The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

Search this blog

Recent Posts

On Twitter

About this page and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

For full contact information and a brief bio, please see David's profile.

Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.

David Fraser's Facebook profile

Privacy Calendar

Archives

Links

Subscribe with Bloglines

RSS Atom Feed

RSS FEED for this site

Subscribe to this Blog as a Yahoo! Group/Mailing List
Powered by groups.yahoo.com

Subscribe with Bloglines
Add to Technorati Favorites!

Blogs I Follow

Small Print

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.

Tuesday, January 20, 2009

Heartland data breach could be bigger than TJX's 

Heartland Payment Systems has announced that it suffered a significant data breach last year after it was discovered that hackers had installed software on their systems to capture credit card information. The firm apparenly processes over 100 Million tranactions a month, leading to speculation that this may dwarf the 2007 TJX breach. See: Heartland data breach could be bigger than TJX's.

Labels: , , ,

Tuesday, June 20, 2006

Europe to continue sharing passenger records with US 

According to Computerworld, European authorities have supposedly found a way around European privacy laws to allow the continued sharing of air passenger personal information with American law enforcement:

Europe to continue sharing passenger records with US:

June 19, 2006 (IDG News Service) -- Two weeks after Europe’s highest court overturned a European Union agreement to share passenger data with American authorities, the European Commission has proposed a new law that does much the same as the one that was annulled.

The Commission, the Union’s executive body, agreed Monday to propose a new law that uses different legal grounds to have the same effect: it will allow European airlines to share personal information about their passengers flying to the U.S. with U.S. customs and security officials.

Normally it would be illegal under Europe-wide privacy laws for a company to share European citizens’ personal data with a country with weaker data protection laws such as the U.S. However, after the attacks of Sept.11, 2001, mounted using commercial airline flights, American authorities demanded the information.

Airlines would be fined or worse, denied landing slots by American aviation authorities if they failed to provide the information, which includes details such as name, address and credit card information. But they would be sued in Europe for breaking data protection law if they did provide the Americans with the information.

To avoid havoc in the airline industry and a potential disruption of transatlantic flights, the Commission and the 25 national governments passed a law allowing the handover of most of the information the U.S. demanded....

For a bit o' background, check out: The Canadian Privacy Law Blog: European court blocks passenger data sharing deal with US.

Labels: , , ,

Discussion about data theft and corporate irresponsibility 

An unlucky slashdotter has started a discussion thread on data thefts and possible consumer recourse. Unfortunately, some of the advice involves burning buildings to the ground and moving to Nigeria, both of which may not be the most prudent course of action. In any event, check it out:

Slashdot Data Theft and Corporate Irresponsibility?

"Today, I received a letter from a student loan provider notifying me that my name and social security number had been stolen along with a contractor's computer. This makes -four- agencies that have lost my personal information, in the last year. Today's letter was the most disappointing yet: the company, Texas Guaranteed, did not offer any credit report monitoring like the previous three had. Their advice? Send a letter to the credit bureaus. Gee, thanks. Clearly, mass identity theft is completely out of hand and there doesn't seem to be any government regulation for handling these situations, nor does there seem to be any punitive action against businesses that lose customers' data. Do we, as consumers, have any recourse against these businesses?"

Thanks to Rob Hyndman for passing along the link.

Labels: , ,

Monday, June 19, 2006

Fake Name Generator 

Some people who are concerned about their privacy are understandably nervous about giving their names, addresses, and whatnot to random websites just to look at an article, etc. Many use fake info, but websites are catching on by trying verify the info by matching the address to the US ZIP code. If you are one of those people, you may be interested in the Fake Name Generator, which will produce a name, address, date of birth and mother's maiden name. It's all random. Here's what I got:

Joesph T. Villanvera
129 North Street
Grand Rapids, MI 49546

Phone: 231-394-0713
Mother's maiden name: Mogle
Birthday: March 18, 1964

But you can call me Joe.

Labels: ,

Win fabulous prizes! 

Sorry for the misleading headline, but if you are a student and you wrote a great paper on technology law issues this year (or ever), think about submitting it for the Canadian IT Law Association Student Writing Competition. The deadline is June 30, 2006 so you'd better hurry.

If you aren't a student, you're out of luck. Sorry.

Labels: ,

Ontario Commissioner introduces RFID Guidelines 

Ontario's Information and Privacy Commissioner has just produced a set of guidelines for implementing RFID technology to better protect privacy in its implementation. The guidelines are here and are being released along with a companion Practical Tips for Implementing RFID Privacy Guidelines. Earlier this month, the Commissioner released Worried about RFIDs? in video and paper form.

The Commissioner's press release is here:

Commissioner Cavoukian issues RFID Guidelines aimed at protecting privacy

TORONTO, June 19 /CNW/ - Ontario's Information and Privacy Commissioner, Dr. Ann Cavoukian, today released privacy Guidelines for the growing field of radio frequency identification (RFID).

These Guidelines flow from her earlier work in 2003 when the Commissioner first identified the potential privacy concerns raised by RFID technology. Following a history of ground-breaking work on building privacy into the design of emerging technologies, these Guidelines are a natural progression of this pragmatic approach.

"I have always found it beneficial to assist those working on emerging technologies, and to be proactive whenever possible - to develop effective guidelines and codes before any problems arise," said Commissioner Cavoukian. "These made-in-Canada Guidelines provide guidance and solutions regarding item-level consumer RFID applications and uses."

EPCglobal Canada, an industry association that sets standards for electronic product codes, has been collaborating with the IPC in the development of these Guidelines, and will be seeking Board approval by its member companies to signify the association's endorsement of the Guidelines.

"This technology offers exciting benefits to consumers and businesses alike. As the trusted source for driving adoption of EPC/RFID technology for increased visibility within the supply chain, privacy is as important as anything else we are doing," said Art Smith, President and CEO, EPCglobal Canada. "We promote an environment that encourages ongoing innovation while respecting privacy issues."

RFID tags contain microchips and tiny radio antennas that can be attached to products. They transmit a unique identifying number to an electronic reader, which in turn links to a computer database where information about the item is stored. RFID tags may be read from a distance quickly and easily, making them valuable for managing inventory but pose potential risks to privacy if linked to personal identifiers. RFID tags are the next generation technology from barcodes.

Although RFID technology deployed in the supply chain management process poses little threat to privacy, item-level use of RFID tags in the retail sector, when linked to personally identifiable information, can facilitate the tracking and surveillance of individuals. The goal of these Guidelines is to alleviate concerns about the potential threat to privacy posed by this technology and to enhance openness and transparency about item-level use of RFID systems by retailers.

The Guidelines address key privacy issues regarding the use of RFID technology at an item-level in the retail sector, said Commissioner Cavoukian.

The Guidelines are based on three overarching principles, including:

  • Focus on RFID information systems, not technologies: The problem does not lie with RFID technologies themselves, but rather, the way in which they are deployed that can have privacy implications. The Guidelines should be applied to RFID information systems as a whole, rather than to any single technology component or function;
  • Build in privacy and security from the outset - at the design stage: Just as privacy concerns must be identified in a broad and systemic manner, so, too, must the technological solutions be addressed systemically. A thorough privacy impact assessment is critical. Users of RFID technologies and information systems should address the privacy and security issues early in the design stages, with a particular emphasis on data minimization. This means that wherever possible, efforts should be made to minimize the identifiability, observability and linkability of RFID data; and
  • Maximize individual participation and consent: Use of RFID information systems should be as open and transparent as possible, and afford individuals with as much opportunity as possible to participate and make informed decisions.

A companion piece to the Guidelines - Practical Tips for Implementing RFID Privacy Guidelines, is also being released by the Commissioner to help organizations put the Guidelines into practice.

The Guidelines and Practical Tips for Implementing RFID Privacy Guidelines are available on the IPC's website (www.ipc.on.ca).

Labels: , , , ,

Sunday, June 18, 2006

Incident: Laptop with D.C. workers' data stolen 

Too many data breaches 

It is increasingly difficult to stay on top of all the security/privacy breaches as of late. Thanks to the Privacy Rights Clearinghouse, all the latest are set out in a handy table at http://www.privacyrights.org/ar/chrondatabreaches.htm and includes these recent additions:

Ohio University

Innovation Center

(Athens, OH)

a server containing data including e-mails, patent and intellectual property files, and 35 Social Security numbers associated with parking passes was compromised.

A breach was discovered on a computer that housed IRS 1099 forms for vendors and independent contractors for calendar years 2004 and 2005.

A breach of a computer that hosted a variety of Web-based forms, including some that processed on-line business transactions. Although this computer was not set up to store personal information, investigators did discover files that contained fragments of personal information, including Social Security numbers. The data is fragmentary and it is not certain if the compromised information can be traced to individuals. Also found on the computer were 12 credit card numbers that were used for event registration.

