The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

Search this blog

Recent Posts

On Twitter

About this page and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

For full contact information and a brief bio, please see David's profile.

Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.

David Fraser's Facebook profile

Privacy Calendar



Subscribe with Bloglines

RSS Atom Feed

RSS FEED for this site

Subscribe to this Blog as a Yahoo! Group/Mailing List
Powered by

Subscribe with Bloglines
Add to Technorati Favorites!

Blogs I Follow

Small Print

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.

Wednesday, July 02, 2008

Most Canadians resist sharing personal details with stores: Poll 

When I give presentations on Canadian privacy law, the number one question I get -- without exception -- is whether a retailer can ask for your phone number or postal code at the point of sale. Sometimes I'm asked about asking for ID when making returns. According to (I haven't been able to find the survey itself), the Privacy Commissioner of Canada has commissioned a survey that confirms that Canadians are not comfortable with retailers who ask intrusive questions at the check-out:

Most Canadians resist sharing personal details with stores: Poll

Most Canadians resist sharing personal details with stores: Poll

Don Butler , Canwest News ServicePublished: Wednesday, July 02, 2008

OTTAWA - More than half of Canadians resist requests for personal information from retailers and nearly as many simply refuse to provide it, according to a survey done for the Office of the Privacy Commissioner.

The Ipsos Reid survey, made public recently on a government website, also found that safety or security concerns are a major impetus for the refusal to give retailers personal information such as name, phone number or postal code.

The survey of 1,000 adult Canadians, conducted last December, was commissioned in part to help the privacy commissioner's office evaluate the need for public education to inform Canadians about their privacy rights during retail transactions.

The survey found 52 per cent of respondents resist retailers' requests for personal information by asking why it is needed, and 45 per cent flatly refuse to provide such information.

Thirteen per cent have deliberately given a store incorrect information when asked for a name, phone number or postal code. Eleven per cent have done the same when registering for commercial online sites.

Anne-Marie Hayden, spokeswoman for the privacy commissioner's office, said it was encouraging that many Canadians are balking at requests for personal information from retailers.

"Personal information is increasingly invaluable in the marketplace," she said. "So we're pleased that consumers are taking charge and questioning requests for their personal information."

Under the Personal Information and Electronic Documents Act, Hayden noted, businesses aren't allowed to collect personal information indiscriminately. Rather, they're supposed to limit the information gathered to what is necessary for the purposes identified by the organization.

Retailers need to be open about why they're asking for personal information, she said.

"If they can't give you a good reason why they need your personal information, don't give it out."

The survey found those who have either refused to give personal information or given incorrect information most often say they did so for reasons related to security and safety.

One in five don't trust the safety of providing such information online, while one in 10 have concerns about identity theft, fraud or computer hackers. Another six per cent mention safety or security issues in general.

A further 28 per cent refrain from providing their personal information because they consider it private or none of the retailer's business.

Others say they refuse because retailers don't need the information or they don't want to be contacted by telemarketers or sent junk mail.

One in three Canadians say they think stores use personal information they gather to compile statistics or demographic information on their customers. Three in 10 think stores sell the information to telemarketers or other companies.

The survey has a margin of error of 3.1 percentage points, plus or minus, 19 times out of 20.

In a report last month, Privacy Commissioner Jennifer Stoddart said many companies ignore "elementary security measures" to protect the personal information they gather. This has led to a growing number of "inexcusable" security breaches, she said.

Last year, the privacy commissioner's office launched an online "e-learning tool" to help retailers bring their privacy practices and policies into line with the law.

Labels: , ,

Friday, April 11, 2008

Big Brother is watching, but he doesn't seem to care 

I was interviewed some time ago for a feature article in the Toronto Star on privacy issues associated with loyalty cards. These products are very popular in Canada, with Air Miles and Shopper's Drug Mart's Optimum card leading the way. Many of these programs have the potential to collect a vast amount of shopping data, but most of the companies interviewed by Paul Brent didn't really seem to care about collecting the sort of detailed individual data that most assume is being collected. - Travel - Big Brother is watching, but he doesn't seem to care

If you've ever hesitated when handing over that loyalty card at the liquor store or the pharmacy wondering, "just who is looking at what I'm buying?" you might take some comfort in the answer: Likely nobody.

In theory, marketers have the power to drill down into the digital minefield of a consumer's spending and determine their buying preferences for everything from their favourite wine to their brand of shampoo.

However, the reality is that retailers and service companies are too busy to care what we do, except in large numbers.

"It is not as if you are getting mail from a glasswares manufacturer saying: `We notice that you drink a lot of beer,'" says Ed Strapagiel, executive vice-president of Kubas Consultants. "For the most part, retailers have not over-exploited this data. The power is there to use, but they haven't really gone after it."

The reluctance of merchants to dig deeper into the consumer treasure trove of information makes some sense, however, he adds. "Many of these retailers that we are talking about – Loblaws, Canadian Tire, Shoppers Drug Mart ... they are not direct marketers. If the whole basis of your business is driving business to your store, you are not going to use direct marketing."

Consumers, for their part, realize they are giving up some of their privacy but appear willing to pay that price for the benefits that come from loyalty programs.

"It's actually never bothered me," says Tracy, waiting outside a Shoppers Drug Mart with her dog while her husband shops inside. She has been a devoted Air Miles collector for a decade and flew her mother from Sault Ste. Marie to Toronto on points.

A buyer for a local theatre company, she regularly uses the Internet for private and work purchases, and says she keeps a "close eye" on her credit cards and bank accounts electronically. Her husband agrees the benefits of collecting reward miles outweigh any privacy fears – "even though they are probably tracking our every move," he jokes.

