The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Wednesday, August 31, 2005
Here's a product that should reduce some fears about shopping online: An Irish bank and VISA international have developed and tested a new personal finance product that is remarkably similar to prepaid cellular service or some long-distance cards. You set up an account, load it up with cash, and use it until it's empty. No credit check required, since it isn't credit. You can top it up or chuck it away when it's empty. The card is accepted by all Visa vendors and using it presents very little risk of fraud. All that's at risk is the balance on the card. No word on whether it will be as anonymous as long-distance cards, but it'll offer some protection for the paranoid and will enable people who don't have credit cards to book flights online and buy junk from eBay. More info: Disposable credit card? That'll do nicely | The Register.
Labels: information breaches
While watching CNN's coverage of the hurricane damage, I caught an ad for a company named e-loan. "Protecting Customer Privacy" was front a centre in the ad and I wandered over to the company's website. I can't say whether the company lives up to its commitment, but I am impressed with the stance they have taken and the things they say in the company's online privacy policy.
E-LOAN privacy policy.:"PRIVACY POLICY SUMMARY
E-LOAN is dedicated to protecting the privacy of your information. E-LOAN is a licensee of the TRUSTe Privacy Program. TRUSTe is an independent, non-profit organization whose mission is to enable individuals and organizations to establish trusting relationships based on respect for personal identity and information by promoting the use of fair information practices. This privacy statement covers the site www.eloan.com. Because this website wants to demonstrate its commitment to your privacy, it has agreed to disclose its information practices and have its privacy practices reviewed for compliance by TRUSTe.
We do not sell or share your information with third party marketers. So, there is no need for you to ask us not to. In fact, there is no need for you to opt-out of any information sharing because, unlike most financial institutions, we provide you with an opt-in. This means we won't share your information unless you explicitly tell us to, even though the law allows financial institutions to share your information unless and until you tell them not to. Additionally, although the law allows financial institutions to share your information with other financial institutions under a 'joint marketing agreement' without your consent, we don't.
Because we feel that current laws are inadequate in protecting your privacy, we've taken the liberty of providing you more privacy protections than the law requires. Now that you know some things we don't do, here's what we do: ..."
One thing to add, though: The TRUSTe program only applies to websites, so the TRUSTe seal does not extend to any licensee's offline activities.
Labels: information breaches
Today's Gainesville Sun asks the question: Is HIPAA, the patients' privacy law, getting in the way of police work. The answer is "probably". (I can hear in my head some people saying "the Constitution gets in the way of police work; that's what it's supposed to do.") One of the big problems is that hospitals interpret the law in very different ways, leaving police scratching their heads. We have the same problem with PIPEDA, particularly when the consent exceptions are oddly worded and lend themselves to broadly divergent interpretations.
While this will not give the police the carte blanche access they want, hospital associations should make an effort to come up with a consistent interpretation of HIPAA so that the ground rules are understood by all. I have seen some hospital counsel who may have a great facility with general health and employment law issues, but don't grasp the nuances of how privacy laws affect their operations. Without this, patients get different protections at different hosptials and, I expect, the police are sometimes left scratching their heads when an inquiry is accepted at one facility but not at another.
Labels: information breaches, privacy
Bank Systems & Technology is running a very good article on the role of banks in fighting identity theft. The intended audience is bank CTO/CIOs, but it should be read by a wider audience.
It wisely says that security of personal information is not just a technology issue. It is a people issue and a cultural issue. You have to get everyone involved. It also requires going back to the beginning and looking at your information holistically. Ask yourself whether you really need all that information in the first place. Tax laws may require the bank to have the customer's SSN/SIN, but there really is no reason to have it accessible by tellers or included in ordinary databases. Since most breaches involve insiders, limit access to the bare minimum that is required to support your operations. All good practices.
Read the article here: Bank Systems & Technology : Maximum Security.
Labels: identity theft, information breaches
A grand jury in Los Angeles has returned a new indictment against Olatunji Oluwatosin, charging the man with twenty-two counts of identity theft and other miscellaneous crimes in connection with the very high profile ChoicePoint breach. This indictment replaces the previous one, which included only four counts of identity theft. In February, Oluwatosin pleaded "no contest" to one charge of identity theft and is presently serving a sixteen month sentence.
More info: New charges in ChoicePoint identity theft case - Consumer Security - MSNBC.com.
Labels: choicepoint, identity theft, information breaches
Last month, I blogged about the fact that a number of companies online are selling telephone records without the consent or knowledge of the individuals concerned. The records appear to be obtained by "pretexting" or from employees of the telcos (See: The Canadian Privacy Law Blog: Online Data Gets Personal: Cell Phone Records for Sale). Now, the Electronic Privacy Information Center is petitioning the FCC to put a stop to the practice. Read about it at Red Herring: FCC's Privacy Petition.
Labels: information breaches, pretexting
Another good link from HIPAA Blog: Bankrate.com, a publication for the banking industry, ran an article yesterday on what is not covered by HIPAA in the US and the many loopholes that exist in the law. Check it out: Private medical information isn't so private.
Labels: information breaches
Tuesday, August 30, 2005
For some time, Google has had a feature that allows you to search for a term and automatically be redirected to the top scoring page. It's called "I feel lucky." I don't know how often it is used, but I'd guess often enough for Google to keep it there on the default search page.
In an effort to speed up browsing, Google is implementing "prefetching" of top search results. They'll put in a link that is, in effect, a command to your browser that it should go and retrieve the top result in the background so it'll already be loaded if you click on it. Sounds convenient. But it has more than a few SlashDotters worried. To anyone reviewing your cache or looking at your network connection (such as a sysadmin), it looks as though you manually surfed to that page which may not reflect well upon you. It will really depend upon what you search for, but there are a number of other unpleasant possibilities of this "feature". Anybody can capriciously put tags into their pages and have completely unknown pages loaded onto your computer. I could put this on my page "<link rel="prefetch" href="http://www.someplacenasty.com/">" and whoever reviews the firewall logs at your workplace will think you're up to no good. Or I could prefetch a link to an advertiser from my site so it'll look like every visitor has clicked on an ad, putting pennies in my pocket.
The "prefetch" function is enabled by default in Mozilla browsers such as FireFox. I don't think that IE has this feature, but it may in future versions. Users would be sensible to disable it.
See:Slashdot | Google Prefetching for Mozilla Browsers;See: Google Information for Webmasters; and
See: Link Prefetching FAQ.
Labels: google, information breaches, privacy
Monday, August 29, 2005
The US GAO is chastising a number of US government agencies for not following privacy laws when using citizen information for data mining. From Information week (via Privacy.org): InformationWeek > Data Mining, Privacy > Federal Data Miners Urged To Better Address Citizen Privacy > August 29, 2005.
Labels: information breaches
HIPAA Blog is pointing to a very interesting and lengthy article from the Wall Street Journal (but reprinted in the Pittsburg Post Gazette) on the legal minefield associated with the medical records of teenagers. Check it out here: Parents barred from teen health files.
Labels: health information, information breaches
I thought it has been a little while since I'd heard of a new privacy/security incident at a university. I knew it wouldn't be long: NBC11.com - Education - CSU Warns Financial Aid Recipients Of Possible Security Breach.
Labels: information breaches
The upcoming September 5, 2005 edition of Newsweek magazine is running an extensive feature on identity theft, including a number of related stories. The focus is on companies that, in its words, fail to protect the privacy of consumers:
Grand Theft Identity - Newsweek: International Editions - MSNBC.com:"Grand Theft Identity
Be careful, we've been told, or you may become a fraud victim. But now it seems that corporations are failing to protect our secrets. How bad is the problem, and how can we fix it? "
Labels: identity theft, information breaches
Rob Hyndman is pointing to an interesting story about a new use for in-car black boxes: to monitor and rehabilitate drivers who habitually run afoul of the law. See his post here: Car Black Boxes, Redux.
Labels: information breaches
Sunday, August 28, 2005
Mathew Englander, who many of the readers of this blog may know becuase of his mostly-successful fight against his phone company and the Privacy Commissioner that wound up in the Federal Court of Appeal, has recently put some of this thoughts on the proposed Canadian No Fly List on his website. Check it out at: Mathew Englander -- Does Canada Need a No-Fly List?.
Labels: information breaches, no-fly list
A few months ago, I used a loaner Blackberry for a week or so. When I was bored and fiddling around with it, I discovered the "saved messages" folder on the device had about a dozen e-mails in it from a previous user. Not good. I deleted them all and then did a bit of research to make sure that I didn't leave any data behind when I returned it.
This has just happened on a massive scale, according to Schneier on Security. He's blogging about a recent incident that has more than a few cellular customers hopping mad. When trading up, customers of a certain cellular provider were asked if they wanted to donate their older phones to charities, such as local women's shelters. The phones ended up on e-bay and the company didn't even bother purging the phones of data. Not good in more ways than one. See Schneier on Security: Privacy Risks of Used Cell Phones.
Labels: information breaches, schneier
I blogged yesterday about the shelving of SB 682 in the California legislature (See: The Canadian Privacy Law Blog: California legislature shelves RFID ban). Today, the San Francisco Chronicle has a strong editorial demanding that it be put back on the legislative agenda and urging readers to contact their legislators about it:
FOLLOW-UP / Don't hide this privacy bill:"... Should the state have the ability to track your movements with tiny radio transmitters? This is the essence of the debate behind Senate Bill 682, which reaches a critical juncture today in the Assembly Appropriations Committee. The bill, authored by Sen. Joe Simitian, D-Palo Alto, would wisely put some restrictions and safeguards on government's use of radio frequency identification (RFID) technology. Simitian's bill was inspired by the controversy that erupted when middle-school students in Sutter County were required to wear badges that allowed the school to track their movements around campus. The school board last year scrapped the experimental program in the face of parental objections, but the implications of expanded government use of this technology are truly chilling."
Labels: information breaches, rfid
Biometrics are lauded as among the most secure and accurate methods of verifying identites, but they are not foolproof. Fingerprint recognition systems have been fooled by Gummi Bears and I expect that dozens of people are toiling away in basements trying to figure out how to trick other forms of biometric identification.
Another threat to biometrics is the security of the database against which physical characteristics are compared. If you crack that database, you'll have all the datapoints you need to present to defeat the system. The Detroit News is reporting today on research being carried out by IBM to improve the security of those databases. It involves using an algorithm to distort the image collected, which is then compared to a database of similarly distorted images. This way, the database does not contain "cleartext" data that aligns with the actual data to be collected. If the system is comproised, a new distortion algorithm is introduced and the old data is supposedly useless. I'd think that coupling this with a one-way hash of the data would also be a good idea, but what do I know?
Labels: information breaches
Saturday, August 27, 2005
The title of this recent Washington Post article is another example of the overuse of the term "identity theft": A New Key to Fighting Identity Theft. The article is not about assuming someone's identity and getting credit in their name, but it is interesting nevertheless ...
Both America Online and E-Trade are offering their users an additional level of login security by using RSA's number generating tokens for a two-factor authentication.
"That number acts as an extra, one-time password by matching up with an identical number generated at the same time by a computer at AOL or E-Trade's offices. Both the token and the computer had their clocks synchronized at birth, ensuring that each would generate matching random six-digit numbers at the same intervals.The idea here is to ensure that password theft has no value. Each six-digit number's utility expires once it's used, but without it a regular user name and password alone won't log a customer in."
