Saturday, April 30, 2005

Faxing Tips: Avoiding common privacy incidents

The privacy incidents that have gotten the most press recently in Canada have been related to misdirected faxes. To name just a few:

I've seen loads of "Faxing Guidelines" produced by organizations and privacy commissioners that include some pretty common sense suggestions to minimise the likelihood of problems. But problems almost always will occur simply because accidents to happen. (Luckily, in most cases it will be a one-off mistake.) Guidelines need to be implemented to make sure that the right people are informed of the issue and know how to practice safe faxing.

Below is a set of faxing tips I've developed over the last little while. A couple, which I've highlighted, do not appear in any other guidelines I've seen and are the results of lessons learned from various incidents I've seen or been involved with.

  • Physically secure the location of any fax machine that receives incoming faxes.
  • Use speed dial functions of your fax machine ... and verify each number by sending a test fax before sending any personal information.
  • If you use a fax machine to send both sensitive and non-sensitive information, consider getting separate fax machines for the different kinds of information. Designate a fax machine for personal or confidential information and program the speed dial functions to include only trusted recipients. (I have heard the story of a physician who regularly faxed letters to the editor, so had the local papers on his speed dials. Unfortunately, one of these buttons was right next to the speed dial button for the local hospitals' records department. You can guess what happened.) If you can't have a separate fax machine, don't have "trusted" and "not-trusted" buttons next to each other.
  • If particularly confidential information will be sent, contact the recipient in advance to tell them to expect the fax.
  • Do not "retire" any of your fax numbers because it may continue to receive faxes from people who haven't updated their records. Phone companies, facing a shortage of numbers, will quickly reassign retired numbers and you have no idea where those faxes may end up.
  • If you have a number of locations, branches or outgoing fax machines, make sure that all fax cover pages have one central number for reporting misdirected faxes and make sure that someone is at that number to keep track of problems. This one, simple and easy to implement precaution would have avoided all of the problems experienced by CIBC. Three faxes with the same error would have been all it would take to notice a pattern and figure it out. Of course, include a cover sheet that indicates that the information is confidential and should not be disclosed to any unauthorized persons.
  • Double check the number before you push the "send" button.
  • Check your confirmation sheets to make sure that the number called was the same as you intended.
  • Use desktop faxing technologies or -- better yet -- scan materials to PDF and e-mail them. The risk of interception is greater with e-mail, but e-mail goes to one designated recipient and does not sit around on a fax machine.
  • Many fax machines have the ability to encrypt or password protect faxes. If the information is sensitive, by all means use it! For internal faxes, as was the case with the CIBC incident, there is no reason why you shouldn't since you have control over both fax machines and you'll prevent the faxes from being read if they end up at the wrong machine.

Implementing all of the above should significantly reduce the likelihood of problems and should also allow you to identify any problems before they get out of control.

Charging fees for access under the Health Information Act

The Information and Privacy Commissioner of Alberta has sent a pharmacy back to the drawing board after it attempted to charge an additional $40.00 "professional fee" to process an access request. Read Order H2005-002 here. As is the practice in Alberta, the Commissioner named the offending pharmacy.

Friday, April 29, 2005

EPIC asks: which digital music service is selling your data?

This is an interesting series of postings at Boing Boing: Chris Hoofnagle of the Electronic Privacy Information Centre was perusing direct marketing publications and noticed a customer list for sale full of subscribers to a digital music centre. Boing Boing posted about the particular of the list and it wasn't long before the blog's readers had tracked down the company that sold the list. Of course, a discussion of the service's privacy policy ensued: See Boing Boing: EPIC asks: which digital music service is selling your data? (UPDATED).

As an aside, the DMNews' lists make interesting reading. My fave so far is a list of people who have recently purchased a firearm or have inquired about purchasing a gun for personal protection. That list might be useful for someone who wants to do something other than selling gun locks.

Incident: Hackers breach Brigham Young University security using keystroke loggers

What a day for privacy incidents. Brigham Young University is reporting that some nefarious character (or characters) installed keystroke loggers on systems in a campus computer lab, taking students' information: BYU NewsNet - Hackers breach Widstoe security.

Incident: Massive bank security breach uncovered in N.J.

MSNBC is reporting on what is characterised as the largest breach of security and leak of personal information is US banking history. Employees are implicated in providing information on 500,000 customers to bill collectors:

Massive bank security breach uncovered in N.J. - Nightly News with Brian Williams - MSNBC.com:

"Bank employees implicated in conspiracy; 500,000 victims alleged

By Tom Costello, Correspondent

NBC News

Updated: 7:22 p.m. ET April 28, 2005HACKENSACK, N.J. - In court Thursday, Orazio Lembo was described as the alleged ring leader of what police say was a massive scheme to steal 500,000 bank accounts and personal information, then sell it to bill collectors.

Lembo's alleged accomplices included branch managers and employees from some of New Jersey's biggest banks, including Bank of America, Wachovia and Commerce Bank.

All of them are accused of turning over customer bank account numbers and balance information for a profit of $10 per account. Even a state employee is accused of providing private information from state employment files...."

Incident: Georgia Southern University students' personal information compromised by hackers

Yet another American university has been hit by a breach of confidential personal information. This time, it is Georgia Southern University:

AP Wire | 04/28/2005 | Students' personal information compromised by hackers:

"STATESBORO, Ga. - Hackers broke into a Georgia Southern University server that contained thousands of credit card and Social Security numbers collected over more than three years.

The Saturday breach puts anyone who made a purchase at the university bookstores between Jan. 1, 2002, and April 25 of this year at risk of identity theft or unauthorized credit card usage, the university said Wednesday...."

ID Theft: Thieves Tell How To Avoid It

A Florida television station has paid a visit to two jailed identity thieves to get their advice on how to avoid becoming a victim. Until they got caught, their job was suprisingly easy and the article is an interesting read: WFTV.com - Action 9 - ID Theft: Thieves Tell How To Avoid It.

New Yahoo! Group for PIPEDA and Canadian Privacy Law

I've discovered that a number of corporate firewalls block access to blogspot domains, so I've decided to create a mailing list for those who would like to follow this blog but can't reach it in a conventional way. Also, there may be some who would rather that blog postings just appear in their inbox or on their BlackBerry or whatever. To susbscribe, send an e-mail to privacy_law-subscribe@yahoogroups.com.

New Yahoo! Group for PIPEDA and Canadian Privacy Law:

"Description

The Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

Group Email Addresses
Post message: privacy_law@yahoogroups.com
Subscribe: privacy_law-subscribe@yahoogroups.com
Unsubscribe: privacy_law-unsubscribe@yahoogroups.com
List owner: privacy_law-owner@yahoogroups.com"

Commissioner's Findings - PIPEDA Case Summary #294: Denial of access and inappropriate disclosure allegations are made against a physician

Finally some clarity on the privacy aspects of independent medical examinations since PIPEDA. I've had to deal with a number of these over the last year and though all my files are still winding their way through the OPC's system, it's good to see some clarity on the issue.

In this finding, a complaint was made against a physician who was working for an insurance company doing medical examinations of insurance claimants. The individual asked for access to his/her records and was denied as the physician did not keep any records provided to him/her. The individual also complained that the doctor disclosed his/her medical information without consent. The Assistant Commissioner found that both complaints were not well founded.

Commissioner's Findings - PIPEDA Case Summary #294: Denial of access and inappropriate disclosure allegations are made against a physician - March 17, 2005 - Privacy Commissioner of Canada:

"Complaint

An individual alleged that a physician refused to provide him with access to his personal information and disclosed a medical report about him to an insurance company without his consent. The complainant in this case also filed two complaints against the insurance company, which are discussed in greater detail in Case Summary #293.

Summary of Investigation

The complainant had been absent from work for medical reasons, and was insured under the terms of a group insurance policy between his employer and an insurance company. The physician, an independent medical consultant under contract with the insurance company, provided it with a report on the complainant's medical condition. After obtaining a copy of this report from the insurance company, the complainant wrote to the doctor requesting a copy of his file, including copies of the materials provided to the doctor by the insurance company and an independent medical examiner.

The doctor works as a non-treating medical consultant on the premises of the insurance company, approximately one day a week. His position was that he was hired by the company to provide medical opinions on disability files and that these files are owned by the company. As a result, he was not in a position to grant or deny access to them. He states that he does not keep his own files or copies of any records relating to his work for the insurance company. He dictated his report for the company, which was subsequently typed by one of its employees. The company confirmed that its employees type the reports dictated by doctor, and the report also indicated that it was first dictated and later typed.

The College of Physicians and Surgeons of Ontario has a policy for its members, governing the standards of care for non-treating physicians who prepare reports for third parties. Where the doctor is providing a report to a third party based on a file review, which was the case with the physician in question, the policy states that there is no obligation to keep notes or records. The duty to provide a copy of the report will vary according to the nature of the agreement with the third party. The policy also states:

Physicians who are given... documentation to review should make a comprehensive list of all materials reviewed in preparation of the report... Once a comprehensive list of materials is prepared and the report has been submitted to the third party, the physician may keep a copy of this material in his or her file but is not obligated to do so. This background material can be returned to the third party without making a copy....

