The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Saturday, April 30, 2005
The privacy incidents that have gotten the most press recently in Canada have been related to misdirected faxes. To name just a few:
I've seen loads of "Faxing Guidelines" produced by organizations and privacy commissioners that include some pretty common sense suggestions to minimise the likelihood of problems. But problems almost always will occur simply because accidents to happen. (Luckily, in most cases it will be a one-off mistake.) Guidelines need to be implemented to make sure that the right people are informed of the issue and know how to practice safe faxing.
Below is a set of faxing tips I've developed over the last little while. A couple, which I've highlighted, do not appear in any other guidelines I've seen and are the results of lessons learned from various incidents I've seen or been involved with.
Implementing all of the above should significantly reduce the likelihood of problems and should also allow you to identify any problems before they get out of control.
The Information and Privacy Commissioner of Alberta has sent a pharmacy back to the drawing board after it attempted to charge an additional $40.00 "professional fee" to process an access request. Read Order H2005-002 here. As is the practice in Alberta, the Commissioner named the offending pharmacy.
Friday, April 29, 2005
As an aside, the DMNews' lists make interesting reading. My fave so far is a list of people who have recently purchased a firearm or have inquired about purchasing a gun for personal protection. That list might be useful for someone who wants to do something other than selling gun locks.
Labels: information breaches
What a day for privacy incidents. Brigham Young University is reporting that some nefarious character (or characters) installed keystroke loggers on systems in a campus computer lab, taking students' information: BYU NewsNet - Hackers breach Widstoe security.
Labels: information breaches
MSNBC is reporting on what is characterised as the largest breach of security and leak of personal information is US banking history. Employees are implicated in providing information on 500,000 customers to bill collectors:
Massive bank security breach uncovered in N.J. - Nightly News with Brian Williams - MSNBC.com:
"Bank employees implicated in conspiracy; 500,000 victims alleged
By Tom Costello, Correspondent
Updated: 7:22 p.m. ET April 28, 2005HACKENSACK, N.J. - In court Thursday, Orazio Lembo was described as the alleged ring leader of what police say was a massive scheme to steal 500,000 bank accounts and personal information, then sell it to bill collectors.
Lembo's alleged accomplices included branch managers and employees from some of New Jersey's biggest banks, including Bank of America, Wachovia and Commerce Bank.
All of them are accused of turning over customer bank account numbers and balance information for a profit of $10 per account. Even a state employee is accused of providing private information from state employment files...."
Labels: information breaches
Yet another American university has been hit by a breach of confidential personal information. This time, it is Georgia Southern University:
AP Wire | 04/28/2005 | Students' personal information compromised by hackers:
"STATESBORO, Ga. - Hackers broke into a Georgia Southern University server that contained thousands of credit card and Social Security numbers collected over more than three years.
The Saturday breach puts anyone who made a purchase at the university bookstores between Jan. 1, 2002, and April 25 of this year at risk of identity theft or unauthorized credit card usage, the university said Wednesday...."
A Florida television station has paid a visit to two jailed identity thieves to get their advice on how to avoid becoming a victim. Until they got caught, their job was suprisingly easy and the article is an interesting read: WFTV.com - Action 9 - ID Theft: Thieves Tell How To Avoid It.
Labels: information breaches
I've discovered that a number of corporate firewalls block access to blogspot domains, so I've decided to create a mailing list for those who would like to follow this blog but can't reach it in a conventional way. Also, there may be some who would rather that blog postings just appear in their inbox or on their BlackBerry or whatever. To susbscribe, send an e-mail to firstname.lastname@example.org.
New Yahoo! Group for PIPEDA and Canadian Privacy Law:
The Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
Group Email Addresses
Post message: email@example.com
List owner: firstname.lastname@example.org"
Finally some clarity on the privacy aspects of independent medical examinations since PIPEDA. I've had to deal with a number of these over the last year and though all my files are still winding their way through the OPC's system, it's good to see some clarity on the issue.
In this finding, a complaint was made against a physician who was working for an insurance company doing medical examinations of insurance claimants. The individual asked for access to his/her records and was denied as the physician did not keep any records provided to him/her. The individual also complained that the doctor disclosed his/her medical information without consent. The Assistant Commissioner found that both complaints were not well founded.
Commissioner's Findings - PIPEDA Case Summary #294: Denial of access and inappropriate disclosure allegations are made against a physician - March 17, 2005 - Privacy Commissioner of Canada:
An individual alleged that a physician refused to provide him with access to his personal information and disclosed a medical report about him to an insurance company without his consent. The complainant in this case also filed two complaints against the insurance company, which are discussed in greater detail in Case Summary #293.
Summary of Investigation
The complainant had been absent from work for medical reasons, and was insured under the terms of a group insurance policy between his employer and an insurance company. The physician, an independent medical consultant under contract with the insurance company, provided it with a report on the complainant's medical condition. After obtaining a copy of this report from the insurance company, the complainant wrote to the doctor requesting a copy of his file, including copies of the materials provided to the doctor by the insurance company and an independent medical examiner.
The doctor works as a non-treating medical consultant on the premises of the insurance company, approximately one day a week. His position was that he was hired by the company to provide medical opinions on disability files and that these files are owned by the company. As a result, he was not in a position to grant or deny access to them. He states that he does not keep his own files or copies of any records relating to his work for the insurance company. He dictated his report for the company, which was subsequently typed by one of its employees. The company confirmed that its employees type the reports dictated by doctor, and the report also indicated that it was first dictated and later typed.
The College of Physicians and Surgeons of Ontario has a policy for its members, governing the standards of care for non-treating physicians who prepare reports for third parties. Where the doctor is providing a report to a third party based on a file review, which was the case with the physician in question, the policy states that there is no obligation to keep notes or records. The duty to provide a copy of the report will vary according to the nature of the agreement with the third party. The policy also states:Physicians who are given... documentation to review should make a comprehensive list of all materials reviewed in preparation of the report... Once a comprehensive list of materials is prepared and the report has been submitted to the third party, the physician may keep a copy of this material in his or her file but is not obligated to do so. This background material can be returned to the third party without making a copy....
The doctor's practice appeared to be consistent with the guidelines of the Ontario College of Physicians and Surgeons.
As for the inappropriate disclosure allegation, the doctor stated that, as per his contractual obligations, he prepared a report summarizing his review of the complainant's file, which was under the control of the insurance company. In his view, he was acting as an agent of the company and thus there was no disclosure.
We reviewed the consent form the complainant signed when applying for disability benefits, and noted that he consented to the provision and exchange of information between any physician and the insurance company for the purpose of assessing his claim and providing rehabilitation assistance.
Issued March 17, 2005
Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate; and Principle 4.9 stipulates that upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information.
The Assistant Privacy Commissioner deliberated as follows:
With respect to the denial of access complaint, the Assistant Commissioner was satisfied that the information the complainant requested from the doctor was neither in his possession nor under his control, and that as a result he could not provide the complainant with access to his personal information. The Assistant Commissioner found that the doctor had not contravened Principle 4.9. She therefore concluded that the access complaint was not well-founded.
As for the disclosure complaint, the Assistant Commissioner noted that even if she did not accept the doctor's claim that he was acting under contract to the insurance company, it nevertheless was the case that the complainant had provided his consent to the exchange of personal information between the physician and the company for the purpose of assessing his claim for benefits. She therefore found that there was no contravention of Principle 4.3.
The Assistant Commissioner concluded that the disclosure complaint was not well-founded."
Apparently private companies are soon going to enter the market offering to host people's health records. This can be an obvious benefit for those who want to keep all this info in one place. Of course there are privacy risks that have to be addressed; It'll be self-regulation or buyer beware because HIPAA will not apply to the services:
World Peace Herald:
" Companies are expected soon to begin offering the public personal health record or PHR services, allowing individuals to maintain copies of their health records online, regardless of which doctor they may be using.
Such services could make it easier to obtain records in an emergency, and they could make life simpler for busy families that move frequently or face complicated medical situations, such as several young children on different vaccination schedules, or an elderly parent on multiple medications.
Data from such records also could be very valuable to pharmaceutical companies seeking to market new products, to researchers studying health trends or to public health officials monitoring the population for spikes in illness.
Officials are concerned, however, that data submitted to private PHR services could be packaged and sold commercially without appropriate privacy precautions or the informed permission of those submitting the data. Third-party services are not necessarily covered by the Health Insurance Portability and Accountability Act of 1996, which, among other provisions, limits the sharing of health data without the patient's express permission.
'Because of the HIPPA [sic] loophole, third parties, whether they are profit or non-profit, are not covered by HIPPA[sic],' said Paul Tang, chief medical information officer at the Palo Alto Medical Foundation in California. 'In other words, consumers and patients do not have (legal recourse and) I think that is a real concern.'..."
A teacher with the Halifax Regional School Board apparently put a confidential student list on an accessible website. It wasn't linked to from anywhere, but someone e-mailed the URL to the Halifax Chronicle Herald:
Student information posted on Internet: "
Teacher at Dartmouth school unaware confidential file could be accessed
By BARRY DOREY / Staff Reporter
School webmasters can expect a stern warning and a reminder about the dangers of their online duties after a detailed Dartmouth student list was left accessible on the Internet.
A teacher at Bicentennial School on Victoria Road posted a spreadsheet that listed the name, address, birthdate and phone number of every student.
It was posted in an area where she believed nobody would find it and there were no links to the page on the school website. But provided with the web page address, anyone could download the file.
"That information should have never been able to be accessed," said Doug Hadley, spokesman for the Halifax regional school board.
"We will be following up, we will talk to our schools this week."
Alerted to the situation by this newspaper, board officials located and removed the file within an hour Thursday night.
Mr. Hadley said the board is looking into the possibility that a hacker located the file, which was created last summer and was stashed in a private folder on the board's servers. But it was not protected by any passwords or other safeguards, meaning anyone with the URL could view the page.
"It's possible it may have been accessible for the entire year," Mr. Hadley said.
An e-mail including the web address was sent to this newspaper Thursday.
Board officials will use the incident as a "teaching moment" for all teachers or administrators who act as webmasters, he said. They will be reminded of the board's acceptable-use policy and will be warned of the perils of posting confidential information.
"This type of breach was not done with any type of (malicious) intent in mind, but we have to treat it seriously," Mr. Hadley said.
"The teacher was likely going beyond (the call of duty) and carrying the work home," where she could access information online.
The warning to webmasters, who receive general training but little in the way of followup or skills upgrading, is clear.
"Files may not be just for their eyes" if a hacker finds the page or "if someone knows what they are looking for," Mr. Hadley said.
He wouldn't speculate on any discipline that may be meted out to the teacher who made the mistake.
"I'm sure that the principal will follow up with the staff person," he said.
One parent of a Bicentennial student said the school board should be doing more to train and oversee teachers.
"It's unfortunate and I think the school board has to be more vigilant," said the father of two students.
"It's disappointing that it was not more secure."
Board policy forbids the posting of any student information without the written consent of a parent or guardian. And any files containing personal information must be protected with user names and passwords."
Labels: information breaches
Thursday, April 28, 2005
From the ZDNet IT Facts Blog:
Theft might cut Indian call center growth by 30% by ZDNet's IT Facts -- A Forrester Research report has warned that personal information theft might curb the booming Indian BPO industry's growth by as much as 30%.
Labels: information breaches
From the Vancouver Province, the City of Vancouver is considering a proposal to install a network of CCTV cameras in the downtown. There's just a bit of opposition, with civil liberties groups calling it a waste of resources:
Police raise spectre of cameras in downtown's troubled spots: Police board to hear results of British study before deciding CCTV's fate:
"....A proposal to install 23 cameras in the Downtown Eastside was shelved in 2004, pending the results of the British study.
Barwatch, an organization that works with police to try to ensure patron safety in downtown establishments, is also onside with a CCTV system.
'They did it in Kelowna and it's been very effective,' said vice-chairman Vance Campbell.
Barwatch talked with police about a downtown system in the mid-1990s, but the idea was abandoned because of privacy concerns, Campbell said.
Meanwhile, the B.C. Civil Liberties Association is opposed to the cameras as a 'colossal waste of resources' and an inexcusable invasion of privacy.
Those who claim otherwise are 'full of baloney,' said executive director Murray Mollard.
'They actually don't make a difference from an empirical point of view. I'm not even sure they make people feel safer,' Mollard said. 'It just displaces crime.'
The British study appears to support Mollard's views.
It looked at 14 systems with hundreds of cameras and evaluated their effectiveness. In the majority of the areas, crime rates actually increased.
Just two areas reported a statistically-significant reduction in recorded crime and only in one is it 'plausible that the role of CCTV was a significant factor in this reduction,' the report states.
After a legal battle pitting former federal privacy commissioner Don [sic] Radwanski against the city, Kelowna installed a permanent camera to watch a section of its downtown.
The case against the camera was tossed out of court in the summer of 2003. Mayor Walter Gray said the monitoring device is an effective crime reduction tool."
Alberta Information and Privacy Commissioner Frank Work isn't being shy about letting his feelings be known about random drug testing in the workplace, according to the Canadian Press:
Alberta's privacy commissioner concerned about random on-the-job drug testing - Yahoo! News:
"EDMONTON (CP) - Any plan by Alberta to legislate random workplace drug and alcohol testing must be based on hard evidence that testing makes worksites safer, says the province's privacy commissioner.
Frank Work made the point to Human Resources Minister Mike Cardinal in a letter earlier this month after a government-appointed committee recommended that random testing be approved.
'Any consideration of legislative change must be preceded by a thorough study of the evidence on drug and alcohol testing and workplace safety,' Work said in the letter, obtained by The Canadian Press.
'At this point, it is not even clear to what extent drug and alcohol impairment plays a role in workplace accidents. This is a classic case of the need for solid, evidence-based decision making.'..."
Here's an interesting one, via Boing Boing... a chain of spray-on tanning salons in the United States is requiring thumbprints from customers to make sure that you aren't using someone else's "unlimited session" plan. The thumbprint is even required for one-time users: Boing Boing: Arkansas salon requires thumbprint to get a tan. Of course, privacy advocates aren't too keen on the idea.
Labels: information breaches
I would have thought that issues affecting share price and the future of the company are fair game at an annual general meeting, but the organizers of ChoicePoint's AGM didn't think so. A question about the high-profile breach that are leading to regulation of their industry were considered out of order, according to ABC News and the Associated Press:
ABC News: ChoicePoint CEO Won't Discuss Breach:
"NEW YORK Apr 28, 2005 — ChoicePoint CEO Derek Smith refused to answer questions on Thursday about the security breach that allowed criminals to access the company's database, telling shareholders at the company's annual meeting that the matter was the subject of pending litigation.