This is obviously a good thing, though it won't do a lot for real identity theft and we could end up with a whole mess of these things on our keychains.
Labels: aol, identity theft, information breaches
Articles on ID theft are a dime a dozen these days, but The growing problem of ID theft from BankRate.Com (via Yahoo! News) is worth a read. It considers the problem and legislative initiatives, but also delves into problems that banks are having in trying to retrofit modern security onto legacy databases and systems.
Labels: information breaches
Bruce Ramsay's column in the Seattle Times on Wednesday was devoted to discussing the US RealID scheme. He particularly focuses on the as of yet unanswered questions: He asks, if a foreign birth certificate is not acceptable documentation to get a new super-license, how will the millions of Americans and legitimate immigrants born overseas get the card? Not a whole lot of doubt about his position ... See The Seattle Times: Opinion: The known unknowns of a national ID card.
Labels: information breaches
A California senate committee has shelved SB 682, also known as the Identity Information Protection Act of 2005., until the next session. The bill would have outlawed embedding wireless identification technology (read: RFID) in state-issued documents, such as drivers' licenses. The bill had been supported by the ACLU, the EFF and the Privacy Rights Clearinghouse but had been opposed by a number of industry groups. According to ZDNet, the industry groups won out, resulting in the bill being shelved. See California shelves RFID ban | Tech News on ZDNet.
Labels: information breaches, rfid
You can find a lot of information about people just by using the internet. One of the premier "personal data search engines" is Zabasearch. Enter any name and, optionally, their state, and you'll get surprisingly accurate contact information: Name, address, phone number, birth month and year. With a few additional clicks, you can order a background check on anyone in your search results.
Making all this available online has upset privacy advocates (Wired News: Your Identity, Open to All), but they are now taking it a step further. The "public domain" information can now be supplemented by anyone with a grudge or too much time on their hands. Starting September 1, 2005, ZabaSearch will offer a "ZabaBlog" to let anyone comment about anyone. I can't see that anything good will come of this. David Lazarus, of the San Francisco Chronicle, has written a recent column on the development and solicited the views of the Privacy Rights Clearinghouse (Search site to add free blogs). The company itself doesn't see anything wrong with this. Collecting and displaying public information isn't illegal and blogs are constitutionally-protected free speech, they say.
The feature isn't live yet, but it'll be interesting to see how it is used and what sort of fuss ensues.
Labels: information breaches
Friday, August 26, 2005
Darwin Magazine has an article by Larry Ponemon of the Ponemon Institute on how a company should respond to a security/privacy incident: Darwin - Online Feature - Keeping the Trust. In fact, you should bookmark it in case you need it later.
Labels: information breaches
Thursday, August 25, 2005
Today's International Herald Tribune has an interesting look into the data centre of Visa international and highlights the many intermediaries that handle your transaction between the point of sale and the centre that is housed in an undisclosed location in the central United States. Check out: Credit card companies now turn to security - Technology - International Herald Tribune.
Labels: information breaches
CFCN of Calgary, Alberta is running a story about an individual who was called by a telemarketer on behalf of a life insurer, who got the individual's personal information from one of Canada's large retailers. The individual was upset that they had his birthdate, which was also obtained from the same source. The individual had not opted out from the information sharing.
The story is interesting also because it suggests that readers complain to the Information and Privacy Commissioner of Alberta: See the article here: CFCN.ca - Calgary news from CFCN, CTV
Labels: alberta, information breaches, telemarketing
Thanks again for Rob Hyndman pointing me to an intersting story with a privacy angle ...
A couple days ago, the Washington Times reported on the sorts of weird information that may be available in public patent files. It appears that inventors who fail to renew their patents are required to provide a reason why in order to renew without interruption. The files containing their submission are open to the public and contain an ecclectic range of very personal information to support the inventors' failure to renew:
Patent petitions reveal inventors' data:"More than 1,000 inventors petition to reclaim their patent rights each year. Inventors typically provide the information to prove that hardship prevented them from paying their maintenance fees on time. The fees range from $450 for independent inventors to up to $3,800 for large companies.
The records, which are not required but frequently are submitted as supporting documentation, include divorce decrees, tax returns, records of psychological therapy, professional license suspensions, hospital bills, credit reports, telephone numbers and home addresses.
Richard Pierce, a Brea, Calif., resident who owns a patent on a device to help emergency responders administer cardiopulmonary resuscitation with flashing light signals, has his credit report listed in patent office records...."
Labels: information breaches
From the Alberta Information and Privacy Commissioner's Office:
Commissioner releases report concerning collection and security of credit information:"Commissioner Frank Work authorized an investigation under the Personal Information Protection Act ("PIPA" or "the Act') after receiving a complaint alleging that SAS Institute Canada ("SAS") Inc. collected personal credit information in contravention of the Act.
The complainant had applied for a job with SAS as an Administrative Assistant/Receptionist. During the recruitment process, she signed a consent authorizing the organization to obtain a credit inquiry report; however, she subsequently complained that the organization's collection of her personal credit information was not reasonable. She was also concerned about the security of her personal information held by the organization contracted by SAS to conduct background checks.
SAS advanced the following purposes for collecting the complainant's personal credit information during the recruitment process:
- To assess the applicant's suitability to manage petty cash.
- To minimize the risk of employee corporate credit card fraud.
- To validate employment history by identifying past employment listed in a credit report but not described on the applicant's resume.
The investigator found that the personal credit information collected by SAS was not reasonably required to establish an employment relationship because:
- The organization had less intrusive and likely more effective means to assess the complainant's ability to manage petty cash, including contacting previous employers;
- The complainant had not yet applied for a corporate credit card, and so the information was not required at this stage to minimize the possibility of fraud; and,
- The organization had less intrusive and more effective means to validate the complainant's employment history.
The investigator found that the organization's purposes of collecting personal information to assess suitability to manage petty cash and validate employment history were reasonable; however, the extent of the collection was excessive for meeting those purposes. Further, the organization's collection of personal information to minimize the risk of corporate credit card fraud was not a reasonable purpose considering the complainant had not yet applied for a corporate credit card.
The investigator also found that SAS had implemented reasonable measures to ensure that personal information collected on its behalf is safeguarded as required under the Act.
Prior to this investigation, SAS had taken steps to bring its practices into compliance with privacy legislation; however, the organization agreed to refine its hiring practices and implement the following recommendations:
- Review the responsibilities of a position when hiring to ensure that credit information is reasonably required to determine a candidate's suitability.
- Where credit information is reasonably required, clearly state the purpose(s) for collection.
- Where credit information is reasonably required, clearly state in all job postings/advertisements that a credit check may be required of the successful candidate.
SAS was cooperative throughout this investigation and demonstrated a commitment to ensuring the protection of privacy."
Labels: alberta, information breaches, pipa
Wednesday, August 24, 2005
From the "reap what you sow" department:
Digital Media Europe: News - Dutch bad-debt name-and-shame website publisher accused of payment default:"BNR Nieuwsradio, a Dutch radio broadcaster, has reported that Hans van Heertum still owes it €6,000 for radio ads. Dutch financial daily Financieele Dagblad said he has not yet paid the paper €2,000 for a 2003 ad. And De Telegraaf, another daily, claims Mr Van Heertum has other outstanding debts.
Nothing really out of the ordinary, one might add, except that Mr Van Heertum runs a website, Incassoregister.nl, that names and shames bad debtors.
Incassoregister.nl also maintains an online database on defaulters, to which debt-collection agencies, bailiffs and other business can subscribe...."
Labels: information breaches
Thanks to Rob Hyndman for pointing out the following survey, reported on by CNET news:
Companies dinged on Web privacy | CNET News.com:"... The Customer Respect Group, the Boston research firm that conducted the study, rated the privacy practices of a whopping 72 percent of 464 North American companies it surveyed earlier this year as 'poor' with respect to reusing personal data for marketing purposes...."
Labels: information breaches
Scam Busters is reporting on a new scam being used by identity thieves to dupe people into exposing their personal information:
Brand New Jury Duty Scam::"Here's a new twist scammers are using to commit identity theft: the jury duty scam. Here's how it works:
The scammer calls claiming to work for the local court and claims you've failed to report for jury duty. He tells you that a warrant has been issued for your arrest.
The victim will often rightly claim they never received the jury duty notification. The scammer then asks the victim for confidential information for 'verification' purposes.
Specifically, the scammer asks for the victim's Social Security number, birth date, and sometimes even for credit card numbers and other private information -- exactly what the scammer needs to commit identity theft.
So far, this jury duty scam has been reported in Michigan, Ohio, Texas, Arizona, Illinois, Pennsylvania, Minnesota, Oregon and Washington state...."
Labels: breach notification, identity theft, information breaches
Tuesday, August 23, 2005
Anita Ramasastry has written more than a few interesting privacy-related columns for FindLaw. Her most recent one, Tracking Every Move You Make Can Car Rental Companies Use Technology to Monitor Our Driving? discusses the use of GPS as a monitoring technology, particularly in rental cars. There have been a few cases in the US and Ramasastry dicusses how GPS can be used, with clear notice and consent.
Thanks to beSpacific for the link: beSpacific: Rental Cars, GPS Tracking and Your Privacy.
Labels: information breaches
The Pittsburgh Channel is reporting on an incident of confusion in credit reports when consumer reporting agencies are required to truncate social security numbers. When all digits are used, the number is unique to an individual. But when only a portion of them are used, there are hundreds of others with similar numbers, some of whom you don't want added to your credit report: Social Security Number Privacy: Check Your Credit Report.
Labels: information breaches
The Washington Post, and others, are reporting that someone used a legitimate user's credentials to acquire personal information on 33,000 US Air Force officers via an online career management system. The investigation is ongoing: Hacker Steals Air Force Officers' Personal Information.
Labels: information breaches
Monday, August 22, 2005
Over at HIPAA Blog, Jeff Drummond is linking a recent US Circuit Court of Appeals decision that found a constitutional right to privacy in prescription drug records: Constitutional Right to Privacy.
Labels: information breaches
Money Magazine has a review of the range of ID theft products and services out there, and suggests more than a few free alternatives:
MONEY Magazine: ID insurance? Who needs this stuff? - Aug. 22, 2005"NEW YORK (MONEY Magazine) - Scared by all the doom-saying from security experts and the identity theft stories in the news? Well, don't lose sight of your common sense. Below are some of the services you could buy -- and the free alternatives...."
Labels: identity theft, information breaches
Today's Globe & Mail, just in time for the film festival in Toronto, is running an article on paparazzi. The writer contacted me a little while ago and paraphrases my comments about halfway down the article:
The Globe and Mail: The paparazzi snap back:"... David Fraser, a privacy lawyer with the firm McInnes Cooper, believes that's because the Canadian media are just a whole lot kinder. At the same time, federal privacy laws specifically exclude journalists and protect freedom of the press, he says. Celebrities who run into problems with paparazzi must turn to trespassing and stalking laws, which may keep the rare pushy snappers at bay...."
