The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Friday, February 27, 2004
Wired News is reporting on what is being billed as a critical case that will be heard by the United States Supreme Court next month. In Hiibel v. Nevada, the appellant is fighting the right of police to demand indentification without enough cause to make an arrest:
Wired News: Fighting for Right Not to Show ID
02:00 AM Feb. 27, 2004 PT
Dudley Hiibel, a Nevada rancher who covets his privacy, didn't want to hand over his identification to a police officer in 2000. His refusal landed him in jail and his name on the U.S. Supreme Court's docket. "
The Electronic Privacy Information Center has a good information page on the case and has filed an amicus brief with the Court. Mr. Hiibel also has a page of his own for those who want to check out out: http://www.papersplease.org.
Labels: information breaches
Yahoo news is reporting a significan incident out of Japan:
Yahoo! News - Softbank Says Data on 4.52 Million Subscribers Leaked Fri Feb 27, 6:31 AM ET
TOKYO (Reuters) - Softbank Corp., Japan's largest provider of broadband Web access, on Friday said 4.52 million names, or 67 percent of its Yahoo BB Internet service database had been leaked due to two alleged extortion rings.
The company said it expected to spend four billion yen to compensate all of its 3.8 million Yahoo BB subscribers as well as other affected people. It also reiterated its recently announced goal of signing up six million subscribers by September 2005.
The database included 2.4 million current customer names as well as those who left the service, those who are still in the process of signing up, and those who are still in its free trial period.
Japanese media described it as the largest-ever leak of customer data.
"We are sincerely sorry," Softbank Chief Executive Masayoshi Son told a news conference as he bowed his head. "We will take the utmost care to make sure this never happens again."
Tokyo metropolitan police said earlier this week they had arrested four men in two separate cases on suspicion of stealing confidential customer data and trying to extort money from Softbank by threatening to leak it.
....
Son said the breach of security came from Softbank BB, the subsidiary that manages the business and of which he is also CEO.
He said names, phone numbers, postal addresses, email addresses and Yahoo Japan IDs were leaked, but credit card, bank account and password details were not involved as they were held on a different database.
In response, he said the company has severely restricted the number of employees that can access the database and improved its logging system to record access history. Son also said the company has retained a security firm to help prevent hacking from the outside.
Softbank said it believes the information was obtained from the inside, but it does not yet know specifically how the information was obtained. It is issuing 500 yen cash certificates to all Yahoo BB users, as well as other affected people, as an apology. ...
Labels: information breaches
Wednesday, February 25, 2004
Some folks in BC are more than a little mad about the provincial public insurer selling personal information to parking lot operators:
The Province - Your privacy rights get little protection from folks in Victoria
Jon Ferry
The Province - Wednesday, February 25, 2004
This Sunday is not simply a day that comes along once every four years. It is, I'm told, the 100th anniversary of the first vehicle registration in B.C.
Despite repeated attempts, however, I've been unable to get hold of B.C.'s $175,000-a-year privacy commissioner, David Loukidelis, to ask him why his office lets ICBC sell your licence- plate information -- at $5 or $6 a pop -- to Impark and 13 other parking-lot operators.
I also wanted to ask him whether he approves of this practice -- which many of you clearly don't. "I just finished reading your article on ICBC's selling of our personal data to private parking lot firms," writes Levan Turner of Victoria. "And I must say I am HORRIFIED!!!!"
But Mary Carlson, a director in Loukidelis's office in Victoria, told me her boss was in Santiago, Chile, on a U.S.-government-sponsored trip. And, while I was sad not to reach Loukidelis, I was glad to find we don't have a budding Radwanski here -- and that it's the freedom-of-information-loving U.S. taxpayers who'll be footing his travel bill.
Carlson, meanwhile, defends ICBC's legal right to sell your plate information. She argues that, under B.C.'s privacy laws, "public bodies can use or disclose information for the same reason it was collected in the first place." She notes that at least part of the info ICBC collects from you is needed for managing the highway system -- and that, under B.C. motor vehicle law, parking lots are part of that system. So, for that matter, is "every private place or passageway to which the public, for the purpose of the parking or servicing of vehicles, has access or is invited." In other words, it includes everything from your local muffler shop to the back yard parking lots beside the PNE.
Now, I think a good lawyer, paid handsomely, could drive a truck through Carlson's argument. I mean, the reason parking lot operators need your plate info is NOT to manage our highways. It's to make more money for themselves -- and make up for deficiencies in the management of their lots.
And you have to question the morality of a government monopoly like ICBC selling the info it requires from you, to assist in doubtful private debt collection. I don't buy ICBC's argument that it's required to so by law. Unfortunately, Nick Geer, ICBC's $300,000-a-year CEO, was unavailable for comment yesterday.
B.C.'s milquetoast privacy-protection system needs a shakeup. And I'd be happy to get Uncle Sam to fly me to the land of South America's finest wines to speed the process.
In the meantime, have a happy 100th vehicle- registration anniversary. And don't forget to contact your MLA to get him or her to stand up for your privacy rights. As things stand, there's obviously little protection for them in Victoria.
Letters: provletters@png.canwest.com. Voice mail: 604-605-2603 E-mail: jferry@png.canwest.com.
© The Vancouver Province 2004
Labels: british columbia, information breaches
Tuesday, February 24, 2004
The Australian legislation, similar to PIPEDA, does not appear to apply to the employer-employee relationship (NOTE: PIPEDA does apply to employee information for employees of federal works, undertakings and businesses. But employers are not federally regulated, so it does not apply to most employers.) The Commissioner there recently had a few comments about this exclusion:
Computerworld | Privacy Commission urges employee records review: "Privacy Commission urges employee records review
Sandra Rossi, Computerworld
24/02/2004 13:20:35
Federal Privacy Commissioner Malcolm Crompton has released a discussion paper on information privacy and employee records that will have widespread implications for the IT department.
Crompton said the paper, jointly prepared by the Attorney General's department and Department of Employment and Workplace Relations, will raise debate about the need to protect employee records, which are not covered by the current Privacy Act.
Since 21 December 2001, he said, the Office has received 2140 phone enquiries (around 3.4 percent of total calls) about the employee records exemption.