"As we have previously disclosed, the company is continuing to investigate the recent fraudulent data access and other matters," Smith told about a dozen shareholders at the Waldorf-Astoria Hotel in Manhattan.
The Alpharetta, Ga.-based company announced in February that the personal information of 145,000 Americans may have been compromised when thieves posing as legitimate small business customers gained access to its database. Authorities say at least 750 people were defrauded in the scam. The scandal has fueled consumer advocates' calls for federal oversight of the loosely regulated data-brokering business, and Capitol Hill hearings are likely soon on the issue.
Smith and ChoicePoint President Douglas Curling earned $16.6 million from ChoicePoint stock sales after the company learned last fall of the security breach and before that was made public on Feb. 15.
During Wednesday's brief meeting, the shareholders voted in four new directors and approved the appointment of Deloitte & Touche as the company's independent auditor.
After reading prepared remarks, Smith answered written questions submitted by shareholders. A question relating to the security breach was deemed inappropriate and was not read aloud...."
Thanks to PrivacySpot for pointing me to this great table of state legislative iniatives to follow in California's lead in allowing consumers to put a "freeze" (not just a fraud alert) on their credit file: 2005 Consumer Report Security Freeze Legislation.
Labels: information breaches
The Federal Court of Canada has been given the opportunity to consider the powers of the Privacy Commissioner under PIPEDA to compel the production of information for which solicitor-client privilege is claimed. In Blood Tribe (Dept. of Health) v. Canada (Privacy Commissioner), Justice Mosley concluded that the Commissioner does have the power to compel information for the purposes of determining whether it is privileged:
" Having regard to the overall scheme of the statute and the Commissioner's responsibility to conduct an effective investigation, the principles enunciated by the Supreme Court of Canada in Lavallee do not, in my view, require that section 12 of the PIPED Act be given the restrictive interpretation called for by the applicant. The production order issued by the Commissioner will not limit or deny any solicitor-client privilege that the applicant may enjoy in the questioned documents. I am satisfied that in order to complete her investigation it is necessary that the claim of privilege be assessed by the Commissioner to determine whether it properly applies to the questioned documents or not. That will not prevent the applicant from continuing to assert the claim in any other proceedings that may arise in relation to the complaint.
 Accordingly, the Commissioner correctly exercised her authority to issue the production order and this application will be dismissed. As the question of interpretation of the scope of the PIPED Act in relation to solicitor-client privilege appears to have arisen for the first time in these proceedings, I will exercise my discretion to make no order of costs in favour of the successful party."
This was a judicial review of the Commissioner's order and the standard of review applied in this case was correctness.
Thanks to David Akin, who left a comment on my previous post about errant faxes from the Bank of Montreal (PIPEDA and Canadian Privacy Law: BMO investigating faxes sent to wrong machine) correcting me ... it was Mike King with the Montreal Gazette who broke this story.
There's no shortage of articles and incidents on this topic, but it bears repeating over and over again: don't chuck your computers without wiping the hard-drives:
The Globe and Mail: Don't leave your company secrets in the trash:
"Whether your business is operating on a single computer or you have an office full of equipment, eventually you'll have to buy new gear. The question is: When you get rid of the old computers, are you giving away more than you think?..."
Labels: information breaches
The Washington Post is reporting on the interesting practice of a Canadian online retailer that has been demanding social security numbers from American customers. Weird.
Whoa, Canada: SSN Request Doesn't Add Up:
"Gaithersburg reader Denise McQuighan was ordering a pair of $269 Mission D3C roller hockey skates for her son, Patrick, from an online Canadian sports-equipment retailer recently, but she stopped cold when the order form required her Social Security number.
'The Web site indicated that this was needed by the U.S. Customs agents for some reason,' says McQuighan, who knows better than to hand out her Social Security number (SSN) to just anyone who asks for it.
McQuighan told Patrick to find different skates -- from a U.S. company. 'But could you tell me,' she asks via e-mail, 'is there some requirement to provide a SSN to order something from Canada?'
The policy statement at the retailer's Web site, http://www.hockeygeeks.com , says: 'We require a Social Security number for U.S. customers or else products cannot cross the border and failure to provide this information will result in delayed or even non-shipment.'..."
Labels: information breaches
More than 100 women were sufficiently upset to complain to the Saskatchewan Privacy Commissioner after finding out their cancer test results are routinely shared with the province's cancer agency. The Commissioner's report is available here and CBC's coverage is below:
CBC Saskatchewan - More than 100 women complain after test info shared:
"Last Updated Apr 27 2005 04:38 PM CDT
REGINA – Women in Saskatchewan should have the option of keeping their Pap test results to themselves, rather than having the data go to the province's cancer agency automatically, Privacy Commissioner Gary Dickson says.
On Wednesday, Dickson said more needs to be done to protect women after more than 100 complained of receiving copies of their test results in the mail.
Many women had no idea their private health information and cervical cancer test results were sent to the Saskatchewan Cancer Agency.
"I opened it up and was shocked," recalled Anemarie Buchmann-Gerber of Saskatoon, who thought she received a piece of junk mail. "There was my information from an agency I had never heard of. There were the results of my test."
Thousands of other women received their cancer test results the same way. In some cases, the results were sent to a woman's ex-husband or parents.
"The agency did not have in place what I determined would be all the safeguards," Dickson concluded after a year-long investigation.
Dickson's report recommends doctors do a better job of telling women that their test results will be shared with the province's cancer agency.
Women who don't want to participate in the cancer agency's research should be able to opt out, Dickson said.
Other women said they didn't mind receiving a letter notifying them of their results, or reminding them to get tested.
Hilary Craig has been cancer-free for more than 10 years, but wishes a health professional suggested having a mammogram years ago.
"I would have gone and had my mammogram," the Regina resident said. "Instead, I realized with a terrible sinking heart when I felt the lump. I wondered how much growth happened between when I hadn't went for a mammogram and the time that I had the lump found."
Early detection is critical to many cancer treatments. The cancer agency notes the information they collect is saving lives, but it acknowledges it will have to factor in privacy concerns in using the statistics."
The Alberta Information and Privacy Commissioner has released his report following an investigation of police using their information systems to target two individuals for an "improper purpose":
OIPC:This incident was originally reported at PIPEDA and Canadian Privacy Law: Edmonton cops investigated for misusing law enforcement databases. The Calgary Herald is also covering this story: Commissioner says police violated privacy laws.
"Investigation Report F2005-IR-001
Investigator finds EPS members used personal information in contravention of the FOIP Act. It was alleged that members of the Edmonton Police Service (EPS) inappropriately used the service's information systems and the Canadian Police Information Centre (CPIC) in relation to two individuals for an improper purpose.
Click to view more information Investigation Report F2005-IR-001"
Wednesday, April 27, 2005
Video surveillance has its detractors, many of whom point to accusations like this one from a Casino in Atlantic City: ABC News: Casino Camera Operators Accused of Ogling.
Labels: information breaches
Tuesday, April 26, 2005
PrivacySpot is reporting that patient information from a Houston hospital was on a stolen computer being used by a service provider to digitize records. Though the information was encrypted and password-protected, the hospital has terminated its contract with the service provider: St. Joseph Hospital Medical Records Stolen | PrivacySpot.com - Privacy Law and Data Protection. See also Health Care Blog Law : Theft of Computers from Texas Hospital Involve 16,000 Patient Records.
CTV is breaking another story about misdirected faxes affecting another chatered bank: CTV.ca | BMO investigating faxes sent to wrong machine.
Labels: information breaches
Monday, April 25, 2005
In many cases, employees are the weakest privacy link. Police in Washtington DC have arrested a Blockbuster clerk for stealing the identities of customers, based on information used to apply for Blockbuster membership cards: nbc4.com - News - Blockbuster Clerk Charged In Identity Theft Case.
Offshoring of medical information processing is not only a concern in North America ... Australians are also raising it as an issue:
Alarm as private medical files go offshore - Next - http://www.smh.com.au/technology/:
"... Lyndie Arkell, CEO of Melbourne-based Ozescribe, believes sending such sensitive information overseas could breach Australia's national privacy legislation and certainly puts that information at risk. Ms Arkell points to a recent case in the US in which a woman in Pakistan who had been transcribing medical documents for doctors in America threatened to post patient details on the internet unless she was paid money that she claimed was owing to her...."
Labels: information breaches
Computerworld is reporting that credit card issuers in the United States are about to implement tougher security standards for their merchants:
Merchants Face Deadline for Data Safety - Computerworld:
"APRIL 25, 2005 (COMPUTERWORLD) - Companies that manage credit card information have just over a month to comply with new data-protection requirements being pushed by MasterCard International Inc. and Visa U.S.A. Inc. amid growing concerns about identity theft and fraud...."
Bill to require notification when info illegally accessed :
"... Legislation pending before the Illinois Senate calls for companies to reveal when such breaches occur. House Bill 1633, which would create the Personal Information Protection Act, passed the Illinois House by a vote of 96 to 12 on April 14. It's now in the Senate rules committee. So far, it has 37 Republican and Democrat sponsors, including Rep. Naomi Jakobsson, D-Champaign, and Rep. Bill Black, R-Danville...."
The New York Times is reporting that a private equity firm is about to buy DoubleClick, a company that has repeatedly been in the privacy crosshairs: The New York Times > Business > Equity Firm Is Set to Buy DoubleClick.
Rob Hyndman is blogging about the resolution to the battle over a dead Marine's e-mail account: robhyndman.com - Yahoo Settles Dispute Over Deceased Marine's Data.
Labels: information breaches
Shaw Communications Inc. appears to see its approach to protecting customer privacy to be a competitive advantage and important to its customers. It has issued the following press release, just to make sure you know what side they are on:
Shaw will Continue to Defend Customer Privacy: "
Monday April 25, 8:05 am ET
CALGARY, Alberta--(BUSINESS WIRE)--April 25, 2005--Shaw Communications Inc. announced today that it strongly opposes an appeal by the Canadian Recording Industry Association ("CRIA") in the Federal Court of Appeals that would require the Company to disclose personal information about its Internet customers who share or swap music files. Shaw appeared in front of the Federal Court of Appeals to reaffirm this position.
In March 2004, the Federal Court of Canada confirmed that Canadian Internet Service Providers ("ISPs") like Shaw are not required to disclose personal information about their Internet customers to representatives of the CRIA. The Court's decision fundamentally underscored the importance of protecting the privacy of Canadian Internet users. CRIA is seeking to overturn the decision.
"We will continue to defend and safeguard the privacy of our customers," said Jim Shaw, Chief Executive Officer of Shaw. "We have a responsibility to our customers to ensure that their privacy is respected and protected and we will remain steadfast in this position."
Shaw Communications Inc. is a diversified Canadian communications company whose core business is providing broadband cable television, Internet, Digital Phone and satellite direct-to-home ("DTH") services to approximately 3.0 million customers. Shaw is traded on the Toronto and New York stock exchanges and is a member of the S&P/TSX 60 index (Symbol: TSX - SJR.NV.B, NYSE - SJR).
Shaw Communications Inc. (TSX:SJR.NV.B - News; NYSE:SJR - News)
Shaw Communications Inc.
FCW, which bills itself as your "Government IT Resource", is running an article on the US government's use of the services of data aggregators. It also has a summary of legislative initiatives to regulate them, incuding the following:
Shopping for data:
"Federal lawmakers have introduced 18 cybersecurity bills and state legislators have offered 30 bills to regulate the use of personal information and to respond to growing online threats stemming from spyware, phishing and other pernicious activities on the Internet.
Here are a few highlights from bills proposed by Sen. Dianne Feinstein (D-Calif.) and Sens. Charles Schumer (D-N.Y.) and Bill Nelson (D-Fla.):
S. 751 (Feinstein):
Would require any agency or company that collects personal information to notify potential victims of identity theft when a security breach is discovered.
Would impose a fine of up to $50,000 a day for each day that a company fails to notify victims about unauthorized access to personal information. S. 768 (Schumer-Nelson):
Would create an Office of Identity Theft at the Federal Trade Commission to help victims of identity theft.
Would require any company that holds sensitive personal information to take reasonable steps to protect it. "
Sunday, April 24, 2005
Today's New York Times Magazine has a piece on identity theft and risks to personal information: The New York Times > Magazine > The Security Adviser: You've Been Sold:
"... To fight thieves and terrorists, maybe Congress needs to come up with an identity-protection bill of rights. Of course, companies that have insecure networks and databases, or those that make money with sensitive data about you, may disagree."
Labels: information breaches
Saturday, April 23, 2005
Today Rob Hyndman asks: Is Your Shoe Spying on You?. Looks like we'll need to ditch the cell phone, pay cash, wear wooden shoes and take the batteries out of our toques to make sure we aren't generating discoverable evidence...
Labels: information breaches
Friday, April 22, 2005
According to the Globe and Mail, the Genuity and CIBC litigation has been turned up a notch by inlcuding a claim by former employees that CIBC invaded their privacy. The employees are seeking a million dollars in damages each from the bank: The Globe and Mail: Genuity fires back at CIBC.
This is the grossest privacy incident I've chronicled on this blog. Medical information, including blood and stool samples, have been stolen from a medical clinic in Chicago. Apparently, social security numbers were also part of the haul: ABC7Chicago.com: Blood, medical records stolen.
Labels: information breaches
Thursday, April 21, 2005
From the Daily Yomuiuri On-Line:
DoCoMo staffer held over leak :
"The Metropolitan Police Department has arrested a 41-year-old temporary employee who formerly worked for NTT DoCoMo Inc. over a leak of clients' personal data. "
Interesting. I seem to recall a Canadian case that held data is not property and therefore can't be stolen. You'd have to find some sort of breach of trust to actually arrest someone.
Another interesting comment from the article:
"According to NTT DoCoMo, the walls of the secure room are glass and six security cameras record the movements of everybody who enters or leaves all day, every day.
To enter the room, a person must pass security checks, including an iris biometric identification system, company executives said.
Security analysts said the incident showed that the most advanced security systems could not prevent an insider from stealing data."
Labels: information breaches
It's interesting to learn that the ISPs are not unanimous in the Federal Court of Appeal battle over the disclosure of subscriber information to the recording industry. One of them is siding with the recording industry:
Videotron says it's ready to ID owners of IP addresses accused of song piracy:
"Producing the identities of Internet users alleged of wrongdoing happens so regularly, says a lawyer for Videotron, that he's bewildered as to why other ISPs are fighting a motion from the music industry to hand over the names of people who share large volumes of songs online.