But consumers should be aware they are entering into an agreement with loyalty companies when they take a membership card. The price for those "free" perks, such as travel rewards or discounts on purchases, is that you agree to allow marketers to take an electronic peek into your shopping basket.

"There are a whole bunch of programs where people choose to give up some privacy for convenience," says David Fraser, a privacy lawyer with the Halifax firm of McInnes Cooper.

"It doesn't bother me," says Zan Harriott, who had just purchased a greeting card and lottery tickets at Shoppers and swiped her Optimum points card.

A member of the loyalty program since it started, she says she regularly collects rewards from the card.

Launched in 2000, the Optimum program has 8.2 million members, making it one of the country's largest.

Fraser has not heard of any Canadian marketers abusing the data they obtain from loyalty programs. "In my experience, the companies that run loyalty programs are really quite diligent about privacy issues."

When it comes to privacy and loyalty programs, many consumers are surprised that information is being collected for marketing purposes, while others expect someone in a nameless data centre is noting every last tube of toothpaste.

The reality is somewhere in the middle.

Fraser notes that Air Miles was the subject of a consumer complaint a few years ago, but the federal Privacy Commissioner found the marketer was not amassing the detailed shopping information "a lot of people would have expected them to be collecting."

That fear of just how much information is being gathered acts as a brake on the expansion of loyalty plans. "If you don't tell customers what is going on, they assume the worst," Fraser says.

As the country's biggest loyalty marketer, reaching two-thirds of Canadian households (there are 9 million "collector" households), Air Miles is sensitive to the issue of privacy.

"Not just for us but across the Canadian marketplace, privacy is a pretty significant public policy issue," says Mitchell Merowitz, vice-president of corporate affairs and chief privacy officer for the Air Miles reward program.

The fact that Air Miles has been the most popular loyalty program in the country since 2001 shows that most Canadians are not too worried about leaving a digital record of their purchasing habits.

Information collected by Air Miles is gathered on a household basis and is not product-specific. A successful swipe of the card tells the company the date, value and store a purchase was made.

"The information that you see on your summary statement is the information that we collect," Merowitz says.

Related stuff: Canadian Privacy Law Blog: Air Miles should be about data mining, not mass appeal, Canadian Privacy Law Blog: Article: Loyalty cards plus legwork can track beef buying, and the finding of the Privacy Commissioner of Canada referred to is on the PIAC website at

Labels: , , , ,

Tuesday, April 01, 2008

Privacy commissioner raps home improvement retailer for collecting drivers licenses on product returns 

The Information and Privacy Commissioner of Alberta has ruled that Home Depot violated the Personal Information Protection Act (Alberta) when it collected and recorded a customer drivers license information in connection with a product return. The company's policy was that returns for purchases that were made with a debit card, even with a receipt, are treated as a "no receipt" return and the information is collected. The Commissioner noted that the information would be placed in a database maintained by the American parent company in the United States, which is a disclosure of personal information.

The article on quotes a Home Depot spokesperson who says this is no longer the policy as customers thought it to be an invasion of privacy. See: Privacy commissioner raps Home Depot.

Labels: , , ,

Sunday, December 30, 2007

2007 "worst year ever" for data breaches 

Looking back, 2007 has been the worst year ever for privacy breaches. This may only be the case because of mandatory breach reporting in many US jurisdictions, but the numbers are pretty staggering. See: Personal data theft reaches all-time high - Houston Chronicle, which includes:

Major 2007 breaches

Some major data breaches disclosed in 2007:

  • Discount retailer TJX Cos. reports hackers broke into its computer systems and accessed at least 46 million customer records, primarily credit card data. Banks later sue TJX and estimate the breach involved at least 94 million records.
  • Britain's tax and customs department loses two computer disks containing personal information such as addresses and bank account numbers for about 25 million people. The disks were sent via internal government mail to the government's audit agency, but never arrived.
  • Dai Nippon Printing Co., a Japanese commercial printing company, says a former contract worker stole nearly 9 million pieces of private data on customers from 43 clients.
  • A check-authorizing subsidiary of Fidelity National Information Services says information on 8.5 million consumers was stolen, allegedly by a former employee.
  • Online brokerage TD Ameritrade Holding Corp. said one of its databases was hacked and contact information for its more than 6.3 million customers was stolen.
  • The online job site Monster Worldwide Inc. discovered that con artists had grabbed contact information from resumes of 1.3 million people.

Source: Associated Press research

Labels: , ,

Wednesday, September 26, 2007

Inadequate security safeguards led to TJX breach, Commissioners say 

The federal Privacy Commissioner and the Information and Privacy Commissioner of Canada have released their reports on the TJX/Winners breach (Report of Findings (September 25, 2007) Privacy Commissioner of Canada and Investigation Report P2007-IR-006). The moral of the story: don't collect information you don't need, don't keep it any longer than you need and properly secure the information you have.

Here's the media release:

News Release: Inadequate security safeguards led to TJX breach, Commissioners say (September 25, 2007) - Privacy Commissioner of Canada

Inadequate security safeguards led to TJX breach, Commissioners say

September 25, 2007 –The risk of a breach of sensitive personal information held by TJX Companies Inc., the US parent company of Winners and HomeSense stores in Canada, was foreseeable, but the company failed to put in place adequate security safeguards, an investigation by the Privacy Commissioners of Canada and Alberta has found.

“The company collected too much personal information, kept it too long and relied on weak encryption technology to protect it – putting the privacy of millions of its customers at risk,” says Privacy Commissioner of Canada Jennifer Stoddart.

“Criminal groups actively target credit card numbers and other personal information,” says Commissioner Stoddart. “A database of millions of credit card numbers is a potential goldmine for fraudsters and it needs to be protected with solid security measures.

