requested comments on the proposed order.
The Canadian Internet Policy and Public Interest Clinic has provided its comments, limiting its review to the weak research exemption of PHIPA. The impugned provision doesn't jibe with PIPEDA in that it only requires a research ethics review board to "consider" certain factors before allowing a researcher to have access to personal health information. See the letter to Industry Canada here.
How secret is your "secret question" when you are famous for being famous and your life is an open book? It is looking more and more like Paris Hilton's Sidekick II was hacked into thanks to really, really bad password protection. Or, as MacDevCenter points out, a really obvious "secret question" to make it really easy for users who have forgotten their passwords.
"Like many online service providers, T-Mobile.com requires users to answer a 'secret question' if they forget their passwords. For Hilton's account, the secret question was 'What is your favorite pet's name?' By correctly providing the answer, any internet user could change Hilton's password and freely access her account. "
Apparently her dog, Tinkerbell, is almost as famous as her. He is an author (The Tinkerbell Hilton Diaries: My Life Tailing Paris Hilton), a fashion accessory and a dog-about-town. Anybody with more interest in inane celebrities than I would have been able to get her secret question and log into the T-Mobile system.
For a good review of the inherent weakness of these systems, see Schneier on Security: The Curse of the Secret Question.
The Australian privacy commissioner is concerned that HealthConnect, a federal health network, is lumbering toward implementation without adequate privacy protections:
Australian IT - Alarm raised over health network (Karen Dearne, FEBRUARY 23, 2005):
"'Given the magnitude of the project and the sensitive nature of health information, a robust privacy framework needs to be established as a priority,' the OFPC says in its submission on the roadmap HealthConnect Business Architecture.
'The architecture includes many references to privacy protocols or rules which will apply to HealthConnect, although their substance and standing is unclear.'
While the OFPC regulates the private health sector and handling of personal information by federal and ACT government agencies, the privacy of health information within the states is regulated at the state level. "
Tuesday, February 22, 2005
Michael Geist is reporting, in privacyinfo.ca, that the Canadian lawful access initiative is creeping back onto the government's agenda:
"The Toronto Star today reports what has been an open secret for a couple of months now -- the Canadian government is moving forward with its lawful access agenda. For those new to the issue, lawful access would require network providers to establish new capabilities to allow for real-time network surveillance. Failure to do so is punishable by significant fines and jail time. The big issue for the ISPs revolves around cost, as in who should pay for this. Given the enormous privacy implications, one would hope that the government would make a case demonstrating a real need for these new powers, rather than just crossing items off a wish list."
On the weekend, the Washington Post hosted an online discussion with Robert O'Harrow, the author of "No Place to Hide: Behind the Scenes of Our Emerging Surveillance Society". They've posted a transcript on their site:
'No Place to Hide' (washingtonpost.com):
"The post-9/11 marriage of private data and technology companies and government anti-terror initiatives has created something entirely new: a security-industrial complex. In his new book, reviewed in Sunday's Book World, Post reporter Robert O'Harrow shows how the government now depends on burgeoning private reservoirs of information about almost every aspect of our lives to promote homeland security and fight the war on terror. "
This morning, I gave a presentation on privacy and investigations by professional regulators as part of an InfoNex conference on professional regulation and discipline. A PDF of the materials is here for all who may be interested.
Labels: information breaches
Monday, February 21, 2005
In the aftermath of the ChoicePoint incident, Privacy Rights Clearinghouse has produced a lengthy page on what the incident means to you and what data aggregators like ChoicePoint may have on you:
Alert: The ChoicePoint Data Security Breach: What It Means for You, and How to Find Out What ChoicePoint Knows about You:
"San Diego, CA -- Data aggregators compile in-depth dossiers of personal information on almost everyone, even though many have never heard of them, have never had an account with them, nor have given them permission to obtain personal information. Until recently, many Americans had never heard of ChoicePoint, one of the largest data aggregators. But with recent information coming to light that identity thieves opened 50 accounts to access ChoicePoint's databases of personal information, many people are just realizing that companies like ChoicePoint exist. (See www.washingtonpost.com/wp-dyn/articles/A30897-2005Feb16.html)..."
Labels: information breaches
The Internet is abuzz this morning with the exciting contents of Paris Hilton's T-Mobile Sidekick. It appears that someone hacked into the T-Mobile system and was able to get the contents of her address book, notepad and the photos she had taken with the gadget. Most of the links earlier today were to the photos themselves, which are not "safe for work".
Most of the discussion about it suggests that it may be related to the recent hacking of T-Mobile's systems (see PIPEDA and Canadian Privacy Law: Incident(s): Hacker breaches T-Mobile systems, reads US Secret Service email), but it could just as easily have been a result of someone guessing her password and accessing the system via the T-Mobile login page. I wouldn't be surprised if her password was "password".
This incident does, however, highlight the vulnerability of personal information when it is in possession of third parties. Our e-mail and address books are held by Yahoo! or Hotmail or whoever. Our voice mail resides on some telco server and our instant messages are archived. It used to be that the bad guys had to break into our homes and offices for this stuff. Now they just have to hack into one of dozens of systems. (See Schneier on Security: T-Mobile Hack).
For (safe for work) coverage of the incident, see Paris Hilton's Sidekick gets hacked. What is T-Mobile going to do about it? - Engadget - www.engadget.com and Hackers post Paris Hilton's address book online - Computerworld:
"Hackers post Paris Hilton's address book online
A copy of her T-Mobile USA cell phone address book appeared on the Web
News Story by Paul Roberts
FEBRUARY 21, 2005 (IDG NEWS SERVICE) - Hackers penetrated the crystalline ranks of Hollywood celebrity Saturday, posting the cellular phone address book of hotel heiress and celebrity Paris Hilton on a Web page and passing the phone numbers and e-mail addresses of some of Tinsel Town's hottest stars into the public realm.