The doctor's practice appeared to be consistent with the guidelines of the Ontario College of Physicians and Surgeons.

As for the inappropriate disclosure allegation, the doctor stated that, as per his contractual obligations, he prepared a report summarizing his review of the complainant's file, which was under the control of the insurance company. In his view, he was acting as an agent of the company and thus there was no disclosure.

We reviewed the consent form the complainant signed when applying for disability benefits, and noted that he consented to the provision and exchange of information between any physician and the insurance company for the purpose of assessing his claim and providing rehabilitation assistance.

Findings

Issued March 17, 2005

Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate; and Principle 4.9 stipulates that upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information.

The Assistant Privacy Commissioner deliberated as follows:

With respect to the denial of access complaint, the Assistant Commissioner was satisfied that the information the complainant requested from the doctor was neither in his possession nor under his control, and that as a result he could not provide the complainant with access to his personal information. The Assistant Commissioner found that the doctor had not contravened Principle 4.9. She therefore concluded that the access complaint was not well-founded.

As for the disclosure complaint, the Assistant Commissioner noted that even if she did not accept the doctor's claim that he was acting under contract to the insurance company, it nevertheless was the case that the complainant had provided his consent to the exchange of personal information between the physician and the company for the purpose of assessing his claim for benefits. She therefore found that there was no contravention of Principle 4.3.

The Assistant Commissioner concluded that the disclosure complaint was not well-founded."

Private companies to begin hosting electronic health records

Apparently private companies are soon going to enter the market offering to host people's health records. This can be an obvious benefit for those who want to keep all this info in one place. Of course there are privacy risks that have to be addressed; It'll be self-regulation or buyer beware because HIPAA will not apply to the services:

World Peace Herald:

" Companies are expected soon to begin offering the public personal health record or PHR services, allowing individuals to maintain copies of their health records online, regardless of which doctor they may be using.

Such services could make it easier to obtain records in an emergency, and they could make life simpler for busy families that move frequently or face complicated medical situations, such as several young children on different vaccination schedules, or an elderly parent on multiple medications.

Data from such records also could be very valuable to pharmaceutical companies seeking to market new products, to researchers studying health trends or to public health officials monitoring the population for spikes in illness.

Officials are concerned, however, that data submitted to private PHR services could be packaged and sold commercially without appropriate privacy precautions or the informed permission of those submitting the data. Third-party services are not necessarily covered by the Health Insurance Portability and Accountability Act of 1996, which, among other provisions, limits the sharing of health data without the patient's express permission.

'Because of the HIPPA [sic] loophole, third parties, whether they are profit or non-profit, are not covered by HIPPA[sic],' said Paul Tang, chief medical information officer at the Palo Alto Medical Foundation in California. 'In other words, consumers and patients do not have (legal recourse and) I think that is a real concern.'..."

Incident: Halifax student information posted on Internet

A teacher with the Halifax Regional School Board apparently put a confidential student list on an accessible website. It wasn't linked to from anywhere, but someone e-mailed the URL to the Halifax Chronicle Herald:

Student information posted on Internet: "

Teacher at Dartmouth school unaware confidential file could be accessed

By BARRY DOREY / Staff Reporter

School webmasters can expect a stern warning and a reminder about the dangers of their online duties after a detailed Dartmouth student list was left accessible on the Internet.

A teacher at Bicentennial School on Victoria Road posted a spreadsheet that listed the name, address, birthdate and phone number of every student.

It was posted in an area where she believed nobody would find it and there were no links to the page on the school website. But provided with the web page address, anyone could download the file.

"That information should have never been able to be accessed," said Doug Hadley, spokesman for the Halifax regional school board.

"We will be following up, we will talk to our schools this week."

Alerted to the situation by this newspaper, board officials located and removed the file within an hour Thursday night.

Mr. Hadley said the board is looking into the possibility that a hacker located the file, which was created last summer and was stashed in a private folder on the board's servers. But it was not protected by any passwords or other safeguards, meaning anyone with the URL could view the page.

"It's possible it may have been accessible for the entire year," Mr. Hadley said.

An e-mail including the web address was sent to this newspaper Thursday.

Board officials will use the incident as a "teaching moment" for all teachers or administrators who act as webmasters, he said. They will be reminded of the board's acceptable-use policy and will be warned of the perils of posting confidential information.

"This type of breach was not done with any type of (malicious) intent in mind, but we have to treat it seriously," Mr. Hadley said.

"The teacher was likely going beyond (the call of duty) and carrying the work home," where she could access information online.

The warning to webmasters, who receive general training but little in the way of followup or skills upgrading, is clear.

"Files may not be just for their eyes" if a hacker finds the page or "if someone knows what they are looking for," Mr. Hadley said.

He wouldn't speculate on any discipline that may be meted out to the teacher who made the mistake.

"I'm sure that the principal will follow up with the staff person," he said.

One parent of a Bicentennial student said the school board should be doing more to train and oversee teachers.

"It's unfortunate and I think the school board has to be more vigilant," said the father of two students.

"It's disappointing that it was not more secure."

Board policy forbids the posting of any student information without the written consent of a parent or guardian. And any files containing personal information must be protected with user names and passwords."

Thursday, April 28, 2005

Theft might cut Indian call center growth by 30%

From the ZDNet IT Facts Blog:

Theft might cut Indian call center growth by 30% by ZDNet's IT Facts -- A Forrester Research report has warned that personal information theft might curb the booming Indian BPO industry's growth by as much as 30%.

Vancouver considers proposal to cover downtown's trouble spots with CCTV

From the Vancouver Province, the City of Vancouver is considering a proposal to install a network of CCTV cameras in the downtown. There's just a bit of opposition, with civil liberties groups calling it a waste of resources:

Police raise spectre of cameras in downtown's troubled spots: Police board to hear results of British study before deciding CCTV's fate:

"....A proposal to install 23 cameras in the Downtown Eastside was shelved in 2004, pending the results of the British study.

Barwatch, an organization that works with police to try to ensure patron safety in downtown establishments, is also onside with a CCTV system.

'They did it in Kelowna and it's been very effective,' said vice-chairman Vance Campbell.

Barwatch talked with police about a downtown system in the mid-1990s, but the idea was abandoned because of privacy concerns, Campbell said.

Meanwhile, the B.C. Civil Liberties Association is opposed to the cameras as a 'colossal waste of resources' and an inexcusable invasion of privacy.

Those who claim otherwise are 'full of baloney,' said executive director Murray Mollard.

'They actually don't make a difference from an empirical point of view. I'm not even sure they make people feel safer,' Mollard said. 'It just displaces crime.'

The British study appears to support Mollard's views.

It looked at 14 systems with hundreds of cameras and evaluated their effectiveness. In the majority of the areas, crime rates actually increased.

Just two areas reported a statistically-significant reduction in recorded crime and only in one is it 'plausible that the role of CCTV was a significant factor in this reduction,' the report states.

After a legal battle pitting former federal privacy commissioner Don [sic] Radwanski against the city, Kelowna installed a permanent camera to watch a section of its downtown.

The case against the camera was tossed out of court in the summer of 2003. Mayor Walter Gray said the monitoring device is an effective crime reduction tool."

Alberta's privacy commissioner concerned about random on-the-job drug testing

Alberta Information and Privacy Commissioner Frank Work isn't being shy about letting his feelings be known about random drug testing in the workplace, according to the Canadian Press:

Alberta's privacy commissioner concerned about random on-the-job drug testing - Yahoo! News:

"EDMONTON (CP) - Any plan by Alberta to legislate random workplace drug and alcohol testing must be based on hard evidence that testing makes worksites safer, says the province's privacy commissioner.

Frank Work made the point to Human Resources Minister Mike Cardinal in a letter earlier this month after a government-appointed committee recommended that random testing be approved.

'Any consideration of legislative change must be preceded by a thorough study of the evidence on drug and alcohol testing and workplace safety,' Work said in the letter, obtained by The Canadian Press.

'At this point, it is not even clear to what extent drug and alcohol impairment plays a role in workplace accidents. This is a classic case of the need for solid, evidence-based decision making.'..."

Boing Boing: Arkansas salon requires thumbprint to get a tan

Here's an interesting one, via Boing Boing... a chain of spray-on tanning salons in the United States is requiring thumbprints from customers to make sure that you aren't using someone else's "unlimited session" plan. The thumbprint is even required for one-time users: Boing Boing: Arkansas salon requires thumbprint to get a tan. Of course, privacy advocates aren't too keen on the idea.

Privacy and security are governace issues: ChoicePoint CEO Won't Discuss Breach

I would have thought that issues affecting share price and the future of the company are fair game at an annual general meeting, but the organizers of ChoicePoint's AGM didn't think so. A question about the high-profile breach that are leading to regulation of their industry were considered out of order, according to ABC News and the Associated Press:

ABC News: ChoicePoint CEO Won't Discuss Breach:

"NEW YORK Apr 28, 2005 — ChoicePoint CEO Derek Smith refused to answer questions on Thursday about the security breach that allowed criminals to access the company's database, telling shareholders at the company's annual meeting that the matter was the subject of pending litigation.