"During that time we have had to decline 45 complaints because of the employee records exemption," Crompton said.
"Employee records often contain sensitive information such as sick leave and wage records and it is important that we get the privacy balance right in this area.
"The Office will examine the paper closely and will make a submission on the discussion paper; I strongly encourage everybody with an interest in this area to do the same."
The Government announced in November 2000, before the private sector amendments to the Privacy Act were finally passed by Parliament, that it would review existing Commonwealth, State and Territory Laws to consider the extent of the privacy protection for employee records and whether there was a need for further measures.
At that time the government expressed the view that while employee records are deserving of privacy protection, such protection is more properly a matter for workplace relations legislation.
Submissions close on April 16 and any changes to the legislation will have implications for business processes and how records are maintained by the IT department. - with Staff Writers
Labels: information breaches
Sunday, February 22, 2004
Another good article on RFID, this time by Simson L. Garfinkel writing for the Nation:
The Trouble with RFID | Posted February 3, 2004
by Simson L. Garfinkel
RFID is such a potentially dangerous technology because RFID chips can be embedded into products and clothing and covertly read without our knowledge. A small tag embedded into the heel of a shoe or the inseam of a leather jacket for inventory control could be activated every time the customer entered or left the store where the item was bought; that tag could also be read by any other business or government agency that has installed a compatible reader. Unlike today's antitheft tags, every RFID chip has a unique serial number. This means that stores could track each customer's comings and goings. Those readers could also register the RFID tags that we're already carrying in our car keys and the "prox cards" that some office buildings use instead of keys.
The problem here is that RFID tags can be read through your wallet, handbag, or clothing. It's not hard to build a system that automatically reads the proximity cards, the keychain RFID "immobilizer" chips, or other RFID-enabled devices of every person who enters a store. A store could build a list of every window shopper or person who walks through the front door by reading these tags and then looking up their owners' identities in a centralized database. No such database exists today, but one could easily be built.
Indeed, such warnings might once have been dismissed as mere fear-mongering. But in today's post-9/11 world, in which the US government has already announced its plans to fingerprint and photograph foreign visitors to our country, RFID sounds like a technology that could easily be seized upon by the Homeland Security Department in the so-called "war on terrorism." But such a system wouldn't just track suspected Al Qaeda terrorists: it would necessarily track everybody--at least potentially.
Labels: information breaches, rfid
I've heard on a number of occasions about "card skimming", which is where some crook installs a device in front of an ATM's card slot that "skims" the data off the bank card's magnetic strip. Usually this has to be accompanied by someone watching you enter your PIN, since the card is supposedly useless without a PIN. The University of Texas police have put on an alert that shows a new twist on the scam: a wireless camera is hidden on the machine to catch your PIN. (Thanks to Wi-Fi Networking News for the link.)
Bank ATMs Converted to Steal IDs of Bank Customers
"A team of organized criminals is installing equipment on legitimate bank ATMs in at least 2 regions to steal both the ATM card number and the PIN. The team sits nearby in a car receiving the information transmitted wirelessly over weekends and evenings from equipment they install on the front of the ATM (see photos). If you see an attachment like this, do not use the ATM and report it immediately to the bank using the 800 number or phone on the front of the ATM."
Labels: information breaches
Saturday, February 21, 2004
The practice of swiping drivers' licenses is starting to get more and more attention. (See my blog entries: "Bar scheme could breach privacy rules"; "Ontario considering putting biometric data on drivers' licenses" and "Swiping drivers' licenses - instant marketing lists"). Privacy activitsts are paying very close attention to the practice.
Wired news, bless their hearts, has a story that illustrates how instrusive the practice may be.
Wired News: Great Taste, Less Privacy
By Kim Zetter - 02:00 AM Feb. 06, 2004 PT
A patron walks into a bar and orders a drink. The bartender asks to see some ID. Without asking permission, the barkeep swipes the driver's license through a card reader and the device flashes a green light approving the order.
The bartender is just verifying the card isn't a fake, right? Yes, and perhaps more.
Visitors to an art exhibit at the Pittsburgh Center for the Arts got more than their martinis when they ordered drinks at a bar inside the gallery's entrance. Instead of pretzels and peanuts, they were handed a receipt containing the personal data found on their license, plus all the information that could be gleaned from commercial data-mining services and voter registration databases like Aristotle. Some patrons also got receipts listing their phone number, income range, marital status, housing value and profession. For added effect, the receipt included a little map showing the location of their residence. "
Labels: information breaches
Wired News has an interesting article (Wired News: Outsourcing: Danger to Privacy) about the potential risks to personal information caused by offshore outsourcing. This is obviously an American article, but the issues are important here in Canada, as well.
4.1.3 - An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.
This should mean that the oursourcer remains responsible for everything that happens to the data, including the obligation to safeguard the data. This responsibility can't be handed off.]
This is from the Wired article: "Outsourcing: Danger to Privacy"
Last year a medical transcriber in Pakistan threatened to post patients' medical records online unless the University of California at San Francisco Medical Center settled a financial dispute. Lubna Baloch, the transcriber, claimed she hadn't been paid the 3 cents a line reportedly promised by a Texas man, who, in turn, had subcontracted the work from a Florida woman. The Florida woman herself had subcontracted the work from Transcription Stat, a firm in Sausalito, California, that was paid 18 cents a line by the medical center for the work. The owner of Transcription Stat said she couldn't respond to questions due to a pending lawsuit in the case.
A hospital spokeswoman said the medical center didn't know or approve of more than one level of subcontracting and was not aware that work was being sent outside the country.
Although the Health Insurance Portability and Accountability Act of 1996 requires medical transcribers in the United States to uphold privacy practices mandated in the bill, the federal law has no reach overseas.
Of course, overseas workers aren't more likely to compromise or misuse sensitive information than workers in the United States. For example, recently, U.S. publications published false rumors that actress Nicole Kidman might be suffering from breast cancer after someone leaked information about her breast exam to reporters.
In addition to sensitive medical data, information shipped to foreign workers can include bank account numbers, Social Security numbers, stock holdings and credit card numbers -- all valuable information to identity thieves.