"We do it on a regular basis. It's not very complicated," said Serge Sasseville, following the conclusion of weighty Federal Court of Appeal hearings about file-swapping, which could lead to the start of lawsuits against so-called music pirates.
Videotron has aligned itself with the music industry's motion saying it agrees that putting songs in a shared directory on peer-to-peer networks like Kazaa and IMesh constitutes copyright infringement because it allows users to copy and download the material for free...."
Labels: information breaches
Another week, another university privacy incident. This time, it's Carnegie Mellon University in Pennsylvania:
Carnegie Mellon Says Computers Breached:
"Carnegie Mellon University is warning more than 5,000 students, employees and graduates that their Social Security numbers and other personal information may have been accessed during a breach of the school's computer network..."
Labels: information breaches
A box of documents, labeled as "Material for Shredding" was left in front of a recycling bin at a Thunder Bay landfill. In the box were documents related to student loan applicants, including social insurance numbers, financial statements and other sensitive information. The Information and Privacy Commissioner of Ontario has begun an investigation:
Privacy botched: Copies of OSAP documents land at dump (Thunder Bay Chronicle-Journal):
"By Stephanie MacLellan - The Chronicle-Journal
April 21, 2005
The Ontario privacy commissioner’s office is investigating after confidential information from the Thunder Bay office that runs Ontario’s student loan program turned up in the John Street landfill Tuesday.
Some papers found in the landfill listed social insurance numbers, income information and home addresses for Ontario Student Assistance Program applicants.
Four boxes from the student support branch of the Ministry of Training, Colleges and Universities, located in the Ontario government building on Red River Road, were discovered by a custodian Tuesday at about 3:30 p.m. They were stacked in front of a paper recycling bin at the landfill.
The boxes were labelled, “Material for shredding,” but the papers were intact. The boxes have been retrieved and the Office of the Information and Privacy Commissioner has launched an investigation, said office spokesman Bob Spence.
“We look into what did happen and make a series of recommendations,” he said Wednesday.
Charges won’t be laid unless it’s shown someone intentionally violated the Freedom of Information and Protection of Privacy Act, he said.
The student support office runs the provincial student loan program, known as OSAP. Two boxes contained “garbage,” and the other two held filed copies of correspondence between staff and OSAP applicants that included personal information, ministry spokeswoman Linda Nicolson said.
“Those were not the original documents, but the working copies the staff works with,” she said.
Those copies were to be shredded before they were thrown out, she said.
She said it wasn’t clear what was included in the “garbage” boxes, or how long the boxes sat in the landfill.
Office staff notified the ministry after the boxes were found, and the ministry immediately contacted the privacy office, Nicolson said. The ministry has also launched its own investigation into the incident.
“We want to make sure that we’re following the best practices, in terms of the records that are kept in the OSAP office,” she said. “We want to make sure that this doesn’t happen again, and that we do whatever we have to do to ensure that.”
Documents that arrive at the student support office are scanned into a computer imaging system, with the paper copies stored for six months, Nicolson said. After that, they are transferred to a government records storage facility, where they are stored for 20 years, then destroyed.
Reino Viitala, a custodian at a Thunder bay seniors’ home, discovered the boxes Tuesday afternoon when he made his weekly stop at the landfill. They drew his attention because they were sitting in front of a paper recycling bin, which was overflowing.
He was hoping to reuse the file boxes, until he realized they contained personal information.
“Social insurance numbers, addresses, names, financial statements, the whole bit,” he said. “I was concerned. . . . I know how sensitive that information is.”
He said one of the boxes was partially open and papers were escaping.
Viitala called the phone number on one of the forms and reached the student support office. He reported the boxes and waited at the landfill for over an hour until someone showed up to collect them, he said. He left after he helped her load the boxes into an SUV.
Spence said there is a danger of identity theft if this kind of information ends up in the wrong hands.
“Identity theft rarely happens, but it can happen, and that’s one of the reasons care has to be taken in the destruction of records,” he said."
Hmm. Not sure if identity theft "rarely happens"...
Arguably, the title of this article should be "Health care providers stop facilitating ID thefts": Health care providers help foil ID thefts - 04/15/05.
Labels: information breaches
Wednesday, April 20, 2005
Scott Granneman, in The Register, joins the chorus of those calling for stronger privacy laws in the United States:
Privacy from the trenches | The Register:
"... I hate to involve the government unless it's necessary, but I think something's got to give here. We can't rely on companies, schools, and organizations policing themselves. That's obviously a terrible failure. We need federal legislation to mandate that organizations that experience data thefts must notify those affected by the breach in a timely manner. As Mark Rasch stated earlier this week, recent legislation was passed that requires this for all financial institutions in the U.S., but all other companies are still off the hook. Right now, a few states have such a law -- California is one, which is why ChoicePoint even had to make its embarrassing revelation in the first place -- but there is no federal, all-encompassing requirement for anything but financial institutions (and even that law is very recent). This needs to change, and soon. Other states have proposed legislation, but it varies from state-to-state. A new federal law would be a great start. Right after that, a few class-action lawsuits against particularly egregious carelessness might also wake companies and schools up to the necessity of protecting data. Again, I don't like bringing in the lawyers, but to paraphrase the great Dr. Samuel Johnson, 'Depend upon it, sir, when a man knows he is to be sued in a fortnight, it concentrates his mind wonderfully.'..."
Wired News is reporting that a recently-acquired division of embattled ChoicePoint is changing its practices by notifying individuals if a negative criminal records check has been disclosed:
Wired News: ChoicePoint Division Changes Tack:
"...On Tuesday, the company sent an e-mail to customers announcing that it is implementing 'a new compliance policy.' Effective April 25, whenever a customer runs a background search on someone through the Rapsheets database for employment- or volunteer-screening purposes and the search unearths a criminal record for that person, Rapsheets will automatically notify the person and provide him or her with a copy of the background report and the name and address of the organization that requested it...."
Earlier this week, the GAO of the United States reported that problems with the Internal Revenue Service's computer systems may threaten the privacy and security of taxpayer information. Computerworld coverage: IRS security flaws expose taxpayer data to snooping, GAO finds - Computerworld.
Labels: information breaches
According to Inside Bay Area, a band of ID thieves has been targeting San Francisco area car dealerships to acquire personal information: Protecting consumers' personal information may not be possible
Labels: information breaches
The Security Rule under the Health Insurance Portability and Accountability Act goes into effect today in the United States:
Jacksonville.com: Metro: Patient privacy law on data takes effect 04/20/05:
"...Today's deadline applies to the law's Security Rule, which requires that doctors' offices, hospitals and health insurance companies establish rigid programs to ensure the privacy of personal health information of their patients and clients. The rule specifies three types of safeguards that must be put in place -- administrative, physical and technical -- as well as a risk analysis which each entity must perform to guarantee the system works...."
Universities in Illinois are joining the twenty-first century by taking social security numbers off student cards and using them as student numbers: AP Wire | 04/18/2005 | Illinois universities take steps to combat identity theft.
Tuesday, April 19, 2005
When I give presentations and teach about privacy, I always start with a discussion of "what is privacy". The concept means very different things to people, depending upon their background and the baggage they bring to the discussion. to help us wade through this, Daniel Solove, of George Washington University Law School has written an article in the U. Penn Law Review that addresses the vocabulary and taxonomy of the slippery concept of privacy:
SSRN-A Taxonomy of Privacy by Daniel Solove:
"Privacy is a concept in disarray. Nobody can articulate what it means. As one commentator has observed, privacy suffers from 'an embarrassment of meanings.' Privacy is far too vague a concept to guide adjudication and lawmaking, as abstract incantations of the importance of 'privacy' do not fare well when pitted against more concretely-stated countervailing interests.
In 1960, the famous torts scholar William Prosser attempted to make sense of the landscape of privacy law by identifying four different interests. But Prosser focused only on tort law, and the law of information privacy is significantly more vast and complex, extending to Fourth Amendment law, the constitutional right to information privacy, evidentiary privileges, dozens of federal privacy statutes, and hundreds of state statutes. Moreover, Prosser wrote over 40 years ago, and new technologies have given rise to a panoply of new privacy harms.
A new taxonomy to understand privacy violations is thus sorely needed. This article develops a taxonomy to identify privacy problems in a comprehensive and concrete manner. It endeavors to guide the law toward a more coherent understanding of privacy and to serve as a framework for the future development of the field of privacy law. "
Thanks to Bruce Schneier for the link: Schneier on Security: A Taxonomy of Privacy.
MSNBC is reporting that DWS Shoe Warehouse under-reported the impact of their earlier privacy incident by a factor of ten: 1.4 million exposed in shoe data breach - Consumer Security - MSNBC.com. For the posting of the original reports, see PIPEDA and Canadian Privacy Law: Incident: Shoe chain says customer data stolen.
MSNBC is reporting that online brokerage Ameritrade has begun warning two hundred thousand current and former customers that their personal information (including social security numbers) is on a lost backup tape: Ameritrade warns 200,000 clients of lost data - Consumer Security - MSNBC.com.
Labels: information breaches
Monday, April 18, 2005
Organizations, large and small, must make sure that all employees are aware of their privacy obligations. There has to be a mechanism to ensure that all privacy-related incidents, large and small are brought to the attention of a senior officer, whose job includes constant awareness of the big picture and what is going on. The problem at CIBC was that each individual fax was a "minor incident" that was probably easy to dismiss as a "one off". When this happens hundreds of times, and nobody thinks to report it to senior management, it can quickly turn into a major disaster. There hasn't been any suggestion (yet) that anyone has been harmed as a result of this incident, but the bank has been working overtime to address customer concerns.
The Commissioner also notes, in her press release:
In light of these events and other current investigations by the Office of the Privacy Commissioner into similar cases involving misdirected faxes within the banking sector, we strongly urge all organizations subject to PIPEDA to assess their policies and privacy management practices and address any shortcomings.
The current environment of identity theft and increased concern about privacy among the general public means that this is no longer an issue that businesses can afford to become complacent about. "Can this incident happen to us?" is a question that has to be asked. For too many businesses, the answer is yes and, for some, it is merely a matter of time.
For more coverage, see
Sunday, April 17, 2005
Thanks to Rob Hyndman for pointing me to David Akin's blog, where he is reporting that the Privacy Commissioner is going to release her report on the CIBC faxing incidents tomorrow: David Akin's On the Hill :: Privacy Commission on CIBC missing faxes.
For some background, see the following previous postings:
Should be interesting reading ...
Labels: information breaches
Saturday, April 16, 2005
USA Today has a breathless article about legislative initiatives to fight the recent wave of "cybercrimes". Hmm. They cite the Lexis-Nexis and ChoicePoint incidents, but fail to mentin that neither was a "cybercrime." Good old fashioned fraud. If you want, give it a read:
Yahoo! News - Rules aimed at digital misdeeds lack bite:
"Federal and state lawmakers, compelled by headlines of a computer-crime wave, are scrambling to introduce bills that would tighten cybersecurity and make it easier for prosecutors to file charges and impose stiffer penalties.
Digital thieves have rarely been so audacious. Data breaches at ChoicePoint, LexisNexis, the University of California and elsewhere, in which the personal records of thousands of Americans were pinched, underscore the brazen tactics of criminals marauding like gunslingers on a lawless Internet, security experts say...."
CNET's Security Blog says that a representative of Polo Ralph Lauren called CNET to tell them that the recent incident was the result of inappropriate storage of customer information in their point-of-sale software:
Credit card debacle centers on Polo sales software | News.blog | CNET News.com:
"Following Thursday's news that both MasterCard and Visa were informing some customers that a U.S. retailer -- now positively identified as Polo Ralph Lauren -- had experienced a security mishap that may have compromised card holders' data, the issue has been confirmed as a technology-related problem. In a statement phoned in to News.com overnight, Polo said that the credit card data in question was inappropriately stored in its point-of-sales software system...."
Techdirt is reporting that IBM has been given a contract to install a sophisticated telematics system in all official cars in the United Arab Emirates to keep tabs on drivers and to rat out the bad ones.
Techdirt:Cars In The UAE Will Have IBM-Installed Back Seat Drivers:
"Contributed by Dennis on Friday, April 15th, 2005 @ 12:42AM from the as-if-i-need-yet-another-voice-nagging-at-me dept.
In an effort to stem a rising tide of automobile-related accident deaths, the UAE has contracted IBM to install telematics 'black boxes' in tens of thousands of emergency and government vehicles. The systems will be connected to a nationwide wireless network, making it the largest telematics network in the world. In addition to tracking vehicle speed and location, the system will also vocally warn the driver if they are speeding. While this is a huge win for IBM in its big bet on becoming the world's high-end services and business process vendor, will this system actually make the roads any safer? We've discussed numerous times here that speed cameras don't work. Also, in the case of traffic light cameras, thinking that big brother is watching makes for some nervous, brake-happy drivers -- which, in turn, results in a higher number of rear-end collisions at camera equipped traffic signals. With the telematics system, the UAE could end up with a nation full of enraged drivers, not paying attention to the road because they're busy being nagged by their cars for driving too fast. Just because big brother is watching doesn't mean it's safer. "
Links in the original post.
Labels: information breaches
Friday, April 15, 2005
"American Century Investments is working around the clock to notify customers after someone stole two laptop computers with thousands of people's personal information on them.
KMBC's Jim Flink reported that the break-in happened at the company's downtown office on Main Street April 6...."
Business Week is usually pro-business, but it has an unusual take on the issue of companies leaking personal information. Give people the ability to sue, individually and in class actions. It may be a blunt instrument, but it speaks the language that business understands.
Personal Data Theft: It's Outrageous:
"... At a time when the Bush Administration and the Republican majority in Congress have put tort reform high on their agenda, talking about new tort rights is distinctly unfashionable in Washington. But creating liability for companies that fail to take proper care of the data entrusted to them is probably the most efficient way to get businesses to do the right thing.
SEE YOU IN COURT? Companies possessing personal data should be required to take all reasonable steps to protect it along the lines already in place for financial data under the Sarbanes-Oxley Act and for medical records under the Health Insurance Portability & Accountability Act. Individuals whose information is lost because a custodian has failed to protect the data adequately should have the right to bring individual suits or class actions for damages.
