The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Thursday, June 30, 2005
Recently, I've posted a few blog entries about blogging and privacy. Now, an anonymous correspondent has pointed me to an interesting story (I am assuming he does not want to be associated with this particular story): A Korean woman has involuntarily become despised and reviled because (a) her dog pooped in the subway, (b) she refused to clean it up when asked, (c) someone took a picture of her with her dog and the mess and put it on the 'net. She is now notorious and ridiculed throughout Korea. Some would say that this is a huge invasion of privacy but others would say that it's a good old fashioned shaming, only facilitated by the online community. For more info, see: Don Park's Daily Habit - Korean Netizens Attack Dog-Shit-Girl
Labels: information breaches
Wednesday, June 29, 2005
This probably comes as a surprise to many, but a large portion of internet users actually read online privacy policies. I'll say that again: some people actually read online privacy policies. Or, more accurately, try to read online privacy policies.
Hold onto your chairs, now: people actually make buying decisions based on what they read in the policy.
The world is changing. A growing group of customers ... perhaps your customers ... care about privacy and want the companies they deal with to come clean with comprehensible privacy policies.
I still see too many companies that have privacy policies that are screensful of small print with the "good stuff" that people are interested in buried at the bottom. E-commerce sites probably pay significant sums of money to make their services accessible to Mac and Firefox users because they don't want to alienate potential customers. You should do the same with your privacy statements. Do your company a favour: ask both your grandmother and your seven-year-old nephew to read your site's privacy statement. If either or both do not fully understand what the statement really means, rewrite it and try again. Repeat as necessary.
Harris Interactive did a survey for Privacy & American Business, which backs this up: Vague online privacy policies are harming e-commerce, new survey reports.
Labels: information breaches
Privacy and blogging ... two great tastes that taste great together. But I digress.
Fernanda B. Viégas of the MIT Media lab did a survey of bloggers to find out about their feelings on privacy and their blogs:
Bloggers' Expectations of Privacy and Accountability: An Initial Survey: "Fernanda B. Viégas, Media Laboratory, Massachusetts Institute of Technology.
Abstract: This article presents an initial snapshot, based on an online survey of weblog authors, of bloggers' subjective sense of privacy, and of their perceptions of liability. The findings suggest that the social norms of bloggers are emergent and self-imposed. When confronted with questions of defamation and legal liability, respondents in the survey expressed contradictions between their actions and their knowledge of how the technology works. They generally believed that they were liable for what they published online, although they were not concerned about the persistence of their entries. In general, bloggers do not feel as if they know their audiences. For the most part, blog authors have no control over who accesses their entries, and this inability to define their audiences leads them to make a number of assumptions about who their readers are."
Labels: information breaches
Wired is running a brief, one page article on what consumers should know about ID theft: Wired News: ID Theft: What You Need to Know. Worth reading for those who aren't up to date on the topic.
Labels: information breaches
Bank Systems & Technology is running an article that discusses the cost of privacy breaches. Notification can cost $25-30 per customer, and then add $25 per customer for credit monitoring. Class action lawsuits, even if won, cost millions. The cost to reputation is impossible to calculate and can be devastating to a company.
Effective data governance is the key to avoiding these problems in the first place and strong, proactive responses to incidents are the way to mitigate these losses.
The article is online here:
Bank Systems & Technology : Lost Data Tapes Likely To Be Costly for Citi:"Lost Data Tapes Likely To Be Costly for Citi
...
Costly Mistake
As it stands, however, the incident will cost Citigroup significant money to remedy, starting with the need to assuage affected customers. "The average cost of notifying a customer of a breach is anywhere from $30 to $50 per customer. Then, the monitoring of credit records is an additional $25," relates Maureen Kelly, director of product marketing for security technology firm Vontu (San Francisco).
Citi - and other banks - could go even further toward making the customer feel safe - and that's not a bad idea, notes Vytas Kisielius, president of communications solutions provider Adeptra (Norwalk, Conn.). Kisielius compares the current public relations opportunity to Johnson & Johnson's handling of the Tylenol poisonings in 1982. When consumers no longer trusted its product, J&J responded with tamper-resistant packaging. "They made their customers feel completely safe and secure in their relationship that they had with the company," says Kisielius.
But the cost of reaching out to customers can pale in comparison to the legal costs involved with responding to class-action lawsuits. "You're talking six figures to read the complaint, seven figures before you get to a court," asserts Kevin Kalinich, national managing director for technology and professional risks, of Aon's (Chicago) Technology and Telecommunications Group. Aon offers extensions of "errors and omissions" insurance that cover both indemnification and defense costs of third-party claims or losses due to litigation.
The litigation expenses would kick in even if the defendant has a solid defense. "It'd be very hard for anyone to prevail on a lawsuit, unless they could prove actual harm and they could show it traces back to this security breach," notes Fred H. Cate, director of the Indiana University Center for Applied Cybersecurity Research.
But, "The greatest single cost is in the press disclosure," continues Cate. "Do people think less of Citibank, or, if you're a Citibank customer, are you going to be more likely to move [to another bank] now?"
Labels: breach notification, information breaches, tort
It doesn't take long... a class-action lawsuit has been filed in California against Cardsystems, related to the recent privacy breach: Lawsuit filed over CardSystems data breach | InfoWorld | News | 2005-06-28 | By Robert McMillan, IDG News Service.
Labels: cardsystems, information breaches, tort
A group of 44 State Attorneys General have written to Cardsystems, demanding that it notify all consumers who were affected by the recent security breach. They have also demanded that the company inform them of how it happened, what steps it is taking to mitigate the effect of the incident and what steps consumers should take: The Seattle Times: Business & Technology: States demand cardholders get notice of security breach.
Labels: cardsystems, information breaches
Tuesday, June 28, 2005
Despite strong criticism, the British government is going forward with a national ID scheme that will require all Britons to carry biometric ID cards: British lawmakers back ambitious ID scheme - Yahoo! News.
Labels: information breaches
Michael Geist has some things to say about the recent Security and Prosperity Partnership for North America, and notes that there are some privacy aspects worth following:
www.MichaelGeist.ca:"...Second, the plan calls for the establishment of a formal process for consultation on issues related to the protection of personal information and trans-border data flows, consistent with privacy goals, the needs of legitimate private and public sector business as well as the protection of public safety and national security. If this does indeed result in a formal process, this issue has some potential given the growing concern associated with U.S. law enforcement access to Canadian data and related outsourcing issues."
Labels: information breaches
I blogged last week about one of the most recent findings of the Office of the Privacy Commissioner related to movie theatres and the information collected when handing out assistive technology for the disabled. (See The Canadian Privacy Law Blog: New finding (#304): Movie theatre chain strengthens personal information handling practices - June 7, 2005). The complainant in this case has outed himself as Joe Clark, an advocate for making movies more accessible. He has put up a webpage devoted to his complaint and his experience here: Famous Players privacy complaint (Joe Clark: Media Access). I'd suggest taking a look at his site to get the complainant's perspective on this one.
Labels: information breaches
The Associated Press, via the San Francisco Chronicle, is reporting on a speech given by the CEO of Equifax. Thomas Chapman says he's afraid that the "epidemic" of identity theft will undermine consumer confidence and eventually stifle consumer spending: Equifax CEO: Identity Theft Is an Epidemic
Labels: identity theft, information breaches
Monday, June 27, 2005
Networkworld's "Net Insider" is calling for the banishment of Cardsystems in light of revelations that it was not following the industry's rules:
The winner so far: CardSystems Solutions:"... According to the payment card industry, failure to meet the requirements can result in a permanent prohibition of participation in credit card programs. If the payment card industry is as serious about security as it claims to be, it will use this willful disregard of its own rules to send a message - it will permanently ban CardSystems from processing credit card transactions.
I feel sorry for some of the people that work at CardSystems but not sorry enough to suggest that the company be given a slap on the wrist if it promises to be good in the future...."
This may amount to the death penalty, but it certainly would send a very strong message to the whole industry. If that were to happen (I don't expect it will), I'd bet there'd be a huge class-action suit against the directors and officers for overseeing the destruction of the company.
Also ... imagine if retailers who didn't follow the rules were cut off from accepting credit cards....
Labels: cardsystems, information breaches
Bank of America is making privacy news again, this time for accidentally allowing at least one customer access to accounts belonging to others:
Customer given access to others' accounts - The Boston Globe - Boston.com - Business:"Bank of America Corp. says its recent conversion of FleetBoston accounts to its computer network went smoothly, but don't tell that to Mark Levy, who accidentally got online access to about $90,000 of other people's money.
When Levy went to the bank's website to check his accounts, the freelance writer from Brookline said, he also had access to several accounts that weren't his. If he were criminally inclined, he said, he could have emptied those accounts.
Bank spokesman Ernesto Anguilla said that what happened was an isolated incident caused by 'human error' and 'unrelated to the conversion.' While Levy got access to about 10 accounts, it appears that they belonged to two customers, Anguilla said...."
Labels: information breaches
Sunday, June 26, 2005
Findlaw is carrying a very thorough discussion of the legal issues surrounding an invasion of privacy lawsuit brought by Robert Steinbuch after his relationship with "the Washingtonienne" (aka Jessica Cutler) was featured on her notorious blog. He is suing her for public revelation of private facts. The article, FindLaw's Writ - Hilden: Are Accounts of Consensual Sex a Violation of Privacy Rights? The Lawsuit Against the Blogger "Washingtonienne" by Julie Hilden, also contains links to the pleadings.
Thanks to the Tech Law Advisor for the pointer in his Blawg Review #12 (and also thanks for the pointer to this blog, referring to the lawyer ketchup e-mail incident).
Labels: information breaches
The growing list of privacy and security breaches and associated threats of identity theft is the front page story in the most recent Newsweek magazine. The main feature story is Grand Theft Identity, while a second link leads to a summary of the recent cases and what ID thieves are looking for: Identity Crisis. Other content includes:
Labels: identity theft, information breaches
Saturday, June 25, 2005
Thanks to Gerry Riskin for pointing this out to me ...
Techdirt is reporting on a fight between the recording industry and Dutch ISPs that parallels the recent Canadian CRIA case (see The Canadian Privacy Law Blog: The new test for disclosure of identities after BMG v John Doe):
Techdirt:Dutch Supreme Court Considering User Privacy Issues:"Contributed by Mike on Friday, June 24th, 2005 @ 12:18PM
from the anonymity?--no-such-thing... dept.
Last month, we noted that Dutch ISPs were fighting in court against the entertainment industry who wanted them to hand over names of people associated with IP addresses that were seen on file sharing networks. The ISPs argued that handing over the information was a violation of their customers' privacy. In a separate case, (but which was also funded by the entertainment industry) a stamp collector tried to get Lycos to turn over the names of people using their forums who had spoken negatively about them. Lycos, again, pointed out that this would be a privacy violation. That case is now in the Supreme Court and a 'neutral' advisor to the court has urged the Justices to require Lycos and other ISPs to cough up the names based on a fairly low threshold as the test. It remains to be seen if the Supreme Court follows this recommendation, but it could be yet another way that anonymity online gets chipped away. "
Labels: information breaches
Hats off to Tom Zeller. The writer for the New York Times is doggedly pulling together some of the most interesting and probing articles on credit card fraud, ID theft and privacy. Today's instalment discusses how a merchant is trying to reduce fraudulent purchases: To Catch a Thief - New York Times.
Labels: information breaches
The BBC is asking "how secure are India's call centres?", after the widely-reported story that a British journalist was able to buy personal information from a call centre employee:
BBC NEWS | South Asia | How secure are India's call centres?:"...
Tougher laws
The worker could also face prosecution for theft, cheating and criminal breach of laws under the country's archaic penal code.
The offender can even be sued for damages up to $225,000 to be paid to people affected by the leakage of information. But experts say that India's information technology laws are largely skewed towards checking e-commerce fraud, and do not give adequate attention to data protection.