“The TJX breach is a dramatic example of how keeping large amounts of sensitive information – particularly information that is not required for business purposes – for a long time can be a serious liability.”

The joint investigation by the two Commissioners was launched after TJX disclosed in January that its computer system had been breached. This breach involved millions of credit and debit card numbers as well as other personal information, such as driver’s license numbers collected when customers returned merchandise without receipts.

“This case is a wake-up call for all retailers. They must collect only the personal information necessary for a transaction,” says Frank Work, the Information and Privacy Commissioner of Alberta.

“One positive outcome of this extremely unfortunate breach is that TJX worked cooperatively with us to develop a new process for dealing with unreceipted returns which strikes an appropriate balance between privacy rights and a retailer’s need to take steps to prevent fraud.”

TJX believes the intruder may have initially gained to customer information via the wireless local area networks at two of its US stores. Customer information was stolen from mid-2005 through December 2006, a TJX investigation found. Some stolen information involved transactions dating back to 2002.

Stolen information included credit card account data as well as data collected when customers returned merchandise without a receipt (drivers’ license numbers, names and addresses).

The investigation concluded TJX did not comply with the federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), and Alberta’s Personal Information Protection Act (PIPA). The investigation found:

  • TJX did not properly manage the risk of an intrusion against the amount of customer data that it collected.
  • The company failed to act quickly in converting from a weak encryption standard to a stronger standard. The conversion process took two years to complete, during which time the breach occurred.
  • TJX did not meet its duty to monitor its computer systems vigorously. An adequate monitoring system should have alerted the company of an intrusion prior to December 2006.
  • The company did not adhere to the requirements of the Payment Card Industry Data Security Standard, which was developed to address the growing problem of credit card data theft.

The investigation also found the company did not have a reasonable purpose to collect driver’s license and other identification numbers when unreceipted merchandise was returned. TJX stated it asked for this information as part of a fraud prevention process to identify people frequently returning merchandise. It retained the driver’s license numbers – an extremely valuable piece of information for identity thieves – indefinitely.

In response to these concerns, TJX proposed a new process to address fraudulent returns. Store staff will continue to ask for identification, however, information such as a driver’s license number will instantly be converted into a unique identifying number when it is keyed into the point-of-sale system. This will allow the company to track unreceipted merchandise returns without keeping original driver’s license numbers in its system.

The Commissioners called on TJX to take a number of steps to improve its security measures and privacy practices and are pleased the company has agreed to follow these recommendations.

Commissioner Stoddart says the Winners/HomeSense breach illustrates the need to get security right in the first place to avoid the potentially huge costs of mopping up after a security breach. “Organizations need to ensure they have multiple layers of security and that they keep up with advances in security technologies. The cost of failing to do this can be enormous – not only to a company, but to its customers,” she says, adding that a data breach can also have a major impact on credit card companies, banks, law enforcement agencies and regulatory bodies.

A summary of the findings in the case is available on the Commissioners’ websites.

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.

The Information and Privacy Commissioner of Alberta has a mandate to promote a society where personal privacy is respected and public bodies are open and accountable.

Labels: , , , , ,

Tuesday, August 21, 2007

Privacy Commissioner launches e-learning tool for retailers 

This should have been done a few years ago ...

Yesterday, the Privacy Commissioner of Canada launched an online training tool for retailers to understand their obligations under PIPEDA. I haven't taken the course yet, but anything like this should be a good thing.

News Release: Privacy Commissioner launches e-learning tool for retailers (August 20, 2007) - Privacy Commissioner of Canada

Ottawa, August 20, 2007 – Retailers now have a free, do-it-yourself interactive tool to help them bring their privacy practices and policies in line with the law, the Privacy Commissioner of Canada, Jennifer Stoddart, announced today.

“Small businesses often don’t have the money to hire privacy specialists or lawyers to help them figure out how to comply with Canada’s privacy legislation,” says Commissioner Stoddart. “Nor is it always necessary. Good privacy compliance doesn’t have to be expensive or time-consuming”.

The new e-learning tool created by the Office of the Privacy Commissioner of Canada (OPC) provides retailers with the information they need to set up their business to meet their obligations under Canada’s privacy laws and provide customers with the privacy protection they’re guaranteed under the Personal Information Protection and Electronic Documents Act (PIPEDA).

“Protecting customers’ information is an increasingly important part of running a business today and the online training is a valuable tool to help our members build solid privacy practices into their operations,” says Catherine Swift, President and CEO of the Canadian Federation of Independent Business (CFIB).

Derek Nighbor, Vice-President, National Affairs with the Retail Council of Canada (RCC) agrees. “With the proliferation of identity thieves and online fraudsters, members of the RCC who do not always have the time or the resources to learn about PIPEDA requirements will be pleased with the user-friendliness of this e-learning tool. Ultimately, their customers will find this a rewarding tool in the protection of their personal information” says Mr. Nighbor.

The OPC, in a joint initiative with the RCC, recently mailed privacy information kits to some 3,000 retailers in provinces where businesses are governed by PIPEDA. The kit includes a guide entitled Your Privacy Responsibilities: A Guide for Businesses and Organizations. (The kits will not go out to Retail Council members in the three provinces which have adopted their own private-sector privacy laws, B.C., Alberta and Quebec.)

“Some small businesses have been very proactive in developing good privacy practices, while many others still have a ways to go,” Ms. Stoddart says.

“Protecting customers’ personal information is the law, and it’s also good for a company’s reputation and bottom line,” the Commissioner adds, noting that research has shown it costs far less to adequately protect personal information in the first place than to clean up after a data breach.