Tort suits, especially class actions, are a blunt instrument for enforcing good behavior, and they can be abused. But liability is a language that business understands, and monetary disincentives are something corporations respond to. And cumbersome as the court system is, it can be faster and more effective than government civil penalties (criminal sanctions should be reserved for the most egregious cases). This is by no means a magic bullet, but would at least create a monetary incentive, where none now exists, for data companies to be careful.
The incidents of wrongfully obtained data from ChoicePoint and LexisNexis are only the most prominent in what's increasingly a mass assault on the privacy and security of our information. Clearly some government action is needed, mainly to give law enforcement better tools to prosecute obvious cybercrimes such as phishing...."
Thanks to Rob Hyndman for the link.
According to CNET (via PrivacySpot.com), Comcast is being sued by a woman whose personal information was disclosed to RIAA in connection with a lawsuit. She says no court ordered the disclosure, which only came to her attention when she was contacted by a collection agency pushing her to pay up on behalf of the RIAA. See: Comcast sued for disclosing customer info | CNET News.com
Labels: information breaches
Thursday, April 14, 2005
In the aftermath of the most recent incident involving Polo Ralph Lauren, Forbes Magazine is asking whether companies should be held liable for identity theft if their lax security is to blame.
Forbes.com: Are Companies Liable For ID Data Theft?:
"A case could be made that [companies whose data is stolen] do have a responsibility," says Anita L. Allen, Henry R. Silverman professor of law at the University of Pennsylvania School of Law. Publicizing private facts about people is a tort, she says, and companies can be held liable even if the victim hasn't suffered a monetary loss. "If they recklessly failed to protect the information, that might be seen by a jury or judge as highly offensive conduct," she says.
Insecure databases of online retailers and information brokers are fueling the problem, providing huge batches of potential identities to steal. So consumers are increasingly asking that businesses be held responsible for securing the personal information they maintain.
In the wake of its security breach, ChoicePoint offered one year's worth of free credit monitoring to the consumers affected. But attorney Peter A. Binkow says consumers deserve more, even though most have not yet been the victim of fraud.
"While that might be a step in the right direction, our belief is that [ChoicePoint's offer] is not enough," he says. One year "is not enough time to see if someone has misused their information."
Binkow's firm, Glancy, Binkow & Goldberg, has filed a class-action suit against ChoicePoint on behalf of consumers who had their information exposed, and he plans to ask for an extension of the one-year monitoring, as well as for the establishment of a system to help consumers who do get hit by fraud. They may also seek monetary damages.
ChoicePoint became aware of the problem when Eileen Goldberg, the mother of one of the company's partners, received a letter from ChoicePoint saying that her personal information had been exposed. She didn't know what to do and took it to her son.
Binkow says ChoicePoint needs to take responsibility for the consumers who don't have those sorts of resources and will likely be confused about how to protect themselves. "I'm an attorney, and I'm fairly confused by this stuff," says Binkow. "If I found out my identity had been stolen, I wouldn't know where to start."
It's unlikely that a court would award monetary damages, unless a judge or jury wanted to make an example of the offending company, according to attorney Allen. But a court might well order remedies like added security precautions or help with credit monitoring.
Unlike ChoicePoint, retail businesses like DSW and Ralph Lauren Polo don't trade in sensitive information like Social Security numbers. But they still might be held responsible for exposing credit-card numbers, particularly if the breach occurred because of poorly implemented or maintained security technology.
Companies are free to establish their own privacy and security policies (most if not all online businesses, including Forbes.com, state their privacy policies online), but all are mandated by the U.S. Federal Trade Commission to follow their stated policies. If they do not, says Allen, they could be charged with fair trade violations. Beyond that, a court might force a company to pay damages if it's clear it didn't do everything it could to protect its customers.
"If some company is extremely negligent in the way they handle data, they could be liable for damages," says Allen. "Any business that exists online has to worry about this.""
I blogged earlier today about an incident involving an "unnamed retailer" connected with a huge number of stolen credit card numbers. (See PIPEDA and Canadian Privacy Law: Incident: GM MasterCard holders exposed to possible ID theft.) Apparently the retailer involved was Polo Ralph Lauren:
Polo Ralph Lauren Customers' Data Stolen:
"Data apparently stolen from the popular clothing retailer Polo Ralph Lauren Corp. is forcing banks and credit card issuers to notify thousands of consumers that their credit-card information may have been exposed...."
Thanks to Secondary Screening for the link.
A large number of credit card holders are being notified that their information may have been compromised after a large number of the cards were used at an undisclosed retailer:
GM MasterCard holders exposed to possible ID theft:
"About 180,000 General Motors rewards credit cardholders will be notified that someone might have stolen their personal information in a data breach that could affect an even bigger number of MasterCard and Visa customers.
Cards by HSBC, the bank that issues the GM MasterCard to about 6 million customers, were used at a U.S.-based retailer that neither MasterCard nor Visa would identify Wednesday.
HSBC has been sending out letters this week to the 3 percent of those cardholders whose plastic was used at the anonymous retailer between June 2002 and December 2004. The letters notify them of the problem and offer new replacement cards to any customers who want them...."
Labels: information breaches
Wednesday, April 13, 2005
According to testimony before the Senate Judiciary Committee today, both ChoicePoint and Lexis-Nexis admitted to previous incidents in which the individuals involved were not informed. Read more about it at Computerworld:
Data brokers didn't notify consumers of past breaches - Computerworld:
"APRIL 13, 2005 (IDG NEWS SERVICE) - WASHINGTON -- Two large data brokers that recently reported data breaches potentially affecting hundreds of thousands of U.S. residents have been compromised in the past and have not notified victims, executives from the two companies told a U.S. Senate committee today...."
Things are looking worse and worse for the data aggregation industry in the United States.
The United States Senate Judiciary Committee had a blue ribbon panel testifying on privacy and security today. I haven't seen any testimony posted online yet, but when I do I'll point to it. (The prepared statements are, however, available on the page below.)
United States Senate Committee on the Judiciary:
"NOTICE OF COMMITTEE HEARING
The Senate Committee on the Judiciary has scheduled a hearing for Wednesday, April 13, 2005 at 9:30 a.m. in Room 226 of the Senate Dirksen Office Building on 'Securing Electronic Personal Data: Striking a Balance Between Privacy and Commercial and Governmental Use'.
Senator Specter will preside.
By order of the Chairman
Hearing before the Senate Judiciary Committee
"Securing Electronic Personal Data: Striking a Balance Between Privacy and Commercial and Governmental Use"
Wednesday, April 13, 2005
9:30 a.m. Senate Dirksen Building, Room 226
Deborah Platt Majoras
Federal Trade Commission
Assistant Director for the Criminal Investigative Division
Federal Bureau of Investigation
Larry D. Johnson
Special Agent in Charge
Criminal Investigative Division
U.S. Secret Service
William H. Sorrell
National Association of Attorneys General
Douglas C. Curling
President, Chief Operating Officer and Director
Kurt P. Sanford
President & CEO, U.S. Corporate & Federal Markets
Jennifer T. Barrett
Chief Privacy Officer
Little Rock, AR
James X. Dempsey
Center for Democracy & Technology
Steamboat Springs, CO "
Thanks to Michael Fitzgibbon of Thoughts from a Management Lawyer fame, for sending me a link to the following article on the Littler Mendelson website.
Hot on the heels of the finding of liability against a trade union for not protecting members' information, the Michigan state government has enacted legislation to require employers to protect employee personal information:
"In early 2005, Michigan became the first state in the nation to enact legislation requiring that every employer maintain a policy for safeguarding employee social security numbers. During the same time frame, the Michigan Court of Appeals became the first appellate court to allow the victims of identity theft to recover damages (totaling $275,000) from an organization that failed to adequately safeguard personal information that was subsequently used for identity theft. These national precedents expose Michigan employers to liability for failing to safeguard employee personal information, and open the door to employer liability for workplace identity theft in other jurisdictions that likely will follow Michigan's example...."
Apparently North Dakota has passed a law which says auto black box data can only be taken with a court order. See David Canton's eLegal Canton blog post.
Labels: information breaches
Tuesday, April 12, 2005
In his eLegal blog, David Canton reports that the next round of BMG Canada v John Doe will fought out at the Federal Court of Appeal next week. This is the case in which the Federal Court refused to make a number of internet service providers hand over personal information about suspected file-sharing miscreants. See: eLegal Canton: Download wars continue.
Labels: information breaches
In the United States, citizens are more often concerned about the information held by government. After a huge range of privacy breaches in the private sector, Newhouse news has an interesting take on how the US federal government secures personal information in its custody:
Government Surpasses Business in Protecting Citizens' Privacy:
"WASHINGTON -- Here's a surprise:
In the face of increasingly intrusive information-gathering technology, many experts on privacy are convinced the U.S. government does a better job than business when it comes to protecting data compiled on hundreds of millions of Americans.
Federal agencies including the Internal Revenue Service, the Social Security Administration, the Census Bureau and the Centers for Medicare & Medicaid Services routinely collect and store detailed personal information about each citizen.
They keep a security lid on it with stiff criminal and civil penalties for improper disclosure. Leaks have been rare.
"That is because the federal government inherently is not in the business of moving information around to make the economy and commerce flow," said Robert Atkinson, a technology expert at the Progressive Policy Institute. "They use information for very narrow purposes, and in those situations it's a lot easier to protect data."
In the private sector, citizens often simply are viewed as consumers, their personal information a valued commodity to be bought and sold and exploited in a marketplace where data mining is the rage, and where identity theft has become widespread.
While laws on the subject have varied from state to state, effective April 20 tighter new federal privacy guidelines will cover private-sector electronic transactions handled by most health plans, care providers and health data clearinghouses. The rules were drafted by the Centers for Medicare & Medicaid Services, responsible for the confidentiality of health care records of 82 million citizens.
Still, federal authorities fear that public reaction to abuses in the private sector will damage faith in the government and interfere with its efforts to perform assigned functions.
"We think privacy is essential in building trust," said Gerald Gates, chief enforcement officer at the Census Bureau.
"We have a strict confidentiality statute, with penalties of five years in prison and $250,000, and training for employees on an annual basis. In 35 years there has never been a violation that has come to my attention."
The IRS, which processes 130 million individual and family tax returns annually, takes a back seat to no other agency in respecting the confidentiality of taxpayer records, said spokesman John Lipold.
"We never, ever disclose anybody's personal privileged information except as authorized by law, and there are stringent access rules," he said.
Then there's the Social Security Administration, which each year keeps track of some 160 million people reporting their wages and paying Social Security taxes, another 50 million collecting retirement benefits, and 50 million more aged, blind and disabled Americans getting Supplemental Security Income payments.
"Nobody has access to our computer records," said spokesman Mark Hinkle, adding that the agency enforces a "zero tolerance" policy for privacy violations...."
In the wake of a recent incident in San Jose involving the leak of personal information from a medical clinic, the San Jose Mercury News is running a story about how privacy fears affect patients:
MercuryNews.com | 04/12/2005 | Medical data thefts spur worry:
"The recent theft of two computers from the San Jose Medical Group could have repercussions beyond the 185,000 people whose billing records were on those machines.
Privacy advocates worry that this case, and a rash of others involving the loss of personal data, will make people afraid to get the medical care they need.
``It has a devastating impact on the way people seek health care,'' said Emily Stewart, a policy analyst for the non-profit Health Privacy Project in Washington, D.C.
In a 1999 survey, she said, one out of six people said they were so worried that their medical or financial details would leak out that they withheld information from their doctors, skipped from doctor to doctor to avoid having all their records in one place or paid cash to avoid dealing with insurance companies.
Emma Burgess, 34, a former patient of San Jose Medical Group, said the break-in ``really irks me in a big way'' -- especially since she left the group four or five years ago...."
If anyone has a copy of that survey, please e-mail me at david.fraser (at) mcinnescooper.com.
Hot off the wires....
Apparently internal investigations by LexisNexis related to the original security breach announced in March has revealed that 310,000 more people are affected than originally stated:
Yahoo! News - LexisNexis Data on 310,000 People Feared Stolen:
"NEW YORK/AMSTERDAM (Reuters) - Data broker LexisNexis said Tuesday that personal information may have been stolen on 310,000 U.S. citizens, or nearly 10 times the number found in a data breach announced last month.
An investigation by the firm's Anglo-Dutch parent Reed Elsevier determined that its databases had been fraudulently breached 59 times using stolen passwords, leading to the possible theft of personal information such as addresses and Social Security numbers.
LexisNexis, which said in March that 32,000 people had been potentially affected by the breaches, will notify an additional 278,000 individuals whose data may have been stolen.
Of the initial group contacted, only 2 percent asked the company to conduct an investigation of their credit records. LexisNexis has found no cases of identity theft, such as using a stolen Social Security number to apply for a credit card.
'We need to write to them and offer the same kind of support and investigation we offered the original 32,000,' a Reed Elsevier spokeswoman said.
'Of the original group, it's somewhat encouraging that none of them has suffered identity theft.'
Law enforcement authorities are assisting the company's investigations, which coincide with a rash of similar break-ins at other companies handling consumer data...."
For information on the original breach, see PIPEDA and Canadian Privacy Law: Incident: Personal information of 32,000 stolen from LexisNexis.
More coverage and update:
Thanks to HIPAA Blog for pointing me to this interesting article in a local paper that chronicles what community businesses and organizations are doing in in Muscatine, Iowa to protect personal information. For example, city hall is shredding like crazy:
"...City Hall, schools
David Casstevens, director of Administrative Services for the city of Muscatine, says there are three paper shredders in City Hall, where shredding receipts and personnel information has been practiced for at least five years.
Nearly every county office has at least one shredder. Check stubs and vendor claims are destroyed after two years; primary and general election materials are destroyed after 22 months; and city, school board, and county supervisor election results are destroyed after six months.
Current school records are all that's stored at the respective schools in the Muscatine School District. Superintendent Tom Williams says that space for records is limited and older records are stored on microfiche and CDs. The paper copies are stored in bins until June when staff can begin to shred them.
Muscatine Power & Water, does its own shredding and also uses a boiler in the power plant to burn some of its sensitive documents, according to MPW spokesman Gary Wieskamp. He said accounts payable and invoices are recorded on microfilm...."
The article discusses the local police, a number of local merchants and other organizations. Interesting to see a community paper take such an interest.
Labels: information breaches
Yet another university is contacting students and alumni about a possible privacy breach. This time, it is Tufts University in Boston, which has noticed suspicious activity on one of its computer systems that contains sensitive personal information:
Boston.com / Business / Technology / Tufts warns alumni on breach:
"... Tufts University last week began sending letters to 106,000 alumni, warning of ''abnormal activity' on a computer that contained names, addresses, phone numbers, and, in some cases, Social Security and credit card numbers.