'India needs a dedicated data protection law to check crimes as leakage of information from call centres,' says Pavan Duggal. "
Labels: information breaches
Friday, June 24, 2005
Computerworld has an interview with Rich Baich, the CISO of ChoicePoint. I'm not sure whether observers will find it reassuring:
Q&A: ChoicePoint's Rich Baich on data breach, security needs - Computerworld:"You have in the past said that what happened at ChoicePoint was not really a security breach. Then what was it? It all comes down to how you define a breach and how you define an incident. This was fraud. Someone fraudulently provided authentication to the system. It's no different than credit card theft and credit card fraud. Those are never referenced as IT-related issues though they happen millions of times every year. In fraud terms, it's called an account takeover. And that's what occurred. All I was trying to do was educate the press more than anything else that this was not what everyone would call a traditional hack. "
Labels: choicepoint, information breaches
The proposed Identity Theft Prevention Act breezed through (unanimously!) both houses of the NJ legislature yesterday and will come into force on January 1, 2006.
North Jersey Media Group: "Fast facts
Key provisions of the Identity Theft Prevention Act:
- Consumers may place a 'security freeze' on their credit files at no cost, prohibiting the information from being released to a third party without the consumer's express authorization.
- Exempt from the prohibition are law enforcement agencies, the Division of Taxation and financial institutions with which the consumer has an existing relationship.
- Customer records must be destroyed by businesses and government agencies, excluding the federal government, when they are no longer needed.
- Security breaches of computerized records must be disclosed by any business or agency that conducts business in New Jersey 'in the most expedient time possible.'
- Social Security numbers may not be printed on identity cards or materials sent through the mail, unless required by state or federal law."
Labels: identity theft, information breaches
Yet another university incident:
TheBostonChannel.com - News - Hacker Gains Access To UConn Personal Data:"STORRS, Conn. -- University of Connecticut officials have discovered a 20-month-old security breach of a computer server that contains Social Security numbers and other personal information for about 72,000 members of the university community, the school said Friday...."
Labels: information breaches
Thursday, June 23, 2005
You may have noticed that I've changed the name of this blog from "PIPEDA and Canadian Privacy Law" to "The Canadian Privacy Law Blog." When I started it in January 2004, this blog was almost entirely about the Personal Information Protection and Electronic Documents Act (PIPEDA). Since then, it has morphed into a broader presentation of privacy law and issues with a privacy angle.
I started thinking about this after reading that only 8% of Canadians are aware of PIPEDA and surely fewer of my readers from outside of Canada have a clue what PIPEDA means.
In the coming weeks, I'm planning to move from blogspot.com over to my own domain, privacylawyer.ca. I just have to figure out how to do it without causing too many problems for existing readers. I'll try to give as much notice as possible.
Labels: information breaches, privacy
From beSpacific:
beSpacific: FOIA Request By Advocacy Group Reveals Social Security Data Released Post 9/11:"Social Security Opened Its Files for 9/11 Inquiry: 'The Social Security Administration has relaxed its privacy restrictions and searched thousands of its files at the request of the F.B.I. as part of terrorism investigations since the Sept. 11, 2001, attacks, newly disclosed records and interviews show.'"
Labels: information breaches
According to the New York Times, the story behind the Cardsystems breach may not be as it was initially reported. There is a suggestion that the intrusion began at least as early as November 2004 (among other revelations): Bank in Utah Says Its Data Was at Risk in Intrusion - New York Times. Thanks to Ars Technica for the pointer. Check out their posting for some strongly-worded commentary: Scope of CardSystems-caused credit card data theft broadens.
Labels: cardsystems, information breaches
An undercover reporter, working for the Sun, managed to buy extremely sensitive personal information from an Indian call centre employee. The story is all over the media and the police are investigating.
Looking into my crystal ball, I think this story will have significant repercussions, at least in the United Kingdom. I am sure that there are corruptible employees all over the world, but this story has additional interest because of the increasing concern about offshoring personal information processing.
Companies are increasingly looking closer to home for places to economically outsource this sort of data processing, particularly places with low costs and robust privacy law enforcement. Nova Scotia has become a centre of outsourcing and companies are moving operations from India to Nova Scotia.
But back to the original story. From the Sun:
The Sun Online - News: Your life for sale:"Harvey, who paid a total of 5,000 US dollars (£2,750) for the information and was asked for another £275 to be sent later, was told details usually cost £4.25 but he was getting a special deal.
Kkaran Bahree, who said he got the details from a network of call centre workers in Delhi, also boasted that he could get up to 2,000 account details a month.
The information received included account holders’ addresses, secret passwords, credit card details, passports and driving licence information.
In some cases there were also the issue and expiry dates of bank cards, as well as the three digit security number from the back of the card.
A spokeswoman for the City of London Police said: "All the financial institutions identified have been fully informed of the situation.
"An investigation is now under way. Therefore it would be inappropriate for us to provide further details at this stage."
The spokeswoman said The Sun handed police the names of banks that might have been compromised following an investigation into the security of financial information held at foreign call centres.
"At this stage we are not fully aware of the breadth of what we are going to be investigating."
Labels: information breaches
Ontario's Information and Privacy Commissioner is recommending that the province pass a law requiring notification of privacy breaches, like California's law:
CBC Toronto - Make privacy breaches reportable: Cavoukian:"CBC NEWS – Ontario's privacy commissioner says the province should pass a law requiring businesses to notify customers if there has been a security breach involving their personal information.
Ann Cavoukian says that information is often released by mistake, accessed by electronic interlopers who hack into computer systems, or accessed by rogue employees who sell it.
With the threat of identity theft on the rise, Cavoukian says consumers should have a legal right to be notified when their personal information has been compromised.
"How would you know if your information is at risk? The fastest way … is to have the organization notify you," she said.
Canadian Federation of Independent Business spokesperson Judith Andrew acknowledges that businesses have an obligation to inform customers of security breaches.
However, Andrew said making it a legal requirement is a heavy-handed response that would hurt businesses.
"A proposal for many new protocols and all that kind of thing may end up being a useful thing to do," she said, "but it's more likely to just impose a burden that's huge and difficult to comply with for the vast majority of business out there."
Cavoukian says such a law already exists in California, and is under consideration in 30 American states."
Labels: breach notification, identity theft, information breaches, ontario
It didn't take long for phishers to try to exploit the coverage of the Cardsystems breach. Within a day, weasels were sending out scam messages, purportedly on behalf of MasterCard, telling "customers" to verify their information. See: Phishers Exploit 40M Credit Card Theft - Softpedia News.
Labels: cardsystems, information breaches
This is perhaps a privacy issue that not everyone has to deal with, but it is near and dear to the hearts of Canadian porn performers and members of this country's "adult entertainment" industry. New regulations are going into effect today in the United States that require, among other things, that purveyors of sexually explicit content online keep records related to the identity and age of all performers. According to a Vancouver lawyer who has written to the Canadian and BC Privacy Commissioners, this will mean that all Canadians whose content will be distributed via the United States will be required to provide detailed personal information to the custodian of records for each site in the United States, all of which is there for inspection by federal agents.
The relevant law is 18 USC s. 2257. You can read it here, as I suggest that you not just Google "18 USC 2257", particularly from a workplace computer.
The Ottawa Citizen has a report on the issue and the position taken by some in the Canadian porn industry: Canadian porn performers want protection from U.S. law: Critics say industry's enemies, after failing to ban it, are trying to regulate it to death.
Labels: google, information breaches, privacy
The Texas Legislature has passed a new law that follows California's lead in requiring notification of any breaches of personal information. The new law comes into force on September 1, 2005. For the full text of the bill, see: 79(R) SB122 Enrolled - Bill Text. Thanks to HIPAA Blog for the link.
Labels: breach notification, information breaches
Public registries have always been public, but putting them online can pose particular risks because they are so easily accessible and can be readily harvested by identity thieves. Today's Boston Globe is running a story on the information that is available through Massachusetts' government websites, the risks they pose and what legislators are planning to do about it.
State's online records pose risk - The Boston Globe - Boston.com - Technology - Business:"...Public documents that sometimes contain names and Social Security numbers include state and federal tax liens, Massachusetts Health liens, child support liens, and, less frequently, mortgages, said registers of deeds.
Although registers of deeds said that they are unaware of cases in which criminals used information from their databases maliciously, the information contained in the documents would be more than enough to steal an identity and open new lines of credit, said Eric Bourassa, a consumer advocate with the Massachusetts Public Interest Research Group who deals with identity theft issues.
'Once you get someone's name, address, and Social Security number you can really create a fake identity,' said Bourassa. 'This is really bad.'..."
Labels: health information, identity theft, information breaches
Wednesday, June 22, 2005
The Cardsystems breach has really spurred a lot of coverage of privacy issues. The Washington Post has a good article on the problem, approaching it from two fronts: lax security and more aggressive (and organized) criminals: Ubiquitous Technology, Bad Practices Drive Up Data Theft.
Labels: cardsystems, information breaches
Don't know what a "cob" is? Hopefully it isn't yours that's on sale online.
Yesterday's New York Times had a very thorough and chilling look at the underground market in stolen credit card information: Black Market in Stolen Credit Card Data Thrives on Internet - New York Times.
Labels: information breaches
Thanks to David Canton for pointing to an interesting Wired article on auto black boxes, which outlines new rules for the devices in the United States. In short, they are not mandatory, but the NHTSA wants each one to record 29 different data elements: U.S. to introduce new rules for auto black boxes.
Labels: information breaches
The Ontario Information and Privacy Commissioner has released her annual report for 2004 and has hit the media hustings to call for increased application of the province's freedom of information legislation, extending it to all organizations that are publicly funded. Perhaps more importantly (at least from my perspective), she is continuing her call for Ontario to enact a private sector privacy law.
For some media coverage, see: CTV.ca | Expand information laws, Ontario watchdog urges.
Labels: information breaches, ontario
Loren Steffy, a business writer with the Houston Chronicle, has published an open letter to Mastercard in an attempt to introduce new terms to her credit agreement with the company:
HoustonChronicle.com - Steffy: An open letter to dearest MasterCard:"... Effective May 1, 2005, any compromise of my data will result in a $50 liability for you, the card issuer, owed to me, the card holder.
Cashing the payment check I sent you last month (which you did) shall constitute your acceptance of this agreement. Subsequent security breaches will compound the fee. I will spell out the terms of just how much these fees and related costs will escalate as soon as I find a typeface that is small enough.
Failure to comply with these changes will result in finance charges, compounded monthly and based on the average daily balance of the amount lost to fraud.
By the way, I recently incorporated myself in South Dakota, which means I can now engage in usury as much as you can. Therefore, I have selected an annual percentage rate of 28.7 percent. However, failure to make payments will force me to raise this rate to 73.9 percent, just because I can.
And one more thing. I expect my payment to be on my desk by 12:37 p.m. on the day it's due. I'm usually at lunch at that time, so I will consider it late if it's not there by 11:24 a.m. After that, all the previously listed finance charges will apply. The date the payment is mailed is irrelevant.
Also, given the widespread nature of the security problems, I am going to share information with my fellow consumers. If I determine you failed to secure their private account information, I may be forced to enact the terms specified in this agreement even though you did not violate the agreement with me. Call it universal default in reverse...."
Labels: information breaches
From USA Today: information thieves are increasingly focusing their efforts on getting access to the large databases of personal information, such as those maintained by Cardsystems: USATODAY.com - ID thieves search ultimate pot of gold databases.
Labels: cardsystems, information breaches
According to the Australian Broadcasting Corporation, that country's bankers association is considering new policies of breach notification after the Cardsystems incident in the US: Bankers group to examine security breach alert policies. 22/06/2005. ABC News Online.
Labels: breach notification, cardsystems, information breaches
The Daily Yomiuri in Japan is reporting that a laptop has been stolen containing the personal information of 307,000 people. The info is about donors to a memorial project:
Daily Yomiuri On-Line:"PC stolen with data on 307,000 people
The Yomiuri Shimbun
A notebook computer containing personal information on 307,000 people has been stolen from a company dormitory in Itami, Hyogo Prefecture, an Osaka municipal government official said Monday.
The computer included information on donors to the construction of a tower at the Flower Expo Memorial Park in Tsurumi Ward, Osaka. The data leakage is thought to be the largest since the Personal Information Protection Law took effect in April.
According to the municipal government, an employee of Mitsubishi Electric Control Software Corp., which was contracted to digitalize the data, copied the data onto his personal computer to work on it at home, and it was stolen from the company's dormitory on June 13.
The data included people's names, addresses and other information. The municipal government said it was unlikely to be misused, however, as a 16-digit password must be inputted to access the data. "
Labels: information breaches, laptop
Tuesday, June 21, 2005
The OPC has released a new finding related to the information management practices of a theatre chain and, in particular, the information it collects when it loans out assistive technology for the disabled.
