The Attorney General of Missouri has been successful in his effort to get a restraining order to prevent Locatecell.com from selling phone records of Missouri residents. See: Missouri Shuts Down Locatecell.com.

In related news, Verizon got a similar order from a federal judge in Trenton, NJ. See: Verizon wins injunction in privacy fight: Financial News - Yahoo! Finance.

Technorati tags: Privacy :: Security :: Phone Records :: Missouri :: Verizon.

Labels: information breaches

Labels: australia, information breaches

The recent controversey over subpoenas of high-profile search engines has spurred a lot of discussion about what search engines know about you. For example, John Battelle was able to get confirmation from Google of what a lot of people have probably always suspected:

1) "Given a list of search terms, can Google produce a list of people who searched for that term, identified by IP address and/or Google cookie value?"

2) "Given an IP address or Google cookie value, can Google produce a list of the terms searched by the user of that IP address or cookie value?"

I put these to Google. To its credit, it rapidly replied that the answer in both cases is "yes." Just FYI.

What else does Google know? Given that Google operates

• one of the most widely used advertising networks,
• one of the most widely used webmail services,
• one of the most widely used mapping services,
• one of the most widely used website statistics services,
• one of the most widely used browser toolbars,
• one of the most widely used news aggregators,
• one of the most widely used online group services,

they know a heck of a lot. Every time you visit a site that uses adwords, your computer connects to google and tells them what you're viewing and probably what got you there. And all this can be matched by your google cookie or your IP address.

The question is, other than for personalized services, why should a company maintain information that is personally identifiable? Why keep logs that have your ip address down to the last digit when the same value can be obtained from the data by only keeping the first three units (192.168.168.* compared to 192.168.168.111)? The level of trust that consumers have for companies like Google is eroding and businesses should take heed of this. If you don't need the information in personally identifiable form, don't keep it.

It will not be long before the cost of keeping this stuff is prohibitive if you have to spend valuable personel time responding to subpoenas. I can imagine the FBI or some other three-letter-agency having a form subpoena that will seek all the records from Google, Yahoo!, DoubleClick and others about the supposed "owner" of a suspicious IP address. What did you search for? What did you read? When were you online? All this info is mantained by a small handful of companies.

UPDATE: While you're thinking about this, check out Google's data minefield by Mark Rasch (via robhyndman.com).

Technorati tags: IP address :: privacy :: tracking :: logs :: retention :: personal information :: Google :: Search Engines

Labels: doubleclick, google, information breaches, ip address, law enforcement, privacy, retention

First - as we have seen many times before, a prompt and proper response to any alleged privacy breach is crucial. Every person in every business that has customer contact must be trained to spot privacy issues, and immediately bring them to the attention of the business's privacy officer.

Second - what should be the proper response when something like credit cards or documents with personal information is sent to the wrong person? Is telling them to cut them up or shred them sufficient? Or should they request they be returned? At least if they are returned, the business will know exactly what was sent.

Technorati tags: Privacy :: Personal Information :: incident :: Credit Card

Labels: information breaches

Michael Geist's weekly LawBytes column is about the Risks and Rewards of Data Retention.

Labels: information breaches, retention

Adam Fields' blog has a good post about the "big fuss" over IP addresses, which is particularly relevant in light of the fight over search logs and subpoenas from the US Department of Justice:

Adam Fields (weblog) - What's the big fuss about IP addresses?:

Given the recent fuss about the government asking for search terms and what qualifies as personally identifiable information, I want to explain why IP address logging is a big deal. This explanation is somewhat simplified to make the cases easier to understand without going into complete detail of all of the possible configurations, of which there are many. I think I've kept the important stuff without dwelling on the boundary cases, and be aware that your setup may differ somewhat. If you feel I've glossed over something important, please leave a comment.

First, a brief discussion of what IP addresses are and how they work. Slightly simplified, every device that is connected to the Internet has a unique number that identifies it, and this number is called an IP address. Whenever you send any normal network traffic to any other computer on the network (request a web page, send an email, etc...), it is marked with your IP address....

I don't think there can be much doubt that an IP address is "personal information" for the purposes of PIPEDA or the Personal Information Protection Acts of BC and Alberta, particularly as it appears in a server log. The information does not have to "identify" an individual, but must be "information about an identifiable individual". George Radwanski, when he was federal Privacy Commissioner held, in Case Summary #25, that a PC's NetBIOS information is "personal information" for the purposes of PIPEDA because it can lead to iformation that is traceable to an identifiable individual. Whether that interpretation would hold up in court is debateable, but any business in Canada should proceed on the assumption that a user's IP address is their personal information.

Technorati tags: IP address :: privacy :: tracking :: logs :: retention :: personal information

Labels: alberta, information breaches, ip address, privacy, retention

The Ontario Privacy Commissioner is up in arms over the growing requirement that citizens hand over their ID and get entered into police databases to engage in entirely legal conduct, such as sell used stuff to second-hand stores. According to the Toronto Star, the Commissioner has made inquiries after hearing of a new bylaw in Oshawa that would require those selling to pawn shops to provide three pieces of government-issued ID (I'm not sure I even have three pieces of government-issued ID). All the information is entered into a database that is handed over to the local police, along with the photo of the vendor.

Here's the gist:

TheStar.com - Database on goods sold angers privacy watchdog

The privacy commissioner says she was spurred to investigate after reading a Toronto Star story about a legal battle between the 24-store franchise chain Cash Converters Canada Inc. and the City of Oshawa.

"It opened my eyes to all this stuff that was going on," says Cavoukian. "From privacy perspective this is extremely invasive, and who pays the price for this erosion of rights? It's the average lay person; you and I. The people contemplating crimes, selling (stolen) goods to these shops, are going to learn of this and they are going to use fake ID."

On Monday, Cash Converters asked the Superior Court of Justice to quash amendments to an Oshawa bylaw that would require it to send clients' personal information in electronic format to Durham Regional Police Services, and to pay Oshawa up to $1 per transaction to cover the cost of storing and inspecting data. (A lawyer for the city says Oshawa has no contract yet with BWI to store data.)

Justice Edward P. Belobaba reserved judgment on Monday after lawyer David Sterns presented his multi-pronged attack on the bylaw, but the judge promised a ruling shortly.

He warned Sterns he was not impressed by the argument that a municipality does not have constitutional authority to help police enforce the criminal code offence of possession of stolen property.

The court received a factum from the Ministry of the Attorney General in support of Oshawa's authority, within the umbrella of provincial responsibility, to raise a barrier to criminals and protect local shop owners and their customers from acquiring stolen property, a criminal offence. Belobaba spent more time exploring the arguments that Oshawa would be collecting an improper tax if it collected an unsupported fee per transaction that could cost the local Cash Converters franchisee more than $8,000 a year.

After some discussion, Belobaba also heard Stern's argument that the bylaw would force shop owners to breach federal and provincial privacy laws that require informed consent about the use of private information.

Cavoukian said she is only at the preliminary stages of exploring her concerns about privacy in second-hand shops. She said she sent letters by courier to Oshawa's mayor, clerk and director of legal services on Wednesday.

Oshawa's bylaw will require local shops to request three pieces of government identification from customers selling used goods, including one with a photograph. Shops would then have to copy the photograph digitally, and send it electronically to the police along with a description of the goods sold, the seller's name, address and telephone number, gender, birth date and approximate height.

"Where is (their) legal authority to collect this information?" asks Cavoukian, who reports directly to the speaker of the provincial legislature. "I want them to demonstrate this to me."

Previously, Oshawa shop owners were only required to keep paper record of the names, addresses and a description of customers who sell goods, to make it available to police for inspection, and to report daily to police on items purchased.

Cavoukian says it's one thing for a shop to acquire your personal information in order to stay in touch, or for the police to collect information if you have done something wrong. But she says it's quite another thing for police to get your information if you are just trying to get rid of some clutter around the house.

"Once it gets on a police database, do you really think it's going to get destroyed?" she asks rhetorically. "In this day and age, you don't want your name and address improperly in any database. It could potentially be harmful out of context."

Technorati tags: Privacy :: Ontario :: Pawnshops

Labels: information breaches, ontario

According to the Associated Press, the Government of Rhode Island's online services website has been hacked, leading to the compromise of up to 53,000 credit card numbers. Check it out: SignOnSanDiego.com > News > AP News.

Thanks to Techdirt for the link: Techdirt:Will The Government Now Fine Itself For Leaking Credit Card Data?.

Technorati tags: Privacy :: Personal Information :: incident :: Government :: Hackers :: Credit Card

Labels: information breaches

After the soon-to-be Prime Minister, Stephen Harper, was spotted at an Ottawa hospital overnight, there is some discussion in the media about how much privacy a Canadian politician can expect. In this day and age, the answer is likely less and less.

Check out The Globe and Mail: We get more info about George Bush's health than our own leaders' and Harper's aides vow to be more open about his health.

Technorati tags: Privacy :: Health :: Canada :: politics :: Stephen Harper

Labels: information breaches

The New York Times, in the last couple of days, put out a special outlook section on technology that includes two interesting articles on privacy and technology. Check 'em out:

• A Growing Web of Watchers Builds a Surveillance Society - New York Times
• The New Security: Cameras That Never Forget Your Face - New York Times

Technorati tags: Privacy :: Technology :: Surveillance

Labels: information breaches, surveillance

Thanks to Bruce Schneier for leading me to this great RFID Cartoon.

It's funny because it's true.

Labels: humour, information breaches, rfid, schneier

The latest fuss over MSN and Yahoo! handing over information to the US Department of Justice spurred on the Ponemon Institute to find out what ordinary internet users know about their own personal data trail. Well, 77% have no clue that companies like Google collect information that can be traced back to them.

The obvious lesson from this? Internet users are, on average, clueless.

But what does that really mean to your business? Don't assume they are savvy enough to know what information your organization collects, uses and discloses. Implied consent is, in many cases, a fallacy because you simply cannot assume that they know what's going on. You need to tell them. And, in my experience, the more open, honest and forthright you are, the more otherwise suspicious customers will trust you. It's strange, but true.

See The Register's summary of the survey: 77% of Google users don't know it records personal data.

Technorati tags: Privacy :: Surveys.

Labels: google, information breaches, privacy

The FTC has imposed a record-breaking $10 million dollar penalty on ChoicePoint after the very high-profile incident that saw criminals obtain the personal information of 163,000 Americans. The FTC also ordered that the company pay an additional $5 million to compensate affected individuals.

This one incident has cost the company untold millions. They have paid lawyers, consultants, paid for credit monitoring for each affected individual, paid to deal with the investigation, paid to deal with the media, their share value has tanked and is only just recovering. I don't really think there is a better example for the proposition that bad security and bad privacy are bad for business.

Check out the FTC press release:

Choicepoint Settles Data Security Breach Charges; to Pay $10 Million in Civil Penalties, $5 Million for Consumer Redress:

For Release: January 26, 2006

Choicepoint Settles Data Security Breach Charges; to Pay $10 Million in Civil Penalties, $5 Million for Consumer Redress

At Least 800 Cases of Identity Theft Arose From Company’s Data Breach

Consumer data broker ChoicePoint, Inc., which last year acknowledged that the personal financial records of more than 163,000 consumers in its database had been compromised, will pay $10 million in civil penalties and $5 million in consumer redress to settle Federal Trade Commission charges that its security and record-handling procedures violated consumers’ privacy rights and federal laws. The settlement requires ChoicePoint to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, to establish and maintain a comprehensive information security program, and to obtain audits by an independent third-party security professional every other year until 2026.

“The message to ChoicePoint and others should be clear: Consumers’ private data must be protected from thieves,” said Deborah Platt Majoras, Chairman of the FTC. “Data security is critical to consumers, and protecting it is a priority for the FTC, as it should be to every business in America.”

ChoicePoint is a publicly traded company based in suburban Atlanta. It obtains and sells to more than 50,000 businesses the personal information of consumers, including their names, Social Security numbers, birth dates, employment information, and credit histories.