I guess this was a hot topic at the Privacy and Security Summit in Washington, D.C., because Computerworld has a related article on its website:
Story by Jaikumar Vijayan
FEBRUARY 20, 2004 ( COMPUTERWORLD ) - WASHINGTON -- Outsourcing jobs to offshore destinations can sharply increase data privacy risks and the complexity of managing that risk, several experts at the Fourth Annual Privacy and Data Security Summit here warned this week.
As a result, companies need to ensure that overseas vendors are contractually tied to specific conditions regarding how data is transmitted, accessed, used, stored and shared, they said. Those challenges include regulatory compliance, data protection and access issues, as well as monitoring and auditing issues.
"The risks are enormous to business strategy," said Richard Purcell, founder of Nordland, Wash.-based consultancy Corporate Privacy Group and former chief privacy officer at Microsoft Corp.
I'll also throw in, as an aside, that the Canadian Office of the Privacy Commissioner has taken the position that Canadian privacy law will apply to any personal information "outsourced" to Canada. This includes the processing of American data by an American company if any of it is carried out in Canada. Processing includes the operation of an inbound call centre to provide customer support.
As nearshore outsourcing to Canada is increasing, this raises very important considerations for American companies. Luckily, in the course of advising many US companies that have customer service functions being peformed from Canada, compliance is not as big of a challenge as one might have initially thought. (Complying with PIPEDA also has advantages, because PIPEDA is up to the European Union's standards. Thus, Canada is a good location for outsourcing the processing of both North American and European data.)
Labels: health information, information breaches
Thursday, February 19, 2004
For litigators and the insurance industry, one of the most vexing questions that arises about PIPEDA relates to video surveillance. These questions are not about video surveillance of the workplace or video surveillance of retail spaces -- all of which are easy to answer -- but are about the kind of video surveillance carried out by private investigators every day of every week. Every time I talk about PIPEDA to a group of lawyers (litigators in particular) or insurance folks, I get panicked questions about whether the law diminishes their ability to send out private investigators to snoop on claimants or plaintiffs.
Investigators are routinely used to check out whether a plaintiff or policy claimant is malingering. Often, the suspicions of the claims examiner or the lawyer are borne out by evidence that the actual disability is significantly lower than that claimed. (My personal favourite was a video of person who was claiming near-total disability but was caught carrying a canoe over an 800m portage in a national park.) There can be little doubt that being followed through the woods by a PI or surveilled from a van with tinted windows is invasive of privacy. So what is the impact of PIPEDA on this practice? Are PIs out of business?
Part of the impact of PIPEDA will be determined by whether you are dealing with first-party or third-party insurance. First-party insurers, such as under a disability policy, have a contractual relationship with the claimant, coupled with reciprocal duties of honest and good faith. Third-party insurers seldom have any pre-existing relationship with the claimant. The differing impact is a consequence of the supremely important "consent principle".
Among the fundamental tenets of PIPEDA is consent. This is taken from Principle 3 of the CSA Model Code, which is Schedule I to PIPEDA:
4.3 Principle 3 -- Consent
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
It is clear that video taping someone is a "collection ... of personal information" for which knowledge and consent are ordinarily required. When an adjuster suspects that a claimant is malingering or is exaggerating, that is not the time to try to get consent. First-party insurers, unlike others, have the advantage of being able to seek consent to investigations well in advance, when the policy is being underwritten. Prudent insurers will, for the avoidance of doubt, place language in their policies and claim forms that provide consent for all collection, use and disclosure of personal information that is reasonably necessary to investigate and verify all claims advanced under the policy. Policy language and claim forms need to be very carefully drafted with assistance of legal counsel experienced with privacy issues in order to cover all anticipated circumstances.
Consent under PIPEDA may take many forms. The commentary to the consent principle contains the following:
4.3.4
The form of the consent sought by the organization may vary, depending upon the circumstances and the type of information. In determining the form of consent to use, organizations shall take into account the sensitivity of the information. Although some information (for example, medical records and income records) is almost always considered to be sensitive, any information can be sensitive, depending on the context. For example, the names and addresses of subscribers to a newsmagazine would generally not be considered sensitive information. However, the names and addresses of subscribers to some special-interest magazines might be considered sensitive.
4.3.5
In obtaining consent, the reasonable expectations of the individual are also relevant. For example, an individual buying a subscription to a magazine should reasonably expect that the organization, in addition to using the individual's name and address for mailing and billing purposes, would also contact the person to solicit the renewal of the subscription. In this case, the organization can assume that the individual's request constitutes consent for specific purposes. On the other hand, an individual would not reasonably expect that personal information given to a health-care professional would be given to a company selling health-care products, unless consent were obtained. Consent shall not be obtained through deception.
4.3.6
The way in which an organization seeks consent may vary, depending on the circumstances and the type of information collected. An organization should generally seek express consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive. Consent can also be given by an authorized representative (such as a legal guardian or a person having power of attorney).
Some insurers take the position that, even in the third-party context, they have implied consent to carry out video surveillance on claimants. While nobody has said "I give you consent to covertly videotape my activities", the basis for this position is that by advancing a claim, the individual is consenting to the investigation and verification of the claim. Nobody can reasonably expect that an insurer will write a cheque without investigating the entirety of the claim. The "reasonable expectations" of the parties accord with this position.
If this becomes the norm, I would anticipate that counsel for claimants will send letters to insurers saying that they withdraw any implied consent and explicitly do not consent to the collection of personal information via video surveillance. (I have already seen correspondence from counsel for a plaintiff saying that an independent medical examination to verify injuries is an unreasonable collection of personal information that is prohibited by PIPEDA and for which the plaintiff refuses to consent. This is notwithstanding the explicit agreement to an IME which is contained in the policy.) In discussions with the Office of the Privacy Commissioner, it would appear that this position, if adopted by plaintiffs, would not garner much sympathy from them. PIPEDA was not designed to give compensation to individuals who are not entitled to it and insurers should be entitled to refuse to pay any claims that they are not able to thoroughly investigate. Insurers will need to be very careful when dealing with a situation like this, paticularly for their own insured where a duty of utmost good faith exists.