I would add that some provinces have a statutory tort of invasion of privacy and the non-statutory tort is evolving in Canada. Even for journalistic purposes, invasions of privacy that are "undue" and "unreasonable" can be condemned by the courts in the form of money damages or an injunction. There just hasn't been a lot of cause in Canada for celebrities to invoke these laws.
Labels: information breaches
Today's editorial in the National Post has come out against aspects of Canada's proposed lawful access rules:
National Post"...There will be a temptation for some to forgive this excess in light of enhanced concerns for security after 9/11. But this incorrectly assumes that the new laws would be reserved for extreme cases such as threats to national security. Think again: The Privacy Commissioner reveals that the initiative to reform Canada's lawful access laws predates the Sept. 11, 2001, attacks.
In any case, our judiciary is not insensible to the terrorist threat. And so in cases where tapping an e-mail account or cell phone truly is warranted, the police should have no problem convincing a judge that a warrant should be issued. Removing the robed gatekeeper does little to enhance safety, but merely increases the chance of a rogue officer invading someone's privacy for no valid reason.
We share the Privacy Commissioner's skepticism "about the need for these potentially intrusive and far-reaching measures." We agree that the government should be able to get just about any information it needs to protect national security. But that information should be protected from invasive fishing expeditions by the usual safeguard we have come to expect in a free society: a vigilant judge."
Labels: information breaches, lawful access
Sunday, August 21, 2005
Universities are constantly being hacked. On this blog alone, I have referred to dozens and dozens of privacy/security incidents involving post-secondary institutions (check this out).
Today's Boston Globe is running a story on how vulnerable universities are and what some are trying to do about it.
Colleges struggle to combat identity thieves - The Boston Globe"... ''[Universities] are certainly getting a collective black eye," said Beth Givens, director of the San Diego nonprofit group Privacy Rights Clearinghouse. ''I suspect there's a lot of hand-wringing in universities these days. Those in the IT departments are starting to tell administrators, 'See, I told you so, we have to have better control.' "
Universities provide a target-rich environment for identity thieves -- an abundance of computer equipment filled with sensitive data and a pool of financially naive students.
''A lot of times younger people think, 'I don't have a lot of money, so I don't have to worry about this.' " said Dennis Jacobe, chief economist at Gallup. A recent Experian-Gallup poll indicated that a quarter of surveyed consumers under 30 said their personal information had been stolen.
The academic culture that embraces the open exchange of information lends itself to identity theft. Add to that diffuse tech systems and independent departments and the struggle to stifle breaches becomes even more challenging.
''Because we're so big we're kind of decentralized," said Anthony Wood, director of academic computing at the University of California, San Diego, which has experienced several data breaches in the past year. ''Academic freedom [tends] to have people doing things on their own. And because we have so many [Internet] addresses, we're more visible."..."
Labels: identity theft, information breaches
In response to a high-profile privacy incident in December 2004 (see The Canadian Privacy Law Blog: Another privacy breach to round out the week), the Ontario government commissioned a study of privacy practices by Deloitte & Touche. The report is in (I haven't tracked down a copy yet) and it calls for "more robust privacy policies, procedures and other initiatives." See London Free Press: News Section - Government not doing enough to protect private data: report.
Labels: information breaches, ontario
This one is pretty amusing ...
In the PIPEDA age, store owners and others who use CCTV on their premises for security and other purposes are required to post notices that the area is under video surveillance. This is because you have to make a reasonable effort to bring this form of collection of personal information to the person's attention so they can decide whether to enter the premises. How much is "reasonable" and does anyone pay attention to the signs?
You can likely assume that a company specialising in video surveillance would have the place covered by CCTV. But just for good measure, the owner of a Manchester CCTV supplier put up signs. You would think that was enough, but some dolt actually went onto the property and stole a laptop worth £700. Reports say he was picked up by eight separate cameras and was also seen casing the place half an hour before. See the story on Sky News : CCTV Shop Raid: Britain's Thickest Thief?.
What are the lessons to be learned?
Labels: information breaches, laptop, privacy, surveillance, video surveillance
Saturday, August 20, 2005
The Reporters Committee for Freedom of the Press has produced an online guide to the laws that govern recording of phone calls in the United States. Worth bookmarking: "Can We Tape?".
Labels: information breaches
Perkins Coie, a US law firm, has produced a handy-dandy chart showing the US laws that require notification of security/privacy breaches:
Perkins Coie: Security Breach Notification Chart:"This chart provides information regarding security breach notification legislation which has been enacted in U.S. jurisdictions. The pioneering statute on this issue, California's Security Breach Notification Act (Senate Bill No. 1386), is used as the baseline for comparisons herein. "
It looks like it is a client bulletin, so I do not expect it will be updated (at least not at this link).
Labels: breach notification, information breaches
McInnes Cooper recently acted for one of Canada’s largest automobile insurers in achieving a favourable result in two related complaints to the Office of the Privacy Commissioner, both stemming from a decision by the insurer to use video surveillance to verify the claimed injuries.
Following a motor vehicle accident, the plaintiff advanced a claim against the driver of the vehicle, whose insurer responded to defend the claim. During the examinations for discovery, the insurer concluded that there were inconsistencies in the reported injuries and hired a private investigator to conduct video surveillance of the plaintiff. Surveillance captured the plaintiff, sometimes with her husband, carrying out daily activities. The tape was used at trail to impeach the witness.1
The plaintiff and her husband each brought separate complaints to the Privacy Commissioner, both alleging that the use of video surveillance was a collection of personal information without consent, contrary to the Personal Information Protection and Electronic Documents Act (PIPEDA). The Assistant Commissioner concluded that both complaints were not well-founded. For the plaintiff’s husband, the Assistant Commissioner reviewed the tapes and saw that he was not recognizable in the images. Thus, she concluded, the information was not “identifiable” and there was no collection of “personal information”, as that term is defined in PIPEDA.
With respect to the plaintiff, the Commissioner agreed with the insurer’s argument that, by initiating a lawsuit in which injuries are at issue, the plaintiff has impliedly consented to the insurer collecting personal information that is necessary to defend its insured. This implied consent only extends to information that is relevant to the merits of the case and the conduct of the defence. The Assistant Commissioner concluded that "the collection of her personal information was limited to what was necessary for [the insurer] to defend itself against … Court action."
The insurer argued, following the Ontario decision of Ferenczy v. MCI Medical Clinics, 2004 CanLII 12555 (ON S.C.) (see The Canadian Privacy Law Blog: PIPEDA and Video Surveillance: Guidance from the Ontario Courts), that PIPEDA does not apply to third-party personal injury claims as the insurer is an agent for the defendant and the relationship between the parties to litigation is not a commercial one. Unfortunately, the Assistant Commissioner did not refer to this line of argument in her finding.
As of yet, the Assistant Commissioner’s finding is not reported on the Commissioner’s website.
1 Counsel for the plaintiff argued that the video was made in violation of PIPEDA and should be inadmissible. The court decided, from the bench on voire dire, that PIPEDA did not apply and, if it did, any violation of PIPEDA would not render the evidence inadmissible.
Labels: information breaches, litigation, privacy, surveillance, video surveillance
Friday, August 19, 2005
The Australian Regulatory Review has links to and some dicussion of recent findings from the Australian Privacy Commissioner:
Australian Regulatory Review: Privacy Case Notes:"The Privacy Commissioner, Karen Curtis, has released case notes 8 to 18 regarding personal information handled by credit providers, insurance providers, employment agencies, a telecommunications service provider, an internet service provider and federal government agencies...."
Much of it sounds familiar.
Labels: information breaches
David Brannon, a personal injury lawyer at Patterson Palmer in Truro, Nova Scotia, has recently started a blog on personal injury matters. He has a background as an occupational therapist, so has an interesting perspective. Check out his blog at www.injurylawblog.com.
Labels: information breaches
There's currently a big fuss going on in Aspen over credit card fraud allegedly perpetrated by a claims clerk at the Aspen Valley Hospital. The hospital has since outsourced this function, saying this move "virutally guaranteed" it could not happen again.
Aspen Valley Hospital: All care taken to prevent identity theft"... When asked if AVH had performed a thorough background check on Lozano, Jellinek became extremely agitated with a reporter. He said the facility wouldn't spend $10,000 for a background check on a $10-per-hour clerk. He accused The Aspen Times of attempting to blow the story out of proportion and making the identity theft appear to be an extensive problem with the hospital's billing and collections procedures.
Jellinek later apologized and stressed that he and other AVH officials have worked hard to fix a financial crisis there and didn't want to see the progress harmed. One part of the solution was outsourcing billing and collections to First Consulting Group, he said...."
Methinks a background check may be in order if the clerk will have privileged access to patient information ... or you don't give privileged access to a $10-an-hour clerk.
As an aside, it looks like it was simple theft of credit card numbers, so "identity theft" may not be the appropriate term.
Labels: identity theft, information breaches
Today's Globe &apmp; Mail is reporting that "lawful access" legislation will be introduced in the fall to give law enforcement greater access to digital communications of Canadians:
The Globe and Mail: Ottawa to give police more power to snoop:"... The law would force Internet service providers to retain records on the Internet use of its clients in such a way that it can be easily retrieved by police, doing away with the need in many cases to seize an individual's computer as part of an investigation.
In her submission to the government earlier this year, Privacy Commissioner Jennifer Stoddart concluded that Ottawa and the police have not provided enough justification to warrant such a law.
'We remain skeptical about the need for these potentially intrusive and far-reaching measures,' she wrote. Ms. Stoddart noted the law could give police access to global-positioning-system data from cellphones combined with electronic banking data that could allow the government to track an individual's every move.
'The digits we punch into a modern telephone do not just connect us to another party, they can also reveal our financial transactions, PIN numbers and passwords, or even health information.' Michael Geist, a University of Ottawa law professor who took part in the consultations, said the proposed law goes 'well, well beyond' updating references to analog technology. 'For individual Canadians, this is an issue that should attract enormous interest because it fundamentally reshapes the Internet in Canada, creating significant new surveillance powers,' he said...."
Labels: health information, information breaches, lawful access, surveillance
InternetCases.com has a summary of a recent American decision in which the Court found that AOL subscribers have no reasonable expectation of privacy with respect to their identities. AOL disclosed a subscriber's identity to police without a warrant and the subscriber sued:
InternetCases.com: No reasonable expectation of privacy in Internet subscriber information:"...First, by signing up for service, a subscriber knowingly discloses information to the ISP, which is accessed and used by the ISP to provide services. Second, AOL's terms of service provided that AOL would release subscriber information 'in special cases such as a physical threat to [its customer] or others.' Such a provision was especially relevant given the underlying facts of this case. Third, the Electronic Communications Privacy Act, 18 U.S.C. ss 2510 et seq. provides that subscriber information can be divulged in situations where the risk of physical injury justifies its release..."
Labels: aol, information breaches
Thursday, August 18, 2005
The Office of the Privacy Commissioner has just released the summary of a new finding. This is the first time that I can remember where the complainants have asked to remain anonymous and the Commissioner proceeded to initiate a complaint of her own accord, as is provided for under PIPEDA. In this case, a number of residents of the United States complained that a Canadian-based internet pharmacy had unlawfully disclosed their personal information without consent to two American companies, who used the information without consent. The disclosure, which was by unauthorized employee activity, took place before 2004 and the Assistant Commissioner concluded she was without jurisdiction to issue a finding in that regard. Though the companies that acquired the lists did so without notice that it was purloined, the use was still without consent and the Assistant Commissioner concluded that portion of the complaint was well founded. Read the full finding on the Commissioner's website here: PIPEDA Case Summary #310: Commissioner initiated complaints against Internet pharmacies.