A copy of Hilton's T-Mobile USA Inc. cell phone address book appeared on the Web site of a group calling itself 'illmob.' The address book contains information on over 500 of Hilton's acquaintances, including super celebrities such as Eminem and Christina Aguilera. It is not known how the information was obtained, but the release of the contact book may be further fallout from a hack of T-Mobile's servers that came to light in January...."
From the Palm Beach Post:
E-mail gaffe reveals HIV, AIDS names:
"WEST PALM BEACH - A highly confidential list of the names and addresses of 4,500 Palm Beach County residents with AIDS and 2,000 others who are HIV positive was e-mailed Thursday to more than 800 county health department employees.
Health department statistician John W. 'Jack' Nolan, who compiles data on HIV/AIDS cases for the county, sent the e-mail containing his monthly cumulative statistics report and inadvertently attached a file with the identities and addresses of AIDS patients and others who have tested HIV positive. Health department spokesman Tim O'Connor confirmed the incident...."
Labels: information breaches
The London Free Press is reporting that an Alberta military surplus store has received surplus computers that still contain information on Canadian soldiers:
London Free Press: News Section - Probe sought over military laptops:
"EDMONTON -- Alberta's privacy commissioner is calling for a federal investigation into why personal information about soldiers was on laptops turned in to an army surplus store. 'It would appear the military may have breached the federal Privacy Act and so the federal commissioner would be interested in that,' Frank Work said yesterday...."
Saturday, February 19, 2005
The Toronto Star, which has the best privacy coverage of any Canadian daily newspaper, is running an article by Thomas Walkom that highlights the amount of data about Canadians that may be in the hands of American authorities. It begins with a discussion of Canadian tax records that found their way into the possession of an American prisoner, via the Department of Homeland Security. The article also discussed the Arar case and the use of No-Fly Lists by Canadian airlines.
TheStar.com - Uncle Sam's steely glare:
"... It's safe to say she never expected to find her name, Canadian income tax summaries and social insurance number in the files of the U.S. Homeland Security Department. Indeed, if it weren't for a fluke, she probably never would have...."
Thursday, February 17, 2005
Michael Geist, in his latest Toronto Star column, argues that PIPEDA should be amended in line with California's example that requires companies to notify customers if the security of their personal information has been compromised:
TheStar.com - Revise privacy law to protect public, not offenders:
"... Recognizing that companies have an incentive to keep privacy and security breaches private, the State of California has adopted a law that requires organizations to publicly disclose privacy breaches to their customers. Although opposed by business, the law, known as SB1386, has proven wildly successful since its enactment just over 18 months ago.
The law requires companies and agencies that do business in the state, or possess personal information of state residents, to report breaches in the security of personal information in their possession. Companies must act quickly, notifying customers in writing, electronically, or by prominently posting the information on their website.
The law's impact on business practice has been dramatic. The State's Office of Privacy Protection recently surveyed California companies and found that 76 percent of surveyed companies changed their communications policies as a result of the new law; about one third of the surveyed companies changed security procedures; and almost half changed the way they used social security numbers (the U.S. equivalent of Canadian social insurance numbers)..."
All too often, it's an inside job. All too often, it's the most vulnerable who are targeted. In this case, a nurse has been convicted of stealing the identity of a patient to obtain credit:
AP Wire | 02/17/2005 | Former nurse pleads guilty to identity theft:
"ST. LOUIS - A former nurse at a St. Louis suburban hospital has pleaded guilty to using patient information to obtain credit, U.S. Attorney James Martin said Thursday.
Doris Odebunmi, 53, of St. Louis pleaded guilty to misusing a Social Security number, and faces up to five years in prison and/or a fine of $250,000. She is required to make restitution. She'll be sentenced on June 8...."
The Miami Herald has an interesting article, commenting on the irony of ChoicePoint not doing due diligence on its own customers, allowing criminals to have access to their huge cache of personal information:
AP Wire | 02/17/2005 | ChoicePoint's mission turned on head in personal info breach:
"ATLANTA - Consumer data collector ChoicePoint Inc.'s mission is to arm customers with the information necessary to verify that the people they are doing business with are who they say they are.
That selling point has been turned on its head by bandits who were given access to the company's massive database by duping it into thinking they were someone they were not.
'The irony appears to be that ChoicePoint has not done its own due diligence in verifying the identities of those 'businesses' that apply to be customers,' said Beth Givens, director of the Privacy Rights Clearinghouse, a nonprofit consumer advocacy group in San Diego. 'They're not doing the very thing they claim their service enables their customers to achieve.'...."
Labels: information breaches
Wednesday, February 16, 2005
In conversation with industry analysts, Google CEO Eric Schmidt indicated that Google may soon require usernames, passwords and personal information to use their services.
Google Discusses Strategy With Analysts - BizReport:
"- Google is likely to require its users to begin providing personal information to use some of its products and services, said CEO Eric Schmidt. Requiring people to provide their identity and a password to gain service access is common at many Web sites, but would be new for Google. Having more personal information would enable Google to offer more useful improvements, Schmidt said. He didn't provide a timetable or specify which services might require registration."
Thanks to beSpacific: User Registration Down the Road for Google? for the link.
"'Implementing PIPEDA: A review of Internet privacy statements and on-line practices'
March 18, 2005
9:00am - 5:00pm
The University of Toronto's Centre for Innovation Law and Policy at the Faculty of Law and the Faculty of Information Studies will be hosting a conference on the implementation of the Personal Information and Electronic Documents Act (PIPEDA): A review of Internet privacy statements and on-line practices.
Daniel Solove, an associate professor of law at the George Washington University Law School and an authority in the areas of information privacy law and cyberspace law, will be the keynote speaker for the conference.