Among those who do not have explicit consent, some take comfort from the "except where inappropriate" part of principle 3, but this vague expression has been replaced by the laundry list of consent exceptions contained in Section 7 of the Act. (A word of warning: Section 7 is a nightmare to follow.) From Subsection 7(1), an organization is able to collect personal information without knowledge or consent in the following circumstances:
7. (1) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may collect personal information without the knowledge or consent of the individual only if
(a) the collection is clearly in the interests of the individual and consent cannot be obtained in a timely way;
(b) it is reasonable to expect that the collection with the knowledge or consent of the individual would compromise the availability or the accuracy of the information and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province;
(c) the collection is solely for journalistic, artistic or literary purposes; or
(d) the information is publicly available and is specified by the regulations.
Usually, in the context of video surveillance, paragraph 7(1)(b) is seen as the most applicable. But it may not be applicable in all cases where video surveillance is commonly used. That paragraph of PIPEDA requires all of the following to be present, which is not always the case:
Cases of suspected fraud would arguably be "for purposes related to investigating ... a contravention of the laws of Canada or a province", but the collection would still need to be reasonable and it would be reasonable to suspect that getting consent would compromise the information. A recent decision from the labour arbitration context has applied this principle in relation to video surveillance. In Ross v. Rosedale Transport Ltd., [2003] C.L.A.D. No. 237, 2003 CarswellNat 3620 (Ont. Arb.), the employee in question was fired from his employment for misrepresenting his injuries to his employer. In February, the employee sustained a low-back injury when moving a pallet from a truck. He was off work and was then put on reduced duties to accommodate his back injury. After some months of reduced duties, during when the employee's physician opined he may be permanently disabled, the employee went on vacation. On the day before commencing his leave, the employee told his supervisor that he would be moving with his family. The employer hired an investigator who conducted video surveillance of the employee while he carried furniture. The employee was fired for fraud.
The arbitrator, surprisingly, found that the video evidence was not admissible because its collection violated section 7(1)(b) of PIPEDA:
¶ In the instant case, there was absolutely no evidence that Ross had ever been anything other than an honest employee. He had no disciplinary record. He had never submitted a false or fraudulent claim for insurance or other benefits. There were a number of other means that were available to the employer to test the true extent of Ross' restrictions and the bona fides of his recovery as of April 6, 2002. As late as March 21, 2002, Rosedale had in its possession, a statement from Ross' physician that he was only fit for clerical duties and that a prognosis for full recovery was questionable. If the employer really thought that Ross was malingering or pretending that he was not yet fully able to resume the duties of a driver/associate, it was open for Rosedale to ask for an independent medical examination a matter that was conceded by Topping. His failure to do so was left unexplained. This is a case, where an employer, without any evidence that the employee was malingering or had made misrepresentations or spread disinformation as to his physical abilities, orders a surreptitious video surveillance in the hope of trapping the unsuspecting employee during the course of moving furniture at his place of residence at a time and place that he had voluntarily disclosed to his employer. In this respect, the words of Arbitrator M. G. Picher in Canadian Pacific Ltd. and Brotherhood of Maintenance of Way Employees, (supra), are very appropriate:
'as a general rule, (the employer's interests) does not justify resort to random video surveillance in the form of an electronic web, cast like a net, to see what it might catch. Surveillance is an extraordinary step which can only be resorted to where there is, beforehand, reasonable and probable cause to justify it. What constitutes such cause is a matter to be determined on the facts of each case'.
¶ In my opinion, this is exactly what Topping attempted to do, namely, to cast an electronic web to see whether he could catch Ross while moving his family on April 6, 2002. In my view, the collection of this personal information in the form of the video surveillance tape was not reasonable for any purpose related to the investigation of a breach of the employment agreement. Its collection without the knowledge and consent of Ross violated Section 7(1)(b) of the Act. It was for these reasons that I ruled on the first day of the hearings that the videotape was not admissible in evidence.
Notwithstanding that the employer had a basis for suspicion and that the employee had committed fraud with respect to the employment contract, the arbitrator found the dismissal to be unjustified. There was no doubt that this related to an investigation of a breach of an agreement (the employment contract), but it failed because the arbitrator found it to be unreasonable in the circumstances. The lesson of Ross v. Rosedale Transport Ltd. for insurers is that, if they wish to rely on Section 7(1)(b) of PIPEDA, their basis for ordering surveillance must be reasonable. A mere desire to catch the claimant in a lie is probably not enough of a basis to order intrusive surveillance.
It is clear that the advent of PIPEDA will not end the relatively common practice of using private investigators to determine whether a claim is legitimate. But PIPEDA does usher in a new era of sensitivity to individual privacy. Insurers can expect that video surveillance will be challenged, both in court and before the office of the Privacy Commissioner. Since the law came into force in the provincially regulated private sector, plaintiff's counsel are increasingly trying to use PIPEDA to place roadblocks in the way of insurers. In many cases their incantations are baseless, but surveillance may be an area where plaintiff's counsel might prevail. At least during this period of uncertainty, insurers need to tread carefully and take steps to increase the likelihood that their use of surveillance will survive challenges. All claims staff must know the new rules and, when the rules are unclear, should seek specific advice from counsel who are well-versed in both insurance and privacy law.
The author, David T.S. Fraser, is a Canadian privacy lawyer and chair of the privacy law practice group of McInnes Cooper, Atlantic Canada's largest single law partnership. He is regularly called upon to advise on matters related to Canadian privacy law and insurance. David's full contact information is available here.
This publication contains a general discussion of certain legal and related developments and is not intended to provide legal or other professional advice. Readers should not act on the information contained in this publication without seeking specific advice on the particular matter with which they are concerned. If you require legal advice, we would be pleased to discuss the issues in this document with you in the context of your particular circumstances.
Labels: health information, information breaches, surveillance, video surveillance
Saturday, February 14, 2004
Slashdot is usually a good place to check out for news and discussions related to the technology sector, with a geeky/user focus. (It's not called "News for Nerds" for nothing.) Yesterday, the following posting led to a very long and winding discussion about PIPEDA.
Not much of the ensuing discussion is well-informed, but it is illustrative of common perspectives on the law.
Labels: information breaches
By Diane Strandberg
The Tri-City News
Files containing property tax information and receipts for parking tickets and business licences were mistakenly left overnight Thursday in a recycling bin outside Port Coquitlam city hall. But the papers were public documents and were picked up and stored for shredding after they were noticed by city clerk Susan Rauh.