330,000 [Updated 6/16/06]

June 11, 2006

Denver Election Commission (Denver, CO)

Records containing personal information on more than 150,000 voters are missing at city election offices. The microfilmed voter registration files from 1989 to 1998 were in a 500-pound cabinet that disappeared when the commission moved to new offices in February. The files contain voters' Social Security numbers, addresses and other personal information.

June 13, 2006

Minn. State Auditor (St. Paul, MN)

Three laptops possibly containing Social Security numbers and other personal information on some employees of local governments the auditor oversees have gone missing.

Oregon Dept. of Revenue (Portland, OR)

Electronic files containing personal data of Oregon taxpayers may have been compromised by an ex-employee's downloaded a contaminated file from a porn site. The "trojan" attached to the file may have sent taxpayer information back to the source when the computer was turned on.

U.S. Dept of Energy, Hanford Nucear Reservation

Current and former workers at the Hanford Nuclear Reservation that their personal information may have been compromised, after police found a 1996 list with workers' names and other information in a home during an unrelated investigation.

Labels: , ,

Encrypt it 

ABC News could be accused of stating the obvious in Encryption Can Save Data in Laptop Lapses, but the article does have some interesting info on specific lessons that the VA, EDS and Ernst & Young have recently learned the hard way.

Labels: , ,

Friday, June 16, 2006

Incident: Porn-surfing employee compromises personal information on 2,300 Oregon taxpayers 

Incident: Computerworld is reporting that an employee of the Oregon Department of Revenue downloaded trojan software along with porn videos, apparently compromising personal information about 2,300 Oregon taxpayers: Trojan horse captured data on 2,300 Oregon taxpayers from infected gov't PC.

Lesson: Practice safe surfing or you might get infected.

Labels: , , , ,

Tory backbencher introduces bill to criminalize pretexting 

Conservative backbencher James Rajotte has introduced a private members' bill, Bill C-299: An Act to amend the Criminal Code, the Canada Evidence Act and the Competition Act (personal information obtained by fraud). It is intended to criminalize pretexting and obtaining personal information by fraud. Here's a summary:

SUMMARY

This enactment amends the Criminal Code to create the following criminal offences:

(a) obtaining personal information from a third party by a false pretence or by fraud;

(b) counselling a person to obtain personal information from a third party by a false pretence or by fraud; and

(c) selling or otherwise disclosing personal information obtained from a third party by a false pretence or by fraud.

It also amends the criminal offence of “personation with intent” to include fraudulent personation with intent to obtain any record containing personal information about a third party.

As well, the enactment amends the Canada Evidence Act to prohibit the admission into evidence of any personal information obtained by fraud, false pretence or fraudulent personation.

Finally, it amends the Competition Act to

(a) characterize the business of fraudulently obtaining personal information as an illegal trade practice;

(b) characterize the promotion of a product that is provided by means of fraud, false pretence or fraudulent personation as a false or misleading representation to the public; and

(c) provide for the recovery of damages from corporations within Canada affiliated with corporations outside Canada that have obtained personal information from third parties in Canada by fraud, false pretence, or personation.

Whether it will have any legs is anyone's guess.

Thanks to Michael Geist for the link:

Labels: , ,

Wednesday, June 14, 2006

Beware of hidden digital camera metadata 

I've posted on a number of times about something called metadata. It is hidden information in different kinds of digital files that may reveal information about the document, its author or information that the distributor did not want to disclose. For example, Microsft Word is notorious for the metadata that can be hidden in documents but we've also seen information leakage through Adobe Acrobat files (See: The Canadian Privacy Law Blog: More on metadata, The Canadian Privacy Law Blog: Document meta-data FAQ and risk information, The Canadian Privacy Law Blog: Security problems with hidden data in Acrobat PDF files).

I've known for some time that most digital cameras generate metadata (in the EXIF format), such as information about when the photo was taken, whether a flash was used, the exposure, lens focal length, etc. Flickr shows most metadata associated with photos. Check this out for an example: Flickr: More detail about leave.

What I did not know until today is that digital cameras will often embed a small thumbnail image of the photo as originally taken. In many cases, if you subsequently edit the photo, the original thumbnail remains. If the image is edited to cut out someone who didn't want to be photographed or if you blur the face of someone to protect their privacy, that information may still be available to anyone who gets the image.

There is no better illustration of the problem than the website created by Tonu Samuel. His site pulls images off the 'net then shows the original thumbnail and the modified image. One image generated by Samuel's site is a very vivid demonstration of why this is an issue: Hidden EXIF thumbnail security problem (may not be safe for work - it shows a young woman in a bikini whose face was obscured but is clearly identifiable in the thumbnail).

In short: Be very careful when you distribute modified digital images.

Thanks to michaelzimmer.org - The Hidden Photos Within Photos for the link.

UPDATE: I was browsing some of the photos that hav been put through Tonu Samuel's EXIF extractor and came upon this great demonstration of why this can be a risk. The photos on this page are from the US Federal Bureau of Investigation (http://www.fbi.gov/wanted/seekinfo/erienote1.jpg). The published version shows a letter with significant portions blacked out. The embedded thumbnail is missing all the blacked out portions.

Labels: , , ,

Tuesday, June 13, 2006

Ok. Somebody must be paying attention 

When The Onion, America's Finest News Source makes fun of the Hotels.com breach, you know that these are getting widespread coverage:

Hotels.com Information Stolen The Onion - America's Finest News Source

Hotels.com Information Stolen

A laptop containing sensitive information about Hotels.com customers was recently stolen from an Ernst and Young employee's car. What do you think?

Old Man

Doodles McKennan, Costume Designer "Great, now everyone at work will know about my thing for amenities."

Young Woman

Tina Garland, Lens Grinder "Dogs, toddlers, laptops with credit-card information—this list of things not to leave locked in a car on a hot day just keeps getting longer and longer."

Asian Man

Chris Benning, Receptionist "Forget the confidential client information. Have you ever seen so much Rick Astley on a single iTunes collection?"

Labels: , ,

Vendors sync up IP wiretapping tools 

I'm sure it warms the hearts of many to see two vendors of IP wiretapping software holding hands and working on interoperability and compatibility: Vendors sync up IP wiretapping tools.

Labels: ,

Incident: Massive personal information leak at Japanese telco 

Japan's second largest mobile phone operator has reported that personal information on almost four million subscribers has been compromised. Two arrests have been made in the breach, which was apparently an inside job and an attempt to blackmail the company.

KDDI reports massive personal data leak - Yahoo! News

Tue Jun 13, 7:53 AM ET

TOKYO (AFP) - KDDI Corp, Japan's number two mobile operator, said that private information on nearly four million subscribers to its Internet service had been leaked.

Police said extortionists tried to sell the data which included the names, addresses, contact numbers, sex, birthdate and e-mail addresses of those who applied for KDDI's Dion Internet service by December 18, 2003.

But information such as their passwords, bank account information and communications logs has not released, the company said.

Tadashi Onodera, KDDI president and chairman, offered a public apology at a press conference.

'We consider that this will hurt our company's credibility. We will do our best to restore customers' trust by explaining the issue,' Onodera told reporters, although he said there were no plans for compensation.

Information seems to have been leaked by KDDI employees or a vendor who had access to the system because it is impossible to access it from the outside, Onodera said.

Police said they arrested two men who attempted extortion in the case, reportedly demanding KDDI pay five million to 10 million yen (43,700 to 87,000 dollars) for the data.

Onodera declined to comment on the issue as it is under police investigation.

KDDI learned about the leak through an anonymous phone call on May 30 and the next day a person handed a CD-ROM with data from 400,000 customers to its headquarters' reception desk, he said.

Labels: , ,

Incident: Files Of 150,000 Voters Missing 

Whatever you do, don't let that 500 pound cabinet out of your sight.

Apparently a half-ton filing cabinet containing records of 150,000 voters in Colorado has "gone missing". It didn't walk away, but might have been misplaced when the Denver Election Commission moved offices. So if you see a lonely, lost filing cabinet, give them a call.

All Headline News - Files Of 150,000 Voters Missing - June 13, 2006:

Files Of 150,000 Voters Missing

June 11, 2006 8:38 a.m. EST

Mary K. Brunskill - All Headline News Contributor

Denver, Colorado (AHN) - Police were notified Saturday that records containing personal information on over 150,000 voters are missing at Denver election offices, and officials are investigating to find whether the files were lost, moved or stolen.

A 500-pound cabinet containing microfilmed voter registration files from 1989 to 1998, which contained voters' Social Security numbers, addresses and other personal information, disappeared in February when the commission moved to new offices.