The online retailer training session takes only about 30 minutes to complete. At the end, retailers will have: an information audit of their business; consent provisions required specifically for their business; a security plan; a sample privacy brochure for customers; and a training needs assessment. The interactive training is available online at

New information for other types of small businesses is also available on the OPC’s web site.

Companies – large and small – in all but three provinces are subject to PIPEDA. The law imposes obligations on how those businesses must handle personal information such as names and addresses.The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of the privacy and protection of personal information rights of Canadians.

Labels: , ,

Monday, May 07, 2007

WSJ sheds light on TJX breach methods 

David Canton has just posted a link to a very interesting and insightful article on the TJX/Winners breach, which sheds light on how the scammers were able to penetrate the TJX system to take approximately TWO HUNDRED MILLION credit card numbers.

How Credit-Card Data Went Out Wireless Door -

... When wireless data networks exploded in popularity starting around 2000, the data was largely shielded by a flawed encoding system called Wired Equivalent Privacy, or WEP, that was quickly pierced. The danger became evident as soon as 2001, when security experts issued warnings that they were able to crack the encryption systems of several major retailers.

By 2003, the wireless industry was offering a more secure system called Wi-Fi Protected Access or WPA, with more complex encryption. Many merchants beefed up their security, but others including TJX were slower to make the change. An auditor later found the company also failed to install firewalls and data encryption on many of its computers using the wireless network, and didn't properly install another layer of security software it had bought. The company declined to comment on its security measures.

The hackers in Minnesota took advantage starting in July 2005. Though their identities aren't known, their operation has the hallmarks of gangs made up of Romanian hackers and members of Russian organized crime groups that also are suspected in at least two other U.S. cases over the past two years, security experts say. Investigators say these gangs are known for scoping out the least secure targets and being methodical in their intrusions, in contrast with hacker groups known in the trade as "Bonnie and Clydes" who often enter and exit quickly and clumsily, sometimes strewing clues behind them.

The TJX hackers did leave some electronic footprints that show most of their break-ins were done during peak sales periods to capture lots of data, according to investigators. They first tapped into data transmitted by hand-held equipment that stores use to communicate price markdowns and to manage inventory. "It was as easy as breaking into a house through a side window that was wide open," according to one person familiar with TJX's internal probe. The devices communicate with computers in store cash registers as well as routers that transmit certain housekeeping data.

After they used that data to crack the encryption code the hackers digitally eavesdropped on employees logging into TJX's central database in Framingham and stole one or more user names and passwords, investigators believe. With that information, they set up their own accounts in the TJX system and collected transaction data including credit-card numbers into about 100 large files for their own access. They were able to go into the TJX system remotely from any computer on the Internet, probers say....

Labels: , , , ,

Wednesday, May 02, 2007

Alberta order on consent and withdrawal thereof 

A new and interesting Order from Alberta:
Order P2007-003

Two Complainants brought complaints under the Personal Information Protection Act with respect to the collection, use and disclosure of their personal information by International Stereo Ltd., (now operating as Urban Audio Video Inc.) (the “Retailer”). The information had been collected by the Retailer and then conveyed to Wells Fargo Financial Corporation of Canada, so as to permit the latter organization to conduct credit checks for determining whether it would grant credit for buying the Retailer’s merchandise. Although the Complainants signed applications containing clauses consenting to use of personal information for credit checks, they said they had been assured their personal information would not be used in this way. They also said they had been led to believe the cards for which they applied would allow them to get 10% discounts on purchases. As well, one of them complained that his request to withdraw his application had been refused.

The Adjudicator found that the Retailer collected, used and disclosed the Complainants’ personal information in violation of section 7 of the Act (collection, use and disclosure without consent), that it failed to provide adequate notification of the purpose for collection in contravention of section 13, and that it failed to cease collecting, using or disclosing the personal information after consent had been withdrawn, in violation of section 9(4).

Labels: , , , ,

Wednesday, February 21, 2007

T.J. Maxx probe finds broader hacking 

This isn't good:

T.J. Maxx probe finds broader hacking | Tech News on ZDNet

The TJX Companies, the discount retailer best known for its T.J. Maxx and Marshalls clothing stores, said Wednesday that its hacking investigation has uncovered more extensive exposure of credit and debit card data than it previously believed.

Information on millions of TJX customers may have been exposed in the long-running attack, which was made public last month. It affects customers of any of TJX store in the U.S., Canada or Puerto Rico, with the exception of its Bob's Stores chain.

The breach of credit and debit card data was initially thought to have lasted from May 2006 to January. However, TJX said Wednesday that it now believes those computer systems were first compromised in July 2005.

TJX said credit and debit card data from January 2003 through June 2004 was compromised. The company previously said that only 2003 data may have been accessed. According to TJX, however, some of the card information from September 2003 through June 2004 was masked at the time of the transactions.

The company added that names and addresses apparently were not included with the card information, that debit card PIN numbers are not believed to have been vulnerable, and that data from transactions made with debit cards issued by Canadian banks likely were not vulnerable.

TJX also found that there was evidence of intrusion into the system that handles customer transactions for its T.K. Maxx stores in the United Kingdom and Ireland, but that there has been no confirmation that anyone actually accessed that data.

In addition to these exposures, TJX said there were more breaches of driver's license information than it previously thought. These included the license numbers, names and addresses of customers making merchandise returns in the U.S. and Puerto Rico locations of T.J. Maxx, Marshalls and HomeGoods stores. That compromised data, according to TJX, is restricted to returns without receipts that took place in the last four months of 2003, as well as in May 2004 and June 2004.

TJX plans to notify customers whose driver's license data may have been accessed.

The company, which is continuing its investigation, encourages customers to check their credit-card and bank-account records and look for further updates on its website.