The conference will take place March 18 in the Bennet Lecture hall inside Flavelle House at the Faculty of Law. There is no cost to attend the conference, but registration is required. A tentative timetable and speaker's list is now available.
For more information, contact:
Rajen Akalu - email@example.com "
I have heard that one of the panelists may be Mathew Englander.
The RFID Journal is carrying an article by Dr. Reuven R. Levary (a Professor of Decision Sciences, Cook School of Business) and three JD/MBA students from Saint Louis University on the legal and privacy aspects of RFID technology:
RFID Journal - RFID, Electronic Eavesdropping and the Law:
"Feb. 14, 2005--As radio frequency identification enters the mainstream, consumer advocates are raising concerns about the potential use of the technology for electronic eavesdropping. In Europe, there are strong laws governing the use of data gathered on consumer. In the United States, no such overarching legislation exists. So the question is: What laws currently on the books, if any, in the United States could protect consumers against invasion of privacy using RFID systems? And what are the legal ramifications for companies that use the technology in a retail setting?. ..."
Tuesday, February 15, 2005
The Boston Channel WCBV-TV is carrying a report about intrusive and more than slightly creepy questions that credit card companies are asking to verify the identity of card holders. After a string of "suspicious" purchases prompted a credit card company to put a fraud alert on a consumer's card, the customer was required to answer a number of unexpected questions to prove she is who she says she is:
TheBostonChannel.com - Money - Are Credit Card Companies Getting Too Personal?:
"... 'And they said, 'In order to get your card reactivated and take the fraud protection off, we're going to have to ask you some questions.' And she said, 'I want to warn you that some of these questions might sound a little unusual,'' Santilli said.
Unusual and, according to Santilli, invasive.
'Well, the first question was the age group of a former husband of mine,' Santilli said. 'But then the next question that came up was about my former husband's sister. And they asked me, 'In which county is she likely to live,' and they asked her name specifically.'
'I said, 'I can't believe you're asking me this.' And then she apologized again,' Santilli said.
Santilli answered the questions; Providian removed the fraud alert. But the experience left Santilli shaken.
'I was expecting to be asked my mother's maiden name, my Social Security number, maybe what I purchased that day and for what amounts. Anything else but questions about a past relationship,' Santilli said.
WJAR-TV contacted Providian. It reported Providian uses a security system that gathers information about card holders.
'When the customer calls in, we use an electronic system. It automatically generates verification questions using public sources,' Providian spokeswoman Beth Haiken said.
Where do they get that information? The station reported that companies like Providian can get it at city and town halls or anywhere else public records are available. It's all legal because they're public records, according to the station."
It's probably worth noting that this wouldn't fly in Canada. Publicly available information may be used without consent, but only for the purposes for which it is made available in the first place. I can't see that municipal records are made available for this purpose.
Labels: information breaches
This one is a biggie. One of the largest traders in personal information in the US, ChoicePoint, allowed criminals masquerading as legit businesses to trawl the personal records of thousands of Americans. ChoicePoint has notified thousands of Californians that their security has been compromised. Because only California has a law requiring such disclosure, this leads to the question of how many people are affected but are not aware of it.
MSNBC - Database giant gives access to fake firms:
"Criminals posing as legitimate businesses have accessed critical personal data stored by ChoicePoint Inc., a firm that maintains databases of background information on virtually every U.S. citizen, MSNBC.com has learned.
The incident involves a wide swath of consumer data, including names, addresses, Social Security numbers, credit reports and other information. ChoicePoint aggregates and sells such personal information to government agencies and private companies...."
Labels: information breaches
Twenty-five thousand Japanese telco customers have had their personal information leaked, according to Agence France-Presse:
Yahoo! News - Personal data on nearly 25,000 subscribers leaked: NTT DoCoMo:
"TOKYO (AFP) - Japan's top mobile operator NTT DoCoMo Inc. said it has found a leak of personal information linked to nearly 25,000 subscribers, with someone within the company likely to blame.
Private data such as names, addresses, mobile and fixed-line telephone numbers of 24,632 clients kept by the company were found to have been taken by an outsider, NTT DoCoMo said in a statement...."
Labels: information breaches
Monday, February 14, 2005
Michael Geist's LawBytes column in the Toronto Star is devoted to why he believes PIPEDA should be revised:
TheStar.com - Revise privacy law to protect public, not offenders:
"...The time has come to lift the veil of secrecy surrounding privacy and security breaches in Canada. For every case that comes to light, there is little doubt that there are many more that remain hidden from public view.
From a privacy compliance perspective, experience illustrates that mandatory reporting requirements provide an effective motivation for organizations to take their privacy and security obligations seriously. With identity theft at an all-time high, they also ensure that the public is kept informed about the security of their personal information and better positioned to monitor their credit reports and credit card activity for suspicious activity.
Former IBM CEO Louis Gerstner once noted that 'people don't do what you expect, they do what you inspect.' For Canada's privacy legislation to meet expectations, we need more inspection and better disclosure practices. A mandatory self-reporting system on privacy and security breaches would be a step in the right direction."
Sunday, February 13, 2005
SAIC, one of the leading employee-owned R&D companies in the US, has experienced a theft of computers containing personal information of its shareholders (and employees). The company does a huge amount of military work, which makes the information additionally sensitive. Not only is there a risk of identity theft, there may be national security issues as well. As reported in the Washington Post (registration required):
Break-In At SAIC Risks ID Theft (washingtonpost.com):
"Some of the nation's most influential former military and intelligence officials have been informed in recent days that they are at risk of identity theft after a break-in at a major government contractor netted computers containing the Social Security numbers and other personal information about tens of thousands of past and present company employees.... "
Labels: information breaches
Saturday, February 12, 2005
The Charlotte Observer (registration required) has an article on foreign outsourcing and customer information. Not unrealistically, companies and their customers are concerned about privacy when sending customer data overseas for processing:
Charlotte Observer | 02/12/2005 | Outsourcers are anxious to safeguard your privacy:
"Foreign companies fear bad publicity could cut into their business
Ensuring the security of customer data and other sensitive information remains a top concern of U.S. companies increasingly sending call center and computer work to lower-wage nations.