Officials were not aware the records were missing until June 1 and the Denver Election Commission is trying to determine why officials did not learn the files were missing earlier, the AP reports.

Commission spokesman Alton Dillard told the Rocky Mountain News in Saturday's edition, 'We will get to the bottom of it.'

Dillard said staffers are searching the commission's new and old offices and its warehouse and employees of the moving company are being questioned.

Thanks to a correspondent from Vancouver, who led me to Interesting People, which linked to Hard To Do Any Worse, which in turn persuaded me to click on All Headline News.

Labels: , ,

Americans increasingly concerned about privacy and outsourcing 

The Ponemon Institute has undertaken a very interesting survey of Americans' attitudes toward outsourcing and privacy. What I find particularly interesting is that the survey revealed that Canada is the most trusted outsourcing destination. (India came in third, though the Indian media has been putting an interesting spin on it: US consumers give top trust ranking to India - The Times of India).

Here's the press release about the survey:

Survey Finds Americans Increasingly Concerned About Outsourcing Personal Data:

Up to 83% of Respondents Don't Want Sensitive Data Sent Off Shore

NEW YORK, June 6 /PRNewswire/ -- A new survey sponsored by global law firm White & Case LLP, and developed by independent privacy think tank Ponemon Institute, found that the majority of American consumers do not want US companies sharing personal information with outsourcing companies overseas.

Fifty-one percent of those US adults surveyed said that they did not want a US organization to send sensitive personal information such as social security or driver's license numbers to a local company in another country. Opposition was higher when it came to sharing even more sensitive information: 60 percent didn't want their credit or debit card account numbers shared with an offshore company; 64 percent opposed having their employee records shared; 73 percent opposed having their banking or home mortgage information shared; and a whopping 83 percent opposed having their health records shared with a local company in another country.

"That so many Americans are concerned about sensitive personal data going overseas isn't surprising given the growing threat of identity theft and general misperceptions about outsourcing itself," said White & Case partner Steve Betensky, who regularly advises companies on outsourcing issues. "But what makes this so challenging for US companies is that while consumers don't want their information sent oversees, 73 percent of US adults surveyed also said they are unwilling to pay higher prices for products or services if that would ensure that their personal information would not be outsourced offshore."

Betensky adds that the problem is further compounded by the fact that 82 percent of survey respondents felt that new US regulations were needed to ensure that offshore companies had adequate security and privacy safeguards in place -- despite the fact that many industries such as healthcare and financial services are already strongly regulated.

"When customers aren't willing to pay more for security safeguards, they automatically turn to government for relief. That leads to increased regulations, which generally leads to higher costs for companies in order to comply or risk fines. So the real message I take away from this survey is that companies better be prepared to pay more one way or the other. The best thing that companies can to do is negotiate their outsourcing contracts carefully so that the offshoring entity assumes some of the risk and costs associated with privacy safeguards and takes responsibility for ensuring that those privacy safeguards are effective," said Betensky.

Larry Ponemon, CEO and founder of Ponemon Institute, said that the survey also revealed that Americans do not view all countries equally when it comes to offshoring. When asked to select from 47 countries where outsourcing operations occur, US adults felt most comfortable with Canada, Ireland and India, giving them highest overall trust rankings with respect to local companies taking steps to protect or safeguard personal information. Philippines, Mexico, Haiti and Russia received the lowest trust rankings.

"Those statistics seem to confirm what we see in the global market place. India and Ireland have increasingly become some of the most attractive places for outsourcing ventures -- not only due to a well-educated workforce and lower salaries, but because those jurisdictions have made an active effort to establish strong regulations when it comes to outsourcing issues, including privacy," said Ponemon.

The study randomly surveyed 11,729 US adults via the Internet. In total, 1421 respondents completed the survey during an 8 day-research period. Of those, 127 were rejected because of incomplete or inconsistent responses -- results were thus drawn from a total of 1,294 people from every region of the United States.

A complete copy of the survey can be obtained at http://www.whitecase.com/outsourcingandprivacy

About White & Case

White & Case LLP is a leading global law firm with nearly 2000 lawyers practicing in 36 offices in 24 countries. White & Case's Privacy practice operates at the forefront of privacy issues and data protection laws. We advise clients on how to adopt sound privacy practices, avoid privacy risks, and protect their competitive advantage, including in relation to developing outsourcing contracts and policies. We also represent clients in privacy- related litigation. Each year we host an annual Global Privacy symposium, write articles and publish or sponsor surveys related to complex privacy issues. Visit http://www.whitecase.com.

About the Ponemon Institute, LLC

Ponemon Institute is a "think tank" dedicated to advancing responsible information management practices in business and government. To achieve this objective, Ponemon Institute conducts independent research on privacy and information security, educates leaders from the private and public sectors, and verifies the privacy and data protection practices of organizations. The Institute is headquartered in Michigan. For more information, visit http://www.ponemon.org or contact (800) 887.3118.

Labels: , ,

Monday, June 12, 2006

Privacy protection paramount with RFID 

David Canton's latest column is all about RFID and privacy. Check it out on his great glog: Privacy protection paramount with RFID.

Labels: ,

ACLU v NSA in the battle over warrantless wiretaps 

The US Government's warrantless wiretap program is going under the judicial microscope today in Detroit:

Battle over wiretaps to begin today:

The opening salvo of what is sure to be a closely watched and potentially landmark case over whether the U.S. government has the right to eavesdrop on thousands -- and potentially millions -- of telephone and e-mail communications will be fired in federal court in Detroit today.

The American Civil Liberties Union, which filed the lawsuit in January, will ask U.S. District Judge Anna Diggs Taylor to abolish the Bush administration's program of intercepting international phone calls in its fight against terrorism, saying it violates Americans' free speech and privacy rights.

The Justice Department, which represents the National Security Agency, is expected to argue that the program is legal and a key weapon in the administration's war on terror.

Although neither side expects Taylor to rule today, courtroom observers said she might reveal hints on how she will decide the case....

It is probably also safe to assume that this one will be appealed, regardless of the outcome. Stay tuned!

Labels:

Sunday, June 11, 2006

Beware of strangers bearing USB drives 

The fact that Microsoft Windows will automatically run software from a USB drive with no user intervention is a well-known security vulnerability. For example, the autorun function is the way that the infamous Sony rootkit gets its hooks into your system. With this feature enabled (or, rather, not blocked) on PCs, its an easy way for malware to be installed on your desktops via USB. Read this chilling example:

Dark Reading - Host security - Social Engineering, the USB Way - Security:

... Once I seeded the USB drives, I decided to grab some coffee and watch the employees show up for work. Surveillance of the facility was worth the time involved. It was really amusing to watch the reaction of the employees who found a USB drive. You know they plugged them into their computers the minute they got to their desks.

I immediately called my guy that wrote the Trojan and asked if anything was received at his end. Slowly but surely info was being mailed back to him. I would have loved to be on the inside of the building watching as people started plugging the USB drives in, scouring through the planted image files, then unknowingly running our piece of software.

After about three days, we figured we had collected enough data. When I started to review our findings, I was amazed at the results. Of the 20 USB drives we planted, 15 were found by employees, and all had been plugged into company computers. The data we obtained helped us to compromise additional systems, and the best part of the whole scheme was its convenience. We never broke a sweat. Everything that needed to happen did, and in a way it was completely transparent to the users, the network, and credit union management.

Of all the social engineering efforts we have performed over the years, I always had to worry about being caught, getting detained by the police, or not getting anything of value. The USB route is really the way to go. With the exception of possibly getting caught when seeding the facility, my chances of having a problem are reduced significantly.

You’ve probably seen the experiments where users can be conned into giving up their passwords for a chocolate bar or a $1 bill. But this little giveaway took those a step further, working off humans' innate curiosity. Emailed virus writers exploit this same vulnerability, as do phishers and their clever faux Websites. Our credit union client wasn’t unique or special. All the technology and filtering and scanning in the world won’t address human nature. But it remains the single biggest open door to any company’s secrets.

Disagree? Sprinkle your receptionist's candy dish with USB drives and see for yourself how long it takes for human nature to manifest itself.

Also read Bruce Schneier on this avenue of attack: Schneier on Security: Hacking Computers Over USB.

Labels: , ,

Saturday, June 10, 2006

The Practical Nomad on the Expedia/Hotels.com data breach 

The Practical Nomad has a very interesting post on the recent Expedia/Hotels.com privacy and security breach resulting from the loss of an auditor's laptop. (For my previous comments, including the fact that my data may have been on the laptop in question, see: The Canadian Privacy Law Blog: Incident: Hotels.com customer info on laptop stolen from auditor in February.)

The Practical Nomad blog: Expedia auditors lose laptop with customer credit card numbers:

...