I've been contacted by the complainant in this case, who tells me he'll have a webpage up about the case in the coming days. I'll post a link when it is up and running. In the meantime, enjoy the new finding: Commissioner's Findings - PIPEDA Case Summary #304: Movie theatre chain strengthens personal information handling practices - June 7, 2005.
Labels: information breaches, pipeda findings, privacy
We've heard that information related to Canadian, Australian and Japanese customers was involved in the Cardsystems breach. Helsingin Sanomat is reporting that 500 Finns are affected, as well.
Helsingin Sanomat - International Edition - Foreign:"Sensitive information contained in the credit cards of about 500 Finns were among the up to 40 million cards that were compromised recently by hackers in the United States.
'We have been given the card numbers from Visa International and MasterCard International', said Heikki Kapanen, CEO of the Finnish credit card service company Luottokunta on Sunday...."
Labels: cardsystems, information breaches
A Federal Appeals Court in California has struck down part of that state's consumer privacy law that limits the ability of financial institutions to transfer customer data to affiliates, concluding it is pre-empted by federal law: Federal Appeals Court Limits Calif. Law. Thanks to Privacy Digest for the link.
Labels: information breaches
Monday, June 20, 2005
Over at e-Legal Canton, David Canton has an article on the intersection of the "right to publicity" and privacy: Publicity a personal choice
Labels: information breaches
Bob Coffield, at the Health Care Blog Law, is reporting that Kaiser Foundation has been fined $200K for unauthorized disclosure of patient information:
Health Care Blog Law: Kaiser Foundation Health Plan Fined $200,000:"For those of you following the Elisa D. Cooper (aka Diva of Disgruntled) matter, you will be interested to know the Department of Managed Health Care (DMHC) today issued a press release stating that the DMHC had completed its investigation and was fining Kaiser Foundation Health Plan $200,000 for the unauthorized disclosure of patient health information....
Labels: health information, information breaches
According to the New York Times, the company at the centre of the latest privacy scandal, Cardsystems, wasn't supposed to be keeping the information that was compromised. And, to compound issues, the information was not encrypted.
I've mentioned in a previous post that the card issuers may be unfairly tarred in this whole incident. The media are starting to place the blame on the third party processors, though the headlines scream out "MASTERCARD!". The electronic payments system relies upon third party processors, otherwise you would have seven terminals at each point of sale, which would be unworkable.
The NYTimes article refers to an audit, which the company passed. Perhaps the auditors need to be asked some questions.
See the NYTimes article: Lost Credit Data Improperly Kept, Company Admits - New York Times.
Labels: cardsystems, information breaches
Hot off the wires ...
The Federal Privacy Commissioner has commissioned EKOS Research Associates to survey Canadians on their privacy awareness and attitudes (For the survey results, see Canadians, Privacy, and Emerging Issue - Office of the Privacy Commissioner of Canada). A small fraction of Canadians are aware of the laws that are designed to protect privacy but increasing numbers are concerned about privacy and cross-border transfers of information.
Majority of Canadians demand informed consent on cross-border sharing of their personal information:"OTTAWA, June 20 /CNW Telbec/ - The level of concern and demand for consent on cross-border sharing of personal information is extremely high amongst Canadians, according to an EKOS Research Associates survey commissioned by the Office of the Privacy Commissioner of Canada. Approximately 90 percent of Canadians surveyed wish to not only be informed but insist on governments and the private sector obtaining their permission before sharing their information cross-border.
"There is a growing lack of confidence by Canadians in the protection of their personal information being transferred across borders and support for greater government oversight to better understand the full impact of the issue on their privacy rights. Governments need to be proactive in responding to this concern and at a minimum include consent provisions in any outsourcing or contract arrangements with foreign governments or companies," says Privacy Commissioner of Canada Jennifer Stoddart.
Highlights of survey:
- 70 percent of Canadians surveyed express a high sense of erosion of their privacy and the protection of their personal information, and predict that it is one of the most important issues facing the country.
- Although they are not familiar with privacy laws, about three in four Canadians agree on the need for strong laws to protect their personal information.
- The issue of cross-border transfer of personal information is an example of how privacy laws have not kept pace with how new technologies are impacting on the way in which companies use and transfer Canadians' personal information. In fact, nine in 10 Canadians see a need for ongoing updating of privacy legislation.
- A strong majority of Canadians surveyed indicate low confidence in the area of technology and privacy protection. Although about three in 10 Canadians are willing to allow companies to track how they shop in return for a discount on products and services, Canadians significantly agree they should be notified about the privacy implications of the products and services they buy.
"We are pleased that Canadians have expressed support for strong and responsive public and private sector privacy laws which are crucial to protecting the personal information of Canadians in today's advanced security and technology environment which is marked by data sharing between public and private organizations." says Privacy Commissioner of Canada Jennifer Stoddart.
The Office of the Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of the privacy and protection of personal information rights of Canadians.
For a copy of the EKOS Research Associates survey, please visit: http://www.privcom.gc.ca/information/survey/ekos_e.asp"
Labels: information breaches
This is just as an aside, but it seems a little unfair to call the most recent breach involving 40 MILLION people the "MasterCard" incident, since the breach is reported to have come from a third-party processor and a wide range of payment cards are affected. MasterCard is just the first one to come forward, and I'd hope they aren't unfairly tarred for doing this.
Labels: information breaches
Kyodo News is reporting that the Cardsystems incident also affects Japanese holders of certain cards: MasterCard security breach spills over to Japanese cards.
Labels: cardsystems, information breaches
Sunday, June 19, 2005
Yet another university related incident:
KPUA.net - KPUA Hawaii News - U-H warns of possible identity theft:"HONOLULU (AP) - University of Hawaii officials are contacting about 20 people connected with the university to warn them about possible identity theft.
But the officials say about 150-thousand students, faculty, staff and library patrons at any of the 10 campuses between 1999 and 2003 should take precautions.
The U-H officials took the action after being advised by federal investigators in connection with the indictment of a former Sinclair Library worker on federal charges of bank fraud related to identity theft.
The case against Deborah Jenkins is unrelated to her employment as a student worker at the U-H-Manoa library system. But she had access to the university's database, which included Social Security numbers, addresses and phone numbers for more than 150-thousand students.
Deborah Jenkins remains a fugitive."
Labels: identity theft, information breaches
The Mayor of Spokane, WA has found out the hard way that there is virtually no anonymity online. Apparently, he is accused of offering city jobs in a gay chat room, among other things:
Newsday.com: Spokane Mayor Debates Privacy Online:"SPOKANE, Wash. -- After what Mayor James West called his 'brutal outing' by a newspaper that published transcripts of his conversations from a gay chat room, he complained in an e-mail to the city's commission on race relations. West asked: 'Should we all fear that our private conversations will be splashed publicly and out of context for all in our sphere to see?' The answer, Internet privacy advocates say, is 'yes.'
'Online anonymity is kind of hard to come by,' said Beth Givens of the Privacy Rights Clearinghouse, a consumer information privacy group in San Diego.
'You cannot count on anonymity in virtually any online communication, unless you are an expert at using encryption and do a lot of research on the service you are using,' Givens said.
After receiving a tip the mayor was offering city jobs to young men he met in a Gay.com chat room, The Spokesman-Review found a way to corroborate the information without having to subpoena records from the chat room's sponsor.
It hired a computer expert to track the identity of the person behind the screen names 'Cobra82,' 'RightBiGuy' and 'JMSElton' that it suspected was the mayor...."
Labels: information breaches
Every week, I enjoy William Safire's column, On Language, from the New York Times. This week, he discusses the term "quality assurance-purposes", as it is used in the little "on hold" messages to tell you your call will be recorded.
Qualassurepurp - New York Times:"Your perusal of this column ''may be monitored for quality-assurance purposes.''
That's from the recorded announcement we hear over the phone more often than any other. The frequency of the transmission of those bland-sounding words is greater than the ever-maddening ''please hold'' or the plaintive message from college, ''Send money.'' Who coined this oleaginous and misleading monitoring message, and when?
According to Brad Cleveland, boss of Incoming Calls Management Institute, ''The first use of for quality-assurance purposes was likely AT&T ('Ma Bell') in the early 1980's.'' He adds, ''There are 75,000 to 100,000 call centers in the U.S., handling around 32 billion calls annually, so these announcements are getting a lot of air time.''
Eran Gorev, president of NICE Systems, which claims to be the leading supplier of computer systems for call monitoring, agrees that what he calls ''quality recording'' began about 20 years ago. He says it was a response to the needs of business ''to be responsive with customer service,'' but he's frank about an underlying purpose: ''From a legal standpoint, if you accept the disclaimer by staying on the line, you are forfeiting your privacy rights. The recorded conversation then becomes the property of the service provider.''
But just what is a quality-assurance purpose? That omnipresent phrase has a happy, upbeat ring, as if the recorded disclaimer is protecting the caller from snarling employees or static on the line. Who could object to an assurance of quality? In reality, I think it means ''We're spying on our workers so we can have legal grounds to fire them if they make any wild promises'' or ''We're recording your call to use your words against you in court if you dare to sue us, claiming you said 'buy' instead of 'sell.' ''..."
In Canada, under PIPEDA, you actually have to be more specific than that. One of the hallmarks of this law is that you have to clearly identify the purposes for which information is being collected. Many companies in Canada are now reciting "this call may be monitored and recorded for record-keeping, training and quality-assurance purposes."
Labels: information breaches, privacy
Saturday, June 18, 2005
The Canadian connection, from the Toronto Star:
TheStar.com - Security breach affects 40 million credit cards:"As many as 240,000 Canadian Visa accounts are among the 40 million North American credit records at risk of fraud after a security breach at an American data processing company, Visa Canada said last night...."
Labels: information breaches
I've noticed that the story about the hacking of Cardsystems Solutions Inc. is getting a lot of ink (or electrons, if you prefer). It is the most e-mailed story at the moment on Yahoo! News and Google News links to at least 700 stories. I've heard it said that these stories will stop getting attention, but as the numbers involved seem to grow weekly the amount of publicity is growing as well.
Labels: cardsystems, google, information breaches, privacy
Rob Hyndman has some more coverage of the most recent incident involving the personal information of 40 million people. There's also a bit of a dialog going on in his comments. I suggest checking it out: robhyndman.com - Mastercard Security Breach Affects 40 Million Cards.
Labels: information breaches
BJ's Wholesale Club and the Federal Trade Commission have entered into a settlement agreement following charges that BJ's didn't provide adequate security for customers' personal information. The process of dealing with the charges is said to have cost BJ's $10M in legal fees, and the settlement requires BJ's to do audits of their practices every two years for the next twenty years. From Privacyspot:
$10 Million Later, BJ's Agrees to Audits Every Other Year for 20 Years | PrivacySpot.com - Privacy Law and Data Protection:"The FTC and BJ's Wholesale Club ("BJ's") recently announced that they have agreed to settle the charges against BJ's that it failed to provide adequate security for its customer data.
The FTC claimed that BJ's lackadaisical data security policies failed to protect against fraudulent purchases at other stores made with counterfeit credit cards that contained personal information BJ's had collected from the magnetic stripes of its customers' credit cards. Specifically, the FTC cited BJ's failure to encrypt customer data when transmitted or stored on BJ's computers, to properly password protect customer data, and to run secure, sufficiently monitored wireless networks.
In a classic case of why companies should be proactive about addressing security and privacy, it's being reported that BJ's incurred $10 million in legal costs in 2004 and 2005 resolving this matter.
As part of the settlement, BJ's agreed to implement a comprehensive information-security program. Additionally, in line with the FTC's notorious history of lengthy audit requirements, even though BJ's admitted to no wrongdoing, it will be subject to third-party audits every other year for the next 20 years. Imagine the administrative burden associated with this settlement requirement.
In announcing the settlement, FTC chairman Deborah Platt Majoras stated, "Consumers must have the confidence that companies that possess their confidential information will handle it with due care and appropriately provide for its security. This case demonstrates our intention to challenge companies that fail to protect adequately consumers' sensitive information." Companies that fail to pay close attention to what constitutes "due care," run the risk of facing expensive and burdensome clean-up costs down the road."
