The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

About this page and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

For full contact information and a brief bio, please see David's profile.

Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.

Small Print

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.

Saturday, October 17, 2009

Laptop searches at airports infrequent, DHS privacy report says 

Computerworld is reporting on the first report of the Department of Homeland Security Privacy Office since the changeover to the Obama administration. The report itself is interesting, but perhaps most interesting are the statistics related to the number of searches of laptops at border crossings. This has been a controversial practice since reports on it came to light some time ago. I was surprised to read that fewer than two thousand took place in the year under review, in light of the millions of people (and laptops) that have crossed the border during that time.

Here's Computerworld's coverage: Laptop searches at airports infrequent, DHS privacy report says.


Friday, June 26, 2009

"Clear" may put customer information up for sale 

Clear, the for-profit company that pre-screened travellers so they could breeze through airport security, recently went out of business. Now there is a suggestion that the personal information it compiled may be put up for sale. According to the report (below), the buyer would have to be a company providing a similar service and approved by the Transportation Security Administration.

Out of business, Clear may sell customer data ITworld

by Robert McMillan

June 26, 2009, 08:18 AM — IDG News Service — Three days after ceasing operations, owners of the Clear airport security screening service acknowledged that their database of sensitive customer information may end up in someone else's hands, but only if it goes to a similar provider, authorized by the U.S. Transportation Security Administration.

Until this week, the Clear service had given customers a way to skip long security lines in certain airports. For a $199 annual fee, air travelers could be pre-screened for flight and then use Clear's security checkpoints instead of the TSA's. Clear was run by New York's Verified Identity Pass, which also shut down on Monday.

Customers had to provide personal information, including credit card numbers, fingerprints and iris scans in order to participate in the program. After Clear abruptly shut its doors -- it has not yet declared bankruptcy -- some worried that this data could fall into the wrong hands.

"They had your social security information, credit information, where you lived, employment history, fingerprint information," said Clear customer David Maynor, who is chief technical officer with Errata Security in Atlanta. "They should be the only ones who have access to that information."

Maynor wants Clear to delete his information, but that isn't happening, the company said in a note posted to its Web site Thursday.

Clear's IT partner, Lockheed Martin, is working with the company "to ensure an orderly shutdown as the program closes," Clear said. But in a section of the note entitled, "Will personally identifiable information be sold?" Clear acknowledged that it could be used by someone else, presumably if Clear's assets were sold. "If the information is not used for a Registered Traveler program, it will be deleted," Clear said.

Boasting more than 260,000 customers, Clear was the largest private company authorized to provide airport security services, under a TSA program called Registered Traveler. Other providers, who may now be interested in purchasing Clear's assets, include Flo and Preferred Traveler.

Until Clear's demise, Registered Traveler companies operated in about 20 airports nationwide. Once a traveller has registered with any one of these companies, he is given a travel card that can be used for security screening by any company in the Registered Traveler program.

Last year the TSA temporarily yanked Clear's Registered Traveler status after the company lost an unencrypted laptop containing data on 33,000 customers at San Francisco International Airport. A few days later, Clear was allowed back into the program after the laptop mysteriously reappeared and the TSA determined that Clear was properly encrypting data.

Although it appears to be retaining information on its central databases, Clear said it has erased PC hard drives at its airport screening kiosks, and it is wiping employee computers as well, using what it calls a "triple wipe process." This technique, used by the U.S. Department of Defense, is considered to be a reliable way of erasing data.

"Clear is communicating with TSA, airport and airline sponsors, and subcontractors, to ensure that the security of the information and systems is maintained throughout the closure process," the company said.

Customers will be notified via e-mail when their information is deleted.

That wasn't good enough for Maynor. "How about the opposite? Where if they sell my information, they send me an e-mail," he said.

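As an added example, not code from Clear, Lockheed Martin or the ITworld article, here is what a three-pass overwrite with read-back verification looks like in Python. The pass patterns (all-zero, all-one, random), the chunk size, the sample file of fake enrolment records and the function names are my assumptions for illustration; the article does not say what Clear's "triple wipe process" actually wrote.

```python
"""Three-pass overwrite ("triple wipe") of a file, with read-back verification.

Added example: not Clear's, Lockheed Martin's or the article's code. The
pass patterns (all-zero, all-one, random), chunk size and function names
are assumptions for illustration; the article does not say what Clear's
"triple wipe process" actually wrote.
"""
import hashlib
import os
import secrets
import tempfile

# One entry per pass: a single byte to repeat, or None for fresh random bytes.
PASSES = (b"\x00", b"\xff", None)
CHUNK = 64 * 1024


def _chunk_for(pattern, n):
    """Return n bytes of the given pass pattern (random if pattern is None)."""
    return secrets.token_bytes(n) if pattern is None else pattern * n


def overwrite_file(path, passes=PASSES, chunk=CHUNK):
    """Overwrite every byte of path once per pass, fsync, then read it back.

    Returns the number of passes that verified. Raises RuntimeError on the
    first pass whose read-back hash differs from what was written, so a
    write that silently went elsewhere is not reported as a wipe.
    """
    size = os.path.getsize(path)
    verified = 0
    for pattern in passes:
        written = hashlib.sha256()
        with open(path, "r+b") as f:
            remaining = size
            while remaining:
                data = _chunk_for(pattern, min(chunk, remaining))
                f.write(data)
                written.update(data)
                remaining -= len(data)
            f.flush()
            os.fsync(f.fileno())          # push this pass to the device
        read_back = hashlib.sha256()
        with open(path, "rb") as f:
            for block in iter(lambda: f.read(chunk), b""):
                read_back.update(block)
        if read_back.digest() != written.digest():
            raise RuntimeError("pass %d did not verify" % (verified + 1))
        verified += 1
    return verified


def wipe_file(path, passes=PASSES):
    """Overwrite, truncate to zero length and unlink. Returns the pass count."""
    n = overwrite_file(path, passes)
    with open(path, "r+b") as f:
        f.truncate(0)
    os.unlink(path)
    return n


def demo():
    """Wipe a constructed sample file of fake enrolment records.

    Returns (passes_verified, file_still_exists).
    """
    fd, path = tempfile.mkstemp(prefix="clear-sample-")
    with os.fdopen(fd, "wb") as f:
        for i in range(5000):                   # constructed, not real data
            f.write(b"member %05d ssn 000-00-0000 iris <blob>\n" % i)
    passes = wipe_file(path)
    return passes, os.path.exists(path)


if __name__ == "__main__":
    print("passes verified=%d, still exists=%s" % demo())
```

Two things the read-back check cannot tell you: whether the bytes reached the physical blocks that held the old data, and whether copies exist elsewhere. On SSDs (wear levelling, over-provisioned flash), on journaling or copy-on-write filesystems, and wherever snapshots or backups exist, an in-place overwrite may never touch the original blocks, so a pass count of three proves little about the medium. The dependable route for a decommissioned laptop or kiosk is whole-disk encryption from the start with the key destroyed at retirement (cryptographic erase), or the drive's own secure-erase command, with an overwrite like this as a supplement rather than the control.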

Alberta Commissioner fed up with unencrypted laptops 

I can just imagine Frank Work's expression of exasperation in uttering the quote attributed to him in the following media release:

Level of security on stolen laptops simply not acceptable, says Commissioner

June 24, 2009


Information and Privacy Commissioner Frank Work is perplexed with news that two laptops containing health information stolen from Alberta Health Services (AHS) were not encrypted. “This is shocking for me...I don’t know what we have to do to drive this message home” says the Commissioner. “The standard in Alberta for storing personal or health information on portable devices is encryption. I can’t accept anything less. This is highly sensitive information and an issue of public trust. How can the public have faith in public bodies if they can’t provide security for personal information?”

Two laptops with health information of more than 300,000 people were stolen earlier this month. Information on the laptops included names, birth dates, personal health numbers and lab test results for communicable and reportable diseases.

The Commissioner says AHS did have layers of protection on those laptops, but the final layer simply was not there, and while the risk might be low, there is still a risk: “A person with motivation and sufficient skills could still access the information. Risk remains without properly implemented encryption. The measures they had in place are better than nothing, but not good enough.”

Work says, “Encryption technology is readily available, and if you are going to store personal information on a portable device, you had better make sure that encrypting that information is a priority, a part of your business model, and an everyday occurrence, like making sure the door is locked before you leave home.”

The Office of the Information and Privacy Commissioner has launched an investigation into this matter. Work says, “We will be working very closely with AHS to make sure they understand their obligations and to ensure that steps are taken to prevent this from happening again”.

I pity the (next) fool who loses an unencrypted laptop in Alberta.


Tuesday, February 03, 2009

Cross-border laptop searches: the view from Canada 

I had the opportunity this morning to speak at the Ontario Bar Association's annual CLE extravaganza on the topic of cross border laptop searches. I was joined by David P Sanders of Williams Mullen in Washington, DC.

For those who may be interested, here is my presentation that was given at the session:

The ultimate conclusion is that Canadian border authorities have similar powers to search your laptop when you cross into Canada.

In case Google Documents isn't being helpful, here it is as a PDF: Border searches - OBA Institute - DFRASER.pdf.


Friday, January 02, 2009

The Canadian Privacy Law Blog is Five! 

Five years ago, on January 2, 2004, a new age of privacy was creeping across Canada and this blog was born. The day before, at the stroke of midnight, the Personal Information Protection and Electronic Documents Act (Canada) had come fully into force. The Alberta and British Columbia Personal Information Protection Acts also became effective on the first day of 2004.

Since then, we have seen dramatic changes in privacy throughout the world: Identity theft is on the rise; there have been literally thousands of data breaches exposing the personal information of millions of people; governments are looking for easier access to personal information; video surveillance is more widespread; more personal information is generated digitally and aggregated in private hands.

And in the past year specifically, things have remained interesting on the privacy front. We've seen debate over changes to PIPEDA without anything definitive coming from the mandatory five year review. We've also seen arguments put forward to reform the public sector Privacy Act. Focus has also been drawn to the increasing practice of examining laptops at US border crossings. Litigation between Viacom and Google has raised awareness of log information that's often retained by internet companies. And Google has also been sued by a couple claiming their privacy has been violated by presenting pictures of their house in Google Street View. But in the last year, the one big privacy story that was supposed to have the largest impact on Canadians was the implementation of the National Do Not Call List. Whether it has, in fact, had an impact is the subject of debate.

I'd like to thank the many thousands of readers of the blog for visiting this site and thanks to those who have contacted me with comments, compliments, suggestions and links to interesting news. It's been a pleasure to write and I plan to keep it going as long as there's interesting privacy news to report.

Birthday cake graphic used under a creative commons license from K. Pierce.


Thursday, October 09, 2008

Senators introduce bill to curb border crossing laptop searches 

Two senators have introduced a bill to curb controversial laptop searches and seizures, limiting them to when there is a reasonable suspicion of illegal activity:

Techworld - Privacy groups praise bill curbing warrantless laptop searches

Feingold's bill spells out standards for search and seizures of electronic equipment belonging to US travelers at airports and other borders. The biggest condition is that such searches may be initiated only if the customs agent has "reasonable suspicion" that the traveler is carrying contraband or items otherwise prohibited in the country, or because the traveler is prohibited from entering the US. The equipment may be seized only if the DHS secretary, or a relevant federal or state law enforcement agency, obtains a probable-cause warrant on the belief that the equipment contains information that either violates a law, provides evidence of illegal activity or is foreign intelligence material.


Friday, August 01, 2008

Nomadic laptops can expect the rubber glove treatment 

There's been a bit of a buzz lately about laptop inspections by the Department of Homeland Security (Crossing the border? Consider the possibility of laptop searches, Hands off my laptop, Your papers and laptops, please?, US Customs confiscating laptops). Today, the Washington Post is reporting on recently disclosed policies used by the DHS to take and inspect laptops:

Travelers' Laptops May Be Detained At Border (washingtonpost.com)

... The policies state that officers may "detain" laptops "for a reasonable period of time" to "review and analyze information." This may take place "absent individualized suspicion."

The policies cover "any device capable of storing information in digital or analog form," including hard drives, flash drives, cell phones, iPods, pagers, beepers, and video and audio tapes. They also cover "all papers and other written documentation," including books, pamphlets and "written materials commonly referred to as 'pocket trash' or 'pocket litter.' "

Reasonable measures must be taken to protect business information and attorney-client privileged material, the policies say, but there is no specific mention of the handling of personal data such as medical and financial records.

When a review is completed and no probable cause exists to keep the information, any copies of the data must be destroyed. Copies sent to non-federal entities must be returned to DHS. But the documents specify that there is no limitation on authorities keeping written notes or reports about the materials.

"They're saying they can rifle through all the information in a traveler's laptop without having a smidgen of evidence that the traveler is breaking the law," said Greg Nojeim, senior counsel at the Center for Democracy and Technology. Notably, he said, the policies "don't establish any criteria for whose computer can be searched." ...

If you want to take a look at the policy itself, it's here.

Thanks to Rob Hyndman for the tipoff.


Friday, July 11, 2008

Privacy protections disappear with a judge's order 

More commentary on the Viacom v. Google/YouTube case, this time from MIT's Technology Review:

Technology Review: Privacy protections disappear with a judge's order


By Associated Press

NEW YORK (AP) _ Credit card companies know what you've bought. Phone companies know whom you've called. Electronic toll services know where you've gone. Internet search companies know what you've sought.

It might be reassuring, then, that companies have largely pledged to safeguard these repositories of data about you.

But a recent federal court ruling ordering the disclosure of YouTube viewership records underscores the reality that even the most benevolent company can only do so much to guard your digital life: All their protections can vanish with one stroke of a judge's pen.

"Companies have a tremendous amount of very sensitive data on their customers, and while a company itself may treat that responsibly ... if the court orders it be turned over, there's not a lot that the company that holds the data can do," said Jennifer Urban, a law professor at the University of Southern California.

In the past, court orders and subpoenas have generally been targeted at records on specific individuals. With YouTube, it's far more sweeping, covering all users regardless of whether they have anything to do with the copyright infringement that Viacom Inc., in a $1 billion lawsuit, accuses Google Inc.'s popular video-sharing site of enabling.

It's a scenario privacy activists have long warned about.

"What we're seeing is (that) the theoretical is becoming real world," said Lauren Weinstein, a veteran computer scientist. "The more data you've got, the more data that's going to be there as an attractive kind of treasure chest (for) outside parties."

U.S. District Judge Louis L. Stanton dismissed privacy arguments as speculative.

Last week, Stanton authorized full access to the YouTube logs -- which few users even realize exist -- after Viacom and other copyright holders argued that they needed the data to prove that their copyright-protected videos for such programs as Comedy Central's "The Daily Show with Jon Stewart" are more heavily watched than amateur clips.

"This decision makes it absolutely clear that everywhere we go online, we leave tracks, and every piece of information we access online leaves some sort of record," Urban said. "As consumers, we should all be aware of the fact that this sensitive information is being collected about us."

Mark Rasch, a former Justice Department official who is now with FTI Consulting Inc., said the ruling could open the floodgates for additional disclosures.

Though lawyers have known to seek such data for years, Rasch said, judges initially hesitant about authorizing their release may look to Stanton's ruling for affirmation, even though U.S. District Court rulings do not officially set precedent.

The YouTube database includes information on when each video gets played. Attached to each entry is each viewer's unique login ID and the Internet Protocol, or IP, address for that viewer's computer -- identifiers that, while seemingly anonymous, can often be traced to specific individuals, or at least their employers or hometowns.

Elsewhere, search engines such as Google and Yahoo Inc. keep more than a year of records on your search requests, from which one can learn of your diseases, fetishes and innermost thoughts. E-mail services are another source of personal records, as are electronic health repositories and Web-based word processing, spreadsheets and calendars.

One can reassemble your whereabouts based on where you've used credit cards, made cell phone calls or paid tolls or subway fares electronically. One can track your spending habits through loyalty cards that many retail chains offer in exchange for discounts.

Though companies do have legitimate reasons for keeping data -- they can help improve services or protect parties in billing disputes, for instance -- there's disagreement on how long a company truly needs the information.

The shorter the retention, the less tempting it is for lawyers to turn to the keepers of data in lawsuits, privacy activists say.

With some exceptions in banking, health care and other regulated industries, requests are routinely granted.

Service providers regularly comply with subpoenas seeking the identities of users who write negatively about specific companies, at most warning them first so they can challenge the disclosure themselves. The music and movie industries also have been aggressive about tracking individual users suspected of illegally downloading their works.

Law enforcement authorities also turn to the records to help solve crimes.

The U.S. Justice Department had previously subpoenaed the major search engines for lists of search requests made by their users as part of a case involving online pornography. Yahoo, Microsoft Corp.'s MSN and Time Warner Inc.'s AOL all complied with parts of the legal demand, but Google fought it and ultimately got the requirement narrowed.

In the YouTube case, Viacom largely got the data it wanted.

Google has said it would work with Viacom on trying to ensure anonymity, and Viacom has pledged not to use the data to identify individual users to sue. The YouTube logs will also likely be subject to a confidentiality order.

But privacy advocates warn that there's no guarantee that future litigants will be as restrained or that data released to lawyers won't inadvertently become public -- through their inclusion as an attachment in a court filing, for instance.

And retailers, government agencies and others are regularly announcing that personal information, stored without adequate safeguards, is being stolen by hackers or lost with laptops or portable storage drives.

"You just never know," said Steve Jones, an Internet expert at the University of Illinois at Chicago. "There are some circumstances under which what seems to be private information is going to be shared with a third party, and the court says it's OK to do that."

Copyright Technology Review 2008.


Saturday, July 05, 2008

Keep your friends close, but your laptop closer ... Especially in airports 

According to a recent study conducted by the Ponemon Institute, 10,000 laptops are lost or stolen each week in US airports. While the commentary on this study talks about confidential business information, I am confident that the majority of these laptops also contain personal information. See: PC World - Business Center: Laptops Lost Like Hot Cakes at US Airports.


Monday, June 16, 2008

Pedophile fears as student profiles, pictures go in Queensland education database 

Just because you can doesn't mean you should.

Parents' groups are up in arms in Australia after it was revealed that an intranet database of all students in the state of Queensland is being implemented and will be available to all employees of the education system. The database will include a vast range of information:

The intranet database, dubbed OneSchool, will profile each of the state's 480,000 public school students enrolled from Prep to Year 12.

Photographs, personal details, career aspirations, off-campus activities and student performance records are being collected from all 1251 state schools.

Parents fear that it will become a catalogue for pedophiles, while the Education Minister for the state says inclusion will be mandatory.

However Civil Liberties Council vice-president Terry O'Gorman yesterday said parents should be concerned, warning the OneSchool system could put students' privacy at risk.

Mr O'Gorman called for the system to be restricted so principals and teachers could access data only on their own students, with non-teaching staff excluded and no access for home computers or laptops.

"Why should anyone other than the teacher of a particular student and the principal of that school have a right to know what a child's academic performance is, behavioural status is or what their life aims are?" he said.

"It just puzzles me as to how it can have any possible benefit to centralise that information, whereas it has a clear privacy downside."

See: Pedophile fears as student profiles, pictures go on net The Courier-Mail. Via Australian educational authority forcing kids into invasive database - Boing Boing.


Wednesday, June 04, 2008

Privacy Commissioner tables annual PIPEDA report 

The Privacy Commissioner of Canada tabled her annual report to Parliament on the Personal Information Protection and Electronic Documents Act for 2007 on June 3, 2008.

The report is here: Annual Report to Parliament 2007 Report on the Personal Information Protection and Electronic Documents Act - Privacy Commissioner of Canada.

Here is the accompanying media release:

Lack of basic privacy and security measures causing major data breaches, Privacy Commissioner says

Tabling of Privacy Commissioner of Canada's 2007 Annual Report on the Personal Information Protection and Electronic Documents Act

Ottawa, June 3, 2008 — Too many data breaches are occurring because companies have ignored some of the most basic steps to protect personal information, says the Privacy Commissioner of Canada, Jennifer Stoddart.

The Commissioner’s 2007 Annual Report on the Personal Information Protection and Electronic Documents Act (PIPEDA) was tabled today in Parliament.

“Many companies need to do more to prevent inexcusable security breaches,” Commissioner Stoddart says. “Too often, we see personal information compromised because a company has failed to implement elementary security measures such as using encryption on laptops.”

Voluntary privacy breach guidelines which the Office of the Privacy Commissioner (OPC) developed with business and consumer groups, and published last summer, appear to be prompting more organizations to report breaches.

The OPC has received 21 voluntary breach reports in the first five months of 2008. Last year, there were 34 voluntary reports of breaches to the OPC – up from a total of 20 reports in 2006.

Over the last few years, hundreds of thousands of Canadians have been affected by data breaches.

“Many organizations want to be good corporate citizens and do the right thing,” says Commissioner Stoddart. “While the increased number of reports is a positive sign, it’s clear we still aren’t hearing about every breach which could have a harmful impact on people.”

Financial institutions are reporting the largest number of breaches to the OPC. Some telecommunications, insurance and retail companies have also reported breaches.

The OPC is concerned that few small- and medium-sized enterprises are reporting breaches.

Examples of reported breaches include the theft of laptops containing unencrypted personal information, data tapes lost in transit, improperly discarded paper records, and misdirected faxes.

Information the OPC is collecting from the voluntary reports is helping to shed light on some of the common problems which are leading to breaches.

It is clear, for example, that unprotected laptops remain a huge issue which companies must address. Many breaches related to electronically stored data, often customer information stored on stolen laptop computers. Almost nine in 10 people whose data was compromised by a self-reported breach in 2007 were put at risk because their personal information was held in an electronic format that was either not secured or lacked adequate protection mechanisms such as firewalls and encryption.

Other breaches occurred because employees had not followed established company practices. Companies can address this problem by providing ongoing privacy training, yet a poll commissioned by the OPC last year found only a third of all businesses had trained staff about their responsibilities under Canada’s privacy laws.

The OPC strongly supports a plan by Industry Canada to introduce mandatory breach notification. Reporting requirements will encourage businesses to do more to reduce the risk of a data breach and ensure all organizations are playing by the same rules. They will also ensure Canadians are notified about serious breaches.

Industry Canada has prepared draft breach notification reporting rules and is now fine-tuning this model based on stakeholder input.

The current proposals suggest the federal government is generally headed in the right direction and that Canada will have a breach reporting regime which is both reasonable and flexible.

As the federal government completes its work on reporting requirements, the OPC continues to investigate a wide range of privacy complaints.

The OPC received 350 new PIPEDA complaints during 2007. Almost one third of complaints involved financial institutions. As in past years, other major sectors for complaints were telecommunications, insurance, sales and transportation. The annual report is available on the OPC website.

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.

To view the report:

Annual Report to Parliament 2007 — Report on the Personal Information Protection and Electronic Documents Act (Adobe format)


Thursday, May 29, 2008

Hands off my laptop 

The Canadian Press and CanWest are reporting that the Canadian government is seriously considering implementing an anti-counterfeiting trade agreement that would, among other things, permit ex parte searches for allegedly infringing materials. This raises the spectre of customs and border enforcement authorities searching laptops, iPods and other electronic devices.

Copyright deal could toughen rules governing info on iPods, computers

....The deal would create an international regulator that could turn border guards and other public security personnel into copyright police. The security officials would be charged with checking laptops, iPods and even cellular phones for content that "infringes" on copyright laws, such as ripped CDs and movies.

The guards would also be responsible for determining what is infringing content and what is not.

The agreement proposes any content that may have been copied from a DVD or digital video recorder would be open for scrutiny by officials -- even if the content was copied legally.

"If Hollywood could order intellectual property laws for Christmas what would they look like? This is pretty close," said David Fewer, staff counsel at the University of Ottawa's Canadian Internet Policy and Public Interest Clinic. "The process on ACTA so far has been cloak and dagger. This certainly raises concerns." ...

In light of the private copying exception that is in the current Copyright Act, I can't imagine that a border guard has any ability to determine whether an MP3 is "infringing".


Saturday, May 17, 2008

Cleanse or secure your electronics before crossing the border 

Over the past weeks, I've done a lot of travelling. First to Geneva and then to the US. On both occasions, I had to be very mindful of what information I have on my laptop and my USB drives, since I am subject to the Personal Information International Disclosure Protection Act.

This new law prohibits the export of personal information by Nova Scotia public bodies and their service providers. As a lawyer to a number of public bodies and an instructor at Dalhousie Law School, my laptop and BlackBerry are subject to those laws. Since I didn't want to go to the bother of asking the chief executive of each public body I work for whether I had one-off permission to take their data with me (and since I wouldn't need their data on the road), I had to delete all traces of such personal information from my portable electronics. While this is a concern for public bodies in Nova Scotia and their service providers, it's also a concern for anyone who is crossing the border into the United States, as customs officers are increasingly scrutinizing laptops at the border.

Bruce Schneier, who always has interesting things to say, has an article in the Guardian on how to secure your laptops if you're taking them into the US. It's a good read and probably something to bookmark to read next time you're crossing the frontier: Read me first: Taking your laptop into the US? Be sure to hide all your data first Technology The Guardian.


Tuesday, April 22, 2008

US border agents given unfettered access to travelers' laptops 

A US federal appeals court has overturned a lower court ruling that had restricted laptop searches at the border. The 9th Circuit Court of Appeals, in a unanimous three-judge ruling, held that border agents need no suspicion at all, let alone probable cause, to rummage through portable electronics.

Border Agents Can Search Laptops Without Cause, Appeals Court Rules Threat Level from Wired.com

... Federal agents at the border do not need any reason to search through travelers' laptops, cell phones or digital cameras for evidence of crimes, a federal appeals court ruled Monday, extending the government's power to look through belongings like suitcases at the border to electronics.

The unanimous three-judge decision reverses a lower court finding that digital devices were "an extension of our own memory" and thus too personal to allow the government to search them without cause. Instead, the earlier ruling said, Customs agents would need some reasonable and articulable suspicion a crime had occurred in order to search a traveler's laptop.

On appeal, the government argued that was too high a standard, infringing upon its right to keep the country safe and enforce laws. Civil rights groups, joined by business traveler groups, weighed in, defending the lower court ruling.

The 9th U.S. Circuit Court of Appeals sided with the government, finding that the so-called border exception to the Fourth Amendment's prohibition on unreasonable searches applied not just to suitcases and papers, but also to electronics.

Via Boing Boing.

Previously: Canadian Privacy Law Blog: Crossing the border? Consider the possibility of laptop searches, Canadian Privacy Law Blog: Your papers and laptops, please?, Canadian Privacy Law Blog: US Customs confiscating laptops.


Monday, March 31, 2008

Ontario's Commissioner recommends PHIPA to Americans 

Last week's New York Times had an editorial on Safeguarding Private Medical Data:

... These are good steps, but a larger solution is needed. There should be a federal law imposing strict privacy safeguards on all government and private entities handling medical data. Congress should pass a bill like the Trust Act, introduced by Representative Edward Markey, a Democrat of Massachusetts, imposing mandatory encryption requirements and deadlines for notifying patients when their privacy is breached. As the N.I.H. has shown, medical privacy is too important to be left up to the medical profession.

In today's edition, Ontario's Information and Privacy Commissioner responds:

Ontario’s Example on Privacy - New York Times

To the Editor:

Re: Editorial: Safeguarding Private Medical Data (March 26, 2008)

I couldn’t agree with you more. In Ontario, we take privacy very seriously, especially when it comes to medical data.

Four years ago, we passed the Personal Health Information Protection Act, or Phipa, and haven’t looked back. This law provides solid privacy protection for health data but doesn’t act as a barrier to the delivery of health services. It doesn’t interfere with health care but ensures that it comes wrapped in a layer of privacy.

As privacy commissioner of Ontario, I can investigate complaints and issue orders if Phipa is breached. One order I issued requires that any identifiable health data must be encrypted if removed from a health care facility on a laptop or any other medium.

Medical privacy is far too important to be left to chance, or to the well intentioned. Strong legislated safeguards are needed.

Take a look at Phipa, which could serve as an excellent model.

Ann Cavoukian

Toronto, March 27, 2008


Sunday, March 09, 2008

Crossing the border? Consider the possibility of laptop searches 

As March Break is almost in full swing, it's timely to read Computerworld's recent 5 things you need to know about laptop searches at U.S. borders. State sovereignty usually means that a country has total control over who and what gets in, and traditional searches are being extended to laptop searches. This makes sense on one level but seems futile, as any traveller can upload illicit digital content before crossing into the US and then download it on the other side of the border.

But searches are happening, so make sure you delete from your computer all content that you wouldn't want disclosed as part of such a search. Lawyers should particularly remove any privileged content they don't need to be taking with them. And if you're a public servant from BC, Alberta or Nova Scotia, you can't take it with you thanks to the USA Patriot Act blocking legislation in your province.


Thursday, February 07, 2008

US Customs confiscating laptops 

Boing Boing reports that Consumerist reports that the Washington Post reports that US Customs are continuing their practice of requiring some travellers to log into their laptop computers and provide data to the government. In some cases, they're confiscating the computers on a promise of returning them in a few days. This is problematic from a privacy point of view, but I also have to wonder what would happen with a lawyer crossing the border whose laptop is full of privileged info.


Saturday, February 02, 2008

NL data breach caused by P2P program 

The Justice Minister of Newfoundland and Labrador says a recent data security breach was caused by the P2P program LimeWire, which had been installed on a laptop used by a consultant. See: LimeWire led to data breach: N.L. justice minister.


Sunday, January 20, 2008

Incident: Personal info on 600K UK military recruits on stolen laptop 

The Register reports that a laptop containing the personal information of 600,000 UK military recruits was stolen from a naval officer's car. See: Join the army, get your ID pinched - MoD laptop goes AWOL | The Register.


Friday, December 28, 2007

Privacy resolutions from the PCC 

Privacy resolutions from the Privacy Commissioner of Canada:

News Release: Do you resolve to protect your privacy in 2008? (December 27, 2007) - Privacy Commissioner of Canada

Do you resolve to protect your privacy in 2008?

OTTAWA, December 27, 2007 – Threats to the privacy rights of Canadians will intensify in 2008 unless organizations resolve to do more to protect personal information, warns Privacy Commissioner of Canada Jennifer Stoddart.

“Heightened national security concerns, the growing business appetite for personal information and technological advances are all potent – and growing – threats to privacy rights,” says Commissioner Stoddart.

“The coming year will be another challenging one for privacy in Canada.”

With that prediction in mind, Commissioner Stoddart today released her 2008 list of top 10 suggested New Year’s resolutions for businesses, individuals and government.

Resolutions for businesses in Canada:

1. Protect personal information with strong security.

More than 162 million records were compromised by theft or loss in 2007, triple the number of data losses for the previous year, according to a USA Today analysis of breaches in the US, Canada and other countries. This alarming trend can be reversed if businesses begin to recognize the value of personal information. The disastrous breach involving Winner’s and HomeSense stores is an example of what can go wrong if businesses don’t invest in the latest security.

2. Use encryption to protect personal information on mobile devices such as laptops.

We are seeing too many headlines about personal information at risk because a laptop has been lost or stolen. Organizations must ensure personal information on a mobile device is encrypted – protecting information stored on a laptop with a password is simply not enough.

3. Ensure credit card processing equipment masks complete card numbers on receipts.

Complete credit card numbers should not be printed on receipts for electronically processed transactions. Businesses were supposed to switch to electronic processing equipment that masks card numbers – for example, by printing Xes – by the end of 2007. Printing complete card numbers exposes customers to the risk of identity theft. (Some very small businesses may still be manually taking imprints of cards because it is not economically feasible for them to purchase electronic equipment. They should still take all steps necessary to protect the information they collect.)

Resolutions for Canadians:

4. Think twice before posting personal information on social networking sites.

Many Facebook and Myspace users think of these sites as private, when, in reality, the information they post can often be seen by just about anyone. Before posting something, ask questions such as: How would I feel defending this comment or photo during a job interview five years from now? Am I harming someone else or invading someone’s privacy by posting this comment, photo or video? We like this simple rule of thumb: If Grandma shouldn't know, it shouldn't be posted.

5. Ask questions when someone asks for personal information.

It’s a good idea to understand why information such as your phone number or postal code, or driver’s licence is being requested and how it will be used. If you are concerned about receiving junk mail or telemarketing calls, decline to provide the information. Canada’s privacy laws offer you a choice about providing personal information that is not necessary for a transaction.

6. Take steps to protect your personal information.

Invest in a good shredder or burn all documents that include your name, address, SIN, financial information or other sensitive personal information. Papers containing personal information don’t belong in the recycling bin.

Resolutions for the federal government:

7. Overhaul the no-fly list to ensure strong privacy protections for Canadians.

The no-fly list involves the secretive use of personal information in a way that has very serious impact on privacy and other human rights. Innocent Canadians face the very real risk they will be stopped from flying because they’ve been incorrectly listed or share the name of someone on the list.

8. Move forward with proposed reforms to Canada’s privacy laws.

The federal government is currently holding consultations on important amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA). These proposed changes include mandatory breach notification, a step that would encourage businesses to take security more seriously and protect Canadians against identity theft.

We also urge the federal government to open a review of the Privacy Act, which will be celebrating its 25th anniversary in 2008. Canadians should be offered the same level of legal protection under the Privacy Act as they have, as consumers, under PIPEDA.

9. Ensure that identity theft legislation is swiftly passed.

The government has introduced Criminal Code amendments to help police stop identity thieves or fraudsters before Canadians suffer actual financial harm. The changes include explicit penalties for collecting, possessing and trafficking in personal information.

10. Develop anti-spam legislation.

Canada remains the only G-8 country without anti-spam legislation, raising the danger that we will become a harbour for spammers. Halting the proliferation of spam is another important measure necessary to address identity theft.

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.


Thursday, November 29, 2007

Whole disk encryption made easy 

If you have a laptop, you should read Bruce Schneier's commentary in Wired: How Does Bruce Schneier Protect His Laptop Data? With His Fists -- and PGP.


Sunday, November 18, 2007

Incident: Laptop containing pensioners' personal information stolen from bureaucrat's home 

CBC is reporting that a laptop containing personal information on more than a thousand pensioners was stolen from a bureaucrat's home in Gatineau, Quebec. The government has notified the 1600 affected individuals. It appears the laptop was not supposed to leave the building. The Privacy Commissioner is investigating. See: Private information stolen from civil servant's home.


Thursday, November 15, 2007

Alberta commissioner: "It's just nuts that we're not looking after this stuff better"

After an investigation into a stolen laptop from Alberta Capital Health, Frank Work has expressed some exasperation about how personal information is being protected:

Safeguard cyber-privacy

The Edmonton Journal

Thursday, November 15, 2007

Crafting sophisticated privacy legislation has never been more important, as lawmakers struggle to keep up with technological advances. And yet all the statutes in the world are no excuse for common sense.

"It's just nuts that we're not looking after this stuff better," exclaimed an exasperated Frank Work on Tuesday. Work, Alberta's information and privacy commissioner, had just released a report investigating the May theft of four laptop computers at a Capital Health office.

The study concluded that Capital Health had contravened the Health Information Act by not taking adequate security precautions. This was in spite of two previous warnings about the need for encryption programs. Capital Health has promised that it will have encryption for laptops installed by January and will soon provide the commissioner with a detailed implementation plan for other changes. Let's hope so.

Not that Capital Health is alone. Work also announced another investigation into the theft of a memory stick storing personal details of 560 students attending Edmonton Catholic Schools. An employee of the board's school bus company kept the stick in her purse. The school board now insists bus carriers' memory sticks must be encrypted.

The hope is that other organizations are paying attention. Breaches in consumer information security have made all of us think twice when ordering online or even at the local cash register.

To be fair, a lot of bright people are working on this and lessons have been learned. Still, coming to terms with the storehouse of private information most of us carry around daily in various devices is everyone's business. As technology moves forward, we must remember that privacy is too precious to be taken lightly. That begins at home, at work and at school.


Tuesday, May 15, 2007

Social Security Cards to go biometric 

One of two initiatives in Congress, which may never see the light of day, would replace the flimsy social security card with a biometric ID that employers would be required to verify before employing anybody.

National ID: Biometrics Pinned to Social Security Cards

The Social Security card faces its first major upgrade in 70 years under two immigration-reform proposals slated for debate this week that would add biometric information to the card and finally complete its slow metamorphosis into a national ID.

The leading immigration proposal with traction in Congress would force employers to accept only a very limited range of approved documents as proof of work eligibility, including a driver's license that meets new federal Real ID standards, a high-tech temporary work visa or a U.S. passport with an RFID chip. A fourth option is the notional tamper-proof biometric Social Security card, which would replace the text-only design that's been issued to Americans almost without change for more than 70 years.

A second proposal under consideration would add high-tech features to the Social Security card allowing employers to scan it with specially equipped laptop computers. Under that proposal, called the "Bonner Plan," the revamped Social Security card would be the only legal form of identification for employment purposes.

Neither bill specifies what the biometric would be, but it could range from a simple digital photo to a fingerprint or even an iris scan. The proposals would seem to require major changes to how Social Security cards are issued: Currently, new and replacement cards are sent in the mail. And parents typically apply for their children before they're old enough to give a decent fingerprint.

There are also logistical problems to overcome before forcing all of the nation's employers to verify a biometric card -- given the nation has millions of employers, many of whom may not have computer equipment at all....


Saturday, March 10, 2007

Hospitals must encrypt patient data on portable devices 

The Information and Privacy Commissioner of Ontario yesterday released order HO-004 under the Personal Health Information Protection Act following the theft of a laptop containing confidential personal health information on 2,900 patients at the Sick Kids hospital in Toronto.

The order requires the hospital

  • to develop or revise and implement policies and procedures that ensure that records of personal health information are safeguarded;
  • to develop a corporate policy that prohibits the removal of identifiable personal health information from the premises. If identifiable personal health information must be removed in electronic form, it must be encrypted;
  • to develop an encryption policy for mobile computing devices, a policy relating to the use of virtual private networks, and a privacy breach policy, and to educate staff regarding the policies and how to secure the information contained on mobile computing devices.

While the order directly relates to a hospital, it would apply to all health information custodians in the province of Ontario and will likely serve as guidance to all health care providers in the country.

For more info, see TheStar.com - News - Sick Kids ordered to encrypt all electronic patient files.


Thursday, February 15, 2007

Taking care of business with the four Ps 

Dawn Jutla of the Saint Mary's Sobey School of Business has a piece in today's Chronicle Herald on information protection that's worth a read:

The ChronicleHerald.ca

Minding your Ps can protect your customers

By DAWN JUTLA / Taking Care of Business

IN 2006, the FBI reported that unauthorized data access — similar to the problem faced by WINNERS’ parent company T.J. Maxx — became the second-most-costly loss in organizations due to computer crime after viruses. As the costs of unauthorized access are on the rise, suppliers will increasingly be asked to provide copies of their security and privacy policies and processes as part of contract agreements.

Security and privacy documents are key communication vehicles for helping employees understand and comply with recommended security and privacy guidelines, as well as learn good security and privacy behaviours. Recent high-profile examples of where policies were not well-formulated, communicated or complied with include AOL’s firing of its chief technology officer after users’ search results were published on the web, and Boeing’s disclosure that the personal information of hundreds of thousands of current and former employees was compromised when an unencrypted laptop was stolen from an employee’s car.

To control unauthorized access from insiders and outsiders, good security policies, at a minimum, address the management of four Ps: Policy guidelines for employees, Patches and updates, Protective software and devices, and Physical security. Security managers, chief information officers and consultants help company executives understand the costs and benefits of the 4Ps. ...

Policy guidelines for employees: ...

Patches and updates: ...

Protective software and devices: ...

Physical security: ....

Dawn Jutla is an associate professor in the department of finance, information systems and management science. Taking Care of Business is a monthly column created by the Sobey School of Business.


Sunday, December 10, 2006

With electronic health records, it's the privacy piece 

I had a great but busy week last week and I'm only just getting caught up on my extracurricular reading...

Last week, the New York Times ran a very interesting and informative article on electronic health records (Health Hazard: Computers Spilling Your History - New York Times). The article confirms what I've believed for some time: the greatest impediment to the adoption of electronic health records is privacy, and most planners are giving that short shrift as they plunge further and further into this new age.

It doesn't help that celebrities, such as former President Clinton, have to check into hospitals under aliases.

“There is a huge potential for technology to improve health care and reduce its cost,” Mr. Bosworth said in a statement. “But companies that offer products and services must vigorously protect the privacy of users, or adoption of very useful new products and services will fail.”

Even before the theft this year of a Veterans Affairs official’s laptop that contained private medical records of 28 million people, a consumer survey found that repeated security breaches were raising concerns about the safety of personal health records.

About one in four people were aware of those earlier breaches, according to a national telephone survey of 1,000 adults last year for the California HealthCare Foundation. The margin of error was plus or minus 3 percentage points.

The survey, conducted by Forrester Research, also found that 52 percent were “very concerned” or “somewhat concerned” that insurance claims information might be used by an employer to limit their job opportunities.

The Markle survey, to be published this week, will report even greater worry — 56 percent were very concerned, 18 percent somewhat concerned — about abuse by employers. But despite their worries, the Markle respondents were eager to reap the benefits of Internet technology — for example, having easy access to their own health records.

...

Still, worries linger across the health care system. Hospital executives say that private investigators have often tried to bribe hospital employees to obtain medical records that might be useful in court cases, including battles over child custody, divorce, property ownership and inheritance.

But computer technology — the same systems that disseminate data at the click of a mouse — can also enhance security.

Mr. Liss, of NewYork-Presbyterian, said that when unauthorized people tried to gain access to electronic medical records, hospital computers were programmed to ask them to explain why they were seeking the information.

Moreover, Mr. Liss said, the computer warns electronic intruders: “Be aware that your user ID and password have been captured.”
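As an added example of the kind of access gate the article describes (not the hospital's or the newspaper's own code), the following Python sketch releases a patient record without ceremony to staff on the patient's care team, requires anyone else to state why they need it before the record is released, and writes every attempt, granted or not, to an audit trail that a privacy officer can later review. The staff names, patient identifiers and record text are constructed; `AccessDenied`, `RecordStore`, the ten-character minimum for a justification and the three-refusal review threshold are assumptions of this example, not anything the article specifies.

```python
"""Justification-gated ("break-the-glass") access to patient records with an audit trail.

Added example: the staff, patients and record text below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple


class AccessDenied(Exception):
    """Raised when a record is not released to the requesting user."""


@dataclass
class AuditEvent:
    when: str            # ISO-8601 UTC timestamp
    user_id: str         # who asked (the user ID only, never the password)
    patient_id: str      # which record
    outcome: str         # "granted", "break_glass" or "denied"
    justification: str = ""


@dataclass
class RecordStore:
    care_teams: Dict[str, Set[str]]            # patient_id -> user IDs with a treatment relationship
    records: Dict[str, str]                    # patient_id -> record text
    audit: List[AuditEvent] = field(default_factory=list)
    min_justification: int = 10                # assumed minimum length of a free-text reason

    def _log(self, user_id: str, patient_id: str, outcome: str, justification: str = "") -> None:
        self.audit.append(AuditEvent(datetime.now(timezone.utc).isoformat(),
                                     user_id, patient_id, outcome, justification))

    def read(self, user_id: str, patient_id: str, justification: str = "") -> str:
        """Return the record, gating users outside the care team behind a recorded reason."""
        if patient_id not in self.records:
            self._log(user_id, patient_id, "denied", "no such record")
            raise AccessDenied("no such record")
        if user_id in self.care_teams.get(patient_id, set()):
            self._log(user_id, patient_id, "granted")
            return self.records[patient_id]
        reason = justification.strip()
        if len(reason) < self.min_justification:
            # No treatment relationship and no usable reason: refuse, but keep the attempt.
            self._log(user_id, patient_id, "denied", "justification required")
            raise AccessDenied("You are not on this patient's care team. State why you need "
                               "the record; this attempt has been recorded under your user ID.")
        # Break the glass: release the record, but the stated reason goes on the record too.
        self._log(user_id, patient_id, "break_glass", reason)
        return self.records[patient_id]


def attempt(store: RecordStore, user_id: str, patient_id: str,
            justification: str = "") -> Tuple[bool, str]:
    """Convenience wrapper: (True, record) on release, (False, reason) on refusal."""
    try:
        return True, store.read(user_id, patient_id, justification)
    except AccessDenied as exc:
        return False, str(exc)


def flag_suspicious(store: RecordStore, threshold: int = 3) -> List[str]:
    """User IDs with at least `threshold` refused attempts, for a privacy officer to review."""
    counts: Dict[str, int] = {}
    for ev in store.audit:
        if ev.outcome == "denied":
            counts[ev.user_id] = counts.get(ev.user_id, 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)


def build_demo_store() -> RecordStore:
    """Constructed sample data: one patient, one treating physician."""
    return RecordStore(
        care_teams={"P-001": {"dr_amy"}},
        records={"P-001": "P-001: constructed sample record, no real patient"},
    )


if __name__ == "__main__":
    store = build_demo_store()
    print(attempt(store, "dr_amy", "P-001"))
    print(attempt(store, "clerk_bob", "P-001"))
    print(attempt(store, "clerk_bob", "P-001", "Covering P-001 on ward 4 during night shift"))
    for ev in store.audit:
        print(ev)
```

The audit event deliberately holds the user ID, the time and the stated reason, not the password: the warning quoted above is effective because the requester is identified, and storing the credential itself would only create a second secret store to protect. `flag_suspicious` is the detection side of the same design, surfacing accounts that keep asking for records they have no relationship with.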


Wednesday, December 06, 2006

Calgary Health Region found in Contravention of Health Information Act over stolen laptop 

The Office of the Information and Privacy Commissioner of Alberta has found that the Calgary Health Region violated the Health Information Act in connection with a stolen laptop:

Calgary Health Region found in Contravention of Health Information Act over stolen laptop:

The Office of the Information and Privacy Commissioner has found that the Calgary Health Region contravened the Health Information Act (HIA), following an investigation into the theft of a laptop computer. The laptop contained a database of more than 1,000 children in a mental health care program, including patient history and treatment details.

Key findings included:

  • The Health Region had policies in place that would have protected the stolen laptop and the information it contained, but those policies were not fully implemented by the Collaborative Mental Health Program.
  • A copy of the entire database was stored on the stolen computer, increasing the number of people affected. Program workers should only have copied the files they needed, rather than the entire database.
  • While the laptop was protected by passwords, this was not adequate given the nature of the information it contained.
  • A knowledgeable and motivated individual could access the data with tools that are readily available on the internet.
  • While the risk of identity theft from the information is low, it cannot be ruled out.
  • Encryption technology would have protected the lost data, but it was not implemented.

The CHR informed the Commissioner's Office of the incident on its own initiative, took immediate action to notify affected individuals and has since implemented measures to secure mobile computers. The Health Region also agreed to follow our Investigator's recommendations.

Investigator Brian Hamilton says, "For the most part the Calgary Health Region does a good job protecting information, and has been taking steps to improve security. Unfortunately, they failed to recognize and address the risks of mobile computing in this program area."

Others can learn from this investigation. The Office of the Information and Privacy Commissioner urges all HIA custodians, public bodies and private sector organizations to follow these recommendations for mobile computing:

  • Perform a Privacy Impact Assessment (or a security risk assessment) before implementing mobile computing.
  • Do not store personal or health information on mobile computing devices unless you need to - consider technologies that allow secure, remote access to your network and data instead.
  • If you must store personal or health information on a mobile device, use encryption to protect the data - password protection alone is not sufficient.
  • Keep the amount of personal or health information stored on mobile computing devices to a minimum, based on your business needs.
  • Periodically check your policies against practice to ensure they reflect reality and remain effective.
  • Provide specific training on mobile computing to staff to ensure they understand the risks and understand how to protect their equipment.

-30-

For more information or to view a copy of Investigation Report H2006-IR-002, visit our website, http://www.oipc.ab.ca/.


Friday, November 17, 2006

British RFID passports cracked 

The Guardian is reporting that Steve Boggan and a friend/computer expert have managed to crack into the supposedly securely encrypted British RFID passports:
Cracked it! (Special reports, Guardian Unlimited):

...By last month, Booth, Laurie and I each had access to a new biometric chipped passport and were ready to begin testing them. Laurie's first port of call was the ICAO's website, where the organisation had published specifications for the new travel documents. This is where he learned that the key to opening up the secure chip was contained in the passports themselves - passport number, date of birth and expiry date.

"I was amazed that they made it so easy," Laurie says. "The information contained in the chip is not encrypted, but to access it you have to start up an encrypted conversation between the reader and the RFID chip in the passport.

"The reader - I bought one for £250 - has to say hello to the chip and tell it that it is authorised to make contact. The key to that is in the date of birth, etc. Once they communicate, the conversation is encrypted, but I wrote some software in about 48 hours that made sense of it.

"The Home Office has adopted a very high encryption technology called 3DES - that is, to a military-level data-encryption standard times three. So they are using strong cryptography to prevent conversations between the passport and the reader being eavesdropped, but they are then breaking one of the fundamental principles of encryption by using non-secret information actually published in the passport to create a 'secret key'. That is the equivalent of installing a solid steel front door to your house and then putting the key under the mat."

Within minutes of applying the three passports to the reader, the information from all of them has been copied and the holders' images appear on the screen of Laurie's laptop. The passports belong to Booth, and to Laurie's son, Max, and my partner, who have all given their permission....


Tuesday, November 14, 2006

Alberta Commissioner investigates stolen laptop 

Some coverage of the Information and Privacy Commissioner of Alberta's investigation of the theft of a laptop containing mental health information of around 1,000 patients: Stolen laptop contained mental health data.


Thursday, November 09, 2006

Alberta Commissioner investigates missing laptop with mental health records 

Hot off the presses from the Information and Privacy Commissioner of Alberta:

Commissioner launches investigation into stolen Calgary Health Region laptop:

Alberta’s Information and Privacy Commissioner has confirmed that his office is investigating the theft of a laptop computer from the home of an employee of the Calgary Health Region. The computer contains the personal health information of approximately 1,000 patients, who received services provided by the Region’s Collaborative Mental Health Department.



Tuesday, October 24, 2006

Your papers and laptops, please? 

The blogosphere has recently been buzzing about what appears to be a growing practice of laptop searches when entering the United States. The NYT had a piece on this yesterday (At U.S. Borders, Laptops Have No Right to Privacy - New York Times) and Boing Boing is linking to it.

It's a long established sovereign right to strictly regulate what comes into a country. Increasingly, information has value and is even regulated from both the export perspective and the import perspective. This appears to be a simple extension of customs officers having the right to go through your dirty clothes on your way back from vacation, but it certainly has privacy effects.

More and more people keep intimate information on their laptops, and crossing a border with one is akin to crossing the border with your personal archives. If they were in paper form, there's no doubt the customs folks would have the right to take a peek. But laptops also often contain information that is a cut above the routine. A lawyer's laptop is full of privileged material and a physician's laptop is full of confidential information. It doesn't sound like there are any protections built into the system to acknowledge this, and that's particularly troubling.


Tuesday, September 26, 2006

Alberta Commissioner faults MD Management for laptop theft 

The Office of the Information and Privacy Commissioner of Alberta has released its investigation report into the missing laptop case (for some background, see: Canadian Privacy Law Blog: Alberta commissioner launches investigation into stolen laptop). In the wake of the theft of a laptop from an employee of MD Management (a subsidiary of the Canadian Medical Association), the Commissioner's office concluded that the organization violated the Personal Information Protection Act by not adequately securing the information of 8,000 customers. See the report here: Investigation Report P2006-IR-005.


Saturday, September 23, 2006

If you have one of the US census bureau's hundreds of missing laptops ... 

Please return it.
CNN.com - Census Bureau loses hundreds of laptops - Sep 21, 2006:

"WASHINGTON (AP) -- The Commerce Department has lost 1,137 laptop computers since 2001, most of them assigned to the Census Bureau, officials said Thursday night."


Thursday, September 07, 2006

Ontario Commissioner and BMO release brochure on information security on the road 

The Information and Privacy Commissioner of Ontario and the Bank of Montreal have just released a brochure related to safety, security and privacy in using mobile devices. Here's the media release:

IPC - Guard the information you take out of the office, urges Privacy Commissioner Ann Cavoukian:

NEWS RELEASE : September 7, 2006

Guard the information you take out of the office, urges Privacy Commissioner Ann Cavoukian

In a number of recent cases, thousands of people have found themselves facing the potential threat of identity theft simply because someone took a laptop – packed with people’s personal information – home with them or on a business trip, and the laptop was later lost or stolen.

Ontario’s Information and Privacy Commissioner, Ann Cavoukian, and BMO Financial Group (BMO) have met this challenge head on by partnering together to create a joint brochure, Reduce Your Roaming Risks – A Portable Privacy Primer, which outlines specific steps that everyone can take to minimize the chance that the information contained on one’s laptop or personal digital assistant (PDA) will be accessed by unauthorized parties.

“With today’s technology, people have the flexibility to connect to their organization’s network from virtually anywhere in the world,” said Commissioner Cavoukian. “But working away from the bricks and mortar office means that you are also working outside of the traditional security layers. You need to re-assess the privacy and security risks associated with working remotely or while travelling.”

“It is critical that you take the steps needed to safeguard all confidential information, whether it be your own, that of your employer, or, most importantly, that of the people who entrusted their personal information to your custody and care, in the belief that it was in safe hands,” said the Commissioner.

“As a financial services provider, it is fundamentally important that we continue to earn the trust and confidence of our customers that their personal information is safe and secure,” said Dina Palozzi, Chief Privacy Officer, BMO Financial Group. “We were pleased to work with Commissioner Cavoukian on the development of the brochure. It’s a timely and relevant tool that all workplaces should make available to any employees who share a responsibility for safeguarding important customer or company information.”

Among the recommendations that the Commissioner and BMO make in the brochure:

  • Always use strong password protection, preferably in conjunction with data encryption;
  • Do not remove any client information from your organization’s network or premises without proper authorization from your supervisor;
  • Remove all confidential information, or any devices containing confidential information, from plain sight in your vehicle. Lock your valuables in the trunk before you start the trip, not in the parking lot of your destination;
  • In public places, do not discuss any confidential information on your cell phone; and
  • Only conduct confidential business on business or personal computers. Do not use public computers or networks, or conduct business in public places.

Laptops, PDAs, Cell Phones:

Laptops, PDAs and, more recently, cell phones, are considered to be the “golden eggs” by identity thieves. Here are some of the precautions the brochure recommends be taken to minimize the risks:

  • Ensure that all of your devices require passwords for access: power-on passwords, screensaver passwords, account passwords. Strong passwords consist of at least eight characters, upper and lower case, numerals and special characters. The password should not be a word that can be found in any dictionary;
  • Enable the automatic lock feature of your device after five minutes of idle time;
  • Encrypt your data according to your company’s policies. This is essential if you transport personal and/or confidential customer data – it should never be left in “plain view;”
  • When no longer needed, remove all confidential data from your devices using a strong “digital wipe” utility program. Do not simply rely on the “delete” function.

Confidential and Financial Information:

If you handle confidential information online or perform financial transactions, then your laptop (and sometimes your PDA) should, at a minimum, have a personal firewall, anti-virus and anti-spyware protection. In addition, install the latest updates and security patches for your mobile devices, including your cell phone.

When connecting to public wireless networks or HotSpots in airports, hotels, coffee shops, etc., bear in mind that these networks are inherently unsafe. Remember the following:

  • Watch out for shoulder surfing – someone “casually” observing the work on your laptop;
  • Never connect to two separate networks simultaneously (such as Wi-Fi and Bluetooth);
  • Do not conduct confidential business unless you use an encrypted link to the host network (such as a Virtual Private Network – VPN).

The brochure also contains advice on what to do if you lose confidential data, as well as providing a quick reference checklist.

Wednesday, August 23, 2006

Privacy hall of shame 

Wired News has released a top ten list for its suggested entries in the "Privacy Debacle Hall of Fame". The countdown is:
Wired News: Privacy Debacle Hall of Fame

10. ChoicePoint data spill
9. VA laptop theft
8. CardSystems hacked
7. Discovery of data on used hard drives for sale
6. Philip Agee's revenge
5. Amy Boyer's murder
4. Testing CAPPS II
3. COINTELPRO
2. AT&T lets the NSA listen to all phone calls
1. The creation of the Social Security Number

The Wired article has more details on each of the above blunders.

Via Concurring Opinions and Rob Hyndman.

Sunday, August 13, 2006

Another VA laptop disappears 

I've stopped writing about privacy breaches as they are becoming too routine, but this one is worth mentioning: After all the media storm, congressional hearings, firings and general ruckus, the US Department of Veterans' Affairs has managed to lose another computer. This one contains data on 38K people. See: Update: Another VA computer missing.

Saturday, August 12, 2006

New article on laptops and privacy 

Michael Power and Roland L. Trope have recently published the first of what I understand to be a regular privacy-specific column in IEEE Security & Privacy. The article is entitled "Lessons for Laptops from the 18th Century". The courts and constitutions of Canada and the United States have steadfastly protected the privacy of the home, but what should courts be doing now that more and more of peoples' intimate lives are chronicled on portable electronic devices? And what of such records that are uploaded using online backup services?

Friday, July 28, 2006

Alberta commissioner launches investigation into stolen laptop 

From the Office of the Information and Privacy Commissioner of Alberta:

OIPC:

News Release: Commissioner launches investigation into stolen laptop

Alberta’s Information and Privacy Commissioner has initiated an investigation into a stolen laptop computer which contains financial and other personal information about possibly 8,000 clients of MD Management, a subsidiary of the Canadian Medical Association.

Click to view more information News Release: Commissioner launches investigation into stolen laptop.

Tuesday, July 18, 2006

Not even the royal laptop is safe 

Apparently a laptop containing Her Majesty's secrets has been stolen from an aide in Buckingham Palace. See: Contractor UK: Contractor steals laptop of royal secrets. I imagine it would be very difficult to steal the identity of Queen Elizabeth, but I suppose stranger things have happened.

Via Pogo Was Right.

Saturday, July 15, 2006

Edmontonian writes about his data breach experience 

In today's Edmonton Sun, Timothy le Riche writes about his recent experience of having his information compromised when an investment advisor lost his laptop:

Identity indemnity

It's been a tough day at work, traffic was crazy getting home, and there you find a letter waiting that warns: "An incident has occurred which may have compromised the security of a file containing some of your personal information."

Great. Just what you need.

The letter that arrived at my house recently was from one of my investment dealers. A laptop computer was stolen, and, unfortunately, it contained client details such as my name, age, month of birth, address, home and office phone and fax numbers, e-mail addresses and some asset information.

They note that the information did not include my day of birth, social insurance number (S.I.N.) nor any banking details.

Even if this thief is able to hack through the password protection to get at the data, I don't think he'll be too impressed with my account. What I'm more concerned about is, of course, identity theft. So that's what I set out to deal with.

Now I'm not too pleased with this investment dealer in that a sensitive laptop could go missing, but I'll give them good marks for how they moved on it. They began by establishing exactly what information was on the computer and then took a series of actions.

First, they sent out a letter to affected investors like me, beginning with apology. Apologies don't solve much but at least offer an appropriate demeanour.

NOTIFIED POLICE

Then, they notified the police - and the letter I received includes the police file number. I can refer to this number in any dispute over future fraudulent charges against me, the letter explains.

My account with the dealer has been flagged. I am assured that extra measures will be applied to ensure validity of any requests on my account.

The dealer notified TransUnion of Canada Inc., one of two main credit reporting agencies, where a fraud warning was placed on my file. This one is important. In addition, the letter suggests that I contact Equifax, the other big credit agency, and flag my name there.

With my name flagged, those agencies will contact me first before issuing any credit under any application with my name on it.

My dealer has also notified the Alberta Privacy Commissioner, and pledges a security review with outside consultation. Finally, they offer phone numbers of top staff - including the chief privacy officer - whom I immediately called the next morning. Again, kudos to them. I was called back quickly. The privacy officer offered some more details and urged me to contact Equifax.

GENERIC FILE

I also called the police. Unfortunately, no single officer is assigned to the report number - it's a generic file. I am directed to the police website for information on identity theft: http://www.police.edmonton.ab.ca/Pages/identitytheft/

Equifax, it turns out, is one of those organizations that doesn't like to talk to people; they would rather have you press a series of phone buttons to deliver information.

I keyed in my S.I.N. and other details, as requested, and then I was informed my account is flagged. A computer voice said they will send me a copy of my credit report.

It is recommended that you check your credit report at least once a year.

Even though my investment dealer had no credit card information, I decided to call MasterCard for more information on identity theft and fraud.

It turns out they provide a free legal advice service to card holders. Top marks to MasterCard as well.

It seems I've tagged all the bases.

Now all I can do is wait.

And brace myself for that credit report - and whatever bad news it might reveal.

Nova Scotia passes USA Patriot Act blocking statute 

In one of the shortest sittings that I can recall, the Legislature of Nova Scotia has passed the Personal Information International Disclosure Protection Act, also known as Bill 19.

Nova Scotia Legislature - House Business - Status of Bills

Bill No. 19 An Act to Protect the Personal Information of Nova Scotians from Disclosure Outside Canada

Hon. Murray K. Scott Minister of Justice

First Reading June 30, 2006

Second Reading (Second Reading Debates) July 6, 2006

Law Amendments Committee July 10, 2006; July 11, 2006

Committee of the Whole House July 13, 2006

Third Reading July 14, 2006

Royal Assent July 14, 2006

I do not believe it has been proclaimed into force, so stay tuned for that part. (See update below.)

The Personal Information International Disclosure Protection Act is a response to the USA Patriot Act, specifically designed to prevent the export of personal information in the custody or control of public bodies in Nova Scotia to any other country. Though the prohibition is generic, it is clearly meant to prevent personal information from being the subject of a demand under the USA Patriot Act. It is also subject to the individual's consent, meaning that the prohibition does not apply if the individual data subject has identified the information and has specifically consented to the export of his or her information.

The Act is binding on all public bodies, their employees and specifically their service providers.

The Act requires that all public bodies ensure that all personal information in its custody or control is kept in Canada and is accessed only in Canada, unless the head of that public body has determined that storage or access outside of Canada is necessary for the public body's operations. If the head so determines, he or she has to notify the Minister of Justice for the province within ninety days of the end of the year.

The Act also contains a requirement that the Minister of Justice be notified forthwith of any "foreign demand for disclosure" or of any request that may be such a demand. The notice has to include the following:

as known or suspected,
(a) the nature of the foreign demand for disclosure;

(b) who made the foreign demand for disclosure;

(c) when the foreign demand for disclosure was received; and

(d) what information was sought by or disclosed in response to the foreign demand for disclosure.

It is an offence to disclose any personal information except in compliance with the Act and it contains specific penalties for public bodies, employees and service providers. Public sector employees may be subject to a fine of up to $2000 and imprisonment for six months. Corporate service providers may be subject to a fine of up to $500,000.

Interestingly, the Act grandfathers in contracts already entered into with service providers, but public bodies are expected to use all reasonable efforts to come into compliance with the new disclosure rules as soon as reasonably possible.

Nova Scotia is now the third Canadian province to enact such legislation, after British Columbia and Alberta.

Probably the most unmanageable portion of the Act deals with temporary exports. These are permitted (for example, in an employee's blackberry or on their laptop), but only with the permission of the head of the public body. This will be very difficult to administer because virtually every public sector employee's cell phone, laptop or briefcase contains information that is considered to be "personal information" under the statute. Every public sector employee who goes to a conference with her laptop will need the permission of the minister or university president or crown corporation president. However, given the rash of laptop thefts as of late, it may be a good thing to make public bodies think much more carefully about how information is carried around.

Interestingly, the Act is not an amendment to the Freedom of Information and Protection of Privacy Act which generally governs the collection, use and disclosure of personal information by public bodies. It is a stand-alone statute, unlike the way this was done in Alberta and BC.

For some background, see:

Update (20060717): The Bill has received Royal Assent, but it has not yet been proclaimed into force. (I've added the bold bit in the table above.)

Tuesday, July 11, 2006

Business Week columnist calls for personal information protection at US universities 

It's not often that a columnist in Business Week says "there oughta be a law!" But that's what Scott Olson says after being notified by his alma mater that his personal information was among 197,000 records of fellow UTexas alums that were compromised by a computer hacker.

It's Time to Protect Students' Data - Business Week Online via Yahoo! News

... It got me thinking: Colleges and universities should be held to the same government compliance standards as companies that operate in health care or financial services.

After all, a third of all data leaks are at universities, according to CNET Networks. That's not surprising, as universities walk a fine line between ensuring that users, many of whom are using personal laptops and other devices, have continuous access to network resources, while keeping those same resources safe from infections and unauthorized access. All too often, security gets shoved to the back burner in favor of keeping networks open and users productive. Cybercrooks, recognizing a good thing when they see it, are making hay while the sun shines....

Sunday, July 09, 2006

Common questions following laptop breaches 

The Associated Press' technology writer asks and tries to answer a number of questions that arise in the fallout of all the recent privacy breaches stemming from lost/stolen laptops:

  1. Why is sensitive personal data on the laptop in the first place?
  2. Why aren't sensitive identifiers (like social security numbers) masked or otherwise obscured?
  3. Why isn't it encrypted?

It's an interesting article with a bit more insight into some of the more recent breaches: Questions linger over secrets on laptops - Yahoo! News.

Monday, July 03, 2006

US Government sets new standards on security for personal information 

According to the Washington Post (OMB Sets Guidelines for Federal Employee Laptop Security), the White House Office of Management and Budget has sent a memorandum to all heads of civilian agencies setting additional requirements for the safeguarding of personally identifiable information. The memo requires, among other things, that government departments:

1. Encrypt all data on mobile computers/devices which carry agency data unless the data is determined to be non-sensitive, in writing, by your Deputy Secretary or an individual he/she may designate in writing;

2. Allow remote access only with two-factor authentication where one of the factors is provided by a device separate from the computer gaining access;

3. Use a “time-out” function for remote access and mobile devices requiring user re-authentication after 30 minutes inactivity; and

4. Log all computer-readable data extracts from databases holding sensitive information and verify each extract including sensitive data has been erased within 90 days or its use is still required.
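The fourth requirement is the one that needs a record-keeping mechanism behind it: every extract of sensitive data has to be logged, and within 90 days someone has to confirm either that it was erased or that it is still needed. The following is an added example, not code from the OMB memorandum or from any agency system. It is a small Python ledger that records extracts, erasures and re-justifications and reports which extracts have passed their 90-day deadline; the extract ids, user names, database names and dates are constructed sample values.

```python
"""Ledger for database extracts containing sensitive data.

Added illustration of the 90-day extract-verification requirement described
above; not code from the OMB memorandum or any agency system. All ids, user
names, database names and dates are constructed sample values.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

REVIEW_WINDOW = timedelta(days=90)  # the memo's 90-day verification deadline


@dataclass
class Extract:
    extract_id: str
    requested_by: str
    source: str                 # database the data was pulled from
    extracted_on: date
    contains_pii: bool
    erased_on: Optional[date] = None
    # every documented "still required" review restarts the 90-day clock
    justifications: List[date] = field(default_factory=list)

    def deadline(self) -> date:
        """Verification is due 90 days after the extract or its latest review."""
        anchor = max([self.extracted_on] + self.justifications)
        return anchor + REVIEW_WINDOW

    def status(self, today: date) -> str:
        if not self.contains_pii:
            return "exempt"        # only extracts holding sensitive data are tracked
        if self.erased_on is not None:
            return "erased"
        return "overdue" if today > self.deadline() else "open"


class ExtractLedger:
    def __init__(self) -> None:
        self._extracts: Dict[str, Extract] = {}

    def record_extract(self, extract: Extract) -> None:
        if extract.extract_id in self._extracts:
            raise ValueError(f"duplicate extract id {extract.extract_id}")
        self._extracts[extract.extract_id] = extract

    def record_erasure(self, extract_id: str, erased_on: date) -> None:
        ex = self._extracts[extract_id]
        if erased_on < ex.extracted_on:
            raise ValueError("erasure cannot predate the extract")
        ex.erased_on = erased_on

    def record_justification(self, extract_id: str, reviewed_on: date) -> None:
        ex = self._extracts[extract_id]
        if ex.erased_on is not None:
            raise ValueError("extract already erased; nothing to justify")
        ex.justifications.append(reviewed_on)

    def statuses(self, today: date) -> Dict[str, str]:
        return {i: e.status(today) for i, e in sorted(self._extracts.items())}

    def overdue(self, today: date) -> List[str]:
        return sorted(i for i, e in self._extracts.items() if e.status(today) == "overdue")

    def due_within(self, today: date, days: int) -> List[str]:
        """Open extracts whose deadline falls within the next `days` days."""
        horizon = today + timedelta(days=days)
        return sorted(i for i, e in self._extracts.items()
                      if e.status(today) == "open" and e.deadline() <= horizon)


def build_sample_ledger() -> ExtractLedger:
    """Constructed sample: four extracts at different points in the lifecycle."""
    ledger = ExtractLedger()
    ledger.record_extract(Extract("X-001", "analyst-a", "benefits_db", date(2006, 3, 1), True))
    ledger.record_extract(Extract("X-002", "analyst-b", "benefits_db", date(2006, 5, 15), True))
    ledger.record_extract(Extract("X-003", "analyst-c", "benefits_db", date(2006, 4, 1), True))
    ledger.record_extract(Extract("X-004", "analyst-d", "public_stats", date(2006, 1, 10), False))
    ledger.record_erasure("X-002", date(2006, 6, 1))            # wiped and attested
    ledger.record_justification("X-003", date(2006, 6, 20))     # reviewed, still needed
    return ledger


def sample_report(today_iso: str) -> Dict[str, object]:
    """Run the sample ledger against a given date (ISO format, e.g. '2006-07-03')."""
    ledger = build_sample_ledger()
    today = date.fromisoformat(today_iso)
    return {
        "statuses": ledger.statuses(today),
        "overdue": ledger.overdue(today),
        "due_soon": ledger.due_within(today, 30),
    }


if __name__ == "__main__":
    print(sample_report("2006-07-03"))
```

Run against 3 July 2006, the sample ledger reports X-001 (extracted 1 March, never erased or re-justified) as overdue, X-002 as erased, X-003 as open with a new deadline of 18 September because of the 20 June review, and X-004 as exempt because it holds no sensitive data. The point of keeping re-justifications as dated entries rather than a flag is that the ledger itself becomes the audit trail the memo asks for.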

Sunday, July 02, 2006

Incident: Laptops stolen from American Red Cross office in Texas 

According to the Dallas Morning News, three laptops were stolen from a locked closet in a Texas office of the American Red Cross. The laptops contained years of data on all donors from that particular region, but all the data was encrypted. Because it was encrypted, it should probably be classified as a "non-incident" or "incident averted".

See: Dallas Morning News | Donor data stolen at local Red Cross .

Thursday, June 29, 2006

Laptop with veterans' info found 

According to the New York Times, the laptop stolen from an employee of the Department of Veterans' Affairs (containing information on more than twenty million veterans) has been recovered.

According to the FBI, the information has not been accessed. I'm enough of a propeller-head to know that you can't ever tell with certainty that information has not been accessed. A drive can be copied without altering the data in any way. (Please, correct me if I'm wrong.)
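To make that observation concrete, here is an added example (not from the FBI statement, the VA, or any forensic tool). It builds a small constructed "drive" file, takes a bit-for-bit copy of it the way an imaging tool would (reading the source, never writing to it), and then checks every integrity indicator an examiner could look at on the original: content hash, size and modification time. It assumes only a writable temp directory and the Python standard library; access times are deliberately not relied on because whether a read updates them depends on mount options.

```python
"""Why "the database remains intact" does not establish that it was not copied.

Added illustration of the point made above; not from any forensic report or
tool. The "drive" below is a constructed sample file, and the copy is made
read-only with respect to the source, as an imaging tool would do.
"""
import hashlib
import os
import tempfile
from typing import Dict

CHUNK = 65536


def sha256_of(path: str) -> str:
    """Content hash, the usual "is the data intact" check."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source: str, image: str) -> None:
    """Bit-for-bit copy of `source` into `image`; the source is only ever read."""
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)


def copy_leaves_no_trace() -> Dict[str, bool]:
    """Image a constructed drive and report what an examiner could observe afterwards."""
    with tempfile.TemporaryDirectory() as tmp:
        drive = os.path.join(tmp, "laptop_drive.img")
        image = os.path.join(tmp, "evidence_copy.img")

        # constructed sample payload standing in for the stolen records
        with open(drive, "wb") as f:
            f.write(b"RECORD|constructed sample|SSN 000-00-0000|DOB 1900-01-01\n" * 1000)
        os.utime(drive, (1_000_000_000, 1_000_000_000))  # fixed timestamps for the demo

        before_hash = sha256_of(drive)
        before_stat = os.stat(drive)

        acquire_image(drive, image)           # the "copy without altering" step

        after_hash = sha256_of(drive)
        after_stat = os.stat(drive)
        return {
            "hash_unchanged": before_hash == after_hash,
            "size_unchanged": before_stat.st_size == after_stat.st_size,
            "mtime_unchanged": before_stat.st_mtime == after_stat.st_mtime,
            "copy_is_identical": sha256_of(image) == before_hash,
        }


if __name__ == "__main__":
    for check, result in copy_leaves_no_trace().items():
        print(f"{check}: {result}")
```

Every check comes back true: the original is byte-for-byte intact and its modification time has not moved, yet a complete, identical copy now exists elsewhere. An integrity examination can therefore support "the database has not been altered" but not "the data has not been copied", which is exactly the gap the Red Cross post above closes by encrypting the data in the first place.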

Here's part of the NYT's article:

Missing Laptop With Veterans' Data Is Found - New York Times:

WASHINGTON, June 29 - The government has recovered a stolen laptop computer and hard drive that contains sensitive information, including birthdates and Social Security numbers, for millions of veterans and military personnel, the Department of Veterans Affairs said today.

The Federal Bureau of Investigation said in a statement issued by its Baltimore field office that an initial examination had found that the data had not been copied or misused in any way.

'A preliminary review of the equipment by computer forensic teams has determined that the data base remains intact and has not been accessed since it was stolen,' the statement said....

Update (20060706): Over at Slashdot, those more knowledgeable than me tend to agree with my semi-informed observation: Slashdot | Forensic Analysis of the Stolen VA Database.

Saturday, June 24, 2006

Incident: FTC laptops stolen, along with personal data 

The American Federal Trade Commission is usually at the forefront of slapping around companies who do not take adequate steps to secure personal information. So it is a bit ironic that two FTC laptops have been stolen from a locked car, along with personal information on around one hundred defendants in current FTC investigations. Check it out: FTC laptops stolen, along with personal data.

Thursday, June 22, 2006

Incident: Laptop stolen with Equifax employee info 

The Privacy Law Site is reporting that an employee of Equifax had his laptop stolen in Europe last month. The computer contained names and social security numbers for all of the company's US-based employees. See: The Privacy Law Site: Equifax Laptop Stolen.

Why would an employee need to travel with that information? I dunno.

See also: Chron.com | Equifax: Laptop With Employee Data Stolen.

Wednesday, June 21, 2006

What will it take? 

Ira Winkler, at Computerworld, asks what will it take for executives to pay attention to the privacy of personal information. He ends his opinion piece thusly:

Opinion: What will it take?

... Again, the problem isn’t that the laptops are getting stolen, but that the data is on the laptops to begin with. There is no legitimate work situation where tens of thousands, let alone millions, of personal records are required on an individual system. I can understand the need for backup tapes, but no individual should be entrusted with all this data.

At this point, given all of the attention to stolen laptops, every organization should IMMEDIATELY ban the bulk downloading of databases holding personally identifiable information. All copies of such data should immediately be deleted with a disk wiping program. Continued possession of such data should be cause for immediate dismissal.

But let's not stop with the users, since the problem certainly didn't start with them. After the dozens of incidents of the compromise of millions of records, any CIO or consulting or audit manager who doesn’t immediately ban the practice of downloading data and institute a program to minimize the exposure of personally identifiable information on portable media should be fired. Immediately. You can't guarantee that everyone will follow the policy, but if you don’t have a policy in the first place, only a very poor manager does not learn from the painful experience of others. There is no discussion about this.

So what more has to happen to get a CIO to realize this? Or will it take a few high-profile cannings to get my point across?

Sunday, June 18, 2006

Incident: Laptop with D.C. workers' data stolen 

Too many data breaches 

It is increasingly difficult to stay on top of all the security/privacy breaches as of late. Thanks to the Privacy Rights Clearinghouse, all the latest are set out in a handy table at http://www.privacyrights.org/ar/chrondatabreaches.htm, which includes these recent additions:

Ohio University Innovation Center (Athens, OH)

A server containing data including e-mails, patent and intellectual property files, and 35 Social Security numbers associated with parking passes was compromised.

A breach was discovered on a computer that housed IRS 1099 forms for vendors and independent contractors for calendar years 2004 and 2005.

A breach of a computer that hosted a variety of Web-based forms, including some that processed on-line business transactions. Although this computer was not set up to store personal information, investigators did discover files that contained fragments of personal information, including Social Security numbers. The data is fragmentary and it is not certain if the compromised information can be traced to individuals. Also found on the computer were 12 credit card numbers that were used for event registration.

330,000 records [Updated 6/16/06]

June 11, 2006 - Denver Election Commission (Denver, CO)

Records containing personal information on more than 150,000 voters are missing at city election offices. The microfilmed voter registration files from 1989 to 1998 were in a 500-pound cabinet that disappeared when the commission moved to new offices in February. The files contain voters' Social Security numbers, addresses and other personal information.

June 13, 2006 - Minn. State Auditor (St. Paul, MN)

Three laptops possibly containing Social Security numbers and other personal information on some employees of local governments the auditor oversees have gone missing.

Oregon Dept. of Revenue (Portland, OR)

Electronic files containing personal data of Oregon taxpayers may have been compromised when an ex-employee downloaded a contaminated file from a porn site. The "trojan" attached to the file may have sent taxpayer information back to the source when the computer was turned on.

U.S. Dept of Energy, Hanford Nuclear Reservation

Current and former workers at the Hanford Nuclear Reservation were notified that their personal information may have been compromised, after police found a 1996 list with workers' names and other information in a home during an unrelated investigation.

Encrypt it 

ABC News could be accused of stating the obvious in Encryption Can Save Data in Laptop Lapses, but the article does have some interesting info on specific lessons that the VA, EDS and Ernst & Young have recently learned the hard way.

Tuesday, June 13, 2006

Ok. Somebody must be paying attention 

When The Onion, America's Finest News Source makes fun of the Hotels.com breach, you know that these are getting widespread coverage:

Hotels.com Information Stolen The Onion - America's Finest News Source

Hotels.com Information Stolen

A laptop containing sensitive information about Hotels.com customers was recently stolen from an Ernst and Young employee's car. What do you think?

Doodles McKennan, Costume Designer: "Great, now everyone at work will know about my thing for amenities."

Tina Garland, Lens Grinder: "Dogs, toddlers, laptops with credit-card information—this list of things not to leave locked in a car on a hot day just keeps getting longer and longer."

Chris Benning, Receptionist: "Forget the confidential client information. Have you ever seen so much Rick Astley on a single iTunes collection?"

Saturday, June 10, 2006

The Practical Nomad on the Expedia/Hotels.com data breach 

The Practical Nomad has a very interesting post on the recent Expedia/Hotels.com privacy and security breach resulting from the loss of an auditor's laptop. (For my previous comments, including the fact that my data may have been on the laptop in question, see: The Canadian Privacy Law Blog: Incident: Hotels.com customer info on laptop stolen from auditor in February.)

The Practical Nomad blog: Expedia auditors lose laptop with customer credit card numbers:

...

Notably, Expedia has not said whether it had in place the contractual privacy commitments from Ernst & Young that would be required under Canadian (and other countries') laws -- although not under USA law -- as a precondition to allowing Ernst & Young to access personal information in customer or reservation records.

Hotels.com operates one of the world's largest travel Web site affiliate networks, many of whose members (in addition to the other Expedia divisions in the USA, Canada, and Europe), hide the Hotels.com service behind their own "private label". Many Hotels.com customers may never have realized they were dealing with Hotels.com rather than the company that operates the "private label" Web site. In the past, this lack of transparency has been one of the major themes of customer complaints against Hotels.com, especially when customers had problems at check-in and didn't know whom to call. And customers of Expedia divisions in Canada and Europe may not have known that their personal data was being passed on to Hotels.com in the USA.

So, I asked, (1) does Hotels.com attempt to identify, or keep a record of, the country from which personal information was collected, and (2) are the actions being taken the same for all people whose data may have been on the stolen laptop, or are any different or additional actions being taken with respect to people from whom data may have been collected while they were in Canada or the European Union (e.g. as potentially identifiable from the IP address or the origination of the transaction through Expedia.ca or Expedia.uk), in light of the differences in Canadian and European Union data protection law?

The response on behalf of Expedia? "We do not track or capture geographies aside from the address customers provide for the transaction."

In other words, the world's largest Internet travel agency -- even though it requires cookie acceptance for purchases, and undoubtedly logs IP addresses and tracks referrals by affiliate -- makes no attempt to keep track of the jurisdiction and legal conditions under which personal information is provided, or ensure that those restrictions accompany the data when it is passed on. Even if they wanted to comply with the law in Canada and the EU, where they operate entire divisions, their current data structures aren't adequate to support compliance with the laws in those jurisdictions.

From what I've seen of industry norms, Expedia is no exception. Neither computerized reservation systems nor the AIRIMP (more on the latest AIRIMP revisions in a forthcoming post) support transmitting or recording the jurisdiction or rules under which any portion of the data in a passenger name record (which typically includes data entered in multiple jurisdictions, so a single field for the entire PNR would not suffice). But if Expedia can get away with ignoring data protection laws in countries where they do billions of dollars a year in business, so can the little guys.

This should be the test case of whether USA-based travel companies that do business in, and/or accept personal data from affiliates in, Canada and the EU need to track the jurisdiction and conditions governing use of that data, and ensure that those jurisdictional and usage-restriction notes follow the data wherever it goes.

If you reserved a hotel through Hotels.com, and you were in Canada or the EU at the time, demand an explanation from the company, and complain to your national privacy commissioner or other national data protection authorities.

The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.