Labels: , , ,

Sunday, February 04, 2007

Consumer response and responsibility 

Dissent, at the Chronicles of Dissent (part of Pogowasright) asks whether consumer stupidity plays a role in privacy breaches and the response. Dissent points to an article from my local newspaper, the Chronicle Herald, quoted below.

I can't say that Canadians are more prudent or insistent about their privacy than our cousins below the border, or more stupid. In my experience on the east coast of Canada, most folks around here are much more trusting of the companies they do business with. The cynicism from down south hasn't quite permeated this neck of the woods. One thing we generally are more tolerant of is government regulation, such as that governing privacy.

We have not yet seen any provinces or the federal government come up with mandatory breach notification, with the narrow exception contained in Ontario's health privacy law. In that regard, we are lagging behind most of the states in the US.

Winners reassures Canadians

Security breach did not involve cards issued north of border, says retailer


TORONTO — Assurances from Winners and HomeSense that a security breach reported last month did not involve Canadian debit-card transactions isn’t making much of dent with customers of the two retail chains.

Not much can keep them from their bargain hunting.

The deals to be found at Winners makes the risk of becoming the victim of credit card fraud worthwhile, said Sherry Croney as she slowly sifted through the blouse racks at one of the chain’s cavernous stores in downtown Toronto.

Croney said she never uses her credit card when clothes shopping, and even if she did, a security breach wouldn’t stop her.


"Our computer security experts have now completed their investigation of the portion of our computer network that handles Winners and HomeSense transactions, and they have advised us that they do not believe that debit cards issued by Canadian banks were compromised in the intrusion," said a TJX statement posted on the Winners website.

I note there is only a reference to Canadian debit cards.... nothing said about credit cards.

Labels: , , ,

Thursday, February 01, 2007

Data Privacy Bill Expected to Target Retailers, Banks 

According to the Washington Post, the new chairman of the House Financial Services Committee will be pushing hard for a national privacy/data breach law:

Data Privacy Bill Expected to Target Retailers, Banks -

Data Privacy Bill Expected to Target Retailers, Banks

By Brian Krebs Staff Writer

Friday, February 2, 2007; Page D03

Data privacy is likely to be among the hottest technology issues to face Congress this year, in part due to interest from the new chairman of the House Financial Services Committee.

Panel Chairman Barney Frank (D-Mass.) said he plans to craft a bill that would exempt companies from disclosing data breaches, provided they secure the data with encryption software or other technology that would render it virtually unreadable if it fell into the wrong hands....

Labels: ,

Thursday, January 25, 2007

Winners security breach hits home 

The Globe & Mail is reporting that significant fraud has been linked to the Winners information breach: Winners security breach hits home

Thousands of Canadian credit-card holders have been victimized by fraud after a security meltdown at the U.S. parent company of retail chains Winners and HomeSense, according to sources in the financial community.

They suggested that number could rise as banks and other credit-card issuers continue to gather information on what has become one of the most high-profile privacy thefts in recent memory.

“We have seen fraud on some of those accounts that we can directly link back to [the breach],” said an official with one card issuer, who cautioned his company is still determining how many of its clients could be left vulnerable by the hacking incident. He added that issuers are directly contacting any customers whose cards appear to have been used fraudulently.

Labels: , ,

Thursday, January 18, 2007

Incidents: Rash of info breaches with Canadian connections 

This has been a crazy week for privacy breaches in Canada and the week isn't over yet. I can't recall the last time I had so many media inquiries.

In addition to those below, I've been asked about two other incidents that will likely break in the next few days. (Since I heard about them from journalists, it would be rude to scoop them on the blog.)

Today we've heard of a significant announcement made by Talvest Mutual Funds

Talvest Mutual Funds issues statement regarding missing back up computer file

MONTREAL, Jan. 18 /CNW/ - Talvest Mutual Funds today announced that a backup computer file containing client information has recently gone missing while in transit between its offices.

The backup file contained information relating to the process used to open and administer approximately 470,000 current and former Talvest client accounts and may have included client names, addresses, signatures, date of birth, bank account numbers, beneficiary information and / or Social Insurance Numbers. Talvest has retained original copies of their files on its secure website.

While Talvest has no evidence to suggest this backup file has been inappropriately accessed, the manager of Talvest Mutual Funds, CIBC Asset Management, has taken precautionary measures to protect its clients. These actions include:

  • Notifying all affected clients by letter.
  • Compensating any affected Talvest clients for monetary loss that arises directly from unauthorized access of personal information contained on this file.
  • Providing affected Talvest clients the opportunity to enrol in a credit monitoring service at no cost. This service will provide added security on client credit files at major Credit Reporting agencies.
  • Establishing a dedicated call centre and website to deal with any affected Talvest client inquiries.
  • Advising affected Talvest clients to regularly review activity on all their financial accounts and report any unauthorized activity immediately to their financial institution.
  • Working with the police to investigate this incident and retrieve this backup file.

"We are in the process of contacting affected Talvest clients by letter to advise them of this issue and to detail the steps we are taking to safeguard their information," said Steve Geist, President of CIBC Asset Management. "Although, we have no evidence that the information contained in the backup file has been accessed in any way, we are acting out of an abundance of caution and want to assure our clients that we are taking all steps possible to address this matter. Any issue that causes disruption to our clients is of great concern to us and we regret the inconvenience this may cause our Talvest Mutual Fund Clients."

For more information on this matter, Talvest Mutual Fund clients are advised to visit

And with a report from the CBC:

CIBC loses data on 470,000 Talvest fund customers

CIBC Asset Management says a backup computer file containing information on almost half a million of its Talvest Mutual Funds clients has gone missing.

The company says the missing data was in a file that disappeared "while in transit between our offices." The file had personal and financial details on current and former clients of Talvest Mutual Funds, which is a CIBC subsidiary.