Labels: information breaches
Personal information of present and former employees of the Federal Deposit Insurance Company (FDIC) has been compromised, according to various sources including ZDNet. It is not clear how many people are affected:
FDIC Reports Security Breach - Yahoo! News:"The FDIC has notified former and current employees of the agency that personal data including name, date of birth, salary, Social Security number and other information had been stolen several months ago.
Although the data theft was discovered in March and letters were sent to affected employees at that time, the FBI subsequently found that data of all former and current Federal Deposit Insurance Corp. employees--not only those notified by the FDIC in March--had been compromised.
Not only is the security breach embarrassing for the FDIC, it's also ironic, because the FDIC's job is to issue alerts to financial institutions about how to handle sensitive information, said Gerry Gebel, senior analyst at Burton Group, a Midvale, Utah, research and advisory firm.
The security breach at the FDIC is just the latest in a series of high-profile cases of identity thefts...."
Labels: identity theft, information breaches, law enforcement
Friday, June 17, 2005
Each week, it seems we hear about the "biggest privacy incident yet". This one may affect FORTY MILLION people, according to the San Francisco Chronicle:
Security Breach Could Expose 40M to Fraud:"A security breach of customer information at a credit card transaction company could expose to fraud up to 40 million cardholders of multiple brands, MasterCard International Inc. said Friday....
The compromised data included names, banks and account numbers — not addresses or Social Security numbers, said MasterCard spokeswoman Sharon Gamsin. Such data could be used to steal funds but not identities....
CardSystems was hit by a virus-like computer script that captured customer data for the purpose of fraud, Gamsin said. She said she did not know how the script got into the system. The FBI was investigating..."
Labels: cardsystems, information breaches, law enforcement
When I woke up this morning, I had no idea that it would be e-mail day. But it is. After the two previous posts about e-mail today, I thought I'd just continue the theme.
One of the partners in my firm got an e-mail from an accountant or actuary or business valuator or some other fellow professional. It was to announce that their offices had moved or something. I didn't really read the e-mail, because it was one paragraph on page four when he printed it out. The first three pages were the e-mail addressees. Three pages of them in ten point arial font. Hundreds of them. May have been in the thousands.
I have seen this happen, mostly by accident. I've seen it happen because of careless employees, new employees or those who just don't understand the technology. I've seen it happen over and over and over again. I know it bothers more than a few people when they know their address is being shared with hundreds of others, many of them strangers. Some people get bothered enough to complain. When a business does this, not only are they compromising the confidentiality and privacy of the people on the list (and their goodwill), but they are giving away their mailing list that they often have taken hours or thousands of dollars to compile. A good (opt-in) distribution list is valuable and practicing unsafe e-mailing is just giving it away. In this particular example, some of the sender's competitors were on the list and all it takes is a quick "cut and paste" to take that valuable intelligence. You may be giving your competitors a quick view of your clientele and an easy way to reach them.
E-mail to a distribution list has risks. Be sure that your employees appreciate this fact, because one click can cause a bunch of headaches.
Labels: information breaches
I guess there is an e-mail theme today.
Mistakes are very easy to make with e-mail. You need to be careful with e-mail. Check your e-mail before you send it. Take a deep breath. Look at the "TO:" line. Look at the "CC:" line. Re-read the message. Think ... would I want this in the Times, on the BBC, or in Yahoo! news. Only then should you click send.
A poor soul at the University of Kansas made a big mistake, according to Yahoo! News. An e-mail, sent to inform students who had failed all their courses that they would be ineligible for further student aid, was accidentally sent to all 119 students. Mistakes happen, but mistakes like this can have big consequences.
E-Mail Embarrasses 119 Failing Students - Yahoo! News:"LAWRENCE, Kan. - Due to an e-mail mistake by the University of Kansas, 119 students who failed all their classes during the last semester found out who shared their misfortune.
The students were notified earlier this week that they were in jeopardy of having their financial aid revoked. The e-mail sent Monday by the Office of Student Financial Aid asked for additional information to determine if they were still eligible for aid.
The e-mail address list included the names of all 119 students, with the result that everyone on it could see the names of all the others.
'It was a completely inadvertent, unintentional mistake,' university spokesman Todd Cohen said Thursday. 'It was our error, our mistake and we deeply regret it.'
Nancy George of Gardner, one of the students on the list, was livid, saying the mistake was tantamount to releasing the grades of students without their permission, which the Family Educational Rights and Privacy Act prohibits...."
Labels: information breaches
David Canton considers this question at eLegal Canton: Is unintended release of personal information negligence?
Labels: information breaches
Computerworld has some pretty thorough coverage of the recent US Senate hearings on ID theft: Congress offers competing ideas on fighting ID theft - Computerworld.
Labels: information breaches
An anonymous correspondent has pointed me to this story, which is getting a lot of traction since it was first published by the Times of London.
It has been said that you should never put anything in an e-mail message that you wouldn't want to see on the front page of the New York Times. The same can be said for the London Times, as an English lawyer has learned. E-mail has a very long memory and a click of the mouse can forward a message around the world. Unfortunately, not only do messages often reflect poorly on the author, but the name of their organization can get dragged through the mud as well.
Britain, UK news from The Times and The Sunday Times - Times Online:
"How a few ketchup splashes, a £4 bill and an e-mail have become the talk of the City
A CITY lawyer who made an office secretary pay £4 towards a dry-cleaning bill after she accidentally spilt ketchup on his trousers was paying dearly for his actions last night.
...
“Dear Jenny,” he wrote. “I went to the dry-cleaners at lunch and they said it would cost £4 to remove the ketchup stains.” He wrote that it would be “much appreciated” if he could have the money back.
Ms Amner replied: “I must apologise for not getting back to you straight away but due to my mother’s sudden illness, death and funeral I have had more pressing issues than your £4.” She went on: “I apologise for accidentally getting a few splashes of ketchup on your trousers. Obviously your financial need as a senior associate is greater than mine as a mere secretary.”
Ms Amner’s colleagues offered to hold a collection to raise the £4 but she paid the sum herself — while copying her colleagues in on the e-mail exchange. It has since been widely circulated on the internet. A tabloid newspaper was offering to pay £2,000 last night for a photograph of Mr Phillips. Among many unanswered questions is how the ketchup came to arrive on Mr Phillips’s trousers...."
In the BBC's coverage, they hit the nail on the head about the dangers of e-mail:
BBC NEWS | Technology | Ketchup spat embarrasses law firm:"... Commercial anthropologist Dr Simon Roberts, research director of Ideas Bazaar consultancy, said he thought Mr Phillips had chosen to e-mail the request for the money, partly because email had become the 'de facto messaging medium' in business.
'Also, we find it easy to use e-mail to say things we would feel a bit uncomfortable saying in person because we feel more distant from the interaction.'
However, Mr Phillips may be regretting starting the exchange by e-mail because 'e-mails have a long memory', he added."
For a lawyer, one might never live this down. Many lawyers use Google to find out about the lawyers on the other side of litigation or deals. After an incident like this, most of the hits on a search query will be related to the incident, not his or her practice. Be careful out there.
For more coverage, check out:
Also, this story reminds me of some other faux pas, this time with voice mail instead of e-mail: PIPEDA and Canadian Privacy Law: F-bomb-dropping attorney gets worldwide notoriety
Labels: google, information breaches, privacy
Thanks to a colleague in Newfoundland, I've obtained a copy of the decision in O'Dea v. Lucas, which I referred to yesterday (PIPEDA and Canadian Privacy Law: Insurance access trumps privacy: court). It has some interesting things to say about the right of litigants to relevant medical information in the face of requests to limit access on the basis of privacy. If the information may be relevant to the resolution of the disputes between the parties, the privacy rights of the plaintiff must give way in the interests of justice.
IN THE SUPREME COURT OF NEWFOUNDLAND AND LABRADOR TRIAL DIVISION
CITATION: O’Dea v. Lucas et al, 2005 NLTD 98
Filing Date: 2005 06 09
Docket: 2003 01T 4224
BETWEEN: ROSEANNE O’DEA, PLAINTIFF
AND: ERNEST LUCAS, FIRST DEFENDANT
AND: MICHAEL STAPLETON, SECOND DEFENDANT
Before: The Honourable Mr. Justice Robert M. Hall
Place of Hearing: St. John’s, Newfoundland and Labrador
Date of Hearing: January 27, 2005
Appearances:
Edward J. Shortall, Q.C. for the Plaintiff
Rodney J. Zdebiak for the First and Second Defendants
Authorities Cited:
Cases Considered: Furlano et al v. Calarco (1987), 60 O.R. (2d) 451, [1987] O.J. No. 744; Raymond Frenette et al v. Metropolitan Life Insurance Co., 1992 CanLII 85 (S.C.C.); A.Y. v. Gellately (2001), 198 Nfld. & P.E.I.R. 147; Micheli v. Sheppard, [1994] O.J. No. 1609 (Ontario Court of Justice - General Division).
Rules Considered: 32.02 and 38.01.(1) of the Rules of the Supreme Court, 1986
REASONS FOR JUDGMENT
Hall, J.:
Background.
[1] This matter comes before the Court by way of an interlocutory application on behalf of the plaintiff who suffered a soft tissue neck injury in a motor vehicle accident for which she claims the defendants are liable. In the statement of claim issued in this matter the only injury alleged by the plaintiff was a soft tissue injury to her neck, and she claims that as a result of the accident, and her injuries suffered therefrom, she has experienced pain and suffering and has undergone medical treatment for her injuries. The plaintiff has not made any claim for any cost of future care, loss of earning capacity, loss of housekeeping capacity, or any other form of pecuniary general damages. She has submitted a claim to the defendants claiming special damages, judgment interest, costs and non-pecuniary general damages only. The defendants have demanded production of the plaintiff’s family physician’s chart and her entire medicare billing history, as well as all pharmacy records for a 10 year period prior to the accident. The plaintiff takes the position that only conditions, treatments and medications relating to her neck would be relevant in the action and has agreed to the production of family physician’s records, MCP records and pharmacy records relating to the neck injury only and any other neck injuries whether before or after the accident in question, which injuries may be disclosed by such records. The plaintiff’s stated purpose is a desire to preserve her privacy with respect to conditions or treatments which she claims are not relevant to the action. She has not disclosed, even in the most summary way, what these might be. She therefore applies for an order, pursuant to Rules 32.02 and 38.01 of the Rules of the Supreme Court, 1986 that the discovery of medical records, including the family physician’s chart, MCP records and pharmacy records be limited to those relating to her neck.
Applicable Rules.
[2] Rule 32.02 deals with discovery and inspection of documents and it provides:
“32.02. The Court may at any time
(a) order any party to file and serve on any opposing party to a proceeding a list of documents in Form 32.01A, as provided by rule 32.01;
(b) order any party to make discovery, limited to certain documents or classes of documents only, or of documents related to the matters specified in the order;
(c) where it appears that any issue or question in the proceeding should be determined before the discovery of all or any of the documents is made, order that the issue or question be determined; or
(d) where satisfied that discovery of all or any of the documents is not necessary at that time or later, dismiss or adjourn the application; or
(e) make such other order as is just.”
[3] Rule 38.01.(1) provides:
“38.01.(1) The Court may, on the application of any party or on its own motion, at any time prior to a trial or hearing,
(a) determine any relevant question or issue of law or fact, or both;
(b) determine any question as to the admissibility of any evidence;
(c) order discovery or inspection to be delayed until the determination of any question or issue;
(d) give directions as to the procedure to govern the future course of any proceeding, which directions shall govern the proceeding notwithstanding the provision of any rule to the contrary;
(e) where the pleadings do not sufficiently define the issues of fact, direct the parties to define the issues or itself settle the issues to be tried, and give directions for the trial or hearing thereof; or
(f) order different questions or issues to be tried by different modes and at different places or times.”
Plaintiff’s Argument.