The FTC alleges that ChoicePoint did not have reasonable procedures to screen prospective subscribers, and turned over consumers’ sensitive personal information to subscribers whose applications raised obvious “red flags.” Indeed, the FTC alleges that ChoicePoint approved as customers individuals who lied about their credentials and used commercial mail drops as business addresses. In addition, ChoicePoint applicants reportedly used fax machines at public commercial locations to send multiple applications for purportedly separate companies.

According to the FTC, ChoicePoint failed to tighten its application approval procedures or monitor subscribers even after receiving subpoenas from law enforcement authorities alerting it to fraudulent activity going back to 2001.

The FTC charged that ChoicePoint violated the Fair Credit Reporting Act (FCRA) by furnishing consumer reports – credit histories – to subscribers who did not have a permissible purpose to obtain them, and by failing to maintain reasonable procedures to verify both their identities and how they intended to use the information.

The agency also charged that ChoicePoint violated the FTC Act by making false and misleading statements about its privacy policies. Choicepoint had publicized privacy principles that address the confidentiality and security of personal information it collects and maintains with statements such as, “ChoicePoint allows access to your consumer reports only by those authorized under the FCRA . . . ” and “Every ChoicePoint customer must successfully complete a rigorous credentialing process. ChoicePoint does not distribute information to the general public and monitors the use of its public record information to ensure appropriate use.”

The stipulated final judgment and order requires ChoicePoint to pay $10 million in civil penalties – the largest civil penalty in FTC history – and to provide $5 million for consumer redress. It bars the company from furnishing consumer reports to people who do not have a permissible purpose to receive them and requires the company to establish and maintain reasonable procedures to ensure that consumer reports are provided only to those with a permissible purpose. ChoicePoint is required to verify the identity of businesses that apply to receive consumer reports, including making site visits to certain business premises and auditing subscribers’ use of consumer reports.

The order requires ChoicePoint to establish, implement, and maintain a comprehensive information security program designed to protect the security, confidentiality, and integrity of the personal information it collects from or about consumers. It also requires ChoicePoint to obtain, every two years for the next 20 years, an audit from a qualified, independent, third-party professional to ensure that its security program meets the standards of the order. ChoicePoint will be subject to standard record-keeping and reporting provisions to allow the FTC to monitor compliance. Finally, the settlement bars future violations of the FCRA and the FTC Act.

This case is being brought with the invaluable assistance of the U.S. Department of Justice and the Securities and Exchange Commission.

The Commission vote to accept the settlement was 5-0.

NOTE: A stipulated final judgment and order is for settlement purposes only and does not constitute an admission by the defendant of a law violation. Consent judgments have the force of law when signed by the judge.

Also check out:

• FTC imposes $10M fine against ChoicePoint for data breach - Computerworld
• FTC fines ChoicePoint over data breach
• Security Fix - Brian Krebs on Computer and Internet Security - (washingtonpost.com)
• U.S. Settles With Company on Leak of Consumers' Data - New York Times

Technorati tags: Privacy :: Security :: Choicepoint :: Identity Theft :: FTC

UPDATE: Added NYT link (20060127)

Labels: choicepoint, identity theft, information breaches

From today's New York Times:

Ameriprise Loses Data on 230,000 Customers and Advisers - New York Times

Ameriprise Financial, the investment advisory unit spun off from American Express last year, said today that lists with the personal information of about 230,000 customers and financial advisers were potentially exposed to fraud.

The breach occurred in late December after a company laptop was stolen from an employee's car. It contained lists of reassigned customer accounts that were being stored unencrypted on a computer in violation of Ameriprise's rules.

The information on the laptop included the names and Social Security numbers of more than 70,000 current and former financial advisers and the names and internal account numbers of about 158,000 customers. The data was being stored in separate lists, but it is possible that there could be some overlap between the two.

Andy MacMillan, an Ameriprise spokesman, said that it was unlikely the thief knew that the customer and employee data were being stored on the laptop and the risk of "any data being used or discovered is very low." He said no other personal information was exposed.

Labels: identity theft, information breaches, laptop

The Information and Privacy Commissioner of Alberta has just chastised a large retailer for reselling a computer without wiping the hard-drive. You've got to have a policy and consistent practices. The retailer has promised to address this issue in every province in Canada, not just Canada. See: Investigation Report P2006-IR-001.

Technorati tags: Privacy :: Personal Information :: Alberta :: PIPA.

Labels: alberta, information breaches, pipa

Google's mantra apparently is "don't be evil". While Google has been generally applauded around the blogosphere for fighting the subpoena from the Department of Justice for search records, there are also a number of folks who are concerned that Google's privacy practices are less than transparent.

The general public are paying much more attention to the privacy practices of companies, particularly as government agencies are getting more and more inquisitive about records that are maintained by the private sector. In Europe, for example, governments are requiring companies to keep records for much longer than usual on the hope that they'll come in handy for tracking down terrorists (and file-sharers) (EU Data Retention Directive). Right now, MSN and Yahoo! are in the crosshairs for handing over data to the US Department of Justice. MSN has even posted its own defence of their cooperation with the US government (see: The Canadian Privacy Law Blog: Microsoft responds to subpoena controversey). Recently in Canada, a number of internet service providers went to great expense to resist handing over customer information in the face of the recording industry's demands (see: The Canadian Privacy Law Blog: The new test for disclosure of identities after BMG v John Doe).

How can companies avoid being drawn into this no-win situation? It is incredibly simple (and happens to be the law in Canada):

1. Don't collect any information that you do not need

If you don't need information that is personally indentifiable for your legitimate business purpose, simply do not collect it.

2. Don't keep any personally identifiable information that you do not need

If you no longer need information in personally indentifiable form, don't keep it. Or if the information is still of use, don't keep it in personally identifiable form. Remove all identifiers. Irretrievably sever the link between the data and the individual. Aggregate it. Whatever you need to do, do it.

Being the custodian of information about identifiable individuals carries risk. It can be stolen. It can be hacked. It can be mis-used. It can be lost. And, it can be the subject of a subpoena. In the former examples, it can render a company subject to liability for any losses suffered by the individual. In the latter case, you can either fight disclosing the data or you can deal with the adverse publicity that may ensue.

In short, if you don't want to look like a stooge for the authorities or zealous litigants, or you don't want to pay the legal fees associated with fighting the disclosure request, don't keep the information in the first place. If you don't need it, don't collect it. If you no longer need it, get rid of it. (Securely, of course.)

Technorati tags: Privacy :: Google :: Search Engines :: Subpoena :: Data Retention :: PIPEDA :: how-to.

Labels: google, information breaches, privacy, retention

As evidence of the increasing concerns of internet users about their privacy, the New York Times is running a piece of the growing popularity of software that protects online privacy: Privacy for People Who Don't Show Their Navels - New York Times.

Technorati tags: Privacy :: Anonymity.

Labels: information breaches

The University of Notre Dame is investigating a server hacking that may have exposed confidential information related to an unreported number of donors to the university. See: University of Notre Dame investigating server hack - Computerworld.

Technorati tags: Privacy :: University :: Hacking :: Donors

Labels: information breaches

Computerworld is reporting that T-Mobile is following Cingular's suit by seeking an injunction against call record dealers. See: T-Mobile seeks halt to cell phone record sales - Computerworld

Technorati tags: Privacy :: Security :: Phone Records.

Labels: information breaches

Search Engine Watch's blog has a very interesting article on the digital tracks that search engine users leave behind. Check it out: Protecting Your Search Privacy: A Flowchart To Tracks You Leave Behind.

Technorati tags: Privacy :: Search Engines.

Labels: information breaches

Paul McNamara in Network World writes about how companies that sell phone records get the info. Apparently, many use the little info they collect to get a fuller profile on ChoicePoint or Lexis. With all that info, they can fool customer service reps into believing they are dealing with the actual customer. Some use corrupt phone company employees, some of whom advertise their availability on websites frequented by the record brokers. Check it out: How phone records are stolen

Technorati tags: Privacy :: Security :: Phone Records.

Labels: choicepoint, information breaches

Michael Zimmer is passing along an announcement that Verizon is planning to offer a GPS tracking service, presumably to keep track of one's kids. Or others. "Hi honey, I got you a new phone ..."

Check it out: michaelzimmer.org - Verizon Plans GPS Tracking Service.

Technorati tags: Privacy :: Tracking :: Location-based :: Cellular :: GPS.

Labels: information breaches

MSN Search's WebLog : Privacy and MSN Search

Over the summer we were subpoenaed by the DOJ regarding a lawsuit. The subpoena requested that we produce data from our search service. We worked hard to scope the request to something that would be consistent with this principle. The applicable parties to the case received this data, and the parties agreed that the information specific to this case would remain confidential. Specifically, we produced a random sample of pages from our index and some aggregated query logs that listed queries and how often they occurred. Absolutely no personal data was involved.

With this data you:

CAN see how frequently some query terms occurred.

CANNOT look up an IP and see what they queried

CANNOT look for users who queried for both “TERM A” and “TERM B”.

At MSN Search, we have strict guidelines in place to protect the privacy of our customers data, and I think you’ll agree that privacy was fully protected. We tried to strike the right balance in a very sensitive matter.

Now that you have more information, you can be the judge.

Thanks to beSpacific for the link: beSpacific: MSN Blog Post Explains Search Data Provided to DOJ.

Technorati tags: Privacy :: Privacy :: Search Engines :: Department of Justice :: Microsoft :: MSN

Labels: information breaches

Engadget is pointing to an intersting service from the UK that appears to let you track the cell phone of your employee, spouse, mistress, next victim, etc. via a handy Google maps internet interface.

World Tracker turns anyone into a cellphone spy - Engadget:

Forget those piddly wiretaps. The next frontier in warrant-free surveillance is upon us, and it's open to everyone. A UK service called World Tracker apparently uses cell tower data (or GPS, when available) to track the location of just about any GSM cellphone. Just enter the number you want to track into the service's handy Google Maps-based interface, and you'll be able to zoom in on the device's location, with accuracy somewhere between 50 and 500 meters. The first time you try to track a phone, a text message is sent to the owner, who must reply in order to enable tracking (we'll leave it to you to figure out how to work around this if you need to track a spouse, kid or employee). The service is currently compatible with O2, Vodafone, Orange and T-Mobile in the UK, and has plans to expand to other markets including Germany, Spain, Norway and the US. If, that is, privacy advocates don't shut it down first.

I checked out the site. The most appealing bit is the ability to be alerted when your loved one has strayed beyond the "geo fence" that you've set for her. Sign me up.

Hmm. What'll they think of next?

And if they have any expansion plans into Canada, they'll need to know that location based information is personal information and -- thanks to PIEPDA and PIPA -- it can only be collected and disclosed with consent.

Technorati tags: Privacy :: Tracking :: Location-based :: Cellular :: GPS

Labels: google, information breaches, pipa, privacy, surveillance

The state of Missouri, through its Attorney General, has filed for a temporary restraining order against Data Find Solutions Inc. and 1st Source Information Specialists to prevent them from selling calling records. This follows in the footsteps of a similar application made in another court by Cingular. See: Kansas City Star 01/21/2006 State tries to protect cell-phone records.

Technorati tags: Privacy :: Security :: Phone Records :: Cingular :: Missouri.

Labels: information breaches

Today's Vancouver Sun is running a rather lengthy article on Canadian angle of the current "phone records for sale" controversey. It covers a number of important points, starting with the unsettling reality that Canadian privacy laws are currently impotent when it comes to how companies outside Canada deal with the personal information of Canadians. Michael Geist make the point pretty strongly. The author also intereviewed reps from Bell Canada and Telus, all of whom say that security is being beefed up in light of the attention this is getting. See: Privacy laws not protecting phone records.

Technorati tags: Privacy :: Security :: Phone Records :: Canada

Labels: information breaches

Off topic, but ...

This past week, a colleague and I gave a presentation on blogs and blogging to the Halifax Association of Law Librarians. We covered the usual topics, including an overview of some of the good legal blogs out there, RSS, aggregators, etc.