The information may have included client names, addresses, signatures, dates of birth, bank account numbers, beneficiary information and/or Social Insurance Numbers.

Talvest says there's no indication that the missing backup file has been "inappropriately accessed," but says CIBC will be taking a number of precautions.

"We are in the process of contacting affected Talvest clients by letter to advise them of this issue and to detail the steps we are taking to safeguard their information," said Steve Geist, president of CIBC Asset Management.

Computer fraud expert Thomas Keenan from the University of Calgary said there's good reason for the company to alert their customers. "Because what's on there [the missing file] is everything you need to know to do identity theft," he told CBC News.

The privacy commissioner of Canada, Jennifer Stoddart, announced that she is launching an investigation.

"Although I appreciate that the bank notified us of this incident and that it is working co-operatively with my office, I am nevertheless deeply troubled, especially given the magnitude of this breach, which puts at risk the personal information of hundreds of thousands of Canadians," Stoddart said in a statement.

Talvest has set up special phone lines for clients who want more information.

The report follows news of a potential corporate privacy breach that could affect as many as two million Visa credit card holders in Canada.

The owner of Winners and HomeSense stores warned Thursday that hackers gained access to its computer system and credit card numbers may have been improperly accessed.

Also, a breach involving TJX, the parent of TJ Maxx, Winners and Homesense, may have exposed the personal information of Canadian customers of that store: Computer breach exposes TJX shoppers to fraud


Parent of Winners, HomeSense targeted


Tens of millions of credit card customers in Canada and the United States may have been exposed to fraud during a computer security breach at discount retailer TJX Cos., the U.S. parent of Winners and HomeSense.

TJX, which also owns T. J. Maxx and Marshalls, said yesterday it discovered the "unauthorized intrusion" in mid-December and has been working with police and security experts on both sides of the border to investigate the incident and tighten security procedures.

The retailer declined to say exactly how many customers are affected. But sources close to Visa said the company notified banks and other issuers last week that approximately 20 million of its cards around the world may have been involved. Some in the financial industry estimate the number in Canada could be as high as two million. It's not clear how many customers of other credit card companies have been left vulnerable.

The problem was tied to the computer systems that process and store information about customer transactions involving credit cards, debit cards, cheques and merchandise returns -- some of them going back to 2003. The Royal Canadian Mounted Police and the U.S. Secret Service have been called in to investigate.

"While TJX has specifically identified some customer information that has been stolen from its systems, the full extent of the theft and affected customers is not yet known," the Framingham, Mass-based retailer said in a statement.


"I was stunned," said retail analyst John Chamberlain at Canadian Bond Rating Service. "That's not what you expect from a big retailer. You really expect that they would have stronger systems than that. You get to the point that you trust a retailer to keep that information."

Customers consider the shopping at TJX stores as a "treasure hunt," never quite sure what they'll find, he said. As a result, customers probably use plastic there more often because they don't always know how much they'll spend, he said.

Company officials didn't return calls. Their statement said the retailer kept the matter secret until yesterday at the request of law enforcement. The company said it promptly notified credit card companies and firms that process customer transactions.

An intruder grabbed information dealing with credit and debit cards sales in TJX stores during 2003 and part of 2006, according to the company. However, a source said that the debit transactions were confined to the U.S. market. TJX has been able to identify "a limited number" of credit card and debit card holders whose information was taken.

Canadian banks are scrambling to assess the potential damage. Tania Freedman, a Visa spokeswoman, said the company is forwarding information to banks. "These accounts were potentially exposed, [but] not all accounts that are exposed will experience fraud," she said, adding that customers are protected by the card's zero-liability policy.


In Canada, TJX runs 184 Winners and 68 HomeSense stores.

Expect much more info to come.....

Update (20070118): The Privacy Commissioner of Canada has inititated a complaint on her own accord related to the Talvest breach: Privacy Commissioner launches investigation of CIBC breach of Talvest customers' personal information.

Labels: , , , , ,

Saturday, May 20, 2006

Printing card data not smart 

David Canton's regular IT column in the London Free Press is about the practice of printing full debit and credit card numbers on receipts. (See: London Free Press - David Canton - Printing card data not smart.)

This is a practice that really bugs me. In three days in Toronto last week, every debit and credit card receipt I accumulated had my full number and expiry date printed on it. I was in Toronto for a Canadian Institute conference on Privacy Compliance, which I co-chaired. The topic of receipts came up in discussions with the Assistant Privacy Commissioner of Canada, the Alberta Commissioner and the British Columbia Commissioner. The Alberta Commissioner, Frank Work, discussed the incident that David mentions in his column and one of the more interesting things he discovered in his investigation: there's a black market for these receipts and they are $25.00 each.

The assistant federal commissioner, Heather Black, mentioned that the Commissioner's office had canvassed most of the POS suppliers in Canada, who assured them that they are rolling out upgraded machines as fast as they can. Not fast enough, in my personal opinion.

For those retailers whose receipts are generated through a full POS system, I expect it's just a software patch that would do the job. The dedicated card terminals may need something more.

But even if it is a "hardware problem", why not give cashiers a jiffy marker to black out the digits? There's no reason to have them on the receipt since it is all settled electronically and the transaction code is enough to reconcile the day's accounts. As for me (at least in restaurants, where I'm asked to sign the slip and have the time to linger), I black out my card number myself.