Rauh said the documents were from a year-end office clean up and shouldn't have been dumped. 'They were supposed to be shredded,' said Rauh, who said staff have been made aware of the problem and told to be more careful.
The city doesn't have any formal policy on document disposal but will have when it completes its business plan, which will include information on record management, said Kathleen Vincent, the city's manager of communications and administrative services.
But the city does keep up-to-date with privacy laws, including a new Personal Information Protection Act.
The documents, some dated as recently as last October, show assessed property values and what property taxes, garbage and sewer and water fees are owing as well as whether accounts are overdrawn. "
Labels: bc, information breaches, pipa
From today's Calgary Sun: Commish eyes info abuse:
"Premier Ralph Klein's government should tighten up its use of personal information to prevent abuse, says the office of Alberta's privacy commissioner and opposition critics. Those calls came after the province revoked parking lot operator Impark's access to personal information after a company contractor violated privacy rules by making bill collecting calls late at night.
The province received recommendations six years ago from the privacy commissioner and auditor general that it be more up-front with the use of personal information, said a spokesman for Alberta Privacy Commissioner Frank Work.
'It was to have strong (bill) collection-use disclosure to protect personal information and to prevent misuse,' said Tim Chander, adding the province has adopted many of its proposals.
'We think they should go "
Labels: alberta, information breaches
In November and December, I gave a few presentations in Halifax, Truro and Sydney for the Nova Scotia Barristers Society continuing professional development department. The first was on advising clients about PIPEDA and the second was specifically focused to what lawyers need to think about to get their own houses in order. In the last month or so, I've been bombarded with phone calls from lawyers who have received letters from clients asking about privacy and aren't sure what to do or say. Many see their law firms as any other supplier and are asking for assurances that we are up to par. I've also had a couple of calls from people who weren't able to make any of the presentations for a copy of my powerpoint. So, for them and for anyone else who might be interested, here is a link to the online-viewable version of PIPEDA for Law Firms and a PDF version. I'm not going to post a native PowerPoint version online since I've seen too much of my stuff cut and pasted in other places. If you want a copy of it for a presentation you are going to give, drop me a line at david.fraser (a) mcinnescooper.com.
Labels: information breaches, presentations, privacy
Thursday, February 12, 2004
This is more than a little creepy if the company involved doesn't tell customers that their presence will be announced by RFID-laden loyalty cards (thanks to "Slashdot | RFID for the Rich" for the link):
The Globe and Mail: "If you're a frequent Prada shopper, the loyalty card in your wallet or purse contains a radio frequency identification (RFID) tag that announces your arrival in the store. When you encounter a saleswoman, her handheld computer brings up your tastes, buying history, vital statistics and personalized suggestions from in-stock and coming inventory; the handhelds also place orders and book change rooms. Every item for sale bears an RFID tag. The tag certifies the authenticity for Prada's pricey togs -- and discourages theft (setting off alarms) and counterfeiters (it's nearly impossible to copy)."
But, on the other hand, if there is knowledge and consent, this may be a great convenience for customers and the salespeople alike. ... It's all about knowledge and consent.
Labels: information breaches, privacy, rfid
Privacy watchdog highlights website flaws. 12/02/2004. ABC News Online: "Privacy watchdog highlights website flaws
The [Australian] Federal Privacy Commissioner believes many Australian companies are risking significant damage to their brands because of fundamental errors on their websites.
A recent investigation into Melbourne-based Ticketmaster 7 found the organisation's website allowed customers' personal information and contact details to be easily accessed by visitors to the site.
Privacy Commissioner Malcolm Crompton says he has highlighted Ticketmaster 7 to ensure other companies meet their obligations under the privacy act.
'It's not on any more for any company in Australia to have such simple flaws in their websites and one of the purposes of making this one so public is to call on all companies in Australia to assure themselves that they aren't exposed to this risk, which includes the risk of significant brand damage,' he said."
For other stories on this, see Google News.
Labels: australia, google, information breaches, privacy
The safeguards principle from PIPEDA doesn't go far enough to address identity theft, according to panelists at a recent conference in Ottawa which included Stephanie Perrin, who was involved with drafting PIPEDA:
ITBusiness.ca: "For the last 10 years, countless cases of identity theft have sprung up across North America because industry standards for customer privacy protection have been 'inadequate,' said a co-author of Ottawa�s electronic privacy act Wednesday.
'I express indignation that it has taken so long to address the issue (of identity theft) and I blame government and industry,' said Stephanie Perrin, one of the authors of the Personal Information Protection and Electronic Documents Act (PIPEDA) and the president of Montreal-based Digital Discretion Inc.
Perrin was one of several panelists who spoke at an Ottawa conference entitled 'Identity Theft: A $5 Billion Speck on Canada's Radar Screen.' Another panelist charged that there are 'very poor government and business security practices' for handling personal information. "
Labels: identity theft, information breaches
Monday, February 09, 2004
The article below comes out of Australia, but I've been hearing about similar things in Canada:
The Australian Consumers Association has called for a Federal Government inquiry into the credit-reporting system after a survey published today in its magazine Choice found 34 per cent of files held by the main bureau contained mistakes.
Choice asked 58 readers to request a credit report from Baycorp, which holds 13 million individual files.
Most errors (84 per cent) were in personal details such as name, licence number or address. The consumer association said this exposed consumers to the risk of 'mismatching' - with the system giving out data on the wrong person.
...
The federal privacy commissioner had admitted a six-month backlog of complaints, and did not have the resources to deal with credit-reporting problems, she said."
Credit grantors are really stuck between a rock and a hard place, in many circumstances. Under PIPEDA, as interpreted by Radwanski, they can't require the SIN (which has been used to positively identify credit files). So if you are called John Smith, there is a very good chance your credit file has been pulled by someone looking for another John Smith. The first John Smith has just had his information used without his consent and he has no idea it has even happened. This "accidental" use of third party information can be avoided by positively identifying the individual. Also, it is very likely that the credit files will be filled with even more errors, since they'll be reporting informaiton about John Smith without confidence that i'll go in the right file.