And it's a matter of survival for the foreign firms providing outsourcing services.
'If you have even one minor breach that makes it into the press, it's over,' said Rick Rossow, IT policy director at the U.S.-India Business Council in Washington. 'It's not going to take a lot for companies to pull back.'
Foreign outsourcing already is a controversial trend, blamed for eroding America's middle class by sending information-technology work overseas. Critics say it also puts consumers at risk because other countries have inadequate security and legal protections. Consumers have little recourse, critics say, if they are harmed financially by unauthorized access to their accounts and personal information."
Labels: information breaches
Friday, February 11, 2005
The first issue of the CIPPIC Bulletin has been released, but the links are unfortunately broken. Check back and hopefully it will be fixed shortly: English and French. The CIPPIC Bulletin provides an update on CIPPIC projects and activities, many of which involve advocacy and policy work on Canadian privacy law.
Labels: information breaches
It continually drives me bonkers when I read about how some organizations implement privacy laws (see below). Granted, these laws are not always easy to understand, but they usually can be implemented without completely shutting down normal business operations or even normal personal interactions.
A huge part of the problem is that the laws are not very easy to understand, particularly if you sit down and read them from beginning to end. Most laypeople have a hard enough time staying awake during the process and it is rare to actually make it through the law in one sitting. But even if you can manage to make it that far, there is little in the laws themselves to help you in translating theory to practice. (You're not alone: I've dealt with lawyers who have little understanding of the law itself, let alone how it should be implemented. A law degree does not automatically confer an ability to figure it out.)
So what's to be done? People need to be trained about what the law means and how it needs to be integrated into their operations. Front line employees don't need to memorize section 7(3)(c)(ii), but they do need to know how to do their job in this new regulatory environment. They need to know how to meet customer expectations. They need to know how to deal with circumstances where privacy laws may entail a bit more process for their customers. And they need some common sense.
On this front, I have to give full marks to the Nova Scotia Department of Justice, which recently held a series of workshops for department administrators of the Freedom of Information and Protection of Privacy Act throughout the province. And they had the good sense to include a unit on PIPEDA. Though this law doesn't generally apply to the same organizations subject to FOIPOP, it has been a major source of confusion.
CBC Manitoba - Ombudsman slams province over privacy laws:
"Tuckett says there are many cases where public officials do not use common sense in providing people with access to their own personal information.
'I had a call from somebody where they were talking to somebody in a medical doctor's office and asking about the condition of the person and the doctor came up and said, 'You know, you can't talk about your medical condition with other people in our office because it's contrary to PHIA,'' he says.
'I call it 'PHIAnoia' because, you know what it is, it's this, 'I can't share that, I can't do this.' Privacy laws were never intended to be applied so rigidly that all of a sudden you can't have normal human relations with people.'
Tuckett recommends the government should set up a training program to help its employees understand privacy and access laws. This report will be Tuckett's last as ombudsman; he is retiring as of Feb. 11."
Tyler Hamilton, a technology journalist from Toronto, has written in his blog about the practice of some retailers who still print full credit card info on sales slips. Check it out:
Tyler Hamilton: Why retailers are contributing to identity theft:
".... Word of advice: If you get a credit-card slip back from a retailer and notice that your full credit-card information is published on it, speak up. Let them know that's not acceptable, and that you may just shop somewhere else if they don't stop doing it. Otherwise, don't be surprised if you find some strange charges on future credit-card statements. "
Thursday, February 10, 2005
According to Mathew Englander's website, the Federal Court of Appeal today issued its decision with respect to his remedy. There was no order issued, but the Court did declare that Telus had contravened PIPEDA. Stay tuned for a link to the decision and some commentary on it.
Mathew Englander, privacy advocate:
"UPDATE: On February 10, 2005 the Court issued its decision on remedy. The Court declined to order Telus to comply with the Act in future, but issued a judicial declaration that Telus had contravened the Act in the past.
The Court held that Telus has infringed PIPEDA in not informing its first-time customers, at the time of enrolment, of all the purposes for which their personal information is collected and in not informing them at that time of non-published number service. On the other issue, the Court held that the fee Telus charges does not infringe the Act.
This is the first time a court has ruled that an organization breached PIPEDA."
Update: Mathew has put the decision on his site at http://www.mathew-englander.ca/fca-order-09feb2005/
A rural school in the US is planning to make its students wear RFID-embedded tags to track their movements. As a client of mine just mentioned to me, "Is this to get them used to being surveilled while they're young?"
Yahoo! News - Parents Protest Student Computer ID Tags:
"SUTTER, Calif. - The only grade school in this rural town is requiring students to wear radio frequency identification badges that can track their every move. Some parents are outraged, fearing it will take away their children's privacy. ..."
The Canadian federal government commissioned a study of Canadians' attitudes to the Anti-Terrorism Act, which is summarized in the following CP story:
Yahoo! News - Anti-terror laws spark concerns about abuse, trampling of freedoms:
"OTTAWA (CP) - Canadians worry federal anti-terrorism powers could be used to invade personal privacy, unfairly target minorities or turn neighbours into snitches, a government study has found. ...."
Labels: information breaches
Wednesday, February 09, 2005
Investigations find Alberta businesses failed to protect personal information from identity thieves
Recent investigations by the Office of the Information and Privacy Commissioner (OIPC) found that three Alberta businesses failed to protect personal information in their custody.