"As we have previously disclosed, the company is continuing to investigate the recent fraudulent data access and other matters," Smith told about a dozen shareholders at the Waldorf-Astoria Hotel in Manhattan.

The Alpharetta, Ga.-based company announced in February that the personal information of 145,000 Americans may have been compromised when thieves posing as legitimate small business customers gained access to its database. Authorities say at least 750 people were defrauded in the scam. The scandal has fueled consumer advocates' calls for federal oversight of the loosely regulated data-brokering business, and Capitol Hill hearings are likely soon on the issue.

...

Smith and ChoicePoint President Douglas Curling earned $16.6 million from ChoicePoint stock sales after the company learned last fall of the security breach and before that was made public on Feb. 15.

During Wednesday's brief meeting, the shareholders voted in four new directors and approved the appointment of Deloitte & Touche as the company's independent auditor.

After reading prepared remarks, Smith answered written questions submitted by shareholders. A question relating to the security breach was deemed inappropriate and was not read aloud...."

Even as summer dawns, the credit freeze is spreading across the United States

Thanks to PrivacySpot for pointing me to this great table of state legislative iniatives to follow in California's lead in allowing consumers to put a "freeze" (not just a fraud alert) on their credit file: 2005 Consumer Report Security Freeze Legislation.

Decision: Blood Tribe (Dept. of Health) v. Canada (Privacy Commissioner)

The Federal Court of Canada has been given the opportunity to consider the powers of the Privacy Commissioner under PIPEDA to compel the production of information for which solicitor-client privilege is claimed. In Blood Tribe (Dept. of Health) v. Canada (Privacy Commissioner), Justice Mosley concluded that the Commissioner does have the power to compel information for the purposes of determining whether it is privileged:

"[58] Having regard to the overall scheme of the statute and the Commissioner's responsibility to conduct an effective investigation, the principles enunciated by the Supreme Court of Canada in Lavallee do not, in my view, require that section 12 of the PIPED Act be given the restrictive interpretation called for by the applicant. The production order issued by the Commissioner will not limit or deny any solicitor-client privilege that the applicant may enjoy in the questioned documents. I am satisfied that in order to complete her investigation it is necessary that the claim of privilege be assessed by the Commissioner to determine whether it properly applies to the questioned documents or not. That will not prevent the applicant from continuing to assert the claim in any other proceedings that may arise in relation to the complaint.

[59] Accordingly, the Commissioner correctly exercised her authority to issue the production order and this application will be dismissed. As the question of interpretation of the scope of the PIPED Act in relation to solicitor-client privilege appears to have arisen for the first time in these proceedings, I will exercise my discretion to make no order of costs in favour of the successful party."

This was a judicial review of the Commissioner's order and the standard of review applied in this case was correctness.

Giving credit where credit is due

Thanks to David Akin, who left a comment on my previous post about errant faxes from the Bank of Montreal (PIPEDA and Canadian Privacy Law: BMO investigating faxes sent to wrong machine) correcting me ... it was Mike King with the Montreal Gazette who broke this story.

Don't leave your company secrets in the trash

There's no shortage of articles and incidents on this topic, but it bears repeating over and over again: don't chuck your computers without wiping the hard-drives:

The Globe and Mail: Don't leave your company secrets in the trash:

"Whether your business is operating on a single computer or you have an office full of equipment, eventually you'll have to buy new gear. The question is: When you get rid of the old computers, are you giving away more than you think?..."

Whoa, Canada: SSN Request Doesn't Add Up

The Washington Post is reporting on the interesting practice of a Canadian online retailer that has been demanding social security numbers from American customers. Weird.

Whoa, Canada: SSN Request Doesn't Add Up:

"Gaithersburg reader Denise McQuighan was ordering a pair of $269 Mission D3C roller hockey skates for her son, Patrick, from an online Canadian sports-equipment retailer recently, but she stopped cold when the order form required her Social Security number.

'The Web site indicated that this was needed by the U.S. Customs agents for some reason,' says McQuighan, who knows better than to hand out her Social Security number (SSN) to just anyone who asks for it.

McQuighan told Patrick to find different skates -- from a U.S. company. 'But could you tell me,' she asks via e-mail, 'is there some requirement to provide a SSN to order something from Canada?'

The policy statement at the retailer's Web site, http://www.hockeygeeks.com , says: 'We require a Social Security number for U.S. customers or else products cannot cross the border and failure to provide this information will result in delayed or even non-shipment.'..."

More than 100 women complain after cancer test info shared

More than 100 women were sufficiently upset to complain to the Saskatchewan Privacy Commissioner after finding out their cancer test results are routinely shared with the province's cancer agency. The Commissioner's report is available here and CBC's coverage is below:

CBC Saskatchewan - More than 100 women complain after test info shared:

"Last Updated Apr 27 2005 04:38 PM CDT

REGINA – Women in Saskatchewan should have the option of keeping their Pap test results to themselves, rather than having the data go to the province's cancer agency automatically, Privacy Commissioner Gary Dickson says.

On Wednesday, Dickson said more needs to be done to protect women after more than 100 complained of receiving copies of their test results in the mail.

Many women had no idea their private health information and cervical cancer test results were sent to the Saskatchewan Cancer Agency.

"I opened it up and was shocked," recalled Anemarie Buchmann-Gerber of Saskatoon, who thought she received a piece of junk mail. "There was my information from an agency I had never heard of. There were the results of my test."

Thousands of other women received their cancer test results the same way. In some cases, the results were sent to a woman's ex-husband or parents.

"The agency did not have in place what I determined would be all the safeguards," Dickson concluded after a year-long investigation.

Dickson's report recommends doctors do a better job of telling women that their test results will be shared with the province's cancer agency.

Women who don't want to participate in the cancer agency's research should be able to opt out, Dickson said.

Other women said they didn't mind receiving a letter notifying them of their results, or reminding them to get tested.

Hilary Craig has been cancer-free for more than 10 years, but wishes a health professional suggested having a mammogram years ago.

"I would have gone and had my mammogram," the Regina resident said. "Instead, I realized with a terrible sinking heart when I felt the lump. I wondered how much growth happened between when I hadn't went for a mammogram and the time that I had the lump found."

Early detection is critical to many cancer treatments. The cancer agency notes the information they collect is saving lives, but it acknowledges it will have to factor in privacy concerns in using the statistics."

Alberta Commissioner reports on inappropriate use of police databases

The Alberta Information and Privacy Commissioner has released his report following an investigation of police using their information systems to target two individuals for an "improper purpose":

OIPC:

"Investigation Report F2005-IR-001

Investigator finds EPS members used personal information in contravention of the FOIP Act. It was alleged that members of the Edmonton Police Service (EPS) inappropriately used the service's information systems and the Canadian Police Information Centre (CPIC) in relation to two individuals for an improper purpose.

Click to view more information Investigation Report F2005-IR-001"

This incident was originally reported at PIPEDA and Canadian Privacy Law: Edmonton cops investigated for misusing law enforcement databases. The Calgary Herald is also covering this story: Commissioner says police violated privacy laws.

Wednesday, April 27, 2005

Casino Camera Operators Accused of Ogling Women

Video surveillance has its detractors, many of whom point to accusations like this one from a Casino in Atlantic City: ABC News: Casino Camera Operators Accused of Ogling.

The Common Scold: LEAKING DATA

Rob Hyndman just pointed me to a posting on the Common Scold about the need to encrypt your backup tapes because -- surprise! -- they can get misplaced: The Common Scold: LEAKING DATA.

Tuesday, April 26, 2005

Incident: St. Joseph Hospital Medical Records Stolen from data processor

PrivacySpot is reporting that patient information from a Houston hospital was on a stolen computer being used by a service provider to digitize records. Though the information was encrypted and password-protected, the hospital has terminated its contract with the service provider: St. Joseph Hospital Medical Records Stolen | PrivacySpot.com - Privacy Law and Data Protection. See also Health Care Blog Law : Theft of Computers from Texas Hospital Involve 16,000 Patient Records.

BMO investigating faxes sent to wrong machine

CTV is breaking another story about misdirected faxes affecting another chatered bank: CTV.ca | BMO investigating faxes sent to wrong machine.

Monday, April 25, 2005

Blockbuster Clerk Charged In Identity Theft Case

In many cases, employees are the weakest privacy link. Police in Washtington DC have arrested a Blockbuster clerk for stealing the identities of customers, based on information used to apply for Blockbuster membership cards: nbc4.com - News - Blockbuster Clerk Charged In Identity Theft Case.

Alarm as private Australian medical files go offshore

Offshoring of medical information processing is not only a concern in North America ... Australians are also raising it as an issue:

Alarm as private medical files go offshore - Next - http://www.smh.com.au/technology/:

"... Lyndie Arkell, CEO of Melbourne-based Ozescribe, believes sending such sensitive information overseas could breach Australia's national privacy legislation and certainly puts that information at risk. Ms Arkell points to a recent case in the US in which a woman in Pakistan who had been transcribing medical documents for doctors in America threatened to post patient details on the internet unless she was paid money that she claimed was owing to her...."