Labels: information breaches
Friday, February 06, 2004
From CNet: TiVo watchers uneasy after post-Super Bowl reports:
"TiVo watchers uneasy after post-Super Bowl reports
By Ben Charny
Staff Writer, CNET News.com
http://news.com.com/2100-1041-5154219.html
Janet Jackson's Super Bowl flash dance was shocking in more ways than one: Some TiVo users say the event brought home the realization that their beloved digital video recorders are watching them, too.
...
What's new:
TiVo-related privacy concerns resurfaced this week after Janet Jackson's Super Bowl flash dance prompted the maker of the digital video recorder to show off that it can tell what viewers are watching.
Bottom line:
Although TiVo has always disclosed its data-gathering practices, the new wave of complaints may indicate that it still has work to do to convince customers that it's protecting their interests.
Labels: information breaches
Handle With Care, If At All: Employers and Medical Information
In one of the first decisions related to the collection and use of medical information, the Office of the Privacy Commissioner has provided some guidance to employers who are subject to the federal privacy law[1] and to others who routinely handle medical information.
In PIPEDA Case Summary #226, the Assistant Privacy Commissioner of Canada considered a complaint brought by a former employee of a telecommunications company. In this case, the former employee alleged that that the employer was unnecessarily collecting personal medical information and had not implemented appropriate security safeguards to protect that information. In this specific complaint, the former employee said that the company was assisting with the administration of its long term disability program and required employees to file claim forms and medical reports with the employer’s Human Resources office. With respect to safeguards, the complainant objected to the employer’s practice of collecting medical reports by facsimile to the Human Resources office.
The federal privacy law, the Personal Information Protection and Electronics Documents Act (or “PIPEDA”, as it is often called), contains ten mandatory principles, taken from the Canadian Standards Association Model Code for the Protection of Personal Information. Principle 4 requires that all affected organizations limit their collection of personal information to that which is reasonably necessary for the purposes they have identified. Principle 7, also drawn from the Model Code, requires that an organization protect personal information with “security safeguards appropriate to the sensitivity of the information”. In short, the former employee was complaining that the organization was collecting more information than was necessary and was not safeguarding it appropriately.
The Assistant Privacy Commissioner, in the published summary of her decision, concluded that the company was in violation Principle 4 because the collection of employee medical information was not reasonably necessary. The disability plan was managed by a third-party insurance company and the employer was simply assisting with the processing of claims. Employees should have been able to submit their information directly to the insurer. The Assistant Commissioner also noted that while some people might find the practice adopted by the company to be innocuous, the company did not give employees any options. For that reason, the Assistant Commissioner determined that the company was in contravention of Principle 4 and also determined that the collection was not reasonable, as is required under Section 5(3) of PIPEDA, which reads:
(3) An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.
With respect to the complaint about safeguards, the Assistant Commissioner made some very important determinations. First of all, she concluded that medial information is considered to be “sensitive information” and that “specific diagnosis [are] among the most sensitive of medical information”. Principle 7 requires safeguards that are appropriate in light of the sensitivity of the information. The organization was in violation of Principle 7, the Assistant Commissioner found, by receiving sensitive medical information on a facsimile machine that was in an unlocked, accessible room. In the circumstances, receiving the information by fax was not appropriate, regardless of whether it occurred at the local human resources office or at the company’s head office. Allowing general human resources staff to receive and process reports containing such sensitive medical information was not appropriate. While employers may have a legitimate need to collect certain medical information (for purposes of verifying an employee’s medical absences and to meet employer obligations to accommodate employees under human rights legislation), stringent safeguards must be put in place. Specifically, the Assistant Commissioner said that such medical diagnosis should only be shared among qualified medical practitioners.
The Assistant Commissioner concluded that while the purposes for the collection by the employer might have been legitimate, the practices were unacceptable “on the whole”.
In conclusion, the Assistant Commissioner made the following specific recommendations to the employer, all of which provide useful lessons for similarly situated organizations:
This finding reinforces the fact that any health information requires special handling. Employers may, from time to time, have a legitimate need to know about specific diagnoses, procedures must be put in place to make sure that only necessary information is collected, that employees know how and for what purposes it will be used and, finally, extremely stringent safeguards must be put in place to protect that sensitive information.
The author, David T.S. Fraser, is a Canadian privacy lawyer and chair of the privacy law practice group of McInnes Cooper, Atlantic Canada's largest single law partnership.
This publication contains a general discussion of certain legal and related developments and is not intended to provide legal or other professional advice. Readers should not act on the information contained in this publication without seeking specific advice on the particular matter with which they are concerned. If you require legal advice, we would be pleased to discuss the issues in this document with you in the context of your particular circumstances.
Labels: health information, information breaches
More about a story previously reported below:
CBC North | News | Yukon government warns "clients" of security breach: "WHITEHORSE - Yukon government officials are writing letters to hundreds of criminals to let them know their probation files have been stolen.
Their files were stored on some computers that were stolen from government offices over the weekend.
However, the territory's deputy minister of Justice believes computer hardware, and not personal files were the real target.
And he says the government is confident that even though the files are now in criminal hands, people's personal information is still secure."
Labels: information breaches
Thursday, February 05, 2004
Interesting article on electronic health records from ITBusiness.ca that includes mention of privacy issues associated with electronic health records (EHR):
ITBusiness.ca: Electronic health records: Condition critical: "But an EHR, useful as it may be, does not come without headaches of its own, observed Richard Shekter, a medical malpractice lawyer with Shekter Dychtenberg.
'The real issue is while the justification for enhancing patient care (through EHR) is unassailable, the means by which you have to work to protect yourself and the rights of your patients gets immeasurably complicated,' he said.
That's because health-care organizations, like the private sector, are now governed by the federal Personal Information Protection and Electronic Documents Act (PIPEDA), he said, a piece of legislation which was never designed to meet the needs of the medical community.
And although students in the health care sciences might think confidentiality is the hallmark of the health care system, he said, 'I'm here to tell you that is largely a myth.
'I can tell you as a lawyer practising in the health field every day I am reading the health records of 10-20 patients I�ve never met. I get automatic access to the health records of the doctor who may or may not have seen thousands of patients over a 10-15 year period.'"