Notably, Expedia has not said whether it had in place the contractual privacy commitments from Ernst & Young that would be required under Canadian (and other countries') laws -- although not under USA law -- as a precondition to allowing Erndst & Young to access personal information in customer or reservation records.

Hotels.com operates one of the world's largest travel Web site affiliate networks , many of whose members (in addition to the other Expedia divisions in the USA, Canada, and Europe), hide the Hotels.com service behind their own "private label". Many Hotels.com customers may never have realized they were dealing with Hotels.com rather than the company that operates the "private label" Web site. In the past, this lack of transparency has been one of the major themes of customer compliants against Hotels.com, especially when customers had problems at check-in and didn't knom whom to call. And customers of Expedia divisions in Canada and Europe may not have known that their personal data was being passed on to Hotels.com in the USA.

So, I asked, (1) does Hotels.com attempt to identify, or keep a record of, the country from which personal information was collected, and (2) are the actions being taken the same for all people whose data may have been on the stolen laptop, or are any different or additional actions being taken with respect to people from whom data may have been collected while they were in Canada or the European Union (e.g. as potentially identifiable from the IP address or the origination of the transaction through Expedia.ca or Expedia.uk), in light of the differences in Canadian and European Union data protection law?

The response on behalf of Expedia? "We do not track or capture geographies aside from the address customers provide for the transaction."

In other words, the word's largest Internet travel agency -- even though it requires cookie acceptance for purchases, and undoubtedly logs IP addresses and tracks referrals by affiliate -- make no attempt to keep track of the jurisdiction and legal conditions under which personal information is provided, or ensure that those restrictions accompany the data whenit is passed on. Even if they wanted to comply with the law in Canada and the EU, where they operate entire divisions, their current data structures aren't adequate to support compliance with the laws in those jurisdictions.

From what I've seen of industry norms, Expedia is no exception. Neither computerized reservation systems nor the AIRIMP (more on the latest AIRIMP revisions in a forthcoming post) support transmitting or recording the jurisdiction or rules under which any portion of the data in a passenger name record (which typically includes data entered in multiple jurisdictions, so a single field for the entire PNR would not suffice). But if Expedia can get away with ignoring data protection laws in countries where they do billions of dollars a year in busisness, so can the little guys.

This should be the test case of whether USA-based travel companies that do business in, and/or accept personal data from affiliates in, Canada and the EU need to track the jurisdiction and conditions governing use of that data, and ensure that those jusirsdictional and usage-restriction notes follow the data wherever it goes.

If you reserved a hotel through Hotels.com, and you were in Canada or the EU at the time, demand an explanation from the company, and complain to your national privacy commissioner or other national data protection authorities.

Labels: , , ,

Friday, June 09, 2006

Incident: Security clearance info on nuclear contractors compromised by hacker 

Not a good couple of weeks for information security in the US Government. It is now being reported that a hacker penetrated a computer system of the Department of Energy's Nuclear Weapons Agency in September, but the Secretary of Energy was not informed until last week. Here's a bit more info:

DOE computers hacked; info on 1,500 taken - Yahoo! News:

Although the compromised data file was in the NNSA's unclassified computer system -- and not part of a more secure classified network that contains nuclear weapons data -- the DOE officials would provide only scant information about the incident during the public hearing.

Brooks said the file contained names, Social Security numbers, date-of-birth information, a code where the employees worked and codes showing their security clearances. A majority of the individuals worked for contractors and the list was compiled as part of their security clearance processing, he said.

Tom Pyke, DOE's official charged with cyber security, said he learned of the incident only a few days ago. He said the hacker, who obtained the data file, penetrated a number of security safeguards in obtaining access to the system.

Labels: ,

Canadian government to revive wiretap bill 

According to the Globe & Mail, the Consevative government is planning to revive the previous Liberal government's proposal that would require all telcos, ISPs and VoIP providers to design in and implement tecnologies to facilitate wiretapping. The biggest issue is that internet-based communications aren't inherently tappable and snoops are trying to make the new technology compatible with their techniques:

globeandmail.com: Wiretap access bill to be revived:

... E-mails and Web surfing usually cannot be monitored by physically tapping into a wire, and new telephone technologies such as voice-over-Internet can make tapping calls more difficult, meaning access at the service providers' facilities is sometimes the only way to conduct surveillance....

Labels: ,

Thursday, June 08, 2006

Incident: IRS employee loses laptop with personal info on 291 employees and job applicants 

From the Washington Post:

IRS Laptop Lost With Data on 291 People:

The IRS's Terry L. Lemons said the employee checked the laptop as luggage aboard a commercial flight while traveling to a job fair and never saw it again. The computer contained unencrypted names, birth dates, Social Security numbers and fingerprints of the employees and applicants, Lemons said. Slightly more than 100 of the people affected were IRS employees, he said. No tax return information was in the laptop, he said.

'The data was not encrypted, but it was protected by a double-password system,' Lemons said. 'To get in to this personal data on there, you would have to have two separate passwords.'...

Labels: , ,

Wednesday, June 07, 2006

Incident: Info on 300K+ CPAs goes missing along with hard-drive 

If you don't need (really, really need) a particular type of personal information and it is at all sensitive, do not collect it. Do not keep it. If you have it, securely destroy it.

Privacy best practices world wide are pretty clear that you should only collect and retain personal information that is necessary for a clearly articulated purpose. In the CSA Model Code for the Protection of Personal Information, it is articulated thusly:

4.4 Principle 4 - Limiting Collection

The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.

This goes hand-in-hand with the principle that you should only keep information for as long as is reasonably necessary to fulfil those clearly articulated purposes. Take it away, CSA Code:

4.5 Principle 5 - Limiting Use, Disclosure, and Retention

Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes.

Generally Accepted Privacy Principles produced by the Canadian Institute of Chartered Accountants in Canada and the American Institute of Certified Public Accountants include variations on these general rules:

4. Collection. The entity collects personal information only for the purposes identified in the notice.

5. Use and Retention. The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes.

So I guess you can draw from these examples that you should not collect or keep someone's social security number or social insurance number unless you really need it.

Interestingly and ironically, this lesson has just been learned the hard way by the American Insitute of Certified Public Accountants. The AICPA has just reached the conclusion that it should apply at least a portion of its own Generally Accepted Privacy Principles with respect to the personal information about its members that it collects and retains. It appears that a hard-drive containing personal information on 330,000 members, including social security numbers, has gone missing while in the custody of an overnight courier. While it is very easy to blame the courier, it is clear that the AICPA has no compelling reason to collect SSNs. In fact, there's no reason that even roughly corresponds to the risk associated with keeping such data around, let alone couriering it to a service provider.

To read more, check out: CPA group says hard drive with data on 330,000 members missing.

Labels: , ,

Privacy Commissioner tables report calling for urgent reform of Canada's Privacy Act 

The Federal Privacy Commissioner appeared before the House Standing Committee on Access to Information, Privacy and Ethics to call for reform of the federal Privacy Act, which governs the collection, use and disclosure of personal information by federal government institutions.

News Release: Privacy Commissioner tables report calling for urgent reform of Canada's Privacy Act (June 5, 2006):

Ottawa, June 5, 2006 –The Privacy Act is an outdated law that leaves the Office of the Privacy Commissioner of Canada virtually powerless to protect the privacy rights of Canadians relating to information collected, used and disclosed by the federal government, said Privacy Commissioner Jennifer Stoddart in a document tabled today with the House of Commons Standing Committee on Access to Information, Privacy and Ethics.

The Privacy Act, which came into force in 1983, has never been amended or updated despite repeated calls for review by successive Privacy Commissioners.

“The world has profoundly changed since the Privacy Act was drafted,” said Ms. Stoddart. “Globalization has increased, national security concerns have become heightened, and Canadians have higher expectations that the federal government will respect fundamental privacy rights. The Privacy Act is outdated and it must be amended.”

Two separate federal laws protect Canadians’ privacy rights: the Personal Information Protection and Electronic Documents Act, or PIPEDA, and the Privacy Act. PIPEDA limits the private-sector’s collection, use or disclosure of an individual’s personal information. The Privacy Act governs how the public sector must handle personal information.

In her report, the Commissioner calls for the scope of the Privacy Act—which the Supreme Court has said has quasi-constitutional status—to be expanded in a number of specific ways:

  • Since 1982, the government has created many entities that are not subject to either the Privacy Act or PIPEDA. All public-sector bodies or offices should be subject to the Privacy Act unless Parliament specifically excludes them.
  • The Federal Court should be able to review not only claims of denial of access to personal information held by government, but also improper collection, use and disclosure of personal information. The Court should also be empowered to assess damages against offending institutions.
  • The definition of personal information should be expanded to include both recorded and unrecorded information, such as DNA samples, about identifiable individuals.
  • All individuals about whom the government holds personal information—and not just those present in Canada—should have the right to access, correct and be informed of that information. For example, airline passengers, immigration applicants and foreign student applicants have no right to access their information in Canadian government files.