[4] Counsel for the plaintiff wishes to limit both document discovery and oral discovery in such manner that discovery is limited both in time frame and as to the nature of physical or other ailments suffered by the plaintiff. The plaintiff cites in favour of such restrictions a decision of the Ontario High Court of Justice in Furlano et al v. Calarco (1987), 60 O.R. (2d) 451, [1987] O.J. No. 744. In this case on discovery in a personal injury accident, the plaintiff gave evidence that prior to the accident she had suffered from depression and that she had injured her neck in an earlier accident. The defendant moved for an order requiring the plaintiff to produce medical records from the date of the prior accident onwards. The master directed the plaintiff to obtain a report or clinical notes relating to her condition of depression and to any prior neck injury only. The defendant appealed, seeking to set aside the limitation on the master’s order. Potts, J., after review of various cases, stated:
“I would conclude by noting that the balancing of a plaintiff’s interest in the confidentiality of medical records (and indeed, the interest of all patients whether currently involved in litigation or not) and a defendant’s interest in full disclosure of relevant materials is a delicate process. I would not agree with sweeping statements to the effect that once personal injuries are alleged in a lawsuit, a plaintiff’s entire medical history becomes a matter in issue. Criteria must be found by which to assess what part of a medical history is relevant and what is not. Because this case alleges broad physical and psychiatric injuries arising out of the accident, and there is evidence of both in the plaintiff’s recent pre-accident medical history, the defendant’s request for a review of the plaintiff’s clinical record from 1981 onward is not unreasonable. I am inclined however to limit this review to the medical conditions identified in the statement of claim or at the examination for discovery.”
[5] Rule 32.01(1) requires parties to provide a list of documents in a prescribed form “... of the documents of which the party has knowledge at that time relating to every matter in question in the proceeding ...”. In Raymond Frenette et al v. Metropolitan Life Insurance Company, 1992 CanLII 85 (S.C.C.), the Supreme Court of Canada considered issues arising concerning the production of documents under the Quebec Code of Civil Procedure. This Article 402 of the Code required that if, after a defence was filed, it appeared from the record that a document “relating to the issues between the parties” was in the possession of a third party, the third party may upon summons authorized by the Court be ordered to give communication of it to the parties unless he shows cause why he should not do so.
[6] The bolded sections of our Rule 32.01(1) and s. 402 of the Quebec Code of Civil Procedure are in my view identical in effect in that the document must “relate to” the “issues between the parties” (Quebec) or “every matter in question in the proceeding” (Newfoundland). In the Frenette case the appellant insurer had issued a policy of life insurance on the respondent’s son. Under the policy there was a basic indemnity plus a rider which provided a supplemental indemnity for accident death. Death resulting from suicide was expressly excluded as a risk. The deceased’s body was found in a river. The autopsy revealed that the probable cause of death was asphyxiation as a result of drowning but, given the advanced state of decomposition of the insured’s body, no chemical tests were performed on the insured’s tissues to detect traces of alcohol or toxins. The insurer paid the basic indemnity but refused to pay the supplemental indemnity for accident death, claiming the drowning was not accident but a suicide. Those beliefs were based on information gathered from the medical records the insurer had been able to obtain during its investigation. These records indicated that two days before his disappearance, the insured had been rushed to the emergency ward of a hospital and questioned for a possible drug overdose. Despite a 1983 authorization releasing all medical information, the hospital refused to release medical records. The Court decided that the waiver determined the issue and that the requisite information ought to be released. The Court held that even if there had been no waiver to the right of confidentiality the insurer was still entitled under Article 402 of the Code of Civil Procedure to have access to the insured’s complete medical records. 
The Supreme Court of Canada held that a Court must exercise its discretion to grant access to medical records according to the degree of relevance and importance to the information sought relevant to the issue between the parties. In exercising that discretion, a Court must weigh the diverse interest in conflict – the interest of justice against the right of privacy and confidentiality of an individual. In the Frenette case, the cause of the insured’s death was central to the litigation. Access to information sought became inextricably linked to the ability to prepare a full defence. Moreover, the records provide the best evidence or pertain most directly to the cause of the insured’s death. As for the scope of access, the complete records of the insured held by the hospital are relevant and should be given to the insured. Access to the insured’s complete medical records would not constitute an unjustified intrusion into his private life. The records covered only a brief period of the insured’s life. The nature of the claim put into question a whole series of events which may have led to the questionable cause of death and render these medical records crucial to the issues being litigated. In these circumstances, access to the records did not constitute a fishing expedition.
[7] Plaintiff’s counsel referred also to comments by McLachlin, J. as she then was, referred to by Barry, J. in this Court in the case of A.Y. v. Gellately (2001), 198 Nfld. & P.E.I.R. 147. In A.Y. v. Gellately Barry, J. referred to McLachlin, J. in A.N. v. Ryan, [1997] 1 S.C.R. 157. Ryan involved a case where the plaintiff alleged she had been sexually assaulted by her former psychiatrist and had sustained injuries as a result of the assault. In order to deal with her problems she had sought psychiatric treatments from another psychiatrist. At the commencement of her treatment by the second psychiatrist she had expressed concern that her communications with the second psychiatrist remain confidential. The first psychiatrist requested production of the second psychiatrist’s records and notes. At para. 9 of his decision in A.Y. v. Gellately, Barry, J. referring to the decision of McLachlin, J. in Ryan states:
“At paragraph 18 of her decision, Madam Justice McLachlin noted: ‘The degree of protection conferred by the privilege may be absolute or partial, depending on what is required to strike the proper balance between the interest in protecting the communication from disclosure and the interest in proper disposition of the litigation. Partial privilege may signify that only some of the documents in a given class must be produced. Documents should be considered individually or by subgroups on a “case-by-case” basis.’” (Emphasis added by Barry, J.)
[8] Further at para. 13 of Gellately, Barry, J. refers to the following quote from para. 38 of Ryan by McLachlin, J.:
“It remains to consider the argument that by commencing the proceedings against the respondent, Dr. Ryan, the appellant has forfeited her right to confidentiality. I accept that a litigant must accept such intrusions upon her privacy as are necessary to enable the judge or jury to get to the truth and render a just verdict. But I do not accept that by claiming such damages as the law allows, a litigant grants her opponent a license to delve into private aspects of her life which need not be probed for the proper disposition of the litigation.”
[9] Put simplistically the plaintiff’s position in this case is that what is involved is non-pecuniary general damages for a straightforward neck injury and that the plaintiff ought to be entitled only to examine such documents or to conduct oral examinations if the documents and the examinations are confined to the “same area” and must deal with conditions which:
(a) aggravate the symptomatic injury for which claim is made;
(b) deal with pre-existing non-symptomatic conditions which would not, but for the accident in question, have become symptomatic – i.e., the application of “thin skull” principles; and
(c) other injuries in the same area which would have become symptomatic.
Defendants’ Argument.
[10] The defendants’ counsel takes the position that disclosure should not be governed by the size of the claim. He cites the principle applicable in tort damages assessments, i.e. restitutio in integrum. He questions how his client can be expected to put the plaintiff back into the position where she was without knowing what her baseline medical assessment was prior to the accident. He contends that unless he gets enough information he cannot know the size of the problem that he has to deal with.
[11] Defendants’ counsel contends that while evidence with respect to the neck injury claimed is important it does not help entirely with determination of the question of quantum. Implicit in the claim for non-pecuniary general damages is a claim for loss of amenities of life. Defendants’ counsel asks how he can determine if the plaintiff has lost an amenity by reason of a neck injury if she had already lost that amenity of life due to some other pre-existing condition. Hypothetically the question could be “How can the defendant compensate the plaintiff for no longer being able to engage in a game of bowling because of the neck when she already could not engage in a game of bowling because of a leg injury?”.
[12] The defendant also points out that there may be other conditions at play, for example, degenerative disc disease in the lumbar or thoracic spine which may impact upon the claimed neck injury. If he is limited in his examination and discovery he claims that he can never determine if the spinal condition is general. Even when dealing with normally unrelated medical conditions, defendants’ counsel claims that the same principle applies. He postulates the question “What if the plaintiff could not bowl any more due to stomach cancer?” or “What if the life expectancy of the plaintiff was less due to some unrelated condition such as cancer?”.
[13] Defendants’ counsel also points out the risk of receiving false information or information being withheld from him. He claims that without full disclosure he has no way to know if the information provided to him is true or false. In addition, he points to simple fragility in the plaintiff’s memory as her personal health historian and he cannot, without full disclosure, test her memory in that regard. Defendants’ counsel contends that the injury and symptoms claimed by the plaintiff are not ones which are easily segregated. He postulates that a shoulder injury from some other causation may refer pain to the neck. If he is unable to measure her baseline condition prior to the accident he contends he is placed at a serious disadvantage.
[14] Additionally, defendants’ counsel submits that the plaintiff has failed to adduce any evidence to show that disclosure of medical evidence beyond the medical evidence specifically relevant to the plaintiff’s neck would result in some further physical or emotional harm and asserts that the onus should be on the plaintiff to demonstrate this situation before any consideration should be given to restricting discovery.
Analysis.
[15] I accept that information sought by the defendants might be of a highly personal or sensitive nature, the release of which might cause some anxiety on the part of the plaintiff. However I have not been provided with any medical evidence that this will in fact result. I must therefore balance the general privacy interest of the plaintiff against the interest of pursuing truth and disposing properly of the litigation, and in this regard I conclude that justice requires me to find that the plaintiff’s privacy interest must give way to the right of the defendants to access to all reasonably relevant information relating to the plaintiff’s medical condition before and since the accident.
[16] I am not satisfied that the injury claimed to be suffered by the plaintiff is sufficiently discrete and detached from impacts by reason of other physical conditions, that the examination of her medical records can properly be confined only to her “neck” without seriously and negatively impacting upon the ability of the defendants to investigate whether pre-existing or subsequently arising conditions have caused or may cause loss of amenities of life claimed by the plaintiff to be attributable to the neck injury. In this regard the case is significantly different from that relied upon by the plaintiff in Micheli v. Sheppard, [1994] O.J. No. 1609 (Ontario Court of Justice - General Division), where the plaintiff suffered a serious eye injury and the master dismissed the defendant’s motion for production of clinical notes and records. In Micheli the Court held that the key to disclosure was relevance to the issues raised in the matter and that while the pleadings were broad the plaintiff was asserting a claim referable only to his eye. The Court held that the master was correct in concluding that the defendant’s broad and general request for all of the plaintiff’s clinical records in these circumstances went beyond the limits of relevance. However, in our circumstances I am not satisfied that the defendant’s requests for clinical records and pharmacy records do in fact go beyond the limits of relevance, and therefore in terms of disclosure in its purest form I deny the plaintiff’s application with costs to the defendant.
Confidentiality.
[17] It may well be however that certain restrictions on the disclosure or the dissemination of information beyond those persons within an immediate need to know might be appropriate. These could be of the nature ordered by Barry, J. in A.Y. v. Gellately (para. 21). If this is an issue between the parties, it can be dealt with on a subsequent application.
Justice
Labels: health information, information breaches, litigation, privacy
From Declan McCullagh at CNet:
Your ISP as Net watchdog | CNET News.com:"The U.S. Department of Justice is quietly shopping around the explosive idea of requiring Internet service providers to retain records of their customers' online activities.
Data retention rules could permit police to obtain records of e-mail chatter, Web browsing or chat-room activity months after Internet providers ordinarily would have deleted the logs--that is, if logs were ever kept in the first place. No U.S. law currently mandates that such logs be kept.
In theory, at least, data retention could permit successful criminal and terrorism prosecutions that otherwise would have failed because of insufficient evidence. But privacy worries and questions about the practicality of assembling massive databases of customer behavior have caused a similar proposal to stall in Europe and could engender stiff opposition domestically...."
Labels: information breaches, law enforcement, retention
CNet is reporting the credit reports of 600 British Columbians have been disclosed without authorization from the databases of Equifax:
Canadian credit agency reports data breach | CNET News.com:"The credit files of about 600 Canadian consumers were accessed without authorization, credit reporting agency Equifax Canada said Thursday. The breach resulted from what appears to be improper use of the access codes and passwords of one of Equifax's customers, the company said in a statement. Most of the affected people are in British Columbia, and all have been contacted and offered a one-year subscription to a credit monitoring service, Equifax said...."
Labels: bc, information breaches
Thursday, June 16, 2005
I have not read the judge's decision in this case, but I am not surprised by the conclusion. Apparently, according to the Canadian Broadcasting Corporation, a judge of the Supreme Court of Nova Scotia has concluded that a defendant in a personal injury lawsuit has a right to review the complete medical records of the plaintiff for the last five years to review for pre-existing injuries.
This appears consistent with previous judgements, such as the decision of the Ontario courts in Ferenczy v. MCI Medical Clinic (see: PIPEDA and Canadian Privacy Law: PIPEDA and Video Surveillance: Guidance from the Ontario Courts).
