The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

About this page and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

For full contact information and a brief bio, please see David's profile.

Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.

Small Print

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.

Saturday, December 31, 2005

ID thief trolled sex offender registry for targets 

Here's an interesting one: Police in Arkansas have arrested a man for using information gleaned from the state's sex offender registry to get credit cards and tax refunds in the names of those offenders. He was busted at a routine traffic stop when the police officer noticed unusual files in the person's car.

See: Police: Ark. Man Stole Sex Offender IDs - Yahoo! News.


New privacy laws come into force in the US at midnight 

January 1 is a convenient time to bring new laws into effect. It seems like only two years ago that PIPEDA came fully into force for those of us in Canada. (And almost two years since this blog came into being.) The Associated Press has a summary of new US state laws, some of which are in reaction to the high-profile privacy breaches of the last year. Check it out:

New Year Brings Array of New State Laws - Yahoo! News

...This year, several states will take action to guard against the theft and misuse of personal information as more and more commerce moves to the Internet; several companies admitted in 2005 that hackers got into their supposedly secure databases. New Jersey and Virginia will bar making public a person's Social Security number, while Minnesota will require businesses that hold such information to quickly notify clients if there is a breach of security.


David Canton's PIPEDA predictions for 2006 

David Canton, in his regular London Free Press Column, is making a few predictions for 2006. He leads off his column with predictions about privacy in Canada:

London Free Press - Business - Expect PIPEDA debates

The Personal Information Protection and Electronic Documents Act (PIPEDA) is slated for review in 2006. Expect debate to rage on controversial issues such as whether individuals should be notified if their personal information is compromised.

Another issue is processing data outside Canada, common in a connected world. It raises issues regarding the ability of foreign governments to view our personal information -- without our knowledge, without judicial oversight, and despite contractual arrangements to the contrary.

A privacy issue that may come before the privacy commissioner is the printing of full credit or debit card numbers on receipts. This matter has not been the focus of a complaint to the privacy commissioner's office.

Many privacy commentators, myself included, believe that putting full credit or debit card numbers on either the customer's or the company's copy of a receipt is a violation of PIPEDA. The printing of those numbers serves no purpose and increases the risks of fraud.


Thursday, December 29, 2005

2005 worst year for breaches of computer security 

USA Today is reporting that 2005 has been the worst year yet for computer security and security of personal information. Maybe... Equally likely: it was the year that we heard about breaches that otherwise would have been swept under the carpet. The only difference is the range of laws following in California's footsteps. See: 2005 worst year for breaches of computer security - Yahoo! News.


Automated fare system upsets some in Boston 

The ACLU is getting a bit hot and bothered about a new fare system about to be implemented by the Boston area transportation authority. Tokens are being phased out and replaced by debit-type fare cards. Riders can purchase a pre-loaded fare card that is discarded when used up, but others can opt for a reloadable pass that is connected to their bank account. The system will track where and when the cards are used (a sensible auditing function). The ACLU is concerned that riders who opt for this choice will be sacrificing privacy for convenience since their records will be available if the transit authority is served with a subpoena or a search warrant. It seems a little overblown, as long as consumers know they have the choice of an anonymous option and make the decision knowingly. See: T defends automated fare system against privacy concerns - The Boston Globe.


Files on welfare-to-work clients found in dumpster 

After someone found files containing personal information on welfare-to-work clients (including names, addresses, SSNs) in a dumpster, the San Joaquin County Office of Education in California is investigating. Apparently they were left in a car sold by a former department employee who didn't care enough to collect them when informed by the buyer that a box of stuff was left in the car. See: County probes confidential files in trash.


Edmonton pawnshop owner takes a stand over electronic reporting of personal information of customers to police 

As of January 1, 2006, pawnshop operators in the City of Edmonton will be required by a city bylaw to enter information about customers into a database that will be electronically transmitted to the police. Kelly Buryuniuk has always collected this sort of information, as required by law, but he is not at all happy with having to send it to the cops, particularly via a private contractor. He says he is concerned about the security of that data. The pawnshop operator says he will defy the bylaw, even if it gets his license suspended. The Information and Privacy Commissioner of Alberta is reviewing the system. See: edmontonsun.com - Edmonton News - Standoff brewing.


Wednesday, December 28, 2005

Incident: Marriott missing backup tapes with records of 206,000  

Marriott International's timeshare division has started to notify customers, employees and credit card companies that backup tapes with records (including SSNs) of two hundred six thousand individuals are missing. There is no info on whether the data has been used for nefarious purposes and Marriott cannot determine whether it is just missing or stolen. See: Marriott Discloses Missing Data Files.


Privacy concerns about online library service: patron records available for others to see 

Mary Minnow, at the Library Law Blog, has recently posted about a service called Library Elf. This service plugs into your local library's computer system so you can see what books you have checked out, when they are due back and the status of any holds you have. In using the system, Mary has found that you can see other patrons' records. She isn't happy about that.

See: LibraryLaw Blog: "This card is viewed by other accounts" - an update on the Library Elf and your privacy and LibraryLaw Blog: Breaking Discovery - Library Elf blasts a giant hole through privacy - and why I terminated my account.


Monday, December 26, 2005

Legal Analysis of the NSA Domestic Surveillance Program: 

Orin Kerr at the Volokh Conspiracy has a lengthy Legal Analysis of the NSA Domestic Surveillance Program that is worth a read. The post also has hundreds of intelligent (and a few not so) comments from readers who are taking a close look at the legality of the recently-revealed and White House ordered NSA domestic surveillance operations.


Breach notification law debate continues in the US 

Today's Los Angeles Times is running a lengthy article on the debate over federal legislative responses to security breach violations involving personal information. On one hand are organizations like EPIC and Consumers Union, which do not want the federal law to override stronger state laws and want to keep the threshold for notification low. On the other hand are banks and information brokers who want the federal law to preempt state laws and to only require notification if there is a "significant risk of fraud" using the compromised information. Otherwise, it is argued, consumers will begin to ignore the flurry of notices they'll likely receive.

The article is also interesting because it sheds additional light on a study released this fall that suggested there is a low risk of fraud when information is compromised. I noted the study in this blog (The Canadian Privacy Law Blog: Study on data breach fallout), and noted that there was nothing in the original about its methodologies. The LA Times article suggests it was flawed and may not actually measure anything particularly useful:

Data Brokers Press for U.S. Law - Los Angeles Times:

"It's an area of policy in which legislation is driven by hysteria," Cate said. "There's just very little theft of data going on that is actually being used to commit identity theft."

Another study was announced this month by San Diego-based ID Analytics Inc., which described its findings in House testimony, to senators on two relevant committees and to the media. That generated news stories with such headlines as "ID Theft Fears Overblown, Study Says" and "Good News on ID Theft."

The firm earns money by helping banks figure out whether credit card applications might be fraudulent, and banks are among the institutions most actively opposed to new notification requirements.

The company said it studied four major losses of personal information, which it didn't identify or explicitly claim were representative, and found that less than one person in 1,000 was victimized by fraud as a result.

But ID Analytics looked only for what it called signs of "organized misuse" — for example, if a criminal gave himself away by using the same contact telephone number for two people whose information had been obtained in the same breach. In an interview, ID Analytics Vice President Mike Cook said he didn't know what proportion of fraud would leave that sort of fingerprint.

He also acknowledged that to be detected by the study, a criminal needed to seek credit or make a purchase from a client of ID Analytics — largely unnamed banks and cellular phone companies.

"If someone steals identities and created checks, passed bad checks at a supermarket, we probably wouldn't catch that," Cook said.


A to Z in techlaw (with some privacy for good measure): 2005 in review 

Michael Geist continues his annual tradition with Apple to Zundel, the year in tech law.


Credit card info taken from Guidance Software is used in fraudulent activity 

I reported last week that Guidance Software Inc.'s customer database had been hacked (The Canadian Privacy Law Blog: Incident: Computer forensics firm hacked; credit card info of 3800 customers compromised). Now, there are some reports that some of the credit card numbers taken have been used in fraudulent activity:

The ChronicleHerald.ca: Hackers infiltrated key police database

...John Colbert, chief executive of Guidance, said the attack "is ironic, but it highlights that intrusions can happen to anybody. It’s not a matter of if, but of when, so nobody should be complacent about their (computer network) security."

The Los Angeles Electronic Crimes Task Force is leading an investigation, along with the U.S. Secret Service and FBI, Colbert said. He said the breach has led to "a few instances of fraud" involving the stolen credit card numbers.


For additional coverage, see:


Sunday, December 25, 2005

First-hand account of info leak scare 

Today's Dallas Fort Worth Star Telegram has a first hand account written by a recipient of a letter from ABN AMRO warning that his personal information was among that temporarily lost by a courier company. The author, Dave Lieber, did a bit of digging around and found he wasn't alone. In fact, he was among 57 million individuals affected by more than 142 recently-reported data breaches/losses. As it turns out, his information was soon found but he's going to be keeping a more watchful eye on his bank statements and credit reports.
 

The best preventive measure is to regularly check your credit report for suspicious activity.

A Web site - www.annualcreditreport.com - lets you request a free credit report from each of the three major credit bureaus each year. Chris Hoofnagle, senior counsel with the Electronic Privacy Information Center, suggests you ask for one report every four months.

"You end up monitoring your credit so if something bad happens, you can quickly intervene," he said.

What are you looking for? "Anything that appears out of the ordinary," he said. Credit card "accounts that do not belong to you. Also, addresses and personal information that do not pertain to you. If there are errors, you call the credit reporting agencies and try to correct them."

Frederick Scholl, a security expert in New York, told me that he monitors his credit reports and his bank statements.

"People have gotten too lax," he said. "If you have Internet access, you can go in and check your statements on a regular basis and look for charges on your accounts. It just means you need to look at your own personal information statements on a regular basis more than you did in the past."

Hoofnagle says: "There's little an individual can do to prevent crime, but there are things you can do to reduce the risk.


Identity theft of hospital patients and the recently deceased 

The Red Tape Chronicles from MSNBC.com recently ran an article on identity theft that is connected to hospital stays and what patients can do to protect themselves. The article itself is interesting, but there are dozens of comments that are equally illuminating:

Hospital ID theft: How to protect yourself - The Red Tape Chronicles - MSNBC.com

Stories of nurses, patients, and visitors stealing identities from the sick can be ripped from the headlines across America, like the story of a nurse in a Philadelphia hospital who gave terminally ill patients' identities to a crime ring. They drained the patients' accounts and obtained $10 million in fraudulent mortgages using the stolen personal information.

"They’re like vultures. You wonder how people can be so horrible," said Mari Frank, an ID theft victim lawyer and author of two books on the subject. "They think, 'Who cares, he's going to die anyway.' "

It's hard to imagine, particularly if you trust your doctor and your hospital. But do you trust the patient across the hallway? And all his visitors? The grim reality is, identity theft is a peril for hospital patients, another concern sick and dying people, and their families, must put on their checklists.

Fortunately, there are some things you can do to protect the privacy of people you love while they’re recovering in the hospital....

Thanks to Privacy Digest for the link.


Incident: Personal information of Iowa State University donors and employees hacked 

Saturday, December 24, 2005

New TSA passenger screening guidelines, courtesy of the Onion 

Here are the latest TSA guidelines for the traveling public, courtesy of The Onion, which bills itself as America's finest news source. Thanks to Schneier on Security for the link.


Story about feds visiting after request for Mao book is a hoax 

From the same source that originally reported the story comes news that the story about a visit from federal agents following an interlibrary loan request for Mao's Little Red Book is a hoax. The student now admits making up the story:

Federal agents' visit was a hoax: 12/24/2005

Student admits he lied about Mao book

By AARON NICODEMUS, Standard-Times staff writer

NEW BEDFORD -- The UMass Dartmouth student who claimed to have been visited by Homeland Security agents over his request for "The Little Red Book" by Mao Zedong has admitted to making up the entire story.

The 22-year-old student tearfully admitted he made the story up to his history professor, Dr. Brian Glyn Williams, and his parents, after being confronted with the inconsistencies in his account.

Had the student stuck to his original story, it might never have been proved false.

But on Thursday, when the student told his tale in the office of UMass Dartmouth professor Dr. Robert Pontbriand to Dr. Williams, Dr. Pontbriand, university spokesman John Hoey and The Standard-Times, the student added new details.

The agents had returned, the student said, just last night. The two agents, the student, his parents and the student's uncle all signed confidentiality agreements, he claimed, to put an end to the matter.

But when Dr. Williams went to the student's home yesterday and relayed that part of the story to his parents, it was the first time they had heard it. The story began to unravel, and the student, faced with the truth, broke down and cried.

It was a dramatic turnaround from the day before.

For more than an hour on Thursday, he spoke of two visits from Homeland Security over his inter-library loan request for the 1965, Peking Press version of "Quotations from Chairman Mao Tse-Tung," which is the book's official title.

His basic tale remained the same: The book was on a government watch list, and his loan request had triggered a visit from an agent who was seeking to "tame" reading of particular books. He said he saw a long list of such books.

In the days after its initial reporting on Dec. 17 in The Standard-Times, the story had become an international phenomenon on the Internet. Media outlets from around the world were requesting interviews with the students, and a number of reporters had been asking UMass Dartmouth students and professors for information....

I reported on the original story (The Canadian Privacy Law Blog: Borrow the wrong book and get it personally delivered by the feds) as did hundreds of other blogs, assuming it to be true. Well, it simply was not, which shows the risk of believing what you read on a blog, or in the conventional media (since the story originated with the South Coast Times of Massachusetts).

I tend to agree with most of what Bruce Schneier observes on this latest turn of events:

"I don't know what the moral is, here. 1) He's an idiot. 2) Don't believe everything you read. 3) We live in such an invasive political climate that such stories are easily believable. 4) He's definitely an idiot."

I won't tell which parts I agree with most ...


US News reports that law enforcement monitored mosques and Muslim homes for radioactivity without warrants 

More information is coming out about the use of warrantless surveillance in the United States as part of the war on terrorism. One of the latest revelations comes from US News and World Report, which reports that US law enforcement have used radiation monitors to look for radioactive materials at mosques and the homes of Muslims in the US. See: USNews.com: Nation and World: EXCLUSIVE: Nuclear Monitoring of Muslims Done Without Search Warrants (12/22/05).

This sort of surveillance raises some different issues than wiretapping or wholesale surveillance of communications. Is there an expectation of privacy in incidental emissions from your property? Is this different from infrared imaging (Supreme Court of Canada considers different species of personal privacy) or alcohol detectors (Alcohol sensor an invasion of privacy?)?


Handle your incident well and good publicity may follow 

Being involved in an incident in which the records of two million customers go astray is not at all pleasant. But the good news is that, if you handle it right, you may actually get some good publicity. Case in point:

Three Cheers for ABN - Yahoo! News:

... So now for the good news: ABN AMRO is run by a bunch of standup folks, and the gents at DHL aren't far behind. True, I could criticize ABN for failing to, say, task a VP to personally cart its data tapes from warehouse to warehouse, and for instead shipping this valuable information like so many pounds of unwanted fruitcake. I could also place DHL in the same butterfingers basket at UPS. But in honor of the holiday season, I'll say instead what these companies did right.

DHL, for its part, upon learning on Nov. 18 that a data tape had gone missing, left no stone unturned trying to find it -- and ultimately did find it after a monthlong search. ABN gets credit for helping in the search and for (relatively) quickly informing its at-risk customers of the loss. But ABN gets extra credit for what it did after DHL found the tape.

Although the package containing the data tape was discovered apparently unopened, ABN volunteered to pay for one full year of credit monitoring for each of its 2 million clients who might conceivably have had their data compromised. That beats out Citigroup's June offer by 275 days, and it matches the offers from Ameritrade, ChoicePoint, and Reed.

Finally, ABN has determined that it will not let this situation ever happen again. From here on out, the company announced last week that it will discontinue outsourced shipping of sensitive personal data on tapes and switch to using only encrypted electronic means to transfer such data. Welcome to the 21st century, ABN. I just wish you had more company.


Incident: personal information-containing PC stolen from Ford Motor Co. 

Seventy thousand employees of the Ford Motor Company are affected by the theft of a PC that contained employee data, including social security numbers, according to CNN: Tech crime gets personal at Ford; computer files stolen - Dec. 22, 2005. So far, investigations haven't shown any fraudulent use of the data.


Analyst calls for more action to protect consumer information 

From Line 56, an eBusiness Executive Daily:

Line56.com: Data Loss Incidents:

After a lull during which there weren't many high-profile data loss/theft incidents, 2005 is finishing with a couple of embarrassments. This month, ABN AMRO Mortgage Group, Ford, and Sam's Club went through such incidents. ABN AMRO lost computer tape with information on roughly 2 million customers, Ford reported the theft of a company computer containing data about 70,000 current and former employees, and Sam's Club disclosed that 600 gas cardholders who had bought gas from the company had been hit by credit card fraud.

The bottom line, says Gartner Analyst Avivah Litan, is that 'despite more than a year's worth of highly publicized security breaches, not nearly enough has been done to protect U.S. consumers' data.' She points out that the problem begins at the top: 'Identity-theft-related legislation is currently stalled in Congress. Moreover, third-party data brokers remain entirely unregulated, so it is likely that many more serious breaches have not been brought to public attention.'

It isn't just a question of government regulation, though. Litan points out that many different groups can do more when it comes to fighting the problem....


Domestic surveillance by the NSA much more widespread than first reported, according to the New York Times 

There has been a huge amount of press in the last little while addressing the revelation that, since September 11, 2001, George Bush authorized interception of domestic communications by the National Security Agency without review by the Foreign Intelligence Surveillance Court. Now, the New York Times is reporting that the National Security Agency has collected much more information than originally reported and is using data mining techniques on the amassed trove of data:

Spy Agency Mined Vast Data Trove, Officials Report - New York Times:

WASHINGTON, Dec. 23 - The National Security Agency has traced and analyzed large volumes of telephone and Internet communications flowing into and out of the United States as part of the eavesdropping program that President Bush approved after the Sept. 11, 2001, attacks to hunt for evidence of terrorist activity, according to current and former government officials.

The volume of information harvested from telecommunication data and voice networks, without court-approved warrants, is much larger than the White House has acknowledged, the officials said. It was collected by tapping directly into some of the American telecommunication system's main arteries, they said.

As part of the program approved by President Bush for domestic surveillance without warrants, the N.S.A. has gained the cooperation of American telecommunications companies to obtain backdoor access to streams of domestic and international communications, the officials said.


Friday, December 23, 2005

All the best for the holidays from The Canadian Privacy Law Blog 

To the readers of the Canadian Privacy Law Blog,

Merry Christmas, Happy Chanukah and all the best for 2006!

The above were drawn by two of the three best kids in the world. I haven't explained creative commons to them yet, so if you want to re-use either of them, you should probably drop me a line.


High visibility for Canadian law bloggers 

Lately, Canadian blogging lawyers have been getting a lot of press in the more conventional media. Alan Gahtan's recent article in The Law Times (reproduced on his great blog) is a case in point, as is this recent article in the CBA's PracticeLink: New Media Marketing, Part I - Blogs--How Lawyers Can Become Thought Leaders in a Niche Market.

The CBA article in particular contains a bunch of pointers for any lawyers who are thinking about hopping on the bandwagon. It truly is amazing how easy it is to get started. Don't be intimidated because the technology lawyers were the first onboard. It is not because of any technical expertise prerequisite.

And blogging means you'll likely get to know some of the greatest lawyers around, like David Canton, Rob Hyndman, Alan Gahtan, Michael Geist, Johannes Schenk, and Michael Fitzgibbon.


Alcohol sensor an invasion of privacy? 

Police in Florida (and elsewhere, I am sure) are adding to their arsenal against drinking and driving by deploying something called a Passive Alcohol Sensor. It looks like an ordinary flashlight, but it sucks in a sample of the air where it is pointed and analyses it for the presence of alcohol. Some are calling it an invasion of privacy while others say it is just an extension of a police officer's nose.

See some coverage from NBC-2 from Southwest Florida: NBC2 News Online - Alcohol sensor an invasion of privacy?. There's also a link to video of the story.

The Passive Alcohol Sensor is made by PAS International, which describes the technology thusly:

PAS IV:

The P.A.S. IV Alcohol Screening System combines: a) high-intensity, super-beam flashlight technology with b) a dynamic sampling system and c) a miniature alcohol sensor. It “sniffs” ambient air, the breath, open containers, or enclosed spaces for the presence of alcohol. The P.A.S. functions as a non-intrusive “extension of the operator’s nose.”

The P.A.S. is a hand-held, rapid alcohol detection instrument using a platinum electrochemical fuel cell sensor of high alcohol specificity, accuracy and stability. Designed for law enforcement, industry, corrections, transportation agencies, and educational facilities. The operator-controlled sampling system guarantees accurate detection of alcohol, and is especially suited for quick subsequent measurements.

The P.A.S. is used to check alcohol presence/absence with or without a subject’s direct participation. When used without the subject’s direct participation it is known as passive sampling, as opposed to active testing where the subject blows directly into a mouthpiece or the intake port. The P.A.S. can also be used to detect open containers of alcoholic beverages, or to detect low, ambient levels of alcohol in enclosed spaces such as vehicles, jail cells, or classrooms.


Police track text message senders in Sydney riot investigation 

The investigation of the recent racial riots in Sydney, Australia, is another reminder that text messages sent by cell phone are logged and are useful for police investigations: Police track text message senders - National - smh.com.au.


Thursday, December 22, 2005

Update: Tape containing information on 2M mortgage customers found 

An update to my earlier post: The Canadian Privacy Law Blog: Incident: Tape containing records of 2 million mortgagors lost ...

The tape in question has been found, the company has announced. It apparently was in the local courier facility without its airbill attached. See: ABN Amro US mortgage unit retrieves lost data tape.

The company has also announced that it has suspended moving customer data by tape and will switch to encrypted, electronic communications.


Wednesday, December 21, 2005

Incident: Computer forensics firm hacked; credit card info of 3800 customers compromised 

This has got to be a pretty embarrassing letter to write ...

More than three thousand customers of Guidance Software Inc. have been told that the company's network has been hacked, compromising credit card and personal data of customers.

Computer forensics firm’s database hacked
The credit card numbers of 3,800 Guidance Software people were exposed

DECEMBER 21, 2005 (COMPUTERWORLD) - The customer database of computer forensics firm Guidance Software Inc., a provider of software that diagnoses computer break-ins, has been hacked.

The Pasadena, Calif. company said in a Dec. 13 letter to its customers that the breached database contained credit card numbers of 3,800 people. The database also contained the expiration dates and card verification numbers of those credit cards as well as the names, addresses and telephone numbers of the customers, according to the letter from Guidance CEO John Colbert. The database did not contain any customer financial data that could put them at risk of identity theft, he said.

“Guidance is taking this matter very seriously,” Colbert said in the letter. “Upon learning of the incident on December 7, we have been working quickly to investigate the unauthorized network activity and remediate the person’s method of access. The next day (December 8) we referred this incident to the U.S. Secret Service, who have begun their own investigation. Of course, our investigation is ongoing, and we will continue to cooperate fully with law enforcement in its investigation as well. To prevent any further unauthorized access of your personal information, we have also deleted all of your credit card information from our customer database.”

The letter from Colbert was provided to Computerworld by Michael Kessler, president of Kessler International, a New York-based computer forensics investigation company. A Guidance spokeswoman confirmed the information contained in the letter, but declined to comment further because of the ongoing investigation....


Well-respected US judge calls for wholesale electronic surveillance of US citizens

This is one of the more interesting and surprising op-ed pieces I have seen in a while. While most commentators are upset over the most recent revelations about domestic surveillance in the US, Justice Richard Posner of the US 7th Circuit Court of Appeals has written an opinion piece for the Washington Post calling for more widespread electronic surveillance of Americans. He argues that review by computers is not an invasion of privacy, since the data is only sifted by a computer rather than by an actual person.

Our Domestic Intelligence Crisis

These programs are criticized as grave threats to civil liberties. They are not. Their significance is in flagging the existence of gaps in our defenses against terrorism. The Defense Department is rushing to fill those gaps, though there may be better ways.

The collection, mainly through electronic means, of vast amounts of personal data is said to invade privacy. But machine collection and processing of data cannot, as such, invade privacy. Because of their volume, the data are first sifted by computers, which search for names, addresses, phone numbers, etc., that may have intelligence value. This initial sifting, far from invading privacy (a computer is not a sentient being), keeps most private data from being read by any intelligence officer.

I expect we'll be hearing a lot about this piece as Justice Posner is not prone to ill-conceived or knee-jerk statements.

For some discussion and review, see Concurring Opinions: Judge Posner's Troubling Call for Massive Surveillance.


US FDIC releases information security guide for small entities under FACTA and GLB 

The US FDIC has just released a compliance guide to help small entities comply with the information security standards under Gramm-Leach-Bliley and the Fair and Accurate Credit Transactions Act. Here's the summary from the compliance guide:

Interagency Guidelines Establishing Information Security Standards: Small-Entity Compliance Guide:

This Small-Entity Compliance Guide is intended to help financial institutions comply with the Interagency Guidelines Establishing Information Security Standards (Security Guidelines). The guide summarizes the obligations of financial institutions to protect customer information and illustrates how certain provisions of the Security Guidelines apply to specific situations. The appendix lists resources that may be helpful in assessing risks and designing and implementing information security programs.

Although this guide was designed to help financial institutions identify and comply with the requirements of the Security Guidelines, it is not a substitute for the Security Guidelines. Moreover, this guide only addresses obligations of financial institutions under the Security Guidelines and does not address the applicability of any other federal or state laws or regulations that may pertain to policies or practices for protecting customer records and information.

For a good summary and some additional background, also check out the Privacy and Security Law Blog: Federal Bank and Thrift Regulatory Agencies Publish Guide to Help Financial Institutions Comply with Information Security Guidelines.


Tuesday, December 20, 2005

Manitoba opposition politicians introduce security breach notification bill 

The opposition Conservatives in Manitoba have introduced a bill in the provincial legislature that is intended to be substantially similar to PIPEDA and would be the first general application statute to provide for security breach notification. The CBC article on the bill (CBC Manitoba - Proposed law forces companies to report information leaks) quotes Brian Bowman, Manitoba's leading privacy lawyer, who himself has been a victim of identity theft.

The relevant sections of Bill 207 read:

The Personal Information Protection and Identity Theft Prevention Act:

"Notice if control of information lost

34(2) An organization must, as soon as reasonably practicable and in the prescribed manner, notify an individual if personal information about the individual that is in its custody or under its control is stolen, lost or accessed in an unauthorized manner.

Exception re law enforcement agency investigation

34(3) The requirement to notify an individual under subsection (2) does not apply where

(a) the organization is instructed to refrain from doing so by a law enforcement agency that is investigating the theft, loss or unauthorized accessing of the personal information; or

(b) the organization is satisfied that it is not reasonably possible for the personal information to be used unlawfully.

Right of action

34(4) An individual may commence an action in a court of competent jurisdiction against an organization for damages arising from its failure to

(a) protect personal information that is in its custody or under its control; or

(b) provide an individual notice under subsection (2), if it was not reasonable for the organization to have been satisfied that the personal information that was stolen, lost or accessed in an unauthorized manner would not be used unlawfully.

Other rights not affected

34(5) The right of action under this section is in addition to any other right of action or remedy available at law. But where the court deems it just, damages awarded in an action under this section may be taken into account in assessing damages in any other proceeding arising out of the failure of the organization to protect personal information in its custody or under its control.

Retention of information

35 Notwithstanding that a consent has been withdrawn or varied under section 9, an organization may for legal or business purposes retain personal information as long as is reasonable."


Privacy commissioner calls on Yukon gov't to act 

I think that Information and Privacy Commissioners in Canada are used to being ignored by the governments they keep tabs on. It is a bit of a thankless task. But the Yukon ombudsman is speaking out. CBC is reporting that Hank Moorlag is disappointed that, a year after he filed his 2004 report, the government has yet to respond to his recommendations. The ministers responsible for the various pieces of legislation say the recommendations are being addressed, including a review of the Access to Information law which is taking place behind closed doors. Mr. Moorlag is not too impressed. See CBC North - Privacy commissioner calls on Yukon gov't to act.


Data Privacy Issues to Persist Next Year 

On the data privacy front, the new year will bring more of the same, according to eWeek:

Data Privacy Issues to Persist Next Year:

"People may remember 2005 as the year that corporate America woke up to the problem of data breaches and the importance of data privacy. Data leaks at Bank of America Corp., LexisNexis' Seisint division, ChoicePoint Inc. and CardSystems Inc. fed headlines for months, spawned countless lawsuits on behalf of aggrieved consumers and provided the impetus for federal legislation--still pending--to protect consumer data. But what will 2006 bring?

More of the same, say leading security experts.

More than ever before, enterprise IT managers will have to fight a battle on two fronts next year. On one side, more sophisticated and targeted attacks from organized, online criminal groups will test networks in new ways that are hard to detect...."


Incident: Police supplier database hacked, credit card and other info compromised 

According to Security Fix - Brian Krebs on Computer and Internet Security, a supplier of nametags to law enforcement (Reeves) recently had its database hacked, and credit card numbers of customers are now circulating among IRC groups devoted to trading such info.


Monday, December 19, 2005

Thanks ... slaw.ca 

I have to offer Simon Chester a very public thank-you for the incredibly kind words he wrote about this blog in his recent posting to Slaw.ca and an article in the OBA magazine.

Slaw | Archive | My Take on Blogging - and Slaw:

"... When a young lawyer in Halifax started building his practice in a novel area, he noticed that there was no single place to track new developments in the Canadian law of privacy. Now the Canadian Privacy Law Blog has been running for two years, and David Fraser has become the leading privacy lawyer in Atlantic Canada, with a thriving practice and an enviable presence...."

Simon is an incredible gentleman whom I first met about a year or so ago, thanks entirely to my blog. Blogging as a lawyer has many benefits; primary among them is meeting some very interesting and well respected colleagues at the bar (and colleagues in the bar).


NYT notices CMA Journal controversy  

This morning's New York Times is covering the controversy over the Canadian Medical Association's attempt to pull an article on privacy in the CMA Journal. See: Journal Faults a Medical Group in a Dispute Over Independence - New York Times.

For other coverage, see The Canadian Privacy Law Blog: CMAJ charges editorial interference over privacy-related story.


Sunday, December 18, 2005

Borrow the wrong book and get it personally delivered by the feds 

One of the problems with widespread monitoring is the huge incidence of "false positives". This example from the University of Massachusetts is instructive and a bit chilling to those who have commented upon it.

A senior at UMass Dartmouth was doing a research paper on communism in a class on fascism and totalitarianism. As part of his research, he requested a copy of Chairman Mao's Little Red Book using the interlibrary loans system. (Why a major university library does not have its own copy of the book raises completely different questions.) Instead of the book, he received a visit from officials from the Department of Homeland Security. The agents told the student that the book is on a "watch list". Actually, the agents brought the book with them, but did not leave it with him.

Privacy advocates aren't generally pleased with any watching of what people read, but the chilling effect of this is significant. The professor who teaches the class has decided against teaching a planned class on terrorism because he does not want to put his students at risk of this sort of surveillance and profiling.

Read the coverage here: Agents' visit chills UMass Dartmouth senior: 12/17/2005, Student Gets Surprise From Mao's Book. Some comment here: Gardistan in Vision: Political censorship in Bush's USA, The Dark Wraith Forums: Special Report: Feds Question Student for Requesting Book of Mao Tse-Tung Quotations, Villa Beausoleil: Fascism comes to New Bedford, David Farrar: Book Monitoring.

UPDATE: There is speculation at Boing Boing that this story is a hoax. Boing Boing: DHS agents visit student over Little Red Book - HOAX DEBATE. As I hear more, I'll post here.

UPDATE 2: The Canadian Privacy Law Blog: Story about feds visiting after request for Mao book is a hoax.


Meth addicts' other habit: Online theft 

USA Today is running a lengthy article on the intersection between methamphetamine addiction and identity theft. The article, Meth addicts' other habit: Online theft, chronicles investigations that began in Edmonton and Calgary, Alberta and forcefully brought this connection to the attention of Canadian law enforcement.

Intersection of crimes

... What's happening in Edmonton is happening to one degree or another in communities across the USA and Canada — anywhere meth addicts are engaging in identity theft and can get on the Internet, say police, federal law enforcement officials and Internet security experts.

Internet Relay Chat channels, private areas on the Internet where real-time text messaging takes place, are rife with communications between organized cybercrime groups and meth users and traffickers discussing how they can assist each other. "It's big time," says San Diego-based security consultant Lance James, who monitors IRC channels.

Such collaboration seems almost preordained. "This hits at the intersection of two of the more complex law enforcement investigations: computer crimes and drug crimes," says Howard Schmidt, CEO of R&H Security Consulting and former White House cyber-security adviser.

Identity theft has fast become the crime of preference among meth users for three reasons: It is non-violent, criminal penalties for first-time offenders are light — usually a few days or weeks in jail — and the use of computers and the Internet offers crooks anonymity and speed with which to work. Meth is a cheap, highly addictive street derivative of amphetamine pills; it turns users into automatons willing to take on risky, street-level crime.

Meanwhile, global cybercrime groups control e-mail phishing attacks, keystroke-stealing Trojan horse programs and insider database thefts that swell the pool of stolen personal and financial information. They also have ready access to hijacked online-banking accounts. But converting assets in compromised accounts into cash is never easy. That's where the meth users come in.

Sophisticated meth theft rings, like the one in Edmonton, control local bank accounts — and underlings who are willing to extract ill-gotten funds from such accounts. The two men at the seedy motel were helping outside crime groups link up with local accounts under their control when a tipster guided police to them in December 2004....

The article is worth the read.


Theft of scanning equipment from Pittsburgh-area hospital compromises patient names, DOBs and SSNs 

I am not sure why a bone density scanner would contain the names, dates of birth and social security numbers of patients, but apparently it does. And when such a scanner is stolen, the bigger issue is the theft of that data:

Theft at hospital - PittsburghLIVE.com:

Patients who underwent bone density scans at Mercy Jeannette Hospital have been notified that personal information may be compromised due to a theft of scanning equipment.

According to a news release issued by the hospital, the theft took place during the week of Nov. 21. While the computer component used with the scanning equipment did not contain medical diagnoses or test results, it did contain patients' names, birth dates and Social Security numbers, according to the release.

Officials at the hospital were not available for comment Friday and provided the press release instead....


Incident: Tape containing records of 2 million mortgagors lost 

Another missing tape incident. No evidence of fraud, but notable nevertheless:

ABN AMRO data lost:

"Homeowners should monitor credit reports

December 17, 2005

If you have a home mortgage through LaSalle Bank or the former Standard Federal Bank, look out for a letter from your lender warning you about a missing computer tape -- a tape that includes your Social Security number and payment history.

Friday, ABN AMRO Mortgage Group, a subsidiary of LaSalle Bank Corp., announced that a computer tape containing data for about 2 million mortgage customers had been lost.

About 320,000 homeowners in Michigan would have been included on that tape.

The homeowners could have gotten an ABN AMRO mortgage through LaSalle Bank branches, the former Standard Federal Bank, outside mortgage brokers or ABN AMRO's own Mortgage.com.

Thomas M. Goldstein, chairman and chief executive officer of ABN AMRO Mortgage Group in Chicago, said the lender deeply regrets the mix-up but has seen no signs of identity theft or misuse of the information at this point...."

Update: The Canadian Privacy Law Blog: Update: Tape containing information on 2M mortgage customers found.


Meth users and identity theft go together like rats and garbage 

Evidence linking methamphetamine addiction and identity theft is getting more compelling all the time. The San Jose Mercury News is running an AP story on the connection between the two, particularly focusing on California.

AP Wire | 12/17/2005 | Meth users turning to identity theft to pay for their habit:

RIVERSIDE, Calif. - Stealing mail. Digging through trash. Days spent in front of a computer trying to unlock financial information.

All to score methamphetamine. Authorities are discovering that more and more desperate users of the drug are turning to identity theft to pay for their habit, creating a criminal nexus costing Americans millions of dollars.

The trend is sweeping the West and spreading to other parts of the country, with one hub of activity in the garages and trailer parks of Riverside and San Bernardino counties on the fringe of suburban Los Angeles.

The region was the site of a third of California's nearly 500 meth lab busts in 2004 and is home to the second-highest number of identity theft victims in the nation.

'It's been said the two crimes go together like rats and garbage,' said Jack Lucky, a Riverside County prosecutor who nearly became a victim of identity theft himself before his personal information was found at a meth lab. 'It's a pervasive problem,' he said...

Drug addiction and crime have always been linked as addicts are in need of quick cash to fuel their habits. Muggings and burglaries have generally had a strong connection with drug abuse. As addicts move to ID theft and similar forms of fraud, the amount of money they are able to get is greater and the risk of violence is much lower. Some might even say that this is a good thing.


ABC News asks: Why Do They Want My Phone Number? 

ABC News online considers the increasingly common practice of stores asking for consumers' phone numbers. Part of the answer to the question quoted above is to track customers. Phone numbers provide more detailed information than zip codes, which are also often asked for. Stores are able to take the phone number and "enhance" it with additional data gleaned from database providers. All the stores interviewed in the article will go ahead with the transactions if you refuse to provide the number, so the conclusion is to just say no. See: ABC News: Why Do They Want My Phone Number?.

While this is a very common practice in the US, it is much less so in Canada because of consumer-protecting privacy laws. Companies in Canada can ask for the info, but have to tell you why they want it and what they'll do with it.


Friday, December 16, 2005

Every Move You Make, Part Three: Why Law Enforcement Should Have to Get a Warrant Before Tracking Us Via our Cell Phones 

Check out Anita Ramasastry's latest Cyberlaw column at Findlaw. Good reading:

FindLaw's Modern Practice - Every Move You Make, Part Three: Why Law Enforcement Should Have to Get a Warrant Before Tracking Us Via our Cell Phones:

We have a reasonable expectation of privacy with respect to our movements, as we go about our daily business. Though sometimes we may be seen by passersby and by security cameras, at other times we will not be; and sometimes, we will be in the privacy of our own homes or offices when we carry our cell phones. Our expectation of privacy should be honored, as the Texas and New York courts held.

But other courts in other jurisdictions have held otherwise. For that reason, Congress should now step in and ensure, by statute, that the warrant requirement applies under these circumstances.

The balance of privacy and security is a delicate one - and the warrant requirement is an appropriate check on law enforcement's ability to track, via cell phone data, every move we make....

Thanks to Sabrina Pacifici's beSpacific for the link: beSpacific: Commentary on Privacy and Cell Phone Tracking.


Thursday, December 15, 2005

'Tis the season for returns 

Chris Hoofnagle at EPIC West is today discussing the use of drivers' license swiping and returns tracking database Verify-1. The database tracks your returns and categorizes customers based on whether they "abuse" returns. He raises an interesting point about the database and how it may fit in American consumer reporting laws:

EPIC West: Electronic Privacy Information Center West Coast Office: Return Exchange Database Tracking:

... The Return Exchange database skates right on the edge of the Fair Credit Reporting Act's definition for a consumer reporting database. If Return Exchange is sharing data on consumers across retailers (not just across chains within a certain retailer), the data it issues will be a 'consumer report,' and all sorts of rights will kick in to protect shoppers. Until then, a big black box system will have your driver's license data and make decisions about you with no transparency. ...

The same conclusion may apply with respect to similar provincial laws in Canada.


OPC and Ontario pharmacists release new guidelines on dispensing Plan B emergency contraception 

This just came over the wires ...

New Privacy-Protective Guidelines for the Provision of 'Plan B' Emergency Contraception by Pharmacists in Ontario:

TORONTO, Dec. 15 /CNW/ - New guidelines for pharmacists have been issued in record time through a highly successful collaboration between the Ontario College of Pharmacists, the Ontario Pharmacists' Association and the Information and Privacy Commissioner of Ontario.

Dr. Ann Cavoukian, Ontario's Information and Privacy Commissioner, stated, "Within a short week of voicing my concerns, I am delighted to say that our joint working group has successfully collaborated and reached an agreement on made-in-Ontario guidelines for pharmacists providing Plan B."

These guidelines follow the issuance of the College's December 8, 2005 notice advising pharmacists not to use the "Screening Form for Emergency Contraceptive Pills (ECPs)," developed by the Canadian Pharmacists Association, which recommended the collection of detailed personal information.

Ontario's new guidelines (available at www.ocpinfo.com) emphasize that pharmacists should continue to seek information from the patient only as necessary to clarify the appropriateness of providing Plan B, keeping in mind the need to respect the individual's right to remain anonymous and to decline responding to personally sensitive questions.

"I was assured by the College that pharmacists do not routinely collect personally identifiable information with regard to the provision of Schedule II products," said the Commissioner. Personally identifiable information should not be recorded except when requested by the patient for reimbursement purposes or in those rare instances where it is deemed important for continuity of care of the patient.

Under the Personal Health Information Protection Act (PHIPA), which was enacted last year to protect the health information of Ontarians, health information custodians must minimize their collections of personal health information and must not collect identifiable information if other information will serve the same purpose.

The Information and Privacy Commissioner is appointed by and reports to the Ontario Legislative Assembly, and is an independent officer of the Legislature. The Commissioner's mandate includes overseeing the access and privacy provisions of the Freedom of Information and Protection of Privacy Act, the Municipal Freedom of Information and Protection of Privacy Act, and the Personal Health Information Protection Act, and commenting on other access and privacy issues.


December 15, 2005

Notice to Pharmacists

Re: Ontario Guidelines for Provision of Plan B (Schedule II)

Following the issuance of an Ontario College of Pharmacists Notice to Pharmacists last week concerning a specific form being used in some cases when the Schedule II product, Plan B, was requested, a working group was formed, consisting of staff from the College, the Ontario Pharmacists Association, and the Office of the Information and Privacy Commissioner of Ontario.

The goal of the group was to develop and agree on guidelines which could be used by pharmacists in Ontario to ensure that their ongoing practice with respect to the sale of this product meets all applicable legislation, including Standards of Practice. The attached document will serve to clarify the expectations of the College that pharmacists will continue to serve their patients well by providing appropriate information and counselling and to add value to the sale of Plan B as they would for any Schedule II product.

It is suggested that existing tools and practice be examined at this time to ensure compliance with these guidelines.

Yours truly,

(signed)

Anne Resnick, R.Ph., B.Sc.Phm

Associate Director, Professional Practice Programs

Attachment


Ontario College of Pharmacists - December 15, 2005

Ontario Guidelines for Provision of Plan B (Schedule II)

Pharmacists are health care professionals whose practice is guided by the Code of Ethics and Standards of Practice established by their regulatory body, the Ontario College of Pharmacists (OCP). Pharmacists practice in accordance with all applicable legislation and regulations including Ontario's privacy legislation, the Personal Health Information Protection Act, 2004 (PHIPA). These guidelines are the result of the joint efforts of the OCP, the Office of the Information and Privacy Commissioner of Ontario (IPC), and the Ontario Pharmacists' Association (OPA). These guidelines follow the issuance of OCP's December 8, 2005 notice which advised pharmacists not to use the "Screening Form for Emergency Contraceptive Pills (ECPs)," developed by the Canadian Pharmacists Association (CPhA).

As there are already educational resources available to pharmacists for Plan B, these guidelines will not duplicate those efforts, but will outline the appropriate application of OCP's Standards of Practice and Code of Ethics and PHIPA in the context of providing Plan B.

The IPC recognizes the important health care services pharmacists provide. The IPC's mandate is to ensure that personal health information is collected, used and disclosed in the most privacy protective manner possible. Specifically, under PHIPA, health information custodians shall not collect, use or disclose personal health information if other information will serve the purpose. Moreover, PHIPA restricts the collection, use and disclosure of personal health information to that which is reasonably necessary to meet the purpose of providing health care. OCP's Code of Ethics and Standards of Practice provide the framework for pharmacists' practice. Many components of the Code of Ethics and Standards of Practice protect patient privacy and reinforce the Ontario health privacy legislation, PHIPA.

For the provision of Plan B, as with any other Schedule II product, the pharmacist must always be involved in the decision to provide the medication. As with other medications, prior to its sale, the pharmacist has a professional responsibility to be assured of the appropriateness of the drug for the individual.

Pharmacists should continue to seek information from the patient only as necessary to clarify the appropriateness of providing Plan B, keeping in mind the need to respect the individual's right to remain anonymous and to decline responding to personally sensitive questions. As with all Schedule II products, if a pharmacist makes a decision not to sell Plan B, reasons should be communicated to the patient.

Pharmacists do not routinely collect personally identifiable information as it relates to the provision of Schedule II products. In the case of Plan B, personally identifiable information should not be recorded except when requested by the patient for reimbursement purposes or in those rare instances where it is deemed important for continuity of care of the patient.

For some background, see


EU Data Retention law passed 

This news is a little late, but the European Parliament has passed the data retention directive that has been the subject of some debate.

For more info, see:


Federal Court on biometric voice authentication: Turner v. Telus Communications Inc. 

The Federal Court has recently released its decision in the application made by certain employees of Telus Communications, complaining about the use of voice recognition technology for some of its internal management systems. (For more info, see my post on the original complaint: The Canadian Privacy Law Blog: PIPEDA Case Summary #281: Organization uses biometrics for authentication purposes.)

A group of employees refused to consent to the use of the technology and were threatened by Telus with "progressive discipline". The applicants (including the union) sought an order preventing the use of this system and for unspecified damages. Justice Gibson of the Federal Court dismissed the application.

The judge concluded:

  • the use of biometric voice authentication in these circumstances is reasonable;
  • the threat of progressive discipline is not withholding goods or services contrary to principle 4.3.3;
  • the categories of consent exceptions ("except where inappropriate") may not be a closed list set out in Section 7; and
  • an employer can implement progressive discipline for those who do not consent to collections, uses and disclosures of their information that are reasonable.

The judge also declined to order costs against the union or the individual applicants.

Below is a condensed version of the conclusion reached by Justice Gibson:

Turner v. Telus Communications Inc., 2005 FC 1601 (CanLII):

[52] On the facts of this matter, Telus sought to obtain voice prints from a substantial number of its employees and the vast majority of that number consented. Those who did not consent knew that Telus wished to obtain their consent. They continued to refuse to consent so that their consent could not be obtained in "...a timely way". They exercised their right to complain to the Commissioner. They received a report from the Commissioner which concluded that Telus' wish to obtain their consent was reasonable. The non-consenting employees exercised their right to come to this Court for a de novo review of the situation. Assuming that they will be unsuccessful in this Court, and they will be, it would not be in the interests of justice that a stalemate result.

[53] I am satisfied that this is one of the circumstances to which paragraph 7(1)(a) of PIPEDA is directed. While that paragraph will not enable Telus to proceed with full and complete implementation of e.Speak and to force employee enrollment, it will, I am satisfied, enable Telus to continue with the implementation of e.Speak at its current level and, if persons such as the Individual Applicants continue to withhold their consent, it will entitle Telus to proceed with "progressive discipline" in relation to all or any of them that is reasonable in all the circumstances.

[54] By contrast, I am satisfied that paragraph 7(1)(d) of PIPEDA is of no assistance to Telus in the current circumstances. While it is arguable that voice characteristics are "publicly available", that form of personal information is not specified by any regulations made under the authority of PIPEDA.

[55] If I am determined to be wrong in my analysis regarding the scope of paragraph 7(1)(a) of PIPEDA, there remains, I am satisfied, an alternative solution to the impasse that I perceive might flow from an absolute requirement to obtain consent from each and every individual affected. My analysis in that regard follows.

[56] It was not in dispute before the Court that three (3) of the Individual Applicants have never consented to take part in the Nuance Verifier enrollment process. While the fourth Individual Applicant did consent and did take part, he withdrew his consent as he was entitled to do under Principle 4.3.8.

[57] Counsel for the Individual Applicants urges that consent to disclosure of biometric personal information is a term or condition of employment and that, as such, given the collective agreement in force between Telus and TWU representing certain of its employees, including the Individual Applicants, even if the Individual Applicants had consented, that consent is of no force or effect since "...terms and conditions of employment must be negotiated with The Telecommunications Workers Union and that had not taken place in respect of the disclosures for which consent is sought in the context of this proceeding."

[58] Counsel for Telus urges that consent to the disclosure of the personal information here at issue is simply not a term or condition of employment and that therefore Telus' efforts to obtain consent directly from the Individual Applicants was entirely appropriate and TWU had no role to play regarding the consents.

[59] I accept the position urged on behalf of Telus in this regard. That being said, in circumstances where it is a matter of public knowledge that was clear to the Court, that the relationship between Telus and TWU on behalf of a significant number of Telus' employees was, at all relevant times, less than cordial, it was at least surprising and, perhaps more appropriately, astonishing, that Telus had apparently not engaged TWU in the process of attempting to achieve consents to the implementation of e.Speak.

[60] It was not in dispute before the Court that, while the three Individual Applicants had not consented to provide voice samples, and the fourth withdrew his consent, by far the vast majority of their colleagues at Telus in respect of whom Telus sought to implement e.Speak had consented and had provided voice samples for the purposes of Nuance Verifier. It was also not in dispute that one individual who had volunteered to provide a voice sample was incapable, for medical reasons, of fulfilling the appropriate requirements. In her case, special arrangements had been made to accommodate her situation. Finally, it was also not in dispute that, although Telus had "threatened", "progressive discipline" for those from whom it sought enrollment and who refused to consent to enrollment, no such discipline had been imposed and there was no evidence before the Court that such discipline would reach the level of dismissal, thus making the discipline imposed effectively reach to the level of a term or condition of employment.

[61] I am satisfied on the evidence before the Court that Telus was somewhat high handed in its efforts to achieve consent to enrollment and had been, since the commencement of the enrollment process, something less than forthcoming as to what it meant by "progressive discipline". That being said, I am satisfied that Telus was reasonably forthcoming in other respects in its consultations with its employees that it sought to enroll, that it was reasonably patient in that process and that, generally speaking, it neither bullied nor harassed its employees towards enrollment.

[62] The issue then reduces itself to the question: "What are the implications where Telus fails to achieve consent from a small minority of affected employees, such as the Individual Applicants, to enrollment in the e.Speak programme, where implementation of "progressive discipline" for failure to consent is not only implied but expressed, and where there is absolutely no evidence before the Court that Telus will escalate such "progressive discipline" to the point of termination, thus effectively making consent a term or condition of employment?"

[63] I am satisfied that the foregoing question remains an issue for another day. Telus has, to a very large extent, implemented e.Speak. A very small minority, perhaps only the Individual Applicants, but perhaps also others, remain principled hold-outs. There is no basis on which to conclude that "progressive discipline" that might be implemented against hold-outs will reach the level of termination. To this point, I adopt the urgings of counsel for Telus that Telus has simply engaged, in what it considers to be the best interests of its business and, thus, arguably of its employees, including the Individual Applicants, in the exercise of its residual management rights. I cannot conclude that the obligation on the part of Telus to obtain consent to the implementation of the e.Speak system, in respect of the Individual Applicants, precludes Telus from implementing that system in respect of the vast majority of its employees to which it wishes to make the e.Speak system applicable.

[64] Counsel for the Individual Applicants cites Principle 4.3.3 against the conclusion I have reached in this regard. That principle, reproduced in the Schedule to these reasons, is reproduced here for ease of reference:

An organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes.

With great respect, I am not satisfied that Telus' efforts to achieve the consent of the Individual Applicants to participate in the e.Speak system is being sought as "...a condition of the supply of a product or service,...". In the result, while my conclusion in this regard does not affect the result herein, I am not satisfied that the Individual Applicants are entitled to rely on Principle 4.3.3 in respect of this matter.

[65] The foregoing being said, quite apart from my analysis regarding the interpretation of paragraph 7(1)(a), of PIPEDA, I nonetheless conclude that Telus has fulfilled its consent obligations under PIPEDA in respect of the implementation of e.Speak. In introducing e.Speak applicable only to those who consented to enrollment, Telus acted within its residual management rights. The impact of "progressive discipline" against the small minority who have withheld their consent, as they are entitled to do, is for another day and for another forum.

d) Additional issues raised on behalf of the Commissioner

[66] As earlier indicated in these reasons, counsel for the Commissioner raised issues including the appropriate weight to be given to the factors taken into consideration by the Commissioner in her Report leading to this proceeding, whether this Court should apply the legal analytical framework and factors considered by the Commissioner in balancing the interests of the parties as required by subsection 5(3) of PIPEDA, the role of TWU in the process of seeking consent from the Individual Applicants and the appropriate principles in assessing whether the Individual Applicants consented to the collection and use of their personal information.

[67] To some extent, these issues have been addressed, directly or indirectly, in the foregoing analysis. To the extent that they have not been so addressed, I am reluctant to respond to them because they indirectly invite the Court to answer questions that would only be appropriate if this matter were in the nature of judicial review. Where the foregoing issues have not been addressed, the Court's response is that it must be guided by jurisprudence from the Federal Court of Appeal and where no such guidance exists, by guidance provided by other decisions of this Court in an appropriate context and, further, where that guidance is also lacking, the Court must act in accordance with what it, itself, considers to be required by PIPEDA. Put another way, and more briefly, it is not for the Commissioner, however knowledgeable and informed she or he might be with respect to the issues here coming before the Court, to set the agenda of this Court where hearings such as this are in the nature of de novo proceedings.

[68] In the result, I decline to address the issues raised on behalf of the Commissioner, to the extent that they have not already been addressed in these reasons.

CONCLUSION

[69] These applications will be dismissed. As earlier indicated, orders will go striking out The Telecommunications Workers Union as a party Applicant in each proceeding."

Wednesday, December 14, 2005

PHIPA declared substantially similar 

Thanks to a regular correspondent for pointing this out ...

The Personal Health Information Protection Act of Ontario has been declared to be substantially similar to PIPEDA:

Canada Gazette:

Health Information Custodians in the Province of Ontario Exemption Order

P.C. 2005-2224 November 28, 2005

Whereas the Governor in Council is satisfied that the Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Schedule A, of the Province of Ontario, which is substantially similar to Part 1 of the Personal Information Protection and Electronic Documents Act (see footnote a), applies to the health information custodians referred to in the annexed Order;

Therefore, Her Excellency the Governor General in Council, on the recommendation of the Minister of Industry, pursuant to paragraph 26(2)(b) of the Personal Information Protection and Electronic Documents Act (see footnote b), hereby makes the annexed Health Information Custodians in the Province of Ontario Exemption Order.

HEALTH INFORMATION CUSTODIANS IN THE PROVINCE OF ONTARIO EXEMPTION ORDER

EXEMPTION

1. Any health information custodian to which the Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Schedule A, applies is exempt from the application of Part 1 of the Personal Information Protection and Electronic Documents Act in respect of the collection, use and disclosure of personal information that occurs within the Province of Ontario.

COMING INTO FORCE

2. This Order comes into force on the day on which it is registered.

The year in review in data security 

CNET News is running a retrospective of their major privacy/security articles from the last year. What a year it has been: Year in review: Insecurity over ID theft | CNET News.com.

Churches and the federal privacy law 

Focus on the Family is running the following article in their "Today's Family News":

Churches fear breaching privacy laws

December 14, 2005

Recent privacy legislation is causing some churches to fear they could be breaking the law simply by circulating the addresses of members, praying aloud for people by name, and – at least in Ontario – making hospital visits, the Ottawa Citizen reported.

At the heart of their concern, which some think is exaggerated, is the Personal Information Protection and Electronic Documents Act, which Parliament passed in January 2004. It primarily affects businesses and would only apply to churches that sold their parish or membership lists or charged for their services.

Even so, it has prompted some pastors to question whether even making public the names and addresses of the people in their congregations might be deemed illegal under the Act.

One church in Halifax, for example, removed a “prayer board” in its foyer listing the names of people in hospital. Others have adopted privacy policies and some have even appointed privacy officers to oversee the correct handling of information.

For clergy in Ontario, the province’s year-old Personal Health Information Protection Act has made it more difficult for them to visit hospital patients, even if they belong to the same denomination.

Patients when being admitted have the option of indicating their faith background, which James Christie, dean of the faculty of theology at the University of Winnipeg, says clergy have assumed indicated they would welcome “some sort of pastoral presence.” But now, as he told the Citizen, “that graciousness is gone.”

But London, Ontario, lawyer Janet Allinson, a specialist in privacy law, believes many churches “are misunderstanding the legislation altogether. I get quite a few calls from people very concerned, they are so afraid of the Privacy Act.”

"I think it's important that they don't lose the spirit and treat it like a business," added Allinson.

The impact of the federal private sector privacy law has been very misunderstood by churches and other non-profits.

The Personal Information Protection and Electronic Documents Act, or PIPEDA as it is commonly known, applies to the collection, use and disclosure of personal information in the course of commercial activities, except in those provinces that have enacted substantially similar legislation. Ontario has not enacted legislation that is substantially similar to PIPEDA (other than the Personal Health Information Protection Act which may hinder the abilities of health information custodians to share information with visiting clergy, but does not regulate churches directly). In short, PIPEDA applies to personal information that is handled in connection with commercial activities, other than in Alberta, BC and Quebec.

The reason for the commercial activity connection is that the Federal Government is relying upon its constitutional jurisdiction over general trade and commerce in Canada to implement PIPEDA. It can use this power to regulate commerce generally, but is not able to regulate the non-profit sector using this power except to the extent that the non-profit organization actually is engaged in commercial activity. There are some activities that a non-profit can engage in that are deemed commercial activities and some activities can be sufficiently commercial to invoke PIPEDA. The deemed activities are generally limited to certain kinds of dealing with membership and donor lists. If a church exchanges, sells, trades or leases its membership list, that is a deemed commercial activity and PIPEDA applies (including requiring consent for the transfer). The key is an exchange of value. If a list is freely given with no expectation of any value in return, there is no commercial activity and PIPEDA is not triggered. Also, if a church veers away from its core not-for-profit objectives, it can be seen to be engaged in commercial activity. Charging admission to a benefit concert for the church is not commercial activity. Operating a business within the church may be commercial. Church fund-raising is not a commercial activity, nor is praying out loud or listing members in a directory.

This does not mean that a church or a non-profit shouldn't follow fair information practices. This is not because it is required by PIPEDA or any other law, but rather because it is just the right thing to do. Churches are entrusted with sensitive personal information. Having a privacy policy that is reasonable and consistently followed sends a positive message to the members of the congregation who are more privacy aware.

Korea Solves the Identity Theft Problem 

Rob Hyndman is pointing to Schneier on Security: Korea Solves the Identity Theft Problem. Apparently, Korea is about to pass a law placing full responsibility for losses on the banks for identity theft and online financial fraud, even if the bank is only partially responsible. This will provide the incentive to put in place fraud-blocking measures.

The next questions are: (i) will it work? and (ii) will it only be a Korean phenomenon?

US court upholds random subway bag searches 

A US Federal Judge has upheld as constitutional the practice of random bag searches in the New York subways: Judge upholds random subway bag searches.

Discussion of Canadian Plan B and privacy issues in the BMJ 

The British Medical Journal has an article on the current controversy in Canada over the collection of personal information in connection with dispensing the morning after pill, aka Plan B: Advice to pharmacists on dispensing contraception an "invasion of privacy" -- Spurgeon 331 (7529): 1360 -- BMJ.

There is also a letter to the editor in the December 9 edition that raises one of the most significant issues for pharmacists, namely the role of pharmacists in the dispensing of such drugs:

bmj.com Rapid Responses for Spurgeon, 331 (7529) 1360:

Spurgeon's news(1) seems to fall into a recurrent BMJ bias: forgetting the clinical role of the pharmacist. The text seems to state that pharmacists gathering relevant clinical information are invading patient privacy. This leads to a dichotomy: Is a physician invading patient privacy when gathering patient clinical information? Or, do pharmacists invade patient privacy because they should not act clinically?

Obviously, there is no doubt to the first question. Assessing clinical situations requires some information about patient health status, but also about patient life style. So, a healthcare professional needs information to make a decision, and sometimes this information can be considered as private. Thus, confidentiality is expected.

But, what about the second question? Is this the never-ending story? When are we going to shoot(2) the pharmacist? How big should be the evidence of the benefits of the clinical role of pharmacist working together with the other healthcare professionals?

And the most important question, why do not give the right to choice to the patient? If patients want to give that private information to their pharmacists, why should another healthcare professional disagree?

Internet Geeky hackers replaced by for-profit criminals 

From Canoe's CNEWS:

CANOE -- CNEWS - Tech News: Internet Geeky hackers replaced by for-profit criminals:

Experts in combating cyber threats say they’ve seen a fundamental change in the past year, from the kinds of hacker attacks aimed at bringing down networks to targeted probes by criminals after money.

“I think that probably the overarching theme we’re looking at is that crime for profit motivation has really found the Internet,” says Vincent Weafer, Los Angeles-based senior director of development for Symantec Security Response, which markets the Norton suite of computer security products.

It’s enough to produce nostalgia for the days of basement-dwelling geeks who simply wanted to erase your hard drive for fun.

Today, says Weafer, full-blown thieves lurk in cyberspace armed with tools capable of sucking confidential information out of unprotected computers. They can also turn them into zombies and rent them to organized crime for a few hundred dollars as part of a so-called “bot nets” used to flood the web with dubious spam.

Princeton students protest network configuration that discloses their identities 

A group of students at Princeton University has put together a petition, urging the administration to change how their network is configured. The addresses of computers on the DormNet network disclose the userid of the user, in this form: netid.student.princeton.edu. Every website they visit and every ad provider thus knows the identity of the visitor. See their petition: Princeton Dormnet Exposes Student Identities.

Via The Daily Princetonian - Students lobby for Internet privacy and SpywareInfo >> Students lobby for Internet privacy.
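
A network operator can check for the naming pattern described above by auditing reverse-DNS (PTR) records against the user directory. The sketch below is an added example, not Princeton's configuration or the petition's proposal: the PTR records, user IDs, key and the keyed-hash replacement label are all constructed or hypothetical.

```python
import hashlib
import hmac

ZONE = "student.princeton.edu"  # naming pattern quoted in the post

# Constructed sample data: documentation-range IPs and made-up user IDs.
SAMPLE_PTR = {
    "192.0.2.10": "jqstudent.student.princeton.edu.",
    "192.0.2.11": "printer-3.student.princeton.edu.",
    "192.0.2.12": "www.example.org.",
}
SAMPLE_IDS = {"jqstudent", "amlee"}   # lower-case directory IDs
SAMPLE_KEY = b"constructed-demo-key"  # a real key would be random and secret


def exposed_user_id(ptr_name, directory_ids):
    """Return the user ID a reverse-DNS name gives away, or None."""
    name = ptr_name.rstrip(".").lower()
    suffix = "." + ZONE
    if not name.endswith(suffix):
        return None
    label = name[: -len(suffix)]
    return label if label in directory_ids else None


def opaque_label(user_id, key, period):
    """Hypothetical replacement label: keyed hash of period and user ID.

    Whoever holds the key can recompute the mapping for abuse handling;
    outsiders see no name. A label that stays fixed for a whole period
    still lets sites link visits within that period, so shorter periods
    (per DHCP lease, for instance) reduce linkability further.
    """
    msg = f"{period}|{user_id.lower()}".encode()
    return "h-" + hmac.new(key, msg, hashlib.sha256).hexdigest()[:12]


def audit(ptr_records, directory_ids, key, period):
    """List (ip, exposed user ID, suggested opaque hostname) per finding."""
    findings = []
    for ip, ptr in sorted(ptr_records.items()):
        uid = exposed_user_id(ptr, directory_ids)
        if uid is not None:
            suggestion = f"{opaque_label(uid, key, period)}.{ZONE}"
            findings.append((ip, uid, suggestion))
    return findings


if __name__ == "__main__":
    for row in audit(SAMPLE_PTR, SAMPLE_IDS, SAMPLE_KEY, "2005-12"):
        print(row)
```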

Tuesday, December 13, 2005

Incident: ID fraudsters target job centre staff using UK tax credit website 

From the Register:

ID fraudsters target job centre staff | The Register:

Crooks may have defrauded the UK tax credit system out of millions after exploiting a lack of safeguards in an internet site designed to service claimants.

HM Revenue & Customs shut down its tax credit portal website at the start of December after uncovering an attempt to defraud the system using the identities of Department of Work and Pensions (DWP) staff.

Initially it was thought that up to 1,500 job centre workers might have had personal information stolen. Now it is feared that up to 13,000 job centre staff might have been exposed to attack, with some reporting fraudulent claims made in their name. Fraudsters are reckoned to have secured the National Insurance numbers, names and dates of birth of thousands of job centre staff working in London, Glasgow, Lancashire and Pembrokeshire.

The information obtained was enough to make fraudulent tax credit claims redirected upon false addresses and accounts controlled by crooks. False claims of up to £1,000 a year appear to have been siphoned into fraudsters' bank accounts, PCS spokesman Alex Flynn told The Independent. 'Some people have had shadow bank accounts set up and their money diverted to that account. Other people have had their accounts hijacked,' he said....

We are experiencing technical difficulties. Please stand by. 

Or at least that's what I would have said if I had been able to actually post anything to my blog since Monday morning. My service provider moved their data centre, which caused dodgy connections and then a complete inability to update the site. I am told we are back to normal. I reserve judgement.

Monday, December 12, 2005

Incident: Security breach at Sam's Club exposes credit card data 

From Computerworld:

Security breach at Sam's Club exposes credit card data - Computerworld

DECEMBER 12, 2005 (COMPUTERWORLD) - Sam's Club, a division of Wal-Mart Stores Inc., is investigating a security breach that has exposed credit card data belonging to an unspecified number of customers who purchased gas at the wholesaler's stations between Sept 21 and Oct. 2. In a brief statement released Dec. 2, the Bentonville, Ark.-based company said it was alerted to the problem by credit card issuers who reported that customers were complaining of fraudulent charges on their statements.

It's still not clear how the data was obtained, according to the statement. But "electronic systems and databases used inside its stores and for Samsclub.com are not involved," the company said.

Sam's Club is currently working with both Visa International Inc. and MasterCard International Inc. to investigate the breach. The company also has notified the U.S. Attorney's Office for the Western District of Arkansas and the U.S. Secret Service.

Sam's Club officials didn't respond to calls for comment.

In a statement, Visa said it has alerted all of the affected financial institutions, asked them to provide independent fraud-monitoring services to affected customers and requested that they issue new cards as needed.

Incident: hackers nab details of 2000 donors from UK online charity 

Out-law.com, via the Register, is reporting that hackers recently breached the website of a UK charity, Aid to the Church in Need, and swiped personal information of about 2,000 donors. Some donors have been contacted by the thieves. See: Hackers target Christian charity | The Register.

CMAJ charges editorial interference over privacy-related story 

The Canadian Medical Association Journal, a well-respected medical journal, has accused its parent, the Canadian Medical Association, of censorship as part of the fallout over recent privacy issues surrounding the dispensing of Plan B, also known as the "morning after pill". The Journal has accused the CMA of trying to pressure the journal to not publish its article on the dispensing of Plan B that highlighted questions to be asked of patients (Privacy issues raised over Plan B: women asked for names, addresses, sexual history -- Eggertson and Sibbald 173 (12): 1435 -- Canadian Medical Association Journal.) The CMAJ has released an editorial on the issue and highlights the recent experience with the article in question (The editorial autonomy of the CMAJ). (See the CPhA Patient Screening Form.)

For more coverage, see: Medical journal charges medical association with editorial interference - Yahoo! News; The Globe and Mail: Furor erupts at medical journal. Also, check out the CPhA Patient Screening Form.

Credit Card Security: Where Are We Now? 

E-Commerce Times is running a three-part series of articles, the first of which is E-Commerce News: E-Commerce: Credit Card Security: Where Are We Now?. It discusses what credit card companies are doing in the wake of the high profile breaches in the past year or so.

Sunday, December 11, 2005

Greater risk of fraud if personal data is stolen in smaller batches 

According to Finance Tech, a recent study suggests that individuals are at greater risk of identity theft and other fraud if their personal information is compromised in smaller batches. Much of the focus of media attention has been on large breaches, but fraudsters would have to work overtime for years to exploit all that data. See: Small Data Breaches Pose Big Identity Theft Risks.

Cardsystems acquisition closes 

The acquisition of Cardsystems by Pay by Touch announced in October (The Canadian Privacy Law Blog: Another suitor for CardSystems) has been concluded, according to a release issued on Friday: Pay By Touch Completes Acquisition of CardSystems Solutions: Financial News - Yahoo! Finance.

For those who may have forgotten, Cardsystems was involved in a high-profile data breach earlier this year: The Canadian Privacy Law Blog: Incident: Security Breach at CardSystems Solutions Inc. Could Expose 40M to Fraud.

Canadian draft guidelines to shield personal information from the USA Patriot Act 

The Canadian Press just released a story about new draft guidelines for Canadian federal government departments designed to (at least try to) shield information about Canadians from the reach of the USA Patriot Act. The guidelines remain in draft form as the election has intervened to prevent them from being tabled in Parliament this fall and more internal consultations are taking place.

Canada drafts proposals to shield personal data from U.S. anti-terror law - Yahoo! News

... The draft guidance document suggests, in the interest of upholding Canadian privacy laws, that federal databases of sensitive personal information created by contractors be located in Canada and be accessible only within the country.

However, it recognizes international trade obligations may make this impossible. In such cases, the government suggests contractors must agree to respect Canadian privacy laws as a condition of contract.

The guidelines say that if the privacy risk is considered high, a federal department might go so far as to cut off the flow of personal information to a foreign firm should it be "presented with an order" - such as an FBI notice - compelling release of data about Canadians.

In general, the guidelines encourage departments to assess each potential contract case-by-case to gauge the possibility of privacy invasion, the expectations of Canadians, and likelihood of injury to a person's "career, reputation, financial position, safety, health or well-being."

Treasury Board spokesman Robert Makichuk said the draft guidelines were undergoing revision following internal federal consultations....

Saturday, December 10, 2005

The fight over mobile phone-derived location information 

Today's New York Times has a good and thorough piece on the fight over location information from mobile phones and other unwired devices:

Live Tracking of Mobile Phones Prompts Court Fights on Privacy - New York Times:

In recent years, law enforcement officials have turned to cellular technology as a tool for easily and secretly monitoring the movements of suspects as they occur. But this kind of surveillance - which investigators have been able to conduct with easily obtained court orders - has now come under tougher legal scrutiny.

In the last four months, three federal judges have denied prosecutors the right to get cellphone tracking information from wireless companies without first showing 'probable cause' to believe that a crime has been or is being committed. That is the same standard applied to requests for search warrants.

The rulings, issued by magistrate judges in New York, Texas and Maryland, underscore the growing debate over privacy rights and government surveillance in the digital age.

With mobile phones becoming as prevalent as conventional phones (there are 195 million cellular subscribers in this country), wireless companies are starting to exploit the phones' tracking abilities. For example, companies are marketing services that turn phones into even more precise global positioning devices for driving or allowing parents to track the whereabouts of their children through the handsets.

Not surprisingly, law enforcement agencies want to exploit this technology, too - which means more courts are bound to wrestle with what legal standard applies when government agents ask to conduct such surveillance....

Poorly designed online interfaces make identity theft simple 

Risks Digest is a good source of information on all sorts of risks -- including privacy risks. Recently, Marty Lyons posted the following about a particular experience he had renewing his AAA membership.

The Risks Digest Volume 24: Issue 11:

"I recently had to renew my membership with the American Automobile Association (the equivalent to the CAA in Canada, or the RAC in the UK). In the past there was no web interface, but AAA has now moved online. To sign up for an account, I needed to supply a membership number (printed on your plastic member card), and my name (also printed on the card), along with an email address, and a chosen account name. A few seconds later, I was logged in, and was able to check my account info, including mailing address, and type of credit card used for membership.

There was no verification of identity at all during account establishment. At a minimum, mandating that a user-entered postal code match the AAA database prior to creating the account would have afforded some protection.

So with a AAA member number and name, someone is well on their way to identity theft -- the rest of your wallet not required. Since many places take AAA cards to provide discounted services (hotels, car repair, restaurants, movie theatres, etc.) you can imagine the RISK. I've sent a letter to the organization letting them know their web registration needs to be redesigned."

I am not sure someone can steal your identity using your AAA membership, but interfaces like this attached to something more sensitive may lead to big problems.
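
The difference between the sign-up flow described in the Risks Digest post and the postal-code check it suggests can be shown side by side. The following is an added example, not AAA's code or anything from the post: the member record, the attempt limit and all names are constructed for illustration.

```python
import hmac
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 3  # assumption: small budget, a postal code is guessable


@dataclass
class Member:
    number: str       # printed on the card
    name: str         # printed on the card
    postal_code: str  # on file with the club, not printed on the card


def sample_members():
    """Constructed records; no value here is real."""
    return [Member("4290001234567890", "PAT EXAMPLE", "B3J 2X2")]


def _norm(value):
    """Ignore case and spacing so 'b3j2x2' matches 'B3J 2X2'."""
    return "".join(value.split()).upper()


def _same(a, b):
    """Constant-time comparison of two normalized strings."""
    return hmac.compare_digest(_norm(a).encode(), _norm(b).encode())


class Registry:
    def __init__(self, members):
        self.members = {m.number: m for m in members}
        self.accounts = {}  # membership number -> chosen account name
        self.failed = {}    # membership number -> failed verification count

    def register_card_only(self, number, name, username):
        """The flow the post describes: data printed on the card is enough."""
        member = self.members.get(number)
        if member is None or not _same(member.name, name):
            return "rejected"
        self.accounts[number] = username
        return "created"

    def register_verified(self, number, name, postal_code, username):
        """Same flow plus the post's suggested postal-code match."""
        if self.failed.get(number, 0) >= MAX_FAILED_ATTEMPTS:
            return "locked"    # needs out-of-band help from here on
        if number in self.accounts:
            return "rejected"  # an account exists; no silent takeover
        member = self.members.get(number)
        ok = (member is not None
              and _same(member.name, name)
              and _same(member.postal_code, postal_code))
        if not ok:
            # One generic answer: the caller cannot tell which field was wrong.
            self.failed[number] = self.failed.get(number, 0) + 1
            return "rejected"
        self.failed.pop(number, None)
        self.accounts[number] = username
        return "created"


def demo():
    """Someone holding only the card tries both flows, then the member signs up."""
    weak = Registry(sample_members())
    strong = Registry(sample_members())
    card = ("4290001234567890", "Pat Example")
    return (
        weak.register_card_only(*card, "finder"),
        strong.register_verified(*card, "A1A 1A1", "finder"),
        strong.register_verified(*card, "b3j2x2", "pat"),
    )


if __name__ == "__main__":
    print(demo())
```

The attempt limit matters because a postal code has few possible values; without it the extra field could simply be guessed.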

Ontario Information and Privacy Commissioner responds to "Plan B" concerns  

A letter to the editor in today's Toronto Star:

TheStar.com - No problem with giving Plan B info:

Letter, Dec. 9.

In his letter, Tim Lu stated that I recommended pharmacists not ask any questions when dispensing Plan B. Allow me to offer the following correction. I refer him to the Ontario College of Pharmacists notice of Dec. 8, 2005, which states the following: 'the Privacy Commissioner stressed that pharmacists should continue to provide information to patients who request this drug, to gather information and to educate and counsel patients. Pharmacists should ask questions of patients if necessary in the course of providing this service but should not record personal health information in a manner which identifies individual patients.'

My office did not recommend that pharmacists not communicate relevant information to women to ensure the safe and effective use of Plan B. Indeed, I noted that pharmacists provide very important services and guidance. However, in order to protect the privacy of Ontarians, as I am mandated to do under the Personal Health Information Protection Act, I must ensure that identifiable personal health information is only collected when it is necessary and that no more personal health information is collected than is necessary. With this in mind, my office together with the Ontario College of Pharmacists and the Ontario Association of Pharmacists is working expeditiously to develop new guidelines to assist pharmacists when dispensing Plan B.

Again, let me be clear. I have no problem with a pharmacist imparting information on Plan B to patients. My concerns lie with the unnecessary collection and recording of personally identifiable, sensitive health information.

Ann Cavoukian, Ontario Information and Privacy Commissioner, Toronto


Friday, December 09, 2005

Canadian Law Blogs List 

A bit off the usual topic, but I have to give a plug for Steve Matthews' list of Canadian law blogs. Check it out: Vancouver Law Librarian Blog: Canadian Law Blogs List.

Also, a belated happy blogiversary to Steve's Vancouver Law Librarian Blog.


West Vancouver to require landlords to inspect tenants' apartments 

I don't think this will pass a constitutional challenge ... on both jurisdictional and freedom from unreasonable search and seizure grounds.

My cousin lives in West Vancouver, BC. He just received a notice from his landlord saying that his apartment would be inspected every three months. Apparently The District of West Vancouver Controlled Substance Nuisance Bylaw No. 4417 requires landlords to enter into and inspect the premises of their tenants, supposedly looking for marijuana grow-ops. Granted, grow-ops are a problem in BC but this is the first municipal bylaw (that I know of) that purports to allow a landlord to enter into someone's rented space without any suspicion to check up on them for what are essentially law enforcement purposes. My cousin's a little miffed at this.


More on dispensing "Plan B" 

In response to the debate over the dispensing of "Plan B" by pharmacies, a pharmacist has written to the Toronto Star that the controversial form has already saved one customer of his from taking the drug inappropriately. Perhaps the conclusion to be drawn is that pharmacists should ask the customer if she would like detailed instructions on its proper use? See: TheStar.com - Make `Plan B' form voluntary


Beyond the Patchwork of Privacy Regulations 

Kristina Lovejoy at Newsfactor is calling for omnibus privacy legislation for the US. What's interesting is that what she proposes looks a lot like the CSA Model Code that's built into PIPEDA:

NewsFactor Network - Enterprise - Beyond the Patchwork of Privacy Regulations:

...Because terms like privacy, confidentiality, and security often create confusion, the label 'information protection' was coined to encompass the range of mechanisms that guide collection, use, and disclosure of information. An information-protection regulation is one that enforces the right of privacy by dictating, among other things, requirements for maintaining the confidentiality, integrity, and availability of protected data.

In general, a strong information-protection plan would require the following:

1. Establishing ownership and accountability within the organization for confidentiality, integrity, and availability.

2. Identifying the reasons for obtaining private information from an end user and making those reasons available.

3. Establishing mechanisms for gaining consent of the end user before collecting private information.

4. Limiting collection of private information only to that information you need for business purposes.

5. Limiting use and disclosure only for the purposes for which you have gained consent, and limiting retention of information to a period specified by law or by user consent.

6. Ensuring that information collected is accurate.

7. Implementing administrative, technical, and physical controls around information to ensure its confidentiality, integrity, and availability.

8. Creating a culture of openness so that if the confidentiality, integrity, or availability of the information is breached in a significant way, the user is notified.

9. Providing the end user with documented escalation policy and process.

In the U.S., information-protection mandates have generally had impact only in certain market segments, such as the Health Insurance Portability and Accountability Act (HIPAA) in healthcare industry and the Gramm-Leach-Bliley Act (GLBA) in the banking sector.

Will there be increased pressure to regulate other industries? Yes. Will there be impetus for creating an Omnibus Information Protection regulation? Definitely.


Thursday, December 08, 2005

Study on data breach fallout 

This may be the first news about ID theft in a little while. A San Diego company, ID Analytics, has done a computerized study of the effects of four of the highest profile data breaches of the last year or so. They found that of those whose information was leaked, only 0.098% were used in connection with fraud. I don't know anything about the company and its methodologies, but I expect some cynics may think that the timing on this is too coincidental as the conclusion to be drawn from the study is that there is little need to notify individuals if their information is compromised. See: SignOnSanDiego.com > News > Technology -- Good news on ID theft.


UWO pension and the USA Patriot Act 

According to an item on the Western News, the University of Western Ontario is entering into an arrangement to have a US-based company administer the faculty pension. That has made at least one person unhappy that Canadian faculty info will be within the reach of the USA Patriot Act.

Communications and Public Affairs

Senate member Mike Carroll wants written assurance faculty pension information will never be turned over to secret U.S. intelligence courts. But he isn't holding his breath.

So why be concerned if you're not a terrorist?

...

The statement seems to be saying that they might well transmit our pension data across international boundaries - and this of course would in itself bring such data within reach of the Patriot Act

Ok, but so what? No terrorists here, right? Why worry? Actually, for several reasons. U.S. FIS courts operate in secrecy with little or no oversight (it's a crime to reveal an action of this court and a felony not to comply with an order to turn over records). As any number of academic bodies in the U.S. (including a number of academic Senates just a tad more activist than ours) have suggested, the wide-ranging authority granted under the Patriot Act poses a threat to civil liberties and creates a climate of fear that undermines academic freedom. In addition, the combination of such wide-ranging power with strict secrecy means that mistakes affecting ordinary (and innocent) people are easy to make and hard to correct (think Ted Kennedy and the "no fly" list).

U.S. academics have no choice at the moment. They are subject to the Patriot Act. But it seems to me entirely inappropriate that the Western Administration should so casually enter into an institutional arrangement that likely puts our personal data within reach of U.S. courts acting under the authority of that Act. At Senate tomorrow, I will be asking the Administration to seek explicit written assurances from Buck Consultants Canada that they will not be shipping our data across international boundaries and would not comply with a FIS court order to turn over data.

Simple questions that should have straightforward answers. Anyone want to bet we'll ever see those answers? I personally think it unlikely, unless of course someone in SLB decides it might improve our grade on the Globe and Mail scorecard.


Alberta Commissioner authorizes an organization under PIPA to disregard an access request. 

The Information and Privacy Commissioner of Alberta, Frank Work, has authorized a company to ignore access requests as being vexatious. PIPA allows the Commissioner to authorize a company to ignore such requests. In this case, the individual had been involved in fifteen years of litigation with Manulife (the applicant). The company said it had no other information on the individual that had not already been handed over as part of the discovery process. The report of the Commissioner is available here: http://www.gov.ab.ca/acn/200512/19181.pdf.


Incident: Misuse of personal information by store clerks looking for bonuses 

WCPO in Cincinnati is reporting that two employees of Fashion Bug have been charged with six counts of "identity fraud" after they applied for credit cards in the names of customers. Apparently they had no intention to use the credit cards, but rather received incentives for the number of people they signed up. Interesting. See: Fashion Bug Employees Charged With ID Theft.


Sexual history no longer taken for morning after pill in Ontario 

Further to my blog posting The Canadian Privacy Law Blog: Morning-after pill privacy concerns raised, the Information and Privacy Commissioner of Ontario has stepped in to advise the Ontario College of Pharmacists that the interrogation of customers seeking the "morning after pill" was too broad to comply with the Personal Health Information Protection Act. From TheStar.com:

Cavoukian said in an interview she was unaware of the form until she read about it in the Star and "I was taken aback. It struck me that a lot of information that was being collected was very personal. It looked excessive and I was alarmed."

The Ontario Personal Health Information Act specifies that no personal identifiable data be collected and "if you must collect it, you collect the absolute minimum," she said. "It's a fundamental principle in privacy.

"You can ask questions but you don't record it," she said. "You don't need those things."


Wednesday, December 07, 2005

Private member's bill in Ontario calls for security breach notification 

Ontario MPP Tony Ruprecht has introduced a private member's bill (Bill 38) in the provincial parliament calling for security breach notification. The bill is an amendment to the Consumer Protection Act and includes the following provision:

"7. The Act is amended by adding the following section:

Duty to inform consumer of unlawful disclosure

12.1 (1) Every consumer reporting agency shall, immediately on discovering that any of a consumer's information has been unlawfully disclosed, lost or stolen, disclose such discovery to the consumer.

Same, person to whom consumer report provided

(2) Every person supplied with a consumer report by a consumer reporting agency shall, immediately on discovering that any of the consumer's information has been unlawfully disclosed, lost or stolen while the information was in the possession or under the control of the person, disclose such discovery to the consumer. "

Similar bills have been introduced and never passed, but it may be something that will eventually get some traction.


With facial recognition available to the masses, privacy through anonymity may go out the window 

Sorting photos is a tedious task. Even more tedious is writing the names of everyone on the back of the print or tagging all of the digital pics so you won't forget who is who. Well, that tedium is now in the past thanks to a new service that brings advanced facial recognition to the masses! You can upload all your pics to Riya, tell them which person is grandma and all pics with grandma in 'em will be tagged. You can tag your sister, your friend and anyone else you like. And if there's a stranger in your photos who you don't know (but Riya does), your photo will be tagged with the stranger's name. What could be cooler than that?

Jennifer Granick over at Wired News (Face It: Privacy Is Endangered) isn't so impressed. Up to now, facial recognition has been only used by law enforcement and some big businesses with large security budgets. Riya brings it to everyone who wants to sign up.

As Granick writes:

Riya also relies on meta tags, but uses facial-recognition software to create them automatically. Subscribers upload photos, and then tell the Riya software who the person is. By repeatedly running the recognition algorithm against multiple photos of the same person, Riya software eventually learns to identify other images of the same face. Once trained, the software will automatically generate meta tags, and users can search their own photos and the photos of other subscribers.

The service currently only searches photos uploaded to its servers. The technology could, however, be deployed across the internet, allowing people to search the web, Flickr, Tribe and Friendster photo sets, regardless of whether the owner or the person photographed wants to be identified. That's where things get interesting.

Mothers could search MySpace.com and find pictures of their children at a party when they were supposed to be studying at a friend's house. Insurers could search and find a photo of a customer bungee-jumping, and raise the daredevil's premiums. I predict that the tool will be invaluable to former (and future) boyfriends and girlfriends checking up on lovers.

In the analog days, when you left your house, there was always a possibility that you might run into someone who would remember what you were doing, and tell anyone who cared enough to ask. In a digital world, you do not know if someone is taking your picture -- with a camera, a webcam or a cell phone -- and the image can be stored forever and searched by people you do not know, at any point in time, without your knowledge and at little or no cost to the searcher.

Even in public, we used to enjoy some privacy, if only in our anonymity. Facial-recognition technology is one reason that's increasingly less true.

You can check out the service at http://www.riya.com. Thanks to David Canton for pointing out the Wired article.


Cornell University outlines security and privacy incident response plans 

In response to a new New York law that requires notification of security and privacy breaches, Cornell University has issued the following media release outlining their plans for compliance:

Cornell complies with new state law on notification about stolen data:

By Bill Steele

If someone hacks into a Cornell University computer and pulls out personal and private information about members of the Cornell community, the people whose data has been compromised will be notified promptly, according to Cornell Information Technologies and the University Counsel's office.

Although the exact procedures have not been worked out, notification would be by ordinary mail, according to Norma Schwab, associate university counsel. E-mail notification, she said, is not legally adequate and might be unreliable, especially in an age when users are bombarded with "phishing" messages with subject lines like "your account has been compromised."

The notification plan is being developed by an ad hoc group called the Data Incident Response Team, which includes members from the Office of Information Technologies, the Office of University Counsel, Cornell Police and the University Audit Office. The group meets periodically to consider data security policy and comes together whenever there is a concern that sensitive data may have been accessed.

The action is in response to a New York state law, the Information Security Breach and Notification Act, passed in August and going into effect Dec. 8. The law requires any business -- including nonprofits -- that maintains personal and private data to provide notification when its systems are invaded and there is a reasonable belief that personal information might have been revealed. The kinds of data involved include Social Security and driver's license numbers and credit card information, and the notification requirement is intended to help consumers fend off possible identity theft.

"It made sense that we should let people know that we are complying with the new law," said Steve Schuster, director of information security. Schuster said he plans to take advantage of the opportunity to make Cornell staff more aware of their responsibilities to protect sensitive data.

"We're still in a state where our data resides in a lot of different areas," he explained. "We all have to take responsibility for it." In other words, sensitive information is not all on one university mainframe, but may also be on ordinary desktop computers in various departments. Schuster plans to require that all new staff members receive a policy and practices briefing -- a short version of the Travelers of the Electronic Highway course required for new students -- before they are issued net IDs. He hopes eventually to set up some sort of annual review of security procedures for all staff. For nontechnical staff, security measures include using strong passwords, protecting those passwords from disclosure and physically securing the computer.

University policies on security are being updated. The venerable Responsible Use of Electronic Communications policy is being expanded as Responsible Use of Information Technology Resources, and it will incorporate policies on data management and security. Data will be broken into three categories: regulated information for which state and federal laws require security, such as Social Security numbers and grades; "Cornell confidential" information, such as salaries and performance reviews; and public data. Security should be tailored to the level of confidentiality of the data. "It will be necessary for departments to inventory where these data reside in their systems," Schuster said.

Despite having very talented people around, higher education institutions are not immune to security breaks, Schuster pointed out. "In the first six months of 2005 there were 72 media-worthy computer compromises in the United States," he reported, "and slightly over half of them were in higher ed. We deal with break-ins here all the time, but we have a really good process in place."

The New York law, patterned on one passed about two years ago in California, was inspired by several incidents in which large corporate databases were compromised. In the most widely publicized case, ChoicePoint, a credential-verifying firm, allowed criminals to obtain personal data on some 140,000 people. At least 15 states have passed similar laws, and legislation is pending at the federal level.


Incident: Mass school accidentally posts student psychological reports online 

From yesterday's Salem News:

Salem News Online

SALEM — School officials said yesterday they will try to contact the parents of children whose private records were mistakenly posted on the Internet.

Administrators met yesterday morning to plan a response to the disclosure last week that dozens of confidential student psychological reports were available online for months. The documents were removed from the Internet last week.

"We're going to make every effort to put together the chronology and the listing of students in order to contact parents," Superintendent Lawrence Callahan said. "I feel very strongly about that."

He said he had not yet decided whether to take disciplinary action against anyone involved in the posting.

Parents were not notified when the files were first discovered in October, nor were they immediately told when the files were rediscovered by a Salem News reporter two weeks ago. When the discovery became public on Friday, several parents called Callahan to find out whether their children's records were among those that had been on the Internet.

Thanks to Privacy.org for the link.


Tuesday, December 06, 2005

Is there a right to privacy in a high school bathroom? 

That's the question being asked by the ACLU and the parents of an eighth grade boy who found a hidden camera in the bathroom of his Georgia high school. He removed the camera to show his parents, who complained. The camera was apparently placed by the principal who then disciplined the student for taking student property.

From WMAZ Macon Georgia: Does The Right to Privacy Extend into the School Bathroom?


FTC can't require US lawyers to send privacy notices to clients under GLB 

The US Court of Appeals for the DC circuit has held that the Federal Trade Commission overstepped its authority under the Gramm-Leach-Bliley Act by trying to force lawyers to send privacy notices to clients, as is the requirement for banks and other financial institutions. See: FTC Can't Regulate Lawyers, Court Rules - Yahoo! News. The NY Bar, a party to the court action, has also issued the following press release: New York State Bar Association Wins Lawsuit Over FTC Enforcement of Gramm-Leach-Bliley Privacy Act; Court Exempts Lawyers From Federal Law - Yahoo! News.


"Trust is fundamental. Distrust has a devastating impact on profitability." 

At a recent conference in Toronto, reported on by IT Business, Ontario's outspoken Information and Privacy Commissioner, Ann Cavoukian, had some strong words about how companies respond to privacy incidents.

IT Business : EDGE:

With identity theft being the fastest growing form of fraud -- Equifax in Canada reported between 1,400 and 1,800 identity theft-related complaints per month -- companies can no longer say it’s just an external threat that can be remedied by a firewall, for example. The Privacy Commissioner of Ontario, Ann Cavoukian, who also spoke at Tuesday’s event, said businesses need to think of privacy as a business issue rather than an IT-related one. Cavoukian cited several U.S.-based studies that show customers said identity theft-related incidents affected their purchasing decisions.

“If I were a business I would make privacy work for me,” said Cavoukian. “Trust is fundamental. Distrust has a devastating impact on profitability.”

To illustrate her point, Cavoukian mentioned the CIBC faxing fiasco as an example of how not to handle a privacy breach. The U.S. case involved a West Virginia scrapyard owner who had been receiving faxes containing confidential data from CIBC for three years. In April, the Privacy Commissioner of Canada ruled the bank was in violation of PIPEDA principles. CIBC responded to the Commissioner’s findings by creating a national database to track privacy issues and establishing a national privacy office, among other initiatives.

“I’m outraged by CIBC’s response to the faxing fiasco,” said Cavoukian, adding the incident will make it into business studies as an example of how not to handle such a situation. “Everything is in your management of a crisis and your immediate reaction.”


Porn business for sale: privacy issues 

Some of the most common questions I get from other lawyers in my firm have to do with privacy issues that crop up in mergers and acquisitions. A purchaser wants to buy a business that includes reams of employee information and, often, significant quantities of customer information. Most businesses hold mundane personal information, but some are more exotic ...

Boing Boing, which truly is a directory of wonderful (and weird and unusual and interesting) things, has linked to an interesting auction on eBay. Apparently, someone in the "adult entertainment" business has given in to pressure from family and is selling his porn production company on eBay. (Boing Boing: Porn company for sale on eBay) It is being sold lock, stock and barrel. And, as is required in this industry, the business is also the custodian of information about the performers in the business:

eBay: ENTIRE PORN COMPANY FOR SALE !!! (item 7567775239 end time Dec-08-05 21:30:00 PST):

... An established relationship with all your favorite and current Adult Stars. Company records include there [sic] real names, addresses, phone numbers and other personal information. These records are kept because of Federal laws....

The opening bid is $100,000 and I can just imagine some drooling weirdo buying the company just for the information it holds. I can also just imagine more than a few starlets concerned about who the purchaser will be.

Update (20051208): Apparently eBay has yanked the listing.


Privacy concerns raised about morning-after pill rules 

The CBC in Saskatchewan has also picked up the story about privacy and the "morning after pill": CBC Saskatchewan - Privacy concerns raised about morning-after pill rules. See also The Canadian Privacy Law Blog: Morning-after pill privacy concerns raised.


Spyware, the Sony Rootkit and Canadian privacy laws 

Greg Hagen at blog*on*nymity has some interesting things to say about spyware, the Sony Rootkit and Canadian privacy laws:

blog*on*nymity - blogging On the Identity Trail:

...Spyware is considered to be objectionable primarily because of the notorious lack of adequate consent provisions in accompanying EULAs and installation procedures. Suppose, however, that Sony BMG attempted to modify its EULA and installation procedures in order to accord with Canadian privacy legislation. Among other requirements, Sony BMG would have to ensure that, pursuant to the applicable consent provisions such as PIPEDA Principle 4.3, any collection, use and disclosure of personal information of an individual is obtained with the knowledge and consent of the individual. The question that immediately arises is whether the supply of CDs can be conditioned upon such consent, permitting Sony BMG to thereby circumvent privacy protections.

Principle 4.3.3 of PIPEDA requires that an organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use or disclosure of information beyond that required to fulfill the explicitly specified, and legitimate purposes. Does the collection of personal information by XCP serve a "legitimate purpose?" The Canadian Government's Spam Task Force recommendation to prohibit spyware suggests that the use of XCP to protect copyright is not legitimate. If that is correct, then consent that is a precondition to the supply of CDs should be considered vitiated, and one should be able to use a spyware uninstaller to remove XCP with impunity....


Shifting the risk and imposing statutory damages in identity theft cases 

Kevin Drum, in Washington Monthly, has an interesting proposal for shifting the risk of identity theft from consumers (and the victims) to the credit granting establishment. Just as Congress pushed the risk of credit card fraud onto the industry through the Truth in Lending Act, forcing the industry to be creative in fighting fraud, the same should be done with loss of customer information and fraudulently-obtained credit:

"You Own You" by Kevin Drum:

...The same method should be used for identity theft. There's no need to create mountains of regulations, which are uniformly despised by the credit industry. Instead, simply make the industry itself—and any institution that handles personal data—liable for the losses in both time and money currently borne by consumers. The responsible parties will do the rest themselves.

How would this work? Congress could assign specific minimum values—statutory damages—for each of the acts associated with identity theft. Extending credit without conducting adequate background checks, or issuing a faulty credit report thanks to undiscovered theft of identity, might be worth $10,000 per incident. Losing someone's personal information in the first place might be worth less—perhaps around $1,000—since only a small percentage of cases of information loss ultimately lead to a full-fledged theft of identity.

The establishment of statutory damages would allow consumers to bring personal or class-action lawsuits for any of these transgressions. (Currently, such suits are difficult to win because breaches of privacy are extremely hard to value—some courts even flirt with the notion that privacy has no value at all.) And consumers would not need to show that those responsible for the theft acted negligently. When your money is stolen from a bank, the bank is liable no matter how diligently it tried to protect it. That's why banks take care of your deposits. If the credit industry and other data-handlers knew that the legal system would hold them responsible for extending credit to impostors, issuing inaccurate credit reports, or losing data, you can bet they'd figure out better ways to stop those things from happening.

The beauty of this solution is that by giving the credit industry a financial stake in solving the problem, it uses market-based self-interest rather than top-down federal mandates. Instead of relying on a regulatory agency to levy fines—or not levy them, depending on the administration—it gives companies an incentive to change their behavior. Under this plan, credit agencies would no longer charge consumers for “credit protection” services. Rather, they would beg consumers to make use of them, free of charge and with maximum ease of access. Credit issuers and other businesses that offer credit would quickly stop opening up new accounts without adequate background checks. And companies that handle personal data would finally get serious about implementing effective safeguards....

Thanks to Overlawyered for the link.


Monday, December 05, 2005

US Federal employee busted for misuse of LexisNexis databases 

According to Brian Krebs on Computer and Internet Security, a US federal employee has been busted for misuse of one of the massive databases of personal information made available to law enforcement and other privileged users. Candice Smith of Missouri pleaded guilty after being snared using the databases to find out if anyone was investigating her second job, working as a prostitute. She also admitted to looking up her ex-husband. Thanks to EPIC West for the link. EPIC West also has a link to an interesting tidbit from 2002: Top 10 List of Police Database Abuses.


Don't be liable for identity theft 

[A slightly edited version of the article below was just published in the December 2005 edition of Business Voice.]

Don't be liable for identity theft

Identity theft, we are told, is one of the fastest growing crimes in North America, claiming thousands of new victims every year. This crime most often involves using the personal information of unsuspecting victims to obtain goods and services, including credit, in the names of those victims. How the fraudsters obtain personal information varies and, unfortunately, their ingenuity apparently knows no bounds. Identity theft is obviously a problem for its victims but it also presents significant legal risk to businesses.

Every business in Atlantic Canada that handles customer information is subject to the Personal Information Protection and Electronic Documents Act (“PIPEDA”). Among its many requirements, PIPEDA requires every business to implement safeguards to protect personal information against inappropriate use and disclosure. The form of safeguards depends upon the sensitivity of the information. If the misuse of the information could lead to fraud or identity theft, the safeguards must be appropriately robust.

Unfortunately businesses are often the weak link in the data protection chain, jeopardizing their customers and their own business reputations. In the first half of this year, the media reported on a series of incidents that resulted in the disclosure or theft of personal information of almost two million Americans. We are not immune here in Canada: Some may recall the attention given to the accidental faxing of the personal information of thousands of bank customers to a junkyard in the United States. More shocking was the discovery made by police in Alberta this past winter: piles of extremely sensitive information, including credit reports, on senior provincial public servants were found in a methamphetamine lab. Further investigations showed that drug addicts are being hired by identity thieves to steal personal information by a number of means, including “dumpster diving” in the trash receptacles and recycling bins of businesses. It would be foolish to assume that this does not occur in Atlantic Canada.

Businesses that do not adequately lock up personal information can find themselves legally and financially liable to the victims of identity theft and other forms of fraud. In April of this year, a number of identity theft victims in Michigan successfully sued a trade union because it allowed information of its members to be misused. The high-profile misdirected fax incidents spawned a class-action lawsuit in Ontario, alleging that the bank involved should have to pay compensation for the increased risk of identity theft, plus the actual cost of more vigilant credit monitoring. These lawsuits relate to inappropriate safeguards, but it will not be long before individuals whose identities are stolen will seek recourse against credit grantors and others who offered facilities to the impostors, arguing they did not do enough to verify the identity of the person seeking credit. These plaintiffs will be seeking damages related to the costs of repairing their credit and, perhaps, opportunities they have lost due to an unfavourable credit rating. PIPEDA, to which all Atlantic Canadian businesses are subject, allows individuals to seek damages in the Federal Court for any harm they might have suffered, including any embarrassment that might have been caused by a leak of personal information.

So what does all this mean to businesses? Anybody in possession of personal information that would be useful to commit identity theft or the disclosure of which might be embarrassing to the individual has an obligation to protect that information against all risks. This obligation is already set out in PIPEDA and the common law will likely also impose a duty of care where the risk of identity theft is foreseeable. (In the current climate, it would be difficult to argue that identity theft is not foreseeable.)

Business owners also need to be very careful to supervise employees. Significant portions of fraud committed can be traced to dishonest employees who misuse the information they have access to or even participate in activities such as “card skimming”, where information is taken from credit cards and debit cards. All employers need to be aware that the courts will generally hold them legally and financially responsible for the misdeeds of their employees.

Credit grantors in particular have to be even more vigilant in establishing the identities of those to whom they extend credit. This will not only protect against credit losses, but will reduce the likelihood that your company will be the subject of privacy complaints and litigation. In this effort, privacy laws unfortunately pull businesses in two different directions. On one hand, credit grantors should clearly establish the identity of an applicant. On the other hand, the law says that they can only collect information that is reasonably necessary in the circumstances. To satisfy both, businesses need to establish reasonable policies and practices on how identity will be confirmed and how that information will be subsequently used. Doing so simply makes business sense in this legal climate.

While legal liability may appear remote to many businesses, a single incident can destroy the business reputation that you have worked years to develop. Surveys have shown that customers are increasingly concerned about their personal information and are making buying decisions based upon what businesses they trust. If word gets out that your business is not doing what is necessary to protect customer information, it can be shunned by consumers with dramatic effect on your bottom line.

Tips for Protecting Information

  • Only collect the minimum amount of information that is necessary for carrying on your business. The more information you have, the greater the likelihood of loss and the consequences such as fraud.
  • Information that is no longer required must be securely disposed of. This involves shredding all paper that contains personal information and making sure that all hard-drives of surplus computers are completely wiped clean of data.
  • Carefully screen all employees who will have access to personal information.
  • Carefully restrict employee access to personal information, on a need-to-know basis.
  • Carefully vet all service providers, such as cleaning companies and data processors, and require them to sign non-disclosure agreements and indemnities in case they misuse personal information or allow its disclosure.


US Federal Judge rules that school does not have the right to "out" gay students 

A student and the ACLU have sued an Orange County school district after the school "outed" a gay young woman to her parents. The student was known to be gay to her friends and her school community, but had not told her parents. The Federal Court has refused a motion to dismiss brought by the school board on the basis that the school has a right to out gay kids. See Judge Rejects School Claim It Could 'Out' Gay Students To Parents.


Sunday, December 04, 2005

Toronto - MD launches privacy complaint over new special diet application 

An Ontario physician has registered a complaint with the Ontario Information and Privacy Commissioner about a new welfare program that requires social workers to collect detailed health information from social services recipients. Here's the scoop:

Toronto - MD launches privacy complaint over new special diet application

A family physician with St. Michael’s Hospital in Toronto, Dr. Gary Bloch, has filed a complaint with privacy commissioner Ann Cavoukian regarding the new application form for the Special Diet Supplement available to recipients of social assistance.

The new form requires health providers to disclose specific health conditions to social services workers for extra funds to be approved for recipients’ special dietary needs. The supplement has been available for almost a decade, and has always required a health care provider’s assessment in order for the Ministry of Community and Social Services to approve the extra funds. The health provider simply had to state which special diet a client qualified for, and the supplement was approved.

As of November 18, the Ministry amended Ontario Disability Support Program and Ontario Works regulations with a new form which requires health providers to reveal specific health conditions, including such socially charged conditions as HIV, and send this information to social services.

“The new system forces individuals living in poverty to reveal their health conditions to social services workers who have no right to know such information,” said Dr. Bloch. “This constitutes a gross breach of these individuals’ right to privacy. The previous system kept confidential health information where it belonged—between a patient and her health care provider.”

Dr. Philip Berger, chief of the Department of Family and Community Medicine of St. Michael’s Hospital, recalls a similar complaint he filed with Dr. Cavoukian five years ago regarding an application form for recipients of Ontario Disability Support to receive funds for transportation to medical appointments. A negotiated settlement in that case resulted in a change in the form to eliminate the need to reveal confidential health information.

“I can’t believe the Ministry hasn’t learned from its previous mistakes,” Dr. Philip Berger stated. “This looks like another misguided attempt to intrude into the lives of people living in poverty. As a health provider, I am left with an impossible choice: to breach patient confidentiality or to deny my patients their ability to buy food.”

For more information:
Dr. Gary Bloch, (416) 995-7018
Dr. Philip Berger, (416) 867-3712
Janet Maher, (416) 770-1311

[copy of complaint letter attached]

November 22, 2005.

Dr. Ann Cavoukian
Information and Privacy Commissioner of Ontario
2 Bloor St. East, Suite 1400
Toronto, ON M4W 1A8

Dear Dr. Cavoukian:

I am writing to express my concern regarding the privacy implications of the new “Application for Special Diet Allowance and Pregnancy Nutritional Allowance” form implemented by the Ontario Ministry of Community and Social Services this month. I have enclosed a copy of the new form.

My primary concern is that this form requires the disclosure of confidential, private medical information to the Ministry of Community and Social Services. This new requirement will result in social services workers with no direct involvement in an individual’s health care obtaining information about clients’ health conditions. The potential ramifications of this are high, most obviously with a socially charged condition such as HIV, but any unnecessary revealing of a client’s health status constitutes a breach of her or his right to privacy.

The special diet application process has functioned for many years without the need to reveal this information. The process (both old and new) requires an assessment of a client’s eligibility for a special diet by her or his health care provider. There is no additional benefit to client care from a third party’s involvement in this assessment process. In addition, this results in inequitable treatment of individuals already vulnerable due to their poverty.

I feel this new form represents an unnecessary impingement on individuals’ right to privacy. I have attached a letter from Dr. Philip Berger, Chief of the Department of Family and Community Medicine at St. Michael’s Hospital, written to you in May, 2000, regarding similar concerns he had about a transportation allowance form for recipients of ODSP. I have also included your commission’s response which outlines the negotiated settlement to address the privacy concerns in that case.

I greatly appreciate your attention to this matter.

Sincerely,

[Original signed by Gary Bloch MD CCFP]


Alberta judge: Conditional sentence not sufficient for card skimmer 

In a recent judgement, R. v. Naqvi, 2005 ABPC 339, the Associate Chief Judge of the Alberta Provincial Court has sentenced a convicted card-skimmer to eighteen months in prison. The accused worked in two gas stations and skimmed cards using equipment provided by a high-school acquaintance. He was paid $100 per card he skimmed, for a total of $17,000.

In rejecting the call for a conditional sentence, the judge said:

To describe him as a minor participant is akin to describing a bank robber as a low level participant, and the driver of the getaway vehicle as the primary offender. Without the gathering of information by the accused, and its distribution to his criminal acquaintance, the criminal enterprise that resulted from his participation would not have been possible.

Hopefully this will send a message ...


NYT Ethicist: Opt-in is a matter of manners as much as it is a matter of morals 

From today's The Ethicist in the New York Times:

I am a fund-raiser at a not-for-profit. Part of my job is building up a list of people we can solicit financial support from. Last summer we worked on a voter-registration drive. My co-workers suggested that we add the names from registration forms to our database, pointing out that they are public information, and people can opt out of our list. Ethical? Anonymous, Tucson

Junk mail is in the eye of the beholder, like conjunctivitis; you should not contribute to the spread of either. Even if you legally obtain public information and use it for only a worthy cause, you should get permission before adding anyone to your mailing list. It's a matter of manners as much as morals. Besides, you'll do your cause little good if you vex potential supporters by bombarding them with unwanted mail.

Worse still, no matter how fastidious your organization, mailing lists have a way of escaping and snaking off to other, less scrupulous, mailers where they proliferate wildly, the kudzu of postbox and cyberspace. To avoid fertilizing this noxious underbrush, you should invite people to opt in to your database, not just allow them to opt out.


Identity theft and fraud in the healthcare context 

Jeff, at HIPAA Blog, points to an article on ID theft and fraud in the healthcare context put out by the American Health Information Management Association. He introduces it thusly:

HIPAA Blog

More on identity theft: Here's an article from AHIMA that supports my constant cry that the big risk of improper use/disclosure of PHI isn't about the 'H' but about the 'P'. Unless you're a professional athlete, nobody cares about your knee surgery. But they do care about your name, address and social security number. There's money in that information.

From the intro to the article:

Identity Theft and Fraud-The Impact on HIM Operations (Journal of AHIMA):

Identity theft and fraud are the fastest growing crimes today. Healthcare organizations are particularly vulnerable to identity theft due to the wealth of patient personal, demographic, and financial information that is collected, transmitted, and maintained in the course of operations. Healthcare employees with legitimate access to protected health information (PHI) may gather information for later misuse. Credit cards and identification may be stolen while patients are being treated in healthcare facilities. Individuals posing as investigators may contact patients or providers asking for information that allows them to impersonate the patient or provider.


Saturday, December 03, 2005

ChoicePoint in the spotlight again; seeking access to California drivers' records on behalf of DHS 

The Los Angeles Times is reporting that the embattled ChoicePoint has garnered some additional publicity as it seeks to have access to the entire database maintained by the California Department of Motor Vehicles. It is seeking to have the usual DMV fees waived as it is seeking the records in order to serve its client, the Department of Homeland Security. A number of Californians are a little reluctant to have the state give access to the company that allowed identity thieves free rein in its other databases. The article also discusses some tussles with the Pennsylvania DMV. Check it out: Big Data Broker Eyes DMV Records - Los Angeles Times.

Thanks to Daniel Solove at Concurring Opinions for the link. Check out what he has to say as well: Concurring Opinions: ChoicePoint Wants Your Motor Vehicle Records.


Incident: Income tax records on University of San Diego computer hacked 

Another university privacy/security incident: SignOnSanDiego.com > News > Business -- 7,800 linked to USD told of network security breach.

This also offers some lessons on how not to notify affected individuals:

The undated letter aggravated many recipients, though, because it provided no details about the breach and offered no specific recommendations on steps they could take to protect their personal banking and credit accounts.

"It's one of the worst security breach notice letters I've ever seen," said Beth Givens, director of the Privacy Rights Clearinghouse, a San Diego nonprofit consumer group once affiliated with USD.


Morning-after pill privacy concerns raised 

The Toronto Star is reporting on a controversy brewing after the Canadian Pharmacists Society has issued guidelines to its members on prescribing Plan B, also known as the "morning after pill". The guidelines call on pharmacists to collect and hold onto personal information from the patient, including information on sexual history. No other over the counter medication requires this and pharmacists are proposing to add a "consultation fee" of $20 on top of the price of the drug.

I have done a lot of looking at privacy practices in Canadian pharmacies and compliance with privacy laws is spotty, at best. If you accept that this information is necessary for the proper dispensing of Plan B, pharmacists will still need to make sure that this consultation takes place in private. Many pharmacies, particularly in the large chains, have built consultation rooms but I have yet to see one actually used while sensitive health information is routinely discussed over the counter within earshot of other customers.

Read the Star article here: TheStar.com - Morning-after pill privacy concerns raised.


DSW settles with FTC; promises to beef up security 

DSW, which was the subject of a significant security/privacy breach in May 2005, has settled with the Federal Trade Commission. The settlement requires the company to beef up security. DSW to beef up computer security in FTC settlement - Computerworld. For the original incident: The Canadian Privacy Law Blog: Incident: Shoe chain says customer data stolen.


LaForest recommends keeping Info and Privacy Commissioners separate 

In July, 2005 the government asked Mr. Justice Gerard LaForest to inquire into the desirability of merging the Office of the Privacy Commissioner and the Office of the Information Commissioner. While a merged office is the norm in many provinces, Justice LaForest's report has recommended not merging the offices. And, he said, if the government plans to do the merger nevertheless, he recommends that it be delayed so that each office can sort out the current challenges they are facing. Read the report here: THE OFFICES OF THE INFORMATION AND PRIVACY COMMISSIONERS: THE MERGER AND RELATED ISSUES and in PDF here.

Here are the recommendations:

SUMMARY OF RECOMMENDATIONS

The major recommendations made in this Report may be summarized in the following manner:

  • There should not be either a full merger of the offices of the Information Commissioner and the Privacy Commissioner or an appointment of one commissioner to both offices. These changes would likely have a detrimental impact on the policy aims of the Access to Information Act, the Privacy Act, and PIPEDA.
  • If the Government and Parliament decide to proceed with a merger or cross-appointment, implementation should be delayed for a considerable period of time. The transition should take place gradually, and only after the challenges facing the current access and privacy regimes have been thoroughly studied and addressed.
  • Caution should be exercised in proceeding with any attempt to share the corporate services personnel of the offices of the Information and Privacy Commissioners. Care must be taken to establish mechanisms ensuring adequate accountability and control.

Government must do much more to foster a "culture of compliance" with access and privacy obligations. With respect to access, it should:

  • make it clear to officials that access should be provided unless there is a clear and compelling reason not to do so;
  • develop better information management systems;
  • ensure adequate training for access officials;
  • create proactive dissemination policies; and
  • provide adequate incentives for compliance.

With respect to privacy, it should:

  • pay greater attention to the implications of programs involving the sharing, matching, and outsourcing of personal information;
  • ensure adequate training for privacy officials; and
  • develop comprehensive privacy management frameworks;

  • The Access to Information Act and the Privacy Act should be amended to specifically empower the commissioners to comment on government programs affecting their spheres of jurisdiction. Ideally, there should be a corresponding duty imposed on government to solicit the views of the commissioners on such programs at the earliest possible stage.
  • The Access to Information Act and the Privacy Act should be amended to recognize the role of the commissioners in educating the public and conducting research relevant to their mandates.
  • The option of granting order making powers to the Information and Privacy Commissioners should be studied in further depth.
  • The Access to Information Act and the Privacy Act should be amended to specifically empower the commissioners to engage in mediation and conciliation.


Sorry for the break 

Sorry for the lack of blogging for the last three days. I just got back from a whirlwind trip to Winnipeg on behalf of a client to look at biomedical commercialization activities taking place there. The agenda was so packed I didn't have any time to keep on top of what's going on in the privacy world. But I'm back ...


The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.