Labels: information breaches, pipeda findings, privacy
A man from Virginia has been acquitted of charges under Pennsylvania's privacy law after he used a cameraphone to take pictures up a woman's skirt. The judge lamented that the law, as it stands now, doesn't cover this kind of mischief.
Loophole lets man skirt state's privacy law:"CARLISLE - A Virginia man didn't break the state's privacy law when he used a camera phone to take a photo up a woman's skirt at a midstate shopping mall, a Cumberland County judge ruled yesterday.
It is a case where Pennsylvania law simply hasn't caught up with advances in technology, Judge Edgar B. Bayley concluded. Pennsylvania's privacy statute, last revised in 1998, didn't anticipate camera phones and has no provisions barring their use for what most people would consider the indecent act of 'upskirting' in public places, he said...."
The article does note that recent amendements to the law, which are not yet in force, have been made to address "up-skirting", "down-blousing" and other voyeuristic practices.
Labels: information breaches
Wednesday, August 17, 2005
Dennis Bailey at Open Society Paradox is putting his money where his mouth is; he has put up $1000 (US) saying that the new Real ID legislation in the US will lead to a measureable drop in identity theft. Check it out: The Open Society Paradox: The National ID Challenge.
Labels: identity theft, information breaches
A former AOL employee has been sentenced to a year and three months in jail for stealing screen names and e-mail addresses from the company and selling them to spammers. More details here: AOL Worker Who Stole E-Mail List Sentenced - Yahoo! News.
Labels: aol, information breaches
Enough is enough. Yet another university privacy breach: Stan State suffers breach of security to file servers .
Labels: information breaches
The Boston Globe is running an interesting article on the businesses that are offering services to calm consumers' fears about identity theft, including one that has been found by the Federal Trade Commission to have engaged in deceptive marketing:
Businesses see profits in fear of identity theft - The Boston Globe:"... Yesterday, ConsumerInfo.com, which is owned by the credit-reporting bureau Experian, settled with the Federal Trade Commission on charges that it had deceptively marketed ''free credit reports' and did not adequately disclose that customers who signed up for the report would also be enrolled in a credit-monitoring service and be charged $79.95 if they didn't cancel within 30 days..."
Labels: identity theft, information breaches
Tuesday, August 16, 2005
An outraged physician happened to find confidential medical files that had been dumped in the street near his house in Birmingham, UK. The records related to the conditions of two women, named in the files, who had medical issues of a particularly sensitive nature. For coverage, see RedNova News - Health - Dumped Medical Records Outrage.
Labels: information breaches
In response to the recent arguments raised by Dun and Bradstreet that privacy laws are actually feeding the increase of identity theft, the Australian Broadcasting Corporation is reporting that the government is considering providing the private sector with access to ID verification databases: Radio Australia - News - Australia seeks to combat increase in identity theft cases.
Labels: australia, identity theft, information breaches
Monday, August 15, 2005
I've been waiting for this complaint for some time. When people (usually younger and with more interesting social lives) make the mistake of asking me what I do for a living, the description is usually follwed by the question "can bars legally scan your driver's license?" According to the Globe & Mail, an Alberta law student has complained to the Alberta Information and Privacy Commissioner about the increasingly common practice of requiring bar patrons to have their ID scanned before being allowed entry.
Presumably the basis for the complaint is that the bar is requiring patrons to consent to the collection and use of personal information that is not necessary. Section 7(2) of the Personal Information Protection Act (Alberta) reads:
An organization shall not, as a condition of supplying a product or service, require an individual to consent to the collection, use or disclosure of personal information about an individual beyond what is necessary to provide the product or service.
I have heard bar owners in Halifax quoted as saying that the practice is only to verify that the ID has not been altered because the readers check that the info encoded on the magnetic strip is the same what appears on the face of the license. OK. But readers also record all the data (name, address, date of birth, license restrictions, etc.) and download them into a central system at the end of the day.
This should be an interesting case, since it will have to consider why the bars want this information and whether it is reasonable.
Read the Globe & Mail article here: Globetechnology: Calgary student challenges nightclub
Labels: alberta, id swiping, information breaches, pipa
Yawn. Yet another university privacy/security incident. This time, it's the University of North Texas:
UNT warns of potential ID theft :"DENTON - University of North Texas officials are recommending that almost 39,000 students and alumni protect themselves from identity theft after discovering that hackers accessed a UNT computer server last week...."
Labels: identity theft, information breaches
Gary Dickson, the Privacy Commissioner of Saskatchewan, has released a report that calls for some significant changes to the province's public sector privacy law. The Sask. statute is similar to Nova Scotia's in that it lacks any requirement to safeguard personal information:
The Globe and Mail: Address 'gaping hole' in privacy laws, officer says:"Saskatchewan's privacy commissioner says the province must address a 'gaping hole' in privacy laws and require public organizations to protect personal information more stringently.
In the report, Privacy Commissioner Gary Dickson said that the current Freedom of Information and Protection of Privacy Act does not require a government body to ensure personal information in its possession or under its control is protected.
'The effect is that Saskatchewan citizens continue to experience an unreasonably high level of risk that their personal information entrusted to public bodies will be used or disclosed inappropriately.'..."
Labels: information breaches, saskatchewan
Michael Geist has a few things to say about telecommunications law reform in Canada, including how privacy of internet customers fits into the mix:
Michael Geist - Canadian Telecommunications Policy Needs New Roadmap:"...It is essential that Canadian law ensure that subscriber information is only disclosed under court order with the privacy interests of the individual fully considered and protected. Moreover, strong Internet privacy protections will be needed in the face of Ottawa's lawful access plans, which will reportedly require ISPs to implement new network interception and surveillance capabilities...."
Labels: information breaches, lawful access, surveillance
I blogged earlier about a story out of Australia in which Dun and Bradstreet claims that privacy laws are feeding identity theft in that country (The Canadian Privacy Law Blog: Credit bureau in Australia blames privacy laws for rise of identity fraud). Here is a transcript of the Australian Broadcasting Corporation's report: PM - Claim privacy laws leaving identity fraud unchecked.
Labels: australia, identity theft, information breaches
If you want your eyes opened to the threat of insiders to your confidential company and customer information, look no further: So You Think Your Data Is Secure? - Computerworld.
Labels: information breaches
After British journalists reported that information on UK citizens is for sale from call centres operated in India (see The Canadian Privacy Law Blog: How secure are India's call centres?), Australian reporters have found the same with respect to Australian data:
Personal details up for grabs in India - Breaking - Technology - smh.com.au:"Frauds are offering to sell the personal details of thousands of Australians, culled from information gathered at call centres in India.
The ABC's Four Corners program has revealed it was offered information on 1000 Australians.
Four Corners says it was offered a deal on the information, through an unidentified broker, which it turned down.
The information included names, addresses, telephone numbers, birth details, Medicare numbers, driver's licence numbers, ATM card numbers and even passport information. The program verified that the information belonged to real people....
Labels: information breaches
Martin Gill, a UK criminologist, is calling for increased sharing of data among credit agencies as a way of making life more difficult for identity thieves. From the Independent:
Independent Online Edition > Business News : Sharing of data 'could block identity theft'"Thousands of cases of identity fraud could be prevented if financial services companies and credit reference agencies shared more data, according to a report from a leading criminologist. Professor Martin Gill said criminals behind ID fraud, now the fastest growing type of theft in the UK, were exploiting the fact that people's credit files contain different information, depending on which company holds them....
Labels: identity theft, information breaches
Sunday, August 14, 2005
Jennifer Stoddart was on CTV's Question Period today to discuss the proposed Canadian "no-fly list". She has been looking for particular information on the plan and hasn't gotten the answers from the federal government that she's looking for. CTV.ca | Privacy commissioner seeks info on 'no-fly' list.
Among her questions:
Labels: information breaches
Dun and Bradstreet, a consumer reporting agency serving clients in Australia, is suggesting that privacy laws are feeding the growth of identity theft. As an example, D&B is saying that more fraudsters are impersonating dead people because the credit agencies are not able to get the information necessary to determine whether a named applicant is actually alive: Privacy laws blamed for identity fraud rise.
UPDATE: I forwarded this article to Dennis Bailey at Open Society Paradox, because I was sure he would have something interesting to say. I was not disappointed: The Open Society Paradox: Privacy to Blame for Identity Theft?.
This particular article really highlights the tensions between privacy and identity. On one hand, I'm sure that most people who are concerned about privacy would not want credit agencies to be directly plugged into the massive government vital statistics databases. At the same time, reasonable people would say that there should be a way for credit grantors to check to make sure that the person asking for credit is who they say they are and that they are in fact not quite dead.
Dennis has always been a proponent of robust identity for a number of reasons, one of which is the issue at hand. If credit agencies take steps to verify the physical person applying is the same person named on the form, using reliable ID, much of the risk of fraud is eliminated. But this will slow down the "instant credit" that consumers are now used to.
In Canada, the only credit facility that really requires ID is getting a mortgage because lawyers are supposed to check ID before registering the mortgage at the registry. Every bit of credit I've ever gotten have relied upon other means of "identification". (To give my bank some credit, I've personally known my banker for years.) If you look at your average credit card application, you'll see the current system relies on the information provided by the applicant to determine identity, which is as unreliable as the data to which it is compared. If the name, address and date of birth on the application match the data at the credit bureau, we have a match! If that database doesn't say person X is dead, then someone with person X's information can pretend to be him and get credit in that name.
It's an important problem that needs to be solved by informed discussion between those in Dennis Bailey's camp and those in the pro-privacy camp. I hope it is solved, sooner rather than later.
Labels: identity theft, information breaches
Today's Arizona Republic has an article on the move towards electronic health records, which discusses the privacy implications of switching to digital records: High-tech record: Less paperwork, less privacy.
Labels: information breaches
Mary Minow at the Library Law Blog is a little purturbed that her local library has started putting customer hold books in a rack in the lobby with slightly truncated names on them "to protect patrons' privacy". Not a lot of protection, Mary thinks, and not a good idea: LibraryLaw Blog: Browsable Hold Shelves? With Names!.
Labels: information breaches
The only person criminally charged in connection with the ChoicePoint fiasco and the resultant fraud is now facing additional charges of identity theft, according to the Associated Press (via The Washington Post): Man Faces More Charges in Fraud Scheme.
Labels: choicepoint, identity theft, information breaches
Saturday, August 13, 2005
The Associated Press (via Yahoo! News) is reporting that a jury has convicted Scott Levine in connection with the Acxiom data theft. Sentencing will take place in the beginning of next year:
Man Convicted in Huge Computer-Theft Case - Yahoo! News:"...The jury convicted Scott Levine, the owner of defunct e-mail marketing contractor Snipermail.com, on 120 counts of unauthorized access to data, two counts of access device fraud and one count of obstruction of justice.
Jurors cleared Levine of 13 counts of unauthorized access of a protected computer, one conspiracy count and one count of money-laundering.