Credit Card Merchants Face Deadline for Data Safety

Computerworld is reporting that credit card issuers in the United States are about to implement tougher security standards for their merchants:

Merchants Face Deadline for Data Safety - Computerworld:

"APRIL 25, 2005 (COMPUTERWORLD) - Companies that manage credit card information have just over a month to comply with new data-protection requirements being pushed by MasterCard International Inc. and Visa U.S.A. Inc. amid growing concerns about identity theft and fraud...."

Illinois Bill to require notification when info illegally accessed

From the Champaign-Urbana News-Gazette:
Bill to require notification when info illegally accessed :

"... Legislation pending before the Illinois Senate calls for companies to reveal when such breaches occur. House Bill 1633, which would create the Personal Information Protection Act, passed the Illinois House by a vote of 96 to 12 on April 14. It's now in the Senate rules committee. So far, it has 37 Republican and Democrat sponsors, including Rep. Naomi Jakobsson, D-Champaign, and Rep. Bill Black, R-Danville...."

Equity Firm Is Set to Buy DoubleClick

The New York Times is reporting that a private equity firm is about to buy DoubleClick, a company that has repeatedly been in the privacy crosshairs: The New York Times > Business > Equity Firm Is Set to Buy DoubleClick.

Yahoo Settles Dispute Over Deceased Marine's Data

Rob Hyndman is blogging about the resolution to the battle over a dead Marine's e-mail account: robhyndman.com - Yahoo Settles Dispute Over Deceased Marine's Data.

Release: Shaw will Continue to Defend Customer Privacy

Shaw Communications Inc. appears to see its approach to protecting customer privacy to be a competitive advantage and important to its customers. It has issued the following press release, just to make sure you know what side they are on:

Shaw will Continue to Defend Customer Privacy: "

Monday April 25, 8:05 am ET

CALGARY, Alberta--(BUSINESS WIRE)--April 25, 2005--Shaw Communications Inc. announced today that it strongly opposes an appeal by the Canadian Recording Industry Association ("CRIA") in the Federal Court of Appeals that would require the Company to disclose personal information about its Internet customers who share or swap music files. Shaw appeared in front of the Federal Court of Appeals to reaffirm this position.

In March 2004, the Federal Court of Canada confirmed that Canadian Internet Service Providers ("ISPs") like Shaw are not required to disclose personal information about their Internet customers to representatives of the CRIA. The Court's decision fundamentally underscored the importance of protecting the privacy of Canadian Internet users. CRIA is seeking to overturn the decision.

"We will continue to defend and safeguard the privacy of our customers," said Jim Shaw, Chief Executive Officer of Shaw. "We have a responsibility to our customers to ensure that their privacy is respected and protected and we will remain steadfast in this position."

Shaw Communications Inc. is a diversified Canadian communications company whose core business is providing broadband cable television, Internet, Digital Phone and satellite direct-to-home ("DTH") services to approximately 3.0 million customers. Shaw is traded on the Toronto and New York stock exchanges and is a member of the S&P/TSX 60 index (Symbol: TSX - SJR.NV.B, NYSE - SJR).

Shaw Communications Inc. (TSX:SJR.NV.B - News; NYSE:SJR - News)


Contact:

Shaw Communications Inc.
Peter Bissonnette
President
(403) 750-4500"

Shopping for data

FCW, which bills itself as your "Government IT Resource", is running an article on the US government's use of the services of data aggregators. It also has a summary of legislative initiatives to regulate them, incuding the following:

Shopping for data:

"Federal lawmakers have introduced 18 cybersecurity bills and state legislators have offered 30 bills to regulate the use of personal information and to respond to growing online threats stemming from spyware, phishing and other pernicious activities on the Internet.

Here are a few highlights from bills proposed by Sen. Dianne Feinstein (D-Calif.) and Sens. Charles Schumer (D-N.Y.) and Bill Nelson (D-Fla.):

S. 751 (Feinstein):

Would require any agency or company that collects personal information to notify potential victims of identity theft when a security breach is discovered.

Would impose a fine of up to $50,000 a day for each day that a company fails to notify victims about unauthorized access to personal information. S. 768 (Schumer-Nelson):

Would create an Office of Identity Theft at the Federal Trade Commission to help victims of identity theft.

Would require any company that holds sensitive personal information to take reasonable steps to protect it. "

Sunday, April 24, 2005

NYT: The Security Adviser: You've Been Sold

Today's New York Times Magazine has a piece on identity theft and risks to personal information: The New York Times > Magazine > The Security Adviser: You've Been Sold:

"... To fight thieves and terrorists, maybe Congress needs to come up with an identity-protection bill of rights. Of course, companies that have insecure networks and databases, or those that make money with sensitive data about you, may disagree."

Privacy watchdog warns online job seekers to beware

ID Thieves go where the data is. If it is on a resume posted online, there they are: SecurityFocus HOME News: Privacy watchdog warns job seekers to beware.

Saturday, April 23, 2005

Is Your Shoe Spying on You?

Today Rob Hyndman asks: Is Your Shoe Spying on You?. Looks like we'll need to ditch the cell phone, pay cash, wear wooden shoes and take the batteries out of our toques to make sure we aren't generating discoverable evidence...

Friday, April 22, 2005

Genuity fires back at CIBC with, among other things, a PIPEDA lawsuit

According to the Globe and Mail, the Genuity and CIBC litigation has been turned up a notch by inlcuding a claim by former employees that CIBC invaded their privacy. The employees are seeking a million dollars in damages each from the bank: The Globe and Mail: Genuity fires back at CIBC.

Incident: Blood, medical records stolen from Chicago clinic

This is the grossest privacy incident I've chronicled on this blog. Medical information, including blood and stool samples, have been stolen from a medical clinic in Chicago. Apparently, social security numbers were also part of the haul: ABC7Chicago.com: Blood, medical records stolen.

Thursday, April 21, 2005

Incident: Japanese telco employee arrested for taking customer information

From the Daily Yomuiuri On-Line:

DoCoMo staffer held over leak :

"The Metropolitan Police Department has arrested a 41-year-old temporary employee who formerly worked for NTT DoCoMo Inc. over a leak of clients' personal data. "

Interesting. I seem to recall a Canadian case that held data is not property and therefore can't be stolen. You'd have to find some sort of breach of trust to actually arrest someone.

Another interesting comment from the article:

"According to NTT DoCoMo, the walls of the secure room are glass and six security cameras record the movements of everybody who enters or leaves all day, every day.

To enter the room, a person must pass security checks, including an iris biometric identification system, company executives said.

Security analysts said the incident showed that the most advanced security systems could not prevent an insider from stealing data."

Canadian ISP says it's ready to ID owners of IP addresses accused of song piracy

It's interesting to learn that the ISPs are not unanimous in the Federal Court of Appeal battle over the disclosure of subscriber information to the recording industry. One of them is siding with the recording industry:

Videotron says it's ready to ID owners of IP addresses accused of song piracy:

"Producing the identities of Internet users alleged of wrongdoing happens so regularly, says a lawyer for Videotron, that he's bewildered as to why other ISPs are fighting a motion from the music industry to hand over the names of people who share large volumes of songs online.

"We do it on a regular basis. It's not very complicated," said Serge Sasseville, following the conclusion of weighty Federal Court of Appeal hearings about file-swapping, which could lead to the start of lawsuits against so-called music pirates.

...

Videotron has aligned itself with the music industry's motion saying it agrees that putting songs in a shared directory on peer-to-peer networks like Kazaa and IMesh constitutes copyright infringement because it allows users to copy and download the material for free...."

Incident: Carnegie Mellon Says Computers Breached

Another week, another university privacy incident. This time, it's Carnegie Mellon University in Pennsylvania:

Carnegie Mellon Says Computers Breached:

"Carnegie Mellon University is warning more than 5,000 students, employees and graduates that their Social Security numbers and other personal information may have been accessed during a breach of the school's computer network..."

Incident: Ontario student loan documents found in Thunder Bay landfill

A box of documents, labeled as "Material for Shredding" was left in front of a recycling bin at a Thunder Bay landfill. In the box were documents related to student loan applicants, including social insurance numbers, financial statements and other sensitive information. The Information and Privacy Commissioner of Ontario has begun an investigation:

Privacy botched: Copies of OSAP documents land at dump (Thunder Bay Chronicle-Journal):

"By Stephanie MacLellan - The Chronicle-Journal

April 21, 2005

The Ontario privacy commissioner’s office is investigating after confidential information from the Thunder Bay office that runs Ontario’s student loan program turned up in the John Street landfill Tuesday.

Some papers found in the landfill listed social insurance numbers, income information and home addresses for Ontario Student Assistance Program applicants.

Four boxes from the student support branch of the Ministry of Training, Colleges and Universities, located in the Ontario government building on Red River Road, were discovered by a custodian Tuesday at about 3:30 p.m. They were stacked in front of a paper recycling bin at the landfill.

