The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
Thursday, January 18, 2007
This has been a crazy week for privacy breaches in Canada and the week isn't over yet. I can't recall the last time I had so many media inquiries.
In addition to those below, I've been asked about two other incidents that will likely break in the next few days. (Since I heard about them from journalists, it would be rude to scoop them on the blog.)
Today we've heard of a significant announcement made by Talvest Mutual Funds:
Talvest Mutual Funds issues statement regarding missing back up computer file
MONTREAL, Jan. 18 /CNW/ - Talvest Mutual Funds today announced that a backup computer file containing client information has recently gone missing while in transit between its offices.
The backup file contained information relating to the process used to open and administer approximately 470,000 current and former Talvest client accounts and may have included client names, addresses, signatures, date of birth, bank account numbers, beneficiary information and / or Social Insurance Numbers. Talvest has retained original copies of their files on its secure website.
While Talvest has no evidence to suggest this backup file has been inappropriately accessed, the manager of Talvest Mutual Funds, CIBC Asset Management, has taken precautionary measures to protect its clients. These actions include:
- Notifying all affected clients by letter.
- Compensating any affected Talvest clients for monetary loss that arises directly from unauthorized access of personal information contained on this file.
- Providing affected Talvest clients the opportunity to enrol in a credit monitoring service at no cost. This service will provide added security on client credit files at major Credit Reporting agencies.
- Establishing a dedicated call centre and website to deal with any affected Talvest client inquiries.
- Advising affected Talvest clients to regularly review activity on all their financial accounts and report any unauthorized activity immediately to their financial institution.
- Working with the police to investigate this incident and retrieve this backup file.
"We are in the process of contacting affected Talvest clients by letter to advise them of this issue and to detail the steps we are taking to safeguard their information," said Steve Geist, President of CIBC Asset Management. "Although, we have no evidence that the information contained in the backup file has been accessed in any way, we are acting out of an abundance of caution and want to assure our clients that we are taking all steps possible to address this matter. Any issue that causes disruption to our clients is of great concern to us and we regret the inconvenience this may cause our Talvest Mutual Fund Clients."
For more information on this matter, Talvest Mutual Fund clients are advised to visit www.talvest.com.
And with a report from the CBC:
CIBC loses data on 470,000 Talvest fund customers
CIBC Asset Management says a backup computer file containing information on almost half a million of its Talvest Mutual Funds clients has gone missing.
The company says the missing data was in a file that disappeared "while in transit between our offices." The file had personal and financial details on current and former clients of Talvest Mutual Funds, which is a CIBC subsidiary.
The information may have included client names, addresses, signatures, dates of birth, bank account numbers, beneficiary information and/or Social Insurance Numbers.
Talvest says there's no indication that the missing backup file has been "inappropriately accessed," but says CIBC will be taking a number of precautions.
"We are in the process of contacting affected Talvest clients by letter to advise them of this issue and to detail the steps we are taking to safeguard their information," said Steve Geist, president of CIBC Asset Management.
Computer fraud expert Thomas Keenan from the University of Calgary said there's good reason for the company to alert their customers. "Because what's on there [the missing file] is everything you need to know to do identity theft," he told CBC News.
The privacy commissioner of Canada, Jennifer Stoddart, announced that she is launching an investigation.
"Although I appreciate that the bank notified us of this incident and that it is working co-operatively with my office, I am nevertheless deeply troubled, especially given the magnitude of this breach, which puts at risk the personal information of hundreds of thousands of Canadians," Stoddart said in a statement.
Talvest has set up special phone lines for clients who want more information.
The report follows news of a potential corporate privacy breach that could affect as many as two million Visa credit card holders in Canada.
The owner of Winners and HomeSense stores warned Thursday that hackers gained access to its computer system and credit card numbers may have been improperly accessed.
Also, a breach involving TJX, the parent of TJ Maxx, Winners and Homesense, may have exposed the personal information of Canadian customers of that store:
globeandmail.com: Computer breach exposes TJX shoppers to fraud
Parent of Winners, HomeSense targeted
MARINA STRAUSS AND SINCLAIR STEWART
Tens of millions of credit card customers in Canada and the United States may have been exposed to fraud during a computer security breach at discount retailer TJX Cos., the U.S. parent of Winners and HomeSense.
TJX, which also owns T. J. Maxx and Marshalls, said yesterday it discovered the "unauthorized intrusion" in mid-December and has been working with police and security experts on both sides of the border to investigate the incident and tighten security procedures.
The retailer declined to say exactly how many customers are affected. But sources close to Visa said the company notified banks and other issuers last week that approximately 20 million of its cards around the world may have been involved. Some in the financial industry estimate the number in Canada could be as high as two million. It's not clear how many customers of other credit card companies have been left vulnerable.
The problem was tied to the computer systems that process and store information about customer transactions involving credit cards, debit cards, cheques and merchandise returns -- some of them going back to 2003. The Royal Canadian Mounted Police and the U.S. Secret Service have been called in to investigate.
"While TJX has specifically identified some customer information that has been stolen from its systems, the full extent of the theft and affected customers is not yet known," the Framingham, Mass-based retailer said in a statement.
"I was stunned," said retail analyst John Chamberlain at Canadian Bond Rating Service. "That's not what you expect from a big retailer. You really expect that they would have stronger systems than that. You get to the point that you trust a retailer to keep that information."
Customers consider the shopping at TJX stores as a "treasure hunt," never quite sure what they'll find, he said. As a result, customers probably use plastic there more often because they don't always know how much they'll spend, he said.
Company officials didn't return calls. Their statement said the retailer kept the matter secret until yesterday at the request of law enforcement. The company said it promptly notified credit card companies and firms that process customer transactions.
An intruder grabbed information dealing with credit and debit cards sales in TJX stores during 2003 and part of 2006, according to the company. However, a source said that the debit transactions were confined to the U.S. market. TJX has been able to identify "a limited number" of credit card and debit card holders whose information was taken.
Canadian banks are scrambling to assess the potential damage. Tania Freedman, a Visa spokeswoman, said the company is forwarding information to banks. "These accounts were potentially exposed, [but] not all accounts that are exposed will experience fraud," she said, adding that customers are protected by the card's zero-liability policy.
In Canada, TJX runs 184 Winners and 68 HomeSense stores.
Expect much more info to come...
Update (20070118): The Privacy Commissioner of Canada has initiated a complaint on her own accord related to the Talvest breach: Privacy Commissioner launches investigation of CIBC breach of Talvest customers' personal information.
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.