Statutory maximum sentences for his convictions total 640 years in prison and fines of $30.7 million, though his punishment likely will be much less under federal sentencing guidelines. Sentencing was set for Jan. 9.
Prosecutors said Levine and his company stole 1.6 billion customer records - the equivalent of 550 telephone books filled with names, e-mail and postal addresses. The government did not charge anyone with identity theft...."
Labels: identity theft, information breaches
Reports of identity theft are pretty common (at least here on the Canadian Privacy Law Blog), but what is the likelihood that the identity of an entire law firm would be stolen? Hang onto your hats folks, but it has happened and lawyers need to be on the lookout for similar scams.
According to Legal Mutual, scammers replicated a British Columiba law firm's website to suggest that the lawyers were "transfer agents" for an offshore investment scam. Doing this would mean that soon-to-be bilked investors would be able to confirm that the supposed transfer agents were, in fact, members of the BC bar. This is scary stuff. Check out Theft of Law Firm Website Behind Investment Scam. Thanks to The Insurance Defense Blog for the link.
From the article:
Theft of Law Firm Website Behind Investment Scam"... Victoria law firm McConnan Bion O’Connor & Peterson discovered firm photos and lawyer names had been copied from their website (www.mcbop.com) and used to create a website for a fictitious Vancouver firm called Bion McConnan & Associates.
A company called First Independent Capital Resources, Inc., purportedly from Tokyo, then began soliciting investments in Australia claiming “Bion McConnan & Associates” was its transfer agent for the investment. First Independent’s website listed a number of impressive deals the company had allegedly been involved in and provided a link to the fictitious “Bion McConnan & Associates” website. First Independent had also been circulating a fictitious letter purportedly signed by one of the Bion McConnan & Associates lawyers, confirming that certain items would be held in escrow by Bion McConnan & Associates as part of the bogus deal.
Because the fictitious website used the names of real British Columbia lawyers, anyone checking their status in telephone books, law directories or with the Law Society of British Columbia would see that they were Law Society of British Columbia members....
Labels: bc, identity theft, information breaches
Friday, August 12, 2005
As of today, New York has joined the list of states that have mandatory notification of breaches of personal information: New law requires consumers to be notified when identity 'stolen'.
Labels: breach notification, information breaches
Another reminder of why it is important that full credit card numbers not be written on receipts:
icTeesside - Credit card details found in the street:"Credit card details of 17 shoppers were discovered in an alley among rubbish dumped by a major department store on Teesside.
The till roll, containing full credit card numbers and expiry dates, was found in Middlesbrough town centre when environmental enforcement officers examined the discarded bag...."
Labels: information breaches
Thursday, August 11, 2005
The Canadian federal government is proposing to break down the barriers between government databases to provide more seamless service to citizens and residents. According to the Globe & Mail, the "Crossing Boundaries National Council", a private think-tank supported by senior bureaucrats, has polled Canadians who say that they are willing to trade privacy for better service:
The Globe and Mail: New report plays down privacy fears:"...In a series of discussion groups, the Crossing Boundaries National Council, an organization stacked with prominent bureaucrats and politicians, found that Canadians do worry about the Big Brother nightmare of governments holding extensive files on citizens but most are willing to make trade-offs for better services as long as safeguards are in place...."
Labels: information breaches
BC's legislation has a one-term limit for Information and Privacy Commissioners. The current Commissioner's term was due to run out on August 15, 2005. To work around this, current Commissioner David Loukidelis has been named as "acting Commissioner" until the BC government gets a successor or amends the legislation. In any event, David is very well regarded within the privacy community and any additional time at the helm will be welcomed. See Straight.com Vancouver | Commentary | Premier takes his chances on stock market.
Labels: british columbia, information breaches
From the overstatement department: According to the Standard-Journal Online, identity theft is "the most widespread crime being committed in the world" (!) Buyers beware Identity theft is world's most prolific crime. The article is unclear on when ID theft supplanted jaywalking and misuse of milk crates as the most commonplace crime, but it must have just happened.
Labels: identity theft, information breaches
I often see articles about purient uses of cell phone cameras, which I seldom link to because they're as mundane as university security incidents. Rob Hyndman (Celphone Camera Use Policies) is linking to a post at IP Counsel Blog about camera phones and IP protection (IP Counsel Blog: Camera Phones And Corporate Espionage). It's a good post and any company with sensitive IP should carefully consider the issue.
In my practice, I'm seeing policies that try to address this technology from the perspective of protecting the privacy of employees and customers. For example, daycares should at least turn their minds to developing rules about who can photograph kids and should the organization get consent in advance from the parents to allow photography on the site? Gyms should (and many do) think about policies for allowing the devices in locker rooms and in exercise areas. Hospitals also need to think about whether visitors should be able to take pictures that may include unrelated patients in the background. Some people are very sensitive and would get upset if a photo from the Christmas party shows up on the staff bulletin board.
Phones with cameras installed are ubiquitous. The more prevalent they are, the harder they are to regulate. Also, as they become commonplace, it is easy to lose sight of the risks that they may pose and its harder to get people to give them up at the door.
Labels: information breaches
After a judge in Montana ruled that the police don't need a warrant to rummage through a person's garbage, the fine people at Boing Boing are pointing to some interesting articles online and have a suggestion from a reader of Declan McCullag's PoliTechBot:
Boing Boing: The Man, your garbage, and the law: followups"I think someone could come up with a business plan around this: truly private garbage collection. You don't put the trash out at the corner, but contract with the garbage collector to pick up the garbage in your yard, with some sort of contract that the garbage is still yours until properly incinerated, and the collector would dispose of it in a way that guarantees privacy - incineration...."
Labels: information breaches
The US Securities and Exchange Commission is looking into stock sales made by executives at ChoicePoint which were made after they became aware of he massive security/privacy incident, but before it was made public. The SEC's probe has been escalated the "informal inquiry" to a full-blown investigation. See: HoustonChronicle.com - ChoicePoint investigation may widen.
Labels: choicepoint, information breaches
The Arkansas Times, Arkansas's Newspaper of Politics and Culture, is running an article on all the interesting personal information you (or a stalker) can find out about people without leaving the comfort of your internet connection: The latest oxymoron? ‘Internet Privacy.’
Labels: information breaches
Oh my. Yet another university security/privacy incident:
ABC 4 - University Of Utah Computer Server Hacked; Identities Compromised.(ABC 4 News/U of U) -- The University of Utah announced Tuesday its computer server has been compromised by an unknown outside source, ultimately leading to unauthorized access of the server, according to the University of Utah Office of Information Technology.
The server contained library archival databases including a file with approximately 100,000 names and social security numbers of former University employees. The database included information used as an index for archives for paper employee files from 1970 to 2003...."
Labels: information breaches
Wednesday, August 10, 2005
Techweb is carrying a report on two recent security/privacy incidents at US universities. Most interesting in the article is the following statement:
TechWeb | News | Hackers Break Into Two Universities, 100,000 Identities At Risk"...The compromised data was limited to name and Social Security numbers, so the hackers could not have obtained credit card or driver's license numbers, bank account data, or any other financial information, the school said...."
I'm not sure that this should be any reassurance in this day and age. Just the names and social security numbers are enough for an identity theft to go to town on the credit of the students.
Labels: identity theft, information breaches
The Privacy Commissioner has come out -- not surprisingly -- against the proposed Canadian no-fly list. Here's the release:
Privacy Commissioner Raises Concerns That No-fly List Will Infringe on Privacy Rights:"Ottawa, August 9, 2005 -- "The no-fly list announced last Friday represents a serious incursion into the rights of travelers in Canada, rights of privacy and rights of freedom of movement," says the Privacy Commissioner of Canada, Jennifer Stoddart, following an announcement made on August 5, 2005, by the Honourable Jean-C. Lapierre, Minister of Transport Canada. The federal government will conduct consultations with key stakeholders over the upcoming months on the creation of a "no-fly list", entitled "Passenger Protect", with a view to enhancing aviation security in the context of ongoing concerns about terrorism. In addition to the no-fly list, the Minister announced a review of how new technology can be used in assessing security risks posed by passengers in Canada.
The Privacy Commissioner called on Transport Canada, nearly a year ago, to explain what they were planning with respect to the potential development of a no-fly list. In July 2005, Ms. Stoddart wrote to Transport Canada officials reiterating her concerns about such a list, and enclosing a list of questions (see list of questions). These are the kinds of questions which would form part of a Privacy Impact Assessment that the Commissioner must receive from Transport Canada according to government policy.
"Despite assurances from Minister Lapierre that Canadians' privacy rights will be protected, I have not yet received an in-depth briefing about the initiative. However, one is scheduled for the end of August," says Commissioner Jennifer Stoddart. "We will be pressing for the strongest privacy protections for individuals. We want those protections to be in place before this program is implemented, including the rights of access and correction."
"I will reiterate, however, that the growing culture of security in this country and abroad causes me great concern as it does the majority of Canadians, according to a recent EKOS Research Associates survey commissioned by my Office, said Ms Stoddart."
Commissioner Stoddart has already spoken with many provincial/territorial privacy commissioners regarding the creation of a working group to assess the privacy risks associated with the no-fly project and other transport security measures such as video surveillance on buses and rail systems.
Several commissioners have already agreed to participate. "We will work together to tackle the privacy implications of these initiatives," said Information and Privacy Commissioner David Loukidelis of British Columbia. "We welcome this opportunity to collaborate on an issue that is troubling on many levels, to those of us who are concerned about privacy and openness in government." Information and Privacy Commissioner Ann Cavoukian of Ontario agreed, saying "as Privacy Commissioner, I have repeatedly said that we are not opposed to stronger security measures, provided that they are effective and balanced. However, expanding the net of surveillance and gathering more personal information does not necessarily result in better security." Jacques Saint-Laurent, Quebec's President of the Commission d'accès à l'information, said "given that we all face these common challenges in our respective jurisdictions, we can all learn from sharing our experiences and knowledge."
Privacy Commissioner Stoddart believes that national security and the protection of the privacy of individuals in Canada need not be seen as trade-offs: "One value does not necessarily need to be sacrificed in the interest of the other. Both can be achieved with well-designed law, prudent policy, and effective checks and balances". The questions outlined in the Commissioner's letter to Transport Canada officials will contribute to the achievement of this goal.
The Office of the Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy rights in Canada."
Labels: bc, british columbia, information breaches, surveillance, video surveillance
Jay Cline, over at Computer World, is writing about "lessons learned" from the recent string of privacy/security breaches. He concludes with a bit of a "to do" list:
Lessons learned from corporate security breaches - Computerworld"So what projects need to be at the top of your organization's agenda for the next 12 months?
- Adopt a comprehensive information security program based on the ISO 17799 and Payment Card Industry standards.
- Require any sensitive information stored on laptops to be encrypted.
- Formalize a process where employees can contact a central phone number or e-mail to report suspicious activity with company information.
- Validate the security of suppliers that handle your sensitive information, including backup tapes and documents.
- Train employees on your security policies and procedures and performing periodic spot checks to measure compliance.
Completing these types of projects is no guarantee of avoiding a publicized security breach. But they'll go a long way in properly allocating your limited budgets toward the areas of greatest risk."
