The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

Search this blog

Recent Posts

On Twitter

About this page and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

For full contact information and a brief bio, please see David's profile.

Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.

David Fraser's Facebook profile

Privacy Calendar



Subscribe with Bloglines

RSS Atom Feed

RSS FEED for this site

Subscribe to this Blog as a Yahoo! Group/Mailing List
Powered by

Subscribe with Bloglines
Add to Technorati Favorites!

Blogs I Follow

Small Print

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.

Sunday, June 04, 2006

Incident: customer info on laptop stolen from auditor in February 

OK. Now I'm a little mad. Another laptop reportedly stolen from an auditor. These have gotten too routine.

But this time, there's a good chance my personal information may have been on the stolen laptop. The data is from, a subsidiary of This company also handles hotels booked through the Air Canada website using their Destina service. This is a service I've used in the past.

I haven't gotten a letter, but with information on 243,000 customers, I expect this is a subset of customers from 2002, 2003, 2004.

It is particularly rich that and Ernst & Young is suggesting that customers "take appropriate action to protect their personal information". Hello? You're suggesting that I take appropriate action to protect my personal information? How about you and your auditors taking appropriate action to protect my personal information. You can start by not letting it leave the building on a laptop. But if you don't follow that basic step, you could think about encrypting the information.

Here's the story from the Associated Press: customer info may be at risk - Yahoo! News:

SEATTLE - Thousands of customers may be at risk for credit card fraud after a laptop computer containing their personal information was stolen from an auditor, a company spokesman said Saturday.

The password-protected laptop belonging to an Ernst & Young auditor was taken in late February from a locked car, said Paul Kranhold, spokesman for, a subsidiary of based in Bellevue, Wash.

"As a result of our ongoing communication with law enforcement, we don't have any indication that any credit card numbers have been used for fraudulent activity," Kranhold said. "It appears the laptop was not the target of the break-in."

Both and Ernst & Young mailed letters to customers this past week encouraging them to take appropriate action to protect their personal information.

The transactions recorded on the laptop were mostly from 2004, although some were from 2003 or 2002, the companies said. The computer contained personal information including names, addresses and credit card information of about 243,000 customers. It did not include their Social Security numbers.

Ernst & Young, which has been the outside auditor for for several years, notified the company of the security breach on May 3.

"We deeply regret this incident has occurred and want to apologize to you and for any inconvenience or concern this may cause," said the unsigned memo from Ernst & Young dated May 2006.

Ernst & Young invites those affected by the incident to enroll in a free credit monitoring service arranged by the auditor.

"We sincerely regret that this incident occurred and we are taking it very seriously," said the letter signed by general manager Sean Kell.

The letter from said "Ernst & Young was taking additional steps to protect the confidentiality of its data, including encrypting the sensitive information we provide to them as part of the audit process."

Labels: , ,

6/04/2006 08:36:00 AM  :: (2 comments)  ::  Backlinks
David -

What's particularly troubling is that an auditor was taking inadequate measures. Perhaps you've seen other incidents involving the big (what is it now - 5, 4, 3?) auditors, but this is a first for me.

What's next, Skadden Arps? Clifford Chance?

Thanks for the comment, Rob.

There have been other auditors involved in privacy/security breaches. The best catalog of incidents is maintained here by PrivacyRights.Org.

It includes the following:

Feb. 23, 2006
Deloitte & Touche (McAfee employee information)
External auditor lost a CD with names, Social Security numbers and stock holdings in McAfee of current and former McAfee employees. 9,290

Mar. 15, 2006
Ernst & Young (UK)
Laptop lost containing the names, dates of birth, genders, family sizes, Social Security numbers and tax identifiers for current and previous IBM, Sun Microsystems, Cisco, Nokia and BP employees exposed. Unknown

May 19, 2006
American Institute of Certified Public Accountants (AICPA)
(New York, NY)

An unencrypted hard drive containing names, addresses and Social Security numbers of AICPA members was lost when it was shipped back to the organization by a computer repair company.
Post a Comment

Links to this post:

Create a Link

This page is powered by Blogger. Isn't yours? Creative Commons License
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License. lawyer blogs