But I also talked about an issue that has been a concern to me since I started this blog but I really haven't heard any discussion of it among the dozens of legal blogs that I follow: conflicts and blogging. Legal ethics say that a lawyer can't reveal the identity of a client or do anything that may be prejudicial to a client, except with the client's consent. See Rule 22 of the Nova Scotia Legal Ethics and Professional Conduct Handbook.

In this blog, I usually post about articles and incidents of interest that have a privacy angle. If I see an article or another blog post that deals with privacy, I'll post a link to it. I hope that this blog is "one stop shopping" for everything of interest related to Canadian privacy law. But it simply can't be. From time to time, a story hits the media that involves a client of my firm. Also, from time to time, I'll get a call from someone in the media asking to comment on a privacy story that involves a client. I always decline to link to the story or to make the comment. Unless I have the client's OK. (Which I've gotten from time to time, particularly if the result of the matter is public knowledge.)

It is a real challenge and something to be very mindful of. I work in a firm with almost 200 lawyers, with six offices in four jurisdictions. We also are Atlantic Canadian counsel to many of the largest companies operating in North America. Our securities group does agency work on behalf of loads of public companies that require registration in Atlantic Canada. If a lawyer in one of our New Brunswick offices does work for the Canadian subsidiary of a huge insurance company, that company is a client and I have to keep my mouth shut. Even if it may be borderline or in a grey area, I have to err on the side of caution.

I would be very interested to hear the thoughts of other legal bloggers out there on this topic. I think this is an important topic that could bear some informed discussion.

UPDATE:

I solicited Alan Gahtan's thoughts on this subject, which he has posted on Gahtan's Technology and Internet Law Blog:

"My view is that lawyers who publish, whether through a blog or through more traditional print media, operate under a disability. They must not disclose client confidences and must not advocate a position that is contrary to their client’s interests. The magnitude of the disability is proportionate to the size of the firm that a particular lawyer practices with since conflicts are “shared” among the lawyers of a firm. It is less of a problem when the lawyer’s publishing activities involve ad hoc articles as opposed to the operation of a website or blog that tries to cover all developments in a particular area. I’m not a legal ethics expert but my view is that simply reporting other information that is already public should not create a legal conflict (although I can see that it could create a business conflict with a particular client). However, it does mean that the blogging lawyer will be limited in their ability to comment on a particular news item if such comment would be detrimental to the interest of a client of the firm. It likely also means that any third party comments will also need to be filtered so that they do not contain any content that is detrimental to any such client. "

I like the use of the term that we lawyers are blogging "under a disability." Our hands our tied and our lips are always sealed, but this isn't unique to the blogging environment. Lawyers always have very juicy gossip but have to keep their mouths closed at cocktail parties. Blogging lawyers also have to be mindful not to aliente present and prospective clients with their blog content. I try to be as even-handed and balanced as possible, with the minimum of personal and political opinion (which is distinct from professional opinion).

There have been a number of times when I've had to remain silent when clients have appeared in the news, even though I have no immediate knowledge of the incident (for example, if its US branch is in the news). There have also been cases when the clients have had positive privacy-related publicity, but it is not my place to speak for or about them without permission. But when it does not inovolve a client, I think I am free to link to public information even though my firm has clients in the same industry with similar business issues.

Thanks Alan, Rob, David and DP Thinker for the comments, above and below.

Technorati tags: legal ethics :: blogging :: blogs :: lawyers :: legal profession

Labels: information breaches, presentations, privacy

Rob Hyndman weighs in on the recent concerns over the ease with which some companies are able to get calling records from various phone companies:

robhyndman.com: ... What I find particularly troubling about pretexting is that it pulls back the covers on what must be profoundly lax security precautions taken by the phone companies, and suggests that they are still - even after all of 2005's controversy over poor data security - remarkably unconcerned with building data security in as a core value of their corporate cultures (quite apart from the obvious failure to build sensible data protection measures into business processes). At some point, data security just has to be recognized as a mission-critical obligation of these organizations, and there ought to be serious and punitive consequences if they are not up to this challenge. "

Technorati tags: Privacy :: Security :: Phone Records

Labels: information breaches, pretexting

I blogged earlier today that the US Department of Justice subpoenaed a huge amount of data on search requsts from Google. Google said no and is challenging the request in court (see: The Canadian Privacy Law Blog: US DOJ has subpoenaed Google's search records). It now turns out that the other major search engines handed over the data. See: Boing Boing: DoJ search requests: Google said no; Yahoo, AOL, MSN yes.

Technorati tags: Privacy :: Privacy :: Search Engines :: Department of Justice :: Google

Labels: aol, google, information breaches, privacy

First comes the publicity. Then comes the investigation. Then comes the lawsuit. Now, it's the Congress to the rescue: House chairman promises bill banning sale of phone logs - Computerworld. I will not speculate on what happens next.

Technorati tags: Privacy :: Security :: Phone Records :: Cingular.

Labels: information breaches

Rutgers University in New Jersey is joining the hundreds of universities that have already made the switch from Social Security Numbers to more random student ID numbers. See: New IDs prevent identity theft - University.

Technorati tags: University :: Privacy :: Personal Information :: Social Security Number

Labels: identity theft, information breaches

Health News Article Reuters.com

"In medical research there are thousands, if not tens of thousands, of unnecessary deaths occurring each year in the UK alone through the misinterpretation of these laws and guidelines," [Professor Rory Collins] added.

The same general argument has been raised by Canadian and US researchers about privacy laws in those countries.

Technorati tags: Privacy :: Data Protection :: Research

Labels: europe, information breaches, uk

The US Government is seeking to enforce a subpoena served on Google for a huge bit of the search giant's database. From the Mercury News:

MercuryNews.com 01/18/2006 Feds want Google search records:

"The move is part of a government effort to revive an Internet child protection law struck down two years ago by the U.S. Supreme Court. The law was meant to punish online pornography sites that make their content accessible to minors. The government contends it needs the Google data to determine how often pornography shows up in online searches.

In court papers filed in U.S. District Court in San Jose, Justice Department lawyers revealed that Google has refused to comply with a subpoena issued last year for the records, which include a request for one million random Web addresses and records of all Google searches from any one-week period."

Google didn't comply when the subpoena was issued in the first instance and is challenging the request in court on the grounds that it is invasive of privacy and would reveal trade secrets.

Thanks, Boing Boing: Boing Boing: DoJ demands user search records from Google.

Technorati tags: Privacy :: Privacy :: Search Engines :: Department of Justice

Labels: google, information breaches, privacy

In the ongoing saga over sales of phone records, Mobile Mag and others are reporting that Cingular Wireless has obtained a temporary restraining order against two vendors of customer calling records. See: Cingular Wireless gets TRO against mobile phone record sites and destinationCRM.com: Cingular Wireless Battles 'Data Burglars'.

Technorati tags: Privacy :: Security :: Phone Records :: Cingular.

Labels: information breaches

According to the Washington Post, the FCC has begun an investigation into the widely-reported sales of confidential phone records. Interesting what happens when these issues get loads of publicity.

See: FCC Probes Selling of Cell Phone Records

Technorati tags: Privacy :: Security :: Phone Records.

Labels: information breaches

After last week's fuss about iTunes reporting back to Apple about users music libraries (see: The Canadian Privacy Law Blog: Is iTunes reporting your listening back to the mothership?), Apple is now doing what it should have done in the first place. It is telling users what it wants to do and is asking for their OK. Check out Boing Boing: Apple changes iTunes, now obtains consent before collecting info.

Businesses that want to collect information about their users and those who want to provide features that require information from their users must be transparent about what they are doing and why. This reminds me of the expression that "it is not the crime, but the coverup." Consumers want to trust the companies they deal with. They expect to know what's going on. If they don't, consumers assume the worst and the suspicion snowballs. Consumers fall into three groups: those who don't care about privacy, those who care about privacy but will trade personal information for value or convenience, and those who are borderline paranoid. Other than the tinfoil hat, they are hard to tell apart but the middle group is the majority. If a company is transparent, accountable and appears to be honest, the first two groups will trust it with personal information. The latter group will never be happy, but if you are transparent they will just not use your product. If you aren't, they will be very loud with their suspicions. Even a company as trusted as Apple can have the paranoid descend on them and the middle-of-the-road types voice suspicions.

Moral of the day: be open and transparent from the beginning and you'll have many more satisfied customers.

Technorati tags: iPod :: iTunes :: privacy :: apple :: Media Player :: MiniStore

Labels: information breaches

Adam Shostack at Emergent Chaos takes a look at what is actually encoded on hotel room key cards: Emergent Chaos: Hotel Room Keys. There are a number of urban legends floating around, suggesting that loads of personal information is hidden in the mag strip.

Technorati tags: Privacy :: Key Cards :: Mag Stripes

Labels: information breaches

Thank you to a loyal reader who brought this case to my attention.

The Ontario Superior Court of Justice recently had an opportunity to consider whether you can sue for an alleged invasion of privacy in Ontario. More accurately, the Court considered whether you can even try to sue on this basis. In Somwar v. McDonald's Restaurants of Canada Ltd., 2006 CanLII 202 (ON S.C.), Stinson J. considered a defendant's application to strike a plaintiff's claim for invasion of privacy. The defendant argued that it disclosed no reasonable cause of action.

In the result, the Court let the plaintiff's pleading stand. This does not meant that there is or is not an independent tort of invasion of privacy, but it does suggest that the courts in Ontario will at least hear the plaintiff out.

The facts in this case involve an employer who carried out a credit check on an employee without the employee's knowledge or consent. The plaintiff sued. Because the courts of Ontario have gone both ways on whether you can sue for this, the plaintiff was not thrown out of court.

Stinson J. had some interesting things to say:

Is it fully settled in the jurisprudence that there is no common law tort of invasion of privacy?

[8] I begin my analysis with this question for the simple reason that if the answer is "yes" that is the end of the plaintiff's case.

[9] In a law review article written in 1960, the leading American torts scholar, William Prosser, listed four distinct kinds of invasion of privacy interests as follows: (i) intrusion upon the plaintiff’s seclusion or solitude, or into his private affairs; (ii) public disclosure of embarrassing private facts about the plaintiff; (iii) publicity which places the plaintiff in a false light in the public eye; and (iv) appropriation, for the defendant’s advantage, of the plaintiff’s name or likeness: see William L. Prosser, “Privacy” (1960) 48 Cal. L. Rev. 383 at 389. Although Dean Prosser's article was intended as an overview of the American jurisprudence in this area, his analytical framework is helpful in trying to understand the approaches taken by Canadian courts when dealing with these types of claims.

[10] The complaint in the case at bar concerns the conduct of a credit bureau check on an employee by his employer, without the employee’s consent. This complaint falls within Prosser’s first category of invasion of privacy, i.e. “intrusion upon the plaintiff’s seclusion or solitude, or into his private affairs.” Prosser further described such intrusion as follows:

• there must be something in the nature of prying or intrusion;
• the intrusion must be something which would be offensive or objectionable to a reasonable person;
• the thing into which there is prying or intrusion must be, and be entitled to be, private; and
• the interest protected by this branch of the tort is primarily a mental one. It has been useful chiefly to fill in the gaps left by trespass, nuisance, the intentional infliction of mental distress, and whatever remedies there may be for the invasion of constitutional rights.

[11] In The Law of Torts in Canada, 2nd ed. (Toronto: Carswell, 2002) G.H.L. Fridman discussed different classifications of torts and observed that courts, in the limited circumstances where damages are awarded for “invasion of privacy”, tend to treat such invasion as an intentional tort. At pp. 20-21 he wrote:

Acceptance by the courts … of the possibility of liability for certain kinds of “invasion of privacy,” limited though this may be, suggests that the courts are groping their way towards the idea that, where one person acts in a manner that is known and intended to be injurious to another, liability should ensue, even though no nominate tort such as … intimidation, trespass, or defamation, has been committed, unless the circumstances reveal that there was what can be accepted as a lawful reason, justification or excuse for the perpetration of the act and the infliction of the harm.