The boxes were labelled, “Material for shredding,” but the papers were intact. The boxes have been retrieved and the Office of the Information and Privacy Commissioner has launched an investigation, said office spokesman Bob Spence.

“We look into what did happen and make a series of recommendations,” he said Wednesday.

Charges won’t be laid unless it’s shown someone intentionally violated the Freedom of Information and Protection of Privacy Act, he said.

The student support office runs the provincial student loan program, known as OSAP. Two boxes contained “garbage,” and the other two held filed copies of correspondence between staff and OSAP applicants that included personal information, ministry spokeswoman Linda Nicolson said.

“Those were not the original documents, but the working copies the staff works with,” she said.

Those copies were to be shredded before they were thrown out, she said.

She said it wasn’t clear what was included in the “garbage” boxes, or how long the boxes sat in the landfill.

Office staff notified the ministry after the boxes were found, and the ministry immediately contacted the privacy office, Nicolson said. The ministry has also launched its own investigation into the incident.

“We want to make sure that we’re following the best practices, in terms of the records that are kept in the OSAP office,” she said. “We want to make sure that this doesn’t happen again, and that we do whatever we have to do to ensure that.”

Documents that arrive at the student support office are scanned into a computer imaging system, with the paper copies stored for six months, Nicolson said. After that, they are transferred to a government records storage facility, where they are stored for 20 years, then destroyed.

Reino Viitala, a custodian at a Thunder bay seniors’ home, discovered the boxes Tuesday afternoon when he made his weekly stop at the landfill. They drew his attention because they were sitting in front of a paper recycling bin, which was overflowing.

He was hoping to reuse the file boxes, until he realized they contained personal information.

“Social insurance numbers, addresses, names, financial statements, the whole bit,” he said. “I was concerned. . . . I know how sensitive that information is.”

He said one of the boxes was partially open and papers were escaping.

Viitala called the phone number on one of the forms and reached the student support office. He reported the boxes and waited at the landfill for over an hour until someone showed up to collect them, he said. He left after he helped her load the boxes into an SUV.

Spence said there is a danger of identity theft if this kind of information ends up in the wrong hands.

“Identity theft rarely happens, but it can happen, and that’s one of the reasons care has to be taken in the destruction of records,” he said."

Hmm. Not sure if identity theft "rarely happens"...

Michigan insurers stop using SSN as indentifier

Arguably, the title of this article should be "Health care providers stop facilitating ID thefts": Health care providers help foil ID thefts - 04/15/05.

Wednesday, April 20, 2005

Privacy from the trenches

Scott Granneman, in The Register, joins the chorus of those calling for stronger privacy laws in the United States:

Privacy from the trenches | The Register:

"... I hate to involve the government unless it's necessary, but I think something's got to give here. We can't rely on companies, schools, and organizations policing themselves. That's obviously a terrible failure. We need federal legislation to mandate that organizations that experience data thefts must notify those affected by the breach in a timely manner. As Mark Rasch stated earlier this week, recent legislation was passed that requires this for all financial institutions in the U.S., but all other companies are still off the hook. Right now, a few states have such a law -- California is one, which is why ChoicePoint even had to make its embarrassing revelation in the first place -- but there is no federal, all-encompassing requirement for anything but financial institutions (and even that law is very recent). This needs to change, and soon. Other states have proposed legislation, but it varies from state-to-state. A new federal law would be a great start. Right after that, a few class-action lawsuits against particularly egregious carelessness might also wake companies and schools up to the necessity of protecting data. Again, I don't like bringing in the lawyers, but to paraphrase the great Dr. Samuel Johnson, 'Depend upon it, sir, when a man knows he is to be sued in a fortnight, it concentrates his mind wonderfully.'..."

ChoicePoint Division Changes Tack, Notifies Individuals of Use of their Information

Wired News is reporting that a recently-acquired division of embattled ChoicePoint is changing its practices by notifying individuals if a negative criminal records check has been disclosed:

Wired News: ChoicePoint Division Changes Tack:

"...On Tuesday, the company sent an e-mail to customers announcing that it is implementing 'a new compliance policy.' Effective April 25, whenever a customer runs a background search on someone through the Rapsheets database for employment- or volunteer-screening purposes and the search unearths a criminal record for that person, Rapsheets will automatically notify the person and provide him or her with a copy of the background report and the name and address of the organization that requested it...."

IRS security flaws expose taxpayer data to snooping, GAO finds

Earlier this week, the GAO of the United States reported that problems with the Internal Revenue Service's computer systems may threaten the privacy and security of taxpayer information. Computerworld coverage: IRS security flaws expose taxpayer data to snooping, GAO finds - Computerworld.

Frisco ID thieves targeting car dealerships

According to Inside Bay Area, a band of ID thieves has been targeting San Francisco area car dealerships to acquire personal information: Protecting consumers' personal information may not be possible

Final phase of HIPAA goes into effect today

The Security Rule under the Health Insurance Portability and Accountability Act goes into effect today in the United States:

Jacksonville.com: Metro: Patient privacy law on data takes effect 04/20/05:

"...Today's deadline applies to the law's Security Rule, which requires that doctors' offices, hospitals and health insurance companies establish rigid programs to ensure the privacy of personal health information of their patients and clients. The rule specifies three types of safeguards that must be put in place -- administrative, physical and technical -- as well as a risk analysis which each entity must perform to guarantee the system works...."

Illinois universities take steps to combat identity theft

Universities in Illinois are joining the twenty-first century by taking social security numbers off student cards and using them as student numbers: AP Wire | 04/18/2005 | Illinois universities take steps to combat identity theft.

Tuesday, April 19, 2005

Describing privacy

When I give presentations and teach about privacy, I always start with a discussion of "what is privacy". The concept means very different things to people, depending upon their background and the baggage they bring to the discussion. to help us wade through this, Daniel Solove, of George Washington University Law School has written an article in the U. Penn Law Review that addresses the vocabulary and taxonomy of the slippery concept of privacy:

SSRN-A Taxonomy of Privacy by Daniel Solove:

"Privacy is a concept in disarray. Nobody can articulate what it means. As one commentator has observed, privacy suffers from 'an embarrassment of meanings.' Privacy is far too vague a concept to guide adjudication and lawmaking, as abstract incantations of the importance of 'privacy' do not fare well when pitted against more concretely-stated countervailing interests.

In 1960, the famous torts scholar William Prosser attempted to make sense of the landscape of privacy law by identifying four different interests. But Prosser focused only on tort law, and the law of information privacy is significantly more vast and complex, extending to Fourth Amendment law, the constitutional right to information privacy, evidentiary privileges, dozens of federal privacy statutes, and hundreds of state statutes. Moreover, Prosser wrote over 40 years ago, and new technologies have given rise to a panoply of new privacy harms.

A new taxonomy to understand privacy violations is thus sorely needed. This article develops a taxonomy to identify privacy problems in a comprehensive and concrete manner. It endeavors to guide the law toward a more coherent understanding of privacy and to serve as a framework for the future development of the field of privacy law. "

Thanks to Bruce Schneier for the link: Schneier on Security: A Taxonomy of Privacy.

Update: Ten times more exposed in shoe data breach

MSNBC is reporting that DWS Shoe Warehouse under-reported the impact of their earlier privacy incident by a factor of ten: 1.4 million exposed in shoe data breach - Consumer Security - MSNBC.com. For the posting of the original reports, see PIPEDA and Canadian Privacy Law: Incident: Shoe chain says customer data stolen.

Incident: Ameritrade warns 200,000 clients of lost backup tape

MSNBC is reporting that online brokerage Ameritrade has begun warning two hundred thousand current and former customers that their personal information (including social security numbers) is on a lost backup tape: Ameritrade warns 200,000 clients of lost data - Consumer Security - MSNBC.com.

Monday, April 18, 2005

Privacy Commisioner of Canada releases her report on the CIBC faxing incidents

The Privacy Commissioner of Canada has just released her report on the "CIBC faxing incident", in which faxes related to customers of the bank repeatedly were sent to a junk yard in West Virginia and Dorval, Quebec. The incident garnered a huge amount of press when the incidents came to light and CIBC faced a barrage of criticism for allowing it to continue unabated for three years. In her Incident Summary and Addendum (released today at 1:00 Eastern), the Commissioner found fault with the bank's practices that meant repeated incidents were never brought to the attention of senior management who were supposed to be responsible for the organization's privacy compliance. The Commissioner also criticises the bank for not informing customers that these incidents had taken place. (The Canadian media only became aware of it when the owner of the junk yard in West Virginia made it public.) The Commissioner also notes, in her press release, that
“simply publishing a privacy policy does not make a business privacy compliant. Organizations must ensure that all employees are aware of and adhere to privacy policies. When there are breaches, these must be brought to the immediate attention of the organization’s privacy officials,” said Ms. Stoddart. This did not happen with CIBC.

