The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Sunday, June 04, 2006
OK. Now I'm a little mad. Another laptop reportedly stolen from an auditor. These have gotten too routine.
But this time, there's a good chance my personal information may have been on the stolen laptop. The data is from Hotels.com, a subsidiary of Expedia.com. This company also handles hotels booked through the Air Canada website using their Destina service. This is a service I've used in the past.
I haven't gotten a letter, but with information on 243,000 customers, I expect this is a subset of customers from 2002, 2003, 2004.
It is particularly rich that Hotels.com and Ernst & Young is suggesting that customers "take appropriate action to protect their personal information". Hello? You're suggesting that I take appropriate action to protect my personal information? How about you and your auditors taking appropriate action to protect my personal information. You can start by not letting it leave the building on a laptop. But if you don't follow that basic step, you could think about encrypting the information.
Here's the story from the Associated Press:
Hotels.com customer info may be at risk - Yahoo! News:
SEATTLE - Thousands of Hotels.com customers may be at risk for credit card fraud after a laptop computer containing their personal information was stolen from an auditor, a company spokesman said Saturday.
The password-protected laptop belonging to an Ernst & Young auditor was taken in late February from a locked car, said Paul Kranhold, spokesman for Hotels.com, a subsidiary of Expedia.com based in Bellevue, Wash.
"As a result of our ongoing communication with law enforcement, we don't have any indication that any credit card numbers have been used for fraudulent activity," Kranhold said. "It appears the laptop was not the target of the break-in."
Both Hotels.com and Ernst & Young mailed letters to Hotels.com customers this past week encouraging them to take appropriate action to protect their personal information.
The transactions recorded on the laptop were mostly from 2004, although some were from 2003 or 2002, the companies said. The computer contained personal information including names, addresses and credit card information of about 243,000 Hotels.com customers. It did not include their Social Security numbers.
Ernst & Young, which has been the outside auditor for Hotels.com for several years, notified the company of the security breach on May 3.
"We deeply regret this incident has occurred and want to apologize to you and Hotels.com for any inconvenience or concern this may cause," said the unsigned memo from Ernst & Young dated May 2006.
Ernst & Young invites those affected by the incident to enroll in a free credit monitoring service arranged by the auditor.
"We sincerely regret that this incident occurred and we are taking it very seriously," said the letter signed by Hotels.com general manager Sean Kell.
The letter from Hotels.com said "Ernst & Young was taking additional steps to protect the confidentiality of its data, including encrypting the sensitive information we provide to them as part of the audit process."
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.