CBC Newfoundland and Labrador - Insurance access trumps privacy: court:"ST. JOHN'S - The Supreme Court of Newfoundland and Labrador has ruled an insurance company's right to access personal information may override an individual's right to privacy.
Mount Pearl resident Roseanne O'Dea applied to the court to restrict an insurance company from obtaining her medical records.
O'Dea had been in a collision with a taxi in 2003.
The Insurance Corporation of Newfoundland, which is representing the taxi company, said it wanted to review her medical and pharmacy records for the past decade before it proceeded with any compensation.
O'Dea refused, calling the request an unacceptable breach of her privacy.
Justice Robert Hall ruled there are occasions when an insurance company's access to records should be limited.
However, Hall ruled that O'Dea's privacy must give way to the right of the company to access all potentially relevant information.
Hall said pre-existing medical conditions could be relevant to O'Dea's claim.
Don Forgeron, Atlantic vice-president of the Insurance Bureau of Canada, welcomed Thursday's ruling.
In the past, he said, courts have determined rights of access on a case-by-case basis.
'In the course of settling a claim, there needs to be appropriate medical information put forward to assess the extent of the injuries,' Forgeron said.
'We would look to the courts, as they have done in the past, to apply the appropriate tests to determine whether or not the information being requested is relevant to the proceedings.'"
Labels: information breaches, litigation, privacy, surveillance, video surveillance
This is a new one ... amid all the calls for legislation to protect personal information in the United States, a commentator in Business Week Online is calling for an amendment to the US Constitution to protect consumer privacy: Adding Privacy to the Constitution.
Labels: information breaches
Wednesday, June 15, 2005
According to the Irish Times, that country's cabinet is studying privacy laws to rein in the press: Irish Times Article - Working group to consider privacy law.
Labels: information breaches
Not surprisingly, Wired thinks that the US government should step in to address identity theft. The suggestions seem to be picking up traction, if you listen to other commentators in the media recently:
Wired News: Congress Must Deal With ID Theft
- Require businesses to secure data and levy fines against those who don't.
- Require companies to encrypt all sensitive customer data.
- Keep the plan simple and provide authority and funds to the FTC to ensure legislation is enforced.
- Keep Social Security numbers for Social Security.
- Force credit agencies to scrutinize credit-card applications and verify the identity of credit-card applicants.
- Extend fraud alerts beyond 90 days.
- Allow individuals to freeze their credit records so that no one can access the records without the individuals' approval.
- Require opt-in rather than opt-out permission before companies can share or sell data.
- Require companies to notify consumers of any privacy breaches, without preventing states from enacting even tougher local laws.
Labels: identity theft, information breaches
MSNBC is reporting on a survey that suggests the recent publicity about privacy breaches is starting to affect consumer attitudes:
Data leaks stunt e-commerce, survey suggests - Consumer Security - MSNBC.com:"Nearly half of all Americans avoid shopping on the Internet because they are worried their personal information will be stolen, according to a survey released Wednesday by an industry group. The survey also found nearly all Americans think identity theft and spyware are serious problems, but only 28 percent think the government is doing enough to address the issues. About 70 percent said new laws are necessary to protect consumer privacy...."
Labels: identity theft, information breaches
New York Newsday is running an article by AP Business writers Brian Bergstein and Matt Moore, suggesting that the United States may be able to learn a thing or two from other countries when it comes to protecting privacy and reducing the incidence of identity theft. It considers the privacy and credit environment of the UK, other European countries, Japan and Canada. Worth reading: New York City: Lower overseas rates of identity theft could guide U.S. lawmakers
Labels: identity theft, information breaches
The Commissioner's Office has just released three new "findings" under the Personal Information Protection and Electronic Documents Act. In short, they are:
Commissioner's Findings - Privacy Commissioner of Canada
- PIPEDA Case summary #303: Real estate broker publishes names of top five sales representatives in a city - Assistant Commissioner finds that statistics about real estate agent's sales are "personal information", when published in an advertisement by a competing broker.
- PIPEDA Case summary #302: Pharmacy's privacy policy and practices considered exemplary - Pharmacy's practices were inadequate, but they were reformulated to the Assistant Commissioner's satisfaction.
- PIPEDA Case summary #301: Property management company improves privacy policy - Just saying you're compliant doesn't cut it. Organizations need a privacy policy that complies with the Act and says who the privacy officer is, among other things.
Labels: information breaches, privacy
Tuesday, June 14, 2005
People often confuse privacy and security. Security is a part of privacy. (Security is also an important part of protecting other corporate assets.) Some may say that privacy is the latest buzzword for applying security to personal information. It's more than that.
In IT Management, Ray Everett-Church writes about how to explain privacy to security-types, and particularly the need to have a privacy officer.
Privacy Officers: Security Types Need Convincing:"I've spent much of the last six or seven years promoting the importance of privacy officers. Much to my dismay, over the course of the years, some of the greatest skepticism I've met has come from security professionals.
Much of the skepticism boils down to some basic misconceptions about the relationship between privacy and security, and fears that privacy officers are just going to be competing for the same organizational ''turf''. But as I have sat with security professionals to explain why the role of the privacy officer is complementary, but fundamentally different, the concerns and misconceptions are easily dispelled.
Indeed, many security executives quickly realize that privacy officers get to deal with many of the murkier, subjective, and often politically-charged issues that many security officers try to avoid being drawn into -- such as marketing strategies or legal and regulatory compliance.
But let's not miss the bigger point here.
Assuming Congress could fix the law so it would require the auditing of privacy practices, instead of the day-to-day work of the privacy officer, this is something that should be encouraged. A critical element of the Federal Trade Commission's enforcement actions in the realm of privacy has been the requirement that companies bring in outside auditors to oversee their privacy fixes and ongoing practices.
If this panel believes you should only audit after a problem is discovered, then they don't appear to have a good grasp on the reality of today's privacy methodology in use at the most enlightened organizations the world over.
The methodology is pretty simple... I ought to know. I helped develop it. The four elements of a coherent privacy program are:
- Know your current privacy-related practices;
- Articulate those practices in a privacy policy;
- Implement those practices through training and oversight, and
- Audit those practices, from within and without, to ensure compliance.
All of this may be for naught, however.
According to reports, Rep. Tom Davis (R-Va.), chairman of the U.S. House of Representatives Government Reform Committee, is pushing legislation that would repeal the appropriations language that mandated the CPO appointments. But if the Davis proposal does not become law by year's end, the ranks of America's CPO population will grow by a few dozen, and somebody will finally be accountable for privacy practices at federal agencies.
And who knows... maybe by then some government committee will have grasped what these new CPOs are supposed to be doing!"
At least in Canada's legal environment, the status quo may not be acceptable. I would therefore suggest that a coherent privacy program has the following elements:
Labels: information breaches
I have previously pointed to items addressing the issue of data quality and data aggregators, but this piece from Baseline Magazine shows a real human side of the potential consequences of bad data:
The Rising Threat from Bad Data:"Steven Calderon had a clean record, a clean conscience and no reason to think that his new employer's routine background check would cause any problem at all. Then the sheriff showed up at the office and took him to jail on warrants for child molestation and rape.
A nightmare? Sure, but Calderon figured it was a mistake that could be cleared up pretty quickly. He'd reported the theft of his Social Security number and birth certificate in 1993, so it was obvious that the bad guy was whoever had stolen Calderon's identity.
A week later he was still in jail, a victim of bad information from data broker ChoicePoint -- and of the blind belief held by his employer, the police and everyone else involved that he was more likely to be lying than the data was...."
Labels: choicepoint, information breaches
It's bad enough that sensitive medical information was being thrown out instead of being shredded, but someone dropped the bag of "trash" on a Manotick man's driveway. But it gets worse ... this is the second time.
The Ottawa Sun is reporting an incident involving medical waste and health information originating from Gamma-Dynacare in a suburb of Ottawa.
Ottawa Sun Online: NEWS - Patient info in trash: "Homeowner finds medical waste, including personal data, in his driveway for second time
A MANOTICK homeowner was shocked last week to find used medical supplies and private health information in a garbage bag dumped in his driveway.
Anthony Heembrock opened the bag Thursday to find out who'd dumped garbage on Rideau Bend Cres. for a second week in a row.
He says he found medical debris, including bloodied gauze and lab test forms with patients' names, addresses, phone and OHIP numbers.
"What if my animals or my kids got into this stuff?" Heembrock said. "What about patients' confidentiality?"
He's worried that kids and pets are at risk from handling medical waste and patients from identity theft or fraud if the information fell into the wrong hands.
Heembrock said the forms listed the Gamma-Dynacare Medical Laboratories, which shares a building with the Manotick Medical Centre. Gamma-Dynacare didn't return calls yesterday.
Dr. Ann Fillingham, a physician at the health centre, says the public was never at risk from the bag of garbage but how it disappeared is under investigation, she said.
The medical items Heembrock found, including urine specimen bottles, had never been used, she said. The bag did contain cotton balls that are taped to patients' arms after blood tests because patients throw them in the trash.
The clinic has secure disposal of needles and blood products and shreds all sensitive patient information, Fillingham said.
LOCKED AT ALL TIMES
She said the records found were requisition forms from the lab, not medical centre patient records.
Someone must have grabbed the garbage in the few minutes between when it's collected from the building and put in a locked dumpster, Fillingham said. It's now locked up at all times.
"How the garbage got to where it got twice doesn't make sense," Fillingham said. "Something is going on. We're not letting it happen again."
Having health information turn up in the garbage could violate new health privacy legislation, said Bob Spence, spokesman for the province's information and privacy commissioner.
The Personal Health Information Protection Act requires health care workers to store, share and discard private information securely.
"Anyone who works in health would be encouraged to destroy health information rather than throwing it out in the trash," said Spence. "Once we obtain more information, we will be launching a privacy investigation into this."..."
Labels: health information, identity theft, information breaches, phipa
Dan Goodin, a regular contributor to Wired, writes about his experience after receiving a letter from his former university that his data had been compromised.
Wired News: Dear Sir: Your Data Was Stolen:"... With or without government intervention, companies that fail to take effective action will surely suffer for it. Already, I'm thinking twice about donating money to UC Berkeley or continuing my relationship with Bank of America. Better to keep my information out of their hands altogether than risk them losing it."
Labels: information breaches
Elites TV, a news source I've never heard of before, has a lengthy and negative article on offshoring of personal data processing.
U.S. Offshoring of Personal Data Grows - Elites TV - Your Elite News Source:"According to the Identity Theft Resource Center in San Diego, CA there have been close to 60 reported security breaches of customer financial information from United States corporations thus far in 2005, involving 13.5 million customers’ identities. The companies include Choicepoint, Inc., Bank of America Corp., Wachovia Corp., Ameritrade Holding Corp., DSW Shoe Warehouse, Time Warner Inc., LexisNexis and most recently Citbank Financial Group. While most lost data has involved data storage tapes lost in transit by courier services or UPS, others involved computer security breaches. And as corporate America looks for ways to shore up its security problems rather than face the wrath of Congress, an even more unwieldy problem is brewing abroad.
As holes still exist in protecting the personal information of both customers and employees of corporations in the United States, many of these same corporations, which include the largest financial institutions and two of the three credit reporting agencies, have offshored information technology units which include-back office functions from customer service to software development and engineering.
Yet American customers or consumers are never informed whether or not their personal information and credit history is being offshored, as it is not required by U.S. corporations to do so. Coming to light is that various U.S. government programs and states are utilizing more and more offshore subcontractors in addition to those corporate entities which indirectly do business with the U.S. government. But unknown to the American consumer or taxpayer is the threat of theft of an individual’s identity and financial resources which remain largely unprotected without the ability to enforce U.S. law on foreign land...."
Labels: choicepoint, identity theft, information breaches
Monday, June 13, 2005
Credit card providers have been using purchase pattern information to fight fraud for some time. Visa is now applying neural network technology and other analytical techniques to deduce whether a transaction is likely to be fraudulent.
Visa's newest attempt to thwart fraud - Online Banking - MSNBC.com:"... Visa said that when a card is swiped, its new Advanced Authorization technology provides an instant rating of the transaction's potential for fraud to the card issuer, including whether the card was part of a reported security breach. The issuer can then tell the merchant whether to accept or decline the transaction...."
Labels: information breaches
Stop the presses! Stop the presses!
Apparently some companies are following privacy laws. I'm shocked.