''We have no evidence that information was retrieved or misused,' the letter said. But it urged alumni to notify their banks and check their credit reports for signs of illicit activity. The school also set up a website, www.tufts.edu/security, to provide alumni with more detailed information..."
Monday, April 11, 2005
Jay Cline in Computerworld has taken a scoot around the web to see how the most popular sites stack up with respect to privacy. The yardstick he used to measure are the Safe Harbour principles for compliance with the European Union Privacy Directive. I'd suggest that he use the ten principles from the Canadian Standards Association Model Code for the Protection of Personal Information, but the Safe Harbour Principles are a good place to start.
Safest Places On the Web - Computerworld:
His findings are well worth the read.
Labels: information breaches
The Motley Fool is wading into the outsourcing and privacy debate after the most recent CitiBank incident. The author's conclusion is that outsourcing is not the problem, but criminals are the problem.
How Dangerous Is Outsourcing? [Fool.com: Motley Fool Take] April 11, 2005:
"...Exaggerating the dangers of outsourcing and sending data abroad won't make our data any more secure. On the contrary, the facts of the Mphasis case suggest that in some cases, data may be safer once sent abroad. Reflect for a moment on how quickly the alleged criminals in Pune were caught. Consider for a second the fact that they were caught by the 'cybercrime unit' of the Pune police force. Ponder for a minute the fact that a place most of us have never even heard of before (really? 'Pune?') even has something called a 'cybercrime unit.' I know my hometown doesn't.
Then come to the correct conclusion: Outsourcing wasn't the problem here. The problem was criminals, plain and simple. And those can be found the world over."
The only thing I'd add is you want to make sure your customers' data goes somewhere that you can expect assistance in dealing with the issue. Like beautiful Nova Scotia, for example....
Labels: information breaches
Michael Geist, in his most recent Law Bytes column, writes that he believes Canadian privacy law is soon to enter a third stage. Self-regulation (stage one) and weak enforcement (stage two) will give way to more aggressive enforcement, particularly after the Personal Information Protection and Electronic Documents Act comes up for review next year. There is no doubt that the enforcement of the law has been very low key up to this stage, leading to very uneven compliance and many businesses dismissing the necessity to become compliant with the law.
The Three Stages of Canadian Privacy Law:
"Canadian privacy law has developed in three stages. Stage one involved the adoption of a self-regulatory approach to privacy protection, as the Canadian Standards Association brought together industry, government, and public interest groups in the early 1990s to develop a non-binding code of privacy best practices based on international standards.
While CSA Model Code was initially hailed a self-regulatory success, within a few years it became apparent that few companies were willing to bind themselves to the Code’s principles.
With the growing interest in privacy protection, Ottawa moved to stage two by introducing the first national private sector privacy statute (PIPEDA) in 1998. That law, which took effect in 2001, directly incorporates the CSA Model Code into the legislation, supplemented by a series of enforcement provisions.
The result is a light regulation model that emphasizes mediation of privacy disputes. Administration rests with the Privacy Commissioner of Canada who issues “findings” that are not binding on the parties. Unlike some of her provincial counterparts, the Federal Commissioner does not currently enjoy order-making power. Rather, she must apply to the federal court, which is not bound by her findings, for enforcement. In addition to the statutory shortcomings, the Commissioner has been reluctant to engage in an aggressive application of the law, protecting the targets of privacy complaints by refusing to disclose their identity.
As Canada heads toward a review of the current law led by Industry Minister David Emerson, it is likely moving toward the third stage of privacy law that will be characterized by greater emphasis on transparency and aggressive enforcement.
Recent developments point to three potential reforms that illustrate this evolution. First, as frustration mounts over the Commissioner’s lack of order making power as well as the policy of shielding the targets of privacy complaints, the third stage of privacy law will feature growing pressure to address these issues through a statutory amendment. Although order making power might result in more contentious investigations and challenges to the Commissioner’s findings, it would also send a much-needed message about the importance attached to privacy protection in Canada.
Moreover, a commitment to disclosing the names of organizations that breach Canadian privacy law would create an important incentive for greater compliance. According to a recent, unreleased finding involving spam, the Commissioner reminded the target of the complaint that failure to abide by Canada’s privacy legislation created “a risk that its business reputation will be tarnished.” This statement will only become reality if the Commissioner begins to name names.
Third, the B.C. outsourcing case points to the need for increased statutory protections for personal information that may be secretly disclosed to foreign law enforcement authorities. Although the recent court case was a nominal victory for the outsourcing company, a careful examination of the decision reveals a dramatic change in the protections afforded to the personal information in question.
The B.C. judge affirmed the importance attached to privacy protection but allowed the outsourcing arrangements largely because of a series of significant new protections introduced by Maximus in response to the public outcry. These included a $35 million penalty for breach of confidentiality, extensive provisions to ensure that the data remained in the province, and a contractual term prohibiting disclosure of the data.
The Maximus case will set the benchmark for future outsourcing arrangements in Canada with similar safeguards likely to be introduced on a national level in the months ahead. If accompanied by order making power and greater transparency, it will go a long way to ushering a new age for Canada’s privacy law framework. The days of light regulation for Canadian privacy appear to be numbered."
Aeroplan is once again in the privacy hot-seat, according to this article from the Globe and Mail. This time, it is for inadequate security that allowed an Aeroplan member's boss to review and modify his account information. The article has some pretty strong words from Heather Black, the Assistant Privacy Commissioner of Canada:
The Globe and Mail: Aeroplan rapped over data security:
"By PAUL WALDIE
Monday, April 11, 2005 Page B1
The Office of the Privacy Commissioner has sharply criticized security at Air Canada's popular Aeroplan frequent-flyer program and told the airline to better protect members' account information.
"On the whole, there was a clear lack of diligence on the part of Air Canada with respect to its handling and protection of customer personal information," Heather Black, assistant privacy commissioner, said in a recent ruling involving a Vancouver businessman whose Aeroplan account was accessed, and changed, by his former boss.
While noting the airline has taken some steps to tighten security, she said key data is still too easily available. "If someone with access to an account number calls the system, he or she [is able to access] the account holder's name, the number of miles recently credited to the account, and the account balance."
"This information is not password protected. I remain concerned about the accessibility to the information that is still on the system."
Aeroplan has six million members and has reward program partnerships with retailers such as Future Shop Ltd., Imperial Oil Ltd.'s Esso gasoline chain and Bell Canada's phone services.
Michele Meier, an Aeroplan spokeswoman, said the company has already acted on recommendations made during the investigation, "We're in the process of evaluating whether any further measures will be taken or will be necessary," she said.
The case dates back to March 14, 2002, when the businessman, Danny Yehia, received a duplicate copy of his previous Aeroplan statement.
When he contacted Aeroplan for an explanation of why he was sent the additional statement, he was told that someone had requested the information and changed the e-mail address on his account.
At the time, Mr. Yehia was involved in a lawsuit with his former boss, Joel Berman, a Vancouver glass designer. Mr. Berman alleged Mr. Yehia and his partner had taken company secrets when they left his glass business months earlier. Part of the lawsuit centred around a trip Mr. Yehia took to Australia allegedly to meet a rival glass company.
Mr. Berman admitted to the privacy officer that he obtained detailed information about Mr. Yehia's account from Aeroplan's computerized telephone information system and through an Air Canada agent. "Air Canada states that he could do this because there was no personal identification number required," Ms. Black said in her decision.
She said Mr. Berman did not misrepresent himself or pretend to be Mr. Yehia. In fact, he provided the agent with his name in order to pay a processing fee to change the account.
The lawsuit was eventually dropped, but Mr. Yehia complained about Aeroplan's actions to the privacy commissioner.
In her decision, released last week, Ms. Black said she was "disturbed by Air Canada's lack of co-operation with respect to [Mr. Yehia's] complaint."
She also said the agent who changed the account had not been properly trained in privacy issues and "it did not appear to concern her that she was not speaking to the account holder." The agent "did not even seem to be aware of the importance of maintaining the confidentiality of personal information."
She added that, given the number of people who have access to Aeroplan members' numbers, such as employers, travel agents, and Aeroplan workers, "I do not believe that having account information readily available, without any protection on it, constituted an adequate safeguard."
Ms. Meier said Aeroplan regrets "this unfortunate incident," and noted that it has restricted the information on the automated phone service. It has also updated privacy procedures and introduced more training for staff.
But Ms. Black questioned whether the changes go far enough. She said the automated system still provides access to account holders' names, the number of miles recently credited to the account and the account balance.
"Many individuals have credit cards that are partnered with Aeroplan. Anyone with access to the Aeroplan account number could potentially know from the number of miles credited to the account how much money was charged against the account holders' credit card in a month."
She recommended password controls should be placed on all account information that is accessible though the automated system.
Mr. Yehia said Aeroplan should be doing much more to protect information.
"You'd think that after [the Sept. 11, 2001 terrorist attacks] security would be an important issue," he said.
When asked if he is still an Aeroplan member, he laughed and replied: "I am. Because where I travel, I don't really have much choice."
Presently, passwords are required to view and modify account information. Also, phone agents are requiring more proof of identity before assisting Aeroplan members.
Labels: information breaches
Sunday, April 10, 2005
PrivacySpot is reporting that the state of Texas is considering a privacy breach notification law, similar to the law already in place in California:
One Million Dollars: Texas Considering Security Breach Notification Law | PrivacySpot.com - Privacy Law and Data Protection:
"...The law would require a person 'that owns or licenses computerized data that includes identifying information of a resident of this state' to notify the resident of any computer security breach if the resident's unencrypted identifying information was, or was reasonably believed to have been, obtained by an unauthorized person.
Notification would be required within a reasonable time after the data controller discovered the security breach, taking into consideration any law enforcement agency requests to delay the notification and any measures necessary to determine the scope of the breach or restore the reasonable integrity of the data system. A data controller that has notification procedures built in to its data security policy could use those notification procedures so long as they were not inconsistent with the timing requirements of the law...."
Today's Palm Beach Post is running a feature article on the data broker industry. There's not too much to learn here for those who follow the industry, but it's a good introduction for newcomers.
Identity complex: Data brokers' files are extensive, as are their destinations:
"... The personal information these firms have collected on virtually every American is staggering.
ChoicePoint has 19 billion documents; LexisNexis and its Boca business, Seisint, have 33 billion records. InfoUSA Inc. -- targeting companies with consumer and business data -- runs a database containing information on 250 million consumers and 14 million businesses. Another company, Acxiom Corp., says its consumer database covers 95 percent of U.S. households.
These records encompass more than just Social Security and driver license numbers. They include telephone numbers, birth and death records, personal addresses, vehicle ownership, criminal records, marriage and divorce records, liens and judgments, mortgages, property taxes individuals paid, personal bankruptcies and professional and business licenses. They include demographic data, consumer purchasing behavior and lifestyle interests...."
Saturday, April 09, 2005
The Bourse de Montreal has disciplined a representative of National Bank Financial Inc. for using access to personal information to impersonate the holder of an inactive account to obtain the funds held in that account. The findings of the Bourse include that the subject of the investigation used a fake drivers' license in the name of the account holder with a fake address to cash the cheque.
The press release is below:
Canada NewsWire Group:
"MONTREAL, April 6 /CNW Telbec/ - On November 13, 2003, following an investigation made by the Investigation Department of the Regulatory Division, Bourse de Montréal Inc. (the Bourse) filed a complaint against Paul Robert, a person approved by the Bourse.
Following a hearing, the Disciplinary Committee of the Bourse (the Committee) issued a decision imposing to Paul Robert a fine of $25,000 and requiring that he refunds the total costs and expenses, including professional fees, paid or incurred by the Bourse for an amount of $8,096. In addition, Paul Robert has been permanently prohibited to be approved in any capacity for an approved participant of the Bourse.
The Disciplinary Committee concluded that during the period from August 12, 2002 to November 9, 2002 Paul Robert contravened article 4101 of the Rules of the Bourse.
Subparagraph a) ii) of article 4101 of the Rules of the Bourse prohibits any act, conduct, practice or proceeding unbecoming an approved person, inconsistent with just and equitable principles or detrimental to the reputation of the Bourse or to the interests or welfare of the public or of the Bourse.
During the above-mentioned period, Paul Robert, while being registered as a representative and officer for National Bank Financial Inc. (NBF), used its position as a compliance analyst responsible for the daily monitoring of clients accounts to gain illicit access to personal information relating to inactive accounts and more particularly on an account that had been inactive for a few years and whose holder could not be traced. Pending the eventual transfer of its assets, as required by law, to the Curateur public du Québec, this account, which had a cash balance of $16,190.98, was under the responsibility of National Bank Correspondent Network (NBCN), a subsidiary of FBN.
Paul Robert impersonated the holder of the account and manoeuvred to fraudulently misappropriate the funds. Using illicitly obtained personal information on the holder of the inactive account, Paul Robert communicated by phone with NBCN customers' services falsely presenting himself as being the holder of the account and attempted to misappropriate a part of the balance, that is $4,000. Thereafter, always under false representations, he asked NBCN to close the account and attempted to claim the total balance of the account.
He succeeded to have NBCN issue two cheques to the order of the account and to forward them to a false address. However, he was unable to take possession of these cheques as he expected to. After further actions, he succeeded in having a third cheque issued and being able to take possession of it.
Once the cheque in his possession, Paul Robert presented himself to a cashiering services provider with a false driver's licence identifying him as being the beneficiary of the cheque and indicating a false address that he had given to NBCN. The provider's employee, suspecting some irregularity, called the police who came to arrest Paul Robert and imprisoned him. Later on, he was charged with fraud attempt and use of forgery.
Paul Robert was dismissed by NBF shortly after having been charged.
In its analysis, the Committee considered the amount involved, the fact that the fraudulent acts of Paul Robert were among the most serious that exist for an approved person and that his acts and deeds were planned and carried on over a period of many months thus showing a very clear determination to carry his project to completion. There was even a gradation of the fraudulent maneuvers as he initially attempted to misappropriate $4,000 and later on the total balance of the account. He even used the services of an accomplice to obtain false identification documents in order to complete the misappropriation of the funds under the custody of NBCN. The Committee also considered that Paul Robert position as a compliance analyst with NBF as an aggravating factor. While in such position Paul Robert should have acted as a guardian of the compliance with legality and with the justice and fairness principles governing the securities industry, he rather took advantage from his position to abuse the trust of his employer and of the public.