On November 24, 2004, Edmonton Police Service (EPS) notified the OIPC that documents containing personal information from a number of Alberta businesses were found during a police investigation. Some of the records were found in a motel room; others were subsequently turned over to police by two individuals charged with credit card fraud. The records included return of goods slips, debtor account files from a collection agency, and cell phone contracts. Personal information in the records included Social Insurance Numbers, bank account information, credit card numbers, and customer signatures.
In response to the information from EPS, Information and Privacy Commissioner Frank Work initiated investigations of Linens ‘N Things, Nor-Don Collection Network Inc., and Digital Communications Group Inc., under the Personal Information Protection Act (PIPA).
PIPA applies to private sector organizations in Alberta, and requires them to protect personal information against such risks as unauthorized access, collection, use, disclosure, copying, modification, disposal or destruction.
The investigators found that these businesses failed to protect personal information in their custody.
Recommendations from the investigations required all three organizations to contact the individuals whose information was, or may have been, exposed to identity theft. In at least one case this meant contacting hundreds of customers. Additional recommendations required the organizations to:
- ensure all records containing personal information are stored securely,
- limit access to personal information to staff on a “need-to-know” basis,
- develop procedures for storage, retention and destruction of personal information, and
- provide privacy and security training/awareness for employees.
One organization was also required to obtain computer equipment to obscure credit card numbers printed on receipts and return slips. Along with the affected individuals, these three businesses were victimized in these incidents, but each is responsible under PIPA for securing personal information.
The OIPC is advising other businesses not to put themselves in the same situation.
To obtain a copy of an Investigation Report, click the following links:
Investigation #P2005-IR-001 http://www.oipc.ab.ca/ims/client/upload/P2005_IR_001.pdf (Linens ‘N Things)
Investigation #P2005-IR-002 http://www.oipc.ab.ca/ims/client/upload/P2005_IR_002.pdf (Nor-Don Collection Network Inc.)
Investigation #P2005-IR-003 http://www.oipc.ab.ca/ims/client/upload/P2005_IR_003.pdf (Digital Communications Group Inc.)
Up to now, one of the loudest advocates of having the Privacy Commissioner "name names" has been Michael Geist (see Geist: Revise privacy law to expose offenders, block snoops, Article: Weak enforcement undermines privacy laws). Two additional voices have been added to the chorus, according to this article in The Toronto Star:
TheStar.com - Pressure builds to name privacy-law offenders:
"Canadians had high expectations of a new privacy act that came into force on Jan. 1, 2004, designed to safeguard personal information in the private sector.
But the high hopes have not been fulfilled, according to two recent critical reports.
The Personal Information Protection and Electronic Documents Act (PIPEDA) "has not been kind to consumers," says the Public Interest Advocacy Centre.
People who bring a complaint to the privacy commissioner are free to make the full findings public.
But few do.
Similar arguments are made by Chris Berzins, a lawyer with the Ontario labour ministry, in an article published in the Canadian Journal of Law and Technology.
"The all but categorical refusal to reveal the names of complaint respondents," he says, "has a number of unfortunate results."
- It greatly undercuts the instructive value that complaint investigations might have.
- It deprives companies of the recognition they deserve when they comply with the law.
- It unjustly rewards companies that flout the law.
- It penalizes consumers who are unable to make informed privacy decisions.
- It prevents the market from rewarding or penalizing companies based on the public's awareness of privacy practices.
- It makes it difficult to assess the effectiveness of the commissioner's office in promoting compliance.
I am of two minds on this issue. I have acted for a number of companies that have been complained about. In most cases, the matters complained about are relatively minor and the situations that gave rise to the complaints were inadvertent mistakes. In at least one case, they resolved the matter long before the complaint ever went to the Commissioner, leaving us scratching our heads as to why they decided to proceed in that manner. It would be unfair to penalize companies acting in good faith that make an honest mistake, fix it and move on. But in cases where the consequences of the violation are significant or the violation was a result of not being concerned about customer privacy, naming names may provide a wake-up call.
Tuesday, February 08, 2005
The Electronic Frontier Foundation has just released an interesting software product to assist online service providers in limiting the information that they collect from users. I'd describe it, but I might as well let EFF speak for itself:
EFF: Best Practices for Online Service Providers:
"Online service providers (OSPs) are vital links between their users and the Internet, offering bandwidth, email, web, and other Internet services. Because of their centrality, however, OSPs face legal pressures from all sides: from users, industry, and government. Here we offer information for people who run and use OSPs in order to help them make sound, ethical decisions about how to safeguard private data and preserve freedom of expression online.
Legal and Technical Policy Suggestions for Data Logging
As an intermediary, the OSP finds itself in a position to collect and store detailed information about its users and their online activities that may be of great interest to third parties. The USA PATRIOT Act also provides the government with expanded powers to request this information. As a result, OSP owners must deal with requests from law enforcement and lawyers to hand over private user information and logs. Yet, compliance with these demands takes away from an OSP's goal of providing users with reliable, secure network services. In this paper, EFF offers some suggestions, both legal and technical, for best practices that balance the needs of OSPs and their users' privacy and civil liberties. "
Monday, February 07, 2005
Alessandro Monteleone has sent me a link to his site http://www.dataprotection.it. The front page is mostly in Italian, but his site includes an English version of the Italian personal data protection code, along with some commentary. Worth bookmarking.
Labels: information breaches
Sunday, February 06, 2005
The Washington Post (via Yahoo! News) is carrying a lengthy story about errant bank statements and tax documents. A fellow in Minnesota has been receiving piles of mail from a bank that was meant for various others of its customers. Despite repeatedly sending it back marked "Return to sender. Don't send me other people's banking information," the problem persisted.
While accidents do happen, the bigger problem is the inattention to the problem on the part of the bank and the amount of effort that it finally took to get it to stop.
Yahoo! News - Your Statements Went Where?
...Because of a few wayward keystrokes by a clerk at a bank processing center, Pirozzi has for nine months received the financial statements of scores of strangers, many of whom are Washington area residents and all of whom had had Wachovia Corp. escrow accounts.
