The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
Sunday, July 31, 2005
What is the root cause of the identity theft "crisis"? That depends upon what you consider "identity theft". The term is often used to refer to simple credit card or debit card fraud, but the definition that I use involves impersonating another person to fraudulently obtain a benefit, such as credit facilities. The root cause of this sort of fraud is that it is very easy to impersonate someone, at least to the extent that banks and credit grantors would extend credit on the basis of the faked identity.
Though conventional identification methods, such as driver's licenses, can be faked or can be fraudulently obtained, credit grantors often do not even use such methods to confirm that the applicant is who s/he says s/he is. In most online applications, it seems the credit grantors assume your identity if the information you provide matches what's retrieved from your credit file.
MSNBC is today running an article on two responses to this challenge. The first would be mandatory "fraud alerts" on credit files, so that the credit bureaus are required to confirm that the owner of a credit file consented to its disclosure before handing it over to a lender. The second is a technological method to displace the social security number as the universal identifier.
A new way to authenticate your identity? - Consumer Security - MSNBC.com: "...Several identity theft watchdogs say the bills would neglect the deeper reason why financial fraud is relatively easy: Speed, not identity assurance, is the main priority of U.S. financial institutions that issue credit.
To be sure, the fact that many companies use Social Security numbers essentially as a password — not only are they the key to getting credit, they can also unlock access to an account over the phone — magnifies the problem. That's why Congress hopes to hide the numbers better — by reducing the ways they can be sold, for example, or by prohibiting them from being printed on benefit checks.
Even so, keeping the numbers and other personal data out of the wrong hands likely will remain tricky.
"It's too easy to get to data no matter what the key is, from insiders or hackers or mistakes," said Jody Westby, head of the security and privacy practice at PricewaterhouseCoopers LLP. "What we have to do is make it harder to use the data."
Westby's solution would be quite simple: universal use of the fraud alert, which identity theft victims are allowed to put on their credit reports for seven years. Before any new credit is granted, a card issuer or loan provider is supposed to call them and doublecheck that they, rather than an impostor, really made the application.
Putting everyone on fraud alert status would be a simple way of bringing more personal control to the system, Westby argues, just as do-not-call lists let people decide for themselves whether to talk to telemarketers.
In contrast, the data bills pending in Congress would make a lot of changes at once. Consumer advocates like many of the provisions, such as allowing people to refuse to give businesses their Social Security numbers, requiring more encryption of financial records and demanding widespread disclosure of data breaches....
Labels: identity theft, information breaches, telemarketing
Geoffrey Huntley, an Australian Unix engineer, bought a bunch of used servers from a government auction. When he got back to his office, he fired 'em up. He found that the earlier owners had not even deleted any of the contents of the drives, let alone wiped 'em. Transit administration stuff may be boring, but payroll and e-mail info is much more interesting. Being a blogger, he has written about his find: Geoffrey Huntley - Archive - Data Security 101. Slashdot is dissecting the incident at Slashdot | Govermental Servers Wiped? Never!.
Labels: information breaches
Saturday, July 30, 2005
In many hotels these days, you can use the room's television to check your bill, check your e-mail and check out of your room. Will miracles never cease? I, for one, never gave any thought to how secure these systems are. That's pretty naive.
If it moves, whirs, clicks, plugs in or connects anything to anything else, someone will try to figure out how it works and what mischief can be accomplished with it. Wired News has interviewed a hacker who, in a fit of boredom and a desire to watch pay movies for free, has figured out the system. What he has found is more than a bit troubling:
Wired News: A Hacker Games the Hotel: "... But one of the most serious vulnerabilities he found was in the billing system. Hotel guests can use their TV to check their account balance. The bill is tied to the room number, which in turn has a unique address that's assigned to the TV.
Laurie could view the bills of other guests and see their room numbers simply by going to a menu that displayed the address of the TV in his room and changing a number in the address to make the TV think it was in a different room.
"If I change that address -- it was A161 and I've now changed it to A162 -- I'm now looking at the bill of the guy next door," he said.
If he wanted to know the names and room numbers of all the guests in a hotel, he could automate the process by writing a simple script to call up sequential TV addresses, then set a video camera on a tripod in front of the TV to capture the bills as they came up.
"That tells me who's in there, who's sharing (the room) with who and what they've been doing," he said. This sort of hack would be useful to any number of people, including paparazzi stalking celebrities and private detectives hired by spouses.
"Why would they connect (the TV) to a billing system?" Laurie asked. "Because they don't think. As far as the hotel is concerned, you're the only person who can see (your bill). But they're sending you confidential data over the air through a broadcast system. It's the equivalent of running an open wireless access point. If I tune my TV to your channel, then I get to see what you're doing."
Laurie could view certain activities of other guests by tuning to other channels or by scanning through all possible channels in the system. That's because when a guest purchases premium content or TV internet access, the hotel system assigns a channel to the guest's room through which to deliver the service. All Laurie had to do was surf the channels.
He produced a slide of his TV screen showing another hotel guest sifting through business proposals in his e-mail.
"He's happily typing away in his room thinking he's privately viewing his e-mail," Laurie said. "But I could be anywhere else in the building watching what's going on (from) the TV. If I was a business rival staying in the same hotel at a conference, I could do a little corporate espionage. I see the (bid) proposal he's putting in and I could go in and put one in that's 10 bucks cheaper." ..."
Labels: information breaches
Many security and privacy incidents are caused by stolen computers, both laptops and desktops. Often you hear the phrase "Don't worry, the information is password protected." The next question has to be "What kind of password protection?"
Many people think that requiring login passwords in Windows provides an effective level of security for the data on the computer.
Not true.
Ok, maybe it'll take a determined hacker a month to get through?
Not true.
Maybe you need the kind of James Bond tools that the CIA and computer forensics folks have access to?
Not true.
This may be old news to those in the security business, but anybody with an internet connection and physical access to the computer in question can use a free online system to "recover" those pesky passwords that you've "lost". Thanks to Inter-Alia for pointing to Windows XP Login Recovery, which is a free online service that'll crack the password file that you can get off any XP computer with a simple boot disk. I assume that once you have the password, you can have access to all the stuff on the drive that has been encrypted using Windows' native encryption, too.
Scary stuff.
Labels: information breaches, laptop
Rescue 4 from Detroit got a call from someone who had received a stranger's medical records via fax machine. The documents were meant for the woman's lawyer, but the doctor misdialed: Doctor's Office Faxes Woman's Records To Stranger - Yahoo! News.
Labels: information breaches
Yet another security/privacy incident at a US university:
Austin Peay State Has Security Breach On Website: "There's been a security breach at Austin Peay State University. Social Security numbers, grades and other personal information of nearly 1,500 students were accessible to anyone visiting the school's Web page...."
Labels: information breaches
System administrators at the San Diego County Employees Retirement Association have discovered that someone has illicitly gained access to the Association's database that contains sensitive personal information about members, including current law enforcement officers:
Computer breach leaves county personnel vulnerable - North County Times - North San Diego and Southwest Riverside County News: "SAN DIEGO ---- A computer breach may have exposed more than 32,000 current and former San Diego County employees to financial danger and may have revealed the closely guarded home addresses of some 5,000 law enforcement personnel, officials said Friday.
Two computers containing names, Social Security numbers, dates of birth and addresses of current and retired San Diego County employees and their assigned departments were apparently hacked last week, San Diego County Employees Retirement Association leaders said.
...
Brian White, executive director of the association, the independent agency that manages the county's $6.3 billion pension fund, said Friday that the association was busily mailing warnings to its members about the breach.
...
However, a number of officials on Friday said they were even more troubled by the fact the information ---- if it was downloaded ---- contained the home addresses of all current and retired members of the San Diego County Sheriff's Department and district attorney's office.
Labels: information breaches
Friday, July 29, 2005
The chorus in favour of stronger privacy protections is getting louder. Daniel Handson, at SecurityFocus, has written an opinion piece at that website, calling for greater laws to deal with incidents like the CardSystems breach:
CardSystems made its choices clear: "... The latest news in this escapade is that CardSystems has now lost the contracts it had, and also faces corporate extinction. Now some reading this may be cheering a little, or perhaps a lot, at the karmic balance of CardSystems potentially paying the ultimate price for their cavalier attitude. However other people are suggesting that this corporate extinction might come as a result of misguided notification laws implemented in California, and that without the mandated public disclosure and the resulting firestorm of controversy, the company could have fixed its problems quietly and kept on serving its shareholders and customers. I think that both of these views are misguided and miss the truth.
CardSystems violated a contractual agreement that was put in place by the companies it served. It's that simple. CardSystems kept data in an insecure fashion, with no concern given to the minimum security and encryption standards that it was required to implement. I fail to see why legislation on data protection would change this situation. CardSystems was already required to maintain a certain level of security and failed to do that. In one report, Bruce Schneier mentioned that this was a common problem with contractual obligations: the fact that auditing is hard. Therefore I cannot see why changing a contractual agreement into a legislated law will make auditing any easier. To draw another comparison, did the fact that they were violating laws affect the behavior of the people at Enron?
Many companies have a long way to go in the security world, and yet the one sector of our civilian society that tends to get information security is the banking and financial industry. Sure they aren’t perfect, but in my experience they are heads and tails better than almost anyone else that I deal with at understanding data privacy. In the case of CardSystems, however, the industry insisted that minimum standards be maintained, outlined what those minimum standards were, and yet much of that was ignored. CardSystems, if it does go bankrupt, will have done so because they willfully violated a contractual obligation, not because of disclosure laws, or public pressure. Would you use a company that had willfully violated previous contracts? Would you want your credit card company to supply your data to that company? I cannot see why repealing disclosure laws and helping to mitigate the lynch mob mentality that can follow a mistake changes the fact that CardSystems violated a contract, and that contract violation is what has brought about this imminent death. I await the forthcoming laws that attempt to prevent something like this from ever happening again. Meanwhile, I continue to check my credit-card statement, bank statements and never give out my Social Insurance Number (or SSN) unless I absolutely have to. I wonder if any of the legislators who are outraged by this would give me their mother’s maiden name, birth-date and the name of their first pet? ..."
Labels: breach notification, cardsystems, information breaches, schneier
Timothy Grayson at recursiveProgress has been mulling over the recent decision of the federal Privacy Commissioner about secondary marketing (see The Canadian Privacy Law Blog: PIPEDA and non-personalized secondary marketing). He's also been thinking about what Professor Michael Geist has had to say about it (see: Michael Geist - Building a Privacy Culture from the Ground Up). All of this has left him a little confused about what this has to do with "privacy" as the term is understood by most people:
recursiveProgress: I guess I just don't understand Privacy: "...What makes less sense is what comes of that foundational premise. First, the Commissioner and Geist take the position that these "secondary marketing" materials are an unauthorized use of customers' personal information. Interesting. With reference to the online practice of ensuring opt-out from mailings of "other interesting and valuable information from associated companies," I see the consistency. I, a customer, did not specifically allow you, the business, to send me any information beyond that which relates directly to the service you are providing. OK. But what does that have to do with privacy?
The bank under scrutiny notes that it bulk mails such enclosures to all its customers with their regular statements. The mailings are apparently not individuated and personalized by customer. Moreover, the envelope is a means to convey an essential element in the provision of the service: the statement. That it also affords a fabulous, paid channel to the individual for added messaging is a bonus not especially different than having sponsor's signs painted on hockey rink boards, commercials on television, ads in magazines, or . . . Yes, no doubt, the paper that is received inside the envelope, inside my house, is much more insidiously annoying and difficult to block out like those other ads. Yes, they are inside my house and therefore have breached my territory (without my desire or approval). All true. So what? ..."
In a further posting (recursiveProgress: I still don't understand privacy, but maybe it's a language barrier), he muses that perhaps there is a problem with the language and terminology of this particular discussion.
"...The point of this entire pedantic diatribe is that I think the language -- the vocabulary -- we're using to create and discuss digital identity is a holdover from a different time and place. While it is valid and necessary to some degree during this transitional period because it creates a shorthand for getting to ideas and provides essential continuity with the past, the baggage that this vocabulary brings with it is weighing down and impeding effective discussion about what is and where it's going. In this case, we're applying 17th or 18th-century definitions of private and privacy in a 21st-century world. Some people like the old vocabularies: they're comfortable and easy. New vocabularies are hard work and cause tremors of their own accord. Some would suggest it is more important to focus on the practical issue at hand than with the pissy notion of the vocabulary by which we discuss these issues. Others -- like the Cluetrainers and Kim Cameron, even Dick Hardt -- are busy dealing with changing the language. Is "identity meta-system" an appropriate word or description? Maybe, maybe not. Doesn't really matter. What matters is that the word is (sort of) new and the opportunities for it are endless.
Thanks to Rob Hyndman for pointing me to Grayson's postings.
Labels: information breaches, privacy
A nationwide survey of 1,097 ID theft victims in the US shows that it takes quite some time and effort for victims to clear their names. One third of the victims blame the internet for disclosing their information. Other info:
USATODAY.com - Survey: ID theft takes time to wipe clean: "...The typical ID-theft victim is in his or her 40s, white, married, college-educated and with annual income of $50,000 to $75,000, the Nationwide survey says.
Someone such as Scott Cummins, 45, who works at an insurance company in Ohio. He did not take part in Nationwide's survey, but his case is indicative of what happens to many ID-theft victims.
In early 2003, a crook who swiped Cummins' name and Social Security number opened two credit card accounts under the name C. Scott Cummins.
More than $4,000 was charged to the cards. Cummins discovered the fraud when a collection-agency rep called him, demanding payment, in October. Cummins requested a credit report, contacted the card issuer and, 45 days later, the mess was cleaned up, he says. "The biggest hassle I've ever been a part of in my life." Cummins isn't taking any chances. "I'm on my second shredder," he says."
Labels: information breaches
Thursday, July 28, 2005
Bruce Schneier always has interesting things to say about privacy and security. Today, he points to a research project carried out at MIT in which volunteers allowed their cell phones to report back tracking data. The aggregated data was mined to reveal interesting insights into the individual phone users.
Schneier on Security: Automatic Surveillance Via Cell Phone: "...This is worrisome from a number of angles: government surveillance, corporate surveillance for marketing purposes, criminal surveillance. I am not mollified by this comment:
People should not be too concerned about the data trails left by their phone, according to Chris Hoofnagle, associate director of the Electronic Privacy Information Center. 'The location data and billing records is protected by statute, and carriers are under a duty of confidentiality to protect it,' Hoofnagle said.
We're building an infrastructure of surveillance as a side effect of the convenience of carrying our cell phones everywhere."
There's some interesting discussion in the post's comments, too.
Labels: information breaches, schneier, surveillance
Thanks to beSpacific for pointing to a draft European Union directive for the retention of communications data.
"The European Commission has finally produced its draft directive on data retention. According to the Commission, all fixed and mobile telephony traffic and location data from all private and legal persons should be stored for 1 year. Data about communications 'using solely the internet protocol' should be stored for 6 months."
Labels: information breaches, retention
Declan McCullagh and Anne Broache of CNET News.com have a handy summary of the legislative initiatives to deal with ID theft that are currently stewing in various congressional committees over the summer: Senate moves toward new data security rules | CNET News.com.
Labels: information breaches
Congress Urged to Get Tough on Identity Theft; Consumers Union Outlines Needed Reforms as Senate Committees Take Up ID Theft Protection Bills - Yahoo! News: "Meaningful notice about data security breaches: Consumers need to be notified whenever sensitive information about them has been compromised so they can take steps to protect themselves against identity theft. Congress shouldn't allow the company that has experienced the breach to decide on its own when the breach may cause harm to consumers. Consumers cannot count on companies to do a good job evaluating whether they are at risk of identity theft when so many of them have demonstrated such a poor track record keeping information safe.
Strict new data security rules: Congress must impose strong requirements on information brokers to protect the information they hold and to screen and monitor the persons to whom they make that information available.
Protect Social Security numbers: In this information age, Social Security numbers have become widely accessible and are the key used by crooks to steal identities and unlock credit files. Restrict the sale, collection, use, sharing, posting, display and secondary use of Social Security numbers.
Give all consumers the right to freeze credit files: A security freeze enables consumers to prevent anyone from looking at his or her own credit files for purposes of granting credit unless the consumer chooses to let that particular business look at the information. This gives the consumer control over who has access to the information needed to process a credit application and prevents crooks from opening up new accounts using stolen information. When the consumer is applying for credit, the freeze can be lifted temporarily so the application can be processed. Ten states have adopted some form of security freeze for consumers.
Limit preemption of state safeguards: States have been innovators in the field of identity theft and Congress should preserve the ability of states to develop new ways of protecting consumers. Congress should set a minimum standard of consumer protection for everyone, allowing states to give their residents additional safeguards."
Labels: identity theft, information breaches
Wednesday, July 27, 2005
Since cops in New York have started searching subway passengers' bags, I'm sure that there are a number of people asking the question answered in today's Slate: Are Subway Searches Legal? - The rules for searching bags. By Daniel Engber.
Labels: information breaches
Tuesday, July 26, 2005
Users who visit the Microsoft website looking for patches and upgrades will find their computers and software being probed as part of an attempt to crack down on pirated software. To be eligible for patches (other than security fixes), software will be audited to see if "U R Legit". No surprise, but there are some concerns about privacy when Microsoft rummages through your PC, particularly after other companies have covertly collected personal information through similar means.
The Globe and Mail: Bill Gates will be frisking you with a simple point and click: "It sets an extremely negative precedent," Pam Dixon, executive director of World Privacy Forum, a non-profit public-interest research centre in San Diego, said of the company's initiative. "Microsoft is saying, 'Before I let you do anything at all, you have to open your computer to us.' I really object to this."
The company will scan machines for a variety of information, including product keys or software authorization codes, operating-system version and details on the flow of data between the operating system and other hardware, such as printers.
It is access to this information that particularly upsets the privacy advocates. Ms. Dixon says the only information Microsoft needs to fight piracy is the product key and the operating-system version, and she says that Microsoft will be able to identify users uniquely based on some of the information the company collects.
"They are grabbing more information than they need to deter piracy," she said.
...
Microsoft said no personal data will be collected during the validation process, and information will remain completely anonymous. The company said it commissioned TÜV-ITÖ, an independent German security auditor, to test how well its Windows Genuine Advantage program protects customers' data, and the firm concluded that Microsoft does not collect any personal information that would allow it to identify or contact a user.
Labels: information breaches
The New York Times is reporting on how small retailers without the security or IT expertise of their larger competitors are becoming easy pickings for data thieves who use basic wireless technology to take personal and credit card data from the airwaves: Main Street in the Cross Hairs - New York Times.
Labels: information breaches
Today's USA Today has an OP/ED on privacy and the little bits of data that consumers are willing to give up in exchange for a bit of convenience or a discount. There aren't any great revelations in the article, but it is an example of how the call for greater regulation is moving front and centre in the mainstream media:
USATODAY.com - Who's minding the store (of private data you gave up)?: "Several recent developments have chipped away at privacy:
• Invisible surveillance. Information is increasingly collected without the knowledge, much less permission, of those giving it up. "Black boxes" the size of cigarette packs have been installed in 40 million vehicles to monitor speed, seat-belt use and more. Only five states require that car buyers be informed of its presence. From Philadelphia to Chicago to Los Angeles, surveillance cameras are on silent watch in public spaces. London's recent success in capturing photos of terrorists has fed the calls for more.
• Collection mania. Data mining is big business. Companies vacuum up data from public and private sources, aggregate it, analyze it and sell it to buyers ranging from private companies to the CIA. Any one item is not very invasive, but when birth certificates, credit histories, real estate deeds, military records and insurance claims are pulled together, they paint intimate pictures. If errors exist, the public has no way to know or demand fixes.
• Data thefts. In recent months, breaches involving banks, credit card processors, colleges and the biggest of the data brokers, ChoicePoint, have left millions of people vulnerable to identity theft. Legislators and the companies themselves have done little to correct the problem.
• Government mischief. Collection of information by the government is often fraught with errors and overreaching. The Transportation Security Administration's "no-fly" list has repeatedly ensnared innocent travelers. The agency was rapped again Friday for violating privacy while trying to create another program to screen fliers.
It's easy to sympathize with the goals of much of this data collection, whether safer driving or terrorism prevention. But it might be possible to reach those goals less invasively.
Congress and state lawmakers need to establish basic protections for all information. Businesses need to realize they can profit more by viewing consumers as partners, not as pesky subjects for dossiers. Individuals will need ways to monitor data about themselves.
Fighting technology is no answer. It won't work. Nor is surrendering to Big Brother. A palatable compromise should involve an active government, private ingenuity and an involved public. Perhaps that's what's finally taking off in Orlando."
Labels: choicepoint, identity theft, information breaches, surveillance
Monday, July 25, 2005
I blogged a little while ago about a plan by the City of New York to collect personal information about diabetics in that city without the consent of the individual patients (see The Canadian Privacy Law Blog: City Officials Aim to Track How Diabetics Manage Illness). The plan is starting to attract more criticism, according to an article from the Associated Press, via Yahoo!:
N.Y. Diabetes-Tracking Plan Draws Concern - Yahoo! News: "... Diabetes is different, threatening no one but the people who have it.
"This isn't smallpox," said James Pyles, an attorney who represents health care groups concerned with medical privacy. "The state, or the city in this case, does not have a compelling interest in the health of an individual that overrides that individual's right to privacy."
Pyles praised the intent of the program, but said unless diabetics are asked for their consent, it would be "an outright violation of the constitutional right to privacy" for the government to obtain their identities.
The city's program wouldn't initially get consent to collect data, but would allow patients to opt out later. The database would also be tightly controlled, off limits to anyone but department staff, the patients and their doctors, health officials say.
Over time, doctors could receive letters, telling them whether their patients have been getting adequate care. People who skip checkups might get a note from their doctors, reminding them of the dangers of untreated diabetes.
The plan is akin to the surveillance system put in place in 1897 to fight tuberculosis. At first, doctors were outraged they had to report TB cases to the government, but it became a model after deaths plummeted....
UPDATE: You may not be surprised by the Wired News headline on this one: Wired News: Big Brother Wants to Be Diet Cop
Labels: health information, information breaches, surveillance
There has been some buzz in the privacy law community about the possibility of merging the Office of the Privacy Commissioner with that of the Access to Information Commissioner. The PMO today announced that Gerard V. LaForest, the retired Supreme Court Justice, has been appointed to be a special advisor to the Minister of Justice to make recommendations on whether this merger is advisable: Prime Minister of Canada: Prime Minister Announces Special Advisor to Review Information and Privacy Mandates.
Labels: information breaches
Alberta is introducing an online system for applying for student loans and other financial assistance:
Camrose Canadian, Camrose, AB: "Students can apply on-line
Application procedure streamlined
Amanda Kuttnick-Dyer, Staff Reporter
Sunday July 24, 2005
Camrose Canadian — Post-secondary students will be able to access a wealth of financial assistance and resources this fall.
Alberta students will be able to complete an on-line application for student loans, grants and bursaries giving them access to a greater range of faster, more flexible and user friendly, electronic services through a new electronic application system.
The new system allows post-secondary students to apply on-line for financial assistance, and have their application processed instantaneously and know immediately how much they will be receiving. Full-time students attending private vocational institutions can also use this new system.
Electronic
The system will also provide post-secondary institutions with the ability to electronically notify the finance departments of student registration. The idea is to reduce lineups, as the institutions will no longer have to approve student federal or provincial loan certificates.
It’s expected that this new process will assist in the processing of 45,000 full time applications. In a single day between 2,000 and 3,000 students will be assessed.
To access the system, all students will be required to input an Alberta Student Number, a Social Insurance Number and some standard personal information. Additional input requirements differ for first time students and returning students. For more information on access and requirements, visit www.alis.gov.ab.ca/studentsfinance/eap/main.asp or call 1-800-222-6485."
Sounds like a good idea, but it reminds me too much of various incidents I've read about in the last little while, such as this one: The Canadian Privacy Law Blog: Incident: hacker may have read applicant files at University of Southern California.
Labels: alberta, information breaches
Last week, I wrote about a new finding from the office of the Privacy Commissioner that faulted a bank for not allowing people to opt out of receiving marketing materials with their credit card bills. (See: The Canadian Privacy Law Blog: PIPEDA and non-personalized secondary marketing.)
In his regular Law Bytes column, Michael Geist has some interesting comments on the decision itself and where it fits into the bigger picture. See his column on his website here.
Labels: information breaches, privacy
Journal Gazette | 07/25/2005 | Lawsuits broach data-security breaches: "... The Marin County, Calif., salesman, along with two other plaintiffs, has filed a class-action lawsuit in California Superior Court in San Francisco against CardSystems Solutions Inc., which last month acknowledged that hackers had obtained information on approximately 200,000 credit- and debit-card accounts. The payment-processing concern might have put the personal information of as many as 40 million consumers at risk, including Schultz’s Visa debit-card account.
Schultz, 52, hasn’t discovered fraudulent activity in connection with his Visa account; and even if he wins, he isn’t likely to recoup much money for the time and trouble of monitoring his account and changing his automatic-payment arrangements.
But his suit against CardSystems, of Tucson, Ariz., might help answer one of the biggest questions arising from the recent rash of data-security breaches: Who should pay for damages?
In an earlier era, when little was known about particular hackings, accountability was difficult and data losses were deemed an unavoidable annoyance. Now, merchants, banks, payment processors, credit-card associations and even security auditors and software makers face the prospect of liability for lax practices.
“There is going to be a flood of lawsuits by both consumers and businesses,” said Mark Rasch, a former Justice Department prosecutor and now senior vice president for Solutionary Inc., a security-audit firm in Bethesda, Md. ..."
Labels: cardsystems, information breaches, tort
After being found to have broken the province's privacy laws by an investigation by the New Brunswick Ombudsman's Office, Brenda Fowlie has resigned from her cabinet post as Minister of Environment and Local Government. The investigation stemmed from statements in and out of the legislature that an opposition MLA had violated zoning laws. See: CBC New Brunswick - Fowlie resigns from cabinet.
Labels: information breaches
Saturday, July 23, 2005
The overseer of privacy in Italy has advised municipalities in that country that requiring the use of transparent garbage bags is a violation of privacy, as it could unduly expose personal information. The municipalities had required see-through bags to make sure citizens are following sorting guidelines:
WATCHDOG FOR PRIVACY: TRANSPARENT BIN BAGS 'OUTLAWED' :"(AGI) - Rome, Italy, Jul 22 - The obligation set by some municipalities for citizens to use transparent or with labels for 'door-to-door' garbage collection bin bags involve a breach of privacy. Instead it is allowed to have bags with bar codes, microchips or 'intelligent labels' (RFID). No to indiscriminate controls, but bags can be inspected only in cases in which the citizen who did not respect the sorting of household waste is not identifiable in any other way. With a general measure, proposed by Giuseppe Fortunato, the Watchdog for Privacy replied to questions of local authorities and many complaints and citizen's warnings who lamented a possible violation of privacy, deriving especially by the method of garbage collection and administrative controls, regarding personal data observed through the bags themselves or inspecting their contents. There are, in fact, many personal belongings (mail, phone bills, bank statements) that end up in rubbish, sometimes also regarding health (medicine, prescriptions, etc.) or political, religious or union memberships. This information, if not treated fairly, or if abused, can involve serious inconveniences to people. The Watchdog observed that the sorting of household waste, expected by specific norms, is in the public interest, but did not consider the obligation placed by some local authorities to use transparent bags for the 'door-to-door' collection fair, as anyone can easily see the contents. The norm involving labels with the name and address of the owner of the garbage, especially if left on the street, also involve a violation of privacy. (AGI)"
Labels: health information, information breaches, rfid
Over at Schneier on Security, there's been a bit of a discussion in the comments about how to deal with the increasingly reported security incidents involving credit card processors. One commentator suggested a novel approach to protecting his own accounts:
Schneier on Security: Visa and Amex Drop CardSystems:"Me? I request replacement credit and debit card numbers every six months, and watch my account activity carefully."
Interestingly, Dr. Don at Bankrate.com just fielded a question on the practice:
Changing credit card numbers won't help:"Dear Kim,
Your idea about rotating credit card numbers is inventive but it could actually wind up increasing the odds that you find yourself a victim of identity theft or credit card theft. Getting a new credit card number every quarter would mean that you will have credit cards in your mailbox four times a year vs. once every three to four years, and fraud programs that recognize when your spending patterns don't jibe with past purchases aren't going to be effective, because the account won't have a transaction history for comparison.
It's also likely to hurt your credit rating because your credit history will show a series of accounts closed at your request every three months -- unless the series of account numbers is treated as a single account relationship by the credit card provider. For this to happen it would have to be a practice established by the credit card provider in reporting your history to the credit bureaus. It isn't something that you can do on your own...."
Labels: cardsystems, identity theft, information breaches, schneier
Friday, July 22, 2005
In the aftermath of the second London bombing, New York authorities have announced they will be doing random searches of passengers in that city's transit system. This has spawned a reaction, including T-shirts that read "I do not consent to being searched." (From the Village Voice: NYers to NYPD: 'I Do Not Consent to Being Searched'.) If you want a T-shirt of your own, go to No Consent : CafePress.com.
Labels: information breaches
The CEO of CardSystems testified before the US House Financial Services Subcommittee that his company is likely to shut down because Visa and Amex are ending their relationships with the company, which was faulted for allowing a breach of the personal information of 40M people.
Credit Data Firm Might Close - Yahoo! News:"As a result of coming forward, we are being driven out of business," John M. Perry, chief executive of CardSystems Solutions Inc., told a House Financial Services Committee subcommittee considering data-protection legislation. He said that if his firm is forced to shut down, other financial companies will think twice about disclosing such attacks. ...
Perry called the decisions by Visa and American Express draconian and said that unless Visa reconsiders, CardSystems would close and put 115 people out of work. CardSystems handles only a small percentage of American Express transactions, while Visa accounts for a large part of its business.
Perry said closing his company could disrupt the ability of merchants to complete transactions, since it might take time for them to arrange for alternate payment processors. For that reason, Visa said it is not cutting off the company until Oct. 31.
While Perry said his company is doing everything it can to ensure that such a breach never occurs again, Visa said it could not overlook that CardSystems knowingly violated contractual requirements for how long credit card data were supposed to be stored and how they were secured...."
Labels: cardsystems, information breaches
Yet another university incident, this time at Colorado University:
TheDenverChannel.com - Technology - Personal Info For 43,000 CU Students, Staff Breached:"...The school said Thursday that someone gained unauthorized access to a computer server in the College of Architecture, which has personal information for 900 students and faculty members, and a computer server in the health center, which holds information for 42,000 students and staff.
Both computers contain names, Social Security numbers, addresses and dates of birth. Although no credit card information was on either computer, the school is warning students, staff and faculty to be on the lookout for signs of identity theft...."
Labels: health information, identity theft, information breaches
I blogged a little while ago about privacy issues and the response of Clovis, New Mexico, to concerns about people buying over the counter cold remedies which are precursors to methamphetamines (The Canadian Privacy Law Blog: Privacy and the regulation of the sale of OTC cold remedies). In response to some privacy concerns, the proposed ordinance has been amended:
Privacy concerns prompt meth ordinance revision: "....The ordinance states that anyone wishing to purchase a pseudoephedrine product must write their name and address on a log. In response to privacy concerns, the ordinance now states that retailers must conceal the log in a folder or in some other manner to prevent observation by other customers. The purchaser still must present photo identification.
Another added provision dictates the log must be picked up from retailers by law enforcement on “about a weekly basis,” according to Van Soelen. The logs must be destroyed by law enforcement after 3 to 6 months, Van Soelen said. ..."
Labels: information breaches
Thursday, July 21, 2005
When you go to a restaurant, you probably expect that your credit card number is used to process your payment and, perhaps, so your server can buy cool stuff online. But what about your name? Well, if your server thinks you are cheap, your name may end up in the [BEEP] Tipper Database ("beep" is what my son would say, with a sly grin), along with editorial comments about how unpleasant a customer you are. Kottke.org has a bit of discussion about this site, which provides disgruntled foodservice employees an opportunity to vent about customers using the names lifted from credit cards:
The [BEEP] [BEEP] Tipper database (kottke.org): "Does the [BEEP] Tipper Database seem wrong to anyone else? I'm all for underpaid service staff venting and attempting to raise public awareness about bad tipping (which, in the absence of poor service, amounts to an unjust pay-cut determined completely by some random idiot customer). But since when is anything under 17% considered shitty? $0 on a $125 bill, that's shitty. 15% (on the pre-tax amount, I might add) is still the industry standard, no matter how much it sucks to get exactly the minimum for adequate service.
More importantly, what gives these people the right to take someone's full name off of a credit card (procured on the job, BTW) and put it up on the web because of some completely subjective gauge of service provided? If I'm eating somewhere, my expectation is that my credit card is being used only for payment and not for any personal use by the employees of the restaurant. If I don't leave someone what they think was deserved, they should catch me on the way out and ask me about it. Perhaps I forgot or miscalculated. Or maybe the service was a bit off in my mind. If I left no tip, I probably talked to the manager about why I did so and they'll be hearing about it from them. But to be all passive aggressive and get my name from my CC and post it on some internet message board...that suggests to me that maybe they didn't deserve a good tip in the first place."
So if you are going to tip less than fifteen percent and want to remain anonymous, use cash like the "bunch of soccer moms" from Halifax:
"Tipper's Name: Some Pub Crawl for Soccer Mom's
Where it happened: Halifax NS
Total bill / Tip amount / Percentage: $110.00 / $0.17 / 0%
What happened:
This bitter old hag bought many rounds of shooters for her washed up friends who were in their late forties and trying to look like britney spears. She didn't tip all night, but I was still all (fake) smiles and joy, until I brought around their last round for last call. When I gave her change, she proceeded to hold up one of the loonies (a dollar coin) and asked me to make change for it so she could finally tip me. I told her I didn't have small change, that's the smallest I have, so instead of just givin up that pathetic dollar she proceeded to open up her wallet and dropped a dime, nickel and two pennies on my serving tray. SEVENTEEN CENTS! After slaving for them all night! ..."
Labels: information breaches
On the privacy front, Alberta is apparently where it's at:
Commissioner releases report concerning disclosure and security of personal information by a collection agency (Investigation Report P2005-IR-006): "Commissioner Frank Work authorized an investigation under the Personal Information Protection Act ("PIPA" or "the Act") after receiving a complaint alleging that CBV Collection Services Ltd. ("CBV") contravened the Act.
The complainant reported that CBV faxed a form to the complainant's place of employment, and specifically to a non-confidential fax machine. In so doing, the complainant alleged CBV failed to adequately protect her personal information from possible disclosure to other colleagues and employees in her workplace.
The investigator found that although CBV did have some policies and procedures in place to address information privacy and confidentiality requirements, a CBV employee acted to the contrary. As a result:
- CBV disclosed the complainant's personal information when it faxed the form to the complainant's place of employment.
- CBV contravened section 19 of the Act as the disclosure in this case was not for a reasonable purpose.
- CBV contravened section 34 of PIPA by failing to make reasonable arrangements to mitigate the risks associated with sending personal information by fax.
In response to the incident and this Office's investigation, CBV revised its process and internal policy documents with respect to requesting verification of employment (VOE), particularly when doing so by fax, and developed a plan to communicate the new process to all offices across Canada. Among other things, the new process requires that:
- A Collection Supervisor verify that a VOE is authorized in the circumstances.
- The collector pre-arrange sending the VOE with the appropriate receiving party.
- Fax transmissions must be sent to a confidential fax machine and must include a confidential cover sheet that does not state the name of the debtor.
- The collector must confirm receipt of a fax or email within 30 minutes of sending it.
The circumstances in this case illustrate that organizations need to be diligent in reviewing information privacy and confidentiality policies and procedures with their staff on an ongoing basis, and in following-up any failure to comply.
With respect to transmitting personal information by fax, organizations must ensure their employees are aware of the potential risks involved, and implement appropriate measures to mitigate that risk."
Labels: alberta, information breaches, pipa
The legal page in the Globe and Mail Report on Business section has picked up the story about the finding of the Alberta Information and Privacy Commissioner that faulted two law firms for their handling of personal information in the course of a business acquisition (Background: The Canadian Privacy Law Blog: Alberta Privacy Commissioner faults two companies and their law firms for handling of employee information). The article is informative, but the real lesson is that it was reported nationally, it names the law firms, and this page is read by the colleagues, contemporaries and competitors of the lawyers in question. Privacy law is not just the domain of geeky privacy lawyers. Even corporate and securities lawyers need to know about it to keep their clients and their firms on the right side of the law and out of the newspapers. See The Globe and Mail: Firms get wrists slapped over privacy breach.
Labels: alberta, information breaches
The Bank Lawyer's Blog has some things to say about the latest CardSystems news, not surprisingly from the perspective of a bank's lawyer:
Bank Lawyer's Blog: The High Price of Privacy Breaches:"...A couple of obvious points: (1) make certain that the bank's contracts with payment processors contain provisions that meet not only the privacy and security requirements of the law (for example, those imposed by Gramm-Leach-Bliley and its implementing regulations), but the privacy and security requirements of other interested parties that might be imposed upon the bank and its contractors, such as VISA and Amex, and that permit the bank to terminate in a timely manner the processing agreement for a breach of those obligations; and (2) that even though a bank builds obligations into the contract, ongoing monitoring by the bank and/or a third party (such as an annual SAS 70 audit), is an essential part of a vendor management program.
This incident also demonstrates that 'reputational risk' is real. The processor retained and used 'for research purposes' personal data that it had agreed not to retain and use. Existing and future customers will have to consider carefully whether such an organization is to be trusted not to renege on its obligations in the future. That's an ugly fact of life...."
Labels: cardsystems, information breaches
The financials are in for ChoicePoint's second quarter and CNet is reporting that the data aggregator has taken a total charge of $11M related to the privacy incident that took place some months ago. That's real money and has a direct impact on shareholders' value:
Break-in costs ChoicePoint millions | CNET News.com:"Data broker ChoicePoint took a $6 million charge in its second quarter to cover costs related to the leak of information on about 145,000 Americans, it said Wednesday.
The charge is in addition to the $5.4 million in costs the company recorded in the first quarter. Of the total $11.4 million, about $2 million in charges through June 30 were for communications to individuals whose data has been exposed as well as credit reports and monitoring services for those people, the company said in a statement.
The remaining $9.4 million was for legal and other professional fees, ChoicePoint said...."
Labels: choicepoint, information breaches
The CEO of CardSystems has fired back at Visa after the credit card company announced that it was instructing its member banks not to use CardSystems to process Visa transactions. John M. Perry said that the decision effectively puts the company out of business and that the penalty has not been invoked before: Chief of Card Processor Fires Back at Visa - New York Times.
Labels: cardsystems, information breaches
Tim Oren at Due Diligence is pondering privacy and has some interesting observations, particularly his "hierarchy of unease":
Due Diligence: Pondering Privacy:"... I haven't seen a domain with more zealots since the early crypto market. There are zealous marketers sure they can make their customers more loyal and profitable if only can pool all the known data about them. There are privacy zealots, who often don't seem to believe in marketing at all - or maybe even markets. And there are zealous computer scientists and security experts, sure the whole matter can be resolved with the right algorithms. And now that the press and politicians are coming to the party, we can expect the discourse to become even more informative...."
The "hierarchy of unease", which he discusses in his blog posting, is a categorization of the sorts of privacy issues that individuals fear, in order of severity:
Labels: information breaches
Wednesday, July 20, 2005
A group of accused fraudsters have been arrested in Arizona for allegedly taking bank account information from, among other places, the court clerk's office, making fake cheques and cashing them all over town. Police found drugs and a gila monster in houses searched as part of the investigation. We've heard before about the fraud/methamphetamine connection, but this is the first fraud/large lizard link I've seen:
Officials break up ID-theft racket 6 held in scheme that took bank data from 2 agencies - Yahoo! News:"... The group stole bank-account information from the Clerk of Pima County Superior Court, the Arizona Department of Economic Security and five people, created counterfeit checks using a computer and cashed at least $20,000 at Sahuarita-area stores, said Detective Pat Willson of the Sheriff's Department fraud division.
She wouldn't say how they stole the account numbers or how they spent the money.
Willson said the investigation into 'extensive fraud activity' turned up methamphetamine and marijuana in three houses authorities searched, in the 700 block of East Linden Street north of Downtown; in the 200 block of West Duval Road in Green Valley; and in the 1300 block of West Calle Del Ensayador in Sahuarita. Officers also found a Gila monster in the house on Linden.
The investigation began with three or four suspects and a victim, but the detectives noticed similarities in other cases and broadened the scope of the case, said John Cotsonas, a special investigator with the Sahuarita Police Department...."
Though the term "ID theft" is used, this looks like basic fraud since there isn't a suggestion that the alleged fraudsters impersonated anybody or obtained credit using someone else's identity.
Labels: information breaches
Tuesday, July 19, 2005
From the CIPPIC website:
CIPPIC files complaint against info-broker:"CIPPIC has filed a complaint under the federal Personal Information Protection and Electronic Documents Act against a Canadian data-broker. In its complaint, CIPPIC alleges that InfoCanada combines publicly available data from telephone books with geographically aggregated demographic data from Statistics Canada, to compile lists of individuals by demographic feature, for sale to marketers. CIPPIC argues that this act of data-matching invokes PIPEDA, and that InfoCanada fails to obtain the consent of individuals to its use and sale of their personal information, however inaccurate, contrary to PIPEDA."
Labels: information breaches, privacy
I'm a regular reader of Engadget to satisfy my inner nerd. Today, there are two goodies to satisfy my inner privacy nerd. Well, goodie may not be the right word. In any event, check out the new surveillance technology to make sure that only the appropriate minimum number of warm bodies are in the high occupancy lane of your local highway: U.K. tests infrared HOV-compliance cam. While you're there, take a look at the new time card system that uses fingerprint recognition to make sure you aren't punching your buddies on- and off-shift: No more "buddy punching" with the Kronos 4500 Touch ID.
Labels: information breaches, surveillance
The Associated Press is reporting that VISA is ordering all of its card-issuing banks to cut all ties with CardSystems after VISA concluded that the company was not compliant with security requirements and could not get its stuff together.
This is the equivalent of the "death penalty" and I expect that it will be a loud wake-up call for all third-party processors of personal information. I am sure that other card issuers will soon follow.
Via KVOA TV in Tucson: Visa to cut ties with card processor at center of massive breach.
UPDATE: AMEX is following suit according to AP via Forbes: Update 2: Visa to Cut Ties With Card Processor - Forbes.com.
Labels: cardsystems, information breaches
In a new finding under PIPEDA, the Assistant Commissioner was satisfied that a bank had discharged its obligations under PIPEDA when it sold its credit card portfolio to another bank. The original and new cardholder agreements contained a clause that said the bank reserved the right to assign its rights under the cardholder agreement and to transfer personal information to a purchaser. See: Commissioner's Findings - PIPEDA Case Summary #307: Customer alleges that sale of his personal information by one bank to another occurred without his knowledge and consent - July 14, 2005.
Labels: information breaches, privacy
It has always been clear that using a list of customers to send marketing information is a "secondary use" of personal information for which PIPEDA demands consent. It has, however, been the opinion of many that "envelope stuffers" or "invoice stuffers" that do not differentiate among customers are not really a "use" of personal information.
The Assistant Privacy Commissioner of Canada has today weighed in on the question, in PIPEDA Case Summary #308: Opting-out of marketing inserts in account statements, and has concluded that it does amount to a use of personal information. Furthermore, banks and others are required to allow customers to opt-out of this form of marketing.
The finding includes:
- The bank in this case contended that the inserts were not addressed personally to the client but rather were placed, without distinction, in the account statement addressed to the client. The Assistant Commissioner, however, noted that the customer’s personal information was still being used, and the goal of placing such inserts was nevertheless one of marketing and was secondary to the reasons for which the complainant initially gave his personal information, namely to receive a credit card.
- The bank informed the complainant through its agreement and disclosure statements that clients might receive marketing information with their account statements. While the bank believed it reasonable for customers to opt-out of secondary telephone or direct marketing, and offers customers the option to refuse such marketing, it did not believe it reasonable for customers to opt-out of statement inserts, many of which concern products or services that have nothing to do with the service for which the customer provided his or her personal information. As the Assistant Commissioner noted, marketing is marketing, whether it arrives in a bank statement or in the form of a telephone call. The bottom line is that, under the Personal Information Protection and Electronic Documents Act, individuals have the right to opt-out of secondary marketing.
- The Assistant Commissioner therefore determined that by not providing a means of withdrawing consent to secondary marketing, the bank was requiring the complainant to consent to a use of his personal information beyond that required to fulfil the purpose of servicing his credit card account, in contravention of Principles 4.3.3 and 4.3.8 of Schedule 1.
Labels: information breaches, privacy
New rules for payment processors have recently come into effect, to prevent another CardSystems-type incident. Bank Systems & Technology is running an article on efforts that processors are making to bring themselves into line with the new rules:
Bank Systems & Technology: Crunch Time For Payment Processors:"...As of June 30, any entity that stores, processes, or transmits cardholder data had to comply with the Payment Card Industry Data Security standards, which require access-control measures, regular network monitoring and testing, and an information-security policy. Annual security audits and quarterly network scans also are required.
Just how many transaction-processing companies are compliant with the Payment Card Industry requirements isn't clear. Visa has published a list of about 150 compliant services providers, which it says represent most major payment processors. But Ordonez says there are hundreds of smaller processors for whom compliance costs could cause many to fold.
Companies that experience breaches and are found not to be in compliance face stiff penalties. Banks are responsible for ensuring compliance of the service providers they use and their merchant's service providers. Visa can fine banks up to $500,000 per incident for any merchant or service provider that's compromised and not compliant..."
Labels: cardsystems, information breaches
Monday, July 18, 2005
The Associated Press is distributing an eye-opening article on the plight of a toddler in Indiana whose identity has been stolen more than once. On one occasion, someone used her SSN to claim her unlawfully as a dependent on a tax return. On another occasion, her info was used to set up a phone number in her name. See the Indy Star: Identity thief picks on toddler.
Apparently, it is not "fraud" according to the Deputy Chief of Police, since there was no financial loss to the young girl. I guess they don't count a damaged credit history even before she can crayon a signature on a credit card slip.
Labels: information breaches
The New York Post isn't too keen on the proposed New York registry of diabetics (see The Canadian Privacy Law Blog: City Officials Aim to Track How Diabetics Manage Illness):
DR. BUSYBODY'S DATABASE - Yahoo! News:"... Name-specific registries for certain communicable diseases - such as HIV/AIDS and hepatitis - make sense.
The early-20th century Typhoid Mary demonstrated the need for public-health authorities to prevent individuals from spreading highly contagious diseases.
Diabetes doesn't fall into that category.
This would be the first time that a complete record would be assembled for a non-communicable, chronic affliction.
As far as privacy goes, Frieden notes that the confidentiality of the department's registries haven't been compromised in more than 140 years.
That anybody knows about, of course.
Indeed, the potential of large private databases being compromised by hackers and criminals is sharper than it's ever been - as demonstrated by the recent cases involving MasterCard and the ChoicePoint identification-and-verification service. And health-insurance companies and potential employers would have no interest in Frieden's database? Yeah, right.
It's time for New Yorkers to say enough is enough.
And if all this information depresses you, and drives you to drink? Well, expect a visit from Dr. Frieden presently.
He'll be there to help."
Labels: choicepoint, health information, information breaches
Sunday, July 17, 2005
The community of Clovis, New Mexico, is considering passing an ordinance to regulate the sale of over-the-counter cold and allergy remedies because they are essential ingredients for making methamphetamines. The ordinance will require that the drugs be kept behind the counter, purchasers will have to provide photo ID (the details of which will be logged) and they will be limited to three packages per purchase. Some are questioning the ordinance, from a privacy perspective and about whether it will be effective. One person is quoted saying that she and her husband live in the country and have allergies. Their weekly consumption of the drugs may give the police probable cause to search their house. Since the police usually use SWAT team tactics in executing meth-related warrants, I can just imagine how unpleasant a "false positive" could be. See the story online: Detractors question effectiveness of meth strategy.
Labels: information breaches
Saturday, July 16, 2005
Recently, the writers of the Sunday New York Times have consistently had interesting things to say about privacy-related topics. This week, Christopher Caldwell talks about the creep of tracking technologies into daily life and how their uses can be easily expanded:
A Pass on Privacy? - New York Times: "Anyone making long drives this summer will notice a new dimension to contemporary inequality: a widening gap between the users of automatic toll-paying devices and those who pay cash. The E-ZPass system, as it is called on the East Coast, seemed like idle gadgetry when it was introduced a decade ago. Drivers who acquired the passes had to nose their way across traffic to reach specially equipped tollbooths -- and slow to a crawl while the machinery worked its magic. But now the sensors are sophisticated enough for you to whiz past them. As more lanes are dedicated to E-ZPass, lines lengthen for the saps paying cash.
E-ZPass is one of many innovations that give you the option of trading a bit of privacy for a load of convenience. You can get deep discounts by ordering your books from Amazon.com or joining a supermarket ''club.'' In return, you surrender information about your purchasing habits. Some people see a bait-and-switch here. Over time, the data you are required to hand over become more and more personal, and such handovers cease to be optional. Neato data gathering is making society less free and less human. The people who issue such warnings -- whether you call them paranoids or libertarians -- are among those you see stuck in the rippling heat, 73 cars away from the ''Cash Only'' sign at the Tappan Zee Bridge.
Paying your tolls electronically raises two worries. The first is that personal information will be used illegitimately. The computer system to which you have surrendered your payment information also records data about your movements and habits. It can be hacked into. Earlier this year, as many as half a million customers had their identities ''compromised'' by cyber-break-ins at Seisint and ChoicePoint, two companies that gather consumer records.
The second worry is that personal information will be used legitimately -- that the government will expand its reach into your life without passing any law, and without even meaning you any harm. Recent debate in Britain over a proposed ''national road-charging scheme'' -- which was a national preoccupation until the London Tube bombings -- shows how this might work. Alistair Darling, the transport secretary, wants to ease traffic and substitute user fees for excise and gas taxes. Excellent goals, all. But Darling plans to achieve them by tracking, to the last meter, every journey made by every car in the country. It seems that this can readily be done by marrying global positioning systems (with which many new cars are fitted) with tollbooth scanners. The potential applications multiply: what if state policemen in the United States rigged E-ZPass machines to calculate average highway speeds between toll plazas -- something easily doable with today's machinery -- and to automatically ticket cars that exceed 65 m.p.h.?..."
Labels: choicepoint, information breaches
A writer at the New York Times had the unpleasant experience of someone going on a two day shopping spree (if $1772 is a spree) with her debit card and thought it would be of interest to let her readers know about her experience with fraud alerts, credit freezes and the like: What to Do After Your Data Is Stolen - New York Times.
Labels: information breaches
It is interesting how sensitive some are becoming to privacy issues. I don't think we would have seen a commentary like this one a year ago:
Connected: Verizon puts your privacy in precarious position: "Would you give your credit card number to a company if you knew it was to be used for anything else besides taking your payment? That is exactly what is happening for thousands of people nationwide who have signed up for Verizon's VoiceWing Voice over IP telephone service.
VoiceWing is different from Verizon's traditional telephone service in several ways, one of which is that the company only accepts credit cards as payment. It will not direct bill you. So you must provide your card to get the service. Once you have the service, Verizon debits your card monthly -- and also uses the last four digits of your card number to verify who you are when you call for support.
According to Margo Hammar, chief privacy officer at Verizon, using your credit card digits this way is just like paying for your gas at the pump, then crumbling the receipt and throwing it away.
But it's not the same. At the pump, the credit card is inserted for a one-time transaction and not saved by the gas station. It is you who makes the decision on the spot to provide the card data; and it is you who decides whether to print the receipt and crumble it (or keep it). In the VoiceWing scenario, your credit card information is placed into a database at Verizon -- and then the last four digits are shown to any customer support rep who pulls up your record -- even if no transaction is taking place.
Hammar told me that "Verizon takes the safeguarding of client information very seriously" and that the company has created a method and procedure to be used by employees with a need to know. As the key privacy person, she has pushed the company to move away from using Social Security numbers for customer authentication, but has not yet provoked the company to stop using this credit card data for the same task.
According to Dean Ocampo, product marketing manager for security software developer Check Point Software Technologies, using only the last four digits minimizes risk compared to using the entire number, "but ideally you don't want to use any of it." He says the issue goes deeper than whether the company is using the digits. It involves the processes they employ and the depth of security.
In the Verizon situation, your credit card digits are displayed to first-tier customer support reps -- people who are not in a "need to know" position regarding your credit card. In one call that I made to VoiceWing support, I refused to give the CSR my digits, which made him exclaim that the digits are right in front of him already; it's not like I'm revealing anything new to him.
That, in fact, is the problem. The digits should not be in front of him. He has no reason to see a customer's credit card data, no matter how ethical he is. Check Point's Ocampo agrees: "The more you put private data through the company, the more likely it can be hacked and stolen." He cites instances in which companies have not properly secured the data at every juncture, even though it thinks it has. Recent news items about security problems at Citibank, ChoicePoint and CVS provide examples. Ocampo's examples include points of attack within the company, including PCs living around the perimeter of the network that have not been completely secure.
Since businesses make decisions over time, other factors may later create security risks. For instance, a move to outsourcing customer support offshore would put your credit card data in a rep's hands in another country -- perhaps a country that doesn't have the same protection laws that are in force in the United States. Securing customer privacy is not a science. What's good for the business is not always good for privacy, and vice versa. Companies are always dealing with the trade-offs when making business decisions.
Verizon's published privacy policy promises that the company will use SSL (a security mechanism) whenever it transmits your credit card, but it doesn't promise to use your card number only for your transactions. As long as Verizon continues to use customer credit card numbers as authentication, in whole or in part, it is putting the customer at risk, no matter how slight."
Labels: choicepoint, information breaches
In Alleghany County, Virginia, a former county employee has been charged under various hacking provisions for gaining access to and perusing sensitive personal information of other county employees:
News from The Roanoke Times - Former Alleghany County employee indicted on 36 computer charges: "... Alleghany County grand jury that met Tuesday handed down the indictments, charging Jackson with one felony computer fraud charge and 35 misdemeanor charges that include altering computer data, computer trespassing, copying data and invasion of privacy.
Jackson is accused of examining employment, salary, credit and other personal records of county employees, including County Administrator Tammy Stephenson, Deputy County Administrator Rick Hall and Safety Coordinator Ryan Muterspaugh...."
Labels: information breaches
Friday, July 15, 2005
Michael Zimmer has posted two privacy-related conference papers on his website:
Thinking About Technology: Papers on Privacy and Vehicle Safety Communication Technologies: "I am on my way to The Netherlands to participate in two exciting conferences. I will be presenting my paper 'Surveillance, Privacy and the Ethics of Vehicle Safety Communication Technologies' [PDF] at the International Conference of Computer Ethics: Philosophical Enquiry. And I will be presenting my paper 'Privacy and the Design of Vehicle Safety Communication Technologies' [PDF] at the International Conference of the Society for Philosophy and Technology."
Go directly to his site for the links to the papers and more info on the conferences.
Labels: information breaches, surveillance
My friends and family are probably getting pretty tired of hearing that just about everything has a privacy angle. Sorry, it's everywhere.
The latest political story out of Washington, DC has a privacy angle with a national security twist, according to David Lazarus of the San Francisco Chronicle:
Privacy is easy to breach: "The fracas over whether Karl Rove, one of President Bush's most trusted advisers, publicly outed an undercover CIA operative highlights the ease with which personal information on virtually anyone can be obtained.
It also points to the need for privacy laws -- and, in this case, national-security laws -- recognizing the harm that can be done with only a few computer keystrokes.
That harm, as a slew of recent security breaches makes clear, can include identity theft, credit card fraud and other invasions of one's personal-data space.
It can also represent a graver danger if the work you do is of interest to terrorists and other enemies of this country.
I found out how significant this threat can be when I attempted to identify the CIA agent in question for myself, based solely on what Rove is known to have told a journalist.
The results were troubling, to say the least.
...
It's not my place to say whether Rove crossed that line in his discussion with Cooper. But I can say what I was able to do with the information Rove reportedly supplied.
First of all, I knew from published reports that the full name of the author of the critical op-ed piece was Joseph C. Wilson IV. A Google search quickly told me that he was born in 1949.
So I went to ZabaSearch.com, which readers of this space know is a powerful online people-search tool that rapidly combs through public records -- for free.
My first nationwide search for a Joseph C. Wilson born in 1949 turned up too many matches, so I narrowed the search by guessing that he likely lives in Washington, D.C.
Bingo. Now I had his home address. But I didn't know his wife's name.
So I went to the Web site of LexisNexis, a prominent data broker, and did a public-records search for Joseph Wilson in Washington, D.C., subsequently narrowing the search with Wilson's street address. Bingo again.
"Spouse name: Wilson, Valerie E."
For non-subscribers, LexisNexis is available online on a pay-per-search basis. It's also accessible via acquaintances at universities, law schools and a wide variety of private companies.
I did another LexisNexis search for Valerie E. Wilson in Washington, D.C. This confirmed she lives at the same address as Joseph C. Wilson. It also took me the next step.
"Former name: Plame, Valerie E."
I now had the identity of a covert CIA agent (who was using her maiden name as part of her cover as an energy-industry analyst working for a firm called Brewster Jennings & Associates, now known to be a CIA front company).
It took me less than a half-hour to identify her.
I then went back to Google and got a map of Plame's neighborhood and directions to her home. Google also allowed me to study a high-resolution satellite photo of Plame's house.
I could see that the property appears to be in a quiet residential community and looks approachable from all sides. It also offers ready access by car to major thoroughfares.
And I now possess all this information simply because I know (from Karl Rove, via Matt Cooper) that Joseph Wilson's wife "apparently works at the agency on WMD issues."
Little effort required
Rove's questionable judgment aside, this episode underlines how little effort is required in this info-rich age to identify and locate virtually anyone. You don't even need that person's name.
This should alarm anyone who relies on a measure of secrecy for his or her well being, as well as all others who value their privacy.
It also should serve as a wake-up call for legislators that existing privacy and national-security laws haven't kept pace with dazzling improvements in information technology.
The intent of current laws might be to keep certain info under wraps. The reality is that nearly all data are exposed and accessible, there for the taking by anyone with a computer and a small measure of resourcefulness.
With little effort, I pinpointed a working CIA agent. I did so only to make a point.
Can we be sure that the intentions of the next person to commence such a search will be as benign?"
Labels: google, identity theft, information breaches, privacy
Thursday, July 14, 2005
"You are what you google," is a good quote from this article from CNet News, which discusses the privacy implications of what Google knows about consumers and what the company can do with that information: Google balances privacy, reach | CNET News.com.
Labels: google, information breaches, privacy
A second finding from the Privacy Commissioner's Office was released today. This one found that a dog breeder violated PIPEDA by posting personal information about a former customer on a website as part of a dispute between the parties. Because the website was for the purpose of promoting a business, the posting was deemed to be a collection, use or disclosure of personal information in the course of commercial activities. See: Commissioner's Findings - PIPEDA Case Summary #305: Internet posting violates PIPEDA - February 4, 2005
Labels: information breaches, privacy
A new finding from the Office of the Privacy Commissioner deals with an individual's request for access to the examination notes from a physician who conducted an independent medical examination of an insured under an insurance policy. The physician refused the request, first stating that the notes were not "personal information" because they did not form a part of the individual's medical record. Not surprisingly, the Assistant Commissioner didn't buy that argument.
The physician argued that even if it was personal information, it was protected by two exceptions to the access principle: (i) that it was solicitor-client privileged, and (ii) that it was generated in the course of a formal dispute resolution process. The Assistant Commissioner did not agree with either argument, principally because the medical exam was conducted in order to determine whether benefits under the policy should be continued but before any dispute resolution process had been initiated.
See the Assistant Commissioner's findings at: Commissioner's Findings - PIPEDA Case Summary #306: Physician refuses to provide access to individual's personal information - March 17, 2005
Labels: information breaches, privacy
According to the Kansas City Star (registration required), a plastic surgeon is at the centre of a class action lawsuit because he is alleged to have taken home an office computer and to have left it at the curb with his garbage without securely removing patient information. The claim is for negligence, invasion of privacy and breach of fiduciary duty: Kansas City Star | 07/14/2005 | Patients sue doctor over old computer.
I just googled the name of the surgeon and came upon the following:
Medical Newswire - Healthcare, Biotechnology News Release Service: Erase PHI Before You Discard Old Hard Drives
"KANSAS CITY, KS (HIPAA Wire) You must strip all data from your computer's hard drive before you throw it in the scrap pile -- or risk exposing patients' PHI.
That's the lesson Daniel Bortnick, a Kansas City plastic surgeon, learned after patients' before-and-after photos and other PHI were found on a computer the surgeon had deposited in his curbside trash.
Robert Dickerson discovered the information and voluntarily gave the computer and its contents to KCTV. The news station then began contacting patients -- who turned to the surgeon's employer, Monarch Plastic Surgery Group, for answers.
Monarch requested and was granted a restraining order that forbids KCTV from "using, publishing, disseminating, broadcasting, distributing, or disclosing" the PHI found on the computer. But KCTV isn't giving up its fight to expose the surgeon's lax privacy and security policies.
"We either have to violate the order, we've got to [edit] the story in a way that doesn't violate it, or we have to say, 'We've got an important story to tell you that the courts won't let us yet. Stay tuned,'" the station's lawyer Bernard Rhodes told the Kansas City Star. Rhodes is taking the case to the Kansas Supreme Court for resolution.
Bottom Line: Protect both your organization's reputation and your patients' PHI by double checking that all data stored on your computer is destroyed -- before you send your hard drives to the trash pile."
Labels: health information, information breaches, tort
An employee of the US Social Security Administration has been indicted for using information obtained on the job to commit fraud, including taking out loans in the name of someone else: Social Security has 'no tolerance' for worker fraud.
Labels: information breaches
Wednesday, July 13, 2005
If you are a regular reader of Michael Geist's blog or any other form of media known to humanity, you have heard about the injunction obtained by Raincoast Books about the accidental sale of a few copies of the latest Harry Potter novel. Some, including Michael, have been very critical of the order obtained by the Canadian publisher. While I won't comment on that, Michael's posted a summary of what the publisher was asking for, but didn't get. The judge declined to order that anyone who got their hands on the book should hand over information about anyone who may have been privy to any discussion of the embargoed book:
Michael Geist - The Potter Injunction - It Could Have Been Worse: "...There are two things to take from this additional level of detail. First, Raincoast Books sought an order that not only would curtail basic freedoms but it also targeted individual privacy by literally seeking legal authority to compel disclosure about anyone who may have learned of the contents of the book. Second, the judge that issued this order did indeed consider the consequences of the order and amazingly felt that it was appropriate to limit the freedom to read, freedom of speech, and the freedom of personal property."
Labels: information breaches
From AZCentral.com:
Medical firm's files stolen: "The personal information of 57,000 Blue Cross Blue Shield of Arizona customers was stolen from a Phoenix-based managed care company.
Arizona Biodyne, an affiliate of Magellan Health Services that manages behavioral health for Blue Cross of Arizona, began last Friday notifying customers and providers whose information was lost in the latest theft in which financial, personal or medical records were taken.
The stolen information included policyholders' addresses, phone numbers, Social Security numbers and dates of birth. They also contained partial treatment histories for some patients and certain information about the doctors who provided that care, Biodyne spokeswoman Erin Somers said.
...
Biodyne reported to police on June 29 that a safe containing computer backup tapes was stolen from its office at 8900 N. 22nd Ave., Suite 206...."
Labels: health information, information breaches
Tuesday, July 12, 2005
Hot off the presses ...
The Information and Privacy Commissioner of Alberta has just released a decision that should make business, securities and labour lawyers look more closely at the information that is made available in the course of business acquisitions and that is filed electronically in compliance with securities regulations.
In this particular decision, the Commissioner was responding to a complaint brought by an employee of the vendor company whose personal information was provided to the purchaser and was subsequently posted on SEDAR, the online repository for information about public companies. The vendor apparently provided, as a schedule to the purchase agreement, a list of employees that included home addresses and social insurance numbers. This schedule was provided to the purchaser by the vendor's counsel. The purchaser's counsel subsequently posted the agreement, including the complete schedule, on SEDAR.
Provincially regulated organizations in Alberta are subject to the Personal Information Protection Act (PIPA), which has been deemed to be "substantially similar" to PIPEDA by the federal cabinet. PIPA covers employee information, but also contains what is often called the "business transaction exception", meaning that employee consent is not required for certain disclosures of personal information that are necessary and connected to a business transaction, such as a sale of a business. In this case, the Commissioner's investigator found that the exception did not apply because employee home addresses and social insurance numbers were not necessary for the purposes of the transaction.
While the Commissioner concluded that counsel were acting as agents for their clients, both the clients and their law firms were at fault. The decision contains two particularly strong statements with respect to the law firms:
"[47] We suggest generally that [vendor's counsel] and other law firms have shown a lack of attention to the impact of privacy laws on the myriad legal processes involving the collection, use and disclosure of personal information, including client information and third party information that are common in the type of work they perform on behalf of their clients. Privacy laws are complex, and have implications for their clients on many different types of transactions, including mergers and acquisitions such as in the present case. We believe that lawyers and law firms require heightened awareness and knowledge of privacy laws in order to properly recognize these implications."
The Commissioner also made strong recommendations to the firms. To purchasers' counsel:
- enact a privacy policy and appoint a Calgary-based Privacy Officer [though the national firm already had a Toronto-based privacy officer];
- conduct comprehensive in-house privacy training with all lawyers and staff;
- ensure that lawyers develop professional awareness and knowledge of privacy law by supporting participation in privacy law seminars and courses and encouraging ongoing education in this regard;
- communicate these findings to all lawyers and staff;
- review its processes when representing clients on business transactions where personal information may be collected, used or disclosed and address any gaps that are identified;
- review the processes and controls employed by Stikemans when material contracts or other filings are posted on SEDAR and address any gaps that are identified.
From the Commissioner's website:
Investigation Report P2005-IR-005: Commissioner releases investigation report into improper disclosure of home addresses and SINs onto the Internet by two organizations and their law firms.
Labels: alberta, information breaches, pipa, privacy
What can possibly go wrong when you get out of your car, leave the door open, leave the engine running and leave personal information about job applicants in the car while you use the bank machine? Not too hard to guess what happened next in Bellevue, Washington:
kingcountyjournal.com - Car thief drives away with personal data: "The woman was also a Bellevue Parks Department employee, and in her car were records of Washington State Patrol background check on some 20 people who had recently applied for jobs.
Those files, said Bellevue Police Officer Michael Chiu, contained ``Social Security numbers, addresses, dates of birth, names -- you name it. Definitely a lot of sensitive personal information.''..."
Labels: information breaches
Labels: cardsystems, information breaches, tort
Monday, July 11, 2005
Federal law enforcement agencies in the US are seeking to extend the current system of the Communications Assistance for Law Enforcement Act to cover broadband systems being implemented in airliners. This would require the systems to include a wiretap capability that can be activated within minutes of receiving a court order. See: Wired News: Feds Fear Air Broadband Terror.
Labels: information breaches
The watchdog of financial institutions in Japan has reported in a press conference that 184 financial institutions in that country have reported having "lost" customer data. The report doesn't define "lost", but it can't be good PR: 184 financial institutions lose customer data: FSA.
Labels: information breaches
Michael Geist is reporting that a federal/provincial/territorial consultation on identity theft has been launched, beginning with a background paper:
Michael Geist - Canadian Consultation Launched on Identity Theft: "The Consumers Measures Committee, a committee comprised of federal, provincial, and territorial consumer protection representatives, has launched a public consultation on identity theft. The background paper identifies several potential legislative solutions including a requirement for organizations to notify consumers affected by a security breach; the placement of a fraud alert on a consumer's credit file; the ability for consumers to put a freeze on the sharing of their credit reports without prior notice; and a requirement for credit bureaus to take reasonable steps to authenticate persons accessing credit reports. Comments on the paper are due by September 15, 2005."
Labels: identity theft, information breaches
Sunday, July 10, 2005
The Guardian Unlimited's Observer is carrying a story about how a UK bank has "found a way round" the UK's privacy law so that its insurance division can use customers' banking and credit information to determine insurability. The article isn't clear about the "way round", but does give an overview of how insurers use credit information to assess whether an individual is likely to present an insurance risk:
The Observer | Cash | Spy in the bank: "The general insurance division of one of Britain's biggest banks believes it has 'found a way round' the Data Protection Act enabling it to use customers' banking details to underwrite insurance policies.
Barclays Insurance intends to 'score' potential customers according to their banking records. The insurer says those with poor scores - perhaps because they have missed bill payments or are constantly in the red - are more likely to make claims than richer customers with good banking records. Clients with very poor scores may be charged more or not be offered cover at all, enabling the insurer to offer cheaper premiums to richer clients with better scores.
Adrian Grace, the managing director, told Cash he thinks the company will be able to start using the customers' banking information as soon as September or October.
'Affluence underwriting', as insurance credit scoring is often called, is common in the US. One American insurer, Progressive Direct, says it has found credit history 'to be predictive of future accidents, which is why we, and most insurers, use this information to help develop more accurate rates'...."
Labels: information breaches
The Register has a very loooooong overview of the proposal to implement biometric, mandatory ID cards in the United Kingdom: Everything you never wanted to know about the UK ID card [printer-friendly] | The Register. After the recent bombings, I understand that support for the scheme has swung past the fifty percent mark.
Labels: information breaches
The Fresno Bee of California has an article on the connection between methamphetamine addiction and identity theft. The connection is interesting: apparently, meth addicts need money for their addictions and are well suited to the intensive search for personal information:
FresnoBee.com: Metro: Drugs drive identity theft crimes: "...Itheyus Murphy, a former meth addict now serving prison time for identity theft, said he spent many sleepless nights injecting meth and using his laptop computer to assume others' identities.
"When I got under the influence of meth, it was all about money," says Murphy, 26, of Fresno. "Get more money.
"With that drug, I would become a sociopath who would sit in front of the computer."
Murphy says meth addicts gravitate to identity theft because it's profitable and nonviolent: "They are more paranoid. They're more [likely] to do things on the creep. They're nonconfrontational. They don't want to do it face-to-face.
"Identity theft is something you can do from a distance. In their mind, they're further away from getting caught."
Murphy also says that he felt like meth made him more creative: "You're just multitasking. On meth, it's easy. It makes you think more thoughts at the same time."..."
A recent ID theft bust in Appalachia also showed a similar connection:
Major bust ties identity theft to methamphetamine - forsythnews.com: "...Adams said many of the credit card numbers were traded by members of the ring in exchange for drugs, mainly methamphetamine.
Said Moss, "This is a new trend we're seeing in the methamphetamine industry now -- they're diversifying."..."
Labels: identity theft, information breaches, laptop
This is one aspect of ID theft that I haven't really seen much about. It is the taking of identities of children by relatives who have already ruined their own credit ratings. Unpleasant stuff and nothing other than identity verification will fix this: Children targeted in surging numbers - The Boston Globe - Boston.com - Your Money - Business.
Labels: information breaches
Today's Boston Globe has an article on the effect of locking down personal data on the ability of private investigators to do their jobs: Dealing with identity theft - The Boston Globe - Boston.com - Business.
Labels: identity theft, information breaches
Saturday, July 09, 2005
Yet another security incident at yet another university. This time, USC is informing everyone who used their online application system in the last ten years that their information may have been viewed by a hacker. See: USC: Hacker May Have Read Applicant Files - Yahoo! News.
Labels: information breaches
On July 1, 2005, I wrote about the recent decision of the Alberta Information and Privacy Commissioner about keystroke logging of a public library employee's PC (Alberta Commissioner finds that local library had no authority to use keystroke logging software).
Today, Michael Geist has updated his blog posting on the subject and points to the blog of the complainant in this case, who has written about the incident on his blog Terremoto's Hand Picked Headline News - Served Fresh Daily, and also links to a range of materials related to the case. Interesting stuff.
Labels: alberta, information breaches
CardSystems, the company that was caught up in the most recent and largest data incident in recent memory, has just announced that they'll be compliant with the credit card industry's security standards by August. I expect we'll hear some ask about the transactions they plan to process in the meantime. See CardSystems Sets Plan to Comply With Security Standards - New York Times.
Labels: cardsystems, information breaches
The New York Times has done a great job of providing quality coverage and commentary on the recent personal information breaches. Today's NYT has a commentary by Joseph Nocera that draws parallels between what has recently been happening and regulations that were put in place in the 1970's to deal with unsolicited cards and fraudulent transactions. When the regulations were originally introduced, the banks were furious about being prohibited from sending unsolicited cards and about the $50 liability cap for consumers. In retrospect, the author says, the banks should be thankful because it saved the credit industry by giving people much more confidence in the credit system. By not fearing fraudulent transactions, consumers embraced credit cards and this has been a huge windfall for the banking industry.
We have been reading a number of articles in recent weeks about how consumers are growing more fearful of doing business online and are concerned about who has their personal information and how it is protected (see, for example: Online trust is falling, The Canadian Privacy Law Blog: Equifax CEO: Identity Theft Is an Epidemic). If the parallels are there, increased regulation and accountability may be negative in the short term but can actually help the industry in the long term. Read the article here: Data Theft: How to Fix the Mess - New York Times.
Labels: identity theft, information breaches
Friday, July 08, 2005
The amount of press devoted to privacy issues appears to be increasing each week, and not only to report the piles of privacy breaches. Today, the Washington Post is reporting on the availability of cell phone records from online personal information brokers. The article is worth reading and highlights companies such as Best People Search.com. In a related story, the Electronic Privacy Information Center is calling on the FTC to investigate whether such companies are breaking the law.
Labels: information breaches
I wrote earlier today about a number of backup tapes from one bank that have been reported as missing. Well, it turns out that a number of other banks are affected:
Tapes containing banking details go missing - ZDNet UK News:"Offsite storage specialist Iron Mountain lost the tapes, which included names and social security numbers for customers of America's City National Bank, on 28 April, and notified the bank last month. An unknown number of other US banks were also affected...."
Labels: information breaches
Today, Michael Geist has a blog posting about workplace monitoring. He mentions the Canadian Internet Policy and Public Interest Clinic and applauds them for their involvement in the recent decision from the Alberta Information and Privacy Commissioner about keystroke logging. The posting is interesting, in and of itself, but the part that has the widest policy implications is the inconsistency of rules from coast to coast in Canada about workplace privacy. Some provinces have privacy laws that apply in the workplace, but most do not. The federal law, PIPEDA, only applies to federal works, undertakings and businesses, leaving the rules dramatically inconsistent from province to province.
Michael Geist - Unequal Privacy Protection"The Alberta Privacy Commissioner recently issued a noteworthy decision on the use of keystroke logging in the workplace that hits home for several reasons. First, the facts of the case: an employee at an Alberta library uncovered the fact that his supervisor had installed a keystroke logger program on his computer to monitor his activities. The supervisor claimed the move was made due to productivity concerns. The employee filed a complaint and last week Commissioner Frank Work ruled in favour of the employee. He found that the evidence did not support the supervisor’s claims and that there were far less intrusive methods to address any productivity concerns. Moreover, the employee had actually been given permission to engage in Internet banking during work hours, yet this too was monitored and logged.
As I mentioned, this case has particular resonance for me. On a substantive level, it points to the disturbing level of unequal privacy protection in the Canadian workplace. This specific case involved a public institution in Alberta, but provincial privacy laws there would have provided some measure of protection for all workers. The same is not true for all Canadian provinces. In Ontario, workers at federally regulated businesses benefit from PIPEDA protection and workers at public institutions from public privacy laws. Moreover, workers in unionized settings also typically enjoy some level of protection. If you fall outside of those protected workplaces, however, you may be out of luck. That is simply wrong: the privacy protections against invasive surveillance enjoyed by some Canadians in the workplace must surely be enjoyed by all.
The case also resonates on a personal level. First, I wrote about these issues several years ago in a study for the Canadian Judicial Council, which was then concerned about the legality of electronic surveillance of the judiciary. The issues raised then remain valid today.
Second, I am very proud that the Canadian Internet Policy and Public Interest Clinic (CIPPIC), the public interest technology clinic at our law school, played a role in the case by providing a legal memo to the employee to help him pursue the case.
I receive regular requests for assistance and advice. I try to provide at least a short answer when I can, though admittedly the volume of correspondence is making that increasingly difficult. In any event, last June this employee sent me an email looking for help. I'm grateful that Pippa Lawson and her CIPPIC team jumped at the chance to get involved. CIPPIC has garnered considerable attention due to its involvement in the file sharing litigation. I think it has done a remarkable job in that case, but we should not overlook the fact that the clinic is helping to fill the void on many other important issues. Congratulations all round."
Labels: alberta, information breaches, privacy, surveillance
Health Authorities in New York are proposing to require laboratories to pass along information on certain blood tests for diabetes. This is the first time that mandatory reporting has gone beyond communicable diseases and the American Diabetes Association is supporting the initiative: City Officials Aim to Track How Diabetics Manage Illness - New York Times.
Labels: health information, information breaches
In what looks like déjà vu, the Boston Globe is reporting that Iron Mountain has lost or destroyed backup tapes belonging to City National Bank of LA which contained customer information: Boston data firm loses Calif. bank tapes - The Boston Globe - Boston.com - Technology - Business
Labels: information breaches
Thursday, July 07, 2005
You see them all the time on the internet: ads telling you about a free copy of your credit report. This all sounds good, but as Dennis Bailey points out in the Open Society Paradox, individual access to credit reports may actually be harmful if the custodians of this information don't confirm the requestor really is who he says he is. What's to stop Joe Identity Thief from impersonating you and getting your report? See The Open Society Paradox: Security Breach Legislation Needed?. Dennis' solution, which he doesn't explicitly state in this posting but has in previous ones, is identity documentation that is much more robust and reliable than what we have today.
Labels: information breaches
The Michigan State University's College of Education began to notify 27,000 students that their social security numbers may have been compromised through an attack on the College's computer systems: MIDDAY UPDATE: New attack threatens College of Education server.
Labels: information breaches
Baseline Magazine, a publication of Ziff-Davis, is soliciting contributions for their new "Security Hall of Shame", which will be published in a special edition entitled "Year of Living Dangerously." In this article, they've already "inducted" a number of companies that have become notorious for incidents involving personal information:
The Baseline Security Hall of Shame
- Lowlight of the Month: CardSystems Solutions Inc.
- Other Hall of Shame Inductees
- Bank of America Corp.
- Choicepoint Inc.
- Citigroup
- DSW Shoe Warehouse (DSW Inc.)
- LexisNexis, a division of Reed Elsevier Inc.
- Polo of Ralph Lauren Media LLC
- Wachovia Corp.
Labels: cardsystems, choicepoint, information breaches
Wednesday, July 06, 2005
Mike at Techdirt has some pretty strong things to say about comments from Equifax's CEO, reported in Wired.
Techdirt:Equifax Says It's Un-American For People To Know What Equifax Knows About Them "It's tough to figure out where to start on the various comments from Equifax boss Thomas Chapman, who claims that the new law requiring the big credit companies to let people see what data has been collected on them for free at least once a year "unconstitutional and un-American." His argument is that it "cuts into the profits" of his company. First of all, cutting into someone's profits isn't unconstitutional or un-American by itself. Second, they're not asking him to "give away" some random product, but to let anyone check the info that his company has collected on that person to make sure it's accurate. ... The article also gets amusing towards the end where Chapman puts his foot in his mouth big-time by basically saying they've had a bunch of data breaches which haven't been announced, and then trying to pretend he never admitted that, first by saying: "I don't think you've seen our name in the news," then by refusing to answer more pointed questions on the issue with: "I'm not going to go there. I'm not going to answer that question. We have been notifying and engaging in communication with customers, consumers, for a long time. We're known for that. We're known for our stand on privacy." Yup. Your stand on privacy is apparently that you don't believe in anyone's ability to check on their own private data to make sure it's accurate -- unless they first pay you."
Labels: information breaches
Some cities have video surveillance of public spaces. Well, Chicago has gone one better by pairing ordinary video surveillance with new high technology that will detect gunshots, determine where it came from, take a video of the shooter and call 911. It's called SENTRI. What will they think of next? Check out the photo and more info at: Metroblogging Chicago: Smart Sensor Enabled Neural Threat Recogniton and Identification System. Because "Big Brother" was already taken.
Labels: information breaches, surveillance, video surveillance
David Canton, at eLegal Canton, blogged today about a plan by authorities in London to levy a congestion charge on commuters in the City of London by means of a tracking device. Discussion around the technology suggests that it can be extended to take control of the driver's car. Hmm.... Big Brother can drive your car
Labels: information breaches
Labels: identity theft, information breaches
The Daily Yomiuri online is reporting that a student in Japan has been arrested for breaking into corporate computer systems to steal personal information. An analysis of his computer showed that he assembled more than a half million bits of personal information, including information on 90,000 travel agency customers:
Student tied to massive data theft : National : DAILY YOMIURI ONLINE (The Daily Yomiuri):"A 27-year-old Chinese student at a private university in Tokyo was arrested Wednesday on suspicion illegally accessing a server computer of travel company Club Tourism Co. and stealing private information on about 90,000 customers, violating the Unauthorized Computer Access Law, the Metropolitan Police Department said...."
Labels: information breaches
The former Information and Privacy Commissioner of British Columbia has an essay on the "On the Identity Trail" blog in which he discusses the blurring lines between the private and public sectors, and law enforcement and national security:
blog*on*nymity - bloggin On the Identity Trail:"Because my time working in privacy oversight is up I can't resist writing a piece that looks back, although I also hope to offer a forward-looking perspective on state co-option of the private sector. This is because when thinking about privacy developments over the last six years, I can't ignore the obvious, can't overlook signs that the state's power is being applied more and more to corral or recruit the private sector into surveillance activities...."
Labels: bc, british columbia, information breaches, surveillance
The Michigan State Police have established a special investigative team to deal with identity theft, according to the Harbor Light of Harbor Springs, Michigan: Michigan State police announce identity theft team to combat fastest growing crime Special to Harbor Light Newspaper.
Labels: identity theft, information breaches
The Federal Privacy Commissioner has renewed the contributions program, which provides $200,000 for research into privacy issues: Privacy Commissioner renews funding for research into emerging privacy issues.
Labels: information breaches
ChoicePoint has been awarded a contract by the California government to help track criminals and terrorists, despite protests from Californians: RedNova News - Technology - California Selects ChoicePoint to Develop Terrorist-Tracking Computer System.
Labels: choicepoint, information breaches
Citizens of Vermont can now place a freeze on their credit files to protect against identity theft: New law gives Vermonters shield against identity theft.
Labels: identity theft, information breaches
Tuesday, July 05, 2005
The Alberta Information and Privacy Commissioner has released his report on the case of the missing backup tape (for earlier reports, see The Canadian Privacy Law Blog: Incident: Encrypted tapes containing health information on hundreds of thousands of Albertans missing or tampered with). The report is available from the Commissioner's site:
Investigation Report H2005-IR-001:"Commissioner releases report into missing computer tape containing health information. Commissioner Frank Work initiated an investigation on his own motion under the Health Information Act (HIA) into the loss of a missing data tape containing information related to the administration of the Alberta Health Care Insurance Plan (AHCIP), specifically group premium statement information.
Click to view more information Investigation Report H2005-IR-001."
Labels: alberta, health information, information breaches
Larry Ponemon, of the Ponemon Institute, writes in ComputerWorld about how to break the news of a privacy breach to your customers. All makes sense:
After a privacy breach, how should you break the news? - Computerworld:
- Timeliness is important.
- Document the issue.
- Don't sugarcoat the message.
- Provide support.
- Show me the money.
- Personalization creates trust.
- Adjust the message to fit the severity of the breach.
Labels: information breaches
A little while ago, I blogged about a news article from the Morning Call Online. The article was about an arrest that had been made by police in Northampton County in PA, allegedly for invasion of privacy after a teddy bear had been discovered harboring a covert video camera. Tonight, I got a comment on that post that suggested I remove my blog entry:
The Canadian Privacy Law Blog: Beware the bear:"FYI - never happened. he did not do it. so says pennsylvania law. and that's that. remove the article or i will contact him and have him contact his lawyer, who will then MAKE you remove it.
thanks!"
The comment didn't provide a lot of info, but I did manage to find a later article in the Morning Call saying that the charges had been dropped: mcall.com - Charges dropped in Peeping Tom case.
Labels: information breaches, voyeurism
Michael Geist has been a vocal proponent of reform to Canada's privacy laws. In the past, he has criticised the ombudsman model adopted under PIPEDA as inadequate and argued that the privacy commissioner should "name names". His latest Law Bytes column suggests that there should be an obligation to report privacy breaches, following the lead of California.
Michael Geist - Canada Needs A National Privacy Breach Reporting Law:"My latest Law Bytes column ... makes the case for a national Canadian privacy and security breach reporting law. Over the past twelve months, there has been a staggering number of reported privacy and security breaches -- with some experts estimating that more than 50 million people have been put at risk since the start of this year alone. While the number of breaches may not have changed (few doubt that privacy breaches have been occurring for years), news of yet another privacy or security breach, whether it is the 40 million credit card holders whose personal information was recently placed at risk or it is the several dozen CIBC banking customers whose data was inadvertently faxed to a West Virginia junkyard, this type of violation has become a staple of the daily news cycle.
The change in practice is due in large measure to the State of California's SB1386, a two-year old law which mandates that companies and agencies that do business in the state or possess personal information of state residents must report breaches in the security of personal information in their possession.
Unfortunately, no similar law exists in Canada at the present time. In fact, until Ontario Privacy Commissioner Ann Cavoukian publicly called for the adoption of such a law late last month, no Canadian privacy commissioner at either the federal or the provincial level had used their position to pressure for such reforms...."
Interestingly, most of the Canadian privacy lawyers with whom I have discussed the issue are advising their clients to voluntarily fess up to affected customers if personal information is compromised. We do not yet have any judicial consideration of the common law duty to warn, but it appears likely that a Canadian court will find a duty to warn a customer if the custodian's actions (or inactions) have placed that customer at risk of identity theft or other threat and the custodian did not assist the customer to mitigate the harm that the breach may have caused.
At a recent meeting of privacy lawyers, at which we were discussing reform of PIPEDA, it was interesting to see that they were virtually unanimous in supporting such a reform to PIPEDA.
Labels: identity theft, information breaches, privacy
Yahoo news is carrying a story on "VIN theft", which is essentially identity theft of your car:
Is your car a clone?:"... In recent months, the term 'auto theft' has sprouted a new variation, known as 'VIN theft,' 'VIN cloning' or 'auto identity theft.' Whichever you prefer, it's a costly and complicated problem for some car dealers and car buyers.
Of the 1.5 million vehicles stolen last year, 225,000 were used in VIN-theft activity, says Dan Kahn, road test editor for Edmunds.com and Insideline.com.
In this new genre of the crime, your automobile stays with you but the VIN is duplicated on another vehicle -- usually one that is stolen or used in a different state...."
Labels: identity theft, information breaches
The City of Fredericton is planning to install a network of video cameras in the bar district to catch hooligans who make noise and cause problems when the bars close. I haven't heard too much of a fuss about it from this end of the country. It may be that law-abiding patrons want to be surveilled:
CBC New Brunswick - Fredericton opts for downtown cameras:"... Coun. Bruce Grandy, the chair of the city's Public Safety Committee, says law-abiding bar patrons may come to appreciate the fact that they're being watched...."
Labels: information breaches
The Reporters' Committee for Freedom of the Press has produced a fact sheet on privacy for photographers. I don't know when it was first produced, but it is an interesting and handy guide to the principal privacy torts in the United States:
Photographers' Guide to Privacy:"Celebrities, politicians and other sought-after sources of news would appear, by their routine claims that members of the media have violated their privacy, to understand precisely what is private and what is public, or newsworthy, information.
Journalists, however, often possess different notions of privacy and newsworthiness, and know that the question is more complicated. Reporting news stories in a way that serves and informs the public will often entail publicizing facts or displaying images that will embarrass or anger someone...."
Labels: information breaches
Monday, July 04, 2005
I've posted about this before (see The Canadian Privacy Law Blog: Privacy watchdog warns online job seekers to beware), but it bears repeating. The San Francisco Chronicle is warning jobseekers to beware what they put online since thieves, criminals and other miscreants are out there, looking for fertile sources of personal information: Online resumes turn risky / Job seekers post data that can be used by identity thieves.
Labels: information breaches
Sunday, July 03, 2005
WomensBiz.US has asked a range of American lawyers about privacy of workplace e-mail. Thanks to Gerry Riskin for pointing me to The Common Scold's posting about this article:
The Fizz June05 - WomensBiz.US:"With the recent ruling awarding 30 million dollars to saleswoman Laura Zubulake, who won her sex discrimination case against UBS with the help of subpoenaed e-mail messages, a Pandora's box of issues is emerging regarding work-product privileges in this new age of electronic communications. Many states now have laws requiring employers to preserve all electronic documents, including those generated by their employees on personal business. So we asked you to tell us if you think it's fair to eavesdrop on employee conversations via phone or e-mail? Are our Blackberries and home computers no longer private? And how far do you think this will go? This is what you said!"
Labels: information breaches
Police in Connecticut have arrested a hotel clerk who refused to give police information about a guest of the hotel, citing respect for the guest's privacy. The police were responding to a report about a suicidal person and finally got the information when they convinced the clerk to call his manager. See NBC30.com: Hotel Clerk Arrested After Choosing Privacy Over Police.
Labels: information breaches
ChoicePoint is back in the news. This time, it is because of a multi-million dollar contract awarded to it by the IRS. The contract is now coming under review after widespread criticism: ChoicePoint's IRS contract under review.
Labels: choicepoint, information breaches
Saturday, July 02, 2005
The New York Times (yesterday's edition) has a revealing article on the payment processing industry, with a particular focus on the now-notorious CardSystems and on security (or not) in the industry: Weakness in the Data Chain - New York Times.
Labels: cardsystems, information breaches
The Indian government is trying some damage control and considering legislative changes in light of the most recent incident: Indian PM For Making Illegal Data Transfer A Punishable Offence. For background, see The Canadian Privacy Law Blog: How secure are India's call centres?.
Labels: information breaches
After ages of deliberating, I've taken the plunge and moved this blog to my own domain: The Canadian Privacy Law Blog.
The new RSS feed is at http://www.privacylawyer.ca/blog/atom.xml.
I was wary of making the move, since it'll probably throw off all my previous Google rankings and my RSS subscribers, but I did manage to leave the old blog at pipeda.blogspot.com, with a redirect on each page so that all old links will redirect to the relevant page on the new server.
What follows is more geekish than usual, but it may be helpful for anyone else figuring out how to move a blog from blog*spot to another domain.
Follow the instructions that you can find here, but also add the following to the top of your blog templates, just after the <BODY> tag:
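<SCRIPT LANGUAGE="JavaScript">
// Runs on the old Blog*Spot pages: unless the address already points at the
// new domain, send the visitor to the same page on the new server.
if (location.href.indexOf("privacylawyer.ca") == -1) {
  window.location = location.href.replace('pipeda.blogspot.com', 'www.privacylawyer.ca/blog');
}
</SCRIPT>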
I couldn't find any websites with a complete how-to, so I figured I'd post it here in case it can save anybody half a day of learning about javascript.
Before you publish to your new location, republish the blog on Blog*Spot, so that the pages left on Blog*Spot include the redirect code.
Also, as soon as you move to the new server, create a new blog with the old blogspot domain so that it will not be overwritten by anyone else.
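The same redirect decision as an added example (not the code from this post): it compares the parsed hostname instead of searching the whole address for a substring, so a query string that happens to mention either domain cannot suppress the redirect or get rewritten by mistake. The function names and sample URLs are constructed for illustration, and the http:// scheme for the new site is assumed from the feed URL given above.

```javascript
// Added example. Hostnames come from the post; function names and the
// sample URLs below are constructed for illustration.
const OLD_HOST = 'pipeda.blogspot.com';
const NEW_BASE = 'http://www.privacylawyer.ca/blog'; // scheme assumed from the feed URL

// The post's logic as a pure function: returns the address to navigate to,
// or null when the script would do nothing.
function substringTarget(href) {
  if (href.indexOf('privacylawyer.ca') !== -1) return null;
  return href.replace('pipeda.blogspot.com', 'www.privacylawyer.ca/blog');
}

// Stricter variant: parse the address and redirect only when the hostname
// is exactly the old blog's. Path, query string and fragment are carried over.
function strictTarget(href) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return null; // not an absolute URL: leave the page alone
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  if (url.hostname !== OLD_HOST) return null; // the URL parser lower-cases hostnames
  return NEW_BASE + url.pathname + url.search + url.hash;
}

// Constructed sample addresses showing where the two checks differ.
const SAMPLES = [
  // ordinary archive page: both redirect to the same place
  'http://pipeda.blogspot.com/2005/07/post.html',
  // old-blog page whose query string mentions the new domain:
  // the substring check sees "privacylawyer.ca" and never redirects
  'http://pipeda.blogspot.com/search?q=privacylawyer.ca',
  // page already on the new server that mentions the old host: no redirect
  'http://www.privacylawyer.ca/blog/?ref=pipeda.blogspot.com',
  // template copied to an unrelated host: the substring replace would
  // rewrite the query string, the strict check does nothing
  'http://example.org/?from=pipeda.blogspot.com',
];

function compare(samples) {
  return samples.map(function (href) {
    return {
      href: href,
      substring: substringTarget(href),
      strict: strictTarget(href),
    };
  });
}

// In a browser, replace() keeps the old address out of the back-button history.
if (typeof window !== 'undefined' && window.location) {
  const target = strictTarget(window.location.href);
  if (target !== null) window.location.replace(target);
} else {
  console.log(compare(SAMPLES));
}
```
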
Labels: google, information breaches, privacy
Friday, July 01, 2005
Sometime over this weekend, I'll be moving this blog from its current spot at http://pipeda.blogspot.com to http://www.privacylawyer.ca/blog.
I'm sure this will probably mess up the RSS feed, but I think the new URL for that will be http://www.privacylawyer.ca/blog/atom.xml.
I hope that you can still find the site after the move.
Labels: information breaches, privacy
The Associated Press, via CNN.com, is reporting that the head of the FTC's personal information was compromised in the DSW data incident: CNN.com - FTC chief's credit card data stolen
Labels: information breaches
This is the fourth security/privacy incident at University of California San Diego since April 2004: SignOnSanDiego.com > News > Education -- 3,300 affected as hackers hit UCSD server.
Labels: information breaches
The Alberta Information and Privacy Commissioner has concluded that a local library did not have authority to install keylogging software on an employee's computer:
Commissioner finds that Parkland Regional Library had no authority to collect personal information using keystroke logging software:"The Parkland Regional Library installed keystroke logging software on the computer of an information technology employee, unknown to the employee. The employee complained that this collection was not permitted under the Freedom of Information and Protection of Privacy Act (the 'Act'), and that the collected information had not been adequately protected by the Parkland Library.
The Parkland Library relied on section 33(c) of the Act, which permits collection of information that relates directly to and is necessary for an operating program or activity of a public body. It argued that the collected information was necessary to manage the employee, based on concerns about his productivity, and his use of his working time.
The Commissioner found that the Parkland Library did not have the authority under section 33 of the Act to collect the Applicant's personal information that it collected through keystroke logging and noted that less-intrusive means were available for collecting information needed for managing the employee. However, the Commissioner did not accept the Applicant's argument that the collected information had not been adequately protected."
Labels: alberta, information breaches, libraries
Just hours before the end of his seven year term as Information Commissioner, John Reid has been given a three-month extension while Ottawa contemplates combining the offices of the Information and Privacy Commissioners into a single person: TheStar.com - Ottawa mulls single information-privacy watchdog
Labels: information breaches
The Canadian Privacy Law Blog is licensed under a
Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.