Labels: health information, information breaches
OK, not quite "Canadian Privacy Law", but interesting nevertheless: Yahoo! News - RFID-Privacy Law Debated: "Before radio-frequency identification technology has arrived, it risks being regulated. California state Sen. Debra Bowen plans to introduce legislation this month to restrict the retail use of RFID tags. "
Labels: information breaches, rfid
This just in from the Privacy & Irony Department:
Spyware cures may cause more harm than good | CNET News.com: "Web surfers battling 'spyware' face a new problem: so-called spyware-killing programs that install the same kind of unwanted advertising software they promise to erase. "
Labels: information breaches
An earlier blog entry referred to the Swipe Toolkit. For those who are interested, there is a discussion going on about it at Slashdot:
Chris writes 'The Swipe Toolkit is a collection of web-based tools that sheds light on personal data collection and usage practices in the United States. The tools demonstrate the value of personal information on the open market and enable people to access information encoded on a driver's license or stored in some of the many commercial data warehouses. Check out the Data Calculator, which shows how much your personal info is worth, and how the data brokers get it. It's all part of the Swipe Project, which will be on exhibition at UC-Irvine in March.' "
One of my favorite entries is a suggestion to use a large speaker to effectively degauss the magnetic strip on the back of the license. This will effectively thwart anyone who wants to swipe the info off the back. Legit users won't be able to swipe it either, but the author seemed OK with that. (Of course, becuase it is "Slashdot: News for Nerds" the thread digressed into a discussion of whether it is better to use a big speaker, a small speaker, a hard-drive voice coil or a bulk degausser.)
Labels: information breaches
From the Whithorse Star:
"Police ask for public's help in solving theft
by Sarah Elizabeth Brown
Whitehorse RCMP are turning to the public for help in solving a computer theft from the territory's probation office.
In particular, police are asking for calls from anyone who saw vehicles or people in the alley between Jarvis Street and Wood Street behind the Yukon Theatre between 4 p.m. and midnight last Sunday.
Police are also asking that anyone who noted activity in front of the Justice department's offices at 301 Jarvis St. in that time period to call them or Crime Stoppers.
Taken during the theft was a shopping list of electronics: palm pilots, camcorders, overhead projects, miscellaneous computer accessories, several black Dell computers and several laptop computers of the same make.
Along with the cost of the equipment itself, the concern is what information was stored on the hard drives.
The office's main server where the bulk of information is kept are located outside the building.
Justice Minister Elaine Taylor told reporters this morning that department officials and police are still trying to determine what information was on the hard drives of computers and laptops now missing.
If personal information was taken, those individuals will be notified immediately, said Taylor.
Most of the stolen equipment was taken from the adult probation office on the second floor, along with the crime prevention and policing and assistant deputy minister's office, also on the second floor, a department spokeswoman explained today.
While a boardroom on the first floor was entered, victims' services and the family violence sections were untouched and secure on the first floor.
Anonymous tips can be made to Crime Stoppers at 1-800-222-8477. Whitehorse RCMP can be contacted at 667-5555."
Labels: information breaches
Wednesday, February 04, 2004
A new batch of PIPEDA findings have been released by the Office of the Privacy Commissioner:
Labels: information breaches
"If you are headed to your dentist's office, pharmacy or travel agency, you may be asked to sign a form before you can get service, now that new federal privacy laws are in place.
And in some cases, you may not be able to book an appointment for a family member or have someone pick up a prescription for you without specific permission. The new privacy laws are altering the way many businesses � from pharmacies to dentists, travel agents and even the much-maligned 407 toll road � do business.
'The new law means you just can't go and collect information about people willy-nilly,' says Irwin Fefergrad, registrar with the Royal College of Dental Surgeons of Ontario.
Consumers must now be told what information is collected about them, how it is used and why it is collected. Every operation, large and small, from video stores and magazine publishers to charities and accounting firms, will need to get its information management practices in order if it wants to avoid possible court action and fines, in some cases of $10,000. Consent may be written, verbal or implied � meaning that, by using a service, a person consents. However, the person must be given a chance to opt out.
Fefergrad says that will definitely mean some changes in wording and protocols. 'You can't leave personal information on voice mail, for example.' He says people may not be able to make some dental appointments for a family member without their written permission. But he notes dentists already have strong confidentiality rules."
(Once again, there's an otherwise accurate article that suggests that you can be fined for violating consumer privacy. Not a bad message to send people fleeing to privacy lawyers, but the info is still wrong.)
Labels: information breaches
From the "yeah, that'll work" department: Gates Backs E-Mail Stamp in War on Spam:
"Some Internet experts have long suggested that the rising tide of junk e-mail, or spam, would turn into a trickle if senders had to pay even as little as a penny for each message they sent. Such an amount might be minor for legitimate commerce and communications, but it could destroy businesses that send a million offers in hopes that 10 people will respond. The idea has been dismissed both as impractical and against the free spirit of the Internet.
Now, though, the idea of e-mail postage is getting a second look from the owners of the two largest e-mail systems in the world, Microsoft and Yahoo.
Ten days ago, Bill Gates, Microsoft's chairman, told the World Economic Forum in Davos, Switzerland, that spam would not be a problem in two years, in part because of systems that would require people to pay money to send e-mail. Yahoo, meanwhile, is quietly evaluating an e-mail postage plan being developed by Goodmail, a Silicon Valley start-up company."
Labels: information breaches
This is from EPIC - the Electronic Privacy Information Center in the US. A group called the SWIPE Project has some interesting tools to show individuals what data might be encoded on their drivers' licenses (using 2D barcodes) and a calculator to figure out how much your personal information is worth. ("You want my birthdate? That'll be $14.50, please.")
The SWIPE Project has introduced a Data Toolkit, a collection of web-based tools that sheds light on personal data collection and usage practices in the United States. With the tools on the site, one can decode barcodes on licenses, request personal information files from data brokers, and use a "data calculator" to see how much personal information is worth on the market. For more information, see the EPIC Profiling Page.