Pirozzi tried desperately to get the problem fixed once the first batch arrived last spring, but he says that no one at the bank or at a local title company that helped establish the accounts took action on his repeated calls. It was only in the past few weeks, after Pirozzi began receiving strangers' tax forms and after inquiries from a Washington Post reporter, that both companies began to investigate.
"I potentially have access to their Social Security numbers and their names. I also have their bank account numbers. That's very private information," Pirozzi said. "I don't know what I could do with all of that -- I don't have a criminal mind. But there are definitely opportunities."
Privacy experts agree.
"This is a raft of sensitive financial information that would be an identity thief's dream," said Travis Plunkett, legislative director of the Consumer Federation of America.
Experiences like Pirozzi's are rare in an industry that depends on sophisticated computers and software to shuffle billions of transactions a day. But it nevertheless points to the vulnerabilities in systems that have become so highly automated that small errors in the management of databases can quickly become amplified into major security breaches, consumer advocates say. They say, too, that the lack of a prompt response from the companies involved reflects a broader problem with financial institutions not doing all they can to safeguard their clients' private information.
Labels: information breaches
Saturday, February 05, 2005
If you put it online -- anywhere -- odds are that Google will find it. Students of Johns Hopkins have found out the hard way. Student information was put online in an obscure place, but it wasn't obscure to Google. The school is renumbering more than two thousand students as a result of the leak. According to one student:
The Johns Hopkins News-Letter - J-CARD numbers leaked on Internet:
'For some reason, I don't have much confidence in the security measures at this school,' said Matt Bassett, a junior. 'This is just another example of a security failure; they can't even keep our personal information safe on the Internet.'
Industry Canada has gazetted its proposed cabinet order exempting Ontario's "health information custodians" from the application of Part I of PIPEDA. It is no surprise that the federal government considers the Personal Health Information Protection Act to be "substantially similar" to PIPEDA.
The notice in the Canada Gazette is soliciting comments within the next fifteen days.
"Vol. 139, No. 6 — February 5, 2005
Health Information Custodians in the Province of Ontario Exemption Order
Personal Information Protection and Electronic Documents Act
Department of Industry
REGULATORY IMPACT ANALYSIS STATEMENT
(This statement is not part of the Order.)
Part 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA) establishes rules to govern the collection, use and disclosure of personal information by organizations in the course of commercial activity. Part 1 of the Act was implemented in two stages. On January 1, 2001, the Act applied to the collection, use and disclosure of personal information in connection with the operation of federal works, undertakings or businesses and to the disclosure of personal information for consideration outside a province. On January 1, 2004, the Act's reach was extended to all collections, uses and disclosures of personal information in the course of commercial activity, either within, or outside a province. Pursuant to paragraph 26(2)(b) of the Act, the Governor in Council may, by order, if satisfied that legislation of a province that is substantially similar to PIPEDA applies to an organization, a class of organizations, an activity or a class of activities, exempt the organization, activity or class from the application of PIPEDA in respect of the collection, use and disclosure of personal information within the province.
Under the trade and commerce power conferred on Parliament by subsection 91(2) of the Constitution Act, 1867, PIPEDA establishes a set of economy-wide principles and rules for the protection of personal information. The Act helps to build trust and confidence in the Canadian marketplace, while encouraging provinces and territories to develop their own privacy laws in a manner that addresses their particular needs and circumstances. To this end, the Government of Canada included provisions in PIPEDA to exempt from the federal Act organizations or activities subject to provincial or territorial laws that are deemed to be substantially similar.
On August 3, 2002, Industry Canada published the policy and criteria used to determine whether provincial or territorial legislation would be considered as substantially similar. PIPEDA provides a standard around which provinces can legislate. Under the policy, laws that are substantially similar provide privacy protection that is consistent with and equivalent to that in the federal Act; incorporate the ten principles in the CSA Model Code for the Protection of Personal Information, CAN/CSA-Q830-96, found in Schedule 1 of PIPEDA; provide for an independent and effective oversight and redress mechanism with powers to investigate; and restrict the collection, use and disclosure of personal information to purposes that are appropriate or legitimate. In recognizing such laws as substantially similar, PIPEDA provides a common standard for privacy protection across both federal and provincial domains.
The Ontario Personal Health Information Protection Act, 2004 (PHIPA) which came into force on November 1, 2004, sets rules that health information custodians must abide by when collecting, using and disclosing personal health information within the Ontario health care system. PHIPA is substantially similar to PIPEDA. The purpose of this Order is thus to exempt from PIPEDA those health information custodians, as defined in PHIPA, in respect of the collection, use and disclosure of personal health information that occurs within the province of Ontario, in the course of commercial activity. PIPEDA will continue to apply to the collection, use and disclosure of personal health information outside the province, in the course of commercial activity.
The legislative framework in Part 1 of PIPEDA requires that exemptions for organizations, classes of organizations or an activity or class of activities subject to provincial or territorial laws that are substantially similar to the federal Act be done through Order in Council. There are no alternatives to exempt from PIPEDA health information custodians subject to the Ontario PHIPA.
Benefits and costs
The alignment of federal and provincial/territorial legislative regimes for the protection of privacy makes privacy laws easier for individuals to understand and simpler for organizations to implement. Harmonization of privacy rules within the Ontario health care system creates a consistent and seamless set of rules with regard to the protection of personal health information, covering all custodians operating in the province, thereby increasing the efficiency with which they collect, use and disclose personal health information as part of their care and treatment activities.
The Order will have no adverse cost impact on the activities of health information custodians in Ontario. To the extent that they collect, use and disclose personal health information within the Ontario health care system, health information custodians are expected to comply with the privacy rules established by PHIPA. These privacy requirements are based on the national standard set in the CSA Model Code for the Protection of Personal Information, CAN/CSA-Q830-96 that is embedded in PIPEDA and in the Ontario PHIPA. Both laws establish a set of ten fair information principles, and both have set up an independent oversight and redress mechanism.