The Commissioner has noted that the Privacy Act could be substantially remedied by adopting many of the provisions of PIPEDA, which came into force in stages starting in 2001. Ms. Stoddart identified specific fair information principles contained in PIPEDA that should be applied to the Privacy Act, such as:

  • Government institutions should only collect personal information that is reasonable and necessary for a particular purpose. They should specify the authority under which information is being collected, the uses to which it will be put, whether and with whom it may be shared, the consequences of not providing the information, and the right to make a complaint.
  • Where possible, when information is disclosed without consent, there should be a corresponding duty on the government to inform the individual about the disclosure.

The Office of the Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy rights in Canada.

To view the report: Government Accountability for Personal Information: Reforming the Privacy Act

Labels: ,

An ounce of prevention ... 

This should be obvious to most, but needs to be repeated: It is much less expensive to properly protect data than it is to deal with the aftermath of a data breach. See: Cleaning Up Data Breach Costs 15x More Than Encryption.

Labels:

Monday, June 05, 2006

Quebec to amend law to protect transfer of personal information to U.S. 

According to an article that crossed the wired about twenty minutes ago, the Province of Quebec is planning to amend its privacy law to require any export of personal information from the province is as secure as it would be in the provice. I haven't seen the proposed amendments to provide any more details, but check out the article in the meantime:

Macleans.ca : Quebec to amend law to protect transfer of personal information to U.S.:

MONTREAL (CP) - Quebec plans to follow the lead of several other provinces in attempting to protect its residents from the prying eyes of the American government.

Quebec's 12-year-old law governing the release of personal information by private businesses will be enhanced, partly in reaction to the USA Patriot Act enacted to give broader FBI access to records held by U.S. firms. The proposals, which are expected to be passed later this month, would require public bodies and private companies to ensure the information they send outside the province is as secure as it is in Quebec, said Richard Parent, a government official.

'You will have to ask the question with each contract: 'Will there be a violation of privacy and should there be a transmission of that information?' ' he said in an interview.

Companies would face increased fines - although the amount hasn't yet been made public - and would have to disclose publicly if a breach has occurred.

Individuals could also ask Quebec's information commissioner to investigate suspected breaches of the law.

Quebec's legal change comes in the wake of reports that the U.S. National Security Agency co-opted telecommunications companies to track millions of phone calls and store them in what may be the largest database in the world.

Labels: , ,

The NSA Is Listening 

Daryl Cagle's Professional Cartoonists Index at MSNBC is a great one-stop-shopping source for all your editorial cartoon needs. Not only does it include all the top editorial cartoonists from around the world and is up to date, they are also well organized by theme. Anyone with any interest in the latest scandal over NSA wiretapping should check out the theme "The NSA Is Listening".

Labels: ,

Privacy should be guarded 

David Canton's regular column in the London Free Press this week is a brief overview of the Annual Report of the Federal Privacy Commissioner on PIPEDA:
London Free Press - David Canton - Privacy should be guarded:

One noteworthy element is a more aggressive stance taken by the commissioner, Jennifer Stoddart, against organizations that are the subject of privacy complaints her staff determines to be well founded. Transgressors must now state the corrective measures they will take and when they will be completed.

Labels: ,

Sunday, June 04, 2006

Incident: Hotels.com customer info on laptop stolen from auditor in February 

OK. Now I'm a little mad. Another laptop reportedly stolen from an auditor. These have gotten too routine.

But this time, there's a good chance my personal information may have been on the stolen laptop. The data is from Hotels.com, a subsidiary of Expedia.com. This company also handles hotels booked through the Air Canada website using their Destina service. This is a service I've used in the past.

I haven't gotten a letter, but with information on 243,000 customers, I expect this is a subset of customers from 2002, 2003, 2004.

It is particularly rich that Hotels.com and Ernst & Young is suggesting that customers "take appropriate action to protect their personal information". Hello? You're suggesting that I take appropriate action to protect my personal information? How about you and your auditors taking appropriate action to protect my personal information. You can start by not letting it leave the building on a laptop. But if you don't follow that basic step, you could think about encrypting the information.

Here's the story from the Associated Press:

Hotels.com customer info may be at risk - Yahoo! News:

SEATTLE - Thousands of Hotels.com customers may be at risk for credit card fraud after a laptop computer containing their personal information was stolen from an auditor, a company spokesman said Saturday.

The password-protected laptop belonging to an Ernst & Young auditor was taken in late February from a locked car, said Paul Kranhold, spokesman for Hotels.com, a subsidiary of Expedia.com based in Bellevue, Wash.

"As a result of our ongoing communication with law enforcement, we don't have any indication that any credit card numbers have been used for fraudulent activity," Kranhold said. "It appears the laptop was not the target of the break-in."

Both Hotels.com and Ernst & Young mailed letters to Hotels.com customers this past week encouraging them to take appropriate action to protect their personal information.

The transactions recorded on the laptop were mostly from 2004, although some were from 2003 or 2002, the companies said. The computer contained personal information including names, addresses and credit card information of about 243,000 Hotels.com customers. It did not include their Social Security numbers.

Ernst & Young, which has been the outside auditor for Hotels.com for several years, notified the company of the security breach on May 3.

"We deeply regret this incident has occurred and want to apologize to you and Hotels.com for any inconvenience or concern this may cause," said the unsigned memo from Ernst & Young dated May 2006.

Ernst & Young invites those affected by the incident to enroll in a free credit monitoring service arranged by the auditor.

"We sincerely regret that this incident occurred and we are taking it very seriously," said the letter signed by Hotels.com general manager Sean Kell.

The letter from Hotels.com said "Ernst & Young was taking additional steps to protect the confidentiality of its data, including encrypting the sensitive information we provide to them as part of the audit process."

Labels: , ,

Saturday, June 03, 2006

Stolen DVA laptop had info on active duty personnel 

The Department of Veterans Affairs fiasco gets bigger with each few days.

It is now reported that the stolen laptop likely contained personal information on fifty thousand active duty military personnel:

IDs of active personnel on stolen laptop - Yahoo! News:

WASHINGTON - Personal data on up to 50,000 active Navy and National Guard personnel were among those stolen from a Veterans Affairs employee last month, the government said Saturday in a disclosure that goes beyond what VA initially reported.

VA Secretary Jim Nicholson said in a statement that his agency discovered after an internal investigation that the names, Social Security numbers and dates of birth of up to 20,000 National Guard and Reserve personnel who were on at least their second active-duty call-up were 'potentially included.'

Labels: ,

Law enforcement want ISPs to create and retain records of user activities 

The US Attorney General and the Director of the FBI met with executives from some of the largest ISPs in the US to suggest that they create and retain records to benefit law enforcement if/when they eventually come knocking. There is much speculation that this voluntary suggestion will soon become mandatory:

U.S. Wants Companies to Keep Web Usage Records - New York Times:

The Justice Department is not asking the Internet companies to give it data about users, but rather to retain information that could be subpoenaed through existing laws and procedures, Mr. Roehrkasse said.

While initial proposals were vague, executives from companies that attended the meeting said they gathered that the department was interested in records that would allow them to identify which individuals visited certain Web sites and possibly conducted searches using certain terms.

It also wants the Internet companies to retain records about whom their users exchange e-mail with, but not the contents of e-mail messages, the executives said. The executives spoke on the condition that they not be identified because they did not want to offend the Justice Department.

Labels: ,

Thursday, June 01, 2006

Response to: "If you've done nothing wrong, you have nothing to worry about" 

In case you haven't heard about it, Ask MetaFilter is an interesting online community where users post a wide range of questions and usually get high quality responses. A user just asked for a snappy response to "If you've done nothing wrong, you have nothing to worry about". Some of the best ones can't be reprinted on this family-friendly website, but I suggest checking it out: Response to: "If you've done nothing wrong, you have nothing to worry about" | Ask MetaFilter.

Labels:

Contractor loses personal data of 1.3M student loan customers 

The Associated Press is reporting that a contractor has lost a piece of unspecified equipment containing personal information related to 1.3 Million customers of Texas Guaranteed Student Loan Corp. The info had been decrypted by the contractor but is said to be protected by passwords "a number of times over". (I'm not sure what that means.) Check out the story here: Co. loses personal data of 1.3M customers - Yahoo! News, and the company's information page here: TG: TG announces contractor's loss of borrower files.