Labels: , , ,

Monday, May 01, 2006

Survey on Canadian privacy law compliance released by CIPPIC 

The Canadian Internet Policy and Public Interest clinic has today released a pair of reports that paint an unflattering portrait of the state of compliance with privacy laws in Canada. The first is a survey of Canadian retailers to determine whether the companies reviewed are complying with PIPEDA and its equivalents. The second is a survey of the data brokering indstry in Canada. Here's the blurb and links from the CIPPIC website:


CIPPIC study shows widespread violation of privacy laws

May 1, 2006

In a report released today, the CIPPIC provides the results of the first Canadian survey assessing the compliance of retailers with Canadian data protection laws. The results show widespread non-compliance with federal laws requiring openness, accountability, consent, and individual access to personal data. In a companion report also released today, CIPPIC exposes the many ways that detailed personal information about consumers is gathered and traded in the marketplace.

  • News Release (French version)
  • Report on Retailer Compliance with PIPEDA
  • Compliance Report - Executive Summary (French version)
  • Compliance Report - Appendices
  • Report on Databrokerage Industry
  • Databroker Report - Executive Summary (French version)
  • Update (20060512): The Ottawa Citizen is reporting on this in today's edition: Online sellers flout privacy rules.

    Labels: , ,

    Saturday, April 29, 2006

    Is that an RFID in your 501s, or .... 

    Levi's is apparently rolling out a test of using radio frequency ID tags (RIFDs) to track inventory in a select number of retail outlets. The RFIDs, which contain an individual serial number are on a dangling tag marked "Please discard this tag if it is not removed at the point of purchase." Not surprisingly, some see conspiracy afoot and are concerned about the privacy aspects of wider adoption of RFIDs on consumer goods. See: Advertising Age - Privacy Group Slams Levi's for Radio ID Tags.

    Labels: , , ,

    Sunday, March 19, 2006

    Debit card breach traced to POS systems 

    More information about the problems that may underly the recent and significant payment card breach is starting to come in. ZDNet is reporting that Visa has sent a bulletin retailers, warning that a certain brand of point-of-sale equipment may retain personal information, including PINs.

    Visa warns software may store customer data Tech News on ZDNet

    A popular software that retailers use to control debit-card transactions may inadvertently store sensitive customer information, including PIN codes, says Visa.

    Two versions of cash-register software made by Fujitsu Transaction Solutions are under scrutiny, according to a warning Visa issued to the companies that process card transactions for some of the nation's largest retailers. A Visa representative confirmed that the warning was sent.

    Some of Fujitsu's retail customers include Best Buy, Staples and OfficeMax, but it is not known which companies use the software Visa claims is flawed.

    Visa's warning, which was first reported by The Wall Street Journal on Friday, has raised eyebrows in the financial and retail sectors. The software was flagged at a time when thousands of debit-card holders across the country have reported unauthorized withdrawals from their accounts.

    Thanks to Slasdot for the pointer.

    Technorati tags: :: :: :: .

    Labels: , ,

    Tuesday, January 17, 2006

    Privacy and loyalty programs: What information consumers don't want to share 

    A recent survey by the NRF Foundation polled US consumers to see how much personal information consumers are willing to give up in exchange for benefits as part of loyalty programs. The results are interesting, since they show what information is considered most personal by consumers:

    ...While consumers do want to pledge their loyalty, retailers are going to have a tough time figuring out just how to build their allegiance. That's because consumers state they are only willing to share a small portion of the much needed personal information that retailers need to develop traditional loyalty programs. According to the study, the most acceptable information shoppers were willing to give retailers include their name (89.8%), e-mail address (78.1%), street address (60.7%), and past transactions (46.8%). Consumers were least likely to allow retailers to track weight (14.4%), income (12.5%), job title (12.1%), employer (10.9%) and net worth (8.2%).

    The more intrusive a company wants to get, the greater value they have to provide. This also suggests that a company that wants a widely-adopted program will have to limit the information collected and provide assurances about how it will be protected and used.

    Via CRM Today.

    Technorati tags: :: :: ::

    Labels: , , ,

    Monday, January 09, 2006

    Behind the curtain: Why retailers ask for your personal information and what they do with it 

    The Saginaw News ran an interesting feature-length article in its Sunday edition about privacy in the retail system. It touches on loyalty programs, RFID, advertising and security of personal information. And it is balanced, with good comments from both business and privacy activists. Check it out: A peek into your privacy: Retailers increasingly ask for personal information.

    [Personal Information] :: [Privacy] :: [Retail]

    Labels: , , , ,

    Thursday, January 05, 2006

    Most online retailers aren't there yet on new payment card security standards 

    In a recent survey of online retailers, only three percent have reported to passed the assessment and external scan needed to comply with the Payment Card Industry Data Security Standard, which became mandatory on June 1, 2005. A quarter of the vendors haven't even started yet while the majority are in the process.

    Sounds a lot like the state of PIPEDA compliance in 2004.

    See: - Daily News for Tuesday, January 3, 2006.

    Labels: , ,

    Thursday, December 15, 2005

    'Tis the season for returns 

    Chris Hoofnagle at EPIC West is today discussing the use of drivers' license swiping and returns tracking database Verify-1. The database tracks your returns and categorizes customers based on whether they "abuse" returns. He raises an interesting point about the database and how it may fit in American consumer reporting laws:

    EPIC West: Electronic Privacy Information Center West Coast Office: Return Exchange Database Tracking:

    ... The Return Exchange database skates right on the edge of the Fair Credit Reporting Act's definition for a consumer reporting database. If Return Exchange is sharing data on consumers across retailers (not just across chains within a certain retailer), the data it issues will be a 'consumer report,' and all sorts of rights will kick in to protect shoppers. Until then, a big black box system will have your driver's license data and make decisions about you with no transparency. ...

    The same conclusion may apply with respect to similar provincial laws in Canada.