Organizations, large and small, must make sure that all employees are aware of their privacy obligations. There has to be a mechanism to ensure that all privacy-related incidents, large and small are brought to the attention of a senior officer, whose job includes constant awareness of the big picture and what is going on. The problem at CIBC was that each individual fax was a "minor incident" that was probably easy to dismiss as a "one off". When this happens hundreds of times, and nobody thinks to report it to senior management, it can quickly turn into a major disaster. There hasn't been any suggestion (yet) that anyone has been harmed as a result of this incident, but the bank has been working overtime to address customer concerns.

I still hear from business who think they are 100% compliant with Canada's privacy laws because they have a privacy policy or get customers to sign consent forms. That's a start, but it is a long way from compliance. I have yet to see a business end up on the front page for not having a privacy policy or for using the wrong form. The incidents that wind up causing huge problems are those caused by lack of training and awareness on the part of employees and a lack of a "culture of privacy" in the company.

The Commissioner also notes, in her press release:

In light of these events and other current investigations by the Office of the Privacy Commissioner into similar cases involving misdirected faxes within the banking sector, we strongly urge all organizations subject to PIPEDA to assess their policies and privacy management practices and address any shortcomings.

The current environment of identity theft and increased concern about privacy among the general public means that this is no longer an issue that businesses can afford to become complacent about. "Can this incident happen to us?" is a question that has to be asked. For too many businesses, the answer is yes and, for some, it is merely a matter of time.

For more coverage, see

Saturday, April 16, 2005

Dilbert: Identity theft and the pointy-haired boss

USA Today: Rules aimed at digital misdeeds lack bite

USA Today has a breathless article about legislative initiatives to fight the recent wave of "cybercrimes". Hmm. They cite the Lexis-Nexis and ChoicePoint incidents, but fail to mentin that neither was a "cybercrime." Good old fashioned fraud. If you want, give it a read:

Yahoo! News - Rules aimed at digital misdeeds lack bite:

"Federal and state lawmakers, compelled by headlines of a computer-crime wave, are scrambling to introduce bills that would tighten cybersecurity and make it easier for prosecutors to file charges and impose stiffer penalties.

Digital thieves have rarely been so audacious. Data breaches at ChoicePoint, LexisNexis, the University of California and elsewhere, in which the personal records of thousands of Americans were pinched, underscore the brazen tactics of criminals marauding like gunslingers on a lawless Internet, security experts say...."

Credit card debacle centers on Polo sales software

CNET's Security Blog says that a representative of Polo Ralph Lauren called CNET to tell them that the recent incident was the result of inappropriate storage of customer information in their point-of-sale software:

Credit card debacle centers on Polo sales software | News.blog | CNET News.com:

"Following Thursday's news that both MasterCard and Visa were informing some customers that a U.S. retailer -- now positively identified as Polo Ralph Lauren -- had experienced a security mishap that may have compromised card holders' data, the issue has been confirmed as a technology-related problem. In a statement phoned in to News.com overnight, Polo said that the credit card data in question was inappropriately stored in its point-of-sales software system...."

Official Cars In The UAE Will Have IBM-Installed Back Seat Drivers

Techdirt is reporting that IBM has been given a contract to install a sophisticated telematics system in all official cars in the United Arab Emirates to keep tabs on drivers and to rat out the bad ones.

Techdirt:Cars In The UAE Will Have IBM-Installed Back Seat Drivers:

"Contributed by Dennis on Friday, April 15th, 2005 @ 12:42AM from the as-if-i-need-yet-another-voice-nagging-at-me dept.

In an effort to stem a rising tide of automobile-related accident deaths, the UAE has contracted IBM to install telematics 'black boxes' in tens of thousands of emergency and government vehicles. The systems will be connected to a nationwide wireless network, making it the largest telematics network in the world. In addition to tracking vehicle speed and location, the system will also vocally warn the driver if they are speeding. While this is a huge win for IBM in its big bet on becoming the world's high-end services and business process vendor, will this system actually make the roads any safer? We've discussed numerous times here that speed cameras don't work. Also, in the case of traffic light cameras, thinking that big brother is watching makes for some nervous, brake-happy drivers -- which, in turn, results in a higher number of rear-end collisions at camera equipped traffic signals. With the telematics system, the UAE could end up with a nation full of enraged drivers, not paying attention to the road because they're busy being nagged by their cars for driving too fast. Just because big brother is watching doesn't mean it's safer. "

Links in the original post.

Friday, April 15, 2005

Incident: 2 Computers Stolen From American Century Investments

Yahoo! News - 2 Computers Stolen From American Century Investments:

"American Century Investments is working around the clock to notify customers after someone stole two laptop computers with thousands of people's personal information on them.

KMBC's Jim Flink reported that the break-in happened at the company's downtown office on Main Street April 6...."

Business Week advocates suing companies for data leaks

Business Week is usually pro-business, but it has an unusual take on the issue of companies leaking personal information. Give people the ability to sue, individually and in class actions. It may be a blunt instrument, but it speaks the language that business understands.

Personal Data Theft: It's Outrageous:

"... At a time when the Bush Administration and the Republican majority in Congress have put tort reform high on their agenda, talking about new tort rights is distinctly unfashionable in Washington. But creating liability for companies that fail to take proper care of the data entrusted to them is probably the most efficient way to get businesses to do the right thing.

SEE YOU IN COURT? Companies possessing personal data should be required to take all reasonable steps to protect it along the lines already in place for financial data under the Sarbanes-Oxley Act and for medical records under the Health Insurance Portability & Accountability Act. Individuals whose information is lost because a custodian has failed to protect the data adequately should have the right to bring individual suits or class actions for damages.

Tort suits, especially class actions, are a blunt instrument for enforcing good behavior, and they can be abused. But liability is a language that business understands, and monetary disincentives are something corporations respond to. And cumbersome as the court system is, it can be faster and more effective than government civil penalties (criminal sanctions should be reserved for the most egregious cases). This is by no means a magic bullet, but would at least create a monetary incentive, where none now exists, for data companies to be careful.

The incidents of wrongfully obtained data from ChoicePoint and LexisNexis are only the most prominent in what's increasingly a mass assault on the privacy and security of our information. Clearly some government action is needed, mainly to give law enforcement better tools to prosecute obvious cybercrimes such as phishing...."

Thanks to Rob Hyndman for the link.

Comcast sued for disclosing customer info

According to CNET (via PrivacySpot.com), Comcast is being sued by a woman whose personal information was disclosed to RIAA in connection with a lawsuit. She says no court ordered the disclosure, which only came to her attention when she was contacted by a collection agency pushing her to pay up on behalf of the RIAA. See: Comcast sued for disclosing customer info | CNET News.com

Thursday, April 14, 2005

Forbes.com: Are Companies Liable For ID Data Theft?

In the aftermath of the most recent incident involving Polo Ralph Lauren, Forbes Magazine is asking whether companies should be held liable for identity theft if their lax security is to blame.

Forbes.com: Are Companies Liable For ID Data Theft?:

"...

"A case could be made that [companies whose data is stolen] do have a responsibility," says Anita L. Allen, Henry R. Silverman professor of law at the University of Pennsylvania School of Law. Publicizing private facts about people is a tort, she says, and companies can be held liable even if the victim hasn't suffered a monetary loss. "If they recklessly failed to protect the information, that might be seen by a jury or judge as highly offensive conduct," she says.

...

Insecure databases of online retailers and information brokers are fueling the problem, providing huge batches of potential identities to steal. So consumers are increasingly asking that businesses be held responsible for securing the personal information they maintain.

In the wake of its security breach, ChoicePoint offered one year's worth of free credit monitoring to the consumers affected. But attorney Peter A. Binkow says consumers deserve more, even though most have not yet been the victim of fraud.

"While that might be a step in the right direction, our belief is that [ChoicePoint's offer] is not enough," he says. One year "is not enough time to see if someone has misused their information."

Binkow's firm, Glancy, Binkow & Goldberg, has filed a class-action suit against ChoicePoint on behalf of consumers who had their information exposed, and he plans to ask for an extension of the one-year monitoring, as well as for the establishment of a system to help consumers who do get hit by fraud. They may also seek monetary damages.

ChoicePoint became aware of the problem when Eileen Goldberg, the mother of one of the company's partners, received a letter from ChoicePoint saying that her personal information had been exposed. She didn't know what to do and took it to her son.

Binkow says ChoicePoint needs to take responsibility for the consumers who don't have those sorts of resources and will likely be confused about how to protect themselves. "I'm an attorney, and I'm fairly confused by this stuff," says Binkow. "If I found out my identity had been stolen, I wouldn't know where to start."

It's unlikely that a court would award monetary damages, unless a judge or jury wanted to make an example of the offending company, according to attorney Allen. But a court might well order remedies like added security precautions or help with credit monitoring.

Unlike ChoicePoint, retail businesses like DSW and Ralph Lauren Polo don't trade in sensitive information like Social Security numbers. But they still might be held responsible for exposing credit-card numbers, particularly if the breach occurred because of poorly implemented or maintained security technology.