Labels: information breaches
Tuesday, February 03, 2004
Another American article, but its lessons surely apply to Canada. Thanks to beSpacific for the link to the following:
Report Documents Extensive Security Flaws in State Motor Vehicle Offices Nationwide
The Center for Democracy and Technology investigated problems of ID theft and fraud at state motor vehicle administration offices nationwide. They conclude, in the report referenced below, that driver license information is subject to widespread theft due to fraud and bribery, and recommend remedies to address the widespread availability of false licenses that compromise individual and national security.
This is additionally interesting/scary in light of the movement to put biometric identifiers and other additional information on drivers' licenses and to turn licenses into de facto national ID cards.
Labels: identity theft, information breaches
The February 2004 edition of the Nova Scotia Business Journal has an article by Rhia Perkins which is based, in part, on an interview with me. (As far as I know, it is not available online, but was distributed free with the Globe and Mail today.) Unfortunately, it contains some incorrect information. The first paragraph reads, in part:
... the way companies do their electronic business must change this year, or they may have to pay damages of up to $20,000.
I don't know where the author got that bit of information, since it is incorrect. There is no cap on damages and the $20,000 figure doesn't even rougly accord with the fines provisions contained in PIPEDA:
28. Every person who knowingly contravenes subsection 8(8) or 27.1(1) or who obstructs the Commissioner or the Commissioner's delegate in the investigation of a complaint or in conducting an audit is guilty of
(a) an offence punishable on summary conviction and liable to a fine not exceeding $10,000; or
(b) an indictable offence and liable to a fine not exceeding $100,000.
Except for that, the article is pretty accurate!
Labels: information breaches
Monday, February 02, 2004
Every organization that is affected by the new federal privacy law must appoint a privacy officer. It quickly became clear that there was no established training program to provide the skills necessary to carry out this important function, so Jackie Penney, Mike Deturbide and I designed a two-day intensive training program for privacy officers. It goes well beyond the introductory type of seminars that are common these days. We offered it in Halifax last October for about 25 attendees and it was very well received. We offered a custom version for a client in Newfoundland, which was also well received.
Based on the phone calls and inquiries since January 1, the need for this program appears to be as strong as ever. We will be offering the two-day program again in March in Halifax (March 3-4), Saint John (March 15-16)and St. John's (March 10-11).
The brochure for the course available online at http://www.mcinnescooper.com/privacy/training2004.pdf.Labels: information breaches
All I can say is YIKES! and READ THE FINE PRINT! -- Yahoo! News - Spam Slayer: Be Wary of Opting In:
"I found Lewis and others like her through opt-in e-mail lists, which are sold through a perfectly legal network of e-mail address brokers. I obtained a list that contained Lewis's e-mail address, full name, postal address, phone number, IP address, credit rating, the estimated value of her house, how many times she was late paying her mortgage, and whether she was approved for a loan she requested."
Labels: information breaches, ip address
Today's Toronto Star has two columns about PIPEDA that bear a close read. The first one is by Richard Owens of the Centre for Innovation Law at the University of Toronto, is a critique of Michael Geists' earlier article (referred to below): "Federal privacy law is a dog's breakfast":
"The costs of the Quebec government's constitutional challenge to the federal privacy law are too high, Michael Geist argued in his Jan. 19 column in this newspaper. He fears the consequence, that the law may be struck down and replaced with a patchwork of provincial laws. But are those costs really too high? There are several good reasons to doubt it. The federal legislation does its job poorly; provincial legislatures might offer legislation that does the job better; and the structure of the federal legislation itself encourages a patchwork of laws. "
The Star also has a surrebuttal by Michael Geist: "CANADA badly needs a national standard":
The costs associated with privacy protection have long been a source of considerable debate. Ann Cavoukian, Ontario's Privacy Commissioner, who together with the Toronto Star's Tyler Hamilton wrote The Privacy Payoff, maintains that good privacy practices are actually good for business.
In my column of January 19, I argued maintaining a federal privacy law was essential since the provincial mish-mash of laws that would fill the void would create uncertainty and costs for the business and privacy communities.
Some remain unconvinced, however, as Professor Richard Owens illustrates in his response that accompanies this article. Far from a business opportunity, Owens writes that the federal government's Personal Information Protection and Electronic Documents Act (PIPEDA) is a costly endeavour that "rob[s] businesses and shareholders of value for no good reason, but for the legislators' inattentiveness.''
While perhaps Owens and I can agree to disagree on PIPEDA's cost implications, his response to my column makes historical claims that demand further discussion.
Labels: information breaches
Sunday, February 01, 2004
From Wired News: Is RFID Technology Easy to Foil?:
"CAMBRIDGE, Massachusetts -- You may need to read the following sentence twice: Aluminum foil hats will block the signals emitted by the radio tags that will replace bar-code labels on consumer goods.
That is, of course, if you place your tin-foil hat between the radio tag and the device trying to read its signal. "
Labels: information breaches, rfid
Consumer Federation of California - Feature Issue: "Consumer Federation of California Launches New Privacy Initiative
The Consumer Federation of California is working to qualify a new financial privacy initiative for the November ballot.
The initiative establishes the 'Ask Me First' rule - No commercial sharing of confidential financial information unless the consumer gives approval first. The initiative also stops the sale of our Social Security Numbers and increases penalties for unauthorized information sharing that results in identity theft."
Labels: identity theft, information breaches
This is out of the states ... Some school boards are considering banning posting honor rolls out of "privacy concerns". Well, it actually is because some people may not be happy because they aren't on the lists. But if you complaint about that, a school board lawyer might discover that a list of overachievers is actually a "disclosure" of personal information and against state privacy laws.
As a result, all Nashville schools have stopped posting honor rolls, and some are also considering a ban on hanging good work in the hallways ... all at the advice of school lawyers.
After a few parents complained their children might be ridiculed for not making the list, Nashville school system lawyers warned that state privacy laws forbid releasing any academic information, good or bad, without permission. "
What many people don't think about is that you can post the honor roll, as long as you have permission. Given how important the honor roll is in US schools, I expect that most parents and kids will be happy to give consent. Some kids who are targeted for bullying for being too smart may decline, but giving them the choice of whether to be on is much more responsible than assuming that it's OK.
This story is also covered elsewhere:
Labels: information breaches
The Canadian Privacy Law Blog is licensed under a
Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.