All that makes sense, but I'd add a few elements to the mix:
- Review all your information holdings to make sure that you only have information that you should, that the information has been collected with the consent of the individuals and that you are not retaining any information longer than is reasonably necessary for the purposes for which it was collected. (If you don't need it, don't keep it around. What you don't have can't be stolen or misused.)
- Adopt a privacy/security policy that strictly delineates what information can be collected, how it will be used and for how long it will be retained.
- Train all your employees to be sensitive to security and privacy issues.
- Encrypt all information on any computer, not just laptops. (Servers and desktop computers are easily stolen.)
- To the extent that's possible, keep all sensitive information on a central server that is well secured.
- Collect audit trail information for all access to sensitive information, so you know who had access to it and when. Review the audit records for anything suspicious.
This isn't comprehensive, but it's a start ...
Labels: information breaches, laptop
Tuesday, August 09, 2005
Flickr, the very cool picture sharing site, is home to a user created pool of photos of surveillance cameras: Flickr: The The Panopticon: Pictures Of Surveillance Cameras Pool.
Thanks to Boing Boing for the pointer.
Labels: information breaches, surveillance
David T.S. Fraser†
The credit industry in North America has recently found itself both in the spotlight and the legal crosshairs, primarily due to two factors: privacy laws and identity theft. Both demand increased vigilance on the part of credit grantors to protect both their customers and complete strangers from identity theft.
In March of this year, the spotlight turned to the industries that rely on or traffic in personal information. A number of high profile personal information leaks wound up on the front pages of newspapers in Canada and the United States. In the US, scammers gained access to the personal information of 310,000 individuals via a Lexis-Nexis subsidiary, Seisint.[1] One of the largest American data aggregators, ChoicePoint, was similarly scammed, leading to the disclosure of personal information on 1.2 million Americans.[2] The Bank of America lost a set of backup tapes containing sensitive credit information of thousands of US government employees.[3] In Canada, we have had similar information breaches; the highest profile being the accidental faxing of information from CIBC branches to a junkyard in West Virginia. [4] In addition, police in Alberta this past winter were shocked to discover piles of credit reports on senior provincial bureaucrats at a methamphetamine lab, leading to the finding that drug addicts are being hired by identity thieves to “dumpster dive” for such information. [5] Hand in hand with these incidents, the crime of identity theft[6] continues to increase. This species of fraud is said to be the fasted growing crime on the continent.
The result of this has been significantly increased customer awareness of industries that otherwise operated in the background. Also, lawmakers have turned their legislative agendas toward increased regulation and accountability in this area. A number of remedial bills are currently pending before the U.S. Congress while commentators have suggested that Canada’s private sector privacy laws are not up to the task of dealing with incidents such as this. A private member’s bill introduced in the Ontario legislature would require companies to notify all individuals whose information is inappropriately accessed. [7] Stronger remedies will likely be on the agenda when the Personal Information Protection and Electronic Documents Act comes up for review in Parliament next year.
Class action lawyers and the courts are not waiting for the legislators to catch up to the current situation. In April, the Michigan Court of Appeals upheld a class action lawsuit that found a trade union liable for inappropriate security of personal information after the information was used for identity theft. [8] Class action lawyers have commenced litigation against CIBC as a result of the faxing incidents[9]. The Michigan case related to actual identity theft that had occurred. The CIBC case alleges that the bank should be responsible for the increased vigilance required to protect the individuals against identity theft and for the increased likelihood that they may be subject to identity theft. It will not be long before individuals whose identities are stolen will seek recourse against the credit grantors who offered facilities to the impostors, arguing that they did not do enough to verify the identity of the person seeking credit. These plaintiffs will be seeking damages related to the cost of repairing their credit, which can run pretty steep.
What does this all mean to credit grantors? Anybody in possession of information that would be useful to commit identity theft has an obligation to protect it from being inappropriately used or otherwise compromised. This obligation is already set out in PIPEDA and the common law will likely also impose a duty of care where the risk of identity theft is foreseeable. (In the current climate, it would be difficult to argue that it is not foreseeable.)
Custodians of personal information may have a legal duty to inform individuals if their information is compromised. This obligation may be statutory if the private members bill in Ontario becomes law, or may be imposed by the courts if a duty of care and a standard of care in negligence is established. Individuals whose information is compromised should be given the opportunity to keep a watch on their credit reports. If they are not informed of the situation, they will have no such warning.
Finally, credit grantors have to be even more vigilant in establishing the identities of those to whom they extend credit. This is not only to protect against credit losses, but to reduce the likelihood that your company will be the subject of privacy complaints and litigation. In this effort, privacy laws pull credit grantors in two different directions. On one hand, grantors should clearly establish the identity of any applicant. On the other hand, they can only require information that is reasonably necessary for the articulated purpose. To satisfy both, credit grantors should establish clear and reasonable policies related to how they will verify identity. Requiring two pieces of government issued identification, with at least one or both containing the applicant’s current address and photo would appear to be reasonable. The adoption of privacy best practices, including greater security and identify verification, can decrease the legal and credit risk faced by credit grantors. The courts and the legislators see that custodians of sensitive information are part of the problem. Being part of the solution makes business sense as well.
† David T.S. Fraser is the chairman of the privacy practice group at McInnes Cooper, Atlantic Canada’s largest single law partnership. He is also the principal legal advisor the National Privacy Services, a company that offers end-to-end training and compliance solutions to clients across Canada. He can be reached at david.fraser [at] mcinnescooper.com or (902) 424-1347.
[1] “LexisNexis begins notifying possible victims”, CNN International (19 April 2005). Online at http://edition.cnn.com/2005/TECH/04/19/lexisnexis.breach.ap/.
[2] “Database giant gives access to fake firms”, MSNBC.com (14 February 2005). Online at http://www.msnbc.msn.com/id/6969799/. [3] “Bank of America loses customer data”, MSNBC.com (1 March 2005). Online at http://www.msnbc.msn.com/id/7032779/.
[4] “CIBC faxes go to scrapyard”, The Globe and Mail (26 November 2004). Online at http://www.theglobeandmail.com/servlet
/story/RTGAM.20041126.wxcibc1126/BNStory/Business/.
[5] “Civil Servants See Red”, Edmonton Sun (14 November 2004).
[6] For the purpose of this article, “identity theft” means the fraudulent impersonation of an innocent third-party in order to obtain credit facilities and other benefits in the name of the victim.
[7] An Act to Amend the Consumer Reporting Act, Bill 174.
[8] Health Care Assn. Workers Comp. Fund v. Bureau of Workers Disability, (15 February 2005) Michigan Court of Appeals (Wayne Circuit), No. 246684.
[9] Statement of Claim is available online at http://www.cacounsel.com/CIBC%20Class%20Action%20Claim.pdf.
Labels: alberta, choicepoint, health information, identity theft, information breaches, privacy
The Information and Privacy Commissioner of BC, David Loukidelis, has issued his annual report in which he recommends that privacy not be swept aside on the quest for greater security:
Privacy protection should not suffer at the expense of security: B.C. report - Yahoo! News"VICTORIA (CP) - Personal privacy should not take a back seat to national security as officials try to anticipate and protect against terror attacks, B.C.'s privacy commissioner said Monday.
"The constitutional and statutory privacy protections we enjoy should not be set adrift in the name of national security to founder on the rocks of law enforcement expedience," Information and Privacy Commissioner David Loukidelis said in his annual report released on Monday.
"While extraordinary powers are often necessary to protect national security, such powers must be clearly linked to the objectives they are created to achieve, must be no more extensive than absolutely necessary."..."
The report is not yet available on the OIPC's website, but I'll link to it when it becomes available.
UPDATE: The Commissioner's press release is here and his 2004-2005 Annual Report is here.
Labels: british columbia, information breaches
Monday, August 08, 2005
Michael de Adder is the editorial cartoonist for the Halifax Daily News. Today, he's taking a cynical look at the surveillance society in England following the London bombings. Click the image (or the red X!).
Labels: humour, information breaches, surveillance
The Assistant Privacy Commissioner of Canada has recently released a finding that addresses the question of whether PIPEDA applies to "not for profit" organizations. In this case, an individual was seeking access to personal information in the custody of a daycare. The Assistant Commissioner concluded that PIPEDA does apply to this daycare as it was not municipally run:
Commissioner's Findings - PIPEDA Case Summary #309: Daycare denied parent access to his personal information - April 18, 2005:"...The first matter that needed to be determined in this case was the issue of jurisdiction. Daycare officials said that the centre was a non-profit organization subsidized by city funding. They also claimed that the centre was subject to provincial and municipal legislation. This Office confirmed that the centre is not a municipal-run day care. We also found that there was a commercial activity involved, namely, payment for child care services. As such, this Office determined that the daycare was subject to the Act...."
This finding is interesting and could be instructive but ... the dearth of details about this particular daycare leaves little assistance in trying to surmise whether a particular organization is in or out of PIPEDA. My local YMCA runs a daycare that charges for its services. Commercial activity? The university up the street has a daycare. Commercial activity? Sadly, this summary of the Assitant Commissioner's decision provides almost no help for answering those questions, which pop up with surprising regularity.
Labels: information breaches, pipeda findings, privacy
Yet another university privacy/security incident:
Sonoma State Confirms SSNs Hacked:"ROHNERT PARK (KRON) -- Officials at Sonoma State University confirm that the names and Social Security numbers of more than 60,000 people in the school's databases were hacked in a security breach.
The hacker broke into seven of the school's computers, exposing files containing the names and Social Security numbers of 61,709 people who applied to, attended or graduated from the university between 1995 and 2002. Files containing information on faculty between 1999 and 2005 were also exposed. The attack happened in July, but officials don't think anyone actually accessed the exposed data...."
Labels: information breaches
The Chartered Secretaries Australia, a corporate governance association, is calling for changes to the law that currently allows anyone to have access to companies shareholder lists. The current state of the law poses a threat to privacy, the CSA says: Call to protect shareholder information.
Labels: australia, information breaches
The Register is reporting that the US Federal Trade Commission has settled charges with Advertising.com that relate to including adware in a security download, the presence of which was only alluded to in the end user license agreement. The settelment does not include any penalties, but only a promise to make the presence of adware more prominent in the future: Security download must clearly disclose adware | The Register.
Labels: information breaches
Sunday, August 07, 2005
Once again, the Sunday New York Times is running a privacy-related story. This week, Eric Dash discusses the differences between the US and Europe, highligting the legal, business and cultural differences between the jurisdictions:
Europe Zips Lips; U.S. Sells ZIPs - New York Times"Why [are all these privacy/security incidents] happening here, and not, say, in Britain, Germany or France? One reason may be that every other Western country has a comprehensive set of national privacy laws and an office of data protection, led by a privacy commissioner.
The United States, by contrast, has a patchwork of state and federal laws and agencies responsible for data protection.
"In Europe, the question has been settled: citizens have strong legal rights," said Joel R. Reidenberg, a Fordham University law professor who is an expert on international data privacy rules. "In the United States, we basically have a mess, and we are still trying to sort it out."
More fundamentally, these two systems for dealing with data arise from a cultural divide over privacy itself. In broad terms, the United States looks at privacy largely as a consumer and an economic issue; in the rest of the developed world, it is regarded as a fundamental right...."
