The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Monday, October 31, 2005
I've been asked to help get the word out about a National Science Foundation-funded survey on privacy policies and how users understand them. Please give these folks a hand ...
ThePrivacyPlace.Org 2005 Privacy Survey is Underway!

"Researchers at ThePrivacyPlace.Org are conducting an online survey about privacy policies and user values. The survey is supported by an NSF ITR grant (National Science Foundation Information Technology Research) and will help us with our investigations of privacy policy expression and user comprehension thereof.
The URL is: http://survey.theprivacyplace.org/
We need to attract several thousand respondents, and would be most appreciative if you would consider helping us get the word out about the survey which takes about 5 to 15 minutes to complete. The results will be made available in 2006 via our project website (http://www.theprivacyplace.org/).
Prizes include
- $50 Amazon.com gift certificates and
- IBM sponsored giveaways!
On behalf of the research staff at ThePrivacyPlace.Org, thank you!"
Labels: information breaches
Full marks to the Information and Privacy Commissioner for the fast investigation and report related to sensitive medical records being used as props on a Toronto movie set (see: The Canadian Privacy Law Blog: Incident: Medical records blowing in the wind in Toronto). She has issued the first order under the Personal Health Information Protection Act.
From the Commissioner's website:
IPC - Medical records found scattered across Toronto streets: Commissioner Cavoukian issues first Order under new law

NEWS RELEASE: October 31, 2005
TORONTO – An investigation into how personal health records ended up being strewn across the streets of downtown Toronto on October 1 as a backdrop for a film production has resulted in a ruling by Information and Privacy Commissioner Ann Cavoukian that both a Toronto X-ray/ultrasound clinic and a paper disposal company had breached Ontario’s Personal Health Information Protection Act (PHIPA).
The Commissioner, who was appalled at learning of this breach, went to the scene herself shortly after being advised of the records being scattered on the streets. “The Order I released today – the first under the new Act – should be carefully reviewed by every health information custodian and paper disposal company in Ontario. Everyone handling personal health records has to realize that the storage and destruction of such sensitive information has to be carried out in the most secure manner so that mistakes such as this are virtually eliminated.”
In her Order, Commissioner Cavoukian said that the personal health records were collected by a paper disposal company that engaged in both shredding and recycling activities. A portion of the personal health records picked up from the clinic were mistakenly believed to be intended for recycling. The records were subcontracted to another recycling company, which later sold them – intact – to the film company for use on its set.
The Commissioner found that:
- the Toronto clinic failed to take all reasonable steps to secure the personal health information in its custody or control;
- the clinic failed to ensure that the personal health information was disposed of in a secure manner; and
- the clinic failed to comply with section 17(1) of PHIPA, which requires it to be responsible for the proper handling of personal health information by itself and its agents. Commissioner Cavoukian said that, in the above context, a written contractual agreement would be required setting out the agent’s duty to securely shred the materials and require the agent to provide a written attestation confirming that shredding has been completed.
The Commissioner also found that:
- the paper disposal company’s action in forwarding the records to a recycling facility instead of shredding them, while caused by a mistaken belief that the records were intended for recycling, contravened the Act.
Commissioner Cavoukian ordered the clinic to review its information practices to ensure that the location of all personal health information within its custody or control is documented, and that this personal health information is adequately secured.
The Commissioner ordered the clinic to put into place a written contractual agreement with any agent it retains to dispose of personal health information. The agreement must set out the obligation for secure disposal and requires the agent to provide written confirmation once secure disposal has been carried out.
“Secure disposal,” the Commissioner said in her Order, “must consist of permanently destroying paper records by irreversible shredding or pulverizing, thus making them unreadable. Further, steps must be taken to ensure that no unauthorized person will have access to the personal health information between the time the records leave the health information custodian’s custody until their actual destruction.”
Similarly, the paper disposal company, which fell under PHIPA because it functioned as an agent, having been given personal health information directly by a health information custodian, was ordered by the Commissioner to put into place a written agreement that includes the requirement for the disposal company to engage in secure shredding and provide an attestation confirming destruction of records.
Among other requirements, the Commissioner also ordered the paper disposal company to put procedures into place that will prevent paper designated for shredding from being mixed together with paper that is intended to be disposed of via recycling.
This Order will establish the practice to be followed by all health information custodians and their agents in Ontario, with respect to the Commissioner’s expectations for the secure disposal of health information records under Ontario’s new Health Information Privacy law.
The Commissioner’s Order, HO-001 is available on the IPC website.
Some media coverage, as well:
Clinic, paper firm broke privacy rules

October 31, 2005
TORONTO -- Ontario's privacy commissioner has found a clinic and a paper-disposal company broke privacy rules after personal health records were strewn on a downtown movie set.
Ann Cavoukian says the health records were collected by a company that engaged in both shredding and recycling.
The company mistakenly believed that the records picked up from the X-ray and ultrasound clinic were meant to be recycled.
As a result, it subcontracted the paper to another recycling company, which later sold it to a film company for use on its set.
The health records then ended up being strewn across the streets of downtown Toronto on Oct. 1 as a backdrop for a film production.
Cavoukian says she was appalled at the breach of Ontario's Personal Health Information Protection Act.
"Everyone handling personal health records has to realize that the storage and destruction of such sensitive information has to be carried out in the most secure manner so that mistakes such as this are virtually eliminated," Cavoukian said.
The Toronto clinic, which she did not identify, failed to take all reasonable steps to secure the information and ensure it was disposed of securely.
The paper-disposal company also breached the act by sending the records for recycling instead of shredding them.
She also ordered both facilities to put measures in place to preclude a recurrence.
Labels: health information, information breaches, ontario, phipa
All last week, CNet assembled a blue-ribbon panel of experts to discuss various aspects of identity theft and privacy. Check out the conversation:
Labels: identity theft, information breaches
Saturday, October 29, 2005
The use of video surveillance has come under increased scrutiny in recent years, prompted mostly by new privacy laws such as PIPEDA and the western provinces' PIPAs. To insurance lawyers, the most important question is what impact these laws have on the admissibility of video surveillance evidence.
The only published court decision on this point, Ferenczy v. MCI Medical Clinics, 2004 CanLII 12555 (ON S.C.), may be interpreted as holding that a violation of PIPEDA does not render video evidence inadmissible (though the judgment could be much clearer on the point):
"[35] For all of the foregoing reasons I conclude the evidence here in question was not collected, recorded, used or disclosed in contravention of the Act. However, as I indicated earlier in these reasons, the evidence is in any event relevant and its probative value exceeds its prejudicial effect. Its admission into evidence would not render the trial unfair and it is, in my view, admissible at trial in any event."
Johannes Schenk recently wrote about a BC arbitration decision in which the arbitrator decided that a violation of that province's Personal Information Protection Act would render the resultant evidence inadmissible. From paragraph 58 of IN THE MATTER OF an Expedited Arbitration Between EBCO Metal Finishing Ltd. and International Association of Bridge, Structural, Ornamental & Reinforcing Iron Workers, Shopmens' Local 712, [2004] B.C.C.A.A.A. No. 260:
... The PIPA is clearly intended to apply to the employment relationship. The authority of the legislation would not be given effect were an employer to breach its provisions and be permitted to rely on the unlawfully obtained evidence anyway. For an arbitrator in British Columbia to admit the evidence in such a case would amount to error of law and abdication of jurisdiction.
Arbitral decisions have little precedential value, particularly outside the particular province, but this highlights that the issue has not entirely been put to rest.
Labels: bc, information breaches, litigation, pipa, privacy, surveillance, video surveillance
The Canadian Judicial Council has recently been struggling with the balance between open courts and privacy when making court records available online. It has just released its Use of Personal Information in Judgements and Recommended Protocol (pdf here). Until recently, legal publishers have taken it upon themselves to selectively edit judgements to conform with publication bans, but more courts are releasing their own decisions online. The protocol does not deal with electronic access to court records themselves, but hopefully a protocol for that will be forthcoming.
Thanks to beSpacific for the link.
Labels: information breaches
Former members of Interex, a Hewlett-Packard user group, are upset that the bankrupt association's member list is likely to be sold to satisfy creditors. The organization's privacy policy didn't anticipate bankruptcy, but some members think their information is confidential and simply should not be treated as any other asset. See: Interex membership list for sale to highest bidder - Computerworld.
Labels: information breaches
Thanks to Bruce Schneier (Schneier on Security: Eavesdropping Through a Wall) for directing me to an interesting US patent application for through-the-wall audio surveillance technology that was developed in association with NASA: United States Patent Application: 0050220310.
Labels: information breaches, schneier, surveillance
Lance Koonce and Kraig Baker, from the Privacy and Security Law Blog, have been blogging from the International Association of Privacy Professionals' Privacy Academy recently held in Las Vegas. Rather than link to all the postings, just check out the blog and you'll find them...
Labels: information breaches
The US State Department has issued its final rules on the implementation of RFID in all US passports, beginning with those issued after October 2006. The chips will include a digitised version of the holder's photo and other information. According to the Washington Post, 98% of the comments on the proposal were against the measure, but the Department suggests that measures are being taken to minimise the risk associated with the RFID chip. The passports will include an "anti-skimming" film on the front and back covers, making it more difficult to read the chip at a distance: U.S. Passports to Receive Electronic Identification Chips.
Labels: information breaches, rfid
US Federal law enforcement officers have been seeking to have cellular phone companies provide, without a warrant or probable cause, information on subscribers. The information requested includes the caller's location and the particulars about calls made. This week, a US Federal Court Judge in New York has denied the US Justice Department access to this information without a warrant. According to eWeek, this decision is similar to one made by a district court in Texas last month.
From eWeek: NY Court Bans Feds from Tracking Cell Phones.
Labels: information breaches
NetworkWorld has a great article on how to respond to security incidents involving personal or corporate data:
Responding to a security breach

...But organizations can reduce their overall losses by reporting breaches in a timely manner and offering whatever help they can to the affected parties, Penn says. On the other hand, organizations can compound their losses by covering up and delaying reporting, such as the case with ChoicePoint, whose stock dropped by 15% after fraud in its system exposed 145,000 credit identities in February. And health maintenance organization Kaiser Permanente was fined $200,000 in August for a three-month delay in reporting an exposure of patient data posted on a publicly accessible Web site used for help desk support....
Labels: choicepoint, information breaches
Thursday, October 27, 2005
The Canadian Information Technology Law Association has just launched a new blog to foster discussion of issues of interest to practitioners and others who are interested in Canadian technology law issues. It also has an RSS/XML feed.
One of the initial postings is related to the recent decision by the Privacy Commissioner on outsourcing and the USA Patriot Act. I blogged about it here (The Canadian Privacy Law Blog: Privacy Commissioner considers USA Patriot Act / Outsourcing complaints against Canadian bank), but the IT.Can blog provides a good opportunity for discussion. Check out the post here: Bank’s notification to customers triggers PATRIOT Act concerns.
Labels: breach notification, information breaches, patriot act
I don't often find good privacy stories by reading blogs about law firm marketing and management, but sometimes you just luck out ...
From Larry Bodine's great Professional Marketing Blog (verbatim):
Larry Bodine's PROFESSIONAL MARKETING Blog: Hidden Camera in Bathroom = Lawsuit:

How would you like to be the marketer for the 17-lawyer firm of Mangan, Langhenry, Gillen & Lundquist in Wheaton, IL? They got sued by a former attorney who discovered a hidden camera in the ladies' bathroom -- twice.
A woman identifying herself only as 'Jane Doe,' said in her complaint filed in Cook County District Court that she discovered a hidden video camera in the toilet paper roll one day. She removed it, only to find it back in place a month later. Apparently one of the male partners was using it to view or record everyone who used the stall.
According to WBBM news radio in Chicago, one of the male partners recently left the firm, but wouldn't say who it was. It also wouldn't comment.
If you were the marketing director of this disaster, what would you do?
Labels: information breaches
Wednesday, October 26, 2005
The Ontario proposal to change the rules for open adoption records will likely be voted upon this week:
Bill opening Ontario's adoption records expected to be voted on soon - Yahoo! News:

...The law would open up adoption records, making it easier for adoptees and birth parents to find one another. Adoption records have been sealed in Ontario since 1927. Adult adoptees would be able to access their original birth certificate, which could include the names of their birth parents. Birth parents, meanwhile, would be able to see the birth certificate and current name of the child they gave up for adoption. The campaign would inform people about the changes and let both parents and children know they have the option to request not to be contacted. They can also ask a tribunal for a veto to keep their file sealed, provided they can prove releasing the records would cause harm....
Labels: information breaches, ontario
Tuesday, October 25, 2005
The pre-trial process in the Cardsystems class action lawsuit continues, while the parties are squabbling over what and how much information Visa and MasterCard should be providing to the plaintiffs about their relationships with Cardsystems: Squabble continues over credit card breach | Tech News on ZDNet.
Labels: cardsystems, information breaches, tort
Business Week Online is carrying a feature on the somewhat surprising popularity of a number of cell-phone tracking services in South Korea. Many people are willing to give up a significant measure of privacy for convenience or safety:
"Working Late" Won't Work Anymore

"I used to be worried when my boyfriend didn't answer my calls," says Shim You Sun, a 25-year-old accountant who pays 11 cents each time she checks up on him. "Now I can rest assured that he is at work or busy attending a seminar."
She's one of more than 4 million Koreans who have signed up for various services using technology that can determine a cellular subscriber's location. One, costing $3 per month, will send a message with your coordinates to friends and family periodically while you're traveling. Another will automatically dispatch a text message to friends who get within a block or so of each other as they move around town. Yet another, costing 29 cents a day, will send a message if a person isn't at a specified place at a certain time and then allows the tracker to see the person's movements over the previous five hours. And 20,000 parents pay $10 per month for alerts if their children stray from the route between school and home. The Korea Association of Information & Telecommunication reckons such services are growing by 74% annually, with revenues expected to triple in 2007, to $1.54 billion, from $500 million last year....
Thanks to Privacy Spot for the link: The Ultimate in Cell Phone Tracking | PrivacySpot.com - Privacy Law and Data Protection.
Labels: information breaches
Monday, October 24, 2005
Even though the FBI can go to a secret court for authorization for intrusive surveillance or, in some cases, proceed under internal oversight, the Washington Post is reporting that some FBI agents have circumvented all oversight to conduct surveillance on US residents:
FBI Papers Indicate Intelligence Violations

In other cases, agents obtained e-mails after a warrant expired, seized bank records without proper authority and conducted an improper "unconsented physical search," according to the documents.
Although heavily censored, the documents provide a rare glimpse into the world of domestic spying, which is governed by a secret court and overseen by a presidential board that does not publicize its deliberations. The records are also emerging as the House and Senate battle over whether to put new restrictions on the controversial USA Patriot Act, which made it easier for the government to conduct secret searches and surveillance but has come under attack from civil liberties groups.
The records were provided to The Washington Post by the Electronic Privacy Information Center, an advocacy group that has sued the Justice Department for records relating to the Patriot Act.
David Sobel, EPIC's general counsel, said the new documents raise questions about the extent of possible misconduct in counterintelligence investigations and underscore the need for greater congressional oversight of clandestine surveillance within the United States.
"We're seeing what might be the tip of the iceberg at the FBI and across the intelligence community," Sobel said. "It indicates that the existing mechanisms do not appear adequate to prevent abuses or to ensure the public that abuses that are identified are treated seriously and remedied."
Labels: information breaches, law enforcement, patriot act, surveillance
The Police Association of Ontario is floating a proposal that police officers not wear any indication of their names, only their badge numbers. The PAO cites officer privacy as the issue, but others say that the move further removes the police from the communities they serve and makes it harder to keep track of abusive cops. See: CBC Ottawa - Police Association balks at officer nametags.
Labels: information breaches, ontario
Michael Geist continues to chronicle the journey of the proposed "Do Not Call" law through the legislative sausage factory:
Michael Geist - Government Caves to Lobbyists on Do-Not-Call Legislation:

"Appeared in the Toronto Star on October 24, 2005 as Ottawa Caves to Lobbyists on Do-Not-Call Law

Sometime this week - possibly as soon as later today - the House of Commons will proceed to pass do-not-call legislation by giving Bill C-37 its third and final reading. While officials from all parties will likely point proudly to the new law as evidence that government can respond to the concerns of Canadians, the reality is that the bill has devolved into an embarrassing shell of its original self, rendered practically useless under the onslaught of lobby groups determined to thwart any attempt to limit their ability to call consumers at all hours of the day."
Labels: information breaches
I was recently invited by the Canadian Bar Association - Nova Scotia's Insurance Law subsection to give a presentation on privacy laws and insurance claims, focusing on where we are now that PIPEDA has been in force for almost two years. The two principal themes were video surveillance and access to the claims file. You can download a pdf of the presentation here if you are interested: Privacy and Insurance Claims.
Labels: information breaches, presentations, privacy, surveillance, video surveillance
Sunday, October 23, 2005
Marketwatch reports that student aid programs are under increasing attack by identity thieves who see a big pot of money, much of which is accessible online: College-aid money means big bucks for identity thieves - Financial - General News - Internet Services - Financial Services - Internet - Personal Finance.
Labels: information breaches
I wrote recently about the prospect of VoIP companies having to build law enforcement tapping capabilities into their systems (The Canadian Privacy Law Blog: Internet bugging may dictate technologies and call-routing for VoIP services). The rule change also apparently applies to universities in the US, which are not happy about having to spend untold thousands of dollars to modify their systems: Colleges Protest Call to Upgrade Online Systems - New York Times
Labels: information breaches
Last night (and this afternoon) was the season premiere of CTV's investigative news program, W-Five. The second feature on the show was about the theft of and trafficking in personal information that occurs in Canada and the United States. It chronicled a Canadian connection to the infamous Shadowcrew bust in the US and the efforts of two local police departments to deal with the Canadian angle. The RCMP refused to appear on camera but wrote to the reporters that they did not deal with it because of a lack of resources. Not a high priority, the reporter inferred.
The story also featured an interview with the Minister of Industry, David Emerson, who was obviously very uncomfortable. A data theft disclosure law is not a priority of the Canadian government, and he expects Canadian companies will consistently do the right thing by letting customers know if their information is compromised:
A disclosure law is being considered in Ontario, but on the federal level, virtually nothing. We spoke to the man responsible, Industry Minister David Emerson, who admitted he didn't really know how many Canadian companies have been breached or how many Canadians have had their information stolen.

"We don't know with precision, let me put it that way," said Emerson. "We know in an approximate way."
Though Emerson admits the impact of the crime is huge, he also says the legislation just isn't a priority for the governing Liberals. But not to worry, he says, most companies will do the right thing.
"I would say that there are many more cases of companies who have properly notified their customers than there are companies who have not," says Emerson.
But, Emerson admits, he doesn't know for sure.
Read the summary of the feature here: CTV.ca No One's Safe
You can also see the video, starting at about 12:30 in the broadcast: click here. Video should open in Windows Media Player.
Labels: information breaches
Saturday, October 22, 2005
Canada.com has written a little article about the recent finding from the Assistant Privacy Commissioner related to video surveillance. I advised the insurer in this case and wrote about it earlier (The Canadian Privacy Law Blog: Assistant Privacy Commissioner concludes that initiating a lawsuit is implied consent to video surveillance). See the Canada.com article here: PIPEDA doesn't pip PI's video in court, Privacy Commissioner finds.
Labels: information breaches, privacy, surveillance, video surveillance
A central Ohio school board received a series of presentations for replacing the check-out systems at school cafeterias. Usually not newsworthy, but some of the proposed systems include the ability to alert kids that their meals contain ingredients to which they are allergic and a function to report back to parents what their kids are eating. There is also a "privacy protection" feature being advertised: the system will make it harder for kids to tell which student is getting a subsidised or free meal.
Interesting: School eyes lunch systems to protect privacy, track eating.
Labels: information breaches, privacy
A former employee of the State of Georgia has been fired and charged with computer trespass and theft after logs (allegedly) showed that he had downloaded driver and employee records of almost half a million people to his home computer. The former employee, a computer programmer, had been involved in a project with that data, but the logs showed the activity after the project was over. The databases included addresses and social security numbers. The State of Georgia is sending letters to all the affected people: The state of Georgia is sending letters to 465,000 drivers and state employees, warning that they may be at risk for identity theft.
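The Georgia case turned on exactly the check the article describes: database access logs compared against the window in which the programmer was actually authorised to work with the data. The script below is an added illustration of that check, written for this post and not taken from any Georgia state system or from the original article. The log format, the field names, the authorisation table and the "bulk export" threshold are all assumptions, and the log lines are constructed to mirror the story (accesses from a workstation during the project, then large exports from a home host after the project ended).

```python
"""Flag record access that falls outside a user's authorised project window.

Added example, not from the original post or any Georgia state system.
The log format, field names, authorisation table and bulk threshold are
assumptions made for this illustration.
"""
from collections import defaultdict
from datetime import date, datetime

# Constructed sample log lines (assumed format):
# timestamp,user,action,table,rows,src_host
SAMPLE_LOG = """\
2005-06-10T09:12:00,jdoe,export,drivers,1200,prog-ws-07
2005-06-15T14:30:00,jdoe,export,employees,800,prog-ws-07
2005-08-03T22:41:00,jdoe,export,drivers,250000,home-dsl-4
2005-08-03T23:05:00,jdoe,export,employees,215000,home-dsl-4
2005-08-04T10:00:00,asmith,query,drivers,3,dba-ws-02
"""

# Assumed authorisation table: user -> (start, end) of the project window
# during which the user was permitted to touch the datasets.
AUTHORIZATIONS = {
    "jdoe": (date(2005, 5, 1), date(2005, 7, 31)),
    "asmith": (date(2005, 1, 1), date(2005, 12, 31)),
}

# Rows in a single export above which we call it "bulk" (assumed value).
BULK_THRESHOLD = 10_000


def parse_log(text):
    """Turn the CSV-style log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, table, rows, host = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "table": table,
            "rows": int(rows),
            "host": host,
        })
    return events


def find_violations(events, authorizations, bulk_threshold=BULK_THRESHOLD):
    """Return (event, reasons) pairs for events that are outside the user's
    authorised window, by a user with no authorisation on record, or that
    are bulk exports regardless of timing."""
    findings = []
    for ev in events:
        reasons = []
        window = authorizations.get(ev["user"])
        if window is None:
            reasons.append("no authorisation on record")
        else:
            start, end = window
            if not (start <= ev["ts"].date() <= end):
                reasons.append(f"outside window {start}..{end}")
        if ev["action"] == "export" and ev["rows"] >= bulk_threshold:
            reasons.append(f"bulk export of {ev['rows']} rows")
        if reasons:
            findings.append((ev, reasons))
    return findings


def rows_exposed(findings):
    """Total rows in flagged exports per user: the figure that drives how
    many notification letters have to go out."""
    totals = defaultdict(int)
    for ev, _ in findings:
        if ev["action"] == "export":
            totals[ev["user"]] += ev["rows"]
    return dict(totals)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    flagged = find_violations(events, AUTHORIZATIONS)
    for ev, reasons in flagged:
        print(ev["ts"], ev["user"], ev["table"], ev["rows"], ev["host"],
              "; ".join(reasons))
    print(rows_exposed(flagged))
```

The in-window, small exports from the project workstation produce no finding; the two post-project exports from the home host are flagged both for timing and for volume, and the per-user total is what a breach notification would have to be sized against. The point of keeping the authorisation window as data rather than as a one-off query is that the same check can run on every export as it happens, instead of being reconstructed from logs after the fact.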
Labels: identity theft, information breaches
Friday, October 21, 2005
Pinsent Masons' Out-Law (a great source of IT law news) is pointing to an interesting new service designed to fight credit card fraud. The service, offered by Metacharge, apparently verifies information related to credit card customers for online clients that are at a high risk of fraud. Metacharge checks whether the authorized holder of the card is a live adult and also tracks the IP address of the customer to see whether they are connecting from their expected origin. If you are trying to gamble online while connected from Nigeria or Malaysia, you may be cut off. If you're dead, the consequences may be worse. See: How to check your customer is over 18 and still alive | OUT-LAW.COM.
Labels: information breaches, ip address
Thanks to David Canton for e-mailing me about this story out of the University of Western Ontario: It appears that someone posted a listing of graduate students who had applied for scholarships on a web server. The information included names, social insurance numbers and whether they had been successful in previous competitions. The university has sent letters to the thousand affected students, informing them that the info was online and had been taken down. In the meantime, it had been indexed (and presumably cached) by Google and viewed at least fourteen times. Concerned students are being told to place a fraud alert on their credit files. See London Free Press - City & Region - Students' personal data posted on Internet in error. Also, check out David Canton's post: eLegal Canton: UWO student personal data posted on Internet.
Labels: google, information breaches, privacy
The Office of the Privacy Commissioner just released a finding related to a free e-mail provider's PIPEDA compliance, particularly with respect to access, security and challenging compliance. The complainant thought her estranged husband had been accessing her e-mail and was responsible for changing her password on a number of occasions. Trying to deal with customer service people at the e-mail provider proved fruitless, and the Assistant Commissioner found that the company was not in compliance with Principle 10 of PIPEDA, which requires that any complaints be escalated to the company's privacy officer. The Assistant Commissioner also concluded that the IP address of the person who had been resetting her password might be information about a third party, but the company could release it to the complainant because it could not be linked to a third party without the assistance of the ISP involved. Finally, the Assistant Commissioner concluded that the company could not be faulted for inadequate security because the customer didn't follow the instructions to make her own password and "personal question" more secure. Read the full finding here: Commissioner's Findings - PIPEDA Case Summary #315: Web-centred company's safeguards and handling of access request and privacy complaint questioned (August 9, 2005).
Labels: information breaches, ip address, pipeda findings, privacy
The Office of the Privacy Commissioner has just posted to its website a finding related to a complaint filed by an insured under an automobile policy who was looking for information about a claim that had been filed by a third party related to damage to a motor vehicle. Though the insurer settled the claim, the insured disputed whether she was at fault.
The insurer refused to provide the insured with access to the particulars of the claim because, in its view, it contained personal information about the claimant. That information, it argued, could not be disclosed without consent under PIPEDA. The insurer attempted to get this consent and was not able to do so.
The insured enlisted the help of the province's superintendent of Insurance but to no avail. She then complained to the Privacy Commissioner that she was denied access to her personal information under Principle 9 of PIPEDA.
The Privacy Commissioner concluded that the third-party personal information should have been severed from the records and the remainder provided to the insured:
Commissioner Findings - PIPEDA Case Summary #314: Insurance company denies access to personal information in statement of claim (August 9, 2005)
Application: Principle 4.9 states that upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate. An exception to access is included in subsection 9(1), which states that an organization shall not give an individual access to personal information if doing so would likely reveal personal information about a third party. However, if the information about the third party is severable from the record containing the information about the individual, the organization shall sever the information about the third party before giving the individual access.
In making her determinations, the Assistant Privacy Commissioner deliberated as follows:
- Based on her review of the statement of claim in question, the Assistant Commissioner was of the opinion that some of the information in the statement of claim was the complainant's personal information.
- While she noted that the statement also contained the third party claimant's personal information, this information could be severed in the manner described in subsection 9(1), and the complainant's personal information provided to her.
- As this had not been done, and instead the complainant was denied access to the entire document, the Assistant Commissioner determined that the insurance company had denied the complainant access to her personal information, contrary to Principle 4.9.
The Assistant Commissioner concluded that the complaint was well-founded.
I have some questions about this that are not dealt with in the published finding. First, it refers simply to the "statement of claim". If it is a statement of claim filed in a lawsuit, it's a public document that the complainant can get in other ways and you can likely imply consent to its disclosure. Secondly, and perhaps more importantly, is that the finding does not address any aspects of agency between the insurer and the insured. The insurer is simply the agent of the insured. The information collected and held by the insurer is done on the behalf of the insured. Using principles of agency, the information (arguably) is constructively held by the insured herself. The insured would have the ability and right to that information under agency principles, regardless of PIPEDA. I don't know if this argument was ever raised before the Assistant Commissioner, but I'd be interested to see whether it would fly.
Labels: information breaches, pipeda findings, privacy
Thanks to Michael Zimmer for a recent posting on his Thinking About Technology blog, which points to two pending Google patents.
When Gmail first came out, many commentators found the idea of targeted advertising based on keywords in e-mail messages to be weird and intrusive. (See Gmail Privacy FAQ from EPIC, Thirty-One Privacy and Civil Liberties Organizations Urge Google to Suspend Gmail, Gmail is too creepy.) The new technology that Google is working on would target ads to users based on searches and websites that the user has visited in the past.
From the pending applications:
United States Patent Application: 0050222901: "Determining ad targeting information and/or ad creative information using past search queries"
Abstract
"Ad information, such as ad targeting keywords and/or ad creative content for example, may be determined using aggregated selected document-to-query information associations. For example, popular terms and/or phrases also associated with a selected document may be used as ad targeting keywords and/or ad creative content for an ad having the document as a landing page. Query information may be tracked on a per document level, a per domain level, etc. The determined ad information may be used to automatically populate an ad record, or may be provided to an advertiser as suggested or recommended ad information."
United States Patent Application: 0050222989: "Results based personalization of advertisements in a search engine"
Abstract
"Personalized advertisements are provided to a user using a search engine to obtain documents relevant to a search query. The advertisements are personalized in response to a search profile that is derived from personalized search results. The search results are personalized based on a user profile of the user providing the query. The user profile describes interests of the user, and can be derived from a variety of sources, including prior search queries, prior search results, expressed interests, demographic, geographic, psychographic, and activity information."
Read Michael Zimmer's posting here: Thinking About Technology: Google Files for Behavioral Targeting Patents.
Labels: google, information breaches, privacy
Thursday, October 20, 2005
While Canadians are fretting over lawful access, our friends south of the border are dealing with the second generation, or rather an extension, of the rules begun with the Communications Assistance for Law Enforcement Act. CALEA, as it is called, required telecommunications companies to build in wiretapping capabilities. A recent set of rules published by the Federal Communications Commission extends that wiretapability requirement to VoIP providers. Any company that provides a service that connects calls to or from the traditional phone system is required to provide central bugging features for law enforcement.
Wired News is asking where that leaves VoIP companies that use a peer-to-peer model. These providers don't route calls centrally so there is no easy place to intercept the calls. And the rules apply to all calls on the system, not just those that go to or from traditional switches. According to the regs, that's no excuse.
This may be a case where law enforcement access requirements will be dictating the technology that a company can use. Read more: Wired News: Furor Grows Over Internet Bugging.
Labels: information breaches, lawful access
Since the Corona (Southern California) Chamber of Commerce and the local police began asking local businesses to give law enforcement access to the feeds from their web-enabled security cameras, Bruce Schneier asks how long it will be before a law is passed requiring a backdoor for police: Schneier on Security: Private Webcams and the Police.
"Lawful access" to the next level? "We're just keeping up with technology. In the olden days, we'd be able to post a cop in front of your store so this is no different ..."
Labels: information breaches, lawful access, schneier
Not too long ago, the Canadian Imperial Bank of Commerce gave the users of the bank's Visa card notice that processing of account information may take place in the United States, which would make the information accessible to US law enforcement and intelligence officials. This caused a relatively minor stink in the press but did result in a number of complaints to the Office of the Privacy Commissioner of Canada.
Today, the Assistant Commissioner has released her finding related to these complaints and has found that there is nothing in PIPEDA which prevents outsourcing such as this or that requires getting consent for the processing of personal information by third-party service providers. There was some question of whether CIBC appeared to offer an opt-out option. With respect to the cross-border outsourcing issue, there is again no requirement to get consent from the customer. The company has to use contractual means to make sure that the information has a comparable level of protection, but the existence of the USA Patriot Act doesn't mean that you can't have comparable protection in the US. (Canada has similar legislation that has garnered less attention.) Personal information is equally vulnerable to disclosure to law enforcement, whether it is located north or south of the Canada-US border.
The Assistant Commissioner did state that companies that do outsource the processing of personal information are under an affirmative duty to inform their customers. While the customer cannot "opt out" of the outsourcing, they can choose not to do business with the company.
Read the full finding here: Commissioner's Findings - PIPEDA Case Summary #313: Bank's notification to customers triggers PATRIOT Act concerns (October 19, 2005).
Michael Geist has a comment here: Michael Geist - Canadian Privacy Commissioner Denies PATRIOT Act Complaints.
CIPPIC also has a thing or two to say: Privacy Commissioner OKs outsourcing to US.
Labels: breach notification, information breaches, patriot act, privacy, public sector
Another university-related privacy/security breach:
Personal information on Vermont Tech students ends up on the Internet
Vermont Technical College's entire student body had their names, addresses, Social Security numbers and academic information inadvertently posted on the Internet by a college staff member more than a year ago, and the records remained publicly accessible until last week, Vermont Tech officials said Wednesday.
A former Vermont Tech student happened upon the 2003 student information last week after using the search engine Google to look up his own name, Vermont Tech President Allan Rodgers said. The college, which notified Google and removed the information from the college computer server on which it was stored, is contacting all 1,100 students whose private information was likely available on the Internet since January 2004.
"We have taken swift steps to secure the information and to remove the data from the Vermont Tech server and from other sources," Rodgers wrote in an Oct. 12 e-mail to students and alumni. "We regret this incident, and we are reviewing our security practices, policies and employee training."
A Vermont Tech employee who coordinates the college's tutoring services was responsible for the error, Rodgers said. The staff member, he said, attempted to electronically submit the student information over a privately secured computer drive but inadvertently sent it to a publicly accessible college Web site.
The information included student names; ethnicity; Social Security numbers; addresses; and student identification numbers. Academic information, including SAT scores and academic standings, was also part of the compromised data.
"This is the first time we've been aware that this information could be accessed," Rodgers said, referring to the former student's Internet discovery. Rodgers said he has since spoken to one or two students who are curious about what happened and how the college will follow up on it.
Rodgers said all Vermont Tech employees, including the employee who made the error, will receive additional training on computer network security.
"People have to have access to information in order to do their jobs, and we need to make them understand what is secure and what is an unsecured venue for information transmission," Rodgers said.
While there is no indication that any of the Vermont Tech information was lifted off the Internet by identity thieves, the possibility that such a thing could happen is very real, said Gary Kessler, an associate professor at Champlain College and director of its information security program.
Kessler said universities and colleges, with their vast computer networks and wealth of sensitive data, might be particularly vulnerable to hackers. The University of California, San Diego, and the University of Texas at Austin, he said, are among the growing number of institutions that have fallen victim to identity thieves.
Champlain College recently spent millions of dollars on a new administrative student database system that includes state-of-the-art security. As part of the new system, only specific employees may access private data, such as Social Security numbers.
"With the new system at Champlain, I cannot get Social Security numbers of my students. I can't even accidentally disclose the information," Kessler said. "The only people that generally require Social Security numbers are dealing with financial aid."
Labels: google, information breaches, privacy
Wednesday, October 19, 2005
From the Federal Government's principal website:
Privacy Commissioner of Canada to appear before House of Commons Standing Committee on Access to Information, Privacy and Ethics
The Privacy Commissioner of Canada, Jennifer Stoddart, will be appearing before the House of Commons Committee to discuss her Office's Annual Reports tabled recently in Parliament - the 2004-2005 Annual Report on the Privacy Act and the 2004 Annual Report on the Personal Information Protection and Electronic Documents Act.
Date: Thursday, October 20, 2005
Time: 11:00 a.m. to 2:00 p.m.
Location: Room 253-D, Centre Block, Ottawa
Labels: information breaches
A special Halifax Police/RCMP task force has recently made an arrest in Halifax in connection with a suspected card skimming operation. It is alleged that an employee at a gas station double-swiped customers' bank cards, first in the normal card terminal and then in a card reader, to capture card data. Then, the PIN entry was observed. This information was used to create new cards, which were then used by the fraudsters. Police say the scam may have had up to 400 victims: Latest charges bring total to 85 in bank card scam.
Labels: information breaches
Monday, October 17, 2005
According to Reuters, the Federal Financial Institutions Examination Council has told US banks to switch to two-factor authentication to prevent account hijacking. Two-factor authentication, which usually involves biometrics, challenge/response queries or secondary PINs generated by key-chain or card-based gizmos, is hoped to minimise the threat posed by intercepted passwords or phishing attacks. Banks will have just over a year to implement the requirements: Banks to strengthen Web log-ons to thwart ID theft - Yahoo! News.
Labels: information breaches
The Electronic Frontier Foundation started a project some time ago to decode the hidden tracking information that certain colour laser printers embed in documents. The results are out and EFF's findings are rather interesting. The info is hidden in small yellow dots that are too pale for the human eye to readily discern, but are visible under magnification and blue light. EFF reports here: EFF: DocuColor Tracking Dot Decoding Guide.
Thanks to Boing Boing for the link.
Labels: information breaches
While evil hackers are often portrayed as the gravest threat to personal privacy, Bob Sullivan at MSNBC writes that screwups and lax policies are the leading cause of information leaks. Read it here: Surprise! You're exposed - Security - MSNBC.com.
Also check out Accidents Happen | PrivacySpot.com - Privacy Law and Data Protection for discussion of the MSNBC article.
Labels: information breaches
Chris Hoofnagle at EPIC West must be a voracious reader of marketing publications. He regularly blogs about the kinds of marketing lists that brokers of such things are selling. Today, he checks out the offering of OnRebate.com's customer list and how it stacks up to their online privacy policy. Something doesn't add up, he concludes: EPIC West: Electronic Privacy Information Center West Coast Office: Onrebate.com: Violating its Privacy Policy?
Labels: information breaches
Michael Geist's most recent Law Bytes article says that we are facing a privacy crisis evidenced by the new "lawful access" snooping powers and the Federal Privacy Commissioner's lack of effective enforcement powers. Read it here: Michael Geist - Privacy Protection Requires Action Not Rhetoric.
Labels: information breaches, lawful access
From the Associated Press, via Yahoo! News:
FBI Raid Shuts Down Suspected Spammer - Yahoo! News:
"WEST BLOOMFIELD, Mich. - A man described as one of the nation's leading senders of spam says an FBI raid on his home office has halted his e-mail operation.
Warrants unsealed last week show that a September raid on Alan M. Ralsky's home in a Detroit suburb included the seizure of financial records, computers and disks.
'We're out of business at this point in time,' Ralsky said. 'They didn't shut us down. They took all our equipment, which had the effect of shutting us down.'
Terry Berg, the top deputy in the Detroit U.S. attorney's office, declined to comment.
Ralsky, 60, has said that he has 150 million or more e-mail addresses, and he has been a target of anti-spam efforts for years.
Verizon Communications Inc. sued him in 2001, saying he shut down its networks with millions of e-mail solicitations. He settled, promising not to send spam on its networks.
A federal law that took effect last year bans use of misleading subject lines and the sending of commercial e-mail messages that appear to be from friends. It also bans use of multiple e-mail addresses or domain names to hide senders' identities."
Labels: information breaches, law enforcement, spam
A Federal Court in Chicago has held that spyware makers may be subject to liability for trespass to chattels. In a motion to dismiss before trial, the judge in Sotelo v. DirectRevenue held that there was at least an arguable case that this legal doctrine may apply:
USATODAY.com - Spyware can constitute illegal trespass on home computers:
"... The defendants filed a motion to dismiss the trespass to chattels cause of action, arguing that the traditional legal elements pertaining to this type of claim were not met in this new setting. While the court acknowledged that this historical legal doctrine over time has applied to personal property (such as damaging or stealing a person's bicycle), the court nevertheless denied the motion, allowing the cause of action to proceed to later trial.
First, the court found that this type of trespass cause of action does not require loss of personal property. Instead, 'interference' is sufficient. The court then took the leap to hold that interference with the use of a home computer is enough to maintain a claim for trespass to chattels.
Because the plaintiff's complaint alleged that computer use had been hindered, slowed down and bombarded with pop-up advertisements, enough interference had been asserted for the case to proceed on this cause of action.
In sum, and in the words of the court: 'Simply put, plaintiff alleges that Spyware interfered with and damaged his personal property, namely his computer and Internet connection, by over-burdening their resources and diminishing their functioning. Accordingly, the court denies (the) motion to dismiss (the) trespass to chattels cause of action.'"
Thanks to Privacy Digest for the link.
Labels: information breaches
Sunday, October 16, 2005
The Telegraph of London is reporting on identity theft in the United Kingdom. It includes some statistics related to practices that put UK citizens at risk of identity theft. Approximately 77% of trash bins in that country contain personal information and are easy pickings for "bin raiders". See: Telegraph | News | Identity theft on the rise as householders bin their bills.
Labels: identity theft, information breaches
First, CardSystems was circling the bowl: CardSystems threatened with extinction due to Visa and AMEX termination.
Then, CardSystems was being bought by CyberSource: Cardsystems assets being sold to CyberSource.
Then, CyberSource leaves CardSystems at the altar: CyberSource Terminates Negotiations with CardSystems.
Now, CardSystems is being wooed by Pay by Touch: Card Center Hit by Thieves Agrees to Sale (registration req'd).
Labels: cardsystems, information breaches
Canadian immigration authorities are making their first foray into using biometrics to keep track of refugees, immigrants and visitors to Canada. A pilot project is being implemented at border crossings in British Columbia and the Vancouver International Airport. The test will involve digital photos and fingerprints. At the moment it is only a pilot project, but is likely a sign of things to come. From the Canadian Press: Facial scans, digital fingerprints to be compiled for border security project - Yahoo! News.
Labels: air travel, airlines, bc, british columbia, information breaches
I was just browsing the Daily Show with Jon Stewart's video archive and happened upon a handy-dandy video that's somewhat relevant to this blog: Ed Helms on Avoiding Identity Theft (Windows Media required). There may be something somewhat useful in there.
Labels: identity theft, information breaches
Mathew Englander just pointed me to an interesting comment on the Industrial Brand blog about the writer's experience at a screening at the Vancouver International Film Festival. The writer is more than a little perturbed by the aggressive anti-piracy measures being taken at such screenings, which include pat-downs, scanning by a metal detector and -- la pièce de résistance -- videotaping of the entire audience. He was told this is the new normal for film festival entries by the big studios. Read the blog entry here: Industrial Brand Creative: Watching Movies or Being Watched?
Labels: information breaches
Today's Arizona Daily Star has a profile of B.J. Ostergren, who has a mission to get social security numbers and other sensitive personal information out of public records that are made available (much of it online) by all levels of government. Her tactics include finding the SSNs of the powerful and posting them on her site:
Counties putting your private data online | The Arizona Daily Star
B.J. Ostergren, a Virginia activist, has fished out from the public records the Social Security numbers of dignitaries ranging from CIA Director Porter Goss to Florida Gov. Jeb Bush in an effort to persuade politicians of the dangers of posting the information online.
She's also ferreted out the Social Security number for Rep. Tom DeLay, R-Texas, which is mentioned on a 1980 tax lien the IRS filed against him. Local clerks dutifully filed the lien against DeLay's property with his local tax records because a lien is something that must be cleared up before the property can be sold.
In the past this information has been available for anyone willing to trek down to the courthouse and leaf through public land records or the proceedings of divorce courts. But thanks to the Internet age, public records are now put online to make it easier for anyone with a computer anywhere around the world to retrieve them.
"It's putting our country at great danger," said Ostergren, who has posted some of the Social Security numbers she's retrieved on her Web site at www.opcva.com/watchdog.
Labels: information breaches
Saturday, October 15, 2005
On Thursday night, I had the pleasure of giving a presentation alongside Nancy Milford (of the Nova Scotia Health Organizations Protective Assoc.) to the Nova Scotia Medical-Legal Society on issues related to consent and the release of patient information. The group is composed of lawyers and medical professionals who have an interest in health law. Almost all of them had very interesting questions on how PIPEDA is being applied (and should be applied) in the healthcare context. If you're interested in a copy of the materials, send me an e-mail at david.fraser@mcinnescooper.com.
Labels: health information, information breaches, presentations, privacy
A press release put out today says that Cybersource has withdrawn its offer to purchase embattled CardSystems: CyberSource Terminates Negotiations with CardSystems: Financial News - Yahoo! Finance.
See, also, The Canadian Privacy Law Blog: Cardsystems assets being sold to CyberSource, et seq.
Labels: cardsystems, information breaches
Chris Hoofnagle runs his own personal blog on privacy and also updates the EPIC West blog regularly.
He has recently posted about an ad that he saw in a publication for private investigators in California. Merlin Data is advertising that it can find you an address for an unlisted number, using information collected by pizza restaurants. See: EPIC West: Electronic Privacy Information Center West Coast Office: Merlin Selling Personal Info From Pizza Delivery Database.
(You may recall Merlin being mentioned on this blog in connection with a Choice Point-type incident: The Canadian Privacy Law Blog: Incident: Another data aggregator provides personal information to impostors.)
Labels: information breaches
The Association for Automatic Identification and Mobility (aka AIM) has released a position paper on RFID privacy and security. It sure has impressed Data Collection Online, which was a little bit breathless in its report on the position paper:
"The position paper, that also includes position statements on other important RFID issues, can be downloaded, at no cost, from the AIM Store from the following link: https://www.aimglobal.org/estore/ProductDetails.aspx?productID=306.
As the professional association representing the full AIM community of providers and end users, AIM Global is uniquely positioned to deliver clear, unbiased, and credible information on auto ID technologies, a broad category of wireless data transmission and data capturing technologies, encompassing RFID."
I haven't read the position paper (more on that below), but I am not sure how you can say that the lobbying group of the RFID industry is "unbiased". Being unbiased suggests being disinterested, which those who make their livelihoods from the products being discussed really aren't. But I digress ...
The document is available for free download from the documents section of the AIM Global website. I didn't download the document, simply because the process to do so involved filling out a huge form that requires information that many would consider intrusive. I just find such forms annoying, since there is no compelling reason given for why the information is necessary. There is no privacy policy and no statement of any kind related to how the information will be used. I am sure that they all mean well, but this registration requirement coupled with no privacy statement significantly undermines whatever their privacy experts have to say on RFID.
Labels: information breaches, rfid
Major online retailers, including eBay and Amazon, have joined forces to create an industry alliance to lobby congress and other legislators on issues such as privacy, internet access, taxation of online purchases and others. The publicity associated with the launch does not suggest the position they are likely to take on privacy, so stay tuned as the group will have its first meeting in the near future. See: TechWeb | E-Business | Major Online Retailers Form Lobbying Group.
Labels: information breaches, retail
The Missouri Department of Transportation has initiated a pilot project that will track cell-phones for traffic management purposes. The authorities say that there is nothing to worry about, since the signals will remain anonymous but privacy advocates like Daniel Solove see this as the thin edge of the wedge of electronic tracking of individuals. See: Tracking cell phones for traffic data.
Labels: information breaches
Thanks to Rob Hyndman for pointing out to me that Google has just updated its privacy policy. Rob notes that it has given notice of the update via the Official Google Blog:
Our ongoing privacy efforts
10/14/2005 04:28:00 PM
Posted by Nicole Wong, Associate General Counsel
We updated our privacy policy today. We know privacy is important to our users, and it's important to us, too. That's why we work hard to let people know how we collect and use personal information to provide our services. A clearly written privacy policy is part of this effort. In this update, most of the terms are the same, but there are two important differences:
First, we created a short, one-page "highlights" notice summarizing our privacy practices. We hope this is easy to digest and understand at a glance. Second, we provided even more detail about our privacy practices in the full-text privacy policy and lots more detail in the accompanying FAQs. The goal of both is to help you make informed choices about using our services.
Designing privacy protection and user choice into Google products is an ongoing effort. Please let us know how we're doing. Permalink
Labels: google, information breaches, privacy
Thursday, October 13, 2005
The Star Herald of Kosciusko, Mississippi is suggesting that all business should check ID when customers use credit cards and cheques. This minor inconvenience would reduce the likelihood of ID theft and fraud: Inconvenience could stop ID theft.
Labels: information breaches
Wednesday, October 12, 2005
Canadian information technology companies are players on a global stage. Few large information technology projects are restricted to only one country, and any venture into electronic commerce invariably crosses borders. No ambitious Canadian IT company is content to narrow its sights to the domestic market. Lawyers advising these businesses have always had to maintain an awareness of legal developments elsewhere, but the last few years have brought with them a range of new laws that affect their southward-looking clients. No area of law has seen as much change as that touching upon the protection of personal information.
The one law that has received the greatest publicity and, perhaps, the greatest scrutiny, is the USA Patriot Act, which was passed by the Congress within two months of the terrorist attacks of September 11, 2001. This law does not single out the technology industry, but a number of its provisions have had a particular impact on cross-border services, regardless of the direction in which those services flow. Section 505 of the USA Patriot Act short-circuits ordinary search warrant requirements and allows the Federal Bureau of Investigation to have access to records such as financial records, credit reports, ISP logs and transactional records for intelligence, counter-intelligence and anti-terrorism purposes by use of a "national security letter". The recipient of a national security letter is required to hand over the information requested and is specifically precluded from informing the individual concerned that the US government has sought access to the information. When information on Canadians is within the jurisdiction of the United States, privacy advocates fear that this information will be too readily made available to law enforcement, who are able to dispense with the usual "probable cause" requirements. Information in the custody of a US company (or a subsidiary) in Canada may be within the Act's jurisdiction.
In May of 2004, the Information and Privacy Commissioner of British Columbia initiated a public consultation on whether these provisions of the USA Patriot Act would infringe upon the privacy of British Columbians following an announcement by the BC Government that it would outsource the processing of medicare claims to a Canadian subsidiary of a US company. The request for submissions resulted in more than five hundred contributions from individuals and organizations throughout Canada.
As was pointed out in a number of submissions to the BC Commissioner, personal information has always been available for law enforcement, intelligence and anti-terrorism investigations, regardless of where the information actually resides. The principal effect of the BC Commissioner’s report was to shine a spotlight on the cross-border sharing of personal information and to raise awareness – some might say paranoia – about Canadian personal information being stored in the United States. The attention to the issue spawned significant changes to the BC public sector privacy law and put government outsourcing under the microscope. Many outsourcing customers, government included, are now including language to prohibit the transfer of personal information outside of Canada, and in some cases outside the home province of the customer.
Legal changes in California’s privacy laws are spilling over to other states and are having an impact upon Canadian technology companies. California’s trail-blazing consumer privacy law, which has been followed in a number of US states, requires that organizations notify affected individuals whose personal information may have been compromised or accidentally disclosed. The California law is intended to operate extra-territorially. These laws not only place the company in the uncomfortable position of having to notify customers, but also provide penalties for failing to do so. The California law in particular has prompted the recent deluge of public disclosures of privacy and security breaches in the United States and has also increased consumer expectations on both sides of the border. Similar provisions have found their way into Ontario’s relatively new Personal Health Information Protection Act and the concept of mandatory notification will undoubtedly be considered as part of the five year review of the Personal Information Protection and Electronic Documents Act.
In an era in which privacy and security are perceived to be clashing on a regular basis and in which identity theft is characterized as one of the fastest-growing crimes, it should not be surprising that technology lawyers have to grapple with privacy on a more regular basis, both as a customer-relations issue and as a significant regulatory concern. At least a baseline knowledge of the legal regimes on both sides of the border is necessary to get a sense of the big picture when advising clients.
Labels: bc, breach notification, health information, identity theft, information breaches, outsourcing, patriot act, phipa
Prime Minister Paul Martin says that the proposed new wiretap law will protect the civil rights of Canadians, but that's hard to evaluate since the bill hasn't been publicly produced. Regardless, the opposition is up in arms: Globetechnology: Martin defends new wiretap bill.
Labels: information breaches
I've been invited to speak on October 30 at the Fall Refresher for the Nova Scotia College of Pharmacists on privacy liability and pharmacy practice. The brochure for the full, two-day event is available here. If you are interested in the presentation materials, e-mail me at david.fraser@mcinnescooper.com.
Labels: information breaches, presentations, privacy
Police in Rochester, Washington held a public forum recently and reinforced the connection between identity theft and addiction to methamphetamines:
Identity theft worse; don't let yourself be yet another victim: “Rochester is kind of unique: They not only steal your garbage, but your entire garbage can,” said detective Sgt. Jim Dunn in discussing new kinds of identity theft. He and detective Roland Weiss described the many kinds of identity crimes, including a woman with a baby stroller loading up from mailboxes she passes.
Our state is eighth in the nation for identity theft and it’s an exploding problem, they said.
And, chillingly, they linked the high incidence here to another huge crime problem we have in Lewis and Thurston counties and surrounding areas — methamphetamine use and abuse. Meth users not only need the money they obtain from identity theft to finance their drug addiction, when they are high on it they find new and clever ways to steal, Dunn said.
You’ve heard of meth labs — now there’s identity theft labs, temporary quarters found in hotel rooms, for example, where all the tools needed for buying, selling and exchanging personal information have been found.
Thanks to Identity Theft Spy for the link.
Labels: identity theft, information breaches
Tuesday, October 11, 2005
A typo in the fax number printed on certain Amazon.com invoices has sent a flood of faxes related to corporate credit accounts to the fax machine of a Seattle small business. Reminiscent of the CIBC faxing incident we've seen here in Canada: The Seattle Times: Business & Technology: Amazon.com error floods man with faxes. The most interesting aspect of the story is how difficult it was for the poor guy who received the faxes to get Amazon's attention.
Thanks to Rob Hyndman for the pointer: robhyndman.com - Privacy Breaches and Fax Floods, Redux.
Labels: information breaches
According to a study recently reported in the Arizona Republic, a significant portion of "identity" fraud is committed by people known to the victims and most fraudsters who are not known to the victim get their information using low-tech means:
Identity theft? Culprit is likely a friend or relative:"...According to one recent study, by Javelin Strategy & Research, a consulting firm in Pleasanton, Calif., in 26 percent of all cases the fraud victims knew the person who had misused their personal information. (Typically it was a family member, friend or neighbor, or in-home employee.) In addition, as much as 50 percent of debit-card fraud occurs when a card is snagged by a family member or friend who knows the card's personal-identification number, according to a recent report from TowerGroup, a unit of MasterCard International Inc.
The term 'identity theft' is often used loosely to describe a wide array of crimes. But true identity theft occurs when someone uses stolen information to create a new form of identity, such as opening a new credit-card account under the victim's name. That differs significantly from other kinds of bank fraud, such as when a criminal uses a stolen ATM card to get cash out of a teller machine.
Whether it's full-blown ID theft or small-scale fraud, even in cases where the criminal is a stranger, it's almost never a case of sophisticated computer hacking. Although 75 percent of all households use the Internet and 65 percent of those do some online banking, 'most criminals obtain personal information through traditional rather than electronic channels,' according to the Javelin study. Some 29 percent of victims surveyed said their personal information was obtained through a lost or stolen wallet, checkbook or credit card.
According to the study, the bulk of the rest were attributed to friends and relatives, corrupt employees, stolen mail, Dumpster-diving, and computer spyware. Computer viruses or hackers accounted for only 2.2 percent of incidents. While there has been a significant increase in the number of electronic attempts at identity theft, "the ones that are working are the traditional ones," said James Van Dyke, Javelin's president...."
Labels: identity theft, information breaches
According to the New York Times, IBM is the first major corporation to make a commitment to its 300K employees that it will not use genetic information to determine eligibility for employment or employment benefits, such as health plans. See: I.B.M. to Put Genetic Data of Workers Off Limits - New York Times.
Labels: health information, information breaches
Monday, October 10, 2005
The New York Times from October 1, 2005 has a very good and very in-depth article on the effect of identity theft on its victims. The article also outlines some scarily clever ways that fraudsters are wringing money out of unsuspecting victims, including bogus income tax refunds. Read it here: For Victims, Repairing ID Theft Can Be Grueling - New York Times.
Labels: identity theft, information breaches
Ken Rubin, an access to information advocate, writes in the Hill Times about the latest wrangling over access to information and law reform in Ottawa:
Access Commissioner John Reid produces his own access bill: Justice Minister Irwin Cotler has been promising a draft government access bill to the House Access to Information Committee, but has so far not delivered. So Access Commissioner John Reid produced his own.
Labels: information breaches
Sunday, October 09, 2005
The President of the Air Miles program in Canada recently spoke in Vancouver, suggesting that retailers are missing out on the true benefit of his loyalty program. It's not being able to say "hey, we give you Air Miles so shop here", but rather to build a more intimate relationship with your customers (via data mining):
Retailers missing the point of loyalty reward programs, Air Miles head says - Yahoo! News: VANCOUVER (CP) - Retailers have lost their way and have become too focused on using loyalty reward programs as a currency to attract customers, says the president of Air Miles.
Bryan Pearson says most retailers are neglecting the wealth of shopper data that is collected by the programs that could be used to better market to their customers, which was one of the purposes the program was created in the first place.
"Points are really viewed as discounts or an alternative way to get something extra and that's not a bad thing, but I'm not sure it's sustainable in the long run," Pearson said in an interview Thursday.
Labels: information breaches, loyalty cards, privacy, retail
An Arizona appeals court has held that unsolicited text messages to a cell phone violate a federal anti-telemarketing law originally aimed at voice calls. See Court: Federal Law Bans Text-Message Spam - Mobile News - Designtechnica.
Labels: information breaches, telemarketing
It may be hard to have sympathy for the privacy of the people listed on this website, but ...
A Miami woman has produced what is becoming a popular website for women to alert other women to cheating husbands, boyfriends, etc. At www.dontdatehimgirl.com, members can upload photos and details about men they think have cheated on them. Interestingly, their privacy policy has nothing to say about the information of the people listed on the site.
For info, check out the article in the Miami Herald: Herald.com | 09/28/2005 | On website, women identify cheaters.
Labels: information breaches
Sorry. Couldn't resist that headline.
City authorities in Boston are planning to require all beer vendors to send the names and particulars of everyone who buys a keg of beer in the city to the local police, so that the cops can drop by parties to check on how things are going. The privacy aspect of this is commented upon, albeit briefly:
Bloomberg.com: U.S.: 'Big Brother' Watching
``Big Brother is watching,'' [Boston Detective Tom Sexton] said, in a reference to the George Orwell novel ``1984.'' ``I guess in some respects we are. But we're doing so for good reasons.''
Invasion-of-privacy arguments don't hold up, [Boston Licensing Board Chairman] Pokaski said.
``There's no privacy when alcohol is concerned because it is a highly regulated commodity,'' he said.
Labels: information breaches
Newsday is running an article from the Washington Post on the availability, through certain card issuers, of temporary credit card numbers for online or over-the-phone purchases. The service is designed to assuage the common fears associated with using credit cards online: Newsday.com: Gaining peace of mind when shopping online.
Labels: information breaches
A closed Blockbuster video outlet reportedly dumped piles of membership application forms on a sidewalk. The forms contained very sensitive information that would be more than enough to give an identity thief a good run at the video store's members: name, address, social security number, phone number, credit card and expiry and other information. From the New York Daily News:
It's fraud gold mine: East Side Blockbuster dumps customers' records on street
By TRACY CONNOR
DAILY NEWS STAFF WRITER
Blockbuster forms on sidewalk with credit card numbers.
A shuttered Blockbuster video store carelessly dumped hundreds of files containing customers' Social Security and credit card numbers on a busy upper East Side sidewalk.
The Daily News discovered the stacks of confidential paperwork - a gold mine for scam artists - scattered like ordinary litter on Lexington Ave. near 85th St. on Thursday.
The trash pile included recent membership applications, each revealing the customer's birth date, address, phone number, driver's license number and signature.
More alarming, each application also contained a credit card number and expiration date, and many included a Social Security number.
"That makes me really mad," Kerry Norton, 29, a city teacher told The News after learning that her personal data had been left on the street for anyone to take.
"It's horrendous. You would think you could trust a big company like that. They should have shredded them."
Rebecca Pruthi, a 32-year-old doctor, said she was "disturbed" that a major corporation would fail to take basic steps to protect customers' privacy.
"I make sure my garbage at home is shredded," she said. "People do go through garbage on the street in New York, and this could have been dangerous."
Privacy expert Eric Gertler agreed. He said in the information age anyone who disposes of records without shredding is flirting with disaster.
"In the wrong hands, the information is very valuable to identity thieves, scammers, hackers and other bad guys," said Gertler, author of "Prying Eyes" and CEO of Blackbook Media.
For instance, a thief could use the credit card and address information to order merchandise online - a scam that might go unnoticed until the victim got their next bill.
With a Social Security number, a crook could do even more damage, essentially assuming the victim's identity and applying for loans, credit cards and cell phones in their name.
"In the wrong hands, your personal information is gold," Gertler said. "There's no question that these customers were at risk."
Blockbuster's corporate headquarters said it was investigating the breach and would discipline the employee responsible.
"Our corporate policy is applications must be safely secure under lock and key and must be destroyed when no longer kept on file," spokesman Randy Hargrove said.
"Our top concern is the privacy of our customers and we believe what you are reporting to us is an isolated incident."
The manager of the Lexington Ave. branch, who declined to give his name, blamed the Sanitation Department for failing to pick up the trash Thursday.
But he couldn't explain why the applications weren't shredded and were instead left in clear garbage bags after the store shut its doors for good.
He also could not say why he didn't haul the files back inside after the bags broke open, spilling the papers on the sidewalk.
"It's appalling," said upper East Side resident Deborah Glass, 46, another Blockbuster patron. "I can't believe it."
Originally published on October 8, 2005
Labels: information breaches
The technology currently exists to replace PINs with supposedly unbreakable biometrics, such as fingerprint and retina scans. It is being used in other countries, but it has yet to break into the North American market due to the privacy concerns associated with using such data and the expense involved in replacing or upgrading the thousands of ATMs around. From the Associated Press: AP Wire | 10/09/2005 | Privacy concerns, expense keep fingerprinting, eye scans out of U.S. ATMs.
Labels: information breaches
Today's San Francisco Chronicle has a column by David Lazarus about the difficulties in not only understanding some companies' privacy policies, but also knowing which applies as financial companies merge, sell accounts and outsource:
Looking-glass world of privacy policies:"Companies do so much bed hopping, it's hard to keep track of who's sleeping with whom, much less which firm's privacy policy is in force for consumers at any particular time. "
Lazarus quotes a particularly sketchy policy, which essentially means the company will do everything it can legally do with your info. In the US, that's a lot of stuff:
"We do not disclose any nonpublic, personal information about our introduced customers or introduced former customers to anyone except as permitted by law."
That just wouldn't fly under PIPEDA.
Labels: information breaches, privacy
Saturday, October 08, 2005
As of this week, the US Government requires all airlines, cruise ship companies and others to provide the Department of Homeland Security with detailed passenger information in standard, electronic format. The Practical Nomad notes this new development and offers a strong opinion on the new regulations. While the government may have an interest in obtaining this information, the author is more than a little upset that passengers are required to hand it over to the carriers (which are often unregulated in what they do with the info), who then pass it to the government:
The Practical Nomad blog: USA requires passenger details from international airlines: "... But that's not what the rule requires: the rule gives travellers no option to provide the required information directly to the CBP. Instead, the rule requires airlines to provide passengers' personal information to the CBP, effectively requiring travellers -- if the airlines are to be able to comply, without which airlines' passengers won't be allowed to travel -- to turn over their information to the airlines as well as the government.
Both the final rule and the PIA entirely ignore the implications of requiring passengers to provide detailed personal information to, at a minimum, airlines (and, in most cases, other companies such as Computerized Reservation Systems (CRS's) and travel agencies), under government order, without imposing any restrictions whatsoever on the ability or authority of the recipient airlines and other companies to use, rent, or sell the information that passengers will be forced to give them, without any requirement for notice or consent. This government-compelled transfer of rights in personal data to unregulated private entities is the real violation of privacy rights in the new rule...."
Labels: air travel, information breaches
Law.Com's Legal Technology department has an interesting article on the use of e-mails of former employees in connection with litigation. The article is entirely New York-centric. That being said, it is an interesting read though your mileage may vary when you cross the border: Legal Technology - Are Private E-Mails Really Private?.
Labels: information breaches
Privacy laws and a fear of other forms of liability have caused many companies to stop giving references about former employees. Some HR folks have their own way around that ....
The legal way around all this is for the hiring company to get a written consent that not only allows it to check references but also stands as written authority for anybody with relevant information to disclose it to the company. Or you can just talk about the weather ...
Labels: information breaches
Friday, October 07, 2005
Today's Direct Marketing News carries an op/ed piece by Robert Gellman, a Washington-based privacy consultant. He reviews three recent decisions of the BC, Alberta and Federal Privacy Commissioners. I can't say that I disagree with much of what he says, particularly his comments on the Federal Commissioner's finding related to envelope stuffers. See the article here: DMNews.com | News | Article.
Labels: alberta, information breaches
A short while ago, I was interviewed for an article in Legion Magazine, a Canadian publication for veterans and active armed forces personnel, about access to medical records. If you're interested, you can read it online here: Legion Magazine: Access to medical records.
Labels: information breaches, media-mention, vanity
The pendulum has swung the other way and some customers of ChoicePoint are a little upset at how vigilant the company is being about how it screens its customers. Even law enforcement agencies are being subjected to random audits and on-site inspections: RedNova News - Technology - ChoicePoint Struggles to Strike Balance.
Labels: choicepoint, information breaches
I must have missed this one last week ...
The Chief Electoral Officer of Canada apparently thinks that he'd break the law that prevents disclosing the national list of electors, if the circumstances were right. He wants the law amended so that he could provide the list to organizations like CSIS in certain circumstances:
ottawasun.com - National/World - Chief would mull sharing voters list: "Canada's chief electoral officer says he'd consider illegally sharing the confidential federal voters list in the interest of public safety.
Jean-Pierre Kingsley says the law should be changed to allow him to release the list under certain conditions, such as inquiries from Canada's spy agency.
CSIS could use the voter database as it tries to protect citizens, Kingsley said yesterday.
"Of course I can understand why that may raise some alarms. But I also understand that CSIS is a legal entity in this country," he said. "And if they're the ones asking me for something, and I find it reasonable, I'll go along with it -- if the statute is changed.
"Right now if anybody comes to see me and asks me for information -- where I could save lives potentially -- I can't give it. I'd have to break the law. It might even be possible that I would break the law if those were the circumstances."
In a report to Parliament, Kingsley also says he should have new powers to review financial reports from parties."
Labels: information breaches
The editorial writers at the San Francisco Chronicle aren't too thrilled with the recent US District Court ruling that has gutted the protections in California's financial privacy law (background: The Canadian Privacy Law Blog: US Federal Court Preempts Landmark California Privacy Law):
Put your faith in the bank?:"...State Sen. Jackie Speier, D-Hillsborough, was ahead of the curve in pushing legislation that would restrict the ability of banks, insurance companies and brokerages to share and sell their customers' personal information without permission. Speier's SB1 was signed into law by then-Gov. Gray Davis in August 2003.
The financial-services industry has since rolled out the heavy legal artillery to try to undercut SB1's privacy protections. The industry gained a significant victory this week when U.S. District Judge Morrison England ruled that federal law prevents states from restricting the flow of information among their affiliates. The federal Fair Credit Reporting Act allows affiliated companies to share information about customers' "credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living."
Considering that many big-name institutions count their affiliates in the thousands -- in myriad lines of business -- the ruling means that Californians' personal information will be spread far and wide for marketing and other purposes.
"We're fighting the Bush administration on federal pre-emption all the time," said Attorney General Bill Lockyer, whose office put up the defense for SB1. "They are consistently on the side of banks and financial institutions on all of these consumer protection lawsuits."
The judge did preserve one key provision of SB1 -- a ban on the sale of customer information to third parties without permission.
This decision once again turns the focus on Congress to provide all Americans with more meaningful privacy protections. This nation needs to require encryption and other security precautions on financial data, require the notification of customers when breaches occur -- and adopt what California lawmakers thought would become a national model of customer control over how their personal information is distributed."
Labels: breach notification, information breaches
A laptop containing sensitive customer information has been stolen from a "service provider" to the Bank of America:
Bank of America notifying customers after laptop theft | InfoWorld | News | 2005-10-07 | By Robert McMillan, IDG News Service: "... In letters sent to Buxx users and dated Sept. 23, the Charlotte, North Carolina, bank warned that customers may have had their bank account numbers, routing transit numbers, names and credit card numbers compromised by the theft. Visa Buxx is a prepaid credit card for teenagers that the Bank of America (BofA) stopped selling in January.
The laptop, which belonged to an unnamed Bank of America 'service provider' was stolen on Aug. 29, said Diane Wagner, a BofA spokeswoman. The bank was notified of the theft on Sept. 9, and began sending out the letters after a two-week investigation, she said...."
Labels: information breaches, laptop
I generally do a pretty good job of "staying on message" with the privacy stuff, but sometimes you just have to get the word out about other things...
This was on the phone pole at the bottom of my driveway this afternoon. So if you happen to be in Halifax and you've seen this bunny, give me a call. I am sure that'll make a little kid in my neighbourhood very happy.
Labels: information breaches
CNN Money reports that RBC Dain Rauscher, a subsidiary of the Royal Bank of Canada, is investigating a possible theft of personal information:
RBC Dain Rauscher says client information stolen - Sep. 27, 2005:"NEW YORK (Reuters) - RBC Dain Rauscher, a unit of Royal Bank of Canada, said Tuesday it is investigating the possible theft of the identities of a small number of its customers.
According to the bank, a person claiming to be a former employee of RBC Dain Rauscher sent anonymous letters to some of its customers saying their personal information had been stolen.
RBC Dain Rauscher said it is working with local and federal authorities, including the Federal Bureau of Investigation, and has hired an outside firm specializing in identity theft to probe the matter.
Identity theft by some estimates affects more than 9 million Americans each year.
MasterCard International in June said a security breach had exposed about 40 million credit cards to potential fraud.
RBC Dain Rauscher said it had set up a 24 hour-a-day hotline for customers who have received the suspicious letter. "
Labels: identity theft, information breaches
MSNBC has some additional coverage of the recent Ponemon Institute survey that I blogged about last week (The Canadian Privacy Law Blog: Survey says security breaches cost companies customers): Bad-news data letters push consumers to stray - Security - MSNBC.com.
The Free Internet Press also has a thing or two to say about it: Free Internet Press - Millions Dump Companies That Leaked Personal Info.
Labels: information breaches
John Coghlan, the new CEO of Visa USA, recently spoke at a conference on cardholder security and called for tougher data protection laws, including a requirement to notify affected individuals of security/privacy incidents. This is a bit surprising, given that Visa USA recently argued in court that they shouldn't have to notify cardholders of such incidents (The Canadian Privacy Law Blog: Credit card companies head to court over disclosure obligation). For reporting on Coghlan's speech, see: Visa CEO calls for data protection laws, incentives | InfoWorld | News | 2005-10-05 | By Grant Gross, IDG News Service.
Additional coverage here: Visa Hosts Industry Leaders at First Security Summit: Financial News - Yahoo! Finance.
While it may appear a bit counter-intuitive, companies with robust policies and procedures should be calling for mandatory notification since their more lax competitors will be shown as not doing enough to protect personal information. And that's good for the companies that are proactive about security and privacy.
Labels: breach notification, information breaches
Thursday, October 06, 2005
The Privacy Commissioner of Canada has released her Annual Report to Parliament. There are actually two reports: the first related to the Privacy Act and the second based on PIPEDA. Here's the release for your consideration while I digest the report itself:
News Release: Privacy Commissioner's 2004-2005 Annual Report on the Privacy Act tabled in Parliament - Commissioner calls for reform to the Privacy Act (October 6, 2005): "Privacy Commissioner’s 2004-2005 Annual Report on the Privacy Act tabled in Parliament – Commissioner calls for reform to the Privacy Act
Ottawa, October 6, 2005 – The Privacy Act is an outdated and often inadequate public sector data protection law, according to the Privacy Commissioner of Canada, Jennifer Stoddart, in her 2004-2005 Annual Report on the Privacy Act, which was tabled today by Parliament. The Privacy Commissioner's 2004 Annual Report on the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's private sector privacy law, was also tabled today.
In her 2004-2005 Annual Report on the Privacy Act, the Commissioner highlights some of the most significant issues her Office has faced in the past year. These include security and the voracious appetite for personal information and surveillance that has sprung up in the post-9/11 environment, and the sharing of information and outsourcing of data operations across borders. She also emphasizes the long overdue need to modernize the Privacy Act, a first generation privacy law which has not been substantially amended since its inception in 1983.
"The privacy landscape is infinitely more complex today than it was a decade ago," states Ms. Stoddart. "Faced with increased globalization and extensive outsourcing of personal information processing and storage, Canada's Privacy Act lags woefully behind."
In her report, the Commissioner elaborates on the situation and explains some of the important things for the government to consider in updating the Privacy Act, for example:
- There are gaps in the Privacy Act's coverage. Many institutions, including the Office of the Privacy Commissioner of Canada, are not subject to privacy law.
- Under the Privacy Act, only those present in Canada have the right to seek access to their personal information. This means airline passengers, as well as immigration applicants, foreign student applicants, and countless other foreigners with information in Canadian government files, have no legal right to examine or correct erroneous information, to know how their information is used or disclosed, or to complain to the Commissioner.
- Although government use of data matching arguably poses the greatest threat to individuals' privacy, the Privacy Act is silent on the practice. Government institutions should be obligated to link personal records in discrete systems only when demonstrably necessary, and under the continued vigilant oversight of the Commissioner.
- Complainants may only seek a Court review of, and remedies for, denials of access to their personal information. This means that allegations of improper collection, use and disclosure may not be challenged before the Court, and the subsequent benefit of the Court's guidance on all government institutions is lost. Nor does the Privacy Act contemplate remedies for any damages caused by government actions.
- The weaknesses of the Privacy Act are even more striking when the law is measured against PIPEDA. In fact, several of the Commissioner's concerns could be remedied by adopting provisions similar to those in PIPEDA.
In addition to pointing out the flaws of the Privacy Act, the Commissioner also calls for a more comprehensive and consistent approach to managing privacy in the federal government. She recommends seeking improvements to the current system through the development of a privacy management framework. A privacy management framework should be designed to help departments protect the personal information they control by identifying the inherent privacy risks, and how best to mitigate those risks.
This year, for the first time, the Commissioner has published two separate annual reports, dividing the Privacy Act from PIPEDA. The Privacy Act requires the Office to report on the fiscal year (2004-2005), while under PIPEDA, it must report on the calendar year (2004). As well, each Act provides a separate framework for investigations and audits. There is much overlapping between the reports because many of the Office's activities are not particular to one law or another and, increasingly, the policy issues are common across the two regimes.
The Office of the Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy rights in Canada.
Labels: information breaches, privacy, surveillance
Stay tuned ... the Privacy Commissioner of Canada will be tabling her Annual Reports to Parliament later today: Privacy Commissioner of Canada's Annual Reports to Parliament.
Labels: information breaches
This really sounds like a comedy of errors that ceases to be funny when you realize the real medical records from real people are involved. The Canadian Press is reporting that a recycling company gave away -- yes, gave away -- loads of medical records to a movie company for use as props. They were strewn about a movie set to make it look like New York on September 11th. The Ontario Information and Privacy Commissioner is on the case:
Bloomberg.com: Disney Unit Probed for Using Real Medical Records, Star Says: "Oct. 2 (Bloomberg) -- Walt Disney Co.'s Touchstone Television will be investigated for possibly breaking Ontario privacy laws when it used real patient medical records during a filming in Toronto, the Toronto Star said today.
The "fake garbage" that littered a downtown street yesterday for the filming of a show about the Sept. 11 terrorist attacks in the U.S. were actually medical documents, including ultrasounds and X-rays, from a Toronto clinic. They included patient names and addresses and government health insurance numbers, the newspaper said.
Ontario privacy commissioner Ann Cavoukian said she would begin an investigation, the Star reported. Ontario's Ministry of Health also plans to start an investigation, spokesman David Spencer told the newspaper.
An unidentified Touchstone Television spokesman told the Star the company removed the documents from the scene when it learned of the contents and they would not be used again..."
See also: Littered health records probed.
Labels: health information, information breaches
Wednesday, October 05, 2005
Canada and the European Union have signed an agreement for the transatlantic transfer of passenger data. I haven't seen the actual accord yet, but both sides are naturally talking about how wonderful it is and how it incorporates robust data protection standards.
Air Transport World Daily News: "European Union and Canada signed an agreement allowing the transfer of selected API/PNR data by airlines flying from the EU to Canada. 'The agreement strikes a good balance between security requirements and the data protection standards required under EU and Canadian law, thus making an important contribution to the fight against terrorism,' the European Commission said in a statement, noting that the negotiations took 'over two years of painstaking work.' The EC said the agreement with Canada gives further enhanced data protection compared to the deal concluded with the US last year, and a smaller number of data elements are involved. In addition, carriers will initiate the transfer of data using the so-called 'push' system. The European Parliament is trying to get the agreement with the US blocked and has lodged an appeal against it with the European Court of Justice. The court's ruling is expected in the coming months. The accord with Canada will enter into force once notes have been exchanged confirming that the Canadian side has completed the internal regulatory changes necessary for full implementation."
Labels: air travel, information breaches
Major thanks are due to Rob Hyndman for pointing me to a very cool presentation given by Dick Hardt (of Sxip and Identity2.0) at O'Reilly's Open Source Con. The presentation has loads of style as well as substance about what is meant by "Identity 2.0" and how it is hoping to make your credentialed identity portable on the 'net.
Identity2.0 - OSCON Presentation: "As the online world moves towards Web 2.0, the concept of digital identity is evolving, and existing identity systems are falling behind. New systems are emerging that place identity in the hands of users instead of directories. Simple, secure and open, these systems will provide the scalable, user-centric mechanism for authenticating and managing real-world identities online, enabling truly distinct and portable Internet identities."
You can choose to see the presentation in QT, Flash, WinMedia, etc.
Labels: information breaches, privacy
Tuesday, October 04, 2005
Oh. My. God. Wired has found a handful of people whose personal information is not on the internet, but are somehow able to live fulfilled lives. Where bloggers try to get Google hits, more than a few people try really hard to stay below the Google radar: Wired News: 'UnGoogleables' Hide From Search.
Labels: google, information breaches, privacy
Chris Hoofnagle of Epic West reports that a US District Court has ruled that some of the ground-breaking rules in California's privacy law are pre-empted by the federal Fair Credit Reporting Act: EPIC West: Electronic Privacy Information Center West Coast Office: Federal Court Preempts Landmark California Privacy Law
UPDATE: More coverage:
Tough bank privacy law thrown out: "SACRAMENTO - A U.S. District Court judge on Tuesday struck down a portion of a California law that restricts banks from selling consumers' private information to their affiliates, ruling that the state law is pre-empted by federal rules.
The American Bankers Association, the Financial Services Roundtable and Consumer Bankers Association had sued California Attorney General Bill Lockyer, arguing that the federal Fair Credit Reporting Act already regulated their ability to sell such information to affiliates in other lines of business.
The federal act lets banks and other financial institutions share information with affiliates about customers' 'credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living.'
The 2003 California financial privacy law forced companies to offer consumers the right to opt-out of sharing such information...."
Labels: information breaches
Jay Cline of Carlson Companies Inc. has an interesting opinion piece in Computerworld about how privacy is not just a risk-management issue, but rather an opportunity to build stronger relationships with your customers: What's your company's privacy strategy? - Computerworld. There are two equally interesting sidebars to the article: Be Prepared and Legal Niceties.
Computerworld's recent package of articles also includes the interesting Data Scandal on how companies should avoid and prepare for security/privacy incidents.
Labels: information breaches
Hot on the heels of the announcement that CyberSource was planning to acquire CardSystems, VISA USA now says it will delay by three months its planned termination of its relationship with CardSystems. This may ultimately lead to the survival of the embattled transactions processor: Visa delays plan to cut ties with CardSystems - Computerworld.
Labels: cardsystems, information breaches
Sorry for the complete lack of updates for almost a week. A firm retreat in Brudenell, PEI from Thursday to Sunday conspired with a huge load of real work on my desk to keep me away from the blog. But I'm back ...
Labels: information breaches
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.