I wonder how many of the companies impugned in this article are even aware of the new mandatory shredding rules?
KRISTV.COM - Corpus Christi, TX - New shredding laws aren't followed:"CORPUS CHRISTI-- A new federal law is now helping to protect consumers from identity theft. It requires businesses and individuals using consumer credit reports to either shred or burn the information that's obtained from them. The disposal rule went into effect this month, but some people still aren't complying. The new law protecting personal information was created in hopes of reducing the rising number of identity theft cases. The disposal rule makes it a crime for businesses to simply toss out your credit report, without shredding or burning it...."
Labels: identity theft, information breaches
Not sure if this is news to any regular readers of this blog, but privacy incidents are very often the fault of employees. Poorly trained employees and malicious employees:
Identity thefts often inside job:"You do everything right.
You protect your Social Security number like the Swiss Guard protects the pope.
You shred more documents than a secretary for Oliver North.
You never -- ever -- respond to those e-mails requesting PIN numbers and birth dates.
But before you can say "Club Med, Bora Bora," some identity thief has booked the honeymoon suite there with a credit card in your name.
How could this happen?
Here's the scary reality: It might have been an inside job.
And there's no way you could have stopped it...."
Labels: information breaches
A big part of the raison d'etre of this blog is that it is preferable to learn from the mistakes of others, rather than one's own.
It appears that many companies are learning from CitiGroup's problems:
Networking Pipeline | Enterprises Scramble To Protect Off-Site Data:"Companies are scrambling to encrypt data on tapes shipped to off-site centers for archiving and disaster recovery, and they're taking other steps to avoid the kinds of data-loss incidents that have been a major source of embarrassment in recent months. Last week it was Citigroup's turn, as the bank revealed that a box of tapes containing information on 3.9 million customers was lost in transit...."
Labels: information breaches
The US Senate is, once again, holding privacy-related hearings. This time, the US Senate Committee on Commerce, Science, & Transportation is considering ID theft. I think you can watch it live on C-SPAN on Thursday, June 16, 2005, at 10:00 a.m. (Eastern). Thanks to Tamara Thompson's blog.
Labels: information breaches
Sunday, June 12, 2005
An increasing portion of the mainstream media are picking up on privacy issues, mainly stemming from the string of breaches starting with ChoicePoint and culminating in the most recent CitiFinancial data loss. The Boston Globe is running a column by Michelle Singletary of the Washington Post that calls for legislation but also suggests that consumers become more proactive in protecting their personal information. The columnist shows one example from her own experience:
Keeping your data secret is up to you - The Boston Globe - Boston.com - Your Money - Business:"... For instance, I recently contracted to have an alarm system installed in my home. As I was filling out the sales agreement, I noticed a request for my Social Security number. I refused to divulge it. The salesman said it was a requirement. He said I ''had" to give it to him.
I unequivocally refused to divulge my number. A manager of the company called. He explained that it was needed to pull my credit score because we were signing up for a three-year monitoring service. He said it had been their experience that people with low credit scores often break the three-year contract.
Even if that was the case, I was appalled at the lack of security about my data from this company. By my rough estimate, from the time the salesman took my service agreement to his office, my data could have been exposed to at least half a dozen of the company's employees. In several of the recent data breaches, employees were doing the pilfering.
I was prepared to leave my home unprotected for the time being in the name of protecting my personal data.
Ah, but here's where it pays to be persistent about protecting your data.
The manager came up with a way to get my Social Security number without me actually giving it to him or anyone else at the company. In a three-way conference call, he phoned the credit bureau and when the automatic system asked for the customer's Social Security number, I punched it in. All he heard on his end was a beeping sound. In a few seconds he got my credit score without having to know my Social Security number.
So folks, it's up to us. We have to become our own data protectors. You may not win the battle all the time, but if you're fierce enough you can reduce the number of companies that have your information."
Labels: choicepoint, information breaches
Note to self: Make sure you are sending your faxes to the right place. Addendum: Make sure that if you do screw up, you don't accidentally send faxes to someone who is already mad at you.
CANOE -- CNEWS - Canada: Credit info in wrong hands:"It seems Equifax Canada can't get the fax or the facts right after the credit agency sent detailed personal information about three Canadians to a Lindsay man.
Scot Paterson, 42, who's been battling the agency for two years to update his credit history, received a fax this week with the addresses, social insurance numbers, driver's licences and credit card information on three people living in Scarborough, Ottawa and Montreal.
When his wife called the company to notify them of the privacy breach, she was told it was 'impossible' for such an error to occur and that they were too busy to check their faxes, he said.
Paterson got the profiles on three strangers within minutes of faxing his own personal information to Equifax in a bid to straighten out his credit history...."
Labels: information breaches
From News Channel 10 in Rhode Island:
News Channel 10 - News - CVS Apologizes For Customers' Documents Spilled On Highway:"CVS, based in Woonsocket, R.I., apologized to some customers Friday after a truck licensed by the company spilled documents with personal information on a highway in Birmingham, Ala.
CVS told News Channel 10 the incident in Alabama is an accidental situation due to a truck malfunction.
A portion of Interstate 65 in Birmingham was littered with medical documentation about CVS customers.
"We deeply regret the incident that occurred today (Friday) when a Waste Management truck that was traveling from one of our distribution centers broke open and spilled information about customers on the road,” said CVS corporate spokesman Todd Andrews, in an interview with the NBC station in Birmingham.
"What happened today (Friday) was that the information which travels from our pharmacies to our distribution center, which is then packaged and then brought to a secure landfill, was somehow relieved in transit either through a door being unsecured or somehow being damaged and opening."
After receiving calls that the documents were strewn all across the Interstate, Andrews said the issue was addressed by CVS immediately.
"We immediately took action and contacted Waste Management, which is the licensed hauler of this material,” said Andrews. “We are working with Waste Management now and their cleaning crews to secure all of this information."
CVS said they've asked the waste management company to do a full investigation into how the documents became unsecured and blew off the truck and were allowed to remain on the roadside, uncollected."
I would think this information should be shredded, rather than sent to a "secure landfill".
Labels: information breaches
MSN Money - 7 ways Congress can battle identity theft:"Allow consumers to freeze their credit.
Make "opt in" the rule.
Require that sensitive financial data be encrypted.
Take the profit out of credit monitoring.
Compensate consumers for identity theft.
Make reporting false information to credit bureaus a real crime."
Labels: identity theft, information breaches
Reuters is reporting that a computer was stolen containing names and social security numbers, among other info, of Motorola employees from Affiliated Computer Services: Two computers stolen with Motorola staff data | Reuters.com
Labels: information breaches
Saturday, June 11, 2005
On Friday, the Canadian Bar Association's Access and Privacy Law Section executive had a unique opportunity to meet with the Federal and Provincial Access and Privacy Commissioners in Ottawa. It was a very interesting and useful session, but off the record.
The issue of notification of data breaches was raised and I was asked at the lunch by one of the Commissioners whether there has been serious research on the topic. Because there is no law (other than PHIPA in Ontario) that requires notification, any business dealing with an incident will need to consider what information, if compromised, will result in actual loss or harm to the individual(s) in question. The Commissioners are increasingly being contacted by businesses who want to know whether they should contact affected individuals, but they don't have all the information to fully assess the risk.
Though the media is full of information related to identity theft, I couldn't point to any substantive research on what information is useful to identity thieves. I know anecdotally that name, address, social insurance number (or SSN in the US) and date of birth are the "keys to the kingdom". If anyone can point to anything authoritative that can provide insight, please e-mail it to me at david.fraser@privacylawyer.ca. I'll post links to anything I get.
Thanks.
Labels: breach notification, identity theft, information breaches, phipa
Tom Zeller, in the New York Times, has a lengthy article on the recent CitiGroup incident involving the loss of backup tapes with data on 3.9 MILLION Americans. The article notes that Citi was in the process of beefing up its security after a similar incident involving Japanese customers of a related company. The author interviewed Bruce Schneier and discusses encryption of data in transit. See The Scramble to Protect Personal Information - New York Times.
Labels: information breaches
Dennis Bailey, who always asks interesting (and sometimes contrarian) questions, asks in his blog, The Open Society Paradox, why so many privacy activists are lawyers. Interesting question.
I hesitate to speculate, but I hope he gets some good comments on the question.
Labels: information breaches
Computerworld, a consistently good source of privacy news, is reporting that a study by The Customer Respect Group shows that online firms are doing better with garnering customer respect. Privacy is an important component of the CRI score: Study: High-tech firms doing better with online customer privacy - Computerworld.
Labels: information breaches
Sorry for the very light writing this last week. I had a crazy week, flying to Ottawa, Toronto and St. John's. I'm back and blogging ...
The Canadian Internet Policy and Public Interest Clinic is reporting that the Canadian Federation of Students is objecting to the possible outsourcing of the administration of the Canadian student loan system to an American company. The objection is based on privacy fears connected with the USA Patriot Act.
Students demand protection from US anti-terror laws:"The Canadian Federation of Students (CFS) is urging the federal government to protect the privacy of students by retaining management of Canada's multi-billion dollar student loan program. If this contract is outsourced to US-linked organizations, student loan information will be accessible to US security agencies, who have virtually unrestricted rights to access this information for counter-terrorism purposes, in secret, under the US PATRIOT Act."
Labels: information breaches, patriot act
Thursday, June 09, 2005
Since the ChoicePoint fiasco, the hot topic in privacy is the question of public notification of security breaches. California has led the way on this and many state and federal legislators are looking to follow California's lead. The Federal Privacy Commissioner in Canada has suggested that notification should be done, but our privacy law contains no obligation (except for Ontario's Personal Health Information Protection Act).
Bruce Schneier always has interesting things to say, and this topic is no exception:
Schneier on Security: Public Disclosure of Personal Data Loss:"... As a security expert, I like the California law for three reasons. One, data on actual intrusions is useful for research. Two, alerting individuals whose data is lost or stolen is a good idea. And three, increased public scrutiny leads companies to spend more effort protecting personal data.
Think of it as public shaming. Companies will spend money to avoid the PR cost of public shaming. Hence, security improves.
This works, but there's an attenuation effect going on. As more of these events occur, the press is less likely to report them. When there's less noise in the press, there's less public shaming. And when there's less public shaming, the amount of money companies are willing to spend to avoid it goes down...."
The attenuation effect may be true, but I don't think we've peaked on this yet. If you search Google News for "citigroup tape", you get well over 360 news stories about the incident. Eventually the media's interest will trail off, but I don't think it has happened yet.
Labels: breach notification, choicepoint, google, health information, information breaches, phipa, privacy, schneier
Tuesday, June 07, 2005
PrivacyActivism.org has conducted a study of the accuracy of information contained in the records of ChoicePoint and Acxiom.
In light of the use that employers and others make of this information, the results are troubling....
Data Aggregators: A Study on Data Quality and Responsiveness:"...100% of the reports given out by ChoicePoint had at least one error in them. Error rates for basic biographical data (including information people had to submit in order to receive their reports) fared almost as badly: Acxiom had an error rate of 67% and ChoicePoint had an error rate of 73%. In other words, the majority of participants had at least one such significant error in their reported biographical data from each data broker...."
Thanks to Schneier on Security: Accuracy of Commercial Data Brokers for the link.
Labels: choicepoint, information breaches, schneier
There are a number of articles on this that I was going to link to, but once again Schneier on Security has it all summed up:
Schneier on Security: U.S. Medical Privacy Law Gutted:"In the U.S., medical privacy is largely governed by a 1996 law called HIPAA. Among many other provisions, HIPAA regulates the privacy and security surrounding electronic medical records. HIPAA specifies civil penalties against companies that don't comply with the regulations, as well as criminal penalties against individuals and corporations who knowingly steal or misuse patient data...."
Labels: information breaches, schneier
The number of reported privacy incidents involving US universities is truly staggering. I am apparently not the only one to have noticed ... Jay Cline, in Computerworld, has an interesting opinion piece, discussing the phenomenon, its causes and the outlook for more ... He even has a nice table summarizing the incidents in the last little while.
Security breaches challenge academia's 'open society' - Computerworld:"JUNE 07, 2005 (COMPUTERWORLD) - While all the attention lately has been focused on security breaches at our nation's data consolidators, U.S. universities have also been notifying thousands of employees, students and alumni to monitor their personal accounts for unusual activity. The University of Iowa recently became at least the 16th college this year to publicly disclose a breach of its information security (see table)...."
