The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

About this page and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

For full contact information and a brief bio, please see David's profile.

Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.

Small Print

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.

Tuesday, February 19, 2008

US FTC successfully sues Accusearch/Abika 

Recently, the US Federal Trade Commission successfully brought an action against Accusearch (aka Abika) for selling customer phone records without consent.

Readers will recall that Abika was the subject of a complaint brought by CIPPIC in Canada that is still ongoing.

District Court Bars the Sale of Consumers’ Telephone Records to Third Parties

A federal judge has barred the illegal operation of an information broker who advertised and sold confidential consumer telephone records to third parties without the consumers’ knowledge or consent. In entering summary judgment for the Federal Trade Commission, Judge William F. Downes of the U.S. District Court for the District of Wyoming also required the defendants to give up nearly $200,000 in ill-gotten gains derived from the consumer phone records they sold, and ordered that the individuals whose records were sold be notified.

In May 2006, the FTC charged AccuSearch, Inc., doing business as Abika.com, and its principal, Jay Patel, with violating federal law by selling consumers’ phone records to third parties without the consumers’ knowledge or authorization. According to the FTC complaint, the defendants advertised on their Web site that they could obtain the confidential phone records of any individual – including details of outgoing and incoming calls – and make that information available to their clients for a fee. To obtain such information, which is not legally available to the public, the FTC alleged that the defendants caused others to use “false pretenses, fraudulent statements, fraudulent or stolen documents or other misrepresentations, including posing as a customer of a telecommunications carrier,” to induce the telecommunications carriers to disclose the confidential records. Consumers whose phone records were sold by defendants suffered substantial injury as a result of those sales. The FTC charged that the defendants’ practices were unfair in violation of the FTC Act.

In his ruling, Judge Downes found that the defendants’ obtaining and selling of confidential phone records without consumers’ knowledge or consent was “necessarily accomplished through illegal means,” and that defendants knew that the phone records were being obtained surreptitiously. The court further found that this practice caused substantial injury to consumers, including: serious health and safety risks experienced by some consumers from stalkers and abusers; economic harm associated with changing telephone carriers and upgrading security on their accounts; and a host of “substantial and real” emotional harms. The court concluded that consumers had no way to avoid these harms. “In fact,” Judge Downes wrote, “the evidence presented before the court indicates that confidential consumer phone records were sold through Abika.com despite considerable efforts by consumers to maintain the privacy of those records.” Finally, the court found no countervailing benefits to consumers or competition that could be derived from defendants’ practice.

Judge Downes also rejected the defendants’ claimed immunity under Section 230 of the Communications Decency Act, 47 U.S.C. § 230, a federal statute that confers immunity on interactive computer service providers for publishing information content provided by a third party. The court found that the defendants failed to establish two of the three necessary elements of a CDA defense, holding that the FTC’s lawsuit did not seek to “treat” defendants as a publisher within the meaning of the CDA, and that the defendants participated in the creation or development of the information content.

Following his opinion, Judge Downes permanently barred the defendants from obtaining, causing others to obtain, marketing, or selling consumers’ telephone records except as permitted by law. The order also bars the defendants from purchasing, marketing, or selling consumer personal information unless the information was lawfully obtained. The order prohibits the defendants from making deceptive statements to obtain consumers’ personal information and from buying such information from third parties.

The judge’s order requires the defendants to give up the $199,692.71 in ill-gotten gains they earned through illegally obtaining and selling the records. The order also authorizes the FTC to notify the individuals whose phone records were sold by defendants, to the extent that those consumers can be located. The order allows the FTC to use the forfeited ill-gotten gains for this purpose. Finally, the order contains certain bookkeeping and record keeping requirements to allow the FTC to monitor compliance.

The defendants have appealed the order to the Tenth Circuit Court of Appeals.

The FTC wishes to thank the Office of the U.S. Attorney for the District of Wyoming for its assistance in this matter.

The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, click http://www.ftc.gov/ftc/complaint.shtm or call 1-877-382-4357. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to more than 1,600 civil and criminal law enforcement agencies in the U.S. and abroad. For free information on a variety of consumer topics, click http://www.ftc.gov/bcp/consumer.shtm.


Tuesday, July 10, 2007

Commissioner releases pretexting report 

You may recall some time ago when pretexting made the headlines in Canada after a Maclean's reporter purchased the Privacy Commissioner's phone records (Canadian Privacy Law Blog: That's a little cheeky: MacLean's Magazine buys Privacy Commissioner's cellphone records off the 'net). Today the Commissioner released a finding into the incident, accompanied by a big media release:

Data broker exploits human error, weak safeguards to access phone records

July 10, 2007

PIPEDA Case summary #372: Disclosures to data brokers expose weaknesses in telecoms’ safeguards

Here's the release:

Data broker exploits human error, weak safeguards to access phone records

OTTAWA, July 10 /CNW Telbec/ - Recent experience has shown Canadian companies must take precautions to ensure personal information and customer data is not vulnerable to data thieves and pretexters. Strong identification and authentication procedures are essential in blocking unauthorized attempts to access the personal information of Canadians.

An investigation by the Office of the Privacy Commissioner of Canada (OPC) has found that human error and weaknesses in the policies and procedures of three telecommunications companies allowed a data broker to gain unauthorized access to personal phone records.

The investigation was prompted by an article in Maclean's alleging the magazine had been able to purchase the telephone records of Privacy Commissioner Jennifer Stoddart and a senior Maclean's editor from US-based data broker Locatecell.com.

The investigation found that Locatecell.com used "social engineering" to trick phone company customer service representatives into divulging confidential information, either in the specific instances alleged and/or subsequent test cases. Social engineering involves manipulating people into divulging personal information, for example, by pretexting, or pretending to be someone authorized to obtain the information.

The OPC looked at improper disclosures of personal information to pretexters seeking to gain unauthorized access to phone records of individuals without their knowledge or consent. The three companies investigated were Bell Canada, Telus Mobility and Fido.

"In each case, we found that customer service representatives had not followed the companies' established authentication procedures. We also found that training of customer service representatives was not comprehensive enough to protect customers' personal information from illegal access by pretexters," says Assistant Commissioner Raymond D'Aoust. "As a result, the three companies failed to meet the requirements of the Protection of Personal Information and Electronic Documents Act (PIPEDA)."

All three companies revised their customer authentication procedures shortly after the disclosures took place. The OPC reviewed those changes and recommended further steps to address weaknesses in their policies and procedures to prevent unauthorized individuals from gaining access to customers' personal information. All three companies have since taken additional steps to further mitigate the risks resulting from pretexting and unauthorized access to personal records. The Office of the Privacy Commissioner is generally satisfied that all three companies have put in place an adequate set of measures to address the problems.

Nonetheless, the Assistant Commissioner says the companies should have been better prepared to deal with social engineering in the first place. The issue of data brokers using social engineering to obtain call records in the United States had been in the news some time before these incidents occurred.

"It's particularly troubling that not enough was done to let call centre employees know about this kind of threat," says Assistant Commissioner D'Aoust.

"Given the prevalence of identity theft, it is absolutely crucial that all companies adopt strong authentication processes to help ensure that they are providing information to someone who is actually authorized to have that information. It is equally vital that companies ensure that their employees are following these processes and are aware of the threats to personal information that pretexting poses."

The OPC has developed Guidelines for Identification and Authentication on its web site.

A summary of findings in the three cases is also available on the web site.

New laws in the US have recently made it an offence to use pretexting to obtain individuals' phone records in an effort to curb the activities of US information brokers, including Locatecell.com. However, this does not mean the problem has gone away either in the US, or elsewhere, particularly in other countries, including Canada, where no similar legislation yet exists.

In an appearance before a Parliamentary committee last month, Commissioner Stoddart called on the federal government to work collaboratively with the provinces and international partners to adopt a range of legislative and policy solutions to address this problem.

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.


Sunday, April 08, 2007

New anti-pretexting regulation in the United States 

These sound like eminently sensible regulations that could be adopted as best practices for any company that handles personal information. According to the Privacy and Security Law Blog, the US Federal Communications Commission has adopted regulations about the release of calling records by telecommunications companies. The rules provide that information can only be released to those who have a password associated with the account. If no password is provided, the information can only be either (i) mailed to the address of record or (ii) telephoned to the phone number of record. Also, the customer has to be alerted via these approved channels if the address or the password is changed. Makes sense to me.
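The release rule described in this post, sketched as an added example (not part of the original post and not taken from the text of the FCC regulation): a password-gated release with fallback to the contacts of record, plus change notices. The field names, channel names and the `HOLD_DAYS` waiting period are assumptions of the example, as is sending change notices to the contacts that were on file before the change.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

HOLD_DAYS = 30           # assumption of this example, not stated in the post
PBKDF2_ROUNDS = 100_000  # constructed value for the example


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Contact:
    value: str
    since_day: int       # day number on which this value was put on the account


@dataclass
class Account:
    address: Contact
    phone: Contact
    salt: bytes = b""
    pw_hash: bytes = b""  # empty: the customer never set a password
    audit: list = field(default_factory=list)


def password_ok(acct: Account, supplied) -> bool:
    if not acct.pw_hash or supplied is None:
        return False
    # Constant-time comparison of the derived hashes.
    return hmac.compare_digest(_derive(supplied, acct.salt), acct.pw_hash)


def decide_release(acct, supplied_password, requested_dest, today, prefer="mail"):
    """Return (channel, destination) for a request for calling records."""
    if password_ok(acct, supplied_password):
        decision = ("direct", requested_dest)
    else:
        # No valid password: the destination the caller asks for is ignored.
        # Records go only to a contact of record, and only to one that has
        # been on the account for at least HOLD_DAYS.
        options = {"mail": acct.address, "phone": acct.phone}
        order = [prefer] + [c for c in options if c != prefer]
        decision = ("refuse", None)
        for channel in order:
            contact = options[channel]
            if today - contact.since_day >= HOLD_DAYS:
                decision = (channel + "_of_record", contact.value)
                break
    acct.audit.append((today, "release", decision[0]))
    return decision


def _notify_prior(acct, what):
    # Notices go to the contacts on file before the change and do not
    # reveal the new value.
    return [("mail", acct.address.value, what + " changed"),
            ("phone", acct.phone.value, what + " changed")]


def change_address(acct, new_address, today):
    notices = _notify_prior(acct, "address")
    acct.address = Contact(new_address, today)
    acct.audit.append((today, "address_change", "notified"))
    return notices


def set_password(acct, new_password, today):
    notices = _notify_prior(acct, "password")
    acct.salt = os.urandom(16)
    acct.pw_hash = _derive(new_password, acct.salt)
    acct.audit.append((today, "password_change", "notified"))
    return notices


def demo():
    # Constructed sample account and requests.
    acct = Account(Contact("12 Example St, Halifax", 0),
                   Contact("+1-902-555-0100", 0))
    set_password(acct, "correct horse", today=10)
    results = {}
    results["with_password"] = decide_release(acct, "correct horse", "portal", today=100)
    # Caller without the password asks for records to be faxed elsewhere.
    results["no_password"] = decide_release(acct, None, "fax 555-0199", today=100)
    # Address is changed, then records are requested with a guessed password.
    results["notices"] = change_address(acct, "PO Box 9, Elsewhere", today=101)
    results["after_change"] = decide_release(acct, "guess", "fax 555-0199", today=102)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

In the last request the freshly changed address is skipped because it has not been on the account long enough, so the records fall back to the phone number of record.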


Sunday, February 04, 2007

Gov't balks at phone privacy provision 

The Federal Communications Commission is trying to develop rules to counter pretexting, but is encountering resistance from the FBI and Secret Service. A requirement to destroy calling records after they have served legitimate business purposes would make the records unavailable for review by law enforcement. A second requirement to notify consumers if their records have been disclosed by a pretexter would tip the consumers off if they are the subject of an investigation. See: Gov't balks at phone privacy provision - Yahoo! News.


Friday, January 12, 2007

Charges laid in HP pretexting case 

The first charges have been laid in the HP pretexting case: Federal charge in HP spy case.


Tuesday, January 09, 2007

PIs, privacy and pretexting 

Kevin Bousquet, a private investigator with The Corpa Group, has an interesting and long post on PIs, privacy law and pretexting on his blog. It's his view that privacy laws have backfired and that Bill C-299 (the anti-pretexting private member's bill) will have a disastrous effect on the ability of private investigators to deal with fraud, among other things. It's obvious that he put a lot of thought into it and, though I don't agree with many of his conclusions, it is an interesting perspective.

Oddly, there wasn't anyone espousing this perspective who appeared at the PIPEDA review hearings.


Monday, December 11, 2006

HP settles pretexting charges 

Hewlett Packard has settled its pretexting case with the Attorney General of California, agreeing to pay $14.5 million: HP Settles California 'Pretexting' Charges, Pays $14.5 Million - News by InformationWeek.


Friday, September 08, 2006

Pretexting and Canadian law 

Rob Hyndman has some interesting things to say about the whole surveillance fiasco that appears to be blowing up in the faces of HP's management. (See: robhyndman.com » Blog Archive » Surveillance - is this the HP Way?) I also have to say thanks to Rob for posting a link to the Smoking Gun's reproduction of a letter from one board member who resigned in protest (Hewlett-Packard Targeted Board In Leak Probe - September 5, 2006). That letter includes, as an attachment, a letter from AT&T describing the outcome of their investigation of how someone managed to establish online accounts in the name of the board member to review his calling activity. Apparently, HP's management also hacked the accounts of journalists to get similar info on them (Reporters' records hacked in HP probe, CNET News.com).

[What follows is very general and should not be taken as legal advice.]

If this case had arisen in Canada, PIPEDA would probably not be much help to go after the pretexter. In connection with an investigation, you can collect personal information without consent under 7(1)(b). And then you can use it without consent under 7(2)(d). The only check on this is likely the "reasonableness" provision in s. 5(3):

An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.

Unfortunately, this section doesn't really speak of the manner of collection. Principle 4.4 of Schedule I, however, says that "Information shall be collected by fair and lawful means." Hacking into a system and impersonating the individual is probably not fair and (see below) lawful.

(I would emphasise that PIPEDA does not apply to private individuals pretexting for their own purposes or to journalists. But the Criminal Code applies to everyone.)

In Canada, our Criminal Code has a number of provisions that could be used to prosecute anyone doing this sort of pretexting. To begin with, there's the fraud section (s. 380) that reads:

Every one who, by deceit, falsehood or other fraudulent means, whether or not it is a false pretence within the meaning of this Act, defrauds the public or any person, whether ascertained or not, of any property, money or valuable security or any service,
(a) is guilty of an indictable offence and liable to a term of imprisonment not exceeding fourteen years, where the subject-matter of the offence is a testamentary instrument or the value of the subject-matter of the offence exceeds five thousand dollars; or

(b) is guilty (i) of an indictable offence and is liable to imprisonment for a term not exceeding two years, or

(ii) of an offence punishable on summary conviction,

where the value of the subject-matter of the offence does not exceed five thousand dollars.

Courts have held, generally speaking, that an individual commits fraud when (a) deceit; (b) unfair disclosure; or (c) unfair exploitation is used to induce any person to part with any property or suffer a financial loss. But is setting up an online account really within "any service"? It's not 100% clear.

The Criminal Code also contains a section dealing specifically with impersonation. Section 403 reads:

403. Every one who fraudulently personates any person, living or dead,
(a) with intent to gain advantage for himself or another person,

(b) with intent to obtain any property or an interest in any property, or

(c) with intent to cause disadvantage to the person whom he personates or another person,

is guilty of an indictable offence and liable to imprisonment for a term not exceeding ten years or an offence punishable on summary conviction.

There are also the "hacking" provisions in s. 342.1, which in my experience the crown and police are too bashful to apply to hacking to obtain information:

342.1 (1) Every one who, fraudulently and without colour of right,
(a) obtains, directly or indirectly, any computer service,

(b) by means of an electro-magnetic, acoustic, mechanical or other device, intercepts or causes to be intercepted, directly or indirectly, any function of a computer system,

(c) uses or causes to be used, directly or indirectly, a computer system with intent to commit an offence under paragraph (a) or (b) or an offence under section 430 in relation to data or a computer system, or

(d) uses, possesses, traffics in or permits another person to have access to a computer password that would enable a person to commit an offence under paragraph (a), (b) or (c)

is guilty of an indictable offence and liable to imprisonment for a term not exceeding ten years, or is guilty of an offence punishable on summary conviction.

(2) In this section,

“computer password” means any data by which a computer service or computer system is capable of being obtained or used;

“computer program” means data representing instructions or statements that, when executed in a computer system, causes the computer system to perform a function;

“computer service” includes data processing and the storage or retrieval of data;

“computer system” means a device that, or a group of interconnected or related devices one or more of which,

(a) contains computer programs or other data, and

(b) pursuant to computer programs,

(i) performs logic and control, and

(ii) may perform any other function;

“data” means representations of information or of concepts that are being prepared or have been prepared in a form suitable for use in a computer system;

“electro-magnetic, acoustic, mechanical or other device” means any device or apparatus that is used or is capable of being used to intercept any function of a computer system, but does not include a hearing aid used to correct subnormal hearing of the user to not better than normal hearing;

“function” includes logic, control, arithmetic, deletion, storage and retrieval and communication or telecommunication to, from or within a computer system;

“intercept” includes listen to or record a function of a computer system, or acquire the substance, meaning or purport thereof;

“traffic” means, in respect of a computer password, to sell, export from or import into Canada, distribute or deal with in any other way.

Several aspects of this provision make it extremely broad or at least allow a very broad interpretation. The definition of computer service includes data processing and the storage or retrieval of data. Computer system is quite broad, covering every device that contains some software-related functionality. The definition of data is also rather expansive, including data “in a form suitable for use in a computer system,” which would include data in the process of being transmitted, or in offline storage, in addition to data inside a computer.

It may appear that Canadian law is up to the task of dealing with pretexting, but I'd conclude that we could use some clarification. The courts have held that information is not property and there may be enough wiggle room to argue that pretexting doesn't fit within the above sections of the Criminal Code. Perhaps we need an amendment or two to clearly criminalize impersonation of a person to obtain information about that person.


Friday, June 16, 2006

Tory backbencher introduces bill to criminalize pretexting 

Conservative backbencher James Rajotte has introduced a private members' bill, Bill C-299: An Act to amend the Criminal Code, the Canada Evidence Act and the Competition Act (personal information obtained by fraud). It is intended to criminalize pretexting and obtaining personal information by fraud. Here's a summary:

SUMMARY

This enactment amends the Criminal Code to create the following criminal offences:

(a) obtaining personal information from a third party by a false pretence or by fraud;

(b) counselling a person to obtain personal information from a third party by a false pretence or by fraud; and

(c) selling or otherwise disclosing personal information obtained from a third party by a false pretence or by fraud.

It also amends the criminal offence of “personation with intent” to include fraudulent personation with intent to obtain any record containing personal information about a third party.

As well, the enactment amends the Canada Evidence Act to prohibit the admission into evidence of any personal information obtained by fraud, false pretence or fraudulent personation.

Finally, it amends the Competition Act to

(a) characterize the business of fraudulently obtaining personal information as an illegal trade practice;

(b) characterize the promotion of a product that is provided by means of fraud, false pretence or fraudulent personation as a false or misleading representation to the public; and

(c) provide for the recovery of damages from corporations within Canada affiliated with corporations outside Canada that have obtained personal information from third parties in Canada by fraud, false pretence, or personation.

Whether it will have any legs is anyone's guess.

Thanks to Michael Geist for the link:


Monday, March 20, 2006

Sprint sues PI over sale of phone records 

The latest chapter in the series of lawsuits over the sale of phone records: Sprint Nextel has filed a lawsuit against a PI firm that was allegedly acquiring phone records on behalf of online record brokers. Here's the press release:


Sprint Nextel Files Lawsuit Against Fraud Source in Ongoing Effort to Protect Consumer Privacy

Latest Action Aims to Wipe Out Threat Posed by Private Investigation Firm Responsible for "Pretexting" on Behalf of Online Data Brokers

Sprint Nextel Media Contact: Jennifer Walsh, 913-794-2950, jennifer.r.walsh@sprint.com

More information on Sprint Nextel's Commitment to Customer Privacy

RESTON, Va. — 03/20/2006 Sprint Nextel Corp. (NYSE: S) announced today that it has filed a lawsuit against a private investigation firm that employs deceptive practices to illegitimately obtain customer call detail records, and then sells the confidential information to online data brokers. In its complaint against San Marco & Associates of St. Petersburg, Fla., Sprint Nextel states that the company employs fraudulent tactics such as pretexting, the practice of obtaining personal information under false pretenses, to access cell phone logs and phone numbers.

In the suit filed March 17, 2006, in U.S. federal court in Florida, Sprint Nextel states that the schemes conducted by San Marco & Associates invade the privacy of Sprint Nextel's customers. Sprint Nextel has requested both temporary and permanent injunctions against San Marco & Associates.

"As we dig deeper into the origins of this fraud, we've determined that, in some cases, companies with no Internet presence whatsoever are handling the dirty work for these online operations," said Kent Nakamura, vice president for telecom management and chief privacy officer for Sprint Nextel. "We indicated previously that we would take any action necessary to eliminate this threat, and we are following through on that promise to our customers."

In addition to this latest legal action, Sprint Nextel secured a permanent injunction against First Source Information Specialists Inc., parent company of www.locatecell.com, www.datafind.org, and others, based on a complaint it filed in January 2006. As a result, First Source will no longer attempt to obtain, sell or distribute call detail records belonging to Sprint Nextel customers. Sprint Nextel also filed a complaint against All Star Investigations Inc. ("ASI"), a company believed to own and or operate web sites including www.onlinePI.com, www.allstarinvestigations.com, www.detectivesusa.com, www.miamiprotection.com and www.privatedetectivesusa.com.

Sprint Nextel strongly encourages its customers to take precautions to protect themselves. In particular, Sprint Nextel recommends that customers regularly change passwords used to access account information on the Sprint.com web site or when calling customer care, and select unique passwords to access voicemail messages on Sprint phones. For additional customer privacy tips, please go to www.sprint.com/privacy.

Thanks to beSpacific for the reference: beSpacific: Sprint Nextel Files Lawsuit Against PI Firm For Sale of Customer Phone Records.


Monday, February 27, 2006

Waging war on pretexting, one state bar at a time 

The Electronic Privacy Information Center (aka EPIC) has been waging war on the practice of "pretexting", which is most popularly associated with private investigators calling under a fake identity with a fake rationale to get information about somebody they are investigating. Now, EPIC is taking it to the state bar associations in the US as they have concluded that lawyers are some of the prime consumers of pretexting services. In a letter sent to all the state bars, EPIC is calling upon the ethics bodies of each state to issue an advisory opinion to prevent lawyers from using investigators who employ pretexting:

State Ethical Boards Must Take Action to Protect the Integrity of the Profession

We urge you to take action to review these practices under the ethical rules of your state. Pretexting involves using fraud to trick a company into releasing private personal information. We believe that hiring investigators or other services to engage in pretexting implicates ABA Model Rules 1.2, 3.4, 4.1, 4.4, and 8.4. We urge you to analyze the practice of pretexting under the ethical rules in force in your State.

We realize that attorneys may be unwitting participants in this practice. They may hire investigators to locate witnesses or perform other functions without being aware that pretexting was being employed. Accordingly, issuing an advisory opinion or highlighting this issue in communications to members of the Bar may be appropriate action to addressing use of pretexting.

See also: EPIC West: Electronic Privacy Information Center West Coast Office: Pretexting and Attorneys' Ethical Rules


Saturday, February 11, 2006

FCC considers new rules to safeguard caller information 

From the Federal Communications Commission (via beSpacific: FCC Proposes Rulemaking to Prevent Sale of Cell Phone Records):

FCC EXAMINES NEED FOR TOUGHER PRIVACY RULES

Comment Sought On Measures Proposed by EPIC, Commission

Washington, D.C. – The Federal Communications Commission today launched a proceeding to examine whether additional security measures could prevent the unauthorized disclosure of sensitive customer information held by telecommunications companies.

In a Notice of Proposed Rulemaking (NPRM) adopted today, the Commission seeks comment on a variety of issues related to customer privacy, including what security measures carriers currently have in place, what inadequacies exist in those measures, and what kind of security measures may be warranted to better protect consumers’ privacy. The Notice grants a petition for rulemaking filed by the Electronic Privacy Information Center (EPIC) expressing concerns about whether carriers are adequately protecting customer call records and other customer proprietary network information, or CPNI. EPIC claims that some data brokers have taken advantage of inadequate security standards to gain access to the information under false pretenses, such as by posing as the customer, and then offering the records for sale on the Internet. The practice is known as “pretexting.”

In its petition, EPIC proposed five additional security measures that it says will more adequately protect CPNI. The NPRM specifically seeks comment on these five measures, which are:

  • Passwords set by consumers.
  • Audit trails that record all instances when a customer’s records have been accessed, whether information was disclosed, and to whom.
  • Encryption by carriers of stored CPNI data.
  • Limits on data retention that require deletion of call records when they are no longer needed.
  • Notice provided by companies to customers when the security of their CPNI may have been breached.

Section 222 of the Communications Act requires carriers to take specific steps to ensure that CPNI is adequately protected from unauthorized disclosure. Current rules require carriers to certify compliance with the Commission’s CPNI rules and make that certification available to the public, but the Commission observes that a lack of uniformity in these certifications could be an obstacle to effective enforcement. The Commission seeks comment on a tentative conclusion that it should amend its rules to require carriers to file annual compliance certificates with the Commission, along with a summary of all consumer complaints received in the past year concerning the unauthorized release of CPNI and a summary of any actions taken against data brokers during the preceding year.

The Commission also seeks comment on other ways to protect customer privacy, including whether carriers should be required to take the additional step of calling a subscriber’s registered telephone number before releasing CPNI in order to verify that the caller requesting the information is actually the subscriber.

Action by the Commission, February 10, 2006 by Notice of Proposed Rulemaking (FCC 06-10). Chairman Martin, Commissioners Copps, Adelstein and Tate.


Friday, January 20, 2006

Security of phone records 

Rob Hyndman weighs in on the recent concerns over the ease with which some companies are able to get calling records from various phone companies:

robhyndman.com: "... What I find particularly troubling about pretexting is that it pulls back the covers on what must be profoundly lax security precautions taken by the phone companies, and suggests that they are still - even after all of 2005's controversy over poor data security - remarkably unconcerned with building data security in as a core value of their corporate cultures (quite apart from the obvious failure to build sensible data protection measures into business processes). At some point, data security just has to be recognized as a mission-critical obligation of these organizations, and there ought to be serious and punitive consequences if they are not up to this challenge."


Saturday, January 07, 2006

Illinois fights cell records theft 

According to the Chicago Tribune, the state of Illinois is planning to be the first state to implement strong measures to protect phone customers from the unauthorized release of their calling information. The proposed law will require phone companies to protect the privacy and security of customer information. Notably, it will also outlaw "pretexting", which is said to be the technique used by most of the companies who trade in this sort of data. See: Chicago Tribune | Gov. fights cell records theft.


Wednesday, August 31, 2005

EPIC petitions FCC on sale of phone records 

Last month, I blogged about the fact that a number of companies online are selling telephone records without the consent or knowledge of the individuals concerned. The records appear to be obtained by "pretexting" or from employees of the telcos (See: The Canadian Privacy Law Blog: Online Data Gets Personal: Cell Phone Records for Sale). Now, the Electronic Privacy Information Center is petitioning the FCC to put a stop to the practice. Read about it at Red Herring: FCC's Privacy Petition.


Tuesday, May 03, 2005

Seven techniques used by ID thieves 

The Pittsburgh Channel (via Yahoo! News) is running an article entitled "The 7 Forms Of ID Theft". It highlights, in a summary way, the principal ways that identity thieves get their hands on personal information:

"1. Stealing company data with your personal information.
2. Pretexting.
3. Dumpster diving.
4. Outgoing mail theft.
5. Account takeover.
6. Skimming.
7. Raiding your old computer."


Monday, November 01, 2004

Website update: David T.S. Fraser's Privacy Law Resources 

Over the weekend, I updated and added more content to my page of privacy resources, David T.S. Fraser's Privacy Law Resources. On the table of Canadian privacy legislation, I have added an annotation indicating the laws that have been declared by the federal Governor in Council to be substantially similar to PIPEDA.

I have also added a number of links to the national privacy regimes of the US, the UK, France and Germany:

Non-Canada: Individual Countries

United States of America

United Kingdom

France

Germany


The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.