Provincial and territorial governments, along with the general public, the health care sector and the business community have already been made aware of the federal government's commitment to exempt from PIPEDA organizations subject to provincial/territorial laws that are substantially similar to PIPEDA. During parliamentary consideration of the legislation, which included extensive hearings before the Standing Committee on Industry and the Senate Standing Committee on Social Affairs, Science and Technology, taking place between October 1998 and April 2000, and through speeches, press releases and other communications to the public, the Government of Canada has clearly indicated its intention to encourage provinces and territories to develop substantially similar privacy legislation. It further confirmed that PIPEDA would not apply to organizations subject to these laws in respect of the collection, use and disclosure of personal information, including personal health information, taking place within a province or territory.
Information was also provided on the Act's substantially similar provision when Industry Canada published its policy and criteria for determining substantially similar provincial and territorial legislation in Part I of the Canada Gazette in August 2002.
The government of Ontario, as well as the Information and Privacy Commissioner of Ontario made the request to the Government of Canada that the substantially similar nature of PHIPA be recognized and that an Order in Council be passed exempting health information custodians from PIPEDA. The Privacy Commissioner of Canada, Jennifer Stoddart, also communicated with the Government of Canada on the issue, indicating that in her opinion PHIPA meets the criteria for recognizing its substantially similar nature. She also expressed her support for an exemption order exempting health information custodians in Ontario from the federal Act.
Compliance and enforcement
This Order will confirm that Ontario health information custodians will not be subject to PIPEDA in respect of the collection, use and disclosure of personal health information. Compliance with privacy rules and enforcement of the Ontario PHIPA is delivered through the Information and Privacy Commissioner of Ontario. Following the issuance of this Order, complaints and investigations about the practices of health information custodians in respect of the collection, use and disclosure of personal health information taking place within the province in the course of commercial activity will be handled exclusively by the Ontario Information and Privacy Commissioner. The Privacy Commissioner of Canada will continue to be responsible for providing oversight in relation to the collection, use and disclosure of personal health information that crosses provincial boundaries in the course of commercial activity.
Mr. Richard Simpson, Director General, Electronic Commerce Branch, Industry Canada, 300 Slater Street, Room D2090, Ottawa, Ontario K1A 0C8, (613) 990-4292 (telephone), (613) 941-0178 (facsimile), firstname.lastname@example.org (electronic mail).
PROPOSED REGULATORY TEXT
Notice is hereby given that the Governor in Council, pursuant to paragraph 26(2)(b) of the Personal Information Protection and Electronic Documents Act (see footnote a), proposes to make the annexed Health Information Custodians in the Province of Ontario Exemption Order.
Interested persons may make representations with respect to the proposed Order within 15 days after the date of publication of this notice. All such representations must cite the Canada Gazette, Part I, and the date of publication of this notice, and be addressed to Mr. Richard Simpson, Director General, Electronic Commerce Branch, Industry Canada, 300 Slater Street, Room D2090, Ottawa, Ontario K1A 0C8.
Ottawa, January 31, 2005
Assistant Clerk of the Privy Council
HEALTH INFORMATION CUSTODIANS IN THE PROVINCE OF ONTARIO EXEMPTION ORDER
1. Any health information custodian to which the Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Schedule A, applies is exempt from the application of Part 1 of the Personal Information Protection and Electronic Documents Act in respect of the collection, use and disclosure of personal information that occurs within the Province of Ontario.
COMING INTO FORCE
2. This Order comes into force on the day on which it is registered.
The FBI has been forced to shut down its non-classified e-mail system due to a potential security breach.
Yahoo! News - Possible Breach Forces FBI To Turn Off E-Mail System:
"The FBI said Friday it has shut down an e-mail system that it uses to communicate with the public because of a possible security breach.
The bureau is investigating whether someone hacked into the www.fbi.gov e-mail system, which is run by a private company, officials said...."
Hot off the presses .... the Alberta Information and Privacy Commissioner has begun an investigation against members of the Edmonton police force for allegedly (mis)using law enforcement databases to target a journalist and the chairman of the police commission.
This is a reminder that employees are often your weakest privacy link and sensitive information in the hands of law enforcement may also be misused by otherwise authorized persons.
From the Edmonton Journal:
Edmonton Journal - canada.com network:
"EDMONTON - The province's privacy commissioner has begun an investigation into the Edmonton Police Service's handling of a drunk-driving stakeout against a journalist and the chairman of the police commission.
Frank Work notified police Chief Fred Rayner of the review Thursday, within hours of a press conference at which the chief announced that six members of the police service violated the use of police databases by querying the names of Edmonton Sun columnist Kerry Diotte or police commission chairman Martin Ignasiak.
Spokesman Tim Chander said the commissioner has launched his own investigation to ensure compliance with the Freedom of Information and Protection of Privacy Act...."
Friday, February 04, 2005
Interesting how this has only now appeared on the US radar screens. When this was only about the British Columbia and Alberta governments, the only coverage was Canadian. Now that there is some small reaction out of Ottawa, it shows up in the US media ...