Labels: information breaches
Saturday, August 06, 2005
Government authorities in the UK are looking to digitise birth and death records to, among other things, produce a database to verifty passport applications. The job has been oursourced to Siemens Business Services, which will offshore a large portion of the data entry work to India. The government is anticipating privacy-related questions and says they are taking proper precautions:
ONS sends all our identities to India | The Register"...But how secure is it to send all the documents with which we can prove our identities offshore to be processed? Do we need to worry about identity theft?
Codling told us: "Simply mentioning records and personal identity in the same sentence as India has sparked a fairly predictable debate in the press. The difference is that this is a large public sector deal, rather than a large private sector company, such as a bank.
"The ONS has been at pains to point out the security precautions it is taking. The workers won't be able to take laptops or mobile phones into the rooms where they are working with the data, for instance. They'll be working at dumb terminals with no internet access," he said.
Codling argues that there is no evidence to suggest India is any less secure than any other country. "This is about perception of risk, rather than actual risk," he concluded....
Labels: identity theft, information breaches, laptop
The Associated Press is carrying an article that sheds a bit of light on organized groups of fraudsters based in Nigeria (also known as 419 scammers). I'm sure everyone is familiar with their e-mails, but the article provides some information on the people behind those solicitations: Internet Scammers Keep Working in Nigeria - Yahoo! News.
Labels: information breaches
Friday, August 05, 2005
One year after it was enacted, Newsfactor has an article discussing the (in)effectiveness of the US Identity Theft Penalty Enforcement Act. Critics say that it has not discouraged identity theft as it only ups penalties for those who commit the crime.
NewsFactor Network - - U.S. Passes the Buck on Identity Theft:"Critics of the federal legislation cite its largely unenforceable nature as the primary reason it will not work. The higher penalty is of little value, they say, if the identity thief cannot be caught. These malicious thefts often are committed by faceless criminals who are well hidden and distributed worldwide, said Varadarajan...."
Labels: identity theft, information breaches
Over at HIPAA Blog, Jeff Drummond has some interesting things to say about the tension between privacy and access to "de-identified" personal information:
HIPAA BlogQuality versus Privacy: How many times have I harped on the fact that the highest quality health care needs full and open disclosure (if everyone compared notes on every case, patterns would be much easier to discern and the best clinical pathways would quickly become evident), and that the best privacy in health care needs a total restriction on disclosure (don't even tell your doctor about your illness, and nobody will ever be able to find out about it)? Too many, I'm sure.
This report from GWU Medical Center and the Robert Wood Johnson Foundation seems to back me up (long version here, short version here). Real and perceived legal barriers prevent the best development of healthcare information systems and sharing. Well, duh. Take a look at what Judge Posner said in Northwestern Memorial Hospital v. Ashcroft, a case in which the Justice Department was trying to get de-identified information about partial birth abortion cases to defend the partial birth abortion law passed by the US Congress and signed by the President (the law was being challenged by Planned Parenthood and others, and part of the dispute involved how often the procedure was performed and whether it was ever "medically necessary"; several doctors testified that they did the procedure and that it was medically necessary, and the DOJ was seeking de-identified information from the hospitals at which the procedures were performed to determine whether the testifying doctors were really telling the truth in their expert testimony). ..."
Visit HIPAA Blog for all the links.
Labels: health information, information breaches
Yet another university security/privacy incident:
Hackers strike at Cal Poly Pomona:"Thousands notified after security breach
By Kenneth Todd Ruiz
Staff Writer
POMONA - Computer hackers added Cal Poly Pomona to a growing list of schools from which personal information has been accessed illegally.
Notification went out to 31,077 people Thursday that their records might have been stolen after Cal Poly Pomona discovered two computer servers were compromised in late June.
'We got hit by a hacker,' said Debra Brum, interim vice president for instructional and information technology. Personal data, including names and Social Security numbers of university applicants, as well as current and former faculty, staff and students were accessed in the security breach...."
Labels: breach notification, information breaches
I recently blogged about an incident that exposed sensitive personal information of San Diego county employees (The Canadian Privacy Law Blog: Incident: Computer breach leaves San Diego county personnel vulnerable).
Today, the North County Times is reporting that only one affected person showed up at a board meeting to discuss the incident, suggesting that very few of the affected employees are concerned about the leak:
County data breach yields little public outcry North County Times - North San Diego and Southwest Riverside County News:"SAN DIEGO ---- If 32,000 current and retired San Diego County employees are worried about a computer breach that exposed their Social Security numbers and may have put them in financial danger, it didn't show Thursday.
Just one county employee, Scott Gilmore, showed up to question the potential security breach when members of the San Diego County Employees Retirement Association board met for the first time since disclosing the computer break-in last Friday. Gilmore, who works in the county's Department of Planning and Land Use, said the agency downplayed the bad news, and that county employees did not appear to be taking the break-in seriously.
He said he had personally surveyed 25 to 30 of his co-workers to find out what actions they had taken in the wake of the computer breach that exposed names, Social Security numbers, home addresses, dates of birth and the departments that people worked in.
'Not one of them, zero, had requested fraud alerts,' Gilmore said. 'I realized then that people just had no clue.'"..."
Labels: information breaches
Thursday, August 04, 2005
As part of a class-action lawsuit brought against CardSystems Solutions Inc, the Superior Court of California has ordered the payment processor to preserve the data associated with the high-profile breach, according to CNet News:
Court orders data on credit card heist to be saved | CNET News.com:"A California court on Tuesday ordered CardSystems Solutions, Merrick Bank, Visa and MasterCard to preserve data related to the security breach at CardSystems, a payment processing company. Additionally, the Superior Court of the State of California in San Francisco set an Aug. 17 date for a hearing on the issue of informing individual credit card holders if their card data was exposed in the breach...."
Labels: cardsystems, information breaches
Credit reporting agency Experian has commissioned a poll of US consumers on ID theft:
Personal Credit IndexThe latest Experian-Gallup Personal Credit Index finds that roughly one-in-six American consumers (18%) report being victims of identity theft, with younger adults at greatest risk. 25% of people under age 30 report having their financial information stolen, compared with about 18% of respondents ages 31 to 64, and just 11% of people 65 and older.
The poll also finds some significant regional differences. Only 12% and 15% respectively of people in the Midwest and South report being victimized, compared with 20% and 26% of people in East and West...."
Given the uncertainty over what "ID Theft" means, I'm not sure that self-reported instances of ID theft can be considered to be consistently reliable.
Labels: identity theft, information breaches
Timothy Grayson is writing about privacy and credit reports as part of a "privacy jag":
recursiveProgress: Credit reporting invades my privacy . . . and privacy commissioners don't care"Credit reporting is an invasion of my privacy. (Apparently, I'm on a privacy jag right now -- I'm sure it will pass with the lunar phase. Until then please bear with me.) I know it's ridiculous to feel this way . . . because our society demands and accepts the credit reporting structure for good and valuable reason. I am obviously wrong. Be that as it may, my reasoning goes like this: There is information about my current and historical commercial transactions and financial situation -- salary, credit outstanding, retailers I purchase from, etc., etc. -- that is extremely private. It is the effluent of bi-lateral (commercial) relationships that I maintain with others -- independently -- to satisfy theirs and my needs, whatever those may be. What makes a third party (the credit bureau) relevant or privy (in the legal sense) to that detritus except the singular desire of the collective of the "other party?" Why should a new, separate potential relationship require and also be privy to the details of my private activities with others? To me, the (potentially extraneous and superficial) knowledge about me that others are able to realize from that information, which is vigorously aggregated and analyzed, seems invasive and violating. I'll elaborate below...."
Labels: information breaches
Wednesday, August 03, 2005
Over at Open Society Paradox, Dennis Bailey has posted six ways he believes that the proposed Real ID program will stop terrorism (for more info on Real ID, see this report from the Congressional Research Service of the Library of Congress):
The Open Society Paradox: One More Time - HOW REAL ID STOPS TERRORISM."For those who haven't gotten it yet, here is how REAL ID will stop terrorism.
1. REAL ID will be tied to immigration status. When a foreign visitor's visa expires (as was the case with some of the 9/11 hijackers) so will the driver's license. Terrorists will no longer be able to hide in this country when their legal status expires. Warning flags will go off and they will be tracked down.
2. A more secure driver's license will make it harder for Joe Terrorist to tamper with the card, effectively locking him into a single identity. Without a single identity, what good is a terrorist watch list?
3. REAL ID requires states to link databases. This ensures that when Joe Terrorist tries to get a different ID in another state, biometrics make it possible for officials to identify that he already has an official driver's license. Once again Joe Terrorist is locked into a single identity.
4. The FBI and CIA are sharing information and through intelligence leads are now looking for Joe Terrorist. As more forms of transportation and infrastructure (banks for example) require the use of an ID tied into a central terrorist watch list, Joe Terrorist won't be able to move around the country without being flagged and arrested.
5. Now desperate, Joe Terrorist tries to buy a fake ID from a DMV employee. Unfortunately for him, each ID is tracked and inventoried and the printing machines require biometrics. As soon as an improperly printed ID comes out of the printer, alarms sound and Joe is foiled.
6. Joe Terrorist now decides that he is stuck in the country and his only resort is to become a suicide bomber. Joe Terrorist builds a bomb and explodes it on a subway. Since Mr. Terrorist had to scan his ID through the new scanners at the Washington Metro, investigators have a log of passengers and quickly learn his identity. Quickly discovering his identity allows them to identify all of his associates, some of who are planning their own suicide attacks. Putting them in jail prevents future terrorist attacks.
Of course as is frequently mentioned on this site, no technology is 100% effective. However, that does argue against its use. At the same time, IDs are only part of the equation. There must be human intelligence, data sharing, watch lists and alert citizens all working together in a world with secure IDs in order to keep us safer."
Many appear to be willing to sacrifice a measure of privacy for security in this day and age, but I think that a large portion of people who are not at either extreme in this debate will need to be satisfied that the system will not be expanded beyond Joe Terrorist to tracking Joe Deadbeat Dad or Joe Overdue Library Books.
Labels: information breaches, law enforcement
Rob Hyndman is writing about car black boxes and an insurance company's pilot project using them. Check it out: robhyndman.com - Blog Archive - Update on Car Black Box Surveys.
Labels: information breaches
It has become common practice for retailers to demand personal information in order to process returns and refunds. (See The Canadian Privacy Law Blog: Retailers demanding ID, tracking returns and The Canadian Privacy Law Blog: Article: New privacy sprouts forest of complaints).
Today, the Alberta Information and Privacy Commissioner's office released a decision that faulted two large retailers for collecting drivers' license data for input into a centralized. All retailers in Canada who collect ID to deter fraud should be aware of this decision.
From the Commissioner's news release:
Commissioner releases report concerning collection and retention of personal information by two retail storesCommissioner Frank Work authorized an investigation under the Personal Information Protection Act (""PIPA"" or ""the Act"") after receiving complaints alleging that two Canadian Tire stores contravened the Act.
The complainants reported that a Canadian Tire store in Calgary and a Canadian Tire Store in Sherwood Park refused to complete a return of good transaction unless the customers provided their Drivers'' Licence (D/L) numbers or other identification.