[12] Based on Prosser’s description of intrusion of privacy interests and Fridman’s observations on treatment of “invasion of privacy” by courts, I conclude that the plaintiff’s complaint concerning the invasion of his privacy could be categorized as an intentional tort.

[13] The potential existence of a common law intentional tort of invasion of privacy has been discussed on various occasions in the jurisprudence of the courts of Ontario. Many of these cases involved intrusion into the plaintiff's seclusion or private affairs and thus fall within Prosser's first category of invasion of privacy interests.

[14] In Capan v. Capan, [1980] O.J. No. 1361 (H.C.J.), the plaintiff commenced an action against her husband for damages for continuing mental and physical harassment and invasion of privacy. The defendant allegedly stalked the plaintiff during a separation, harassed her with persistent telephone calls at home and at her work place, and forced his way into her apartment. The defendant moved to strike out the plaintiff’s statement of claim based on the absence of a reasonable cause of action. Osler J. dismissed the motion stating (at paras. 14-15):

What is complained of here is, in its very essence, an abuse of personal rights to privacy and to freedom from harassment. … [I]t has not been demonstrated that the rights referred to will not be recognized by our courts nor that their infringement will not found a cause of action. In my view, it would not be right, on a motion of this kind, for the court to deprive itself of the opportunity to determine, after hearing the evidence, whether such right exists and whether it should be protected.

[15] In Saccone v. Orr (1981), 34 O.R. (2d) 317 (Co. Ct.), the defendant recorded a private telephone conversation with the plaintiff without the plaintiff’s consent. The defendant then played the tape at a municipal council meeting. A transcript of the tape was subsequently published in a local newspaper. The court rejected the defendant’s argument that no tort of invasion of privacy existed in Ontario common law. Jacobs Co. Ct. J. said:

[I]t’s my opinion that certainly a person must have the right to make such a claim as a result of a taping of a private conversation without his knowledge, and, as against the publication of the conversation against his will or without his consent. Certainly, for want of a better description as to what happened, this is an invasion of privacy and despite the very able argument of defendant’s counsel that no such action exists, I have come to the conclusion that the plaintiff must be given some right of recovery for what the defendant has in this case done.

[16] In Roth v. Roth reflex, (1991), 4 O.R. (3d) 740 (Gen. Div.), the court held that the defendants’ acts such as locking a gate on an access road, interfering with and blocking the use of the road by the plaintiffs in getting to and from their cottage, and removing a shed, pump and dock with the concomitant shutting off of electricity in the plaintiffs’ cottage at a time when they were not there constituted a harassment of the plaintiffs in the enjoyment of their property. Mandel J. also found that the defendants’ actions amounted to an invasion of the plaintiffs’ privacy. He further rejected the view that privacy flowed from property rights. He wrote (at p. 758):

In my view, whether the invasion of privacy of an individual will be actionable will depend on the circumstances of the particular case and the conflicting rights involved. In such a manner the rights of the individual as well as society as a whole are served.

It is also noteworthy that Mandel J. reached the foregoing conclusion after he observed that there is no legislated remedy for invasion of privacy in Ontario, unlike some other provinces.

[17] In Lipiec v. Borsa, [1996] O.J. No. 3819 (Gen. Div.), the defendants’ counterclaim against the plaintiffs was based on nuisance and trespass. The plaintiffs and the defendants were owners of adjoining residential properties. The court found that the plaintiffs had greatly reduced the defendants’ enjoyment of their property by removing the fence between the two properties and erecting a commercial type surveillance camera aimed at the defendants’ yard. McRae J. noted that intentional invasion of privacy had been recognized as actionable in Ontario in several cases. He found that there was intentional invasion of the defendants’ right to privacy and awarded damages to the defendants.

[18] In Tran v. Financial Debt Recovery Ltd., [2000] O.J. No. 4293 (S.C.J.) (reversed on other grounds, [2001] O.J. No. 4103 (Div. Ct.)), the plaintiff had outstanding student loans. Employees of the defendant debt collection agency began calling the plaintiff about the loan, several times an hour, at work. The plaintiff disputed the amount outstanding, but he was never provided with particulars. Despite the plaintiff’s request to be contacted at home, the defendant’s employees continued to call him at work. The court found that the defendant had invaded the plaintiff’s privacy by placing repeated and vexatious calls to the plaintiff’s place of employment. Molloy J. awarded damages to the plaintiff for the torts of defamation, intentional interference with economic interests, intentional infliction of emotional suffering, and invasion of privacy.

[19] Other cases in which trial judges have found liability based on invasion of privacy falling within Prosser's first category include Garrett v. Mikalachki, [2000] O.J. No. 1326 (S.C.J.) and Rathmann v Rudka, [2001] O.J. No. 1334 (S.C.J.).

[20] The courts of Ontario have not been unanimous concerning the existence of a common law tort of invasion of privacy. In Haskett v. Trans Union of Canada Inc. (2001), 10 C.C.L.T. (3d) 128 (Ont. S.C.J.), aff'd 15 C.C.L.T. (3d) 194, (Ont. C.A.), the plaintiff alleged that the defendant credit-reporting agencies had unlawfully included his pre-bankruptcy debts in consumer reports and incorrectly reported them as collectible debts. He sought to bring a class proceeding against the defendants for damages based on breach of fiduciary duty, invasion of privacy, and negligence. The defendants moved to strike the statement of claim on the ground that it did not disclose a reasonable cause of action. With respect to invasion of privacy, Cumming J. found that it was plain and obvious that the complaint of wrongful inclusion of inaccurate information in a credit report did not amount to a reasonable cause of action in tort. Cumming J. quoted with approval from Professor Klar in his text Tort Law (Toronto: Carswell, 1991) where he stated at p. 56 as follows:

Despite some encouraging suggestions from a few courts, it would be fair to say that the Canadian tort law does not yet recognize a tort action for invasion of privacy per se. Rather “privacy” rights have been protected under the umbrella of other traditional tort actions, and by legislative interventions.

Cumming J. acknowledged, however, that “more recently, there has been some recognition of invasion of privacy as an embryonic tort where there is harassing behaviour or an intentional invasion of privacy.” [Emphasis added.] On appeal, the appellant limited his claimed cause of action to negligence. Thus, the Court of Appeal did not address the ruling of the motion judge with respect to the issue of invasion of privacy.

[21] In T.W. v. Seo, [2003] O.J. No. 4277 (Ont. S.C.J.) (varied on other grounds at [2005] O.J. No. 2467 (C.A.)), the defendant was an ultrasound technician who videotaped the plaintiff while she was in the change room. The plaintiff’s claim included a claim for damages based on the tort of invasion of privacy. Siegel J. refused to put any questions to the jury relating to this cause of action as he found that “insofar as a common law tort of invasion of privacy was recognized in Canada, it did not extend to these facts.”

[22] In light of the trial decisions listed in this brief survey of Ontario jurisprudence, and the absence of any clear statement on the point by an Ontario appellate court, I conclude that it is not settled law in Ontario that there is no tort of invasion of privacy.

Is it plain and obvious that the plaintiff’s action cannot succeed, or despite the novelty of the cause of action, is there a chance that the plaintiff might succeed?

...

[28] Provinces such as British Columbia, Manitoba, Newfoundland, and Saskatchewan have created a statutory tort of invasion of privacy. See John D.R. Craig, “Invasion of Privacy and Charter Values: the Common-Law Tort Awakens” (1997) 42 McGill L.J. 355, footnote 2. In Quebec, s. 5 of the Charter of Human Rights and Freedoms, R.S.Q., c. C-12, which provides that “every person has a right to respect for his private life”, is directly enforceable between citizens. In Ontario, however, there is no statutory remedy for unreasonable intrusion into an individual’s private affairs.

[29] With advancements in technology, personal data of an individual can now be collected, accessed (properly and improperly), and disseminated more easily than ever before. There is a resulting increased concern in our society about the risk of unauthorized access to an individual’s personal information. The traditional torts such as nuisance, trespass, and harassment may not provide adequate protection against infringement of an individual’s privacy interests. Protection of those privacy interests by providing a common law remedy for their violation would be consistent with Charter values and an "incremental revision" and logical extension of the existing jurisprudence.

[30] Such a development in the common law has been viewed as appropriate by many legal commentators: see, for example, the articles by Bell, and Craig, supra. Bell wrote (at p. 235):

The emerging social realities of twenty-first century life in Canada include the use of technology that “increasingly facilitates the circulation and exchange of information”, cellular phones that can be used to take photographs, and the seemingly ever-increasing desire by the public at large for media stories, to name but a few examples. A broad embracement of a common law tort of invasion of privacy would reflect an updating of the common law to reflect these emerging social realities….

[31] Even if the plaintiff's claim for invasion of privacy were classified as "novel" (which, in any event, is not a proper basis for dismissing it) the foregoing analysis leads me to conclude that the time has come to recognize invasion of privacy as a tort in its own right. It therefore follows that it is neither plain nor obvious that the plaintiff's action cannot succeed on the basis that he has not pleaded a reasonable cause of action.

UPDATE: Check out Michael Fitzgibbon's post on this case, in which he offers some helpful comments on the test for striking out a pleading and on what this case may mean: Thoughts from a Management Lawyer: It's Alive (for now) The Tort of Invasion of Privacy in Ontario. (Added 20060118)

Technorati tags: Privacy :: Employees :: Privacy Law :: Credit Checks :: Torts :: Ontario

Labels: bc, information breaches, ontario, surveillance, tort

A recent survey by the NRF Foundation polled US consumers to see how much personal information consumers are willing to give up in exchange for benefits as part of loyalty programs. The results are interesting, since they show what information is considered most personal by consumers:

...While consumers do want to pledge their loyalty, retailers are going to have a tough time figuring out just how to build their allegiance. That's because consumers state they are only willing to share a small portion of the much needed personal information that retailers need to develop traditional loyalty programs. According to the study, the most acceptable information shoppers were willing to give retailers include their name (89.8%), e-mail address (78.1%), street address (60.7%), and past transactions (46.8%). Consumers were least likely to allow retailers to track weight (14.4%), income (12.5%), job title (12.1%), employer (10.9%) and net worth (8.2%).

The more intrusive a company wants to get, the greater value they have to provide. This also suggests that a company that wants a widely-adopted program will have to limit the information collected and provide assurances about how it will be protected and used.

Via CRM Today.

Technorati tags: Privacy :: Retail :: Loyalty Programs :: Personal Information

Labels: information breaches, loyalty cards, privacy, retail

Wired News is running an article by Kim Zetter on the sale of phone records. The article is notable because it discusses at least one of the tactics used by these "services" to get phone records:

Wired News: Devious Tactic Snags Phone Data

According to the suit, online cell-phone record vendors placed hundreds of thousands of calls to Verizon customer service requesting customer account information while posing as Verizon employees from the company's "special needs group," a nonexistent department. The caller would claim to be making the request on behalf of a voice-impaired customer who was unable to request the records himself. If the service representative asked to speak with the customer directly, the caller would impersonate a voice-impaired customer, using a mechanical device to distort his voice and make it impossible for the service representative to understand him -- a variant of a widely used social-engineering technique known as the "mumble attack."

Rob Douglas, a private investigator turned privacy activist, says federal authorities have known about the sale of private phone records since at least 1998 but have done little to address the problem. In the absence of federal action, phone companies have been resorting to civil lawsuits to prevent sellers from obtaining and selling records.

Technorati tags: Privacy :: Security :: Phone Records

Labels: information breaches

Ohio joins the growing list of American states that require notification of data breaches, effective February 17, 2006. See: Data-breach notification soon a matter of Ohio law - 2006-01-16.

Technorati tags: Privacy :: Privacy Law :: Security :: Breach :: Ohio

Labels: breach notification, information breaches

Michael Fitzgibbon at Thoughts from a Management Lawyer is blogging about a recent decision from New Jersey in which the court there held that employers have a duty to protect third parties from porn surfing employees. And "[n]o privacy interest of the employee stands in the way of this duty on the part of the employer." Interesting stuff. See: Thoughts from a Management Lawyer: Internet Surfing and the Workplace, who got it from Employee's Surfing Pornographic Web Sites At Work Land Employer In Hot Water WLF May it Please the Court Law Weblog.