Labels:

Wednesday, May 31, 2006

Update on the Veterans' Affairs breach 

Some updated news in the wake of the ginormous data breach at the US Department of Veterans Affairs (for some background, see: The Canadian Privacy Law Blog: Incident: Personal information about 26.5M US veterans on laptop stolen):

Labels: ,

World Privacy Law Library 

I've used the World Legal Information Institute's website for various projects, but never browsed around to discover the WorldLII - Privacy Law Library. If privacy is your thing, bookmark this the main page of this sub-site now. You can search privacy regulators' decisions from around the world and get your hands on some fantastic publications in very short order. (Thanks to Peter Timmins' Open and Shut for leading me to this great resource.)

Labels:

What's new in ID theft? 

Yesterday's New York Times has a very interesting and wide-ranging article on identity theft, focusing on the growth in this kind of fraud in Arizona. The article illustrates innovative techniques that clever fraudsters have picked up and highlights the connection between meth abuse and ID theft. Finally, it also discusses whether the boom in identity theft is actually caused by how easily financial institutions hand out credit to people whose identities aren't verified. Check it out: Technology and Easy Credit Give Identity Thieves an Edge - New York Times. (Thanks to robhyndman.com for the link.)

For an intersting and contrarian perspective, check out Slate's: The New York Times flips out over "identity theft."

Labels: ,

Tuesday, May 30, 2006

European court blocks passenger data sharing deal with US 

Andreas Busch, blogging from Oxford, reports that the data sharing arrangement between the US and the EU has been struck down. Read all about it at his great blog ...

Politics of Privacy Blog: Passenger flight data: European court blocks EU data deal with US:

"The European Court of Justice has today anulled the European Council's decision regarding an agreement to provide US authorities with the data of European flight passengers, and the European Commission's decision that this agreement complies with with the European Union's data protection requirements. (More information about the details can be found in the ECJ's press release)...."

Labels:

E-mail issues causing headaches 

This morning, Toby Keeping of IronSentry and I gave a presentation on business and legal risks of e-mail and other electronic information at the Westin in Halifax. The Chronicle Herald is running a story on the topic, based interviews with Toby and me. Check it out: The ChronicleHerald.ca - E-mail issues causing headaches: Firms search for security in electronic age. E-mail me for a copy of the presentation.

Labels: , , , ,

Federal Privacy Commissioner releases annual report for 2005 

The Federal Privacy Commissioner of Canada has released her Annual Report to Parliament for 2005 (pdf). It is worth a read since it highlights many of the activities of that office that are not reported on elsewhere. It also includes a synopsis of a range of pending applications before the Federal Court of Canada that haven't been referred to elsewhere.

Here is the media release related to the report:

Tabling of Privacy Commissioner of Canada's 2005 Annual Report on the Personal Information Protection and Electronic Documents Act: Commissioner takes tougher stance

Ottawa, May 30, 2006 –There has been progress in advancing the privacy rights of Canadians in the private sector, but the Privacy Commissioner’s Office intends to be more assertive in ensuring that all businesses are complying with the law, according to the Privacy Commissioner of Canada, Jennifer Stoddart, whose 2005 Annual Report on the Personal Information Protection and Electronic Documents Act (PIPEDA) was tabled today in Parliament.

In 2005, the Privacy Commissioner began taking a stronger stance with respect to the recommendations made to organizations in her letters of finding. She began asking organizations that are the subject of well-founded complaints to state the corrective measures they would take – and when these measures would be implemented. In the one situation in which the company did not implement the recommendations, the Commissioner’s Office took the matter forward to the Federal Court. All other organizations have rapidly committed to providing redress and making systemic changes to their personal information management practices.

“Businesses, large and small, have demonstrated goodwill, commitment to community values and openness to change when it comes to protecting privacy,” states Ms. Stoddart in her report. “But I am concerned that apparent compliance does not always result in truly effective privacy and security practice. This goodwill needs to be translated into practice.”

Overall, information handling practices brought to the attention of the Privacy Commissioner’s Office show a high level of compliance with PIPEDA among Canadian companies. And the Commissioner is pleased that a recent trend toward settling complaints is continuing, with almost half of the 400 complaints in 2005 being settled to the apparent satisfaction of all parties.

Another theme of the report relates to technology, consumer trends and national security concerns, which continue to introduce novel uses for personal data and require ever greater amounts of it. It is time to revisit how the operating rules are defined and applied, and how adequate these rules are in a world of such rapid technological change.

Recent polling commissioned by the Privacy Commissioner’s Office suggests that 88 per cent of Canadians feel that it is important that privacy laws are updated to ensure they are keeping up with new technologies that may have an impact on their personal information.

PIPEDA came into effect in stages beginning in 2001, so the Office now has more than five years of experience dealing with the law. It is slated for a full Parliamentary review in 2006, which is expected to commence in the fall. This mandated review is vital and will present a unique opportunity to examine the Act’s effectiveness in protecting privacy rights in the marketplace. It will also give Parliamentarians the chance to help respond to growing attacks on personal information through identity theft, spam and fraudulent on-line activities. The Commissioner is urging the government to consider a similar review of the Privacy Act, the federal public sector privacy law, which has not been substantially amended since its inception in 1983.

As the Commissioner’s Office plans for its participation in this all-important review of PIPEDA, it will also continue to pursue preventive activities such as education, outreach, complaint resolution, as well as audits and reviews. The expectation of additional resources will further assist the Office in fully carrying out this multi-faceted mandate to protect and promote privacy rights.

The Office of the Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy rights in Canada.

— 30 —

To view the report: Annual Report to Parliament 2005 — Report on the Personal Information Protection and Electronic Documents Act (Adobe format)

Labels: , ,

Sunday, May 28, 2006

Incident: Sacred Heart computer security breach affects 135,000 

Security breaches at universities are such old news that I've stopped reporting them on this blog. But this one is a bit different. A computer security breach has resulted in the compromise of personal information of 135,000 people at Sacred Heart University in Connecticut. (Yawn.) But what's notable is that many of those affected are not alumni, not staff, not students, not applicants. The university had obtained information on prospective students from dozens of sources, likely without the OK of those individuals. And some of this information was compromised in the breach. Yup. That's a new one. And not a good one.

See: Wtnh.com, Connecticut News and Weather - Sacred Heart computer security breach affects 135,000.

Labels: ,

I'd like to thank the academy. And my blog ... 

I usually don't write about anything other than privacy law, but I thought I'd make an exception to write a bit about this blog ...

This week I was honoured to be the receipient of the Outstanding Young Canadian Award in the category of Leadership, given by the Junior Chamber of Commerce International, Halifax Chapter. My firm, McInnes Cooper, has made a pretty big deal out of it (Congratulations to David Fraser, our Outstanding Young Canadian!). It was all very flattering and humbling at the same time.

The criteria for the award are:

Leadership: The legal, political, public and governmental sectors have leaders to use their skills to attain goals on a regular basis. They constantly make a difference in their organization and their leadership ability is a key to their success. The nominee for this award has proven leadership abilities.

I fit the "young" part, since I'm between 18 and 40. And it is unusual for a young associate in a large law firm to head a practice group, to develop a niche practice and to have a significant national client base.

I had to give a speech, along with the winners in the other categories, at the gala dinner on Thursday. The organizers suggested something inspiring. Well, I spend a lot of time talking to large groups about privacy law but it was pretty weird to contemplate standing up and talking about myself. But it did make me reflect upon what "got me here". And a significant part of that is this blog.

In building my practice in privacy law, I have spent a lot of time and effort networking, getting know people in the field, doing wider marketing and even making direct pitches to prospective clients, but the one thing that has raised my profile most of all and has resulted in engagements from far-flung clients is this blog. I know from the site's stats that it is read regularly by the Office of the Federal Privacy Commissioner, the provincial privacy commissioners, most major Canadian law firms, the big five Canadian banks, and Canada's equivalent of the Fortune 500.

This blog and its wide readership has led to an invitation to speak at the Canadian Bar Association's annual meeting in Winnipeg in 2004 (The Canadian Privacy Law Blog: Report from the CBA in Winnipeg). Everything I've written for the Canadian Privacy Law Review has started as a posting on this blog. The first times I met each of the British Columbia, Alberta and Ontario privacy commissioners, each of them knew me and commented on my blog. I've given dozens of media interviews for newspapers, radio and TV throughout Canada and into the U.S. on privacy issues and, almost without exception, the reporters and producers found me via the blog. I've also been featured in high-profile articles on Canadian legal bloggers (CBA Magazine: Blogging the spotlight and New Media Marketing, Part I - Blogs: How Lawyers Can Become Thought Leaders in a Niche Market (CBA members-only login)), all thanks to this blog. Also, thanks to this blog, I've met a number of great people from coast to coast, some of whom I've met in the real world and some who I only know through e-mail.