Labels: information breaches
Monday, June 06, 2005
Class action lawsuits usually follow privacy incidents. In Ohio, the state Attorney General is suing Designer Shoe Warehouse to compel the company to notify all 700,000 consumers whose information may have been compromised by a long-running incident earlier this year. See DSW Sued After Customer Data Theft - Yahoo! News. For coverage of the original incident, see PIPEDA and Canadian Privacy Law: Incident: Shoe chain says customer data stolen.
Labels: information breaches, privacy
CNN, via PrivacySpot.com, is reporting that CitiGroup has lost computer tapes containing personal information on almost four million current and former customers. ALMOST FOUR MILLION.
Citigroup division tells 3.9M customers personal info lost - Jun. 6, 2005:"NEW YORK (CNN/Money) - Citigroup said Monday that personal information on 3.9 million consumer lending customers of its CitiFinancial subsidiary was lost by UPS while in transit to a credit bureau -- the biggest breach of customer or employee data reported so far.
Citigroup, the nation's biggest financial services company, said that UPS lost the tapes while shipping them to a credit bureau in Texas...."
The tapes were not encrypted, though the company plans to start encrypting tapes starting in July. Hmm.
Labels: information breaches
Sunday, June 05, 2005
I have previously blogged about the "black boxes" found in airbag-equipped cars (See Article: Black box shows car crash data, Official Cars In The UAE Will Have IBM-Installed Back Seat Drivers, ND passes law about ownership of auto black box data, and most recently The Spy Under the Hood).
Often, privacy advocates ask "where will this end?" Now the BBC is reporting that the UK Minister of Transportation is proposing a new tax that will be based on motorists' use of the roads, tracked by GPS black boxes.
BBC NEWS | UK | 'Pay-as-you-go' road charge plan:"Drivers could pay up to £1.34 a mile in "pay-as-you go" road charges under new government plans.
The transport secretary said the charges, aimed at cutting congestion, would replace road tax and petrol duty.
Alistair Darling said change was needed if the UK was to avoid the possibility of "LA-style gridlock" within 20 years.
Every vehicle would have a black box to allow a satellite system to track their journey, with prices starting from as little as 2p per mile in rural areas.
Mr Darling has outlined his proposals to the BBC - previewing a speech he will give to the Social Market Foundation on Thursday.
"The advantage is that you would free up capacity on the roads, you would reduce the congestion that we would otherwise face and you would avoid the gridlock that you see in many American cities today," he said.
"This is a prize well worth going for. We've got to ask ourselves: would it work. Could it bring the benefits that I believe it could bring, because it would make a real change to the way we drive in this country."
A satellite tracking system would be used to enforce the toll, with prices varying from 2p per mile for driving on a quiet road out of the rush hour to £1.34 for motorways at peak times...."
The more paranoid among us might see this as a backdoor way of tracking all motorists. As long as the information exists, it is available to any cop with a search warrant, secret agent with a writ or any litigant with a subpoena.
Labels: information breaches
A number of sorority sisters in the US have discovered that sometimes a teddy bear can be a Trojan horse. In this case, it concealed a video camera, but their suspicions were not piqued even though the bear seemed to be travelling around their sorority house to get a better angle on the bathroom.
mcall.com - An extreme invasion of privacy:"At first, the six women of the Alpha Sigma Tau sorority house at Moravian College thought little of the teddy bear that appeared in their shared bathroom.
The stuffed animal allegedly belonged to XXXXXXXX, the 26-year-old boyfriend of one of the girls, who had been staying at the house.
But over the course of two weeks in February, the bear reappeared in different locations, at times facing the shower, toilet and other corners of the second-floor bathroom at 1118 Main St., Bethlehem.
It wasn't until XXXXXX's girlfriend wanted to tape a TV show for her sorority sisters that she noticed something suspicious - an unfamiliar tape in the videocassette recorder. She pushed the play button, and images of her bathroom filled the screen...."
I think the moral of the story is that in an age of mini-electronics, you need to be on the lookout for anything suspicious, particularly in your bathroom. Update: I've removed the guy's name since the charges were later dropped.
Labels: information breaches
The San Francisco Chronicle has published some findings from a study done by the University of Pennsylvania about consumer attitudes and understanding of, among other things, online privacy.
Surprisingly, consumers think the mere presence of a privacy policy is a promise not to share information. Au contraire.
You are being tracked:"Joseph Turow, a University of Pennsylvania professor who co-authored the study with a pair of grad students, told me he was surprised by how little consumers understand the ways digital technology has altered the retail business.
'The 20th century was about the democratization of prices,' he said. 'We got used to the idea that you could see how much things cost and learn about the product. The digital age changes this.
'Increasingly, what's happening is that people are being tracked and prices are being individualized based on people's behavior and background.'
One of the scarier findings of his study, Turow said, is that three-quarters of all people believe that when a Web site has a privacy policy -- and virtually all do -- it means the site won't share your personal info with others.
In fact, just the opposite is true. Most privacy policies explain in dense, difficult-to-read language that people's data will be shared unless you go to the trouble of opting out from the practice...."
Labels: information breaches, retail
Friday, June 03, 2005
Students at a community college in Michigan are being notified of a potential security breach:
Students worry about breach:"Jackson Community College officials say measures have been taken to stop hackers from accessing computers.
By Andrea Yeutter
Daily Telegram Staff Writer
A security breach in Jackson Community College's computer system may have revealed the Social Security numbers of 8,000 JCC students and employees to a hacker who broke into the system from an external source on May 18.
The compromised computer was located in the Information Technology Office, according to the college. The computer had significant administrative privileges, including access to student and employee passwords, many of which were Social Security numbers.
Prior to the breach, student and employee Social Security numbers were used as default passwords for computer and e-mail accounts. Although college officials said they encouraged students and employees to change their passwords, many continued to use their Social Security numbers until the break-in occurred...."
Labels: information breaches
Thursday, June 02, 2005
Another incident involving missing backup tapes, this time involving 600K present and former Time Warner employees:
Time Warner says data on 600,000 workers lost:"Time Warner reported Monday that a shipment of backup tapes with personal information of about 600,000 current and former employees went missing more than a month ago during a routine shipment to an offsite storage site...."
Labels: information breaches
Thanks to Gerry Riskin for pointing me to this interesting story. He probably didn't think it had a privacy angle, but just about everything does these days...
Most commentary about video surveillance talks about how intrusive it is and how it invades privacy. But video can help the average person fight back against Big Brother.
A Toronto panhandler and a real estate agent friend have used in-store video surveillance to get back the homeless man's shiny red bicycle, which the Toronto Police had confiscated believing that it must be stolen. (They also pepper-sprayed him, presumably because he got a little uppity at having his new bike taken from him.) The cops did not accept his tattered receipt as proof that the man had bought the bike from a local Zellers, so the homeless man and a friend went to the Zellers and got the video surveillance tapes that showed him buying the bike, not stealing it. The police have generously returned his bike (minus the lock). No word on an apology (and I'm not expecting one).
TorontoSun.com - Toronto And GTA - A rough ride:"... Real estate agent Roderick Stewart -- a frequent contributor to Campbell's coffers over the last six months -- first heard the story Thursday when he walked by the panhandler in his usual haunts on Yonge St. south of St. Clair Ave.
"I believed him," Stewart said. "He knew dates and places so I checked it out."
Stewart, 47, went to the Zellers at Victoria Park and Danforth Aves. and staff there went through the surveillance tapes -- where they found visual evidence of Campbell buying the bike.
So Stewart took the tape and a duplicate receipt to the 55 Division police station at Coxwell Ave. and Dundas St. E. on Friday..."
Labels: information breaches, surveillance, video surveillance
Liz Pulliam Weston, in MSN Money, notes that the rates of ID theft in Europe are only a fraction of what they are in the United States and offers her reasons why:
MSN Money - What Europe can teach us about identity theft:
- Security numbers are for Social Security -- period.
- Information is kept private.
- Credit bureaus aren't wide open.
- Credit isn't king.
Ironically, the ad that appears next to the article is for the "Loan Center" ... "Find the loan that's right for you".
Labels: identity theft, information breaches
Yawn. Another university incident:
Hacker Steals Personal Data From UC System - Yahoo! News:"Thousands of Tri-staters may be at risk after their Social Security numbers ended up in the hands of a computer hacker. News 5's Brian Hamrick discovered that hackers have been successful in the area before.
More than 7,000 employees at University of Cincinnati are worried about identity theft after a computer hacker stole their Social Security numbers.
UC Vice President of Information Technology, Fred Siff, said the hacker knew how to avoid intruder alerts on the system.
"This was obviously a serious breach," Siff said. "This is a very sophisticated hack. I hope that goes without question. It wasn't just somebody fooling around. This was very sophisticated, to be able to figure out how to piece different pieces of information together."
He also said the hacker's motivation was the Social Security numbers, which have a high value in the world of high-tech thieves.
"Anyone would not want someone to take their Social Security number and use it because a Social Security number is like identification. It's your personal identification that someone could use and mess up your credit. It could change your whole life," said Michelle Norflee, UC employee.
It's not just employees who are worried. News 5 uncovered evidence that some UC computers were sold with student Social Security numbers still on the hard drive. The mistake was found before the numbers were released, but that also forced a change in computer security.
The case is now part of an FBI investigation and at least five other universities have seen similar crimes.
So far, no identity theft crimes related to the hack have been reported."
Labels: identity theft, information breaches, law enforcement
Network Magazine has an article on the eight states that have passed privacy laws similar to California's trail-blazing legislation:
Network Magazine's Weblog: States Pass Privacy Laws:"As of today, eight state legislatures have passed privacy legislation, largely in reaction to the recent, well-publicized privacy breach incidents at ChoicePoint, Acxiom, Bank of America, LexisNexis, and others (and more states are debating such laws). This morning I read the eight states' laws to compare and contrast and see what, if any, unusual requirements they might contain (yes, maybe I do need to get a life). Although these state efforts may one day be superseded by a national law proposed by California Senator Dianne Feinstein based on her state's privacy law, the laws are all similar enough that if you understand the state laws, you'll be ready for the new national rules.
California's, Georgia's, Illinois', Washington's and Arkansas' bills are almost identical.
Florida's and North Dakota's bills are tougher than the others. They both have a section that cracks down on those who willfully and fraudulently use or create personal identification information -- Florida's sets minimum prison terms for offenders -- that hopefully won't apply to your company. The rest of these two bills mirror the other state laws, except that Florida's sets fines for violators (see below). North Dakota's act was declared an emergency measure and takes effect today; Florida's bill takes effect July 1.
Montana's bill has extra provisions for credit reporting bureaus and credit card companies, otherwise it is similar to California law. It takes effect March 1, 2006.
Illinois' rule applies to government agencies, whereas Florida specifically exempts them. Otherwise the state laws share the following common requirements...."
Labels: choicepoint, information breaches
Wednesday, June 01, 2005
I am getting a little tired of reporting these university incidents ...
press-citizen.com | Local News:"A University of Iowa Book Store computer containing credit card numbers and student and employee ID numbers was hacked into last month, the university said in a statement today.
The computer was "improperly accessed from outside the UI network" on May 18, the statement said. The university detected the breach later in the day. University Book Store staff shut the computer down and disconnected it from the network. The computer may have contained up to 30,000 active credit card numbers, UI said. The statement notes that no other UI departments that accept credit cards and/or ID charges are affected.
UI Police are investigating the incident with the help of two computer-security firms: VeriSign, the nation's leading Internet security company, and The Starken Group of Cedar Rapids. Their aim is to see if hackers were able to steal any personal information from the machine as well as to prevent a similar incident from happening again.
Credit card companies Visa and MasterCard are also involved in the investigation.
More information on the incident, including what you can do if you suspect your credit card information has been stolen, can be found at the book store's Web site at http://www.uiowa.edu/~ournews/bookstore/
For more on this story, see tomorrow's edition of the Press-Citizen and press-citizen.com."
Labels: information breaches
According to CNN/Money, business is booming for consumer reporting agency Equifax. In fact, analysts say that the fear of ID theft is probably helping their bottom line: Equifax looks like a good bet - Jun. 1, 2005.
Labels: information breaches
The Canadian Privacy Law Blog is licensed under a
Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.