The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

About this page and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

For full contact information and a brief bio, please see David's profile.

Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.

Small Print

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.

Saturday, July 15, 2006

Edmontonian writes about his data breach experience 

In today's Edmonton Sun, Timothy le Riche writes about his recent experience of having his information compromised when an investment advisor lost his laptop:

Identity indemnity

It's been a tough day at work, traffic was crazy getting home, and there you find a letter waiting that warns: "An incident has occurred which may have compromised the security of a file containing some of your personal information."

Great. Just what you need.

The letter that arrived at my house recently was from one of my investment dealers. A laptop computer was stolen, and, unfortunately, it contained client details such as my name, age, month of birth, address, home and office phone and fax numbers, e-mail addresses and some asset information.

They note that the information did not include my day of birth, social insurance number (S.I.N.) nor any banking details.

Even if this thief is able to hack through the password protection to get at the data, I don't think he'll be too impressed with my account. What I'm more concerned about is, of course, identity theft. So that's what I set out to deal with.

Now I'm not too pleased with this investment dealer in that a sensitive laptop could go missing, but I'll give them good marks for how they moved on it. They began by establishing exactly what information was on the computer and then took a series of actions.

First, they sent out a letter to affected investors like me, beginning with an apology. Apologies don't solve much but at least offer an appropriate demeanour.


Then, they notified the police - and the letter I received includes the police file number. I can refer to this number in any dispute over future fraudulent charges against me, the letter explains.

My account with the dealer has been flagged. I am assured that extra measures will be applied to ensure validity of any requests on my account.

The dealer notified TransUnion of Canada Inc., one of two main credit reporting agencies, where a fraud warning was placed on my file. This one is important. In addition, the letter suggests that I contact Equifax, the other big credit agency, and flag my name there.

With my name flagged, those agencies will contact me first before issuing any credit under any application with my name on it.

My dealer has also notified the Alberta Privacy Commissioner, and pledges a security review with outside consultation. Finally, they offer phone numbers of top staff - including the chief privacy officer - whom I immediately called the next morning. Again, kudos to them. I was called back quickly. The privacy officer offered some more details and urged me to contact Equifax.


I also called the police. Unfortunately, no single officer is assigned to the report number - it's a generic file. I am directed to the police website for information on identity theft:

Equifax, it turns out, is one of those organizations that doesn't like to talk to people; they would rather have you press a series of phone buttons to deliver information.

I keyed in my S.I.N. and other details, as requested, and then I was informed my account is flagged. A computer voice said they will send me a copy of my credit report.

It is recommended that you check your credit report at least once a year.

Even though my investment dealer had no credit card information, I decided to call MasterCard for more information on identity theft and fraud.

It turns out they provide a free legal advice service to card holders. Top marks to MasterCard as well.

It seems I've tagged all the bases.

Now all I can do is wait.

And brace myself for that credit report - and whatever bad news it might reveal.

The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.