The Committee also tempered its analysis by taking into account the fact that Paul Robert had finally not succeeded to misappropriate the account holder funds and that, as a consequence, neither the account holder nor his assigns had incurred a loss. The Committee also took into account the absence of disciplinary history for Paul Robert, the fact that he had been dismissed by his employer and that the reasons for his dismissal would follow him for a significant part of his career and, finally, that he had cooperated with his former employer and with the personnel of the Bourse all along the disciplinary process.
Paul Robert is not currently employed in the securities industry.
Based on the facts and circumstances disclosed during the investigation, the Regulatory Division of the Bourse determined that there was no cause for initiating disciplinary complaints against NBF.
To access the full text version of the Committee, please refer to the following link: http://www.m-x.ca/f_publications_fr/050215_decision_disciplinaire_02_fr.pdf (available in French only).
For further information: Jean-Charles Robillard, Communications, (514) 871-3551, or by e-mail at ????????@m-x.ca."
Labels: information breaches
A medical lab in Windsor, Ontario was broken into on January 1, 2005 and the thieves made off with a computer containing personal health information. The lab only issued a notice this week after they incorrectly assumed they needed the OK from the Information and Privacy Commissioner of Ontario. (In fact, the new Ontario Personal Health Information Protection Act requires that such disclosures be reported to affected patients.) The lab says they informed the IPC right away, a fact that the IPC's office disputes.
Fort St. John - canada.com network:
"Patients kept in dark over theft of lab files: Information taken during break and enter in Windsor
April 9, 2005
Ontario's Ministry of Health wants to know why it took more than three months for a Windsor medical lab to begin reporting the theft of personal and medical information to affected patients and their doctors.
"Eventually, the ministry would want some kind of justification for the delay," ministry spokesman John Leatherby said. "Those who are affected need to be in the know."
Friday, Medical Laboratories of Windsor Ltd. (MLW) issued a news release reporting a computer containing patients' names, addresses, health card numbers and health information was stolen from its 1428 Ouellette Ave. office Jan. 1.
Windsor police have been investigating the theft but report no success.
"As soon as we discovered the theft, we contacted authorities," company spokeswoman Jennifer Yee said.
As required by law, the company notified Ontario's Office of the Information and Privacy Commissioner, but spokesman Bob Spence said Friday it wasn't until early March -- two months after the B&E -- that it was made aware of the theft. He said the privacy commissioner has also launched an investigation into the theft.
According to police, one or more suspects broke into the front door of the Ouellette Avenue office building that night and then smashed through MLW's medical office door on the third floor, leaving with a computer, flat-screen television, a computer monitor and petty cash.
The missing computer was used to collect and transmit ECG information from patient tests to family physicians and cardiologists, Yee said.
She said she "wouldn't want to speculate" on the number of patients affected by the theft, but added more than 100 doctors in the Windsor-Essex area were sent letters Thursday advising them of the theft.
"We sincerely regret this situation," Yee said.
Staff Sgt. Ed McNorton said Windsor police believe the suspects targeted the computer for its hardware value and not the personal and private medical information it contained.
Nevertheless, said the ministry's Leatherby: "Those individuals who have had their personal information stolen -- they should be next to the first persons to be advised."
Asked why MLW, which has operated locally the past 43 years, waited three months to alert doctors, patients and the public to the possible theft of personal data, Yee said it was only Thursday that the company received the required approval from the privacy commissioner's office.
But commissioner spokesman Spence told The Star Friday there is no need for such approval.
"We do not tell organizations not to advise people -- or announce to the public -- that information may have been lost," he said.
Though there are four other MLW offices across the county, Yee said, only the ECG test results and patient information of those attending the Ouellette Avenue office were affected.
The private company said it launched its own internal investigation and is also working with the Ontario Ministry of Health and Long-Term Care on the case.
"We have ... taken a number of steps to ensure MLW's security and data protection measures meet or exceed current health industry standards," company president Dr. George Yee said in Friday's news release.
The Health Ministry will wait until the conclusion of the police investigation before launching a probe into the reporting delay, Leatherby said.
Any patients requiring additional information are asked to call MLW at 258-1991."
Today's Washington Post, via Yahoo! News, is running a story on the various state legislative initiatives related to protecting personal information:
Yahoo! News - States Scramble To Protect Data:
"Legislatures in more than two dozen states are considering ways to give consumers more control over personal information that is collected and sold by private firms, but many of the proposals are drawing fire from financial services companies...."
Labels: information breaches
From today's Palm Beach Post:
ChoicePoint scandal driving tougher global privacy standards:
"WASHINGTON - U.S. corporations are sending more personal data for processing overseas in a 'race to the bottom' for lower costs. But a consumer-driven 'race to the top' for tougher privacy standards should help protect that information, one expert said Friday.
The trend toward stricter rules has gotten a big boost from the ChoicePoint scandal, Privacy Times editor Evan Hendricks said Friday....
Hendricks discussed the case's impact at a seminar, "Offshoring and Privacy: Consumer Data in the Global Economy," sponsored by the Brookings Institution, a research group.
"In the long run, I'm optimistic" about improving privacy because the ChoicePoint scandal has so dramatically underscored the risks of failing to protect consumers, he said. The company, which sells data including Social Security numbers, property records, bank accounts and criminal histories, has been hit by dozens of lawsuits as its stock has dropped.
In recent years, a growing number of U.S. companies have been using the Internet to send financial and other personal information to contractors operating in India, the Philippines and other countries where wages are lower.
One of the speakers defending the practice was Kiran Karnik, president of the National Association of Software and Services Companies, which promotes India as a trusted outsourcing destination.
Karnik said it's natural for people to question the wisdom of sending sensitive data far away, especially across borders. People in the industry "very much understand" that people often distrust foreigners, and "deep down" don't want them seeing personal data, he said.
But he said U.S. companies require their contractors to follow the same laws as if they were based in America.
In addition, he said, India is revising its domestic privacy laws to satisfy concerns of its European and U.S. customers. Karnik's group and the Information Technology Association of America held a conference in New Delhi in October on this topic.
The same pressures are likely to lead to even tougher rules in the future. Hendricks said that in a global economy, European companies will want to be able to do business with contractors in the United States, India and other countries."
Friday, April 08, 2005
For quite some time, a list of names, frats and social security numbers has been publicly available on a University of Mississippi web server. Only after notified by MSNBC did the university take it down:
Mississippi joins list of colleges leaking data - Spam, Scams & Viruses - MSNBC.com:
"Ray was just surfing the Internet looking for information on an old friend. Instead, he found a gold mine for identity thieves -- a Web site full of documents listing hundreds of student names and Social Security Numbers. It was posted right on the University of Mississippi's Web site, there for anyone to see.
'I was just looking up an old college friend when I stumbled on this page,' said Ray, who requested his last name be withheld. 'I know this isn't something I should be able to see.'
There were about 20 documents listing fraternity and sorority members. Some had as few as five entries. The list of Phi Mu members included 189 names and Social Security Numbers. In all, about 700 students were listed in the documents.
After a call from MSNBC.com, the university shut down access to the Web page Wednesday. Jeff Alford, assistant vice chancellor for university relations, said the files had likely been exposed on the Internet since 2003...."
Thanks to PrivacySpot.com for the link.
Leak of UM data 'mistake' - The Clarion-Ledger:
"Students' info accidentally posted on server
The Associated Press
OXFORD - University of Mississippi officials say there was no malicious intent by a former staff member who backed up student information onto a document that could have made the data available to anyone over the Internet.
Jeff Alford, assistant vice president for university relations, said Friday that the names and Social Security numbers of about 300 students have been taken off the school's Web server.
Alford said MSNBC contacted the university on Wednesday after it broadcast a report that a man used the Internet to look up a college friend...."
Labels: information breaches
This Sunday's New York Times Review of Books contains (or will contain) a review by William Safire of "No Place to Hide" and "Chatter: Dispatches From the Secret World of Global Eavesdropping". It clearly discloses Safire's take on the privacy issue and gives a good review of both titles, firmly within the context of current events.
The New York Times > Books > Sunday Book Review > Goodbye to Privacy:
"... In the past five years, what most of us only recently thought of as ''nobody's business'' has become the big business of everybody's business. Perhaps you are one of the 30 million Americans who pay for what you think is an unlisted telephone number to protect your privacy. But when you order an item using an 800 number, your own number may become fair game for any retailer who subscribes to one of the booming corporate data-collection services. In turn, those services may be -- and some have been -- penetrated by identity thieves.
The computer's ability to collect an infinity of data about individuals -- tracking every movement and purchase, assembling facts and traits in a personal dossier, forgetting nothing -- was in place before 9/11. But among the unremarked casualties of that day was a value that Americans once treasured: personal privacy.
The first civil-liberty fire wall to fall was the one within government that separated the domestic security powers of the F.B.I. from the more intrusive foreign surveillance powers of the C.I.A. The 9/11 commission successfully mobilized public opinion to put dot-connection first and privacy protection last. But the second fire wall crumbled with far less public notice or approval: that was the separation between law enforcement recordkeeping and commercial market research. Almost overnight, the law's suspect list married the corporations' prospect list...."
Anthony Cerminaro's Deal Attorney blogis pointing to a very good and useful compendium on online privacy issues prepared by Hughes Luce. I'm planning to keep it handy as I have to deal with privacy issues with an American aspect on a regular basis.
Labels: information breaches
Presumably thanks to the California privacy law that requires notification of privacy breaches, the Mercury News is reporting that personal information related to almost two hundred thousand individuals was stolen along with two computers from a San Jose medical clinic.
MercuryNews.com | 04/08/2005 | 185,000 medical group patients warned of security breach:
"In one of the largest cases of stolen medical and financial information nationwide, San Jose Medical Group is alerting 185,000 current and former patients that their sensitive personal data may have been on computers taken during a recent break-in.
In a first-class letter to patients dated Monday, CEO Ernie Wallerstein said two computers were taken March 28 from the physician group's administrative offices. The computers, he wrote, ``contained names, addresses, confidential medical information and Social Security numbers, perhaps including yours.''
While there is no evidence the data has been misused or disclosed to others, police have no suspects in the early-morning break-in, in which the Dell computers were snatched from a locked area of a computer room....."
I've recently started following Tamara Thompson's PI blog (that's "private investigator", not "personal information") at http://yourpinews.blogspot.com/. The Contra Costa Times is running an interesting profile of her, including her comments on the privacy culture and its impact on PIs. Good reading.
ContraCostaTimes.com | 04/08/2005 | Private investigator offers information via blogs:
"Tamara Thompson sits down at her computer each day and opens a window into a famously secretive profession.
As a veteran private investigator she has had some cloak-and-dagger adventures, but she saves those stories for late-night bull sessions with fellow PIs. On her trio of blogs, Thompson chronicles the intricate methodology of the investigator and what she sees as the threats to the field in an increasingly paranoid society.
Privacy has been a contentious national issue in the wake of the Sept. 11, 2001, attacks and resulting legislation such as the Patriot Act. Thompson's writing brings to light another important question that has received less attention: as the government gathers more information, has it also gone too far in restricting such access for private citizens?
'The government and the privacy extremists have overreacted,' Thompson said...."
I'm guessing it's not an honour to even be nominated...
Privacy International has announced the finalists for its "Big Brother Awards", given to the individuals or organizations that are considered to be the most invasive of privacy. More than one fifth of the nominations were for ChoicePoint. Unfortunately, their website at http://www.privacyinternational.org/ doesn't list all the nominees, so we'll have to rely on the Wired News report:
Wired News: ChoicePoint Top Big Brother Pick:
"Two major data brokers, a California elementary school and Google's Gmail service are leading contenders for the Big Brother Awards -- a dubious prize spotlighting organizations with egregious privacy practices.
Award recipients will receive a statue of a golden boot stomping on a human head.
The nominees were among those on a list made public Wednesday by Privacy International, the British watchdog group that runs the annual U.S. Big Brother Awards. The group plans to announce winners on April 14.
Simon Davies, Privacy International's director, predicts that this will be an extraordinarily difficult year for selecting a winner, given that there are so many strong candidates.
He said the group received nominations for hundreds of companies, organizations and government agencies. "People have gone out of their way to investigate and come to intelligent conclusions about the balance of public interest and private rights," Davies said.
Nominees are selected by the public, after which a panel of judges, mostly privacy advocates, chooses the winners.
There are some clear front runners. Davis estimated that at least one in five nominations submitted named ChoicePoint, the data broker that generated headlines earlier this year after selling personal information for about 145,000 people to criminals.
ChoicePoint already received Big Brother's Greatest Corporate Invader award in 2001. This year, it could receive the Lifetime Menace award, previously granted to Osama bin Laden, Adm. John Poindexter and the National Security Agency, among others.
ChoicePoint declined to comment on the nomination.
Several government agencies and initiatives appear likely to get a prize, including the Transport Security Administration for its controversial airline passenger-screening program. The US-Visit fingerprinting and data system, which seeks to fingerprint all foreign visitors to the United States, also made the short-list for awards.
Brittan Elementary School in Sutter, California, is an unlikely candidate, but received a sizeable number of nominations for its attempt to make students wear ID badges containing radio-frequency identification devices.
A second data broker, Acxiom, is also a strong contender for an award, for lobbying to water down key federal privacy laws immediately after the Sept. 11 terrorist attacks...."
Thursday, April 07, 2005
Computerworld is reporting that twelve people, inlcuding three former employees of an Indian outsource service provider, have been charged with fraud following the misuse of a New York Citibank customer's personal financial informtion:
Indian call center workers charged with Citibank fraud - Computerworld:
"Twelve arrested, including three ex-employees of outsourcing company
News Story by John Ribeiro
APRIL 07, 2005 (IDG NEWS SERVICE) - BANGALORE, India -- Former employees of a call center in Pune, India, were arrested this week on charges of defrauding four Citibank account holders in New York, to the tune of $300,000, a police official said."
Labels: information breaches
Rob Hyndman is linking to a Wall Street Journal article describing how organized identity thieves are becoming: robhyndman.com >> Identity Thieves Organizing.
Labels: information breaches
I will be leading a special two-day training program on behalf of National Privacy Services entitled "Privacy Risk Management: Exceeding expectations, building trust and avoiding privacy disasters". It will be held on May 11-12 at First Canadian Place, in downtown Toronto. The full brochure is available from the National Privacy Services website, but the highlights are below:
Privacy Risk Management: Exceeding expectations, building trust and avoiding privacy disasters.