UPI Intelligence Watch - (United Press International):
"Washington, DC, Feb. 4 (UPI) -- Because of security concerns related to the Patriot Act, the Canadian government will revise the wording of future federal contracts. Ottawa will attempt to blunt U.S. ability, granted under the act to tap into personal information about Canadians. The Canadian government is particularly concerned that the FBI might attempt to view sensitive Canadian data the government supplies to American firms doing business with federal departments in Ottawa. Ottawa has requested that all government agencies and departments conduct a "comprehensive assessment of risks" to Canadian information they release to U.S. companies when fulfilling work under contract. The Patriot Act gave the FBI broader access to the records of U.S. firms. Under its provisions, the FBI can apply to a U.S. court to force a business to allow access to its records, including information about Canadians, to assist with investigations involving prevention of terrorism or espionage. Canadian Privacy Commissioner Jennifer Stoddart says that if a Canadian federal entity hires an American company to process personal information about Canadians, then U.S. laws apply to the data if the work is being done in the United States. The federal Treasury Board is in charge of a working group that is drafting special clauses to be used in future business proposal requests and contracts. According a federal notice recently circulated to departments, the group is consulting with Stoddart's office on clauses "that we believe to be fundamental" to include in future request proposals and contracts. Treasury Board spokesman Robert Makichuk said the changes would "further enhance and clarify existing protection" for such things as establishing custody and control of data, ensuring confidentiality of information and setting conditions related to use and disclosure."
Wired News is carrying a story about the USA Patriot Act and the Canadian reaction to it. It isn't really news to those in the Canadian privacy community, but full points to Wired for bringing the issue to a wider community: Wired News: Canadians Fight for Privacy
Thursday, February 03, 2005
Rob Hyndman has posted a brief discussion of the controversy surrounding what should happen with the e-mail account of a US Marine who was killed in action in Iraq. His family want access to the account, but the service provider is refusing to hand it over. Among his comments, Rob writes, in "What Happens to Your Data When You Die, Redux":
"Finally, it's interesting to me that this debate is in part being presented as a debate about privacy. I don't think it ever would have occurred to me that the private letters of a person's lifetime, stored away in a dusty trunk in an attic somewhere, ought to by default be burned instead of passed on (unless a will said they should be burned), out of a desire to protect privacy. As a society, we are already comfortable with that way of treating information. Electronic information should not be treated any differently. It's not about privacy - we already have the tools to deal with that issue. And now, we have more tools - for example, the ability to offer very customized terms of service to address very specific needs. It's about service providers having failed to consider this issue adequately when they were composing terms of service ...."
I share Rob's opinion. The deceased have privacy rights (at least under Canadian law), so personal information needs to be protected. But ... Someone has to be in a position to authorize the collection, use or disclosure on behalf of the (former) individual. Someone has to be able to exercise the individual's right to access. We can't have a situation where all personal information is locked down as soon as someone dies. Logically, it should be the executor. If it is not the executor, who would it be? If you have a will, certainly the guy you choose to make sure your kids are provided for and to divvy up your stuff is trusted enough to decide what to do with your e-mail. If you want to keep something from your estate or your executor, specifying it in your will is only sensible. Or tell your ISP that you want your account erased if you die. Having to litigate something like this is a bit silly; forcing a grieving family to litigate it is even sillier.
(By the way, if you're interested in privacy and technology, you should bookmark Rob's blog.)
Further to my previous post on the hacking incident at Harvard (See: PIPEDA and Canadian Privacy Law: Incident: Harvard Hacked), the most recent edition of the Harvard Crimson has an opinion piece about the potential safety impact of this particular breach of privacy:
The Harvard Crimson Online :: Opinion:
"...Among those who could have been affected by the glitch were students with 'secure flags,' which mandate that their personal information be kept absolutely secret. The purpose of these flags is to protect students who have legitimate reason to fear a leak of this information -- celebrities or those in political asylum, or even students fearing a stalker. Health Services' mistake compromised the safety of these students...."
Tuesday, February 01, 2005
I get to spend a fair amount of time at Halifax's many universities. One thing that I've noticed is that students appear to be getting younger (and I don't think it's just that I'm getting older!) and university is an extension of high school. It's not just students, though; it's also the parents. Many parents try to keep tabs on their kids and remain very active in their lives to the point of calling professors and administrators, looking for information on what their kids are up to. They don't take kindly to being told that they don't have any right to information without their kid's consent. In Nova Scotia, student information is protected by the Freedom of Information and Protection of Privacy Act. In the US, there's the Family Educational Rights and Privacy Act of 1974.
Today's Daily Mississippian has an article on FERPA, as it's known:
The Daily Mississippian - Privacy laws exist for all UM students:
"Some students when entering college are still pressured by parents who try to control their academic affairs by invading privacy which is a violation of Federal privacy laws.
The privacy of students is a top priority for the university's administration and is protected by federal law, administrators said. Student's academic records are private and can only be released with permission from the student.
"First and foremost, we try to be sensitive to the student's privacy," said Provost Carolyn Staton. "We follow federal laws."
Student privacy is protected under the Family Educational Rights and Privacy Act of 1974. Under this act, a student must give the school permission to release any information deemed private by the act. The only information freely available is directory information, such as dates of enrollment or honors and awards received...."
IT Business has an article by Ian Palmer with an overview of many of the projects being funded by the Office of the Privacy Commissioner's contributions program: Privacy research to analyze ID theft, RFID, surveillance. (See also PIPEDA and Canadian Privacy Law: OPC announces recipients of special research funding.)
A downtown branch of the Royal Bank of Canada (aka RBC) was broken into over the weekend, resulting in the theft of a dozen computers. I'm no detective, but it sounds like the thieves were looking for personal information. Luckily, the bank reports that no personal information was compromised.
CBC Montreal - Client info safe after computer theft: Royal Bank:
"MONTREAL - The Royal Bank of Canada says no client information has been compromised in a break-in at a downtown Montreal branch.
Montreal police say thieves broke into the branch near Sherbrooke St. W. and Peel St. over the weekend and made off with about a dozen computers.
'We have instructions not to keep client information on the hard drives,' says Raymond Chouinard of Royal Bank. 'And that's what happened. We've checked. We have a monitoring system and ways to make sure that we had no loss of client information in this case.'
Chouinard says this is the first time he's heard of such a theft. He insists security measures are quite tight at the bank."
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.