The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Thursday, March 01, 2007
In addition to my weekly New Yorker magazine, today's mail contained a plain envelope with a PO Box return address. From a mile away, I could tell it was a credit card. Like many people recently, my bank has sent me a new credit card in the mail because I shopped at Winners. According to the letter, there is reason to believe my credit card was compromised in the Winners/TJX breach. The form letter tells me that there's been no evidence of fraudulent activity, but this is just in case.
When the TJX story broke, I attempted to contact their privacy officer through the address on the website. What I was looking for was a fax number becuase I did not want to communicate with them, particularly about my credit card, via e-mail. That was months ago and no contact and no reply. Not impressive.
Going directly to the TJX website provided a working link:
As TJX’s President and Chief Executive Officer, I want our customers to know how much I personally regret any difficulties you may experience as a result of the unauthorized intrusion into our computer systems. We are working with leading computer security firms to investigate the problem and enhance our computer security in order to protect our customers’ data. We are dedicating significant resources to evaluate the issue. Given the nature of the breach, the size and international scope of our operations and the complexity of the way credit card transactions are processed, the evaluation is, by necessity, taking time.
Since we learned of the probability of a breach in mid-December 2006, we have cooperated with law enforcement as well as with the banks and credit card companies that process our customer transactions. Further, we have established customer helplines in three countries and are making available a great deal of helpful information on our company websites.
We are committed to continue to address the situation and to provide periodic updates as we learn more. We have reported updated information in a press release which you will find below.
Additionally, I encourage you to access the information we are providing on this website to learn more about steps you can take to protect your credit and debit card information, or to contact our special customer helplines.
With the help of computer security experts, we have strengthened the security of our computer systems and we believe customers should feel safe shopping in our stores. We value the trust our customers place in us and again, I’d like you to know that we sincerely apologize for any difficulties you may be caused. Thank you for continuing to shop at our stores and for your years of loyal patronage.
President and Chief Executive Officer
Those affected may seek some perverse comfort that TJX may face significant penalties under the PCI Data Security Standard.
It will be interesting (but certainly not remedial in any way) to see what the Privacy Commissioner concludes about this investigation.
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.