A two-day workshop
Identity theft. Privacy laws. Misdirected faxes. Class action lawsuits. Spam. Customers are increasingly concerned about their personal information and businesses are legally required to do something about it.
National Privacy Services, a leading provider of compliance solutions, is offering a two-day workshop to provide the knowledge and the tools to exceed your customers’ expectations and avoid high-profile privacy disasters. Using real-world case studies, participants will gain a thorough knowledge of how to comply with Canada’s privacy laws and – perhaps more importantly – how to meet or exceed the demands of privacy-conscious consumers.
If you handle personal information in the course of commercial activities, the law requires that you:
- Designate a privacy officer;
- Develop and make a privacy statement available;
- Follow the law’s rules for adequate consent for the collection, use and disclosure of personal information;
- Train staff on compliance;
- Safeguard personal information; and
- Provide individuals with access to their own personal information.
A growing segment of the population is very concerned about their privacy and whether they can trust the organizations they deal with. Exceeding your customers’ privacy expectations can be a real competitive advantage.
Our Privacy Risk Management Workshop is specifically designed to provide the background and the know-how to incorporate the best practices of the Personal Information Protection and Electronic Documents Act in a way that does not interfere with your business. Instead, a properly designed privacy program can be a competitive advantage.
Who should attend: Privacy Officers, business owners & managers, IT managers, CIOs, in-house counsel, customer service supervisors, consultants.
$1499 + GST (two full days, lunch and refreshments included)
May 11 & 12 – 9:00 – 4:00
Toronto Board of Trade – Downtown Centre
1 First Canadian Place
For more information about National Privacy Services and our compliance programs, visit www.privlaw.com.
David T.S. Fraser, BA, MA, LL.B.
Legal Counsel, NPSiDavid Fraser is an experienced educator and a nationally-recognized authority on Canadian privacy law. David is one of a rare breed: a lawyer who can make complicated legal concepts readily accessible to non-lawyers. He has trained the privacy officers of hundreds of organizations. He has designed the privacy compliance programs for a wide range of organizations, including many that are household names.
David provides specific legal and privacy expertise in the development of NPSi’s privacy solutions and regularly leads the company’s training courses.
Extensive “takeaway resources”At the conclusion of the course, participants will have a thorough understanding of how privacy laws affect their organizations and what concrete steps must be taken to comply. In addition, participants will use real-world case studies to consider how to exceed the expectations of your privacy-conscious stakeholders. All training participants will be provided with a certificate of attendance and practical resources that will remain useful long after the course is concluded.
About Us:NPSi provides guidance and support to organizations in adopting mandatory privacy best practices that can be easily and efficiently adopted. In addition, NPSi offers full support to its clients, with toll-free, on-call expertise and our unique Privacy Officer Solution. NPSi brings together the nationally-recognized privacy law practice of McInnes Cooper and the information security expertise of Thor Solutions Inc.
Course content:Our training provides clear and concise guidance on how privacy best practices should be applied in the real world. Our instructors have hands-on experience in applying privacy principles in a way that does not interfere with the delivery of quality services. We combine lecture-style instruction with collaborative workshops, case studies and group learning to make sure that the key concepts of privacy best practices are demonstrated in action, not just in theory.
The Associated Press, via Yahoo! News, is reporting that the Centers for Disease Control are looking for bulk, electronic access to arline passenger lists in an effort to stem the spread of diseases.
Yahoo! News - Delta Shares Flier Data in Health Effort:
"WASHINGTON - Although privacy experts worry about the government gathering personal information on airline travelers, Delta Airlines is handing over electronic lists of passengers from some flights to help stop the spread of deadly infectious diseases...."
This should be elementary to most people: if you sell your hard drive, you should make sure to completely erase its contents. At least one police department didn't know that since a student in Potsdam, Germany, bought their hard drive on ebay and it contained loads of very sensitive police information.
Opening eyes to hackers:
"Europeans bracing for rise in data theft
BERLIN Last month, a student in Potsdam, southwest of Berlin, got more than he bargained for after buying a used computer hard drive for [Euros] 20 on the eBay auction Web site.
The hard drive, worth about $26, contained confidential data from the local police, including procedures for hostage-takings, SWAT-team staffing and an analysis of current threats..."
Labels: information breaches
MSNBC (among others) is reporting that a sheriff in Orange County, Florida used a police database to track down a person who had been critical of him in a letter to the editor:
Called fat, sheriff tracks down reader - U.S. News - MSNBC.com:
"ORLANDO, Fla. - Orange County's sheriff used driver's license records to contact a woman who wrote a letter to the editor of a newspaper criticizing his staff's use of Taser stun guns and describing him as fat...."
Labels: information breaches
Wednesday, April 06, 2005
I noted this article a little while ago, but forgot to blog about it. The proposal is raising some concern among privacy folks. Canadians may be surprised to hear that we already have this database in Canada ... and it uses the Social Insurance Number as part of the tracking code. (I'll post a cite or a reference to the database, if I can remember where I saw it first.)
Alma Mater As Big Brother (washingtonpost.com):
"A proposal by the Education Department would force every college and university in America to report all their students' Social Security numbers and other information about each individual -- including credits earned, degree plan, race and ethnicity, and grants and loans received -- to a national databank. The government will record every student, regardless of whether he or she receives federal aid, in the databank.
The government's plan is to track students individually and in full detail as they complete their post-secondary education. The threat to our students' privacy is of grave concern, and the government has not satisfactorily explained why it wants to collect individual information...."
Labels: information breaches
MSNBC, via HIPAA Blog, reports that a bunch of medical records were scattered around Cleveland after a box of records fell off a truck yesterday.
Patient privacy goes blowing in the wind - Health Care - MSNBC.com:
"About 3,000 highly detailed patient hospital statements blew across busy downtown streets and sidewalks Tuesday after a box fell off a delivery truck, the Cleveland Clinic said...."
Labels: information breaches
This has nothing to do with privacy, but I thought I'd post it in any event because it may be of interest to some of this blog's readers.
The current controversey of the publication ban related to the the testimony of Jean Brault before the Gomery Inquiry into the Sponsorship Scandal (and the circumventing of the publication ban by an American blogger) has generated some questions about the interaction between public inquiries and criminal prosecutions. In second year of law school, I wrote a paper on issues raised by requiring individuals to testify at inquiries, even though they may also be a criminal defendant in a prosecution related to the same facts. The paper was subsequently published in the 2000 edition of the Dalhousie Journal of Legal Studies. For those who are interested, I've posted the article here: Collision Course: Public Inquiries and Criminal Prosecutions.
Labels: information breaches
Security Pipeline | Privacy Pays For Banks:
"A study released today finds that trusting customers are the most profitable for banks, but only if customer privacy is respected.
'In the past, online banking was all about who had the best features and functions,' says Mike Weider, founder and CTO at risk-management solutions company Watchfire Inc. 'Now, issues of trust, privacy, and security are more and more a differentiator between the leaders and the laggards.'
According to the 2005 Privacy Trust Survey for Online Banking, customers with a high degree of trust in their bank are more likely to use online financial services, which generate more profit for banks than offline transactions. The study, sponsored by Watchfire and conducted by the Ponemon Institute, a management-practices research organization, also finds that trusting customers are loyal, with 55% claiming they've never visited another bank's Web site.
The price of that loyalty is an expectation of privacy. Among those with a high level of trust in their bank, 57% indicated that they would stop using online services in the event of a single privacy breach. More than 82% of respondents cited identity theft as their biggest concern should a privacy breach occur. "
Tuesday, April 05, 2005
Another new finding from the Office of the Privacy Commissioner. This one concludes that asking for four -- four -- pieces of ID to set up a cellular phone account is requiring more information than reasonably necessary, contrary to PIPEDA: Commissioner's Findings - PIPEDA Case Summary #288: Identification requirements for cell phone services - February 1, 2005 - Privacy Commissioner of Canada.
A new finding released by the Office of the Privacy Commissioner of Canada deals with the theft of a bank laptop containing personal information. A laptop was stolen from a bank employee's car in an underground parking garage. The info was on the laptop so that a financial advisor could market additional services to the complainant. After the laptop was stolen, the bank proactively notified the individuals whose information was compromised.
One affected individual complained that the bank violated PIPEDA's "use" and "safeguard" principles. Oddly, the Assistant Commissioner found that the bank had his implied consent to "use" the information, but then criticised the bank for not following the Commissioner's guidelines for getting adequate consent. No surprise, the bank fell down on the job of safeguarding personal information.
Commissioner's Findings - PIPEDA Case Summary #289: Stolen laptop engages bank's responsibility - February 3, 2005 - Privacy Commissioner of Canada:
"Application: Principle 4.5, which states that personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law; and Principle 4.7, which stipulates that personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
On the matter of inappropriate use of his personal information, the Assistant Privacy Commissioner noted that the reason the complainant's personal information was on the laptop was that the bank intended to market other bank products and services to him. The bank had sent the complainant two privacy notices that described this practice and offered clients the opportunity to have their names suppressed from the bank's marketing lists. As the complainant had not requested suppression, it would appear that the bank had his implied consent to include his name on such a list, and was acting in accordance with Principle 4.5. When the complainant informed the bank after the theft of the laptop that he wanted his name removed from the list, the bank suppressed it.
She therefore concluded that the use complaint was not well-founded.
As for the safeguards, the Assistant Commissioner noted that, with respect to laptop computers, the bank had policies and procedures in place that required passwords and safe physical storage of the computers. Although these policies and procedures appeared to meet the requirements of Principle 4.7, the financial planner in this instance did not follow the bank's recommendations regarding physical security, and left the laptop unattended on the seat of her vehicle. The Assistant Commissioner therefore found the bank in contravention of Principle 4.7.
The Assistant Commissioner concluded that the safeguard complaint was well-founded.
Hot on the heels of privacy incidents at other University of California campuses, the UC Davis Enterprise is reporting that a hacking of a biology computer may have compromised the personal information of more than one thousand people.
The Davis Enterprise:
"The names and Social Security numbers of about 1,100 UC Davis students, faculty, visiting speakers and staff may have been compromised when someone hacked into a main computer in the university's plant biology section last month.
Letters were sent to notify everyone whose personal information was stored on the computer. University officials said there's no evidence that any unauthorized individuals have actually retrieved or used any personal data on the computer..."
My running tally of privacy incidents, Summaries of incidents cataloged on PIPEDA and Canadian Privacy Law, just might collapse under its own weight...
Thanks to the ever-useful beSpacific for the link to a new US Treasury Department Report on The Use of Technology to Combat Identity Theft. A pretty hefty 116 pages, but an interesting addition to the library.
On a related note, thanks to Schneier on Security for leading me to an equally-lengthy publication by London School of Economics research report on the proposed national ID car scheme for the UK. Tops the scales at 117 pages and also promises to be a good read while I curl up in front of the fireplace this evening.
Thanks to Michael Fitzgibbon at Thoughts from a Management Lawyer for e-mailing me a link to the following article on the coming wave of civil liability related to identity theft. The article is a good read, not only talking about the threat of class action lawsuits, but also the damage to a corporation's reputation from privacy incidents and preparing for the worst.
Identity Theft: The Next Corporate Liability Wave:
"Your phone rings. It's Special Agent Bert Ranta. The FBI is investigating a crime ring involved in widespread identity theft. It has led to millions of dollars of credit card and loan losses for lenders, and havoc in the lives of the 10,000 victims. By identifying links between the victims, the FBI has discovered where the personal data appear to have come from: your company. The victims are some of your customers.
Your mind begins to whirr. Are there other customers affected who haven't been identified yet? Is it a hacker or an inside job? Is your company also a victim here, or could it be on the wrong end of a class action lawsuit?
You recall reading that each identity theft victim will on average spend $1,495, excluding attorneys' fees, and 600 hours of their time to straighten out the mess, typically over the course of a couple of years. For out-of-pocket costs alone that is, say, $2000 per victim. Multiplying that by 10,000 customer victims equals $20 million. Adding as little as $15 per hour for the victims' time and you get $11,000 per case or $110 million in total even before fines and punitive damages are considered. And that's on top of the potential impact on your company's future sales.
The nation's fastest growing crime, identity theft, is combining with greater corporate accumulation of personal data, increasingly vocal consumer anger and new state and federal laws to create significant new legal, financial and reputation risks for many companies...."
Even without laws like PIPEDA, the courts are beginning to recognize that there is a duty of care in some circumstances that extends to taking reasonable measures to protect against facilitating indentity theft. (See HEALTH CARE ASSN WORKERS COMP FUND V BUREAU OF WORKERS DISABILITY from the Michigan Court of Appeals; We'll have to wait and see how the CIBC class action fares here in Canada). For those of us who advise corporations, this is certainly a risk to be aware of.
John Oltsik, an analyst for Enterprise Strategy Group, has in opinion piece in ZDnet about security basics and how elementary steps can be taken to avert privacy disasters. He mentions training as a critical component of securing systems:
Black eye for privacy Tech News on ZDNet:
"... The other elementary security action item is user training. Employees need to know how to recognize and report threats, not act as a patsy. If I want to break into the payroll system, the easiest way to proceed is simply to ask someone in finance for their password. With a bit of 'social engineering'--that is, flim-flam--you'd be surprised how many people will volunteer confidential information. Only 25 percent of companies provide employees with security training; I'd say this is a fundamental problem...."
I have to agree that training is critical for avoiding security disasters. But privacy is not just about security. In too many companies, I have seen the "privacy issue" handed over to the CIO as a technical issue. This may work in the United States where there are no laws governing companies like ChoicePoint and LexisNexis. But this does not fly in Canada.
In Canada, companies have to address the Personal Information Protection and Electronic Documents Act (often known by its snappy acronym, PIPEDA). Security is only one of ten principles that must be followed. The other principles involve accountability, communicating purposes, obtaining consent, limiting collection, use, disclosure and retention, providing access, providing redress.
In Canada, privacy is a multi-disciplinary issue that requires the CIO, HR, internal audit, marketing and just about every other division. I've seen companies that "lock down" all their data, but still let marketing collect way more information than they reasonably need without telling the consumer how the information would be used, in violation of the limiting collection, indentifying purposes and consent principles. I've seen the credit department demand social insurance numbers, which is a no-no under the law. I've also seen well-intentioned people disclose waaaaaayyyyy to much information, resulting in lost jobs and other ill effects.
The companies that do well under PIPEDA are those who see it as a customer service issue and a risk management issue, needing to be integrated into the company's culture and part of its mission to its customers. Everyone who touches customers or customers' information needs to know what they are doing, and how to properly treat and protect customer information. It's a team effort.