Technorati tags: Privacy :: Workplace Privacy :: Porn :: Employment Law :: New Jersey

Labels: information breaches

Crown prosecutors in Nova Scotia have secured the conviction of Eugeniu Micolai Moldovan on 77 counts of fraud, stemming from a scam in which Moldovan and an accomplice placed a card skimmer and PIN reader on automated ticketing machines at a local movie megaplex. The accomplice previously pleaded guilty.

Credit for catching the scammers goes to a vigilant bank employee who noted a pattern of fraud and tipped off the Halifax police that the scammer would likely be at a particular movie theatre on a particular date. I wish I knew which bank or who the employee is to give proper credit.

The scammer used a card reader and a pin-pad overlay to catch both the mag stripe info and the customer's PIN. The hardware used was pretty good and users couldn't tell it was there.

Moldovan will be sentenced on February 16 and the Crown Prosecutor said he'd be seeking a lengthy sentence.

See: The ChronicleHerald.ca

Technorati tags: Privacy :: Card Skimming :: Fraud :: Credit Card :: Credit Card Fraud :: Debit Card :: Debit Card Fraud :: Nova Scotia

Labels: information breaches

Last June, I blogged about an incident in which a journalist reported that he had purchased personal information about British residents from the employee of an outsourcing operation in India (see: The Canadian Privacy Law Blog: Undercover UK reporter buys personal information from Indian call centre).

At the time, the UK Information Commissioner said that the banks involved may face prosecution under the Data Protection Act. Following an investigation by the Information Commissioner, it is now said that there is no evidence that any personal information was compromised and there will be no prosecution. (I am not sure if this means there was no evidence or they didn't find any evidence.)

The UK police also said that they did not have any jurisdiction to investigate and financial regulators didn't bother to investigate. Somewhat troubling was the statement at the time that "Our concerns are whether adequate security controls were in place but a determined fraudster is always going to get through."

See: UK banks escape punishment over India data breach - Law & Policy - Breaking Business and Technology News at silicon.com

Technorati tags: Privacy :: Outsourcing :: India :: United Kingdom :: Data Protection Act :: Data Protection

Labels: information breaches

Both the Information and Privacy Commissioners of Alberta and BC are sponsoring and participating in an upcoming conference in Calgary. As you can guess, "PIPA 2006: Customers, Employees & Privacy: An educational Forum for Business" is about business and the private sector privacy laws of both provinces. Check out the site, from Verney conference management: Personal Information Protection Act Conference 2006: April 26-27 2006, The Westin, Calgary, Alberta.

Technorati tags: Privacy :: Conference :: PIPA :: Privacy Law

Labels: alberta, information breaches, pipa

I expect we'll see some strong legislative action in the US to stop the sale of calling records if bloggers follow AMERICAblog's footsteps and buy the phone records of prominent Americans. AMERICAblog bought the phone records of General Wesley Clark, the former Supreme Allied Commander of NATO. They apparently did it to prove a point: "We wanted to see if it was possible to buy the phone records of someone high profile in order to prove that this is a problem with serious national security implications, and frankly, we didn't want to pick a Republican since we thought such a choice would be perceived as partisan or mean-spirited, and that is not our intent for exposing this. Our intent is to get this problem fixed so that we all can benefit." Check it out (and the hundreds of comments) here: AMERICAblog: Because a great nation deserves the truth.

Thanks to EPIC West for the link: EPIC West: Electronic Privacy Information Center West Coast Office: Blogger Buys General Clark's Cell Phone Records.

Technorati tags: Privacy :: Security :: National Security :: Phone Records

Labels: information breaches

If you were looking for evidence that some people take privacy pretty seriously, look no further than the situation that has befallen Cheryl Gallant, a Conservative candidate for Member of Parliament for Renfew-Nipissing-Pembrooke. A short while ago, I blogged about a fuss that has been kicked up after her constituency office sent birthday cards to constituency residents. It appeared that the only place that the MP's staffers could have gotten the citizens' birthdays was from passport applications processed through her office. At least two people were upset then (see: The Canadian Privacy Law Blog: Birthday Cards lead to investigation by the Privacy Commissioner).

The story continues: The candidate began her remarks at a recent debate by wishing everyone there a happy birthday. (Some in the audience booed the reference, though they might have been Liberal plants.) Her remarks have been taken as being a bit flippant.

ottawasun.com - Election - Gallant vows privacy probe

Asked if constituents' privacy was a joking matter, she said people have been complaining they didn't get a card, so she thought she'd simply send greetings to everyone at once.

On Monday, Gallant said, the number of people calling her office requesting cards crashed the office's phone system.

She intends to conduct a probe and said that although her office is not covered under the jurisdiction of the privacy commissioner, they've always conducted business as if it was.

"If one person can get so upset and make such a hullabaloo, we want to ensure no one else's feelings are hurt," she said.

"What we did was a courtesy, a gesture of kindness."

Deep River resident Leslie White, who has no affiliation to any political party, said her husband and mother both received birthday cards from Gallant last month. Both had recently had passports processed through Gallant's office. Other constituents have come forward with similar stories, including a 19-year-old man. Gallant couldn't explain how he came to get a card, but said they are sent out on request and most people are happy to get one.

"In the five years I've been a member of Parliament, two days into this election was the first time I had ever received a complaint about receiving a birthday card," Gallant said. "So I almost wonder if somebody gave us the referral and knew that she didn't like it and that it would put her off her rocker, so to speak."

Privacy is an emotional issue. Some people are very sensitive and are not shy about going to the press when they feel they've been "violated". What might have appeared to be a gesture of kindness on the part of the sender may be a very creepy experience for the recipient of the gesture. Anyone dealing with personal information or thinking about it has to keep in mind that privacy is a very sensitive issue for a lot of people and you should look at your proposed actions through the eyes of your most privacy sensitive customer. If it'll upset them, it probably is not worth doing since the fallout often consumes your energy and detracts from whatever beneficial effect you might have hoped for.

Technorati tags: Privacy :: Passport :: Politics :: Canada

Labels: information breaches

In the wake of the (ultimately false) report that the federales had visited a student becuase he requested Mao's Little Red Book (See: The Canadian Privacy Law Blog: Borrow the wrong book and get it personally delivered by the feds; and then The Canadian Privacy Law Blog: Story about feds visiting after request for Mao book is a hoax), the UMass Dartmouth and Penn libraries are trying to reassure patrons that their records are safe. In fact, they say that once you return the book you've checked out, the title is no longer connected to your borrowers' record. Check out the Daily Pennsylvanian: Checking out Mao? No need to worry.

Technorati tags: Privacy :: Libraries :: Security :: Personal Information :: Patriot Act.

Labels: information breaches, libraries, patriot act

The New York Times reports that Visa and Mastercard have been quietly meeting to discuss setting up an open standards body to set best pactices for the processing of electronic and payment card transactions. See: Credit Card Rivals to Unite in Data Protection Effort - New York Times.

Technorati tags: Privacy :: Credit Cards :: Electronic Payments :: Open Standards :: Security

Labels: information breaches

The Nova Scotia Auditor General released his report for 2005 in December. The fourth chapter is entitled Electronic Information Security and Privacy Protection.

In his report, he reviews the privacy and information security practices of a number of departments, including Justice and Community Services. He also touches upon the USA Patriot Act and its possible impact on the personal information of Nova Scotians. Data processing and information storage services for the province are provided by wholly-owned subsidiaries of American companies, which are undoubtedly subject to American laws. The province has carried out a study of the situation, but refused to provide it to the Auditor General, citing solicitor-client and cabinet privilege. In an interview by the Canadian Press, the provincial Minister of Justice hinted that Nova Scotia will be introducing a law in the spring sitting of the Legislature to mirror that passed by British Columbia to better protect personal information from being disclosed to foreign law enforcement.

Read the CP article here: N.S. auditor concerned citizens information could be leaked to U.S. agencies - Yahoo! News.

Technorati tags: privacy :: Patriot Act :: Nova Scotia :: privacy law.

Labels: bc, british columbia, information breaches, nova scotia, outsourcing, patriot act, piidpa, public sector

As reported here on Saturday (The Canadian Privacy Law Blog: Nova Scotia's FOIPOP Review Officer to step down), Nova Scotia's Freedom of Information and Protection of Privacy Review Officer will be stepping down from his post on January 23, 2006 when his term concludes. Today's Halifax Chronicle Herald reports on the retirement and mentions that Darce will not be disappearing into the sunset. He is planning to start a "Right to Know" coalition to educate people about access to information laws and to lobby for greater openness. See: Freedom of information protector leaving his post: Fardy plans to start citizens coalition called Right to Know

Technorati tags: privacy :: access to information :: nova scotia.

Labels: information breaches, public sector

Another bank data tape lost in transit on its way to a credit bureau. This time, it is People's Bank of Connecticut and the tape had the personal information of 90,000 customers. Check it out: Bank tape lost with data on 90,000 customers - Computerworld

Technorati tags: Privacy :: personal information :: incident :: bank

Labels: information breaches

Boing Boing passed along to its readers (Boing Boing: iTunes update spies on your listening and sends it to Apple?) a report that the latest version of Apple's iTunes is reporting back to Apple the music that users are listening to (see: since1968.com: iTunes Update: Apple's Looking Over Your Shoulder). This "feature" is via the MiniStore, which presents info about the performer whose song you are listening to and "other users also bought ..." information. The author was concerned that info about current listening was being passed back to Apple without telling users about it.

Other commentators have pointed out on Boing Boing that iTunes does not "phone home" if the MiniStore pane is closed.

This looks a lot like the feature in Windows Media Player which does something very similar, but I note that Microsoft at least asks you when you install if you mind having your info passed along to Microsoft. Apple the good doesn't look so good next to Microsoft.

Technorati tags: iPod :: iTunes :: privacy :: apple :: Media Player :: MiniStore

Labels: information breaches

According to Computerworld, a high-clas island resort's databases have been hacked, leading to the exposure of personal information of 55,000 customers. The report says that the information compromised included "names, addresses, credit card numbers, Social Security numbers, driver's license numbers and bank account numbers."

What possible reason would a hotel have for collecting Social Security Numbers from guests? And if it had a reason to collect this sort of info, why would it keep it?

Personal information is like an underground tank, half full of oil. If you don't need it, get rid of it. The more of them you have and the longer you have 'em, the higher the risk of disaster.

Here's the gist of the Computerworld article:

Data for 55,000 customers stolen from Bahamas hotel - Computerworld

Data for 55,000 customers stolen from Bahamas hotel The upscale Atlantis Resort has acknowledged an apparent database break-in

JANUARY 11, 2006 (IDG NEWS SERVICE) - Travelers who stayed at the upmarket Atlantis Resort in the Bahamas should keep a close eye on their bank statements in the months ahead. The hotel has acknowledged an apparent database break-in in which personal information for 55,000 guests may have been stolen, including credit card and bank account numbers.

The resort said it is notifying affected customers in writing so that they can "take steps to protect themselves from possible identity fraud."

Kerzner International Ltd., which operates the 2,000-room "ocean-themed" resort on Paradise Island, reported the theft last week in a U.S. regulatory filing. An internal investigation revealed that the information had been stolen from a database of Atlantis customers.

...

The information stolen includes names, addresses, credit card numbers, Social Security numbers, driver's license numbers and bank account numbers. Approximately 55,000 customers may have been affected, the resort company said.

Technorati tags: Hacking :: Privacy :: Personal Information :: Social Security Number

Labels: information breaches

The Ottawa Citizen is reporting that Cafe Henry Burger in Ottawa is closing down. According to the owner, the restaurant suffered a loss of business as fallout from the Radwanski scandal that lead to the downfall of the then Privacy Commissioner and opened all entertainment spending by public officials to much greater scrutiny.

Iconic eatery Cafe Henry Burger shuts its doors after 83 years

It made headlines of a different kind in 2003 when it was revealed that some public servants had run up huge bills at Cafe Henry Burger, including then-privacy commissioner George Radwanski. Mr. Bourassa concedes that the repercussions of that hurt sales at his restaurant.