The investigator found that the Calgary store contravened the Act by collecting and retaining D/L numbers in its merchandise return system. There was no evidence that the Sherwood Park Store retained the complainant''s D/L number.
The investigation revealed that:
- For the purposes of deterring fraud, the stores collect certain personal information of individuals returning goods. Simply asking for a name, address and telephone number was sufficient to meet their purposes.
- Viewing picture identification to confirm the name, address and telephone number in some cases was sufficient; it was not necessary to collect and retain more sensitive personal information such as a D/L number.
In response to this Office''s investigation, the Calgary Store immediately ceased collecting and retaining ID as part of its return of goods transactions. As well, Canadian Tire Corporation Limited, in consultation with the Canadian Tire Dealers'' Association (CTDA) committed to redesign the merchandise return computer system used by all Canadian Tire stores so that ID can no longer be entered into the system. They also agreed to purge the existing numbers from the system. The CTDA agreed to communicate this report to all Canadian Tire Associate Dealers, and to revise corporate merchandise return policies required as a result of this report. This will assist in harmonizing the practices across all Canadian Tire stores.
The circumstances in this case illustrate that organizations need to carefully consider and limit the amount of personal information collected for legitimate business purposes.
To obtain a copy of Investigation Report P2005-IR-007 contact:
Office of the Information and Privacy Commissioner
410, 9925 - 109th Street
Edmonton AB T5K 2J8
Phone: (780) 422-6860
E-mail: generalinfo@oipc.ab.ca
Website: www.oipc.ab.ca
Labels: alberta, information breaches, pipa, retention
A little while ago, I referred to a posting by Timothy Grayson, discussing the lack of a common vocabulary about privacy (see The Canadian Privacy Law Blog: The language of privacy). That posting on Grayson's blog has garnered a lot of attention, most recently from David Kearns of Network World:
What's the meaning of 'privacy'?"...Last week, I read a lament by Timothy Grayson (he works for the Canadian Postal Administration, but likes to talk about identity) called "I guess I just don't understand Privacy" http://timothygrayson.com/blog/archives/000737.html.
It seems that a Canadian Privacy Commissioner had ruled that those sometimes annoying inserts that come along with your bank statement amounts to a breach of the customer's privacy. Read the whole entry by Grayson (and the articles he links to) as it's much too long to re-create here. But I do like his reasoning:
"To be an invasion of one's privacy presumes that all communication and contact with a person has to be approved by the recipient. The logical extent of this is that there can be no communication because the initial mover is prevented from moving. That logical extent is, of course, ridiculous. But what it does present is bold relief of the inherently unworkable nature of a 'privacy culture' that extends the definition of privacy in this excessive, individual-centric way."
In other words, we need some generally understood definitions of terms like "privacy," "identity," "personal information," etc. How can we ever hope to move to a worldwide, federated, everybody's-included identity metasystem if we can't even agree on the meaning of "identity" and "privacy" and can't tell which information is "personal" and what isn't?"
Labels: information breaches
The struggle between privacy rules and speedy credit approvals is front and centre is this article from Market Watch. Some mortgage brokers are arguing that credit freezes and other privacy rules are hindering their ability to provide quick access to credit to their clients, in some cases causing people to lose opportunities to buy houses. The author of the article really doesn't buy that and quotes consumers who are able to obtain mortgages while their credit files are frozen. See: Consumer Watch: Some say privacy rules hindering mortgage speed - Banks - Financial - Real Estate - Specialty Finance - Financial Services - Personal Finance
Labels: information breaches
Tuesday, August 02, 2005
The Associated Press is reporting on a report from Gartner Inc., which suggests that most banks are not doing enough to protect customers from ATM fraud. The reason is that most bank and debit cards do not take advantage of the full potential of two-track magnetic strips. Most bank cards only encode the card number on the magnetic strip, so anybody with a card writer and your card number (available from discarded receipts) is able to make a duplicate. Combine that with your PIN and that's the key to emptying your account. The solution posited by the Gartner analysts is to use the second track in the magnetic strip to encode an additional token that is verified by the ATM but is not otherwise available to the users. Some banks already use this technique. See: Analysts Say ATM Systems Highly Vulnerable - Yahoo! News.
Labels: cardsystems, information breaches
On Friday, a US District Court Judge dismissed a class-action lawsuit brought against JetBlue, Acxiom and two defence department subcontractors. The airline, JetBlue, had provided detailed passenger information which was matched with data from Acxiom to the subcontractors, contrary to the arline's privacy policy. According to the Associated Press, the case was thrown out because the plaintiffs could not show any actual harm or any actual benefit to JetBlue. See the AP report on FindLaw: Judge Dismisses Lawsuit Against JetBlue.
Labels: information breaches
Monday, August 01, 2005
First, blame the auditors ...
Mark Rasch, in his Security Focus column this week, has some interesting things to say about security auditors and consultants in the wake of the cardsystems breach. The focus of his column is on what audits are and are not, but also contains some interesting insights about the Cardsystems debacle.
The CardSystems blame game"...None of this is surprising. One of the first things you do when confronted with a public relations problem is to minimize the extent of the problem. Lawyers do this all the time, exclaiming things like "My dog didn't bite you, my dog doesn't bite, I don't own a dog." The next thing to do, of course, is to find someone else to blame.
In the case of CardSystems, they reportedly found someone who wasn't at the table to blame -- not VISA, not MasterCard, not their sponsoring bank, and not their customers. They blamed their auditors and consultants. In his testimony, Perry noted that CardSystems had undergone a CISP audit by consultants from Cable and Wireless in December of 2003 (17 months before the incident), and that there were "do deficiencies" that did not have adequate compensating controls. Thus, according to Perry's live testimony, it was Cable and Wireless' fault. Oh, and while he was at it, he also reportedly blamed the California mandatory disclosure law, SB 1386, claiming that without the law, the company would have suffered no losses. Well, still the data would have been lost, just nobody would have known about it.
Cable and Wireless claimed that there was nothing wrong with their audit, and that they were simply retained to audit the systems that were used to process the payment information. If there was a separate system used to store transactional data not connected to the processing system, or a system not within the scope of the audit, it was not examined.
Meeting of the minds
The relationship between consultant and consultee is almost always one based on a consulting agreement. The case points out a serious problem with understanding the nature of auditors, security consultants, and the relationship between these consultants and the underlying client. The consulting contract is supposed to reflect a meeting of the minds between the parties. Invariably however, the parties come to the table with differing expectations about what they are buying and selling. In the case of CardSystems and Cable and Wireless, CardSystems thought they were auditing discrete parts of the payment processing network for compliance with VISA's standards. CardSystems, on the other hand, apparently thought they were purchasing "hacker insurance" and a guarantee that they would never be subject to attack. At a minimum, CardSystems was seeking a "Certificate of Assurance" that they were compliant with all the relevant standards. As we will see, even this latter assumption may be unrealistic...."
Labels: cardsystems, information breaches
Recent privacy and security incidents have spawned a whole range of class action lawsuits, but Law.com reports the larger class-action firms in the US are shying away. Into that gap has stepped a number of smaller firms, looking to make precedent in this untested area:
American Lawyer Media's Law.com - Small Firms Blaze a Trail for Privacy Suits"Matthew Righetti says companies that leak consumer data should be forced to pay. But the San Francisco plaintiffs lawyer can't say how much. Or, for that matter, whether any court would agree with him.
In fact, no one is sure. While electronic privacy breaches have caught the attention of big media -- the Wall Street Journal wrote Monday that they're generating large class actions -- the major class action firms have shied away from.
Since the cases rest on untested laws -- and often involve victims with no monetary losses -- the big plaintiffs firms are letting smaller outfits like Righetti's take the first steps in a litigation area with equally great risks.
Eager to find new practice areas without competition from the big firms that dominate consumer and securities class actions, the small plaintiffs shops have been happy to oblige.
Basing their complaints on disclosure notices that companies, under California law, send to customers whose financial data has been leaked, a bevy of small firms has aggressively pursued the suits.
While the plaintiffs lawyers say the notices fairly reek of liability, the outlook is so uncertain that small plaintiffs shops feel forced to share the risk of privacy suits with other firms...."
Thanks to Rob Hyndman for the pointer to this story.
Labels: information breaches, tort
Continuing its tradition of great reporting in the area of privacy and security, the Sunday New York Times has a feature on Mark Seiden. Seiden makes his living providing businesses with the straight goods on how vulnerable their information is to being compromised.
The Sniffer vs. the Cybercrooks - New York Times"... THE investment bank, despite billions in annual revenue and the small squadron of former police, military and security officers on its payroll, was no match for Mark Seiden.
"Tell me the things you most want to keep secret," Mr. Seiden challenged a top executive at the bank a few years back. The executive listed two. One involved the true identities of clients negotiating deals so hush-hush that even people inside the bank referred to them by using a code name. The other was the financial details of those mergers and acquisitions.
A week later, Mr. Seiden again sat in this man's office in Manhattan, in possession of both supposedly guarded secrets. As a bonus, he also had in hand a pilfered batch of keys that would give him entry into this company's offices scattered around the globe, photocopies of the floor plans for each office and a suitcase stuffed with backup tapes that would have allowed him to replicate all the files on the bank's computer system.
"Basically, that all came from working nights over a single weekend," he said with a canary-eating smile that seemed equal parts mischief and pride. Mr. Seiden is what some people inside the security industry call a "sniffer": someone who is paid to twist doorknobs for a living, to see which are safely locked and which are left dangerously unsecured. Clients sometimes hire Mr. Seiden, a former computer programmer, to buttress the security systems that protect their computers and other precious corporate assets. But primarily, large corporations turn to him to test the vulnerability of their networks...."
The article is accompanied by a very interesting 22 minute interview with Seiden. Download it here
Labels: information breaches
The Daily Herald of Provo, Utah has a Q & A column. This week, it's about identity theft:
Learning the ABCs of identity theft :: The Daily Herald, Provo Utah Learning the ABCs of identity theft"Q: Do all of the recent data thefts mean everyone affected will be a victim of identity theft? How can one protect oneself against identity theft if our data isn't safe? -- MT, Palo Alto, Calif.
A: The theft of data is in the news almost every day. It would seem that, based on the recent rash of data thefts, almost the entire country is now exposed to identity theft.
...
The root cause of the recent data thefts are companies and organizations -- banks, credit card processors, universities, motor vehicle departments and Web sites -- that maintain a great deal of sensitive personal information in their databases. Their databases are constantly hacked, and these companies lack the appropriate level of standards with respect to protecting data.
Your question is certainly timely and provides an opportunity to review the basics of identity theft.
As explained before, identity theft is a crime that occurs when a thief steals your personal information and then uses it to impersonate you or to commit fraud and theft in your name. Typically, the thief will need your Social Security number, your name, address and driver's license in order to "become" you. In certain cases, the thief may also need your credit card account numbers and other information contained in your credit report.
...
In this context, you need to understand the difference between identity theft and credit card fraud. When, for example, a security breach at CardSystems Solutions compromised 40 million credit cards, you likely became exposed to credit card fraud, not identity theft.
Credit card fraud, while annoying and troubling, does not expose you to the same effects as identity theft. Federal law limits your financial risk to $50...."
Labels: cardsystems, identity theft, information breaches
The Canadian Privacy Law Blog is licensed under a
Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.