The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Friday, March 31, 2006
Remember the fuss over the Department of Justice's subpoenas of Google, MSN and Yahoo! search? (The Canadian Privacy Law Blog: US DOJ has subpoenaed Google's search records) It appears they also subpoenaed a wide range of internet service providers:
InformationWeek Justice Department Subpoenas Reach Far Beyond Google March 29, 2006:
In its effort to uphold the Child Online Protection Act, the U.S. Department of Justice is leaving no stone unturned. In addition to America Online, MSN, and Google, the government has demanded information from at least 34 Internet service providers, search companies, and security software firms, InformationWeek learned through a Freedom of Information Act request.
Thursday, March 30, 2006
According to Computerworld, a hacker has exploited a known vulnerability to get into a database containing pension records of over 570,000 people at the Georgia Technology Authority. An investigation is ongoing.
Labels: information breaches
Computerworld is reporting that the Secret Service has made at least 21 arrests in connection with the recent surge in debit card fraud: Arrests made in debit card fraud case - Computerworld.
Labels: information breaches
Tuesday, March 28, 2006
Here's a limited time offer to apply to be the Freedom of Information and Protection of Privacy Review Officer for Nova Scotia:
CareerBeacon.com: Freedom of Information and Protection of Privacy Review Officer (Halifax):
Published Date: 2006-03-24
Ad #: PSC–FOIPOP–SR20-CB
Competition #: PSC–FOIPOP–SR20-CB
The Review Officer is appointed by the Governor in Council, in accordance with Section 33 of the Freedom of Information and Protection of Privacy Act, for a term of between five to seven years. The Review Officer is responsible for managing and directing the day-to-day activities of the Review Office, which is an independent body, to ensure a high quality of investigative recommendations made in accordance with the Freedom of Information and Protection of Privacy Act, Municipal Government Act and Regulations. The incumbent will provide policy advice, case consultation, strategic and operational leadership, and will direct the development of systemic activities and research agendas respecting government policies and legislation affecting access and privacy issues. The incumbent will provide professional and consultative services to and on behalf of the public with respect to the public's right of access to information held by government departments, agencies, boards, commissions and municipalities.
As an ideal candidate, you hold an undergraduate or graduate degree (business, information management or administrative law or related discipline) or equivalent experience and education; you also have experience in progressively more responsible leadership and management roles. This position requires an individual with knowledge and an understanding of the principles relating to fair information and handling practices, administrative fairness, openness, accountability and government policies and procedures. You must have an ability to read, comprehend, interpret and apply legislation. You will also bring to this position comprehensive knowledge of the Nova Scotia Freedom of Information and Protection of Privacy Act, Municipal Government Act and Regulations. Direct experience in the access and privacy field would be considered an asset, as would training and/or experience in mediation or alternate dispute resolution.
The closing date for this competition is April 8, 2006. Please forward your resume and a letter of introduction, in confidence, to:
Executive Recruitment, Strategic Support Services, NS Public Service Commission, One Government Place, 1700 Granville Street, PO Box 943, Halifax, NS B3J 2V9 Fax: (902) 424-0631 Email: PSC-Job-Apps@gov.ns.ca
One provincial politician doesn't like the job description because he thinks it is meant to attract a career bureaucrat:
MLA criticizes criteria to pick FOI watchdog
By AMY SMITH Provincial Reporter
Graham Steele fears the province is looking for a different type of information watchdog this time around.
The New Democrat MLA said the ad for the next Freedom of Information and Protection of Privacy review officer, the person who deals with appeals for information held by the provincial government, school boards and hospitals, is geared toward bureaucrats.
The job description says the ideal candidate holds an undergraduate or graduate degree in business, information management, administrative law or related discipline or has equivalent experience and education.
Darce Fardy, the man who retired in January after 11 years as the province’s review officer, was a former CBC journalist.
Mr. Steele said under the current description, he doubts Mr. Fardy would fit the job specifications.
"And Darce was not just a good review officer, he was brilliant. I think he was superb and we were very, very fortunate to have him," the Halifax Fairview MLA said Monday. "It just takes me aback to see a job description that this brilliant review officer probably wouldn’t qualify for." ...
"I’d hate to see somebody promoted into that position who’d spent their life inside the bureaucracy," he said.
Colleen Gareau, spokeswoman for the Public Service Commission, said the province consulted Freedom of Information and Protection of Privacy offices across the country to come up with the job description....
Monday, March 27, 2006
Commissioner decides that physician not required to attach patient's statement of disagreement to record
March 27, 2006
Information and Privacy Commissioner Frank Work has issued his first decision about statements of disagreement under the Health Information Act (HIA).
HIA allows a person to ask a custodian, such as a physician, to correct or amend the person's health information. If the custodian refuses, the person can ask to have a statement of disagreement attached to the record that the person asked to be corrected or amended.
The statement of disagreement must comply with the requirements set out in HIA. The patient's statement of disagreement in this case did not comply with those requirements. Therefore, the Commissioner decided that the physician was not required to attach the patient's statement of disagreement to the record.
- 30 -
To obtain a copy of Order H2005-005, contact Office of the Information and Privacy Commissioner.
March 27, 2006
Commissioner upholds Custodian's decision to withhold information
Information and Privacy Commissioner Frank Work has upheld a decision to refuse to provide an individual with the names, initials, signatures, position titles, professional designations and credentials of other individuals under the Health Information Act (HIA).
The HIA allows a custodian to refuse to provide an individual with access to that individual's own health information where the disclosure could reasonably be expected to threaten the mental or physical health or safety of other individuals.
The information withheld from the patient's mental health records fell within this exception to access. Therefore, the Commissioner upheld the decision to withhold the information.
- 30 -
To obtain a copy of Order F2004-005 & H2004-001, contact Office of the Information and Privacy Commissioner.
Sunday, March 26, 2006
An employee of a Canadian company with a LiveJournal nickname of Vivace ma con Grazia is writing about his experience dealing with a request for access to personal information under PIPEDA. He's not happy.
Vivace ma con Grazia - The PIPEDA Saga, Part 1
In January 2004, some absolutely lovely Canadian legislation came into effect, known as The Personal Information Protection and Electronic Documents Act (or, more concisely, PIPEDA). The whole thing is maddeningly complex from my point of view, but in short it serves to both prevent the sharing of an individual's personal information by corporations, and to allow individuals to request of Canadian corporations a complete disclosure of all personal information held by that corporation about the individual in question. At work, I am currently working on my share of a response to one of these information requests. And let me tell you, it's one royal pain in the ass....
Over the course of a few postings here, I'm going to try to share some of the techniques we develop for handling this search. I'll likely skip over how we manage the search of our paper records, since I'm not very involved with that, but I will try to provide some technical details of our electronic searches, and hopefully (when I can get approval to do so) some of the details of our decision making process. I'm hoping this will be useful to some poor sysadmin in the future.
Saturday, March 25, 2006
Just in case you had a stereotypical image of who is likely to be an identity thief, here's an interesting investigation: Priest investigated for identity theft. Of course, this is just an investigation and no charges have been laid, let alone a conviction entered.
Friday, March 24, 2006
Earlier this month, the Privacy Commissioner of Canada released a set of guidelines for the use of video surveillance by law enforcement. The fourteen principles do not, however, bind any law enforcement agencies and nobody is required to follow them. See: OPC Guidelines for the Use of Video Surveillance of Public Places by Police and Law Enforcement Authorities (March 2006).
The Canadian IT Law Association blog has some discussion on the topic. Check it out here: IT.Can Blog - Police Monitoring of Public Spaces with Video Cameras: Privacy Commissioner and RCMP Guidelines.
About a year ago, Justice Mosley of the Federal Court of Canada ruled that the Privacy Commissioner of Canada has the power to compel the production of documents for which solicitor-client privilege is claimed in order to review the privilege claims (Blood Tribe (Dept. of Health) v. Canada (Privacy Commissioner), 2005 FC 328 (CanLII)). The ruling is now being appealed to the Federal Court of Appeal, and the Law Society of Alberta has been granted leave to intervene in the appeal (Blood Tribe Department of Health v. Canada (Privacy Commissioner), 2006 FCA 101).
Thursday, March 23, 2006
The March 2006 edition of the Canadian Privacy Law Review is out and it includes the following article:
(Reprinted by permission of LexisNexis Canada Inc., from Canadian Privacy Law Review, edited by Michael Geist, Copyright 2006.)
With so much focus on PIPEDA, the PIPAs, the HIAs, PHIPA and others, the notion that there’s an independent tort of invasion of privacy has been somewhat lost in the shuffle as of late. Newfoundland, Manitoba, Saskatchewan and British Columbia, with their statutory torts for invasion of privacy have settled the debate in those provinces. Observers in the other common law provinces are left, from time to time, scratching their heads as to whether there even is an ability to bring a civil suit for invasion of privacy, independent of any wrong that is addressable under the personal information protection statutes or independent of another actionable wrong, such as trespass.
To use Newfoundland as an example, the Privacy Act makes it an actionable wrong if someone violates the privacy of another:
Violation of privacy
3. (1) It is a tort, actionable without proof of damage, for a person, wilfully and without a claim of right, to violate the privacy of an individual.
(2) The nature and degree of privacy to which an individual is entitled in a situation or in relation to a matter is that which is reasonable in the circumstances, regard being given to the lawful interests of others; and in determining whether the act or conduct of a person constitutes a violation of the privacy of an individual, regard shall be given to the nature, incidence, and occasion of the act or conduct and to the relationship, whether domestic or other, between the parties.
The Act further clarifies what circumstances are presumed to be an invasion of privacy and also establishes specific defenses to the tort.
In the remaining common law provinces, including Ontario and the Maritimes, the court decisions have gone both ways on whether there is an independent tort of invasion of privacy. The recent case of Somwar v. McDonald’s Restaurants of Canada Ltd. opens the door further to this possibility in Ontario.
The facts in Somwar are relatively simple: The plaintiff, Mr. Somwar, was a McDonald’s employee. The company carried out a credit check on Mr. Somwar without his knowledge or consent, and Mr. Somwar brought an action against McDonald’s for invasion of privacy, seeking general damages and an award of punitive damages to dissuade the company from repeating this with other employees. The defendant made an application under the Ontario Rules of Civil Procedure to have the plaintiff’s statement of claim struck out on the basis that it disclosed no reasonable cause of action. It was argued that the laws of Ontario do not include a common law right of action for invasion of privacy.
At this stage in litigation, the task of the Justice sitting in chambers is not to determine liability or even to decide whether the actions complained of are actionable. The sole task is to determine whether it is “plain and obvious” that the plaintiff’s claim could not proceed if the matter were to go to trial. Striking out a plaintiff’s claim is reserved for those circumstances where proceeding any further would be a waste of time for the parties and the courts. If there is any possibility that the plaintiff might succeed at trial, the Civil Procedure Rules are designed to allow the action to run its course. Any pronouncements from the bench at this stage in the proceeding must be interpreted in light of this context. The question is not whether there is a common law tort of invasion of privacy, but rather whether there might be. In the result, Stinson J. determined that there might be, and went even further to say that there should be.
Lacking any clear pronouncement from the appellate courts, Justice Stinson of the Ontario Superior Court of Justice canvassed a range of lower-court decisions dealing with alleged invasions of privacy. To this end, Stinson J. borrowed from the analytical framework set out by Dean William Prosser in his seminal California Law Review article, “Privacy” and considered Ontario cases that addressed “intrusion upon the plaintiff’s seclusion or solitude, or into his private affairs.”
The cases cited by Stinson J. in Somwar that fall into this category do not provide unequivocal guidance on whether such a tort exists. A handful of decisions from Ontario’s lower courts have allowed claims, or have at least allowed actions to proceed to trial, based upon alleged intentional invasions of privacy, many of which are also associated with other causes of action, such as nuisance. On the motion to dismiss the plaintiff’s claim, the cases reviewed provided sufficient grounds for Stinson J. to conclude that it cannot clearly be said that there is no common law tort of invasion of privacy.
The foregoing is sufficient to dismiss the defendant’s motion, but the Court goes further and offers the conclusion that the time is right for a clear recognition of a common law right to privacy. Stinson J. begins this part of his analysis by posing the question: “is there a right to privacy in Canada and how is it protected?”
In the age of the Charter, the Supreme Court of Canada has been explicit that the common law must evolve to become consistent with “Charter values”. The leading case on this point, Hill v. Church of Scientology of Toronto, is cited by Stinson J., who quotes from Cory J.’s majority decision:
Historically, the common law evolved as a result of the courts making those incremental changes, which were necessary in order to make the law comply with current societal values. The Charter represents a restatement of the fundamental values which guide and shape our democratic society and our legal system. It follows that it is appropriate for the courts to make such incremental revisions to the common law as may be necessary to have it comply with the values enunciated in the Charter.
Section 8 of the Charter provides individuals with a constitutional right that is analogous to the “right to be let alone”: “Everyone has the right to be secure against unreasonable search or seizure.” While the Charter only applies to individuals vis-à-vis the state, the Supreme Court’s pronouncements on Section 8 lead to the conclusion that Charter values require that the common law recognize a “right to be let alone” between individuals.
Stinson J. refers to the judgement written by La Forest J. in R. v. Dyment, in which the Court identifies three zones of privacy, one of which is privacy of personal information. La Forest J. rooted this privacy interest in “the notion of the dignity and integrity of the individual.” Recent advances in technology that can be used to collect and disseminate personal information also prompt Stinson J. to recommend that the common law make the incremental changes to keep up with Charter values and with potentially-intrusive technology:
 With advancements in technology, personal data of an individual can now be collected, accessed (properly and improperly), and disseminated more easily than ever before. There is a resulting increased concern in our society about the risk of unauthorized access to an individual’s personal information. The traditional torts such as nuisance, trespass, and harassment may not provide adequate protection against infringement of an individual’s privacy interests. Protection of those privacy interests by providing a common law remedy for their violation would be consistent with Charter values and an “incremental revision” and logical extension of the existing jurisprudence.
The importance of the Somwar case should not be overstated, keeping in mind that it relates to a motion to strike a statement of claim and is not a final, determinative judgement at trial. The test to be applied is only whether there could be such a cause of action, rather than whether there is one. However, the Court took the notable step of going beyond this simple question by propounding that the Charter and advancing technology may necessitate the updating of the common law to incorporate a clear right “to be let alone” between two private actors. Whether Justice Stinson’s decision will be followed by other lower courts and whether the appellate courts will concur are both open questions, but the decision should not be ignored as a simple interlocutory judgement on a low-threshold question. It likely represents part of a trend toward recognizing a free-standing right to privacy in those provinces where the legislatures have not stepped in to provide a statutory one.
* David T.S. Fraser is the chairman of the privacy group at McInnes Cooper and is also a part-time member of the Faculty of Law at Dalhousie University.
 R.S.N.L. 1990, c. P-21.
 2006 CanLII 202 (Ont. C.J.) (http://www.canlii.org/on/cas/onsc/2006/2006onsc10045.html) (“Somwar”).
 R.R.O. 1990, Reg. 194, Rule 21.01(1)(b).
 William L. Prosser, “Privacy” (1960) 48 Cal.L.Rev. 383.
 Prosser’s article classifies invasions of privacy in the following categories: “(i) intrusion upon the plaintiff’s seclusion or solitude, or into his private affairs; (ii) public disclosure of embarrassing private facts about the plaintiff; (iii) publicity which places the plaintiff in a false light in the public eye; and (iv) appropriation, for the defendant’s advantage, of the plaintiff’s name or likeness”. Quoted in Somwar, at para. 9.
 Stinson J. refers to the following cases in this group: Capan v. Capan,  O.J. No. 1361 (H.C.J.) (application to strike statement of claim; defendant did not establish that stalking, harassment and entry into the plaintiff’s home could not found a cause of action); Saccone v. Orr (1981), 34 O.R. (2d) 317 (Co.Ct.) (recording of a private telephone conversation that was subsequently broadcast at a municipal council meeting and then published in a local newspaper; Court concluded that the plaintiff “must be given some right of recovery” for actions of the defendant); Roth v. Roth, (1991), 4 O.R. (3d) 740 (Gen. Div.) (action related to blocking access to property and shutting off electricity of the plaintiff’s cottage; Court concluded that whether the case is actionable depends upon the circumstances and the rights in conflict; invasion of privacy is not derived from a property right and the interests of both the individual and society are served by proceeding); Lipiec v. Borsa,  O.J. No. 3819 (Gen. Div.) (Court awarded damages related to removal of a fence between properties and erection of a surveillance camera pointed at the defendant’s (plaintiff by counterclaim’s) yard); Tran v. Financial Debt Recovery Ltd.,  O.J. No. 4293 (S.C.J.) (reversed on other grounds,  O.J. No. 4103 (Div. Ct.)) (collection agency making repeated collection calls to plaintiff’s workplace after being advised to only call home number; plaintiff recovered under defamation, intentional interference with economic interests, intentional infliction of emotional suffering, and invasion of privacy); Garrett v. Mikalachki,  O.J. No. 1326 (S.C.J.) (dispute between neighbours leading to recovery under “intentional infliction of emotional distress, nuisance or invasion of privacy, and harassment”) and Rathmann v. Rudka,  O.J. No. 1334 (S.C.J.) (harassment amounting to nuisance and invasion of privacy).
 Somwar at para. 23.
2 S.C.R. 1130.
 Quoted in Somwar at para 26, from Hill at para 92.
2 S.C.R. 417 (“Dyment”).
 Quoted in Somwar at para 24, from Dyment at para 22.
The Privacy Commissioner of Canada's contributions program has been renewed for another year. Check out the press-release:
Privacy Commissioner's Office renews its cutting-edge privacy research program:
Ottawa, March 22, 2006 – The Privacy Commissioner of Canada, Jennifer Stoddart, today announced the renewal of funding through her Office's Contributions Program which, for the last three years, has allowed some of Canada's brightest privacy experts to develop a wealth of information on various privacy challenges of the 21st century.
"Knowledge is the ultimate currency, and with the research developed through our Contributions Program we will be in a position to further strengthen our mission of safeguarding and preserving privacy rights that are cherished in our democracy," said Ms. Stoddart. "It will also shed light on new approaches to dealing with critical privacy issues."
This is the third year of the Program, which was launched in June 2004 to further the development of a national research capacity in Canada on the broad spectrum of issues that have an impact on privacy. The Office is mandated to undertake and publish research related to the protection of personal information, and the Program was set up as part of the Office's budget pursuant to its program/legislative authority under federal private sector privacy legislation.
- The protection of personal health information
- Strategies for making individuals more aware of their privacy rights. Do we need more consumer friendly privacy policies? Do organizations need to do a better job of disseminating their policies?
- The professionalization of privacy specialists—what requirements or standards exist and what processes are in place to accredit and certify these individuals?
- The storage and retention of personal information—the Personal Information Protection and Electronic Documents Act requires that information only be retained as long as necessary to fulfill the stated purposes. What does this mean in practical terms and how should this requirement be assessed?
- Aspects of surveillance:
  - New technologies: What does the public comprehend about the collection, use, and transmission of personal data generated from new technology?
  - What use is made of transactional data generated by retail transactions, telecommunications devices, or video surveillance?
  - Workplace surveillance
  - The tracking of individuals’ interactions with the Internet
The Office will also consider requests to fund research on issues that fall outside the priority areas.
According to Michael Geist, a leading privacy expert and member of the Office's External Advisory Committee, the continuation of the Contributions Program will advance and foster the promotion and understanding of privacy rights of Canadians.
“There is an increased burden on us to be aware of threats to our privacy before they become realized. Research projects funded through this Program will go a long way in promoting greater knowledge,” said Mr. Geist.
Professor Geist is a law professor at the University of Ottawa where he holds the Canada Research Chair in Internet and E-commerce law. He is also a nationally syndicated columnist on technology law issues and the author of the Canadian Privacy Law Review.
Organizations that are eligible for funding under the Program include not-for-profit organizations, such as educational institutions and industry and trade associations, as well as consumer, voluntary and advocacy organizations.
The maximum amount that can be awarded for any single research project is $50,000. Organizations are eligible to receive funding for only one project.
Projects must be completed within the fiscal year in which the funding was provided. The deadline to submit applications is May 5, 2006.
Links to the projects completed under the previous Contributions Programs are available on the OPC Web site at http://www.privcom.gc.ca/information/cp/index_e.asp.
The Office of the Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of the privacy and protection of personal information rights of Canadians.
Wednesday, March 22, 2006
Another stolen laptop story, this time containing personal information on almost two hundred thousand employees of Hewlett Packard. The laptop was owned by Fidelity, which was providing services to HP. According to CNet, the information included names, addresses, social security numbers, dates of birth and employment info. See: Laptop with HP employee data stolen CNET News.com.
Tuesday, March 21, 2006
The Nova Scotia Department of Justice is hosting an information gathering and consultation session about potential amendments to the Nova Scotia Freedom of Information and Protection of Privacy Act to address concerns raised by the USA Patriot Act. The session is open to companies that operate in the ICT sector in Nova Scotia and provide services to public bodies.
Passed by the United States Congress in the wake of the terrorist attacks of September 11, 2001, the USA Patriot Act significantly expands law enforcement and intelligence access to personal information. The Act requires companies to provide certain information to law enforcement upon request – in some cases without a warrant or court order – and prohibits the company from telling anyone that the information was requested.
Though this is a US law, these powers would apply to information about Canadians that is being processed in the United States and likely applies to information about Canadians being processed by US companies in Canada.
The British Columbia government has amended its public sector privacy law and the government of Nova Scotia is contemplating doing the same. Amendments to Nova Scotia’s privacy law would affect companies that provide services to Nova Scotia public bodies, including the government, municipalities, hospitals, universities and colleges.
All affected companies are invited to an information session with the Nova Scotia Department of Justice on Friday, March 31, 2006 at 2:00 p.m. in the Commonwealth B Room at the Westin Hotel in Halifax. To expedite arrangements for seating and refreshments, please RSVP by e-mailing Ms. Dominika Thompson at email@example.com, or by phoning 424-5585 before Tuesday, March 28, 2006.
Note: Updated 20060323 to clarify the intended audience and invitees of the session.
Daniel Solove, professor at George Washington University School of Law and one of the authors of Concurring Opinions, has released a new article that asks the question "what is privacy?" Privacy means different things to different people and Prof. Solove's article tries to break down and organize the concept of privacy. Here's the link and the abstract:
Daniel J. Solove, A Taxonomy of Privacy, 154 U. Pa. L. Rev. 477 (2006)
Privacy is a concept in disarray. Nobody can articulate what it means. As one commentator has observed, privacy suffers from an embarrassment of meanings. Privacy is far too vague a concept to guide adjudication and lawmaking, as abstract incantations of the importance of privacy do not fare well when pitted against more concretely-stated countervailing interests.
In 1960, the famous torts scholar William Prosser attempted to make sense of the landscape of privacy law by identifying four different interests. But Prosser focused only on tort law, and the law of information privacy is significantly more vast and complex, extending to Fourth Amendment law, the constitutional right to information privacy, evidentiary privileges, dozens of federal privacy statutes, and hundreds of state statutes. Moreover, Prosser wrote over 40 years ago, and new technologies have given rise to a panoply of new privacy harms.
A new taxonomy to understand privacy violations is thus sorely needed. This article develops a taxonomy to identify privacy problems in a comprehensive and concrete manner. It endeavors to guide the law toward a more coherent understanding of privacy and to serve as a framework for the future development of the field of privacy law.
Here's an odd bit of synchronicity ...
Today, just after I entered my debit card PIN at a point of sale, my BlackBerry buzzed. I thought, "Hey! Wouldn't it be a good idea if my bank would send me a message each time my debit/credit/etc. card was used? That way you'd catch bad stuff before you get your statement."
The Bank of America apparently has beat me to it:
Bank launches anti-fraud alert service:
by Tash Shifrin
Monday 20 March 2006
The US's largest bank has launched an anti-fraud text and e-mail alert service, following a series of high profile data security breaches.
Last month, the Bank of America was forced to cancel some customers’ debit cards following a data security breach at an undisclosed company.
In October last year users of its Visa Buxx pre-paid debit card service were told sensitive personal information may have been compromised when an unencrypted laptop used by one of the bank’s service providers was stolen.
In March 2005, the bank confirmed that information on 60,000 customers had been stolen by an identity theft ring, just a month after revealing it had lost back-up tapes containing the credit card account records of 1.2 million US federal employees.
Now, in the fourth major security initiative of the past year, the bank is offering its online banking customers a series of alerts by e-mail or text message to mobile phones or PDAs.
Customers will receive automatic notification of changes in sensitive information such as passwords, although these can be switched off. They can also choose dollar limits, above which they would be notified of any potentially suspicious debit transactions or irregular credit card activity. A daily e-mail about available account balances is also on offer.
The bank has the largest number of online banking customers in the world, with its 15 million customers making up more than a third of all people who use online banking in the US.
Monday, March 20, 2006
Securityfocus.com has published an article that suggests the lack of disclosure related to the recent spate of debit card fraud can be traced to a loophole in the California privacy law and the other state laws that are based upon it:
Debit-card fraud underscores legal loopholes:
Despite security-breach notification laws on the books in 23 states, credit-card companies and financial institutions have not named the sources of the breaches.
"There are few details of these leaks because credit-card companies do not want people to lose confidence in debit cards," said Beth Givens, executive director of the consumer advocacy group Privacy Rights Clearinghouse.
The mystery surrounding the data breaches underscores loopholes within the state laws which aim to mandate the disclosure of security breaches. Moreover, the silence over responsibility for the breaches contrasts consumer advocates' warnings that a federal law currently being considered by Congress will ironically roll back protections even further.
There are three cases in which a company suffering a breach can bypass current notification laws, all of which have some basis in the legislation first drafted in California, security and legal experts told SecurityFocus.
A company suffering a data breach can delay notification during a criminal investigation by law enforcement. If the stolen data includes identifiable information--such as debit card account numbers and PINs--but not the names of consumers, then a loophole in the law allows the company that failed to protect the data to also forego notification. Finally, if the database holding the personal information was encrypted but the encryption key was also stolen, then the company responsible for the data can again withhold its warning.
In those cases, "they have no obligation to notify," said Avivah Litan, vice president of security and privacy research for business analysis firm Gartner. "The bottom line is that they escaped the disclosure law--at least for now."
Moreover, it's unlikely that credit-card companies will risk harming their clients by disclosing the identity of companies that fail to take responsibility for breaches, Litan said. While major credit-card companies and banks have warned partners and consumers of recent breaches in general terms, business pressures leave the companies unlikely to out partners, even if the companies are violating the spirit of disclosure laws.
The latest chapter in the series of lawsuits over the sale of phone records: Sprint Nextel has filed a lawsuit against a PI firm that was allegedly acquiring phone records on behalf of online record brokers. Here's the press release:
Sprint Nextel Files Lawsuit Against Fraud Source in Ongoing Effort to Protect Consumer Privacy
Latest Action Aims to Wipe Out Threat Posed by Private Investigation Firm Responsible for "Pretexting" on Behalf of Online Data Brokers
Sprint Nextel Media Contact: Jennifer Walsh, firstname.lastname@example.org. More information on Sprint Nextel's Commitment to Customer Privacy.
RESTON, Va. — 03/20/2006 Sprint Nextel Corp. (NYSE: S) announced today that it has filed a lawsuit against a private investigation firm that employs deceptive practices to illegitimately obtain customer call detail records, and then sells the confidential information to online data brokers. In its complaint against San Marco & Associates of St. Petersburg, Fla., Sprint Nextel states that the company employs fraudulent tactics such as pretexting, the practice of obtaining personal information under false pretenses, to access cell phone logs and phone numbers.
In the suit filed March 17, 2006, in U.S. federal court in Florida, Sprint Nextel states that the schemes conducted by San Marco & Associates invade the privacy of Sprint Nextel's customers. Sprint Nextel has requested both temporary and permanent injunctions against San Marco & Associates.
"As we dig deeper into the origins of this fraud, we've determined that, in some cases, companies with no Internet presence whatsoever are handling the dirty work for these online operations," said Kent Nakamura, vice president for telecom management and chief privacy officer for Sprint Nextel. "We indicated previously that we would take any action necessary to eliminate this threat, and we are following through on that promise to our customers."
In addition to this latest legal action, Sprint Nextel secured a permanent injunction against First Source Information Specialists Inc., parent company of www.locatecell.com, www.datafind.org, and others, based on a complaint it filed in January 2006. As a result, First Source will no longer attempt to obtain, sell or distribute call detail records belonging to Sprint Nextel customers. Sprint Nextel also filed a complaint against All Star Investigations Inc. ("ASI"), a company believed to own and/or operate web sites including www.onlinePI.com, www.allstarinvestigations.com, www.detectivesusa.com, www.miamiprotection.com and www.privatedetectivesusa.com.
Sprint Nextel strongly encourages its customers to take precautions to protect themselves. In particular, Sprint Nextel recommends that customers regularly change passwords used to access account information on the Sprint.com web site or when calling customer care, and select unique passwords to access voicemail messages on Sprint phones. For additional customer privacy tips, please go to www.sprint.com/privacy.
Thanks to beSpacific for the reference: beSpacific: Sprint Nextel Files Lawsuit Against PI Firm For Sale of Customer Phone Records.
Many who are critical of widespread video surveillance point to instances where those doing the surveillance use the cameras for prurient purposes. Today, The Register is reporting that police in the British community of Tyneside are investigating the leak of pictures of participants in Spencer Tunick's mass nude photoshoot that took place last year. The pictures were apparently taken by CCTV operators using the cameras' pan and zoom capabilities and were made available in local pubs. See: CCTV staff quizzed over nude art shoot footage | The Register.
According to an article on CTV.ca posted over the weekend, the federal government is still studying whether and how to implement a "do not fly list" in Canada. Some of the concerns relate to privacy and others are simply practical: how to compile the list, where the data will come from, oversight, etc. The article also discusses a public opinion poll carried out by Ekos Research Associates that found only lukewarm support among Canadians. See: CTV.ca No-fly list may not fly, federal study warns.
Labels: information breaches
Sunday, March 19, 2006
More information about the problems that may underlie the recent and significant payment card breach is starting to come in. ZDNet is reporting that Visa has sent a bulletin to retailers, warning that a certain brand of point-of-sale software may retain personal information, including PINs.
Visa warns software may store customer data Tech News on ZDNet
A popular software that retailers use to control debit-card transactions may inadvertently store sensitive customer information, including PIN codes, says Visa.
Two versions of cash-register software made by Fujitsu Transaction Solutions are under scrutiny, according to a warning Visa issued to the companies that process card transactions for some of the nation's largest retailers. A Visa representative confirmed that the warning was sent.
Some of Fujitsu's retail customers include Best Buy, Staples and OfficeMax, but it is not known which companies use the software Visa claims is flawed.
Visa's warning, which was first reported by The Wall Street Journal on Friday, has raised eyebrows in the financial and retail sectors. The software was flagged at a time when thousands of debit-card holders across the country have reported unauthorized withdrawals from their accounts.
Thanks to Slashdot for the pointer.
Saturday, March 18, 2006
Police in the Vancouver-area suburb of Coquitlam announced they have broken up an identity theft ring that carried out the crime the old-fashioned way: mail theft. The two men arrested are said to have had thousands of house and mail box keys in addition to birth certificates, SIN cards and credit cards. Police also retrieved a number of stolen Canada Post uniforms. See: CBC British Columbia - Identity theft ring broken up.
In what is likely the last chapter in this particular saga, a US federal judge has ordered that Google does not have to provide the government with information about users' search queries. The judge only ordered that Google provide a random list of 50,000 URLs, but no proprietary information. See: InternetWeek | Judge Rules Google Doesn't Have To Turn Over Search Queries.
Wednesday, March 15, 2006
Charges were laid yesterday against George Radwanski in connection with the alleged mismanagement of the Office of the Privacy Commissioner. Radwanski was forced to resign in late 2003 after a report by the federal Auditor General found that during his two and a half years in the position, overspending was rampant and cronyism ruled the day. The charges, fraud and criminal breach of trust, were laid by the RCMP.
The CBC reports on a statement made by Eddie Greenspan, Radwanski's lawyer:
Greenspan said his client is determined to clear his name.
"When he is given a fair opportunity to defend himself, the allegations will be demonstrated to be unfounded," Greenspan said in a statement.
Greenspan said a trial will show that during Radwanski's tenure as privacy commissioner of Canada, "he acted with integrity and in utmost good faith."
See: CBC News: Former privacy commissioner charged with fraud, breach of trust, RCMP charge former privacy commissioner with fraud and breach of trust, CTV.ca | Former privacy commissioner charged with fraud.
Tuesday, March 14, 2006
If your personal information is compromised, the threat of fraud may pale in comparison to being falsely accused of being involved with illegal pornography involving children.
Thousands of people were investigated after credit card information was found when a Texas-based company was busted for selling access to child pornography. Many of the credit cards were stolen, but some aggressive police forces around the world used the mere existence of the credit card information as evidence of illegal conduct. Some lost their jobs and at least one person committed suicide.
Canadian police, it appears, were more cautious and set out bait to see if those identified were inclined to actually seek out the child pornography.
Having your credit destroyed is bad enough, but getting dragged into something like this is off the charts ...
Read the full CBC investigative report here: CBC News: Global child porn probe led to false accusations.
Thanks to Adam at Emergent Chaos for the link: Emergent Chaos: Identity Theft and Child Pornography.
CNet News is reporting that fourteen arrests have been made in New Jersey in connection with the surge of debit card fraud that has swept the United States. The wave of fraud followed security breaches at OfficeMax and other businesses, all of which apparently retained PINs contrary to payment card standards.
The CNet article has a great quote:
Prosecutor: Debit card crime ring busted CNET News.com
"This is the worst hack to date," [Gartner analyst] Litan said. "All the other hacks were trying to get to this hack. All the previous hacks were leading up to finding a way into your bank account. For the criminal, this is the pot of gold."
Labels: information breaches
Monday, March 13, 2006
The Canadian Imperial Bank of Commerce is involved in a new incident of misdirected faxes. But, I hasten to add, the misdirected faxes do not appear to be the bank's fault. According to the Globe and Mail, faxes from CIBC to a sporting equipment supplier from Toronto have been sent to Christine Soda. The CIBC sent the faxes to the number it had on record for its customer, but the customer had moved and had not advised the bank of the new fax number. Once the number was released by the phone company, it was assigned to Ms. Soda.
Now, to make it more interesting, Ms. Soda has apparently refused to return the faxes to CIBC and both the bank and its customer are taking Ms. Soda to court for their return, according to the Toronto Star. Ms. Soda says her husband needs the documents for his own lawsuit. (He took them to his workplace and says he was fired because the faxes made the employer think he had another job. He is suing the former employer and needs the faxes as evidence.) The Privacy Commissioner is apparently on the case of this retention of personal information.
Here's a free piece of common sense that I routinely share with my clients: Never surrender your fax number. You can usually pay the phone company a reasonable fee so that it is not reassigned to another person for an interval of time.
Another freebie: Make sure your contacts know your updated information.
Here's my two cents' worth: This situation does not seem to engage PIPEDA. The information on the fax was about money transfers between two businesses. PIPEDA only deals with personal information, which means information about one or more individuals, not companies. It may be a breach of policy and a breach of bank secrecy, but it doesn't look like there was any personal information involved.
Sunday, March 12, 2006
According to the CBC, the Information and Privacy Commissioner of Newfoundland and Labrador has given his blessing to a request by the CBC to make physicians' billings public. This is the latest stage in the saga, as the provincial department of health had decided to release the information, prompting an appeal by the medical association to the Information and Privacy Commissioner. Next stop court?
Saturday, March 11, 2006
Chris Walsh has posted a very extensive review of the issues and what's going on in the latest compromise of debit cards in the US: Emergent Chaos: The wall starts to crack.
Note: Updated to reflect that it was Chris Walsh and not Adam Shostack who wrote the posting at Emergent Chaos.
Labels: information breaches
Friday, March 10, 2006
Thanks to David Canton (http://www.canton.elegal.ca/archives/2006/03/index.html#a000617) for pointing me to this article on MSNBC: http://www.msnbc.msn.com/id/11731365/
Banks and others involved in the financial sector have recently reported a huge surge in ATM fraud. The size of the surge has led to speculation that it cannot be tied to traditional scams, such as card skimming and shoulder-surfing. It is reported that a US-based retailer stored the confidential PINs associated with past debit card transactions and that this database has been compromised.
Apparently scammers would rather go for cash than credit.
I agree with David Canton that keeping PINs would likely be against PIPEDA in Canada, because you can only keep personal information for as long as reasonably necessary, which would only be the immediate authentication of the transaction in question. For Canadian readers, take note: if you keep this information and it is compromised, you will likely be on the hook for every penny that is lost by consumers and their financial institutions.
(Pardon the formatting and any typos. I'm posting this from my blackberry since I'm stuck in an airport.)
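The retention problem these posts describe, as an added example that is not code from the blog or from any vendor or retailer named in it: a small Python audit over a constructed point-of-sale journal that flags records still holding PIN blocks or track data after authorization, next to the record a terminal may keep instead. The journal format, field names and card values are assumptions made for the example.

```python
"""Audit of stored point-of-sale transaction records for retained PIN data.

Added example, not code from the blog or from any vendor named in it.
The journal format, field names and values are hypothetical and constructed
for illustration; the card numbers are well-known industry test numbers.
"""
import re

# Fields that are needed only to obtain an authorization and must not be kept
# once the issuer has answered. Keeping them is the failure the posts describe.
SENSITIVE_AUTH_FIELDS = ("pin_block", "track2", "cvv")

# Constructed sample journal: four records as a POS terminal might write them.
SAMPLE_JOURNAL = """\
txn=1001 ts=2006-03-10T09:12:44 pan=4111111111111111 amount=42.10 auth=OK pin_block=1F3A9C0B7E2D4F10
txn=1002 ts=2006-03-10T09:15:02 pan=5500000000000004 amount=18.75 auth=OK
txn=1003 ts=2006-03-10T09:20:19 pan=4111111111111111 amount=130.00 auth=OK track2=4111111111111111=07121011000012345678
txn=1004 ts=2006-03-10T09:22:51 pan=340000000000009 amount=9.99 auth=DECLINED pin_block=A0B1C2D3E4F50617
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_record(line):
    """Turn one 'key=value key=value' journal line into a dict."""
    return dict(FIELD_RE.findall(line))


def mask_pan(pan):
    """Keep the first six and last four digits, which is all a receipt or dispute needs."""
    if len(pan) < 10:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_journal(text):
    """Return one finding per stored record that still carries authorization-only data.

    A finding is (txn id, tuple of offending field names). A declined transaction
    is flagged too: the PIN block has no legitimate use once the answer is known.
    """
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        bad = tuple(f for f in SENSITIVE_AUTH_FIELDS if f in rec)
        if bad:
            findings.append((rec.get("txn", "?"), bad))
    return findings


def record_for_storage(auth_request, auth_response):
    """Build the record a terminal may keep after the issuer has responded.

    auth_request holds what was sent for authorization (including pin_block);
    the stored copy keeps only the settlement fields, with the PAN masked.
    """
    kept = {k: v for k, v in auth_request.items() if k not in SENSITIVE_AUTH_FIELDS}
    kept["pan"] = mask_pan(auth_request["pan"])
    kept["auth"] = auth_response
    return kept


if __name__ == "__main__":
    for txn, fields in scan_journal(SAMPLE_JOURNAL):
        print(f"txn {txn}: retained {', '.join(fields)}")
    req = {"txn": "1005", "pan": "4111111111111111", "amount": "12.00",
           "pin_block": "0011223344556677"}
    print(record_for_storage(req, "OK"))
```

Run against a real journal export, the scan gives a quick answer to the question the posts raise: whether PINs are still on disk after the transaction has been authorized.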
Wired News has posted a follow-up to its recent story that iBill's database had been hacked and made available online (The Canadian Privacy Law Blog: Incident: Billing information of 17M porn customers compromised). According to the company, the database in question, containing names, email addresses, login details, etc., did not come from it:
Wired News: Porn Biller Says It Was Framed
...The databases, examined by Wired News, include names, phone numbers, addresses, e-mail addresses and internet IP addresses of customers making online purchases. Other fields in the compromised databases appear to be logins and passwords, credit-card types and purchase amounts, but credit-card numbers are not included.
But Spaniak says iBill cross referenced the 17 million transaction database against its own on Wednesday, and that only three e-mail addresses matched between the two.
Additionally, some entries in the stolen databases were identified as purchases on Diner's Club cards, which iBill says it has never accepted in its nine-year history. Spaniak says iBill recently passed a security audit that found its databases well secured.
Labels: information breaches
Thursday, March 09, 2006
Canada Post and the Ottawa Police have jointly busted a couple in Ottawa who used a clever trick to get personal information from would-be job applicants and use the information for identity theft. See: Identity-theft scam catches 100 people in net.
I'm going to be interviewed on the Roy Green show (CHML in Hamilton) at 9:05 EST this morning on the story. You can listen live by following this link and then clicking on "listen live" at the right top of the page.
Wednesday, March 08, 2006
Information related to seventeen million users of an online porn payment service has been found to have been compromised, according to Wired News:
Wired News: Porn billing leak exposes buyers
Seventeen million customers of the online payment service iBill have had their personal information released onto the internet, where it's been bought and sold in a black market made up of fraud artists and spammers, security experts say.
The stolen data, examined by Wired News, includes names, phone numbers, addresses, e-mail addresses and internet IP addresses. Other fields in the compromised databases appear to be logins and passwords, credit-card types and purchase amounts, but credit-card numbers are not included.
The breach has broad privacy implications for the victims. Until it was brought low by legal and financial difficulties, iBill was a top credit-card processor for adult entertainment websites -- providing billing services for such outlets as DominaBDSM and Top-Nude.com.
The transactions documented in the database are dated between 1998 and 2003, spanning a period at the height of iBill's success.
The company didn't respond to repeated e-mail and telephone inquiries by Wired News.
Two caches of stolen iBill customer data were discovered separately by two security companies while conducting routine research into malicious software online.
Southern California-based Secure Science Corporation found the first data file containing records on 17 million individuals on a private website set up by scammers. The site was part of a so-called "phishing" scheme, in which a spamming fraudster poses as a bank or online retailer in an attempt to con consumers out of identification and financial information.
Secure Science found that data in February 2005, and reported it to the FBI's Miami field office, the company says. The FBI declined comment.
Important Note: Since publication of this article, iBill has spoken with Wired News. The company now says that the purportedly stolen database did not originate with iBill, and only three of the more than 17 million entries match past iBill customers. Asked to respond, Secure Science says it no longer believes that iBill was the source of the data. Read the full story.
From Metro State College of Denver, Colorado:
President announces computer theft:
"Metro State President Stephen Jordan announced today at an open meeting for the College community and the Denver media that a laptop computer belonging to Metro State was stolen from an employee's residence on Saturday, Feb. 25, 2006.
The laptop may have contained unencrypted files with the names and social security numbers of any student who was registered for a Metro State course between the 1996 fall semester and the 2005 summer semester. This could include students from UCD or CCD who took pooled courses at Metro State; however the vast majority of names would be those of Metro State students. It is believed that more than 93,000 names would be contained in those files.
The theft was reported immediately by the employee to the Denver Police Department. College officials were notified on Monday, Feb. 27. Jordan explained that Denver Police did not authorize the College to make the public announcement until late on Wednesday, March 1, as they did not want their investigation, which is ongoing, to be compromised.
Jordan was quick to point out that there is no evidence of identity theft at this time. Plus he added, 'The employee does not recall whether he had deleted those files from the laptop.'
Nevertheless, Jordan said that the College will use every available reasonable avenue to notify the affected parties, including letters to their last-known addresses...."
Labels: information breaches
Doesn't look good for the provincial government at all.
(Sorry for the wonky formatting, I've had to post this from my BlackBerry.)
Labels: information breaches
For readers who are in Halifax:
The Law and Technology Institute at Dalhousie Law School and the McCarthy Tétrault Eminent Speakers Series presents Don McGowan, Corporate Counsel for Microsoft, Redmond, Washington who will be giving a presentation on: “ID THEFT: ON THE INTERNET, NO ONE KNOWS YOU’RE A DOG”.
This Thursday (March 9, 2006) from noon until 1:30 p.m. in Room 105 of the Weldon Law Building.
Saturday, March 04, 2006
I am currently in Vancouver on a business trip, woke up early and stumbled to the nearest Starbucks for my morning coffee and saw the headline "HEALTH RECORDS SOLD AT PUBLIC AUCTION" screaming out from the Saturday Vancouver Sun.
The Saturday Sun is reporting that last year, the BC department responsible for disposing of surplus equipment sold, along with other equipment, a batch of 41 computer backup tapes that contained incredibly sensitive personal information. The tapes contained the records of individuals who were seeking financial assistance from the provincial government because physical and mental health conditions (such as HIV and sexual abuse issues) were preventing them from working, generated by the Ministry of Social Services and the Ministry of Human Resources. The buyer of the tapes perused their content and later contacted the newspaper.
In addition to the records containing social insurance numbers and medical conditions, there were also hundreds of what appeared to be caseworker entries divulging extremely intimate details of people's lives.
One of those entries details a letter from a woman whose daughter was sexually abused, which provides the woman's name.
"Re: her daughter . . . sexually abused by a tenant living in the basement of her house," said the entry, which was logged in 1996. "No mental handicap . . . RCMP involved."
Because of the sensitive nature of the information, The Vancouver Sun will not publish any details that would directly identify any of the people involved.
Another entry, which included the person's name and phone number, contained the following.
"Wants to recover back pay from MSS because she did not know she had to have a Dr.'s note . . . was beaten by her boyfriend . . . wanting for money from WCB but in the meantime wants to pay her bills."
Among the other files there was also a document containing more than 65,000 names along with corresponding social insurance numbers, birthdays and what appeared to be amounts paid to each person for social support and shelter.
The information on the tapes was completely unencrypted and no special software was required to read it. A tech expert consulted by the paper said that a Windows desktop PC probably could have read the tapes. Apparently no effort whatsoever was made to delete their contents.
Needless to say, the BC Privacy Commissioner's Office is investigating the appalling breach of privacy.
For the full story check out the main article and the two sidebars:
Note: Edited to remove the image of the front page, which has cycled to show a different graphic.
Wednesday, March 01, 2006
Brian Bowman, with Pitblado in Winnipeg and the leading privacy lawyer on the prairies, has an interesting column in today's Winnipeg Free Press entitled "NDP should support privacy bill or say why not". The column provides a general overview of Bill 207, the proposed Personal Information Protection and Identity Theft Prevention Act, which has been introduced as a private member's bill in the legislature. The bill is designed to be "substantially similar" to PIPEDA, so that it would apply instead of PIPEDA in the province.
Unfortunately for the bill's advocates, it was introduced by a member of the opposition, which is usually a sure sign that the bill will never see the light of day. But there is some hope since the provincial government has made statements about the need for legislation to protect citizens against identity theft.
Brian argues in his column that Manitoba's NDP government should either support the Bill or provide a reasonable alternative. The column is available on Pitblado's website here: http://www.pitblado.com/lawyer_images/01Mar2006.pdf
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.