"Following that, there was greater expense-account scrutiny and a greater call for access to information. This resulted in a loss of clients."

Despite the obvious sadness he feels at the closing of his restaurant, he is focusing on the many good experiences he has had.

I'm sure some would suggest that it was the loss of Radwanski's business that did it in.

Labels: information breaches, radwanski scandal

Many of the blogs I follow were abuzz yesterday with discussion of the Declan McCullagh column on CNet News entitled "Create an e-annoyance, go to jail". (I wrote about it here: "Anonymous 'net annoyers headed to jail".)

There are widely divergent opinions all over the 'net on what this poorly drafted provision actually means. Some suggest that it attacks all anonymous speech that is annyoing, including blog postings and comments. Others suggest that it is very restricted and might not even cover e-mail. Some discussions worth checking out:

• Boing Boing: Flame someone anonymously, go to jail? No, say BB-reading lawyers - Boing Boing printed comments from a number of readers, including me and Daniel Solove (see below).
• Concurring Opinions: Annoy someone online (anonymously); go to jail, which includes a comment from Daniel Solove and a dozens of others.
• Kip Eqsuire: A Stitch in Haste New VAWA "Annoying" Clause is Indeed Annoying -- But Not to Blogs
• SIVACRACY.NET: Anonymous Trolls Beware?
• Slashdot Crank Blogging, Like Phone Calling, Now Illegal

The original McCullagh article is also followed by a bunch of reader comments, so check that out too.

Technorati tags: [Anonymity] :: [First Amendment] :: [Specter] :: [Law] :: [Privacy] :: [Cyber Stalking]

Labels: information breaches

A minor incident: A county clerk in Rockford, IL has apologized after releasing a list of election officials without blacking out the social security numbers, presumably in response to an Freedom of Information request. The unwitting recipient of the information is a little upset. See: AP Wire | 01/10/2006 | Winnebago County Clerk apologizes for releasing personal information

Technorati tags: [Incident] :: [Privacy] :: [Freedom of Information] :: [Illinois] :: [Incident] [Social Security Number]

Labels: information breaches

The Saginaw News ran an interesting feature-length article in its Sunday edition about privacy in the retail system. It touches on loyalty programs, RFID, advertising and security of personal information. And it is balanced, with good comments from both business and privacy activists. Check it out: A peek into your privacy: Retailers increasingly ask for personal information.

[Personal Information] :: [Privacy] :: [Retail]

Labels: information breaches, loyalty cards, privacy, retail, rfid

A five star hotel in Brighton, UK, has switched into damage control mode after a passer-by found loads of customer registration cards in the a dumpster. The cards had names, addresses, signatures and valid credit card numbers. The BBC notes that the hotel often hosts high profile conferences and the details of some Members of Parliament were on cards found. See: BBC NEWS | England | Southern Counties | Private hotel cards found in skip.

[United Kingdom] :: [Privacy] :: [Security] :: [Personal Information] :: [Identity Theft] :: [Security Incident] :: [Privacy Incident]

Labels: identity theft, information breaches

Be prepared to fork over your personal information if you visit the website for "Grandma's Boy", an upcoming movie from 20th Century Fox. If you want to see the film's trailer, view clips and enter to win fabulous prizes, be prepared to fork over your name, date of birth and zip code. That's what it says on the front page, and there's no privacy policy link to tell you what the website will do with it. No notice. Nothing. Nada. Zilch.

According to DM News and New York Newsday, the site takes your data and matches it against a huge database compiled from US drivers' licenses. If your details match, you get in.

Once you get in, you can then read the 20th Century Fox privacy policy, which seems to say they'll never do what they just did. Read on:

Effective as of July 1, 2005

PRIVACY POLICY

...

2. NOTICE - FOX FE WILL PROVIDE YOU WITH NOTICE ABOUT ITS PII COLLECTION PRACTICES:

When you voluntarily provide PII to Fox FE, we will make sure you are informed about who is collecting the information, how and why the information is being collected and the types of uses Fox FE will make of the information.

At the time you provide your PII, Fox FE will notify you of your options regarding our use of your PII, including whether we will share it with outside companies (See "Choice" below). This Policy describes the types of other companies that may want to send you information about their products and services and therefore want to share your personal information, provided you have given Fox FE permission to do so (See "Use" below).

Sometimes we collect PII from consumers in manual format or off-line, such as a post card or subscription form. Providing detailed notice in those situations often proves impractical, so consumers will instead be provided with a short notice that describes how to obtain the full text of this Policy and other relevant information from us.

...

3. CHOICE - FOX FE WILL PROVIDE YOU WITH CHOICES ABOUT THE USE OF YOUR PII:

Fox FE will not use the PII you provide to us for purposes different from the purpose for which it was submitted, or share your PII with third parties that are not affiliated with Fox FE (i.e., not a part of the News America Group), unless we obtain your permission.

...

7. REMEDIES AND COMPLIANCE - HOW TO CONTACT FOX FE ABOUT PRIVACY CONCERNS:

If you have any issues or complaints regarding this Privacy Policy, please contact:

Foxmovies.com Privacy Officer
P.O. Box 900
Beverly Hills, CA 90212

(888) 369-0687

feedbackus@fox.com

© 2005 Twentieth Century Fox. All Rights Reserved.

It's enough that there is no notice on at the time that very personal information is collected, but there is no mention anywhere what would be done with the info. Is is kept? Where does it go? Is it matched to anything else collected by the company or anyone else? It is so easy to just tell people why the information is being collected and what will be done with it.

Age verification may be a reasonable purpose to collect information like this, but doing it without notice or any reassurance makes it very easy for others (perhaps less reputable others) to follow suit. People may simply get more used to handing over sensitive personal information without knowing where it is going.

As an aside, I'm not sure how well their system works. Just try John Smith, 03/03/1970 living in Beverly Hills 90210.

[Movies] :: [Privacy] :: [Security] :: [Personal Information] :: [Identity Theft] :: [Anonymity]

Labels: identity theft, information breaches

Declan McCullagh at CNet has a very interesting article (Create an e-annoyance, go to jail Perspectives CNET News.com) on a new bill that has recently been signed into law in the United States. HR 3402, titled an Act to authorize appropriations for the Department of Justice for fiscal years 2006 through 2009, and for other purposes (emphasis on the "for other purposes") just became law. It is otherwise a standard appropriations bill that renews funding for the federal Department of Justice, except Senator Arlen Spector added a little bit of additional law for good measure. The provision, that in an earlier incarnation was meant to address anonymous stalking and harassing, has the potential for making it a crime to anonymously use the internet to merely annoy somebody.

If you take a look at the bill as passed, you can't find the "annoying part", but it comes from the way it amends an existing telephone harassment law (US CODE: Title 47,223. Obscene or harassing telephone calls in the District of Columbia or in interstate or foreign communications). As amended, that section will look like this:

(a)        Prohibited acts generally

Whoever—

(1)        in interstate or foreign communications— ...

(C) makes a telephone call or utilizes a telecommunications device, whether or not conversation or communication ensues, without disclosing his identity and with intent to annoy, abuse, threaten, or harass any person at the called number or who receives the communications;

…

shall be fined under title 18 or imprisoned not more than two years, or both.

…

(h)        Definitions

For purposes of this section—

(1)        The use of the term “telecommunications device” in this section—

(A)       shall not impose new obligations on broadcasting station licensees and cable operators covered by obscenity and indecency provisions elsewhere in this chapter; and

(B)       does not include an interactive computer service. ; and

(C)       in the case of subparagraph (C) of subsection (a)(1), includes any device or software that can be used to originate telecommunications or other types of communications that are transmitted, in whole or in part, by the Internet (as such term is defined in section 1104 of the Internet Tax Freedom Act (47 U.S.C. 151 note)).'.

[Corrected - see below]

As you can guess, more than a few people are up in arms about this. Just google "annoy declan" and you'll get at least seventy results.

UPDATE: Thanks to an astute commenter (thanks, Sean) who noticed that I had printed subparagraph (A) and not (C), I've corrected it above. It originally read:

(a)        Prohibited acts generally

Whoever—

(1)        in interstate or foreign communications—

(A)       by means of a telecommunications device knowingly—

(i)         makes, creates, or solicits, and

(ii)        initiates the transmission of,

any comment, request, suggestion, proposal, image, or other communication which is obscene, lewd, lascivious, filthy, or indecent, with intent to annoy, abuse, threaten, or harass another person;

…

shall be fined under title 18 or imprisoned not more than two years, or both.

[Snip]

[Anonymity] :: [First Amendment] :: [Specter] :: [Law] :: [Privacy]

Labels: google, information breaches, privacy

Michael Geist recenly gazed into his crystal ball and has made some predictions for technology law in 2006. Here's what he said about privacy and security:

TheStar.com - Geist: Tech laws we need

Privacy and Security

The privacy law we need: 2005 was labelled the worst year ever for security breaches, with more than 50 million people in North America directly affected by the dozens of breaches that placed their personal information at risk. The growing awareness of security vulnerabilities stems from U.S. laws that compel companies to inform customers that their information was subject to a breach. Similar legislation is needed in Canada.

The privacy law we will get: The government introduced its so-called "lawful access" package last fall. The expression "lawful access" sounds benign; the goal isn't. It would give intrusive new powers of surveillance to law-enforcement authorities without needed judicial oversight.

Canadians can expect to see it revived whichever party forms the next government. While lawful access is better characterized as anti-privacy legislation, its re-emergence will force the privacy community to rally around appropriate oversights to guard against privacy abuse.

[Privacy] :: [Predictions] :: [Privacy Law] :: [PIPEDA] :: [Canada]

Labels: information breaches, lawful access, privacy, surveillance

According to China Radio International, China is on the verge of adopting a general privacy law to protect citizens from "theft of information" and other such things:

China CRIENGLISH

China Drafts Law to Protect Personal Information

The State Council, China's Cabinet, has launched legislation procedures on personal information protection law in a bid to better safeguard citizens' privacy.

Media reports said a Chinese website publicly put nine thousand pieces of detailed personal data on sale, causing widespread social concern. The disclosure of private phone numbers, home and work place addresses and financial records seriously infringes on the privacy and life of the general public.

The current draft stipulates that personal information, as a part of a person's right of privacy, is a citizen's "intangible property", and those who steal other's personal information for financial gain are in violation of the law and shall be dully [sic]punished.

[Privacy] :: [China] :: [Privacy Law] :: [Identity Theft] :: [Personal Information]

Labels: China, identity theft, information breaches

MSNBC is reporting that a retired professor in the US is shocked that a recent letter from a regular correspondent in the Phillipines was opened and examined by the Department of Homeland Security. The letter arrived with a piece of green tape on it, indicating that the letter was opened "by Border Protection." I don't think this is a new phenomenon, but is being reported on in the wake of the warrantless wiretap scandal in the US.

One thing I find interesting from the story is that the retired professor used to do the same sort of "mail inspection" during the war:

Goodman is no stranger to mail snooping; as an officer during World War II he was responsible for reading all outgoing mail of the men in his command and censoring any passages that might provide clues as to his unit’s position. “But we didn’t do it as clumsily as they’ve done it, I can tell you that,” Goodman noted, with no small amount of irony in his voice. “Isn’t it funny that this doesn’t appear to be any kind of surreptitious effort here,” he said.

Would he prefer that this be hidden?

Read the MSNBC article here: Homeland Security opening private mail - U.S. Security - MSNBC.com.

Privacy :: Homeland Security :: Mail :: National Security

Labels: information breaches

I've blogged recently about the current debate over privacy and identity theft in Minnesota. Here's some more on what's going on in this midwest state:

Governor Pawlenty is proposing to use biometrics to make drivers licenses more secure, which Attorney General Hatch wants the state to stop selling DMV records in bulk. The Governor is also proposing other reforms:

These include stiffening penalties for unauthorized access to personal data, going after hackers who secretly gain access to private data but don’t steal, making it unlawful to use encryption to hide a crime.