    Labels: ,

    Saturday, October 15, 2005

    Online retail alliance set up to lobby on privacy, taxes and other online issues 

    Major online retailers, including eBay and Amazon, have joined forces to create an industry alliance to lobby congress and other legislators on issues such as privacy, internet access, taxation of online purchases and others. The publicity associated with the launch does not suggest the position they are likely to take on privacy, so stay tuned as the group will have its first meeting in the near future. See: TechWeb | E-Business | Major Online Retailers Form Lobbying Group.

    Labels: ,

    Sunday, October 09, 2005

    Air Miles should be about data mining, not mass appeal 

    The President of the Air Miles program in Canada recently spoke in Vancouver, suggesting that retailers are missing out on the true benefit of his loyalty program. It's not being able to say "hey, we give you Air Miles so shop here", but rather to build a more intimate relationship with your customers (via data mining):

    Retailers missing the point of loyalty reward programs, Air Miles head says - Yahoo! News

    VANCOUVER (CP) - Retailers have lost their way and have become too focused on using loyalty reward programs as a currency to attract customers, says the president of Air Miles.

    Bryan Pearson says most retailers are neglecting the wealth of shopper data that is collected by the programs that could be used to better market to their customers, which was one of the purposes the program was created in the first place.

    "Points are really viewed as discounts or an alternative way to get something extra and that's not a bad thing, but I'm not sure it's sustainable in the long run," Pearson said in an interview Thursday.

    Labels: , , ,

    Monday, September 05, 2005

    Privacy compliant merchandise return policies 

    David Canton's weekly column in the London Free Press is devoted to implementing privacy-respectful merchandise return policies, following a recent decision from the Alberta Information and Privacy Commissioner that faulted two retailers. See: Return policies changed.

    Labels: , ,

    Sunday, June 05, 2005

    Consumers don't know they are being tracked 

    The San Francisco Chronicle has published some findings from a study done by the University of Pennsylvania about consumer attitudes and understanding of, among other things, online privacy.

    Surprisingly, consumers think the mere presence of a privacy policy is a promise not to share information. Au contraire.

    You are being tracked:

    "Joseph Turow, a University of Pennsylvania professor who co-authored the study with a pair of grad students, told me he was surprised by how little consumers understand the ways digital technology has altered the retail business.

    'The 20th century was about the democratization of prices,' he said. 'We got used to the idea that you could see how much things cost and learn about the product. The digital age changes this.

    'Increasingly, what's happening is that people are being tracked and prices are being individualized based on people's behavior and background.'

    One of the scarier findings of his study, Turow said, is that three- quarters of all people believe that when a Web site has a privacy policy -- and virtually all do -- it means the site won't share your personal info with others.

    In fact, just the opposite is true. Most privacy policies explain in dense, difficult-to-read language that people's data will be shared unless you go to the trouble of opting out from the practice...."

    Labels: ,

    Monday, May 09, 2005

    Incident: Store's Floor Model Computer Loaded With Woman's Personal Info 

    The Denver Channel is reporting that a Colorado woman is suing a large electronics retailer for selling a floor model computer onto which staff had copied loads of her personal information: - News - Store's Floor Model Computer Loaded With Woman's Personal Info. The retailer is arguing that it owes the woman no duty of care.

    This reminded me of a complaint made to the Canadian Privacy Commissioner about a defective computer that was returned, refurbished and resold, complete with the original purchaser's personal information.

    Labels: ,

    Saturday, April 16, 2005

    Credit card debacle centers on Polo sales software 

    CNET's Security Blog says that a representative of Polo Ralph Lauren called CNET to tell them that the recent incident was the result of inappropriate storage of customer information in their point-of-sale software:

    Credit card debacle centers on Polo sales software | | CNET

    "Following Thursday's news that both MasterCard and Visa were informing some customers that a U.S. retailer -- now positively identified as Polo Ralph Lauren -- had experienced a security mishap that may have compromised card holders' data, the issue has been confirmed as a technology-related problem. In a statement phoned in to overnight, Polo said that the credit card data in question was inappropriately stored in its point-of-sales software system...."

    Labels: ,

    Wednesday, March 09, 2005

    Incident: Shoe chain says customer data stolen 

    A shoe store chain in the US is reporting that their systems were compromised, resulting in the theft of customer credit card information, according to MSNBC:

    MSNBC - Shoe chain says customer data stolen:

    "COLUMBUS, Ohio - Credit card information from customers of more than 100 DSW Shoe Warehouse stores was stolen from a company computer's database over the last three months, a lawyer for the national chain said Tuesday.

    The company discovered the theft of credit card and personal shopping information on Friday and reported it to federal authorities, said Julie Davis, general counsel for the chain's parent, Retail Ventures Inc. The Secret Service is investigating, she said...."

    Labels: , ,

    Thursday, October 14, 2004

    The new era of retail wants to be the old era of retail 

    Yahoo News is carrying a story on the use of wireless technology in the retail environment, Yahoo! News - 7-Eleven Adopting Wireless Technology. The focus is on 7-11 and slurpee inventory management, but there is a very interesting quote in the middle of the article:

    "'Retailers are trying to get back to where they were in 1905,' said Cathy Hotka, a retail consultant in Arlington, Va. 'Back then they knew you, knew your credit, knew what you wanted to buy and how to stock it.' "

    It is an interesting observation and I have little doubt that it is true. But today, I am not sure that this 1905 paradigm is what the shopper is looking for. Back then the relationship went both ways. Your local general store knew about your business, but the consumer knew the owner of the general store and most of its activities were out in the open. He wouldn't dare do anything nefarious with the customer's information because the customer would simply walk. It's a matter of trust. I think some retailers can get back to "where they were in 1905", but they have to do it with transparency and earned trust.

    Labels: ,

    This page is powered by Blogger. Isn't yours? Creative Commons License
    The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License. lawyer blogs