The Federal Justice Minister today issued the following press release, announcing changes to the Access to Information Act:
Justice Minister Presents Comprehensive Framework for Reform of the Access to Information Act:
"OTTAWA , April 5, 2005 - The Minister of Justice and Attorney General of Canada, Irwin Cotler, today presented a comprehensive framework for Access to Information reform to the Standing Committee on Access to Information, Privacy and Ethics. The discussion paper outlines the Government's views on access reform issues for the Committee's consideration before the Government proceeds with proposed amendments.
"The Government of Canada is committed to reforming the Access to Information Act (ATIA) so that it meets the needs of Canadians and further strengthens the integrity, accountability and transparency of government operations," said Minister Cotler. "Our reform initiative is organized around two basic principles: first, that freedom of information is a cornerstone of a culture of democratic governance, and second, that the Access to Information Act is a pillar of democracy which the Supreme Court of Canada has described as quasi-constitutional in nature."
The comprehensive framework for reform set forth in the Discussion Paper has been guided and inspired by the work done by the ATI Review Task Force, by proposals put forth in Private Members' Bills, and by proposals made by others. Highlights include:
- Expanding coverage under the ATIA to more Crown Corporations and other entities, such as Alternate Dispute Delivery Organizations.
- Proposing the possible extension of the ATIA to the Office of the following Agents of Parliament: the Information Commissioner, the Privacy Commissioner, the Commissioner of Official Languages, the Chief Electoral Officer, and the Auditor General.
- Modernizing exclusions and exemptions relating to such matters as Cabinet confidences, among others.
- Updating current Access to Information processes such as fee collection and t ime limits for processing Access to Information and Privacy requests.
- Introducing new administrative reforms such as providing specific training in information management and disclosure of information to executives and public servants, and upgrading tools to assist institutions in processing access requests or to track timelines.
"Considering the magnitude and impact of the ATI Act, we must come together as Parliamentarians to discuss it, we must hear from expert witnesses, we must consider all elements, all perspectives, all people," said Minister Cotler. "We all share a common goal: to have the most comprehensive and workable access legislation possible. The Committee plays an invaluable role in the reform of legislation, and its input is essential indeed, a prerequisite before tabling amendments"
While the Government of Canada agrees in principle with many of the proposals made in the Private Members' Bills and recommendations contained in the Task Force report, the proposed changes are complex and require further study and Parliamentary and public input. The comprehensive framework provides the vehicle for launching this dialogue.
For more information about the Access to Information Act, visit:
To read the discussion paper "A comprehensive Framework for Access to Information Reform: A Discussion Paper, April 2005," visit: http://canada.justice.gc.ca/en/dept/pub/ati/index.html
To read the "Report of the Access to Information Review Task Force ," visit: http://www.atirtf-geai.gc.ca/report2002-e.html
Director of Communications
Office of the Minister of Justice
Media Relations Office
Department of Justice Canada
Labels: information breaches
In the aftermath of the Berkeley laptop theft (see PIPEDA and Canadian Privacy Law: Incident: Stolen Berkeley Laptop Exposes Data of 100,000), the University Chancellor has sent a letter to all affected individuals. (Secondary Screening has a copy of the letter online.) It is a good example of damage control and worth reading.
The letter also outlines what the University is doing about the problem and I have to applaud them for taking the initiative to adopt a policy of mandatory encryption of computer systems containing personal information:
Secondary Screening: Berkeley Chancellor on Data Theft:
"2. While this expedited audit is underway, we will move quickly to require the full encryption of all personal information stored on departmental computer systems. We will also require all units on campus to review again personal data stored on departmental machines and to remove all unessential data."
As I've mentioned before (PIPEDA and Canadian Privacy Law: Managing privacy risks using basic technology), encryption can often be your last line of defence if everything else breaks down.
Monday, April 04, 2005
Bob Sullivan, on MSNBC, hits the nail right on the head: the reason why personal information is so valuable and why ID theft is so easy, is that it it can be used by an impostor to get instant credit. I'm starting to believe that if companies did more to verify the identity of borrowers, the torrent of ID theft would slow down and maybe even dry up.
MSNBC - Is your personal data next?:
"... Theft of personal data is prevalent for one simple reason: the data is incredibly valuable. It's time Congress and U.S. financial institutions take an honest look at why that it is, at the only reason anyone wants to steal all that personal data in the first place: the free-flowing, overflowing issuance of instant credit.
Today, consumers can walk into virtually any electronics store with an empty wallet and walk out with a $3,000 television set in a few moments. Often, all that's required is a Social Security number that happens to be attached to a decent credit rating. As long as these stolen nine digits are worth $3,000 or more, criminals will always find a way to take them.
Only meaningful reform of the way our nation distributes instant credit will change this equation. Hackers will always steal what's valuable; only by de-valuing personal information like Social Security numbers will the rash of high-tech data thefts stop...."
Labels: information breaches
Thanks to Rob Hyndman for sending me this link.
The New York Times has been noticing that universities offer a plentiful supply of privacy incidents, not only related to student information but also information about research subjects. The article does a good job of noticing the problem and thinking about its root cause:
The New York Times > Technology > Some Colleges Falling Short in Security of Computers: "... Data collected by the Office of Privacy Protection in California, for example, showed that universities and colleges accounted for about 28 percent of all security breaches in that state since 2003 - more than any other group, including financial institutions.
'Universities are built on the free flow of information and ideas,' said Stanton S. Gatewood, the chief information security officer at the University of Georgia, which is still investigating a hacking incident there last year that may have exposed records on some 20,000 people.
'They were never meant to be closed, controlled entities. They need that exchange and flow of information, so they built their networks that way.'
In many cases, Mr. Gatewood said, that free flow has translated into a highly decentralized system that has traditionally granted each division within a university a fair amount of autonomy to set up, alter and otherwise maintain its own fleet of networked computers. Various servers that handle mail, Web traffic and classroom activities - 'they're all out in the colleges within the university system,' Mr. Gatewood explained, 'and they don't necessarily report to the central I.T. infrastructure.'..."
Labels: information breaches
Should parents be able to see children's library records? Amanda Welsh points out an article about a bill in Maine, sponsored by Rep. Randy E. Hotham, that would require public libraries to tell parents what books their children have checked out.
The bill is definitely part of a trend ... what do librarylaw blog readers think? Should parents be able to see their children's records, and if so how should "parents", "children" and "records" be defined? My thoughts, generally, on the topic are here.
For more on this topic, see PIPEDA and Canadian Privacy Law: Privacy and Public Libraries, which links to a presentation on the topic and has a bit of a dialogue with Mary in the comments.
Privacy Violation in Italian Media Giant. orzetto writes "Italian newspaper La Repubblica is reporting that Silvio Berlusconi's company, Mediaset (that owns three of the six main TV stations in Italy), has been tagging employees with Rfid chips since last December (for English version, ask the fish).
The chips would allegedly be able to track the movements of any worker, even if Mediaset spokesmen say it's only to automatically open some doors to authorized personnel only and such things. Trade unionists from CGIL have reported the company's behaviour to the authorities, as it would be in violation of the Italian workers' charter (again, fish). This would probably be small news (yet another bad employer) if Silvio Berlusconi were not the Italian Prime Minister, violating the same laws he should enforce." [Slashdot: Your Rights Online]
Professor Michael Geist, in his blog, is reporting on the BC union's loss in the courts in the battle against the provincial government's outsourcing of medicare processing services. The court opined on the adequacy of privacy protection in the oursourcing arrangement: B.C. Government and Services Employees' Union v. British Columbia (Minister of Health Services), 2005 BCSC 446.
www.MichaelGeist.ca - B.C. Court Dismisses Privacy Claim Over Data Outsourcing :
"The British Columbia Supreme Court has dismissed a claim by a B.C. union challenging the outsourcing of the management of health information to a U.S. company. The court emphasized the importance of privacy protection, but concluded that 'the contractual provisions, the corporate structure, and the legislative provisions provide more than reasonable security with respect to records in British Columbia.' It also noted that 'all reasonable steps to ensure the confidentiality of the information which Maximus will receive in order to discharge its contractual obligations. Privacy is not absolute.' Case name is BC Govt Serv. Empl. Union v. British Columbia (Minister of Health Services).
A very interesting decision since it may set the standard for the privacy issues and protections to consider when creating a data outsourcing to the United States. The case is part of an ongoing battle dating back to last summer over the Patriot Act and the protection of Canadian personal information. As I argued with Milana Homsi, the real issue is not the outsourcing of data to the U.S. Rather, it is the ability of U.S. courts to assert jurisdiction over Canadian organizations with even a small U.S. presence, which, notwithstanding PIPEDA, effectively limits the privacy protection enjoyed in Canada."
Sunday, April 03, 2005
Discussion of RFID enabled passports has been going on for some time in the privacy community, but it is starting to hit the mainstream press:
Yahoo! News - Privacy Advocates Criticize Plan To Embed ID Chips in Passports:
"... State Department officials said the chips are part of a global effort to prevent passport fraud. Each chip will contain a digital record of all information printed on the passport, including the holder's name and document number. The chip will also contain the passport holder's photograph, enhanced by facial recognition technology. That way, even if the paper passport is altered, customs agents would be able to compare the information on the chip with the person presenting it....
"If you're walking around in Beirut, it would be well worth Al Qaeda's money to use one of these readers to pick out the Americans from the Swedes without any problem," said Barry Steinhardt, director of the American Civil Liberties Union's technology and liberty program...."
Saturday, April 02, 2005
Couldn't help but post this, from Cagle's Cartoon Index:
RAND has released an interesting report on the use of RFID in the workplace. While the future and potential uses of RFID has gotten a lot of press lately, not much discussion has taken place about the thousands of companies that are currently using the technology for controlling access to buildings. Few companies have policies about how the information collected will be used and how long it will be maintained. In short, companies need to give this matter some thought, document their practices and let their employees know about it.
RAND | Privacy in the Workplace: Case Studies on the Use of Radio Frequency Identification in Access Cards:
"Companies use RFID workplace access cards to do more than just open doors (e.g., for enforcing rules governing workplace conduct). Explicit, written policies about how such cards are used generally do not exist, and employees are not told about whatever policies are being followed. Using such systems has modified the traditional balance of personal convenience, workplace safety and security, and individual privacy, leading to the loss of "practical obscurity." Such systems also raise challenges for the meaning and implementation of fair information practices."
Thanks to the Surpriv blog for the link: Surpriv: RFID Surveillance and Privacy: RAND Study of RFID Access Badge Data Policies and Practices.
Adam Shostack's Emergent Chaos is carrying an extract from an extensive interview with Richard Baich, the CISO for ChoicePoint. The article is from a "subscribers only" site, but Adam has reproduced much of it in his posting: Emergent Chaos: Information Security Magazine on Choicepoint.
Friday, April 01, 2005
A minor controversey is brewing here in Halifax over surveillance on Spring Garden Road, Halifax's principal shopping street. (See PIPEDA and Canadian Privacy Law: Surveillance cameras coming to Halifax's public places.) Merchants on the street are increasingly distressed by the number of young 'uns and panhandlers who hang out on the street, intimidating the shoppers. A lack of police on the street has led them to hire their own rent-a-cops. Now the merchants association wants to install their own video cameras to monitor the sidewalks and other public spaces. This has led to some comment, including an editorial from Bruce Wark in The Coast:
Upfront - Columnists - The Coast (MARCH 31 - APRIL 7 2005):
"The friendly folks at the credit union want to “see” my face and eyes, but they also have designs on my ears. The lobby with the cash machines is filled with the din of a happy voice informing me from overhead speakers about the incredibly low rates the credit union charges for loans. I do not want any more loans thank you, just reasonable fees, decent service and at least a tiny bit of interest on my savings. But the happy voice says nothing about that—at least, not as far as I can tell. A couple of weeks ago, the sound system went to rat shit. When I visited last Sunday, there was still a happy-voiced roar but it was so muffled, I couldn’t make out any words. Call me bitter and twisted, but as far as I can tell, the folks at the credit union do not “see” my face at all—the face of a longtime customer and financial supporter. No, to them, I look like either a potential criminal, or a stupid fool they can peddle loans to.
I guess I shouldn’t be too hard on the friendly folks at the credit union. They’re merely following the latest surveillance and marketing trends. In some Nova Scotia high schools for instance, administrators with expensive cameras spy on teenaged students while also selling the teenage thirst for soft drinks and fruit juices to the cola companies. (The high schools get kickbacks from the vending machines in exchange for giving the companies exclusive access to their students.) Some of our fine universities charge young adults sky-high tuition fees, then watch them with cameras and peddle them to big corporations. Ah yes, the morning Ethics 1000 class (enrollment 800) will be held in the Dominion Petroleum Building, in the Bank of Big Profits Lecture Hall, just down the corridor past the spy cams. And students, don’t forget to buy lunch cooked up by International Plasti-Foods Inc. in the Chemical Corporation Dining Room. Happy learning!
Now some Spring Garden merchants are yammering about the need for surveillance cameras on Halifax’s main drag where “young hooligans” have been swarming and robbing. As I see it, the call for spy cams is part of the ongoing campaign against panhandlers, the homeless and otherwise down-at-the-heel citizens, too poor to spend serious coin in Spring Garden boutiques, beauty parlours, eateries and watering holes. Mind you, as a solid middle-class burgher with a big, no-interest savings account at the Heritage Credit Union, I’m not defending swarming and robbing. But I can’t see how surveillance cameras will solve our social problems. Call me bitter and twisted, but I’d say some Spring Garden merchants see those of us on the public sidewalks as either criminals-in-waiting who need to be spied on, or gullible fools who can be made to believe that a few spy cams will make the world safe. I can just see the signs now: “We love to see your faces... and for security reasons, please remove all hats, helmets and sunglasses when ambling down our lovely Spring Garden Road.”""
There does not appear to be any malevolence at play in this incident. According to CNET, one of the largest banks in Japan has lost hundreds of thousands of customer records as a result of combining different IT systems. I call it an "incident" because the code of fair information practices requires a custodian to protect information against loss.
Lost: Data from 270,000 bank accounts | CNET News.com:
"Japanese bank Mizuho said it has lost the confidential data of 270,000 account holders. Mizuho Financial Group, which owns the retail bank, said it had lost customer account numbers and names at 167 branches over several years, according to a Financial Times report on Wednesday. The bank is said to have suffered problems integrating systems and managing data since it was formed three years ago...."
Labels: information breaches
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.