The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
Tuesday, February 28, 2006
Bars seem to be on the cutting edge of identification technology. Regular readers of the blog probably have noted references to bars scanning identification documents of visitors and some using external databases to keep track of banned patrons. (see Swiping driver's licenses - instant marketing lists?, Calgary student challenges nightclub over scanning ID, Alberta bar to continue scanning IDs despite Commissioner's advice not to, New technologies for scanning IDs.) Now, Wired News is reporting on facial recognition software that takes a picture of visitors to bars and matches them against a database of banned patrons. The technology was born in Toronto, Canada:
Wired News: BioBouncer Might Make Bars Safer
Privacy watchdog groups, however, don't like the sound of it, and it's not clear club patrons will dig it, either. Many people are already accustomed, or oblivious, to cameras recording their every move at ATMs and 7-11s. But in a bar's let-loose environment the sign Dussich wants posted at the entrance announcing that BioBouncer is recording their faces might send customers running.
Lee Tien, a staff attorney with the Electronic Frontier Foundation, said people may find BioBouncer insulting or invasive. Facial recognition software is notoriously inaccurate, he said, and he is concerned that data-sharing could be used to blackball innocent partiers.
"Think about it: Someone doesn't like you, your photo gets in there, you walk in someplace and they're telling you, 'You're a troublemaker, you got bounced from that other bar.'"
BioBouncer was born when a Toronto club owner asked if Dussich could help curb a burgeoning crime problem. Dussich may be on to something, as crime is plaguing the club scene nationwide, said Robert Smith, a police officer and nightclub security expert, who runs the Hospitality and Security Alliance.
Update: Bruce Schneier has some things to say about this:
Schneier on Security: Face Recognition Comes to Bars:
And the data will be owned by the bars that collect it. They can choose to erase it, or they can choose to sell it to data aggregators like Acxiom.
It's rarely the initial application that's the problem. It's the follow-on applications. It's the function creep. Before you know it, everyone will know that they are identified the moment they walk into a commercial building. We will all lose privacy, and liberty, and freedom as a result.
Privacy is not always about identity theft and widespread eavesdropping. Sometimes it's a bit weird.
According to the Associated Press, a hospital in Baton Rouge, LA is about to spend $25,000 to test the DNA of a bunch of employees to figure out who peed in another employee's toolbox. Since nobody has stepped forward, there's no smoking gun and the trail has gone cold, the hospital administration is forcing 25 employees to provide a DNA sample or be terminated. Not surprisingly, some think it's an invasion of privacy.
DNA Tests Ordered for Urine Toolbox Prank - Yahoo! News:
'We checked with our legal counsel first and this is the next step in using technology to help solve a workplace incident,' hospital supervisor Stan Shelton said Monday.
The DNA testing, to be conducted by ReliaGene Technologies of New Orleans, will cost the hospital $25,000, he said.
Attorney Jill Craft worked with litigation involving swabs taken during the investigation into the South Louisiana serial killer cases. Craft fought for the rights of those swabbed during the probe that eventually resulted in the arrest of Derrick Todd Lee.
Craft said she believed the employees' rights are being violated. 'It's the intrusion by finding out what your DNA looks like, your unique pattern, which in my opinion, violates someone's right to privacy,' she said.
Thanks to a reader who passed this along ...
According to the Philadelphia Inquirer and the Associated Press, a US Federal judge has struck down Pennsylvania's requirement that prospective firearm purchasers provide their social security numbers. The PA law was found to violate the US federal Privacy Act. Here's the gist:
Philadelphia Inquirer 02/28/2006 Judge rejects Pa. gun-buying terms
...Sanchez's ruling noted that the right of privacy as to Social Security numbers exists under a federal law, not as a right the U.S. Supreme Court had interpreted as protected by the Constitution.
Still, Robert Ellis Smith, publisher of the Privacy Journal in Providence, R.I., said yesterday's ruling was "significant because it comes at a time when most government agencies are requiring more and more information from people."
"The decision is part of a trend in the last 10 years as courts realize the importance of keeping Social Security numbers confidential because of identity theft," Smith said. Smith, who is also a lawyer and journalist, was a paid expert for Michael Stollenwerk, the retired Army officer who brought the case in federal court in Philadelphia.
Stollenwerk said yesterday he hoped the ruling would inspire others to challenge government demands for Social Security numbers. He also said he hoped it would encourage local and state officials to review application requirements.
"A lot of state governments have blown off this law," said Stollenwerk, now a law student at Georgetown University. "I think someone had to stand up to the government and say, 'I'm going to challenge this.' "
Stollenwerk, 42, has pressed the matter on gun permits in other states, he said. In California, without going to court, he said, he was able to convince state authorities that their gun-purchase law violated the Privacy Act. In Virginia, he said, he was victorious in state court....
I blogged earlier this month about the theft of some computer backup tapes from a vehicle owned by an employee of Providence Home Services, a division of Providence Health System (The Canadian Privacy Law Blog: Correction: Information stolen from Providence Health System employee used fraudulently).
Here's a bit of an update: The company is reported by Computerworld to have carried out a thorough investigation of the incident. As a result, one employee has been fired and three have resigned. The company has also revised its security and backup policies so that data is not taken to employees' homes for offsite storage and data is routinely encrypted. From all appearances, the company has been very open about the incident and has issued a number of press releases on its website. This is critical, as trust is essential in the healthcare sector.
Labels: information breaches
By now, we've all heard about identity theft in which someone assumes another's identity to obtain credit or other financial benefits. It is, we are told, the fastest growing crime in North America. Well, now Americans have to worry about "medical" identity theft. This is where someone (presumably uninsured) assumes another's identity to obtain medical services. That's what happened to Joe Ryan of Littleton, Colorado. Ryan unexpectedly received a bill for $44,000 for surgery and then the collection agents started calling. It appears that someone used his name to have a significant piece of surgery and Ryan is left holding the bag. At least one group of hospitals in Denver has information about fifteen such cases a year.
Where ID theft can put your credit rating in jeopardy, medical ID theft can do all that and kill you: victims' medical records now reflect conditions they don't have. Somewhat ironically, the hospital in Ryan's case refused to provide him with information about the services used by the impostor since HIPAA apparently prevented them from disclosing it to him. Check out the report on Ryan's case by Colorado 9News' I-TEAM: ID theft that could be deadly. There's a video link on the 9News site, as well.
Monday, February 27, 2006
Montana will be the next US state to have a security breach notification law when the state's new privacy law, HB 732, comes into force on Wednesday. The new law also requires companies to securely dispose of personal information and to only print the last five digits of credit card numbers on receipts. Check out New privacy law takes effect March 1.
According to the LA Times (and CBS and Canoe), three photographers have been fined one Euro each for invasion of privacy after the three took pictures of Princess Diana and Dodi al-Fayed on the night they both died in Paris. All three were found to be pursuing the Princess at the time her Mercedes crashed.
Sorry for the light blogging over the last little while. I've just come back from four days in Pasadena, California where I was attending the "Winter" Meeting of the Licensing Executives Society. (I've put winter in quotes because it was sunny and in the mid-twenties (c) the whole time.) There wasn't much there on privacy, but it did provide a lot of mental nourishment for the other side of my practice, IT and IP law.
While I was there, I met a fellow legal blogger, Bill Heinze of Atlanta, Georgia. He writes a blog entitled I/P Updates - News and Information for Intellectual Property Practitioners, which is one of the top ranked IP blogs and newsletters in the US. If your practice strays into that arena, you should check it out. If you need an incentive to visit the blog, Bill has written two posts about the content presented at the meeting: Asian Licensing Negotiating Tips and Music Licensing Update.
The Electronic Privacy Information Center (aka EPIC) has been waging war on the practice of "pretexting", which is most popularly associated with private investigators calling under a fake identity with a fake rationale to get information about somebody they are investigating. Now, EPIC is taking it to the state bar associations in the US, as it has concluded that lawyers are some of the prime consumers of pretexting services. In a letter sent to all the state bars, EPIC is calling upon the ethics bodies of each state to issue an advisory opinion to prevent lawyers from using investigators who employ pretexting:
State Ethical Boards Must Take Action to Protect the Integrity of the Profession
We urge you to take action to review these practices under the ethical rules of your state. Pretexting involves using fraud to trick a company into releasing private personal information. We believe that hiring investigators or other services to engage in pretexting implicates ABA Model Rules 1.2, 3.4, 4.1, 4.4, and 8.4. We urge you to analyze the practice of pretexting under the ethical rules in force in your State.
We realize that attorneys may be unwitting participants in this practice. They may hire investigators to locate witnesses or perform other functions without being aware that pretexting was being employed. Accordingly, issuing an advisory opinion or highlighting this issue in communications to members of the Bar may be appropriate action to address the use of pretexting.
Sunday, February 26, 2006
Adam Shostack often has interesting things to say about privacy. He's posted, at Emergent Chaos, about the recent incident involving the University of Texas and their voluntary notice for the loss of encrypted patient information. Here is Adam's take on their response:
Emergent Chaos: Analysis of University of Texas, 4,000 encrypted SSNs, Laptop:
Since Choicepoint, there's been a dramatic shift in the way these incidents are perceived. Assertions of caring about privacy have transformed into a moral duty to report, even when the law doesn't require it. Work to undercut the 21 state laws in place by groups like the American Bankers Association misses the point. When there's a breach of personal data, the risk is on the citizen or consumer, not on the organization that lost control of the data. The organization has demonstrated that their risk management decisions don't have the results that customers want. That means the risk analysis must be done by the person, not the organization. For the person to do the risk analysis, they need to know what's happened.
We like transparency. We accept apologies (when they're not tortured or convoluted). We prefer to work with organizations that don't keep us in the dark, 'for our own good.' Finally, we don't trust anyone who has lost control of data to get the next analysis right. Whatever bad laws happen to come out of Congress, there's a new social consensus, and the University did exactly the right thing.
It looks like the City of Toronto is planning to follow in the footsteps of municipalities like Oshawa, ON and New Westminster, BC by requiring dealers of second-hand goods to enter sellers' information into a large database maintained by a private company (see: CTV.ca New T.O. bylaw being called a privacy threat). While these dealers have always had to verify the ID of sellers, critics are concerned that the database will be used for fishing expeditions by the police. Also, once the information is collected, there is very little control over how it is used.
It appears that the federal privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), does not limit what can be done with the information once it is collected. The general rule of PIPEDA is disclosure and consent. An organization has to disclose to the individual why it wants the information and has to get the individual's consent to use and disclose it for that identified purpose. But Section 7 of PIPEDA allows organizations to dispense with that consent. In this case, an organization can collect information without the individual's consent if the collection is required by law (s. 7(1)(e)(ii)). Once information is collected without consent under that section, it can be used without the individual's consent (s. 7(2)(d)), and there does not appear to be any limit on the purposes for which it can be used. Theoretically, a second-hand goods vendor or the database company can use the information for any other purpose without running afoul of PIPEDA.
The relevant provisions are:
Collection without knowledge or consent
7. (1) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may collect personal information without the knowledge or consent of the individual only if ...
(e) the collection is made for the purpose of making a disclosure
(i) under subparagraph (3)(c.1)(i) or (d)(ii), or
(ii) that is required by law.
Use without knowledge or consent
(2) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may, without the knowledge or consent of the individual, use personal information only if ...
(d) it was collected under paragraph (1)(a), (b) or (e).
Disclosure without knowledge or consent
(3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is ...
(i) required by law.
Use without consent
(4) Despite clause 4.5 of Schedule 1, an organization may use personal information for purposes other than those for which it was collected in any of the circumstances set out in subsection (2).
Disclosure without consent
(5) Despite clause 4.5 of Schedule 1, an organization may disclose personal information for purposes other than those for which it was collected in any of the circumstances set out in paragraphs (3)(a) to (h.2).
The purpose for bylaws such as these may be 100% compelling, but the fear that the information can be reused without the knowledge or consent of the individual without any legal recourse seems legitimate.
The MD Anderson Cancer Center at the University of Texas is reporting that a laptop containing personal insurance claims of thousands of patients was stolen. The good news? It was all encrypted. More good news? The hospital thought it was still important that they notify individuals whose data was on the computer. See: Chron.com Stolen laptop puts M.D. Anderson patients' info at risk.
Computerworld is reporting that an auditor of McAfee lost an unencrypted CD containing sensitive information on thousands of that company's employees. The CD, which was unlabeled, was left in the seat pocket on a plane in December. McAfee was notified the following month and has just begun to inform the affected employees. The information includes names, addresses, social security numbers and stock holdings. See: Auditor loses data on thousands of McAfee employees - Computerworld.
Saturday, February 25, 2006
The US Federal Trade Commission has settled its complaint against CardSystems after a breach at the company compromised the personal information of forty million credit and debit card users. The company had, against its agreement with the card issuers, kept information related to transactions it was processing and failed to secure it adequately.
Somewhat oddly, the LA Times article says that the FTC could not levy any civil damages or penalties, as it did with ChoicePoint, without mentioning why.
CardSystems Settles Charges
From Associated Press
February 24 2006
WASHINGTON — A data breach that left 40 million customer accounts vulnerable to hackers will lead to tighter security measures to protect millions of credit and debit card users, Federal Trade Commission officials said Thursday.
CardSystems Solutions Inc. has settled charges that the company broke the law by failing to ensure adequate safeguards for sensitive customer information. The breach resulted in millions of dollars in fraudulent purchases, the commission said.
The settlement calls for better safeguards to protect consumer data.
The FTC could not seek civil penalties under the law it accused CardSystems of violating.
Atlanta-based CardSystems processed credit card and other payments for banks and merchants. Last summer, it was disclosed that tens of millions of mostly MasterCard and Visa accounts were exposed to possible fraud after a hacker broke into the company's computer system.
"CardSystems kept information it had no reason to keep and then stored it in a way that put consumers' financial information at risk," FTC Chairwoman Deborah Platt Majoras said.
CardSystems' assets have since been bought by San Francisco-based Pay by Touch. The settlement requires Pay by Touch to implement a comprehensive security program and obtain independent audits every other year for 20 years.
I don't think anyone in the privacy community, regardless of what side they usually fall on, thinks that the privacy watchdogs in Canada have enough resources to do their jobs quickly and efficiently. The Saskatchewan Information and Privacy Commissioner, Gary Dickson, is the subject of an article on CBC Saskatchewan's website. His three person office is having a hard time keeping up with the workflow and is still wrangling with files from 2003.
The Information and Privacy Commissioner of Alberta has released his report into the impact of outsourcing of public sector services on the privacy of Albertans. The report, entitled Public Sector Outsourcing and Risks to Privacy, follows in the footsteps of a similar report issued by the BC Commissioner last year.
Here is the press release and the backgrounder issued by the Commissioner:
Information and Privacy Commissioner releases report into Security Risks associated with Outsourcing
Alberta's Information and Privacy Commissioner has released a report into Public Sector Outsourcing and security concerns associated with the practice, and has developed recommendations for public bodies to follow. In his report, the Commissioner makes it clear it is the responsibility of the Public Body to ensure due diligence in awarding outsourcing contracts.
The report and survey of outsourcing practices was done in partnership with the Ministry of Government Services.
Frank Work wants to ensure that proper security measures are in place to protect information handled by companies in charge of outsourcing agreements. In recent years outsourcing of information and communications technology (ICT) has become common practice for many public bodies, and includes payroll administration, health care insurance and other information technology based services.
Work says Public Bodies in Alberta are doing a reasonably good job of protecting information, but a networked and security conscious world presents a number of issues and challenges.
Work says the report was prompted by concerns raised in other jurisdictions. "The Patriot Act in the United States raised many concerns about the information held by outsource providers and the protection of that information, and I wanted to make sure that outsourcing agreements in Alberta provide protection to individuals. Issues around the Patriot Act are just one type of risk that needs to be addressed in outsourcing agreements".
One of the key recommendations in the report includes ensuring that a public body has a template or check list in place to ensure that an outsource provider has proper contractual and administrative mechanisms in place for the protection of information.
The report also recommends that Public Bodies should consider a provider's physical location as a factor. "We should keep as much information as possible in Alberta. If there is no provider in Alberta the next logical step is to keep the information in Canada. If we keep personal information within our borders, it is easier to ensure it doesn't fall into the wrong hands", concluded the Commissioner.
- 30 -
All recommendations in the report are included in the attached background document. For a copy of the report, visit our web site at: www.oipc.ab.ca
Backgrounder
February 24, 2006
Background Information - Outsourcing Report Office of the Information and Privacy Commissioner
The Office of the Information and Privacy Commissioner has issued a report on Public Sector Outsourcing and the security risks involved in outsourcing. In this report, the Commissioner has developed recommendations to protect information held by outsource providers:
It is important that the Government make a strong and unequivocal assertion of the value it places on the privacy and security of the personal information of Albertans. This does not need to extend to a complete ban on foreign disclosures.
- Amend applicable legislation (i.e. Freedom of Information and Protection of Privacy Act) to clearly define responsibility for outsourcing personal information. The onus for due diligence in outsourcing should be clearly placed on the outsourcing organization (i.e. the public body).
- Amend section 40(1)(g) of the Freedom of Information and Protection of Privacy Act and section 35(1)(i) of the Health Information Act to make it clear that personal information can only be disclosed pursuant to an order of a Canadian court having jurisdiction.
- Increase the penalties for breach of the FOIP Act and the HIA.
- Ensure that the offence provisions of the FOIP Act and the HIA can be reasonably sustained, that is, the standard is not so high as to preclude a reasonable chance of conviction. The current standard is "willful".
- Consider the advisability of making similar amendments to the Health Information Act.
First, there should be a checklist or template of matters to be considered in making the decision to outsource. This could be done via a privacy impact assessment. Secondly, develop a model outsourcing contract and a checklist of contractual provisions to be considered in outsourcing arrangements. Such contract or checklist should address at least the matters referred to in sections 2.3 and 4.1 and should include provisions dealing with:
- A prohibition on assignment or subcontracting of the outsourcing contract without written consent.
- A requirement for notification by the outsourcer in the event of notice of creditor's remedies or Court applications for bankruptcy or protection from creditors.
- A requirement of notice on any demand for access to or disclosure of personal information received by the outsourcer.
- A requirement of notice of any loss of or unauthorized access to personal information by the outsourcer or its employees.
- Right to audit, not only for compliance with the contract but compliance with any legislation stipulated to be applicable to the contract.
- In addition to the right to audit, the outsourcer may be required to have in place a system which monitors or audits the outsourcers' use and disclosure of the personal information. The outsourcing entity may require access to those logs on certain conditions.
- Stipulate consequences for breach. In addition to right of termination and damages, provision should be made for: return of personal information and any copies of it; assistance in recovering lost or otherwise disclosed personal information.
Retain, as a first principle, that personal information only be outsourced within Alberta first, Canada second, and anywhere else third, depending on the specific circumstances. This policy may only be deviated from where the requirements of program delivery, such as cost, service, security, cannot reasonably be met within Alberta or Canada. The outsourcing organization should bear responsibility for making this decision and for the consequences of having made it. Whether to make such policy into law poses a dilemma, as discussed. As stated, the decision to outsource is based on a large number of factors. The decision to outsource outside of Canada requires reconsideration of these factors in light of the fact that the public body is that much more removed from the outsourcer:
- Different laws;
- Different customs (are laws pertaining to fraud, theft of information and so on regarded or enforced differently?)
- Different workforces (are the outsourcer's employees more transient, less reliable, more difficult to hold accountable, etc.?)
The gains realized from outsourcing have to be weighed against the risks presented by the nature (sensitivity, value) and the volume of the information outsourced.
- Require preparation of a privacy impact assessment (which would include issues of security) for all outsourcing arrangements involving "significant" amounts of personal information. We debated recommending that this be put into law. Legislated provisions can be inflexible. For example, it would not make sense to prepare a privacy impact assessment every time a single sample of genetic material is sent to another country for analysis.
- Require outsourcing organizations to keep a master list (inventory) of outsourcing agreements. This could be accomplished by requiring privacy impact assessments. This list should be accessible to the Chief Information/Chief Privacy Officer for the public body. The purpose of the list is to: know what personal information is outsourced where and to whom; enable timely action in the event that the outsourcee becomes insolvent; and enable agreements to be updated when they end to include state of the art privacy and security provisions.
- Someone in the public body must be specifically responsible for each outsourcing agreement. This person should know the outsourcer and the contract. There should be regular contact, check ups, and queries. Scheduled or spot audits may be advisable.
With respect to foreign outsourcers, consider having a trusted agent in the jurisdiction to monitor social/legal developments respecting the outsourcer. The entire report is available on our Web site: www.oipc.ab.ca.
Wednesday, February 22, 2006
On Sunday, I listened to and blogged about a panel on privacy that was being broadcast on CBC's Sunday Edition. The panel now has its own page at the Sunday Edition (CBC Radio | The Sunday Edition | Just Watch Us - The End of Privacy), and there's now a link to the audio in RealAudio format.
Thanks to Michael Geist for the link.
Mark Rasch at Security Focus is discussing whether there should be strict liability for data breaches so that those whose information is compromised may sue for damages: Strict liability for data breaches?.
I just recently gave this a bit of thought for an upcoming article for the Ontario division of the Canadian Bar Association's privacy section. Unless there is an actual misuse of the information leading to a loss, the biggest impediment under traditional tort law is going to be proving an actual injury. The tort of negligence requires there to be (i) a duty of care, (ii) a breach of the standard of care and (iii) an injury of some sort directly related to the breach. For most individuals whose information is lost, the injury is an increased likelihood of identity theft or other fraud, and quantifying that risk is mostly speculative. The courts of Canada generally have not been very amenable to compensating bare risks.
PIPEDA itself contains provisions that allow an aggrieved individual to seek damages in the Federal Court, but there is no mention in the statute that it creates a strict liability tort or waives the usual requirement for demonstrating injury. So far, nobody has taken a complaint seeking damages that far.
We may get some clarity about this if the class action lawsuit against CIBC ever makes it to court in Ontario. Much of the injury claimed in the statement of claim relates to the time and expense related to more vigilant credit and account monitoring. (There is also a claim related to emotional distress and the class is seeking punitive damages.) Hopefully the court will address this question, if it does get to court.
While American legislators are thinking about this issue more than Canadians, it is worth considering whether there should be an entitlement to statutory damages for a failure to notify individuals when sensitive personal information (the disclosure of which can be harmful) is compromised. This would avoid tussles in the courtrooms and would give businesses some certainty about their actual exposure. We may even hear about it at the upcoming five-year review of PIPEDA.
In the meantime, anybody advancing a claim under this sort of theory of liability will be taking a gamble on the possibility of recovering anything.
Tuesday, February 21, 2006
The Ottawa Citizen is reporting that the editor and deputy editor of the Canadian Medical Association Journal have been fired without explanation. Speculation has it that John Hoey was relieved of his post in the wake of criticism following an investigative piece in the CMAJ on privacy and the dispensing of the "morning after pill." A summary of the Citizen article is here: Top editors fired at leading medical journal.
Labels: information breaches
The CRTC is about to embark on crafting Canada's "do not call" regime. The regulator is seeking input from interested parties at hearings to be held in May in the Ottawa region. See http://www.cbc.ca/mobile/story/national/2006/02/20/crtc-060220.
Canterbury University in New Zealand has shut down its online registration service after a student discovered that anybody with a student number could obtain access to any other student's information, including personal information about disabilities, financial aid, etc. The university does not think the glitch was misused, but has taken the site down in the meantime.
Posted from my Blackberry, so please forgive the formatting, etc.
Monday, February 20, 2006
Check out David Canton's most recent article from the London Free Press: Internet privacy doesn't exist.
Labels: information breaches
I blogged a little while ago about the conviction in Nova Scotia of Eugeniu Micolai Moldovan on 77 fraud charges, stemming from a card skimming scam. (See: The Canadian Privacy Law Blog: Conviction in Nova Scotia card skimming case). Moldovan has now been sentenced to two years' imprisonment. He will also likely be deported. See Bank scammer cries before being jailed for two years.
Labels: information breaches
Sunday, February 19, 2006
"This morning, we broadcast a public forum, recorded on Monday at the Library and Archives Canada in Ottawa, titled Just Watch Us - The End of Privacy. We look at the increasing use of information in our daily life by the government and businesses and whether we're willing to give up our privacy for security in this post 9/11 world.
Joining Michael were:
Senator Raynell Andreychuk, former deputy chair of the Senate's special committee on the Anti-Terrorism Act, a Progressive-Conservative from Saskatchewan, a former lawyer and judge.
Michael Geist, Canada Research Chair of Internet and E-Commerce Law, Faculty of Law, University of Ottawa
Janice L. Kephart, counsel to the 9/11 Commission and expert on the Western Hemisphere Travel Initiative, based in Washington, D.C.
Liz McIntyre, co-author Spychips: How Major Corporations and Government Plan to Track Your Every Move with RFID (Nelson Current, 2005), based in Austin, Texas
Reid Morden, former director, CSIS, President of Reid Morden & Associates, a security consultancy group in Toronto
Jennifer Stoddart, Privacy Commissioner of Canada"
You can listen online from the links here: http://www.cbc.ca/listen/index.html. The show starts at 9:11am in each Canadian time zone. It doesn't look like it will be available except after the fact.
Saturday, February 18, 2006
This is a chilling story: A convicted murderer employed at a car dealership in Salt Lake County, Utah, used information from a female customer's credit application to track her down to her home and rape her. See: deseretnews.com Salesman accused of raping customer.
There is no mention in the article of whether the employee should have had access to that information in connection with his job. It does mention that the employee, who had previous convictions and an outstanding warrant in California, managed to get a clean bill of health during the criminal records check part of the state's screening for car salesmen.
Yet another incident involving a university:
"The University of Northern Iowa has notified about 6,000 of its employees to protect themselves from identity theft by contacting credit reporting agencies and initiating fraud alerts after a security breach was detected last week on a laptop computer at the university, officials said Friday.
The laptop, for UNI's Office of Business Operations in Cedar Rapids, contained Internal Revenue Service W-2 forms for student employees, faculty and staff.
UNI officials said a virus was detected on the laptop, which was being used to review how the forms would appear when printed.
Tom Schellhardt, vice president for administration and finance, said officials found no evidence suggesting that personal information was accessed.
Even so, everyone with data on the computer was sent an advisory letter.
A. Frank Thompson, a professor of finance, said he didn't think the forms should have been on the computer. 'It simply opens up the possibility of that information being inappropriately accessed,' he said."
Sabrina Pacifici at beSpacific (beSpacific: Google Responds to DOJ 's Motion to Comply With Data Demand) has posted a link to Google's response to the US Department of Justice's demand for its search data.
The Google Opposition to Motion is actually very interesting reading. Though part of Google's opposition is based on the argument that complying with the government's request would compromise its trade secrets, the document itself provides some interesting insights under the hood at Google and also argues that bare URLs can be very misleading.
The Privacy Commissioner's office has recently released a new finding (Commissioner's Findings - PIPEDA Case Summary #319: ISP's anti-spam measures questioned (November 3, 2005)) after a subscriber to a residential high-speed internet service complained that its anti-spam measures violated PIPEDA. In this case, as part of its anti-spam measures, the ISP filtered outgoing packets and blocked any access to outgoing mail servers (SMTP) that are not part of the ISP's service. The complainant alleged that by "reading" his outgoing e-mail, the ISP was collecting and using his personal information without consent.
The Assistant Commissioner disagreed. Here's the gist:
In making her determinations, the Assistant Privacy Commissioner deliberated as follows:
- The first issue the Assistant Commissioner considered was whether any of the information under discussion in this complaint could be considered “personal information” as defined in section 2.
- In her view, an IP address can be considered personal information if it can be associated with an identifiable individual.
- In the complainant’s case, he is assigned a dynamic IP address, which means that it changes each time he logs on. This IP address was associated with the particular computer he was using.
- The ISP does not identify the user before he or she is allowed to send e-mail, but ensures that the user is directly connected to the ISP network and is therefore a customer of the ISP.
- For the purposes of this complaint, which involved the sending of e-mail by the complainant, the Assistant Commissioner accepted that the originating IP address identified the complainant and was therefore his personal information, as per section 2.
- The ISP needs to know the destination IP address in order to deliver the message that is being sent. A port address, however, is not personal information as it is not linked to an identifiable individual.
- The complainant accepted the terms of the service agreement, which specify that the ISP collects and uses personal information for the purpose of providing service. By virtue of sending e-mail, the complainant also consented to the ISP reading the IP addresses to route the mail.
- She therefore did not find the ISP in contravention of Principle 4.3 when it reads the originating IP address.
- As for the allegation that the ISP reads the contents of the entire e-mail packet without the complainant’s consent, the Assistant Commissioner determined that there was no evidence to suggest that this was the case.
- The ISP denied that it reads anything apart from the IP and port addresses (the latter is not personal information). When the port information on the address is read, it is read by the ISP’s mail servers, electronically. No person actually reads the e-mail in this process.
- The process of reading and routing e-mail address information does not require the servers to access or read the user portion of the e-mail. The software program is set to access a predetermined portion of the address, and therefore this is the only portion of the address that is read.
The Assistant Commissioner therefore found that the ISP did not contravene Principle 4.3. She therefore concluded that the complaints were not well-founded.
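As an added illustration (not from the finding, the ISP or this blog), here is a minimal header-only outbound-SMTP filter in Python of the kind the summary describes: it decides on the source and destination IP addresses and the TCP destination port alone and never parses the message body. The ISP mail server address and the sample packets are constructed placeholders, and checksums are left at zero because nothing here is sent on a wire.

```python
"""Header-only outbound SMTP filter (added example, not the ISP's software)."""
import ipaddress
import struct

# Hypothetical ISP-operated outgoing mail server: the only port-25 destination
# the filter lets through.  Constructed value, not a real address.
ISP_SMTP_SERVERS = {ipaddress.IPv4Address("203.0.113.25")}
SMTP_PORT = 25


def parse_headers(packet: bytes) -> dict:
    """Read only the IPv4 and TCP header fields the policy needs.

    Returns the source/destination addresses, the TCP ports and the byte
    offset at which the TCP payload (the e-mail itself) starts.  The bytes
    from that offset onward are never examined by this code.
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (version_ihl, _tos, _total_len, _ident, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if version_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (version_ihl & 0x0F) * 4          # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    hdr = {"src": ipaddress.IPv4Address(src),
           "dst": ipaddress.IPv4Address(dst),
           "tcp": proto == 6}
    if not hdr["tcp"]:                       # not TCP: no SMTP decision to make
        return hdr
    if len(packet) < ihl + 20:
        raise ValueError("truncated TCP header")
    src_port, dst_port, _seq, _ack, off_flags = struct.unpack(
        "!HHIIH", packet[ihl:ihl + 14])
    tcp_len = (off_flags >> 12) * 4          # TCP data offset in bytes
    hdr.update(src_port=src_port, dst_port=dst_port,
               payload_offset=ihl + tcp_len)
    return hdr


def outbound_smtp_decision(packet: bytes) -> str:
    """Apply the policy from the case summary: block outbound port-25 traffic
    unless it is addressed to the ISP's own mail server."""
    hdr = parse_headers(packet)
    if not hdr["tcp"] or hdr["dst_port"] != SMTP_PORT:
        return "pass"
    if hdr["dst"] in ISP_SMTP_SERVERS:
        return "pass"
    return "block"


def build_tcp_packet(src: str, dst: str, src_port: int, dst_port: int,
                     payload: bytes) -> bytes:
    """Construct a bare IPv4+TCP packet for the demonstration (no checksums)."""
    tcp = struct.pack("!HHIIHHHH", src_port, dst_port, 0, 0,
                      (5 << 12) | 0x18, 65535, 0, 0)   # data offset 5, PSH+ACK
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + tcp + payload


if __name__ == "__main__":
    # Constructed sample traffic from a subscriber at 198.51.100.7.
    samples = {
        "third-party SMTP": build_tcp_packet("198.51.100.7", "192.0.2.10",
                                             40000, 25, b"MAIL FROM:<a@b>\r\n"),
        "ISP SMTP": build_tcp_packet("198.51.100.7", "203.0.113.25",
                                     40001, 25, b"MAIL FROM:<a@b>\r\n"),
        "HTTPS": build_tcp_packet("198.51.100.7", "192.0.2.10",
                                  40002, 443, b"\x16\x03\x01"),
    }
    for name, pkt in samples.items():
        print(f"{name:16} -> {outbound_smtp_decision(pkt)}")
```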
Joanne VanAuken at Government Enterprise has written about The 10 Biggest Network Security Myths. Check it out.
Labels: information breaches
The Houston Police Chief has stirred up controversy by suggesting that surveillance cameras should be mandatory for all shopping malls, apartment complexes, public streets and perhaps even private homes. The Houston police are facing a personnel shortage and the Chief appears to think that the technology will offset the lack of human resources. Not surprisingly, some people think this really isn't a great idea (particularly the private home part). Check out the Seattle Post-Intelligencer: Houston eyes cameras at apartment complexes.
The folks over at Slashdot have a thing or two to say about it, as well: Slashdot Houston Police Chief Wants Cameras in Homes.
Canada's new Conservative Public Safety Minister is musing that a new national ID card may be on the horizon, perhaps incorporating biometrics and smart-card technology. The topic came up in a phone conversation between Stockwell Day and his American counterpart, Homeland Security Secretary Michael Chertoff.
Labels: information breaches
Wednesday, February 15, 2006
Here's an interesting case from the US:
Incidents involving missing and stolen data have regularly been in the news and reported on this blog. In many cases, the first question asked is whether the data was encrypted. Or, the company missing the data will very loudly say "don't worry. It was encrypted." In this particular case, a laptop was stolen from an employee's home that contained information on thousands of student loan account holders. The data was not encrypted and there was no evidence that the data was used in connection with any other criminal activity.
One of the individuals involved sued the company that owned the data, arguing that the data should have been encrypted and, by not encrypting it, the company was negligent. Well, a US District Court Judge has thrown out the lawsuit, concluding that Gramm-Leach-Bliley legislation does not mandate encryption. And besides, the laptop was in a house in a low-crime neighbourhood.
See Declan McCullagh's report from CNet News: Judge: Firm not negligent in failure to encrypt data CNET News.com.
Tuesday, February 14, 2006
The Privacy Commissioner of Canada has published a few more findings on her website, including one in which I acted for the respondent.
In case summary #320, the complainants challenged an insurer's right to request an independent medical examination for individuals seeking benefits under Section "B" of the insurance policy. (Interestingly, the insureds were seeking benefits beyond the four-year limit set out in the policy, which the insurer has no obligation to pay.) The complainants wanted to be examined only by their own physicians, so they refused to submit to an examination by a licensed physician hired by the insurer. It was, they argued, a violation of privacy.
The case hinged on the language contained in the policy of insurance, which is standard for all auto insurers in the province and is approved by the province's Superintendent of Insurance. The policy reads, in part:
Section B – Accident Benefits
The Insurer agrees to pay to or with respect to each insured person as defined in this section who sustains bodily injury or death by an accident arising out of the use or operation of an automobile:
Subsection 1 – Medical, Rehabilitation and Funeral Expenses
(1) All reasonable expenses incurred within four years from the date of the accident as a result of such injury for necessary medical, surgical, dental, chiropractic, hospital, professional nursing and ambulance service and for any other service within the meaning of entitled services in the Hospital Services Act or the Medical Services Payment Act and for such other services and supplies which are, in the opinion of the physician of the insured person’s choice and that of the Insurer’s medical advisor, essential for the treatment, occupational retraining or rehabilitation of said person, to the limit of $50,000 per person.
The insurance policy also contains a provision saying that the insurer has the right to examine the insured person when and as often as it reasonably requires while the claim is pending. The insurer argued that the individual agreed, by being a party to the policy of insurance, to submit to an IME to support a claim for benefits and that submitting to an IME is a condition of receiving benefits.
The commissioner determined that the complaint was not well-founded:
Application: subsection 5(3) [of PIPEDA] states that an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances; Principle 4.2 requires that the purposes for which personal information is collected be identified by the organization at or before the time the information is collected; and Principle 4.3 stipulates that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information except where inappropriate.
In making her determinations, the Assistant Privacy Commissioner deliberated as follows:
- In keeping with the requirements of Principle 4.2, the automobile insurance policy in question clearly specifies that the insurer has the right to request a medical examination by a physician of the insurer’s choice for the purpose of investigating and processing the insured person’s claim. The policy also states that both the physician of the insured person’s choice and the insurer’s medical advisor must concur with the expenses being claimed.
- In the Assistant Commissioner’s opinion, a reasonable person would likely consider it appropriate for an insurance company to request a medical examination in order to ensure the validity of a claim, and to collect information from the examination and use it to assess the claim. Such a purpose would therefore meet the expectations of subsection 5(3). As all automobile insurance policy language is standard in the province, all insurance companies have this requirement.
- By being a party to the motor vehicle insurance policy and by submitting a claim under the policy, each of the complainants consented to the terms of the policy, one of which is that the insurer has the right to “examine the person of the insured person.” She therefore found that the insurance company did not contravene the consent provisions set out in Principle 4.3 of Schedule 1.
You can read the full finding here: Commissioner's Findings - PIPEDA Case Summary #320: Refusal to undergo an independent medical examination results in termination of insurance benefits (December 5, 2005).
Monday, February 13, 2006
Jon Oltsik at CNet News argues that lost backup tapes really aren't that big of a deal. First of all, they're likely lost and not stolen. Secondly, tapes are fragile and probably won't last long. Third, they are likely part of an incremental set so may not contain all that it could have. Fourth, your average thief will have no clue what to do with it. And finally, the thief likely doesn't have the tools to pilfer the data. In short, Oltsik argues, you'd need a pretty determined, savvy, well-equipped thief to make it something to worry about. Check it out: One less data breach method to fret about: Perspectives CNET News.com.
It may all be true, but if my data's on the tape, I'd rather it was encrypted. Oh, and not lost.
Labels: information breaches
Pharmacies are a hotbed of privacy issues as of late, particularly as the practice of pharmacy continues its transformation from vendors of medication to members of the "healthcare team."
An individual recently complained to the Information and Privacy Commissioner of Alberta after being required to provide personal information to purchase insulin. Insulin is not a prescription medication, but is rather a "Schedule II" drug, meaning that it has to be dispensed by a pharmacist. The pharmacist refused to sell the insulin without the person's name, date of birth and other information. The individual then complained to the Commissioner under the province's Health Information Act.
The individual's complaint was not upheld by the Commissioner in a decision handed down today:
[para 43] The Pharmacist’s practice of collecting the prospective purchaser’s name, address, date of birth and phone number and relevant information pertaining to any allergies or medical conditions for the sale of Insulin is authorized by section 20(b) of the Health Information Act.
[para 44] This investigation was initiated based on a complaint regarding an individual’s attempt to purchase Insulin. The outcome may not be the same for the sale of other drugs listed in Schedule 2 of the Pharmaceutical Profession Act.
The full report is available at the Commissioner's website: Investigation Report H2006-IR-001.
Here is the response from the Alberta College of Pharmacists:
ACP Response to Privacy Commissioner Report:
EDMONTON, Feb. 13 /CNW/ - The Alberta College of Pharmacists (ACP) is pleased that the Office of the Information and Privacy Commissioner has supported a pharmacist's authority to collect health information from an individual under the Health Information Act (HIA).
"Pharmacists are health professionals," says Karen Wolfe, ACP president. "It is our responsibility to ensure your drug therapy is appropriate and safe."
Collecting information to determine whether a medication is right for you means a pharmacist should ask you about your medical condition and about other drugs you are taking, remarks Wolfe.
"Pharmacists need to know about your health status, your symptoms and other related health information to determine if a drug product is the right one for you," she notes.
Wolfe was responding to a report released today by the Office of the Information and Privacy Commissioner indicating that a pharmacist's collection of the prospective purchaser's name, address, date of birth, phone number and other relevant information pertaining to any allergies or medical conditions is appropriate. The report is based on a complaint related to the purchase of insulin, a Schedule 2 drug, i.e., a drug that is held in the dispensary but does not require a prescription.
Wolfe adds, "Many Albertans do not understand that obtaining a Schedule 2 drug is not a simple retail transaction." An appropriate assessment about the patient's condition, selection of the right drug therapy, and advice about using the drug are important parts of the process.
Wolfe comments that pharmacists by law are required to keep your health information private and confidential. "Any information we collect will be used only for patient care," she says.
The Alberta College of Pharmacists is the regulatory and licensing body for pharmacists and pharmacies in Alberta.
Computerworld, which is consistently a good source of reporting on information security, is running an account of a privacy incident through the eyes of the information security officer of a state agency. Worth reading: Breached! A Security Manager's Nightmare - Computerworld.
Labels: information breaches
Sunday, February 12, 2006
I posted a little while ago about a new trend of pawnshops being required to collect customers' personal information for inclusion in a police database (See The Canadian Privacy Law Blog: Database on sellers of used goods upsets Ontario Privacy Commissioner). We now have a measure of resolution to the legal controversy.
Two different used-goods vendors in two different provinces went to the courts to challenge two bylaws of this sort. Cash Converters in Oshawa, Ontario and Royal City Jewellers & Loans in New Westminster, BC each sought relief before the courts of their respective provinces. Both were shot down. Not too surprisingly, the argument that the bylaws are contrary to the federal privacy law, PIPEDA, and the BC equivalent, PIPA, did not hold water. Both laws allow collection of personal information without consent when required by law. Even a municipal bylaw satisfies that requirement.
This isn't the end of the debate, as both companies are considering appeals. And the political debate will continue. Just because it is legal doesn't necessarily make it uncontroversial. From the Toronto Star: TheStar.com - Courts okay database bylaw
Another great privacy cartoon from the New Yorker: Vet your Date.
Saturday, February 11, 2006
From the Federal Communications Commission (via beSpacific: FCC Proposes Rulemaking to Prevent Sale of Cell Phone Records):
FCC EXAMINES NEED FOR TOUGHER PRIVACY RULES
Comment Sought On Measures Proposed by EPIC, Commission
Washington, D.C. – The Federal Communications Commission today launched a proceeding to examine whether additional security measures could prevent the unauthorized disclosure of sensitive customer information held by telecommunications companies.
In a Notice of Proposed Rulemaking (NPRM) adopted today, the Commission seeks comment on a variety of issues related to customer privacy, including what security measures carriers currently have in place, what inadequacies exist in those measures, and what kind of security measures may be warranted to better protect consumers’ privacy. The Notice grants a petition for rulemaking filed by the Electronic Privacy Information Center (EPIC) expressing concerns about whether carriers are adequately protecting customer call records and other customer proprietary network information, or CPNI. EPIC claims that some data brokers have taken advantage of inadequate security standards to gain access to the information under false pretenses, such as by posing as the customer, and then offering the records for sale on the Internet. The practice is known as “pretexting.”
In its petition, EPIC proposed five additional security measures that it says will more adequately protect CPNI. The NPRM specifically seeks comment on these five measures, which are:
- Passwords set by consumers.
- Audit trails that record all instances when a customer’s records have been accessed, whether information was disclosed, and to whom.
- Encryption by carriers of stored CPNI data.
- Limits on data retention that require deletion of call records when they are no longer needed.
- Notice provided by companies to customers when the security of their CPNI may have been breached.
Section 222 of the Communications Act requires carriers to take specific steps to ensure that CPNI is adequately protected from unauthorized disclosure. Current rules require carriers to certify compliance with the Commission’s CPNI rules and make that certification available to the public, but the Commission observes that a lack of uniformity in these certifications could be an obstacle to effective enforcement. The Commission seeks comment on a tentative conclusion that it should amend its rules to require carriers to file annual compliance certificates with the Commission, along with a summary of all consumer complaints received in the past year concerning the unauthorized release of CPNI and a summary of any actions taken against data brokers during the preceding year.
The Commission also seeks comment on other ways to protect customer privacy, including whether carriers should be required to take the additional step of calling a subscriber’s registered telephone number before releasing CPNI in order to verify that the caller requesting the information is actually the subscriber.
Action by the Commission, February 10, 2006 by Notice of Proposed Rulemaking (FCC 06-10). Chairman Martin, Commissioners Copps, Adelstein and Tate.
The Alberta Information and Privacy Commissioner has released his report into the province's cervical cancer screening program, which was alleged to not comply with the Health Information Act of Alberta. From the Commissioner's release:
Commissioner releases report into the Alberta Cervical Cancer Screening Program
February 9, 2006
Edmonton... Commissioner Frank Work ordered an investigation into complaints that the Alberta Cervical Cancer Screening Program (ACCSP) collects, uses and discloses health information in contravention of the Health Information Act. The ACCSP is a program operated by the Alberta Cancer Board (ACB).
The complainants expressed concern that information related to a woman's Papanicolaou (Pap test) is disclosed without consent to the ACCSP, and that there is no ability for a woman to opt-out of the program.
The investigation found that the ACB:
- Has authority to collect, use and disclose health information without consent, to operate the ACCSP
- Completed a Privacy Impact Assessment, and took reasonable steps to maintain safeguards to protect the privacy, confidentiality and security of health information within the ACCSP
- Allowed women to opt-out of receiving further contact from the ACCSP. However, this step was not sufficient to meet the duty to consider an individual's expressed wish about how much health information to disclose
During the course of the investigation, the ACB implemented a change to the program, offering women the ability to opt-out of the ACCSP. In doing so, the ACB now complies with the requirements of the Health Information Act.
The report makes no recommendations, as the ACB has already taken steps required to comply with the Act.
- 30 -
For a copy of Investigation Report H2005-IR-002 or for more information contact:
Wayne Wood, Director, Communications, (780) 422-6860
From the Information and Privacy Commissioner of Alberta (with link to the report):
Commissioner finds the Workers' Compensation Board had authority to disclose personal information
February 9, 2006
Information and Privacy Commissioner, Frank Work, has determined that the Workers' Compensation Board was authorized to release personal information on an individual.
The person had filed a complaint with the Office of the Information and Privacy Commissioner following the release of personal information from the WCB to the Appeals Commission for the Board.
The Complainant objected to the release of the information and also complained about the extent of the information disclosed. The WCB released the information to the Appeals Board regarding an allegation of a reasonable apprehension of bias concerning the complainant.
Commissioner Work has held that the WCB was authorized to release the information under section 40 (1) of the Freedom of Information and Protection of Privacy Act. In his ruling, Work indicated the extent of the disclosure of information was necessary to enable the WCB to carry out the purposes of section 40 (1) in a reasonable manner.
- 30 -
Copyright (c) 2006 Government of Alberta
To obtain copies of F2005-002, contact:
The Electronic Privacy Information Center, west coast office, is reporting on its blog that US telephone carriers are permitted to "share" their subscribers' calling information unless the subscriber opts out. It all seems a little unclear, but it's surprising if it is true. See: EPIC West: Electronic Privacy Information Center West Coast Office: Your Phone Company Sells Your Call Records. Opt Out Now!.
Labels: information breaches
Friday, February 10, 2006
The State of Texas is joining other states in going after vendors of phone records. Texas is suing USA Skiptrace, alleging their services violate the state's Deceptive Trade Practices Act. See: KWTX Texas Sues Over Sale Of Private Phone Records.
Labels: information breaches
Thursday, February 09, 2006
Here is evidence that some legislators are getting concerned about the amount of personal information being retained by companies:
Congressman Edward Markey - February 8, 2006- Markey Launches Legislation to Prevent Industry Warehousing of Consumer Data:
Washington, D.C. –Representative Edward J. Markey (D-MA), the ranking Democrat on the Telecommunications and Internet Subcommittee of the House Energy and Commerce Committee, today introduced the Eliminate Warehousing of Consumer Internet Data Act of 2006 – designed to strengthen consumers’ Internet privacy and prevent companies from storing personal information for indefinite periods of time.
“In this digital information age, personal identifiers are the keys which unlock the personal lives and valuable possessions of millions of Americans. Internet companies are often able to glean personal information through a computer user’s surfing and searching of Internet sites. Such entities should not hoard these personal identifiers in databases that often hold the imprints of millions of individuals and their Internet use. This warehoused personal information about consumers’ Internet use should not be needlessly stored to await compromise by data thieves or fraudsters, or disclosure through judicial fishing expeditions.” said Rep. Markey, who is also the author of H.R. 1078, “The Social Security Number Protection Act,” a bill aimed at protecting consumers from the abuse of the purchase and sale of social security numbers.
“Technology is the engine which will drive our economy into the next century, but the success of this technology balances on the public trust. If 2005 was the year of the data breach, I am going to make sure that 2006 is the year of safeguarding the privacy of American citizens by introducing legislation to prevent the stockpiling of private citizens personal data. My bill will require that the owners of Internet websites destroy warehoused information that is obsolete. We must stop companies from unnecessarily storing the building blocks of American citizens’ private lives,” Markey concluded.
Rep. Markey’s bill would require owners of Internet websites to destroy obsolete data that can be used to individually identify a consumer, including credit card numbers, bank numbers, and date of birth, home address and Social Security numbers. The bill directs the Federal Trade Commission to set standards and enforce this act.
The provision introduced by Rep. Markey is the same standard that Congress has adopted for information gathered by cable companies about individual viewing and subscription habits, and it better balances the tension between the commercial operations of Internet search engines and the privacy concerns of all Americans.
For information on Representative Markey’s work to protect consumer privacy, check out: http://markey.house.gov/.
Of course, the bill may not go anywhere, but it is evidence that it is not only online paranoids who are concerned about this stuff.
Thanks to beSpacific for the link and to Steve Matthews for pointing it out.
The Law School Admissions Test now requires a fingerprint from the person being tested. I assume that this is to make sure that you are the person actually writing the test under your own name, rather than a ringer. Now, the BC Information and Privacy Commissioner and the Federal Commissioner are dealing with allegations that the practice is an invasion of privacy, and there are fears that the print and other info will find their way into the hands of US law enforcement under the USA Patriot Act. Check out the CBC story here: CBC British Columbia - Student fingerprinting sets off alarms
Methinks that Google is going to find itself losing a lot of the trust that it has built up with consumers:
AP Wire 02/09/2006 Google's search feature seeks more access to personal computers:
"SAN FRANCISCO - Google Inc. is offering a new tool that will automatically transfer information from one personal computer to another, but anyone wanting that convenience must authorize the Internet search leader to store the material for up to 30 days....
To enable the computer-to-computer search function, a user specifies what information should be indexed and then agrees to allow Google to transfer the material to its own storage system. Google plans to encrypt all data transferred from users' hard drives and restrict access to just a handful of its employees. The company says it won't peruse any of the transferred information.
Once another computer participating in a user's personal network is turned on, Google automatically transfers the information so it's available to be searched.
Google intends to delete the information shortly after the electronic handoff, and will never retain anything from a user's hard drive for more than 30 days, said Sundar Pichai, director of product management.
Despite the privacy concerns likely to be raised, Google executives are confident the product will appeal to many people wanting a way to use a home computer to hunt data stored on an office computer, or vice versa.
"We think this will be a very useful tool, but you will have to give up some of your privacy," said Marissa Mayer, Google's vice president of search products and user experience. "For many of us, that trade off will make a lot of sense."
Wednesday, February 08, 2006
Yet Another Faxing Foul Up.
This time, the well-known Brigham and Women's Hospital has been regularly sending a Boston-area investment bank personal health information about recently discharged maternity patients. The information includes name, address, social security number, religion, attending physician and whether the woman/baby tested positive for STDs. The faxed forms apparently are for billing purposes:
BostonHerald.com - Local / Regional News: Brigham sent bank new moms' records
The faxed data was patient billing information. Hospitals typically send this type of information to medical supply companies for products for patients. The information is used to bill the patient’s insurance company.
While the accidental faxes are the bigger issue, perhaps someone can tell me why a billing form has to include the patient's religion, social security number and STD status? That makes two serious privacy issues.
The City Council for Chilliwack, in British Columbia's lower mainland, has put a controversial bylaw on hold, pending a review from the Information and Privacy Commissioner of BC. The bylaw, if passed, would require stores to demand photo ID from purchasers of hydroponic equipment. In addition, the purchaser's personal information would be entered into a database with the Royal Canadian Mounted Police. Not surprisingly, some have voiced concerns with the initiative. Check out: globeandmail.com : Hydroponics bylaw on hold in Chilliwack.
Also check out:
City of Chilliwack - Notices - City Government:
Public Notice is given that City Council intends to adopt 'Hydroponics and Drug Paraphernalia Bylaw 2006, No. 3223' to regulate Hydroponics Equipment and Drug Paraphernalia Dealers. A Public Information Meeting is scheduled for 7:00 p.m. on Monday, February 6, 2006.
According to Computerworld, an insurer in North Carolina has accidentally printed social security numbers on the mailing labels of customers who sought information on a new insurance program. The incident was attributed to "human error" and occurred despite the fact that the insurer had already replaced SSNs as customer identifiers. See: 'Human error' exposes patients' Social Security numbers in N.C. - Computerworld.
Labels: information breaches
Tuesday, February 07, 2006
I blogged early this morning about an incident being reported by KATU2 of Portland: (The Canadian Privacy Law Blog: Incident: Employee may have stolen personal information from Providence Health System - Original post deleted) Unfortunately, I misread the article and reported on this blog that the information in question was stolen by an employee of Providence Health Systems. That apparently was not the case. The personal information in question was stolen from the employee's vehicle on December 31, 2005 and some of it appears to have been used in fraudulent transactions since then. The investigation is still ongoing.
I've linked to Anita Ramasastry's Findlaw columns before, but this one is a must read: FindLaw's Writ - Ramasastry: Whose Credit Report is it, Anyway? It's Time for States to Pass Credit Freeze Laws that Give Consumers Control Over their Credit Profiles. Anita provides an overview of the problem of identity theft and advocates the use of credit freezes to give consumers additional tools to protect their financial well-being. Thanks to beSpacific for the link.
According to the Associated Press and the Oroville Mercury Register, a suspected break-in of a computer server at California State University, East Bay may have compromised the personal information, including social security numbers, of up to 700 faculty and 1600 staff members. It is unclear whether the information was actually obtained in the course of the security breach, but the university has notified the affected employees and has called in the California Office of Information Privacy.
See the report from the Oroville Mercury Register here.
Labels: information breaches
Monday, February 06, 2006
Most Canadians with any interest in privacy are well aware of the very high-profile CIBC faxing fiasco that resulted in hundreds of confidential faxes being sent from dozens of bank branches to one particular junk yard in the United States. When the story broke, it was front-page news and continued making headlines for weeks. It has even spawned a class action lawsuit against the bank, alleging that the failure to notify the individuals concerned caused them increased risk of identity theft.
Now there's a similar story coming from the US about hundreds of faxes being accidentally sent to a Canadian manufacturer of herbal remedies. According to Computerworld, a large number of people have been trying to send Prudential Financial Inc.'s insurance arm faxes containing confidential patient information. Unfortunately, hundreds went to a company called North Regent RX in Manitoba, Canada. The two toll-free fax numbers differ by only one digit. This is likely to be labeled outrageous, but compounding the situation is that it apparently has gone unchecked for fifteen months.
The company apparently notified Prudential in October 2004, but months passed without any response. Now, Prudential is reported to say that it is not their problem: they have no responsibility for others who incorrectly fax information. That may be true, but I am sure Prudential will face a storm of criticism asking what it did to protect its customers' information. The Manitoba company offered to sell its toll-free fax number to Prudential, which declined. Prudential simply asked that misdirected faxes be mailed to it as they came in. North Regent had initially contacted the senders, but quickly found it did not have the time and resources to continue to do so.
Legally, Prudential may have no responsibility for the misdirected faxes, but it will still face criticism that might have been avoided had they simply bought the fax number.
Check out Computerworld for the full story: Confidential patient data sent to wrong company -- for 15 months - Computerworld.
Thanks to Michael Fitzgibbon for passing this teaser along from NBC News:
The Daily Nightly - MSNBC.com:
"She was sure someone had stolen her social security number, but nobody -- not her bank or her credit companies -- would give her any information. Then, she got a new ATM card in the mail... with the thief's picture on it! It's an incredible story of identity theft, tonight on NBC Nightly News."
The New York Times continues to lead the pack in reporting on privacy and security issues. On Saturday, the NYT ran an article on the increasing frequency with which law enforcement is seeking information from internet service providers in connection with investigations of all kinds: Increasingly, Internet's Data Trail Leads to Court - New York Times.
As I have said here, if you don't need the data, don't keep it. That data can be stolen, compromised or you could find yourself an information collector for law enforcement and others. Responding to privacy incidents is costly and dealing with subpoenas is also expensive. Check out: The Canadian Privacy Law Blog: Don't keep the data that you don't need.
Sunday, February 05, 2006
The Information and Privacy Commissioner of BC (and hopefully the police) are investigating the theft of a courier vehicle full of medical records that was left idling and unlocked outside a medical facility in the Vancouver suburb of Langley, BC. See: Medical Records Stolen: CNG Portals Page
The New York Times is running another article on the problem with companies that sell cell-phone records (Lipstick on Your Caller - New York Times), but the most significant "action item" from the piece is a quote from Marc Rotenberg of EPIC:
'The bigger problem is that all this information is lying around,' said Marc Rotenberg, the executive director of the Electronic Privacy Information Center. 'If companies can't keep the information secure, then they shouldn't keep it.'
That's advice that bears repeating: The Canadian Privacy Law Blog: Don't keep the data that you don't need.
Labels: information breaches
According to RCRNews.com and others, the House Commerce Committee is seeking information from online data brokers in the course of investigating the sales of phone records. Their polite letter also threatens subpoenas if they do not cooperate.
Labels: information breaches
The Globe and Mail's technology section has an article on hidden metadata, where it comes from and what Microsoft is trying to do to address the issue. (See: globeandmail.com : Stamping out metadata.)
Here are my own thoughts on the issue:
Metadata is one of the greatest privacy and confidentiality risks for users of Microsoft's Office suite of programs. It has caused innumerable slip-ups, mostly by users who are generally oblivious to its presence or to how to remove it. The problem is compounded by the fact that some of the most obvious metadata (track changes and comments) can be completely invisible. For example, if someone sends you a document full of markups but their copy of Word is set to show only the "final" version, they won't see the markups before they send the document on. The setting not to show changes follows the document, so the next person to open it will not see the markups unless they manually change the option. The same goes for "comments", which can be handy but are often not apparent to the viewer of the document.
Like many things, there are features in Word that will help you avoid metadata blunders (Options > Security > Privacy), but they have to be manually turned on and the average user is completely oblivious to them. To make things worse, one of the options is misleading. If you tick "Warn before printing, saving or sending a file that contains tracked changes or comments", it will not really warn you when you send a file the way that 99.9% of people do. If you attach it to an Outlook message, no warning. None. One might think that those two parts of the Office suite would talk to one another. Or that the "feature" might be accurately labelled. No such luck.
Even with all the publicity given to metadata issues of late, I have still seen first-hand some metadata blunders that could have had a huge impact on confidentiality. I've seen a closing checklist for a huge transaction that was based on a precedent document. Whoever typed the changes had (likely accidentally) used "track changes" with the markups hidden, so they didn't see that the markups fully identified another client of the firm who authored it. I've also seen documents sent with lawyers' comments embedded that were sent to the other side. I've also seen service agreements with pricing information embedded from a previous customer. This is a serious issue.
So what's the solution? It is not to remove features like comments, track changes and the like; these are all useful features. Those who understand what the metadata problem is and how these applications work are likely pretty careful about the metadata issue. The problem is that this is a potential security hole that exists out of the box, and uneducated users don't know it is there or what it can do. Program designers need to make sure that the programs they publish are set to be secure by default and that users are educated about the possibility of compromising confidential information if the features are enabled. And while I'm at it, I'll suggest that the two most-used programs in Microsoft's Office suite, Word and Outlook, need to work together to deal with the issue. Programming a feature to warn users that they are about to e-mail a document with metadata probably wouldn't be impossible. Or have it only throw up a flag if the document is mailed to someone beyond the local Exchange server. And have it alert if a document is being copied off a networked drive onto a CD, thumb drive or other portable media. Finally, if the security setting says it'll warn you when you e-mail a metadata-ridden document, it should at least do so.
Update: Jim Calloway has a great post about metadata and lawyers: The Mysteries (and Magic) of Metadata.
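The pre-send check the post asks Word and Outlook for, as an added example that is not the post's or Microsoft's code: it reads the modern OOXML (.docx) format, which stores tracked changes, comments and the "final view" setting as XML parts inside a zip file (an assumption on my part; the post's documents were the older binary .doc format), and reports what a recipient would find. The sample documents, client names and author values are constructed for the example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
NS, AUTHOR = {"w": W}, f"{{{W}}}author"

def inspect_docx(data: bytes) -> dict:
    """Count tracked changes and comments, and note if the file's view settings hide them."""
    report = {"insertions": 0, "deletions": 0, "comments": 0, "markup_hidden": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        doc = ET.fromstring(z.read("word/document.xml"))
        ins, dels = doc.findall(".//w:ins", NS), doc.findall(".//w:del", NS)
        report["insertions"], report["deletions"] = len(ins), len(dels)
        found = []
        if "word/comments.xml" in names:
            found = ET.fromstring(z.read("word/comments.xml")).findall("w:comment", NS)
            report["comments"] = len(found)
        # Revision marks and comments carry the editor's name, which is metadata in itself.
        report["authors"] = {e.get(AUTHOR) for e in ins + dels + found if e.get(AUTHOR)}
        if "word/settings.xml" in names:
            view = ET.fromstring(z.read("word/settings.xml")).find("w:revisionView", NS)
            # <w:revisionView w:markup="0"/> is the "final" view the post describes: the
            # markup travels with the file but is not displayed when it is next opened.
            if view is not None and view.get(f"{{{W}}}markup") in ("0", "false", "off"):
                report["markup_hidden"] = True
    return report

def send_warnings(data: bytes) -> list:
    """The pre-send check the post asks for: reasons not to attach this file to an e-mail."""
    r, warnings = inspect_docx(data), []
    if r["insertions"] or r["deletions"]:
        warnings.append(f"{r['insertions'] + r['deletions']} tracked change(s) by {sorted(r['authors'])}")
    if r["comments"]:
        warnings.append(f"{r['comments']} comment(s)")
    if warnings and r["markup_hidden"]:
        warnings.append("markup is hidden: the recipient will not see it either")
    return warnings

def build_docx(body: str, comments: str = "", markup_hidden: bool = False) -> bytes:
    """Constructed minimal .docx holding only the parts inspect_docx reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", f'<w:document xmlns:w="{W}"><w:body>{body}</w:body></w:document>')
        if comments:
            z.writestr("word/comments.xml", f'<w:comments xmlns:w="{W}">{comments}</w:comments>')
        if markup_hidden:
            z.writestr("word/settings.xml", f'<w:settings xmlns:w="{W}"><w:revisionView w:markup="0"/></w:settings>')
    return buf.getvalue()

# Constructed sample: a precedent checklist edited with track changes on and the "final"
# view selected, as in the post's anecdote; the previous client's name is still inside.
CHECKLIST = build_docx(
    '<w:p><w:r><w:t>Closing checklist for </w:t></w:r>'
    '<w:del w:id="1" w:author="Associate"><w:r><w:delText>Previous Client Inc.</w:delText></w:r></w:del>'
    '<w:ins w:id="2" w:author="Associate"><w:r><w:t>New Client Ltd.</w:t></w:r></w:ins></w:p>',
    comments='<w:comment w:id="0" w:author="Partner"><w:p><w:r><w:t>Check pricing</w:t></w:r></w:p></w:comment>',
    markup_hidden=True)
CLEAN = build_docx('<w:p><w:r><w:t>Closing checklist for New Client Ltd.</w:t></w:r></w:p>')
```

Calling `send_warnings(CHECKLIST)` returns three warnings (the hidden deletion and insertion, the partner's comment, and the hidden-markup flag), while `send_warnings(CLEAN)` returns an empty list.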
Saturday, February 04, 2006
With all the fuss about search engines and what they know about users, Declan McCullagh of CNET has asked some probing questions of Google, Yahoo!, MSN and AOL. The answers are interesting: FAQ: When Google is not your friend Tech News on ZDNet.
Dutch RFID e-passport cracked -- US next? - Engadget:
"A Dutch television program 'Nieuwslicht' recently worked with local security firm Riscure to successfully crack and decrypt a Dutch-prototype RFID passport. In this case, the data exchange between the RFID reader and passport was intercepted, stored, and then the password was cracked later in just 2 hours on a PC giving full access to the digitized fingerprint, photograph, and all other encrypted and plain text data on the RFID tag -- just perfect for slapping together a cloned passport, eh? The flaw, at least in part, is due to the algorithm used when generating the secret key to protect the data. The key turns out to be predictable given that it is sequentially issued and constructed from the passport expiry date, birth date, passport number, and checksum. But don't kick back in superior isolationism just yet kid. Starting October 2006 the US will issue all new passports using the same ISO 14443 RFID tag and Basic Access Control encryption scheme employed by the Dutch e-passports (and others) and adopted by the ICAO as global standards. It's still not clear at what distance the exchange was intercepted -- while the passive ISO 14443 tag is spec'd with a read distance of only 2 millimeters you'll find claims of reads at several meters. This is important 'cause the greater the read distance in say, the line at airport immigration control, the greater the chance of abuse. Regardless, the Dutch e-passport system is still under development allowing for changes, which makes us wonder, is ours? Wouldn't be the first time we've abandoned RFID passport plans due to technology concerns.
Friday, February 03, 2006
Welcome to the blogging world, Open and Shut. Peter Timmins of New South Wales in Australia works regularly with the freedom of information and privacy legislation down under. He has just started his new blog, Open and Shut. The blog goes hand in hand with his regular FOI Newsletter of the same name and should keep you up to date on what's happening in this area in Australia. Since the Australian experience with privacy and access law is similar to what we find in Canada, it's always worthwhile taking a global perspective. Welcome to blogging, Peter.
Thursday, February 02, 2006
The Information and Privacy Commissioner of Ontario has released a handy four-page fact sheet on the secure destruction of personal information. Check it out in PDF here: Secure Destruction of Personal Information.
Learn it. Live it. Love it.
Labels: information breaches
Wednesday, February 01, 2006
The Boston Globe is doing a major mea culpa after thousands of bundles of its paper were distributed with subscribers' personal information on the back of paper used to wrap the bundles. From the Globe itself:
Subscriber credit data distributed by mistake - The Boston Globe
Credit and bank card numbers of as many as 240,000 subscribers of The Boston Globe and Worcester Telegram & Gazette were inadvertently distributed with bundles of T&G newspapers on Sunday, officials of the newspapers said yesterday.
The confidential information was on the back of paper used in wrapping newspaper bundles for distribution to carriers and retailers. As many as 9,000 bundles of the T&G, wrapped in paper containing subscribers' names and their confidential information, were distributed Sunday to 2,000 retailers and 390 carriers in the Worcester area, said Alfred S. Larkin Jr., spokesman for the Globe.
In addition, routing information for personal checks of 1,100 T&G subscribers also may have been inadvertently released.
The Globe and T&G, which are both owned by The New York Times Co., share a computer system.
The release of the data is another in a long list of high-profile incidents in which companies, universities, and federal and state agencies have had sensitive financial information lost or stolen.
Globe and T&G officials said the newspapers have notified the four major credit card companies -- American Express, Discover, MasterCard, and Visa -- of the problem. The newspapers will turn over the card numbers of subscribers who may have been affected to the companies upon request. As of last night, Mastercard and Visa have asked for the details. The newspapers are doing the same thing with banks of customers who may be affected.
About 227,000 Globe subscribers pay by credit or bank cards, although it's unclear exactly how many had their information released. Larkin, however, said a reconstruction of the errors suggests a majority of those affected are Globe subscribers.
The newspapers have also set up a hot line, 1-888-665-2644, for customers to call to learn whether their financial information may have been distributed. As an extra precaution, newspaper officials also urged subscribers to contact their credit card companies if they are concerned about unauthorized transactions....
OK. This is obviously a screw-up, but I'm left scratching my head about how this information went from accounting to bundling without anybody doing anything about it.
Labels: information breaches
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.