Companies are free to establish their own privacy and security policies (most if not all online businesses, including Forbes.com, state their privacy policies online), but all are mandated by the U.S. Federal Trade Commission to follow their stated policies. If they do not, says Allen, they could be charged with fair trade violations. Beyond that, a court might force a company to pay damages if it's clear it didn't do everything it could to protect its customers.

"If some company is extremely negligent in the way they handle data, they could be liable for damages," says Allen. "Any business that exists online has to worry about this.""

Incident: Polo Ralph Lauren Customers' Data Stolen

I blogged earlier today about an incident involving an "unnamed retailer" connected with a huge number of stolen credit card numbers. (See PIPEDA and Canadian Privacy Law: Incident: GM MasterCard holders exposed to possible ID theft.) Apparently the retailer involved was Polo Ralph Lauren:

Polo Ralph Lauren Customers' Data Stolen:

"Data apparently stolen from the popular clothing retailer Polo Ralph Lauren Corp. is forcing banks and credit card issuers to notify thousands of consumers that their credit-card information may have been exposed...."

Thanks to Secondary Screening for the link.

Incident: GM MasterCard holders exposed to possible ID theft

A large number of credit card holders are being notified that their information may have been compromised after a large number of the cards were used at an undisclosed retailer:

GM MasterCard holders exposed to possible ID theft:

"About 180,000 General Motors rewards credit cardholders will be notified that someone might have stolen their personal information in a data breach that could affect an even bigger number of MasterCard and Visa customers.

Cards by HSBC, the bank that issues the GM MasterCard to about 6 million customers, were used at a U.S.-based retailer that neither MasterCard nor Visa would identify Wednesday.

HSBC has been sending out letters this week to the 3 percent of those cardholders whose plastic was used at the anonymous retailer between June 2002 and December 2004. The letters notify them of the problem and offer new replacement cards to any customers who want them...."

See also Boston.com / Business / Technology / Breach in security reaches 2d credit firm.

Wednesday, April 13, 2005

Data brokers didn't notify consumers of past breaches

According to testimony before the Senate Judiciary Committee today, both ChoicePoint and Lexis-Nexis admitted to previous incidents in which the individuals involved were not informed. Read more about it at Computerworld:

Data brokers didn't notify consumers of past breaches - Computerworld:

"APRIL 13, 2005 (IDG NEWS SERVICE) - WASHINGTON -- Two large data brokers that recently reported data breaches potentially affecting hundreds of thousands of U.S. residents have been compromised in the past and have not notified victims, executives from the two companies told a U.S. Senate committee today...."

Things are looking worse and worse for the data aggregation industry in the United States.

Privacy on the Senate Judiciary Committee's Agenda

The United States Senate Judiciary Committee had a blue ribbon panel testifying on privacy and security today. I haven't seen any testimony posted online yet, but when I do I'll point to it. (The prepared statements are, however, available on the page below.)

United States Senate Committee on the Judiciary:

"NOTICE OF COMMITTEE HEARING

The Senate Committee on the Judiciary has scheduled a hearing for Wednesday, April 13, 2005 at 9:30 a.m. in Room 226 of the Senate Dirksen Office Building on 'Securing Electronic Personal Data: Striking a Balance Between Privacy and Commercial and Governmental Use'.

Senator Specter will preside.

By order of the Chairman

Witness List

Hearing before the Senate Judiciary Committee

on

"Securing Electronic Personal Data: Striking a Balance Between Privacy and Commercial and Governmental Use"

Wednesday, April 13, 2005
9:30 a.m. Senate Dirksen Building, Room 226

PANEL I

Deborah Platt Majoras
Chairman
Federal Trade Commission
Washington, DC

Chris Swecker
Assistant Director for the Criminal Investigative Division
Federal Bureau of Investigation
Washington, DC

Larry D. Johnson
Special Agent in Charge
Criminal Investigative Division
U.S. Secret Service
Washington, DC

William H. Sorrell
President
National Association of Attorneys General
Montpelier, VT

PANEL II

Douglas C. Curling
President, Chief Operating Officer and Director
ChoicePoint Inc.
Alpharetta, GA

Kurt P. Sanford
President & CEO, U.S. Corporate & Federal Markets
LexisNexis Group
Miamisburg, OH

Jennifer T. Barrett
Chief Privacy Officer
Acxiom Corp.
Little Rock, AR

James X. Dempsey
Executive Director
Center for Democracy & Technology
Washington, DC

Robert Douglas
CEO
PrivacyToday.com
Steamboat Springs, CO "

Michigan law holds employers responsible for protecting employees against ID theft

Thanks to Michael Fitzgibbon of Thoughts from a Management Lawyer fame, for sending me a link to the following article on the Littler Mendelson website.

Hot on the heels of the finding of liability against a trade union for not protecting members' information, the Michigan state government has enacted legislation to require employers to protect employee personal information:

asap_04_MI_IdentityTheft.htm:

"In early 2005, Michigan became the first state in the nation to enact legislation requiring that every employer maintain a policy for safeguarding employee social security numbers. During the same time frame, the Michigan Court of Appeals became the first appellate court to allow the victims of identity theft to recover damages (totaling $275,000) from an organization that failed to adequately safeguard personal information that was subsequently used for identity theft. These national precedents expose Michigan employers to liability for failing to safeguard employee personal information, and open the door to employer liability for workplace identity theft in other jurisdictions that likely will follow Michigan's example...."

ND passes law about ownership of auto black box data

Apparently North Dakota has passed a law which says auto black box data can only be taken with a court order. See David Canton's eLegal Canton blog post.

Tuesday, April 12, 2005

Record companies v file sharers, Round II ...

In his eLegal blog, David Canton reports that the next round of BMG Canada v John Doe will fought out at the Federal Court of Appeal next week. This is the case in which the Federal Court refused to make a number of internet service providers hand over personal information about suspected file-sharing miscreants. See: eLegal Canton: Download wars continue.

US Government Surpasses Business in Protecting Citizens' Privacy

In the United States, citizens are more often concerned about the information held by government. After a huge range of privacy breaches in the private sector, Newhouse news has an interesting take on how the US federal government secures personal information in its custody:

Government Surpasses Business in Protecting Citizens' Privacy:

"WASHINGTON -- Here's a surprise:

In the face of increasingly intrusive information-gathering technology, many experts on privacy are convinced the U.S. government does a better job than business when it comes to protecting data compiled on hundreds of millions of Americans.

Federal agencies including the Internal Revenue Service, the Social Security Administration, the Census Bureau and the Centers for Medicare & Medicaid Services routinely collect and store detailed personal information about each citizen.

They keep a security lid on it with stiff criminal and civil penalties for improper disclosure. Leaks have been rare.

"That is because the federal government inherently is not in the business of moving information around to make the economy and commerce flow," said Robert Atkinson, a technology expert at the Progressive Policy Institute. "They use information for very narrow purposes, and in those situations it's a lot easier to protect data."

In the private sector, citizens often simply are viewed as consumers, their personal information a valued commodity to be bought and sold and exploited in a marketplace where data mining is the rage, and where identity theft has become widespread.

...

While laws on the subject have varied from state to state, effective April 20 tighter new federal privacy guidelines will cover private-sector electronic transactions handled by most health plans, care providers and health data clearinghouses. The rules were drafted by the Centers for Medicare & Medicaid Services, responsible for the confidentiality of health care records of 82 million citizens.

Still, federal authorities fear that public reaction to abuses in the private sector will damage faith in the government and interfere with its efforts to perform assigned functions.

...

"We think privacy is essential in building trust," said Gerald Gates, chief enforcement officer at the Census Bureau.

"We have a strict confidentiality statute, with penalties of five years in prison and $250,000, and training for employees on an annual basis. In 35 years there has never been a violation that has come to my attention."

The IRS, which processes 130 million individual and family tax returns annually, takes a back seat to no other agency in respecting the confidentiality of taxpayer records, said spokesman John Lipold.

"We never, ever disclose anybody's personal privileged information except as authorized by law, and there are stringent access rules," he said.

Then there's the Social Security Administration, which each year keeps track of some 160 million people reporting their wages and paying Social Security taxes, another 50 million collecting retirement benefits, and 50 million more aged, blind and disabled Americans getting Supplemental Security Income payments.

"Nobody has access to our computer records," said spokesman Mark Hinkle, adding that the agency enforces a "zero tolerance" policy for privacy violations...."

Leaks of personal health information can have side effects on your health

In the wake of a recent incident in San Jose involving the leak of personal information from a medical clinic, the San Jose Mercury News is running a story about how privacy fears affect patients:

MercuryNews.com | 04/12/2005 | Medical data thefts spur worry:

"The recent theft of two computers from the San Jose Medical Group could have repercussions beyond the 185,000 people whose billing records were on those machines.

Privacy advocates worry that this case, and a rash of others involving the loss of personal data, will make people afraid to get the medical care they need.

``It has a devastating impact on the way people seek health care,'' said Emily Stewart, a policy analyst for the non-profit Health Privacy Project in Washington, D.C.

In a 1999 survey, she said, one out of six people said they were so worried that their medical or financial details would leak out that they withheld information from their doctors, skipped from doctor to doctor to avoid having all their records in one place or paid cash to avoid dealing with insurance companies.