Importantly, all of the above is an unintended consequence. I didn't start out the blog thinking it would raise my profile or would be a good way to meet people. I started it because I wished someone else had put together a "one stop shopping" place for Canadian privacy law and notable news in this area. At the end of 2003, there wasn't such a site to keep privacy lawyers and others up-to-date on this area, so I decided to do it for myself. I was surprised at how easy it was and I was also pleasantly surprised that it didn't take as much time as I thought it would. Everything else has been gravy. Heaps of gravy.

In any event, I'd like to thank my friends, my family, my firm and my blog.

Labels: , ,

Wednesday, May 24, 2006

Privacy and security may be a competitive advantage 

At least Paxx Telecom LLC thinks so. They have just issued a press release advertising that their service lets you thumb your nose at the NSA, et al:

Phone Company, In Response To Concerns About Phone Privacy, Shows Customers How To Tell The NSA To Take A Hike - Yahoo! News

(PRWEB) - Scottsdale, AZ (PRWEB) May 24, 2006 -- The recent revelation first made by USA Today that the National Security Agency (NSA) has been commandeering phone records of tens of millions of ordinary Americans has shocked those who cherish their privacy and do not agree with unnecessary snooping by their government.

It’s hard to know which phone companies are prepared to protect the privacy of telephone records from the NSA’s prying eyes. Certainly many of the nation’s largest phone companies are not, according to USA Today.

With the cooperation of the nations largest phone companies, the NSA has amassed the largest ever database of “call detail” information including who called what number, when and for how long.

Less understood is that while the public is “assured” no personal data is being collected, it’s only a small step required in order to “connect-the-dots”. Revealing the owner of most phone numbers is often as simple as typing the number into Google.

Even a pre-paid calling card purchased for cash is not anonymous. All calls originating from that card are recorded based on their authorization code, and it’s just a few simple steps to identify the caller.

“This is nothing new”, reports Paul Schmidt, CEO of Paxx Telecom LLC. “We reported back in 2002 that the a number of the major phone companies informed their customers that they intended to distribute or sell customers’ private information after a Federal Court gave them blanket permission to do so.”

“At Paxx Telecom, our records are secured offsite and we guarantee never to turn over any records to the government or anyone else without a court order. All our customers need do is dial a short access number in front of the number they want to reach. As a result, the local phone company will show only the connection to Paxx Telecom. It will have no record of the actual number the customer talked to", he said. “In addition, we keep call records on our servers only temporarily to give customers access to verify proper invoicing, after which the calling information will be extinguished.”

Paxx Telecom LLC is a privately owned long distance provider, incorporated in the state of Arizona in 1999. Paxx Telecom offers domestic and international long distance services to residents of the USA and Canada, and it offers International callback services in most countries overseas. Paxx Telecom has agreements to use the network backbones of some of the world’s largest communication providers. For optimal call clarity, Paxx Telecom is using traditional voice-quality networks rather than VOIP or other Internet technology. Additional information about Paxx Telecom services is available at www.PaxxTelecom.com

More information about Paxx Telecom’s secure phone system can be found at www.paxxtelecom.com or by calling 1-800-664-4977.

Labels: , ,

Tuesday, May 23, 2006

Singapore moving closer to data protection law 

Asian economic powerhouse Singapore is about two years away from a data protection law as the country moves through a consultation process toward that objective:

Channelnewsasia.com:

SINGAPORE: A committee that is looking at how to protect private information is expected to submit its report to the government next month.

Experts believe one of the key features of the upcoming data protection law is clamping down on private companies that collect and disseminate personal information freely.

Currently, when a person fills out their personal information on forms or lucky draw coupons, the companies will usually store the information in their databases and disseminate it without the person's knowledge or permission.

The upcoming law will likely make sure that that will not happen.

Experts believe the law may be ready in about 2 years.

"Data collectors would have to get your consent if they're going to use it for direct marketing and if you discover that your particulars are being used by direct marketing by a particular company, you'd have a right to go to the company and demand that they stop doing it. It's the sort of thing I could envisage in the legislation coming," said S Suressh, a partner at Harry Elias Partnership.

Singaporeans are increasingly using the internet to conduct transactions.

So it's timely for the government to study and develop laws to protect personal details.

"As we develop, there're more and more demands for rights and one of the rights is of course the right to privacy. So the government's probably decided that we have reached a certain level of development and that businesses can probably cope with the increased burden and cost of this," said Asst Prof Terence Tan from the Law Faculty at NUS.

The existing laws cover mainly government agencies such as the Inland Revenue Authority of Singapore, requiring they protect your personal information.

But data collection and protection are unregulated among private companies, which will change with the coming of new laws. - CNA /dt

Labels:

Upcoming Seminar: E-mail, storage and the law 

Location: Westin Hotel, Halifax, NS
Start Date: Tuesday, May 30, 2006
Time: 8:00am - 11:30am

With 70% of critical business information contained in email, small and medium sized companies face numerous challenges. Legal concerns including privacy, retention, and accountability are forefront, but improper use, hardware requirements, and the ability to recover old emails are also highly important to today’s business owner.

Join Toby Keeping (IronSentry Inc.) and David Fraser (McInnes Cooper) in an information session as they discuss these and other issues that small and medium sized companies have to address with electronic information.

For more information, or to register, click here.

Contact: Toby Keeping, 902.463.4485 x1401 or tkeeping@ironsentry.com

Labels: ,

Monday, May 22, 2006

Australian women fear "stalker" reverse directory 

The Privacy Commissioner of Australia is poised to investigate a controvertial "reverse directory" in that country. The site, www.boonghunter.com, provides names, addresses and numbers of residents based on partial information, including just the streets they live on. Women in particular are afraid that it'll make a good tool for stalkers.

The Advertiser: Women fear website puts them in danger [23may06].

By MICHAEL OWEN

23may06

AN unauthorised telephone directory website has alarmed women, who fear it will increase the risk of stalking and endanger women and children seeking refuge from domestic violence.

The website - www.boonghunter.com - also has disturbed Telstra, which yesterday described it as "a gross invasion of privacy".

The website and the source of its information was last night under investigation by federal authorities, including the Australian Communications and Media Authority and the Office of the Federal Privacy Commissioner. Sensis, Telstra's online directory division, said it was "appalled" by the website, which provides "reverse search" access to address and telephone numbers of individuals.

"Unlike the White Pages directory, where you need to know the name of the person you are searching for before you can find their details, reverse searching enables people to search for your private details without knowing who you are," Sensis Corporate Affairs Manager Karina White said.

"For example, you can find out someone's personal details just by knowing the street they live on.

"Whoever is behind this website has no regard for Australians' rights to have their personal contact information handled responsibly and with respect."

Karen Barnes, chairperson of the Kilburn-based Women's Housing Association, was concerned for the safety and security of women and children trying to flee abusive situations.

"We will be pursuing a formal inquiry to try and get this website closed down," Ms Barnes said.

Telecommunications industry sources last night said initial inquiries indicated an overseas computer hacker had gained access to the Integrated Public Number Database, which contains the names, addresses, phone numbers and phone location of all residential and business customers in the country. The database is managed by Telstra on behalf of the telecommunications industry.

The INPD is used by telcos to develop their own directories and is also available to authorised members of the Australian police and emergency services.

ACMA last night confirmed it had started investigating the source of the information on the website.

Privacy Commissioner Karen Curtis was last night preparing to launch a formal investigation.

The domain http://www.boonghunter.com is being redirected to http://www.indigenoushunter.com/. I understand the term "boong" (which I must confess I've never heard before) is an offensive term used to refer to aboriginal Australians.

Labels: ,

Incident: Personal information about 26.5M US veterans on laptop stolen 

An employee of the United States Department of Veterans' Affairs took home a laptop containing data on 26.5 million American veterans, which was subsequently stolen from his home. Authorities do not think the information has been misused:

Personal Data of 26.5M Veterans Stolen - Yahoo! News

WASHINGTON - Personal data, including Social Security numbers of 26.5 million U.S. veterans, was stolen from a Veterans Affairs employee this month after he took the information home without authorization, the department said Monday.

Veterans Affairs Secretary Jim Nicholson said there was no evidence so far that the burglars who struck the employee's home have used the personal data — or even know they have it. The employee, a data analyst whom Nicholson would not identify, has been placed on leave pending a review.

"We have a full-scale investigation," said Nicholson, who said the FBI, local law enforcement and the VA inspector general were investigating. "I want to emphasize, there was no medical records of any veteran and no financial information of any veteran that's been compromised."

"We have decided that we must exercise an abundance of caution and make sure our veterans are aware of this incident," he said in a conference call with reporters.

The theft of veterans' names, Social Security numbers and dates of birth comes as the department has come under criticism for shoddy accounting practices and for falling short on the needs of veterans.