Ranging afield, Pawlenty argued that current state data practice law is flawed and upsidedown— data presumed private unless deemed public, he explained.

I find this fascinating to watch. This situation is the first time that I can think of that privacy and the protection of personal information has been a significant issue in a political debate. (Both are running for the governorship.) For some of the most recent news, see: Minnesota needs to do more to crack down on identity theives, says Gov. Pawlenty.

[Privacy] :: [Identity Theft] :: [Politics] :: [Minnesota]

Labels: identity theft, information breaches

Just before Christmas, the Ontario Superior Court of Justice released a decision on an interlocutory motion to strike portions of an affidavit. The applicant had not relied upon PIPEDA in its notice of motion, but argued that PIPEDA supported the motion as part of the evidence in question had been collected from a computer without consent. Justice Cullity dealt with the PIPEDA argument and ultimately ruled that the federal privacy law has its own procedure for redress. He also declined to find whether PIPEDA was violated in this case. Once again, the Courts have declined to be persuaded by an applicant's argument that the federal privacy law should exclude evidence in a civil matter.

Osiris Inc. v. 1444707 Ontario Ltd., 2005 CanLII 47731 (ON S.C.)

[83] Finally, I should refer to Mr Belmont's reliance on the provisions of the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 in a factum he filed in support of the motion by Osiris. This was not a ground mentioned in the notice of motion. In the factum, and at the hearing, Mr Belmont submitted that VDG had clearly violated the prohibitive provisions of the statute by obtaining, and using, the Documents without the consent of their owners. This violation was said to be an additional ground on which the document should be excluded from the record.

[84] For the following reasons, I do not accept Mr Belmont’s submission. The statute creates a procedure in which complaints of breaches of its provisions are to be received by the federal privacy commissioner and under which hearings maybe conducted in the Federal Court after the Commissioner has made a report. I do not believe that, on this motion, I can properly be expected to bypass that procedure and, in effect, usurp the statutory jurisdiction under the guise of deciding a question of admissibility. Even if I were permitted to do this, it is by no means clear to me that either VDG, or Mr Nasir, has infringed the provisions of the statute.

[85] The general statutory prohibition is contained in section 5 (3) and provides that an "organization" (including a person or a partnership) may collect, use or disclose personal information only for purposes that a "reasonable person would consider appropriate in the circumstances". Personal information is defined as meaning information "about" an identifiable individual. Section 4.3 of Schedule 1 to the statute provides that the knowledge and consent of the individual are required for the collection, use or disclosure of personal information, "except where inappropriate". Section 7 (1) (b) and 7(2) (d) indicate that it will be appropriate to collect or use personal information.

... if it is reasonable to expect that the collection with the knowledge or consent of the individual would compromise the availability or the accuracy of the information and the collection is reasonable for purposes relating to investigating a breach of an agreement ...

[86] Quite apart from the jurisdictional question - and the question when the contents of communications to or by an individual are to be considered to be information "about" him or her - I would not be prepared to find on the evidence that Nasir was not entitled to collect the information pursuant to section 7 (1) (b), and that VDG was not entitled to use it pursuant to section 7 (2) (d). According to his evidence, Nasir had considered his employment to be protected by an agreement ensuring Mr Albrecht's continued position as President of RealTime 7. He considered that agreement to have been breached by the dismissal of Albrecht, and his purpose in obtaining access to Mr Rajput's computer was to protect himself by investigating "what the Kulkarnis were up to."

[PIPEDA] :: [Evidence] :: [Litigation]

Labels: information breaches, privacy

The employee who was found to be at fault for mishandling information related to welfare-to-work clients of the Department of Education (see: The Canadian Privacy Law Blog: Files on welfare-to-work clients found in dumpster) has been fired, according to a local newspaper. See: County employee fired over sensitive documents found in trash bin.

Labels: information breaches

I've just received a nice note from Darce Fardy, the Nova Scotia Freedom of Information and Protection of Privacy Review Officer. (Roughly the province's equivalent of a privacy commissioner, though most of his time is spent on the access side of his mandate.) His Order-in-Council expires on January 23, 2006 and he has decided not to re-up for any further term. He will stay on in an interim capacity until his successor is appointed.

Darce began his career as a journalist and found himself as the Head of Network Television Current Affairs before he switched gears to the access and privacy file. He has also worked with the United Nations in New York.

On a personal note, I have to say that he has been great to work with. He's a true gentleman and I've always found him to be very willing to see both sides of an issue.

Anybody who knows him knows that he is a "true believer" that access to information is among the most important levers that holds a democratic government accountable to citizens. I think it must be a thankless task and he has lamented in the past that a citizen's right of access to information is not sufficiently well known. His suggestions for reforms of the province's access to information laws have been generally ignored by the parties in power, but he plans to continue to "spread the gospel", as he has called it, after his retirement.

For more info, you can check out the FOIPOP Review Office website.

Enjoy your retirement and all the best, Darce.

Labels: information breaches, public sector

According to the Chicago Tribune, the state of Illinois is planning to be the first state to implement strong measures to protect phone customers from the unauthorized release of their calling information. The proposed law will require phone companies to protect the privacy and security of customer information. Notably, it will also outlaw "pretexting", which is said to be the technique used by most of the companies who trade in this sort of data. See: Chicago Tribune | Gov. fights cell records theft.

Labels: information breaches, pretexting

Out-law, a publication of Pinset Mason's, has a good overview of the recent advisory opinion of the EU Working Party on privacy best practices for privacy and location-based services. The Out-Law article is here: How to triangulate location data, privacy and profit | OUT-LAW.COM. The Working Party's opinion is here.

Labels: information breaches

I've typed the word Minnesota more times in the last week than the entire previous decade. I used to sometimes spell it Minnesoda, but I've gotten much more practice as of late.

Readers will have noted two recent posts on developments in Minnesota, particularly related to the sale of bulk drivers' license data. The AG of the state, Mike Hatch, has proposed to ban the practice. He's also a hopeful for the Governor's office. The incumbent has also been talking privacy and identity theft, paticularly focusing on making ID more secure so that the risk of impersonation is reduced. California is at the forefront of privacy protection in the United States, but I do not recall privacy being a large election issue. Passing those trail-blazing laws was just something that was done by the legislature after it was in power. The situation in Minnesota seems a bit different; the candidates are making privacy an issue and are actually talking about reforms they'd like to see. I wonder if this is based on a belief that consumers now care in large enough numbers to give privacy a real constituency. Is this also the beginning of a trend?

Check out: Governor is seeking privacy law changes. Thanks to Adam at Emergent Chaos: Privacy Competition in Politics for the link and his thoughts on the topic.

[Privacy] :: [Identity Theft] :: [Politics] :: [Minnesota]

Labels: identity theft, information breaches

I blogged briefly about the proposal recently put forward by the Attorney General of Minnesota to stop the bulk sale of access to the state's DMV records (see: The Canadian Privacy Law Blog: Minnesota AG seeks end to bulk sales of drivers' license data). The release on the AG's website is very interesting, as it points out that such data is very useful to fraudsters.

Minnesota Attorney Generals Office

STATE SENATOR ANN REST, STATE REPRESENTATIVE JIM DAVNIE, AND ATTORNEY GENERAL HATCH WANT THE MINNESOTA DEPARTMENT OF PUBLIC SAFETY TO QUIT SELLING DRIVER’S LICENSE DATA

Assistant Senate Majority Leader Ann Rest (DFL-New Hope), Representative Jim Davnie (DFL-Mpls.), and Attorney General Mike Hatch today called upon the legislature to order the Minnesota Department of Public Safety to quit selling driver's license data to commercial companies. They also announced legislation to restrict the commercial distribution of Minnesotans' driver's license information by the Department of Public Safety.

History. In 1991, the State of California stopped selling drivers license data to commercial firms after actress Rebecca Schaeffer was murdered by a stalker who obtained her home address from the state driver’s license bureau. In 1997 the federal government forbade states from selling drivers data, but a federal judge in 1998 ruled that federal law could not order state governments how they classify their own data. The court essentially held that if a state government wanted to ban the sale of driver’s license data, it should adopt its own laws. In 1999 Attorney General Hatch proposed legislation in Minnesota to stop the sale of driver’s license data, and in 2000, the Ventura Administration publicly stated that it was administratively making driver’s license data private unless the licensee expressly waived the right to privacy.

Current Status of Driver’s License Data. At the press conference, Detective Jack Talbot of the South Lake Minnetonka Police Department, who is on assignment to the Minnesota Financial Crimes Task Force, said that identity theft and financial fraud in Minnesota is greatly enhanced because thieves get driver’s license data on Minnesotans from a website, publicdata.com. According to Officer Talbot the website obtains the information from the Department of Public Safety (“DPS”).

“I find driver’s license printouts from publicdata.com when executing a large number of search warrants on identity thieves and financial scam artists,” said Officer Talbot.

Talbot stated that the website sells such data on citizens from about nine states. He asked DPS officials to find out why this data is being distributed by DPS to such websites. Officer Talbot stated that he was told by DPS that it has sold the data to hundreds of companies at varying prices. None of the purchasers appeared to have bought the data at $.50 per name, as was required by the statute in 1999, but subsequently repealed.

“I am surprised that the State of Minnesota imposes fees on virtually every aspect of our lives, but then gives away valuable data to commercial interests that are not even located in this state,” said Representative Davnie. “The result is more identity theft and less protection for our citizens.”

Proposal. Under the Rest-Davnie proposal, DPS would be prohibited from distributing driver’s license data in bulk quantity unless it was to a government agency (i.e. for law enforcement purposes) without a licensee’s express written consent.

“These are obvious loopholes in our driver’s license data laws that need to be changed,” said Senator Rest. “The privacy of our citizens will be greatly enhanced by these proposed policy changes.”

The bill would further limit the circumstances under which DPS could distribute individual licensee data. In most cases, DPS would only be able to disclose individual licensee data if the consumer “opts in” to such sale (e.g., gives written permission), and the State would charge a $5.00 fee per consumer name accessed. When the Department did disclose a consumer’s name, it would report the name of the requester to the citizen whose data has been disclosed. The fees collected would be used to pay for the administration of the driver’s license bureau and fund the budget of the Financial Crimes Task Force. Hatch noted that, while some courts have limited the application of state laws in certain circumstances, they have all permitted the state to charge a fee for the sale of such data.

Thanks to Chris Hoofnagle at EPIC West for the link.

[Privacy] :: [Identity Theft] :: [Politics] :: [Minnesota]

Labels: identity theft, information breaches

A German group has developed what appears to be the first of its kind: a portable RFID chip zapper that will not damage the article on which the chip is attached. Most methods currently known are microwaving or physically damaging the chip. This method uses a modified disposable camera to deliver a pulse of electromagnetic radiation that likely blows the unit's capacitor. I don't have any expertise to say it will work, but they say it does. See: RFID-Zapper(EN) - 22C3. (Via RFID Gazette.)

[Privacy] :: [RFID]

Labels: information breaches, rfid

Some states are happy with one new privacy law, but Chris Hoofnagle passes along the news that California has them all beat with thirteen new laws that relate to privacy: EPIC West: Electronic Privacy Information Center West Coast Office: CA OPP: 13 New Privacy Laws in Effect. Everything may be big in Texas, but everything is private in CA.

[Privacy] :: [Privacy Law] :: [California]

Labels: information breaches

It is old news that your cellular phone records are up for grabs on the internet. Federal Privacy Commissioner Jennifer Stoddart learned this recenly from MacLean's magazine (See: The Canadian Privacy Law Blog: That's a little cheeky: MacLean's Magazine buys Privacy Commissioner's cellphone records off the 'net).

The problem is getting a bit more attetion, including scrutiny from law enforcement who are concerned about what might happen with their cell records. The Chicago Police Department recently warned officers about the issue, cautioning them not to make personal calls from undercover cell phones and to be careful to whom they give their mobile numbers. The FBI is also concerned that criminals may use the service to uncover undercover agents or to harm officers. See: Chicago Sun Times: Your phone records are for sale.