Emma Burgess, 34, a former patient of San Jose Medical Group, said the break-in ``really irks me in a big way'' -- especially since she left the group four or five years ago...."

If anyone has a copy of that survey, please e-mail me at david.fraser (at) mcinnescooper.com.

Incident: LexisNexis Data on 310,000 more people compromised

Hot off the wires....

Apparently internal investigations by LexisNexis related to the original security breach announced in March has revealed that 310,000 more people are affected than originally stated:

Yahoo! News - LexisNexis Data on 310,000 People Feared Stolen:

"NEW YORK/AMSTERDAM (Reuters) - Data broker LexisNexis said Tuesday that personal information may have been stolen on 310,000 U.S. citizens, or nearly 10 times the number found in a data breach announced last month.

An investigation by the firm's Anglo-Dutch parent Reed Elsevier determined that its databases had been fraudulently breached 59 times using stolen passwords, leading to the possible theft of personal information such as addresses and Social Security numbers.

LexisNexis, which said in March that 32,000 people had been potentially affected by the breaches, will notify an additional 278,000 individuals whose data may have been stolen.

Of the initial group contacted, only 2 percent asked the company to conduct an investigation of their credit records. LexisNexis has found no cases of identity theft, such as using a stolen Social Security number to apply for a credit card.

'We need to write to them and offer the same kind of support and investigation we offered the original 32,000,' a Reed Elsevier spokeswoman said.

'Of the original group, it's somewhat encouraging that none of them has suffered identity theft.'

Law enforcement authorities are assisting the company's investigations, which coincide with a rash of similar break-ins at other companies handling consumer data...."

For information on the original breach, see PIPEDA and Canadian Privacy Law: Incident: Personal information of 32,000 stolen from LexisNexis.

More coverage and update:

Better shred than read: Community paper on what local organizations are doing to protect personal information

Thanks to HIPAA Blog for pointing me to this interesting article in a local paper that chronicles what community businesses and organizations are doing in in Muscatine, Iowa to protect personal information. For example, city hall is shredding like crazy:

MuscatineJournal.com:

"...City Hall, schools

David Casstevens, director of Administrative Services for the city of Muscatine, says there are three paper shredders in City Hall, where shredding receipts and personnel information has been practiced for at least five years.

Nearly every county office has at least one shredder. Check stubs and vendor claims are destroyed after two years; primary and general election materials are destroyed after 22 months; and city, school board, and county supervisor election results are destroyed after six months.

Current school records are all that's stored at the respective schools in the Muscatine School District. Superintendent Tom Williams says that space for records is limited and older records are stored on microfiche and CDs. The paper copies are stored in bins until June when staff can begin to shred them.

Muscatine Power & Water, does its own shredding and also uses a boiler in the power plant to burn some of its sensitive documents, according to MPW spokesman Gary Wieskamp. He said accounts payable and invoices are recorded on microfilm...."

The article discusses the local police, a number of local merchants and other organizations. Interesting to see a community paper take such an interest.

Incident: Tufts University warns alumni on breach

Yet another university is contacting students and alumni about a possible privacy breach. This time, it is Tufts University in Boston, which has noticed suspicious activity on one of its computer systems that contains sensitive personal information:

Boston.com / Business / Technology / Tufts warns alumni on breach:

"... Tufts University last week began sending letters to 106,000 alumni, warning of ''abnormal activity' on a computer that contained names, addresses, phone numbers, and, in some cases, Social Security and credit card numbers.

''We have no evidence that information was retrieved or misused,' the letter said. But it urged alumni to notify their banks and check their credit reports for signs of illicit activity. The school also set up a website, www.tufts.edu/security, to provide alumni with more detailed information..."

Monday, April 11, 2005

Most Privacy Friendly Places On the Web

Jay Cline in Computerworld has taken a scoot around the web to see how the most popular sites stack up with respect to privacy. The yardstick he used to measure are the Safe Harbour principles for compliance with the European Union Privacy Directive. I'd suggest that he use the ten principles from the Canadian Standards Association Model Code for the Protection of Personal Information, but the Safe Harbour Principles are a good place to start.

Safest Places On the Web - Computerworld:

"...So how do we know where our data is safe? The best answer I found is this: We need to look for privacy policies that address the Safe Harbor privacy principles negotiated by the U.S. Department of Commerce and the European Union. Why? Because these principles represent best practices in privacy and security, and companies that publicly commit to them are at great legal risk if they don't adhere to them. A solid privacy policy is our best guarantee of data safety...."

His findings are well worth the read.

How Dangerous Is Outsourcing?

The Motley Fool is wading into the outsourcing and privacy debate after the most recent CitiBank incident. The author's conclusion is that outsourcing is not the problem, but criminals are the problem.

How Dangerous Is Outsourcing? [Fool.com: Motley Fool Take] April 11, 2005:

"...Exaggerating the dangers of outsourcing and sending data abroad won't make our data any more secure. On the contrary, the facts of the Mphasis case suggest that in some cases, data may be safer once sent abroad. Reflect for a moment on how quickly the alleged criminals in Pune were caught. Consider for a second the fact that they were caught by the 'cybercrime unit' of the Pune police force. Ponder for a minute the fact that a place most of us have never even heard of before (really? 'Pune?') even has something called a 'cybercrime unit.' I know my hometown doesn't.

Then come to the correct conclusion: Outsourcing wasn't the problem here. The problem was criminals, plain and simple. And those can be found the world over."

The only thing I'd add is you want to make sure your customers' data goes somewhere that you can expect assistance in dealing with the issue. Like beautiful Nova Scotia, for example....

The Three Stages of Canadian Privacy Law

Michael Geist, in his most recent Law Bytes column, writes that he believes Canadian privacy law is soon to enter a third stage. Self-regulation (stage one) and weak enforcement (stage two) will give way to more aggressive enforcement, particularly after the Personal Information Protection and Electronic Documents Act comes up for review next year. There is no doubt that the enforcement of the law has been very low key up to this stage, leading to very uneven compliance and many businesses dismissing the necessity to become compliant with the law.

The Three Stages of Canadian Privacy Law:

"Canadian privacy law has developed in three stages. Stage one involved the adoption of a self-regulatory approach to privacy protection, as the Canadian Standards Association brought together industry, government, and public interest groups in the early 1990s to develop a non-binding code of privacy best practices based on international standards.

While CSA Model Code was initially hailed a self-regulatory success, within a few years it became apparent that few companies were willing to bind themselves to the Code’s principles.

With the growing interest in privacy protection, Ottawa moved to stage two by introducing the first national private sector privacy statute (PIPEDA) in 1998. That law, which took effect in 2001, directly incorporates the CSA Model Code into the legislation, supplemented by a series of enforcement provisions.

The result is a light regulation model that emphasizes mediation of privacy disputes. Administration rests with the Privacy Commissioner of Canada who issues “findings” that are not binding on the parties. Unlike some of her provincial counterparts, the Federal Commissioner does not currently enjoy order-making power. Rather, she must apply to the federal court, which is not bound by her findings, for enforcement. In addition to the statutory shortcomings, the Commissioner has been reluctant to engage in an aggressive application of the law, protecting the targets of privacy complaints by refusing to disclose their identity.

As Canada heads toward a review of the current law led by Industry Minister David Emerson, it is likely moving toward the third stage of privacy law that will be characterized by greater emphasis on transparency and aggressive enforcement.

Recent developments point to three potential reforms that illustrate this evolution. First, as frustration mounts over the Commissioner’s lack of order making power as well as the policy of shielding the targets of privacy complaints, the third stage of privacy law will feature growing pressure to address these issues through a statutory amendment. Although order making power might result in more contentious investigations and challenges to the Commissioner’s findings, it would also send a much-needed message about the importance attached to privacy protection in Canada.

Moreover, a commitment to disclosing the names of organizations that breach Canadian privacy law would create an important incentive for greater compliance. According to a recent, unreleased finding involving spam, the Commissioner reminded the target of the complaint that failure to abide by Canada’s privacy legislation created “a risk that its business reputation will be tarnished.” This statement will only become reality if the Commissioner begins to name names.

...

Third, the B.C. outsourcing case points to the need for increased statutory protections for personal information that may be secretly disclosed to foreign law enforcement authorities. Although the recent court case was a nominal victory for the outsourcing company, a careful examination of the decision reveals a dramatic change in the protections afforded to the personal information in question.

The B.C. judge affirmed the importance attached to privacy protection but allowed the outsourcing arrangements largely because of a series of significant new protections introduced by Maximus in response to the public outcry. These included a $35 million penalty for breach of confidentiality, extensive provisions to ensure that the data remained in the province, and a contractual term prohibiting disclosure of the data.

The Maximus case will set the benchmark for future outsourcing arrangements in Canada with similar safeguards likely to be introduced on a national level in the months ahead. If accompanied by order making power and greater transparency, it will go a long way to ushering a new age for Canada’s privacy law framework. The days of light regulation for Canadian privacy appear to be numbered."