Last year, more than 260,000 veterans could not sign up for services because of cost-cutting. Audits also have shown the agency used misleading accounting methods and lacked documentation to prove its claimed savings.

Veterans advocates immediately expressed alarm....

The federal government has put up an information page here:

Latest Information on Veterans Affairs Data Security -- Firstgov.gov

Latest Information on Veterans Affairs Data Security

The Department of Veterans Affairs (VA) has recently learned that an employee, a data analyst, took home electronic data from the VA, which he was not authorized to do. This behavior was in violation of VA policies. This data contained identifying information including names, social security numbers, and dates of birth for up to 26.5 million veterans and some spouses, as well as some disability ratings. Importantly, the affected data did not include any of VA's electronic health records nor any financial information. The employee's home was burglarized and this data was stolen. The employee has been placed on administrative leave pending the outcome of an investigation.

Appropriate law enforcement agencies, including the FBI and the VA Inspector General's office, have launched full-scale investigations into this matter. Authorities believe it is unlikely the perpetrators targeted the items because of any knowledge of the data contents. It is possible that they remain unaware of the information which they possess or of how to make use of it. However, out of an abundance of caution, the VA is taking all possible steps to protect and inform our veterans.

The VA is working with members of Congress, the news media, veterans service organizations, and other government agencies to help ensure that veterans and their families are aware of the situation and of the steps they may take to protect themselves from misuse of their personal information. The VA will send out individual notification letters to veterans to every extent possible. Additionally, working with other government agencies, the VA has set up a manned call center that veterans may call to get information about this situation and learn more about consumer identity protections. That toll free number is 1-800-FED INFO (1-800-333-4636). The call center will operate from 8 am to 9 pm (EDT), Monday-Saturday as long as it is needed.

Here are some questions you may have about this incident, and their answers.

I'm a veteran. How can I tell if my information was compromised?

At this point there is no evidence that any missing data has been used illegally. However, the Department of Veterans Affairs is asking all veterans to be extra vigilant and to carefully monitor bank statements, credit card statements and any statements relating to recent financial transactions. If you notice unusual or suspicious activity, you should report it immediately to the financial institution involved and contact the Federal Trade Commission for further guidance.

What is the earliest date at which suspicious activity might have occurred due to this data breach?

The information was stolen from an employee of the Department of Veterans Affairs during the month of May 2006. If the data has been misused or otherwise used to commit fraud or identity theft crimes, it is likely that veterans may notice suspicious activity during the month of May.

I haven't noticed any suspicious activity in my financial statements, but what can I do to protect myself and prevent being victimized by credit card fraud or identity theft?

The Department of Veterans Affairs strongly recommends that veterans closely monitor their financial statements and review the guidelines provided on this webpage or call 1-800-FED-INFO (1-800-333-4636).

Should I reach out to my financial institutions or will the Department of Veterans Affairs do this for me?

The Department of Veterans Affairs does not believe that it is necessary to contact financial institutions or cancel credit cards and bank accounts, unless you detect suspicious activity.

Where should I report suspicious or unusual activity?

The Federal Trade Commission recommends the following four steps if you detect suspicious activity:

  1. Step 1 – Contact the fraud department of one of the three major credit bureaus:

    Equifax: 1-800-525-6285; http://www.firstgov.gov/external/external.jsp?url=http://www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241

    Experian: 1-888-EXPERIAN (397-3742); http://www.firstgov.gov/external/external.jsp?url=http://www.experian.com; P.O. Box 9532, Allen, Texas 75013

    TransUnion: 1-800-680-7289; http://www.firstgov.gov/external/external.jsp?url=http://www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790

  2. Step 2 – Close any accounts that have been tampered with or opened fraudulently.
  3. Step 3 – File a police report with your local police or the police in the community where the identity theft took place.
  4. Step 4 – File a complaint with the Federal Trade Commission by using the FTC's Identity Theft Hotline by telephone: 1-877-438-4338, online at http://www.firstgov.gov/external/external.jsp?url=http://www.consumer.gov/idtheft, or by mail at Identity Theft Clearinghouse, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington DC 20580.

I know the Department of Veterans Affairs maintains my health records electronically; was this information also compromised?

No electronic medical records were compromised. The data lost is primarily limited to an individual's name, date of birth, social security number, in some cases their spouse's information, as well as some disability ratings. However, this information could still be of potential use to identity thieves and we recommend that all veterans be extra vigilant in monitoring for signs of potential identity theft or misuse of this information.

What is the Department of Veterans Affairs doing to insure that this does not happen again?

The Department of Veterans Affairs is working with the President's Identity Theft Task Force, the Department of Justice and the Federal Trade Commission to investigate this data breach and to develop safeguards against similar incidents. The Department of Veterans Affairs has directed all VA employees complete the "VA Cyber Security Awareness Training Course" and complete the separate "General Employee Privacy Awareness Course" by June 30, 2006. In addition, the Department of Veterans Affairs will immediately be conducting an inventory and review of all current positions requiring access to sensitive VA data and require all employees requiring access to sensitive VA data to undergo an updated National Agency Check and Inquiries (NACI) and/or a Minimum Background Investigation (MBI) depending on the level of access required by the responsibilities associated with their position. Appropriate law enforcement agencies, including the Federal Bureau of Investigation and the Inspector General of the Department of Veterans Affairs, have launched full-scale investigations into this matter.

Where can I get further, up-to-date information?

The Department of Veterans Affairs has set up a special website and a toll-free telephone number for veterans that features up-to-date news and information. Please check this webpage for further updates or call 1-800-FED-INFO (1-800-333-4636).

Page last updated, May 22, 2006

Labels: , , , , , ,

Sunday, May 21, 2006

Almost perfect accuracy still labels hundreds as criminals in the UK 

99.97% accuracy sounds pretty good, unless you are one of the 1500 people in the UK incorrectly labeled as a criminal.

The Criminal Records Bureau is unapologetic that it errs on the side of caution in managing its databases. See: BBC NEWS | UK | Hundreds wrongly dubbed criminals.

Labels:

Scottish 'Big Brother' plan to profile every child in massive database 

Child protection authorities in Scotland are planning to phase in an enormous database on all children born in the country in an effort to identify children at risk of abuse. Not surprisingly, the initiative is being referred to as "Orwellian":

Edinburgh Evening News - Edinburgh - 'Big Brother' plan to store every baby on computer: "'Big Brother' plan to store every baby on computer

EVERY newborn child in Edinburgh and the Lothians faces being stored on a "Big Brother-style" national database under a major shake-up of Scotland's child protection system.

The computerised files would be kept "live" until the child reaches the age of 16 and will include personal details of their health, family life and education.

The child's file will be closed when they reach 16, but it will then be kept on record for up to 75 years.

Teachers, police, GPs and social workers will be able to access the files to check for signs of abuse.

If the child is regularly late for school or their behaviour changes dramatically, the details could be put into the system where it is hoped it will build up a picture of the child's overall welfare.

...

The national database is being planned by ministers to revolutionise information sharing between different agencies and improve protection for vulnerable children.

The move follows a series of high-profile cases of child protection failures in Edinburgh and the Lothians.

In March, two-year-old East Lothian boy Derek Doran died after drinking his parents' methadone. He had been found dead in his bed by his mother last December at their home at Elphinstone, near Tranent.

And last year, three-year-old Michael McGarrity was found alone in a Leith flat with the body of his drug-addict mother, having survived for six weeks on scraps of food.

...

The scheme is to be piloted in Highland Council from September 3 before being extended across the country, according to the Scottish Executive.

Every newborn child in the Highland region and around 500 Inverness schoolchildren will be logged into the system during the trial.

Families have been told they will be consulted about the nature of information that is held.

A spokesman for the Scottish Executive said: "Highland's experience will also be used to help other local authorities prepare for the roll-out of the new systems."

But a human rights expert warned the new system may be open to abuse.

John Scott, former head of the Scottish Human Rights Centre, said: "The positive aspects of this are fairly obvious but bringing so much information into one place brings with it the scope for abuse.

"The important thing it to ensure there are very clear safeguards in place."

Thanks to Pogo Was Right for the link.

Labels: ,

DHS Privacy Office Bashes RFID Technology To Track People 

This is interesting (and unexpected):

DHS Privacy Office Bashes RFID Technology To Track People - Yahoo! News:

The Department of Homeland Security's Privacy Office has issued a draft report that strongly criticizes privacy and security risks of using radio frequency identification devices for human identification. Public comment on the paper is being taken until May 22.

The privacy office says the technology offers little performance benefit for identification purposes compared with other methods and could turn the government's identification system into a surveillance system.

Labels: , , ,

This page is powered by Blogger. Isn't yours? Creative Commons License
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License. lawyer blogs