[Privacy] :: [Identity Theft] :: [Phone Records] :: [Illinois]

Labels: identity theft, information breaches, law enforcement

HIPAA Blog

Another Case of Indentity Theft: This time it's at Kaiser Permanente's South Bay Medical Center near LA. Contract employees copying medical records from the ER and surgery departments used their access to patient names, social security numbers, addresses, and other personal information to establish credit accounts in the patients' names and use the accounts to acquire high-end kitchen supplies. The two employees were caught red-handed and admitted their crimes, apparently. Four patients are known to be victims, but Kaiser sent letters to 25,000 patients who might be at risk.

This incident reinforces a few key items about HIPAA crime. First, it's not the "medical" information that is the big risk in intentional misuse of PHI, it's the financial information. There's not a big opportunity to make money off of information about someone's surgery, but there is a lot of money that can be improperly accessed with information about someone's social security number or bank accounts. Second, it's low-level employees that pose the greatest risk, particularly contract employees who might not be subject to as strict control as direct employees. Third, it's fairly easy for these people to be caught. Fourth, Kaiser points out that it is migrating to electronic medical records, which will eliminate the need for copying the records (and would eliminate these bad employees); of course, the other side of that coin is that these employees only had access to the records they made copies of, whereas if the information was part of an EMR, they might have had access to many more patient records.

His original post has a link to further coverage.

Labels: health information, information breaches

In a recent survey of online retailers, only three percent have reported to passed the assessment and external scan needed to comply with the Payment Card Industry Data Security Standard, which became mandatory on June 1, 2005. A quarter of the vendors haven't even started yet while the majority are in the process.

Sounds a lot like the state of PIPEDA compliance in 2004.

See: InternetRetailer.com - Daily News for Tuesday, January 3, 2006.

Labels: information breaches, privacy, retail

The Washington Times ran a story on January 3, 2006 with an overview of new state privacy/identity theft laws that either came into force on January 1 or are on the horizon. There's also an overview of the debate about federal pre-emption:

New state laws seek to halt identity theft - Business - The Washington Times, America's Newspaper

Twelve states have credit-freeze legislation, which allows residents to block new creditors from accessing their credit reports and helps prevent identity thieves from opening spending accounts using a stolen name.

Credit-freeze laws in Connecticut, Illinois and New Jersey were enacted Sunday, while Maine's will become effective Feb. 1 and Colorado's July 1.

Labels: identity theft, information breaches

Minnesota is one of the states in the US that still sells drivers' license data in bulk. To about five thousand organizations a year. Attorney General Mike Hatch wants to end that practice to protect the privacy of the residents of the states. He doesn't want to close it down completely; he wants the DMV to sell them for $5.00 each but only if you provide a name and notify the individual. See: MPR: Hatch wants end to selling of driver's license info. (Via Privacy Digest.)

[Privacy] :: [Identity Theft] :: [Politics] :: [Minnesota]

Labels: identity theft, information breaches

The Federal Privacy Commissioner has been asked to investigate after two residents of Deep River, Ontario, received birthday cards from Renfrew-Nipissing-Pembroke MP Cheryl Gallant. The individuals involved are not politically active and had not requested to be contacted by Gallant's office. The only way that the MP's office had their birthdays, they think, is by taking them from passport applications that were processed through that office. They are not happy with the idea that the MP took personal information from their passport applications, are storing it and using it without their knowledge or consent. The Commissioner is investigating, but without jurisdiction as MPs are not covered by the federal Privacy Act. For more info, see: ottawasun.com - Election - Surprise birthday cards put Valley MP on the hot seat.

Labels: information breaches

The Information and Privacy Commissioner of Alberta has recently found that the Calgary Health Region violated the province's Health Information Act in the way it responded to an individual's request for access and correction of his health records. The violation was minor and probably resulted from the confusing, multiple access requests made by the individual. See the Commissioner's press release:

Commissioner finds only minor breaches of Health Information Act by Calgary Health Region

January 3, 2006

Information and Privacy Commissioner Frank Work has found that the Calgary Health Region's failure to provide an Applicant with some of the records he requested under the Health Information Act (HIA) within the 30-day time limit imposed by the Act was a minor breach of the HIA.

The Calgary Health Region had provided many of the records to the Applicant in a timely way, but there were delays in providing some of the records, resulting in part from the confusing nature of the Applicant's various requests for records. The Commissioner also found that the Calgary Health Region's failure to centralize and recognize the full scope of the Applicant's various requests for records, which gave rise to the delays, was a minor breach of the duty to assist under the HIA.

As most of the requested records had been provided to the Applicant, the Commissioner found that the Calgary Health Region had conducted an adequate search for records.

Finally, the Commissioner drew the parties' attention to the fact the Calgary Health Region had yet to consider the Applicant's correction request to place information on his chart.

To obtain a copy of Order H2005-004, contact:

Office of the Information and Privacy Commissioner
410, 9925-109 Street
Edmonton, Alberta T5K 2J8
Phone: (780) 422-6860
Fax: (780) 422-5682
E-mail: generalinfo@oipc.ab.ca
Website: http://www.oipc.ab.ca/

Labels: alberta, health information, information breaches

This one is relatively minor, but it's the first one of these of the year ...

H&R Block, the tax preparation company, has alerted some of its customers to keep an eye on their credit reports and bank accounts because some had their social security numbers embedded in a forty-seven digit tracking number on mailed copies of their software. The numbers were just munged in, so probably weren't recognizable as SSNs. If you want to read more, check out: H&R Block blunder exposes consumer data CNET News.com.

Calling this an "incident" that exposes personal information may be ammunition for those who argue companies should only have to notify customers when there is a real risk of identity theft associated with the disclosure.

Update: Techdirt asks what H&R Block is otherwise doing with SSNs if they are including them in tracking numbers? (Techdirt:H&R Block Mails Customers Their Own SSNs... On The Outside Of The Envelope) It certainly suggests they are using the numbers as customer identifiers, which raises a whole host of other issues.

Labels: identity theft, information breaches

The British Columbia association for Consulting Engineers (CEBC) has started advising its members that they should not be using staff salaries as the basis for quoting fees for projects. Salary multipliers are a common method of quoting in the field, but doing so discloses the personal information of the individual employee (namely, their salary). This advice is restricted to British Columbia, where the Pesonal Information Protection Act applies to employee personal information. While PIPEDA does not apply to employees of consulting engineers in the "PIPEDA provices", it is a good practice to follow. See: Canadian Consulting Engineer - 1/3/2006 - British Columbia engineering firms advised not to use salaries as basis for quoting fees.

Labels: bc, british columbia, information breaches, privacy

Lawrence Lessig recently observed a poster on a train in the UK reminding riders that spitting on railway staff is assault and that the UK's national DNA database will be used to track down offenders. I'm not sure that was the kind of offense that was pointed to when the database came into being, but shows how versatile that sort of info really is! See: Lawrence Lessig.

Labels: biometrics, dna, europe, information breaches, uk

As reported here some time ago, the Canadian Privacy Commissioner recently declined to investigate a US-based data broker on the basis of lack of jurisdiction (The Canadian Privacy Law Blog: Office of the Privacy Commissioner responds to complaint against US data-broker: No jurisdiction to investigate outside of Canada). Now, CIPPIC has announced it filed an application in the Federal Court on December 15, 2005 for judicial review of that decision. Should be interesting ...

See: CIPPIC News - CIPPIC.

Labels: information breaches

It's hard to believe that I've been at this for two years. On January 2, 2004 I did the first posting to this blog (The Canadian Privacy Law Blog: Welcome to the Canadian Privacy Law blog). At the time, I was concerned that I wouldn't have the attention span to keep it going for the long term. Now, two years and 1711 posts later (more than two a day), I'm pleased with how it has all turned out. I've met some pretty incredible people through the blog. This summer I had a surreal experience when a stranger recognized me in an elevator and asked if I was "the guy with the privacy website."

At the time, some people thought that privacy was just the flavour of the day and all the hubub would blow over. Either PIPEDA would be declared to be unconstitutional and business would go back to normal or business and healthcare would come to a grinding halt. None of that came to pass. PIPEDA and the PIPAs are completely manageable. Very few reputable companies had much to change; mostly, compliance was putting policies, procedures and accountability in place to support their existing practices. Some had to fine-tune their practices and I'm generally impressed with the number of companies that are recognizing privacy issues and are seeking professional counsel.

I expect the year ahead will also be interesting on the privacy front. PIPEDA will come under review in the federal Parliament and there is much work to be done to clarify the law and make it more manageable. For consumers, privacy continues to be a strong priority and the growth of identity theft makes their concerns all the more acute. The PIPEDA review will bring that concern front and centre. I'm waiting to see whether the legislators will take any action to address this. Some provinces, such as Ontario, may look again at provincial privacy laws of general application. Other provinces may follow Ontario's lead and implement health privacy laws that will harmonize the rules in the public and private healthcare settings. And I am sure that we'll continue to hear about more and more privacy/security breaches, mostly from the US states where laws require disclosure.

For this blog, my plan is to keep it up. The blog's reason for being is to be a useful resource on privacy developments in Canada and elsewhere. I'd be delighted to hear what changes readers would like to see in the year ahead to make it more useful. Please feel free to leave a comment or drop me a note by e-mail: david.fraser@mcinnescooper.com.

Also a special thank-you to the many people over the last two years who have sent me links to privacy-related articles and have pointed out typos.

Happy new year!

Labels: identity theft, information breaches, pipa, pipeda review, privacy

With clients involved in clinical research, I often have to go to meetings at research centres in the local hospitals. One thing that I find off-putting is that the hallways are all common, so that I often pass patients who are being wheeled from one procedure to another. People are pretty vulnerable at times like that and are certainly not at their best. Even though I have a reason to be there, it feels like I'm intruding when I walk down the hall. Apparently a hospital in Maine is sensitive to this and has designed its new facility to take this into account. The new Mercy hospital will have separate hallways for transporting patients and the administration is advertising this feature. See: RedOrbit - Health - Mercy's Plan Will Allow Parking, Privacy and Efficiency in Services.

Labels: information breaches

Among the laws that came into force today is one in California aimed at paparazzi photographers. The law includes treble damages for incidents of "stalkerazzi" antics and the possibility of having the publication of resulting photos prohibited. The constitutionality of the law is under question and hasn't yet been challenged. See:

CNN.com - New law hits�paparazzi in the pocketbook - Dec 30, 2005

...The new legislation amends a bill passed in 1998 that established the concept of "constructive trespass" for photojournalists. It said that using a long lens to capture an image of a person who had "a reasonable expectation of privacy" was tantamount to trespassing.

Ewert, counsel for the California Newspaper Publishers Association, questioned the constitutionality of that law, but it has not been challenged in court, he said. Laws are presumed valid until challenged.

The new legislation, which expands what constitutes invasion of privacy, "is probably even more unconstitutional, if that's possible," Ewert said.

"We don't apologize for the behavior of the paparazzi," he said. "But this law attempts to stop that conduct with a very broad brush."

Labels: information breaches

The appeals court in New Jersey has overturned the conviction of man who refused to provide ID to a state trooper and was subsequently charged with obstruction. The reversal is on a bit of a technicality, as the law in that state requires physical interference, which was not present in this case. The court noted that the defendant did "obstruct", but it was not an offence under state law. See: CourierPostOnline - South Jersey's Web Site.

Labels: information breaches

The New York Times continues to provide strong coverage of privacy issues with its most recent article: What Are You Lookin' At? In this piece, John Schwartz discusses the perceived differences in the US between private and public sector collection and use of information. He also look at generational perceptions of privacy. Worth reading.

Labels: information breaches

Michael Fitzgibbon is pointing to an interesting case out of the US, in which a group of employees sued a union for privacy violations after the union used license plate numbers and motor vehicle records to put together an organizing list. The class certification motion is here: Pichler v UNITE. Check out Michael's post here and follow his links: Thoughts from a Management Lawyer: Another Novel Claim Out of the U.S..

Labels: information breaches