Commissioner's Findings - Privacy Commissioner of Canada:
- PIPEDA Case summary #300: Company collecting consumer personal information without identifying purposes halts practice and implements privacy policies and practices - A consumer product company placed labels reading "Call this number before you use your new widget", which required the consumer to provide warranty registration information without telling the consumer why the info was being collected.
- PIPEDA Case summary #299: Thief cashes convenience cheque on cancelled credit card account - A bank cashed a stolen cheque on a cancelled credit card account and thus violated the accuracy and safeguards principles.
- PIPEDA Case summary #298: Store employee discloses customer telephone number to a third party - A pet store employee provided the phone number of a customer to a "long lost friend" who harassed the customer. The employee was fired and the company was found to have violated the consent principle. The Assistant Commissioner also noted that the store should not have told other employees and customers that the employee had been fired for the breach, even though employee information (in the provincially-regulated private sector) is not covered by PIPEDA.
Tuesday, May 31, 2005
In this case, a privacy incident may also be a national security incident. Computerworld is reporting that a laptop containing credit card info on 80,000 Department of Justice employees was stolen. The article says that the info was "password protected", which may or may not mean that it was encrypted.
The article does not say whether it has information on the travels of DOJ employees, which may also be a threat.
Laptop with credit card info for 80,000 DOJ workers stolen - Computerworld:
"MAY 31, 2005 (COMPUTERWORLD) - The FBI and Fairfax, Va., police are investigating the theft of a laptop containing the names and credit card numbers of about 80,000 U.S. Department of Justice workers.
Gina Talamona, a DOJ spokeswoman, said the laptop was stolen between May 7 and May 9 from the Fairfax, Va., headquarters of Omega World Travel, a travel agency used by the DOJ for its employees.
The computer did not contain employees' personal information, such as home addresses, office addresses or Social Security numbers, Talamona said. All the data was password-protected to prevent unauthorized access...."
David Canton (of eLegal Canton) has written a very good article on the CIBC faxing fiasco for the Canadian Privacy Law Review. He has posted it on his blog and it's well worth the read: CIBC Junkyard faxes.
Sunday, May 29, 2005
Yup. Better make darn sure your surplus computers are scrubbed of tax records, medical data and social security numbers. A hard lesson learned by the state of Montana:
Montana Leaves Private Info on Computers:
"The legislative audit, obtained Tuesday, blamed unclear state policy for the computer hard drives not being properly 'scrubbed' before the machines were donated to school districts, given to other state agencies or sold to the public.
'The state lacks a single clear policy instructing departments on information removal, assigning responsibility for defining sensitive data, and assigning responsibility for performing data removal and certifying the task has been accomplished,' the auditors said.
Janet Kelly, Department of Administration director, said in a written response that her agency immediately began crafting a more concise policy to ensure private information held by the government is not made public.
'The resulting language will require that all data must be irretrievably removed from the hard drive,' she said.
Jeff Brandt, acting chief information officer for the state, said Tuesday the new policy should be complete by mid-July. In the meantime, he said, a warning has gone out to all information technology officials throughout state government.
'We're telling folks to not make any assumptions about options for scrubbing disks,' he said. 'Err on the side of making darn sure they are scrubbed.'"
Thanks to beSpacific for the pointer to this article.
Does any of this sound familiar?
"Interestingly, many experts still believe that our current legal framework, if well enforced, is adequate to address violations of personal privacy. To my mind, the current legal framework is rendered ineffective because of the slow legal process and paltry punishments. It is only when there is adequate debate and discussion on privacy issues that the government will recognise the need for an effective legislative framework to protect individual privacy."
An American privacy activist is trying to get privacy protection for "public records" by making personal information about legislators readily available: A Matter Of Public Record. It might just work.
Thanks to beSpacific for the link.
The Lexis breach is one of this year's leading privacy stories. This past week, Wired News ran an interview of the suspects. While they say they did it for "bragging rights", how they got into the system makes this article a must-read: Wired News: Database Hackers Reveal Tactics.
The irony tag is appropriate for this posting.
According to Australian IT, Trend Micro, a security vendor, committed a significant security faux pas in the way it implemented a contest, exposing customers' personal information:
Australian IT - Offer exposes Trend Micro list (Chris Jenkins, MAY 30, 2005):
"SECURITY vendor Trend Micro has had an embarrassing privacy breach exposed, with subscribers to a promotional offer able to easily discover the addresses of other recipients.
The offer, which has now expired, was hosted by email and web services group Clever Bytes. It invited subscribers to update details for a security update email from Trend Micro, offering a digital camera and cinema tickets as prizes.
Once the user clicked on 'Confirm and Update your Details', they were taken to a new screen containing blank fields that allow them to update their information.
However, the email address field was automatically filled in, or 'pre-populated'.
To discover the email addresses of other subscribers, users simply had to change the URL, modifying the 'userID' number...."
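The flaw described in the article, where the `userID` in the URL is the only thing that selects whose address gets pre-populated, is shown below next to one way to bind each e-mailed link to its recipient. This is an added example, not code from the article, Trend Micro or Clever Bytes; the function names, the HMAC link token and the subscriber data are all hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: subscriber IDs and addresses are invented.
SUBSCRIBERS = {
    1001: "alice@example.test",
    1002: "bob@example.test",
    1003: "carol@example.test",
}

# Hypothetical server-side secret; never sent to the client.
LINK_KEY = secrets.token_bytes(32)


def prefill_by_id_only(user_id):
    """Flawed pattern from the article: the userID in the URL is the only
    thing that selects whose e-mail address is pre-populated."""
    return SUBSCRIBERS.get(user_id)


def make_link_token(user_id):
    """MAC over the userID, embedded in each subscriber's e-mailed link."""
    return hmac.new(LINK_KEY, str(user_id).encode(), hashlib.sha256).hexdigest()


def prefill_with_token(user_id, token):
    """Hardened lookup: pre-populate only if the token matches this userID."""
    if user_id not in SUBSCRIBERS or not isinstance(token, str):
        return None
    expected = make_link_token(user_id)
    # Constant-time comparison on bytes avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return None
    return SUBSCRIBERS[user_id]


def addresses_visible_to(link_user_id, lookup):
    """Regression check: which *other* subscribers' addresses does the holder
    of one legitimate link get back when only the userID is varied?"""
    token = make_link_token(link_user_id)
    leaked = {}
    for uid in SUBSCRIBERS:
        if uid == link_user_id:
            continue
        address = lookup(uid, token)
        if address is not None:
            leaked[uid] = address
    return leaked


def audit():
    """Run the same check against the flawed and the hardened handler."""
    flawed = addresses_visible_to(1001, lambda uid, _tok: prefill_by_id_only(uid))
    hardened = addresses_visible_to(1001, prefill_with_token)
    return flawed, hardened


if __name__ == "__main__":
    flawed, hardened = audit()
    print("flawed handler leaks:", sorted(flawed))
    print("hardened handler leaks:", sorted(hardened))
```

A check like `addresses_visible_to` belongs in the release tests for any page that pre-fills personal data from a URL parameter, so that a link issued to one subscriber is proven useless for every other record.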
The latest volume of the Archives of Internal Medicine is carrying the results of a study of the impact of the HIPAA privacy rule on health outcome research. This study is related to acute coronary syndrome, but its findings are probably relevant for all sorts of research that is based on post-treatment contact with the relevant patients.
Arch Intern Med -- Potential Impact of the HIPAA Privacy Rule on Data Collection in a Registry of Patients With Acute Coronary Syndrome, May 23, 2005, Armstrong et al. 165 (10): 1125:
"Background Implementation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule has the potential to affect data collection in outcomes research.
Methods To examine the extent to which data collection may be affected by the HIPAA Privacy Rule, we used a quasi-experimental pretest-posttest study design to assess participation rates with informed consent in 2 cohorts of patients eligible for the University of Michigan Acute Coronary Syndrome registry. The pre-HIPAA period included telephone interviews conducted at 6 months that sought verbal informed consent from patients. In the post-HIPAA period, informed consent forms were mailed to ask for permission to call to conduct a telephone interview. The primary outcome measure was the percentage of patients who provided consent. Incremental costs associated with the post-HIPAA period were also assessed.
Results The pre-HIPAA period included 1221 consecutive patients with acute coronary syndrome, and the post-HIPAA period included 967 patients. Consent for follow-up declined from 96.4% in the pre-HIPAA period to 34.0% in the post-HIPAA period (P<.01). In general, patients who returned written consent forms during the post-HIPAA period were older, were more likely to be married, and had lower mortality rates at 6 months. Incremental costs for complying with the HIPAA Privacy Rule were $8704.50 for the first year and $4558.50 annually thereafter.
Conclusions The HIPAA Privacy Rule significantly decreases the number of patients available for outcomes research and introduces selection bias in data collection for patient registries."
On May 13, 2005, the Information and Privacy Commissioner of Alberta released an investigation report under the province's Personal Information Protection Act related to overt video surveillance of a workplace. (The Alberta law covers information collected about employees in the provincially regulated private sector.)
The report says it's OK to use overt video surveillance for security and loss management, but not employee management. See the full report here: Report of an Investigation into Collection and Use of Personal Employee Information without Consent: Re R.J. Hoffman Holdings Ltd. (Investigation Report P2005-IR-004).
From KESQ in Palm Desert, California:
KESQ NewsChannel 3 Palm Springs, CA: State warning 21-thousand Medi-Cal recipients about identity theft:
"SACRAMENTO State health officials have begun notifying more than 21-thousand Medi-Cal recipients that they could become targets of identity theft because of the theft of a laptop computer.
The computer contained the names, Social Security numbers and health information about 21-thousand-600 Medi-Cal recipients. It was stolen from the trunk of a car belonging to an employee of a company that provides the state with data services.
State Sen. Jackie Speier (Spear) of Hillsborough says she will introduce legislation to require state agencies and their contractors to encrypt personal information on laptop computers so it can't be read by unauthorized persons."
Saturday, May 28, 2005
I just got back from a week in Sweden to find an overflowing inbox. One message was from Cappone D'Angelo of McCarthy's in Vancouver who has pointed me to the first order issued under the Personal Information Protection Act of BC. A media advisory is on the Commissioner's site, pointing to the 26-page decision.
The Commissioner considered a complaint brought against a retail franchisee who was requiring personal information (and ID in some cases) to process returns. The Commissioner found that the practice was reasonable to fight fraud, "necessary" as the term is used in the Act and permissible. The company was not allowed, however, to use this information for customer satisfaction surveys and is not allowed to retain it indefinitely.
Friday, May 27, 2005
IT Observer is running an article entitled the Seven Laws of Information Risk Management. All of the rules ring true, in my experience:
IT Observer - The Seven Laws of Information Risk Management:
"1. Your partners and employees will steal from you
You are ultimately responsible for how your employees and business partners access and use your data. Today's information theft debacles are the tip of the iceberg. As globalization and interconnectedness increases without proper vetting and security, employees, customers and trading partners can accidentally corrupt your data or cause regulatory compliance issues through misuse of the data. In the worst-case scenario, they can steal the confidential data and sell it. Information Risk Management technology continuously learns corporate, customer and partner user behavior patterns and alerts to changes in these patterns.
2. Bust up policy barriers
Security, auditing, regulatory affairs and privacy impact the entire organization and should not be kept in departmental silos. People, process and technology must be integrated. A crucial element is that the organization's security executive must have the authority and budget to develop, implement and enforce a holistic information security plan. The mindset of "implied trust" between systems, employees and trusted partners is no longer valid. Information Risk Management technology uses data governance frameworks to integrate business functions, control processes, employee education and cultural values.
3. It's all about privacy
You can't have privacy without security and you can't meet regulatory compliance without privacy. Security is a building block for privacy, which is a major component of regulatory initiatives. For example, CA1386, HIPAA and GLBA in the United States and the Japan Information Privacy Law are primarily about privacy. The fundamental weakness to such laws is they cannot protect your brand, sensitive data, business continuity or financial position against a breach. Implementing a comprehensive information risk management solution helps you achieve privacy and compliance through security.
4. Don't stop working
Effective Information Risk Management should not radically alter work or its flow. Examples are rife of organizations implementing draconian policies that substantially reduce productivity and impair customer service, while providing questionable security benefits. Securing information is fundamentally about protecting data integrity, confidentiality and availability at rest and as it moves through the organization and beyond to the value chain. As such, Information Risk Management must protect information "in context" of business processes, decisions and evolving conditions.
5. Don't spend foolishly
You must match the level of Information Risk Management investment directly to the level of risk. Business process owners should determine risk profiles of the organization's data. For instance, customer data has a much higher risk profile than a marketing brochure PDF. The resulting risk management portfolio is an essential guide to selecting the necessary technologies. The next step is evaluating the risk reduction on investment.
For each dollar invested, ascertain the quantitative and qualitative risk mitigated by the technology. Every organization has an optimal risk reduction on investment tipping point.
6. Be afraid - it will happen to you
Expect the unexpected by assigning responsibilities before a privacy breach occurs. Information theft only happening to the "other guy" is just a myth and the chance is greater than 50 percent that it has already happened at your organization. Access to customer demand forecasts, financial records and patents is very valuable, not just to your trusted partners, but also to thieves and harvesters. Protecting against abused authorized user privileges should top the list of priorities. Ernst & Young recently reported that 70% of all security breaches that involve losses of more than $100,000 are perpetrated internally.
7. No silver bullet
There is no single technology that will solve security problems or provide regulatory compliance! Proper planning of how people and processes should leverage technology and enforce business rules and security best practices is key to a successful Information Risk Management strategy. The right Information Risk Management solution should be judged on its vulnerability assessment, monitoring, auditing and deterrence functionality. Also important are global support for heterogeneous databases, compliance reporting and cost efficiency. Remember that Information Risk Management is a process that requires continuous monitoring, auditing and adjustment of how sensitive information is used - not just an initial risk assessment."
Businesses should pay particular attention to "It will happen to you" and then re-read the other six ...
I have been in Sweden for the last week, so sorry for the light blogging. I have a big backlog which I'll get to shortly ...
In the meantime, there's yet another incident at a US university for Stanford students and alumni to worry about:
Network intrusion prompts Stanford to warn of possible data theft - Computerworld:
"(COMPUTERWORLD) - Stanford University is notifying about 9,600 users of its Career Development Center of a network intrusion on May 11 that may have exposed their names, Social Security numbers and other personal information.
Notices of the attack are being sent through the U.S. Postal Service or e-mail to students and alumni who have used the Career Development Center since 1995 to help find jobs, said Debra Zumwalt, an attorney in the university's office of general counsel.
As part of its security policy, the school immediately notified the San Jose field office of the FBI, which is investigating the incident, Zumwalt said. The attacker has not yet been identified.
Stanford network administrators discovered the electronic intrusion through their regular monitoring of the system, Zumwalt said. The intruder apparently accessed the Career Development Center system on May 11, but it is not known if any of the names, Social Security numbers or other data was copied or accessed, she said. No credit card information for individuals was included in the records, she said. The names and credit card information for some companies that had registered as prospective employers were also in the database...."
Wednesday, May 25, 2005
The Sydney Morning Herald is reporting that Australian doctors are legally selling de-identified patient records to a company that will provide the data to pharmaceutical companies.
Australian doctors sell medical records - Breaking News - National - Breaking News:
"Australian doctors are legally selling confidential medical records to a marketing firm with links to the pharmaceutical industry. GPs are handing over their patients' drug records - with no names attached - and receiving as little as $150 or gift vouchers as payment, a Melbourne newspaper reported on Wednesday.
The federal Privacy Commissioner has approved the deal between doctors and the Cam Group, one of the world's largest pharmaceutical promotions companies, because the information was 'de-identified' and did not breach the Privacy Act, the Herald Sun said.
But, according to the paper, the commissioner warned the government last year that removing a patient's name and address did not guarantee anonymity.
The promotion company collects the data through software used by 16,000 Australian GPs, collates the information and sells it to drug companies.
So far about 200 GPs across Australia have signed up, the paper said.
The Australian Consumers Association complained to Privacy Commissioner about the deal last year, alleging it broke privacy laws and was a threat to the doctor-patient relationship."
It takes much more than removing names and addresses to make medical records anonymous. I recall a study from not long ago in which the owners of "de-identified" medical records were identified with +90% accuracy by matching against public sources.
The more important thing is that patients probably don't care about how anonymous it can be rendered or the finer points of data matching. If they hear that their information is being sold to pharma companies, they will likely lose trust in their physicians.
Computerworld is reporting that an MCI employee had her laptop stolen, which contained sensitive personal information related to a large number of employees:
MCI employee data stolen in laptop theft - Computerworld:
"... The missing data includes names and Social Security numbers stored on a laptop that was stolen last month from a car parked in the home garage of an MCI financial analyst, said Linda Laughlin, an MCI spokeswoman. The MCI employee, whom Laughlin declined to identify, was authorized to have the data on her laptop; she was using it to analyze financial trends for the company, Laughlin said...."
Tuesday, May 24, 2005
Thane Peterson at Business Week has a well-researched article on the privacy issues of "black boxes" that record various parameters about the cars in which they are installed. The article reviews the technology and how various states have responded with legislation. He also interviewed me for the story, asking about Canadian laws and my general views:
The Spy Under the Hood:
"... WHERE WILL IT STOP? What most worries privacy experts is the potential for abuse of black boxes as technology evolves. 'Once you start collecting information, there's always an impulse to collect more and more,' says David Fraser, head of the privacy practice at the law firm of McInnes Cooper in Canada, where privacy laws are stricter than in the U.S.
For instance, auto black boxes could easily be made far more elaborate by tying them into, say, in-car navigation or cell-phone systems. Indeed, long-haul trucking companies now routinely use sophisticated black boxes to monitor their drivers' driving habits in great detail.
Some insurance companies have run experiments in which they offer rate reductions to customers who agree to have their driving habits monitored by advanced black boxes -- leading to concerns the companies could structure rates to punish customers who don't agree to let their cars be monitored. California and New York have already passed laws prohibiting insurance companies from using black boxes in that way.
LEGAL 'HODGEPODGE.' Companies say they have no intention of making the boxes much more elaborate. 'We're sensitive to privacy concerns,' Snyder says, adding that 'it might lead to a huge reaction from privacy advocates and the general public.'
But Jeffress predicts that before long, the federal government will have to step in with a national data privacy law governing auto black boxes and other similar data-collection devices. 'Otherwise, we're just going to have a hodgepodge of state rules,' he says. And that won't serve the interests of either business or the public."
Monday, May 23, 2005
The Buffalo News is carrying an article on the need to reduce the use of the Social Security Number as a general personal identifier in light of its utility in identity theft: Buffalo News - I.D. theft aided by rampant use of Social Security numbers.
Further to my earlier posting, PIPEDA and Canadian Privacy Law: U.S. security files with Cdn data off-limits (and vice-versa), the Ottawa Citizen is reporting that the Federal Privacy Commissioner is on the case:
Ottawa Citizen - canada.com network:
"Canada's Privacy Commissioner has launched an examination of the cross-border flow of personal information hastened by the war on terror.
The commissioner's first-ever such audit will focus on information about Canadians that's being sent to United States security agencies via the Canadian Border Services Agency....
Privacy Commissioner Jennifer Stoddart said the audit will help Canadians understand where their personal information is going, how it is being used in the U.S. and what safeguards or limits are in place.
"It's a fairly modest incursion into this world," Ms. Stoddart said in describing the audit which is expected to be completed late this year.
Details are now being negotiated with officials from the border services agency.
Ms. Stoddart said the exercise will also help her to understand the extent of her office's statutory powers and what needs to be done to burnish them in future.
"I felt we had to attempt to do this," she said...."
Yet another security incident involving leaks of personal information from a university. This time, it is Purdue University:
Purdue University: Computer security incident:
"Purdue issues alert about illegal access of computers
Purdue University began alerting more than 11,000 current and former employees on May 20, 2005, that their Social Security numbers, names, and campus addresses may have been illegally accessed from at least one of four campus computer workstations.
Although there is no direct evidence that the information was stolen, the person or persons who gained access to the computers had the opportunity to access this information, and so precautions should be taken...."
Saturday, May 21, 2005
Michael Geist is the source for all information related to the recent CRIA file-sharing decision. If you want any information on the case, just go to www.michaelgeist.ca
About the privacy aspects of the decision, Michael provides a summary written by Pippa Lawson:
"While I don't doubt that CRIA might come to court with some reliable evidence this time, this decision makes it clear that privacy matters. How clear? Pippa Lawson, CIPPIC's Executive Director, has compiled the following roadmap:
1. Plaintiff must show that it has 'a bona fide claim' against the proposed defendant, 'i.e., that they really do intend to bring an action based on the information they obtain, and that there is no other improper purpose for seeking the identity of these persons'. (para.34)
2. 'There should be clear evidence to the effect that the information cannot be obtained from another source such as the operators of the named websites.' (para.35)
3. 'The public interest in disclosure must outweigh the legitimate privacy concerns of the person sought to be identified if a disclosure order is made' (para.36) and '... caution must be exercised by the courts in ordering such disclosure, to make sure that privacy rights are invaded in the most minimal way' (para.42):
a) the information on which a request for identification is made (e.g., IP address) must be timely; no undue delay between investigation and motion for disclosure (para.43)
b) plaintiffs must not collect more personal information than necessary for the purpose of their claim (para.44)
c) if a disclosure order is granted, specific directions should be given as to the type of information disclosed and the manner in which it can be used. In addition, the court should consider making a confidentiality order or identifying the defendant by initials only (para.45)
** If either (a) or (b) are not met, the court may refuse to make a disclosure order."
David Canton, one of Canada's leading legal bloggers with eLegal Canton, is a regular contributor to the London Free Press. In today's business section, he advises companies about the privacy issues of printing credit and debit card numbers on receipts:
London Free Press: Business Section - Don't print full card numbers on receipts:
"If they fall into the wrong hands, your debit or credit card numbers can be used to run up charges at your expense.
Businesses should not print debit or credit card numbers on receipts or other documents. Printing them increases the chances of misuse of credit and debit card numbers and is a violation of privacy obligations...."
For more on this topic, see:
Friday, May 20, 2005
Canadian and American security agencies are increasing their sharing of data about international passengers. The Canadian Press is pointing out that privacy laws on each side of the border make the data untouchable to those on the other side:
CANOE -- CNEWS - Canada: U.S. security files with Cdn data off-limits:
"... However, a Canadian barred from flying into the U.S. may not be able to contest the information held by the Americans. This is because Canadians, unlike American citizens, cannot use the U.S. Privacy Act to obtain personal files from Washington.
'Canadians do not have the right to challenge the data held by U.S. authorities,' says the privacy assessment.
Use of Canada's Privacy Act is also usually limited to citizens and residents of Canada...."
This is surely a sign that more and more companies are coming forward about security incidents: companies are reporting smaller incidents and the media are picking up on the stories. A Boston area bank is informing 750 customers that a former bank insider may have provided their information to a convicted felon with a history of fraud: Bank urges caution after possible security breach.
In my experience, librarians are among the most strident proponents of patron privacy. So it comes as a surprise to hear that a library in Chicago has paid a biometrics company forty thousand dollars to install fingerprint scanners for each of their public use internet terminals. For the full story, see: Chicago Tribune | Library card? Check. Fingerprint? Really?
Computerworld is reporting that the New Jersey bank security incident (See Incident: Massive bank security breach uncovered in N.J.), which was already being called the nation's largest, involves far more people than originally reported: Scope of bank data theft grows to 676,000 customers - Computerworld.
In February, I posted about the "hacking" of Paris Hilton's T-Mobile Sidekick (Paris Hilton's Sidekick gets hacked), exposing her personal information and photos. The Washington Post is running a story today about how the T-Mobile system was penetrated. Contrary to initial speculation, it was mostly good old fashioned "social engineering": Paris Hilton Hack Started With Old-Fashioned Con.
Thursday, May 19, 2005
The Canadian Federal Court of Appeal has released its decision in BMG Canada v. John Doe, 2005 FCA 193. The Court considered the balance to be struck when the recording industry goes after the identities of those it alleges are infringing copyright by seeking the personal information of otherwise anonymous internet users. The Court dismissed CRIA's appeal based on a lack of evidence.
Ian Kerr of the University of Ottawa Law School offers his comments at blog*on*nymity - blogging On the Identity Trail: FEDERAL COURT DISMISSES CRIA's APPEAL SEEKING DISCLOSURE OF THE IDENTITIES OF 29 PSEUDONYMOUS FILE SHARERS.
Data theft involving four banks could affect 500,000 customers - Computerworld:
"MAY 18, 2005 (COMPUTERWORLD) - Electronic account records for some 500,000 banking customers at four different banks were allegedly stolen and sold to collection agencies in a data theft case that has so far led to criminal charges against nine people, including seven former bank employees. Hackensack Police are continuing their investigation into the theft by a crime ring that apparently accessed the data illegally through the former bank employees."
Wednesday, May 18, 2005
I had hoped to be able to review and comment upon the Canadian Spam Task Force's report which just came out, but it has been a really crazy day. CIPPIC has some comments and some links:
CIPPIC News - CIPPIC:
"The Task Force appointed by the federal government to advise it on how to combat spam issued its report today. Among other things, the Task Force recommends new anti-spam legislation with meaningful penalties, new powers for consumers to sue spammers, more resources to government agencies tasked with fighting spam, industry self-regulation, and greater international cooperation to track down and stop those responsible for the floods of unwanted messages clogging Canadians' e-mail inboxes.
- Spam Task Force webpage
- CIPPIC News Release"
Newfoundland is discovering that moving public records online does have privacy effects to be considered. Both the Chief of Police and the Information and Privacy Commissioner of Newfoundland are concerned about what will happen when the Companies office and the Registry of Deeds make their info available via the internet:
Online registry hurts privacy: commission
"ST. JOHN'S — The executive director of the Privacy Commissioner's office does not like the amount of personal detail available on a provincial government website.
The provincial Registry of Companies and Deeds – which has always been accessible to the public – began offering its services online in January.
The government intends to make microfilmed records and other materials accessible online.
Sandy Hounsell, the executive director of the Office of the Information and Privacy Commissioner, says the ability to more easily search land transactions – which usually reveal the addresses of homeowners – puts the privacy of particular individuals at risk.
They include "women, for example, who have been abused and who have left abusive relationships, police officers, judges, jurors."
Joyce Hancock, president of the Provincial Advisory Council on the Status of Women, agrees there is a downside.
"Every step we made toward making everything technologically available must be tempered with, 'What are the risks out there?'" Hancock says.
"I think this is one where the risks outweigh the gains."
Tim Buckle, who heads the Royal Newfoundland Constabulary Association, says the electronic registry creates a hazard for officers who want their home addresses kept secret.
"Police officers, when they go home, like to leave the dark side of life at work and not have their families personally involved or under any kind of threat or risk or danger," Buckle says.
Hounsell says other jurisdictions, including Manitoba, limit how much information can be obtained through electronic searching.
Hounsell would like the Department of Government Services to consider such options as online registration and user fees.
Government is reviewing the suggestions."
Bob Francis at Infoworld has an interesting article on the lessons to be learned from the recent rash of incidents involving personal information: Security's weakest links | InfoWorld | Analysis | 2005-05-16 | By Bob Francis.
Encrypt your data, physically secure your information assets, shore up your password policies and limit your lifecycles and retention are his principal recommendations.
Tuesday, May 17, 2005
I blogged a little while ago about the numerous complaints received by the Saskatchewan Information and Privacy Commissioner after thousands of women were unexpectedly contacted by the provincial cancer agency about their cervixes. (See PIPEDA and Canadian Privacy Law: More than 100 women complain after cancer test info shared).
Since then, the Commissioner has released his report on the agency and its privacy practices. I haven't had a chance to wade through all of its 203 pages, so I'm relying on the info from the Medical Post (below). While it is lawful, the agency should make sure that women know all about it and it should follow an opt-out program. Who gets to tell the women and manage this opt-out? Physicians! Lucky them. I'm sure they don't have anything else to do....
MedicalPost.com: Sask. MDs: Prepare patients for Pap results:
"... Gary Dickson, provincial information and privacy commissioner, completed a two-year study on the Saskatchewan Cancer Agency's prevention program for cervical cancer (PPCC) after receiving more than 100 complaints and 700 items of correspondence from Saskatchewan women. Many of the complaints were that personal information was sent directly to patients from the cancer agency without their knowledge or consent—and that the program is compulsory. Many family physicians were also unaware of the process which began in summer 2003, while Saskatchewan's Health Information Protection Act was being created.
Dickson said the cancer agency had the right to collect and disseminate the information, but did not do so correctly because it did not offer an opt-out provision to patients as other provinces do. He made 23 recommendations including one that family physicians inform their female patients about the PPCC the first time a Pap specimen is taken and alert them that they will be receiving notification from the cancer agency in the future. He said health information act requires physicians to take "reasonable steps to inform the individual of the anticipated use and disclosure of the information by the trustee (the cancer agency)."
He also said "the College of Physicians and Surgeons should take appropriate steps to ensure that there is informational material available to all Saskatchewan women who attend at their physicians' office for a Pap test. This material should explain the PPCC and in particular the direct contact with women that is a feature of the PPCC."
Dr. Dennis Kendel, registrar of the college, told the Medical Post that he wasn't sure how the college will respond to the privacy commissioner's report. "It wouldn't immediately seem logical to us that we would be the agency responsible for that," he said. "We haven't yet had a chance at our council level to consider the report in detail and its implications."..."
The Electronic Privacy Information Center is being critical of the information that is collected by Washington DC transit authorities by means of a new SmarTrip card:
Cards let Metro collect data on riders, track trips - The Washington Times: Metropolitan - May 17, 2005:
"... According to documents obtained by EPIC through the Freedom of Information Act, the SmarTrip card can record a Metro passenger's time of arrival in the Metro system, the passenger's destination and the amount of time the passenger spends traveling from point to point.
It even records the gate through which a passenger leaves the station.
But transit officials say they have addressed the privacy issues with a policy expected to be passed by the Metro board at its monthly meeting Thursday.
According to the new policy, personal SmarTrip information may be released by Metro only in what are called 'limited instances' - the request must be made by the registered user of the SmarTrip card, there must be a court order, or the request must come from law enforcement when the information is required in the course of an investigation in which time is of the essence.
'Basically, it means nobody can get an individual's SmarTrip data,' said Lisa Farbstein, a Metro spokeswoman. 'The policy is being established as a way to regulate and safeguard individual data.'..."
Hmm. Doesn't really mean "nobody" can get an individual's data. And having a policy does not necessarily mean the info is protected.
Usually, the first rule of privacy is to only collect the information that is reasonably necessary for the service to be provided. The article does not say why having that sort of detail is reasonably necessary in the first place.
Monday, May 16, 2005
Yesterday, I posted about an incident involving Merlin Information Services (Incident: Another data aggregator provides personal information to impostors). Adam Shostack at Emergent Chaos picked up on the posting and wrote about it on his blog (Emergent Chaos: Merlin Information Systems, 9,000, Lying customers). He also points to the Press Room of Merlin Information Services, which is an interesting read. The company appears to be very open about the incident and is offering each affected consumer one year of credit watching services and $50,000 of identity theft insurance. Of course, they are strengthening their customer verification process to prevent people from fraudulently opening accounts with them, though it's closing the barn door a tad too late.
While nobody would want to be one of the 9,000 affected people, the company's response may be the best that one can expect.
Over at the Gripe Line Weblog, Ed Foster has a few choice words to say about the new privacy notice that he received from Orbitz. He's not pleased that only Californians have a right to know what info the company has about them, thanks to that state's more stringent privacy laws. Anyone living in any other state in the union gets to go pound sand, I guess. Also, he's not happy that they get to provide all his personal information to anybody they darn well please, for any other purpose:
The Gripe Line Weblog by Ed Foster
"We may also disclose your information to our affiliates and non-affiliated business partners for their use both on our behalf and for their own business purposes. For example, our affiliates and business partners may use such information to send you information about their products, services, other information, and materials that may be of interest to you."
The San Francisco Chronicle is citing the "ChoicePoint Effect", which means that more companies are willing to fess up when something goes awry with personal information. The article suggests that we aren't seeing more data incidents, we're just hearing about them more often.
I'm not entirely sure this is the case. I have a feeling that the number of incidents has increased and we are hearing about it more often. ID theft is being perpetrated more and more often in recent years and I think that more criminals are seeking out personal information than they did before. A mugger would take your wallet and use your cards until you reported them stolen. Now, using the same stuff that's in your wallet, they're opening accounts in your name and committing a different species of crime. When personal information can be acquired in bulk, whether from dumpster diving or impersonating legitimate businesses, the sheer number of threats faced has to have increased and the number of incidents along with it.
The Chronicle article is here: Security breaches not on rise / Privacy watchdogs say incidents are being disclosed more often.
This morning, Rob Hyndman (robhyndman.com - Phishing With Stolen Data) pointed me to an article about a new, more sneaky and sophisticated kind of phishing attack. According to CNet:
New phishing attack uses real ID hooks | CNET News.com:
"Workers at hosted security services company Cyota are sharing the details of this more sophisticated form of phishing threat, which forsakes the mass-targeting approach traditionally used in the fraud schemes in favor of taking aim at individual consumers. The security company would not disclose the names of the banks involved in the attacks, but said that its list includes some of the largest financial-services companies in the nation.
According to Cyota, the phishing e-mails arrive at bank customers' in-boxes featuring accurate account information, including the customer's name, e-mail address and full account number. The messages are crafted to appear as if they have been sent by the banks in order to verify other account information, such as an ATM personal-identification number or a credit card CVD code, a series of digits printed on the back of most cards as an extra form of identification...."
Sunday, May 15, 2005
The New York Daily News is running an overview of the growing crime of "identity theft." Not too much is news, but it does provide a good summary of how it happens and what sort of effect it can have on those whose information is compromised. Some stats:
New York Daily News - Home - I want my name back!:
"BOOMING BIZ IN CRIME
- Annual ID theft cost: $48 billion
- Number of U.S. victims per year: 9.9 million
- Number of New York state ID theft complaints in 2003: 663,300
- Average thieves' profit setting up new accounts in a victim's name: $10,200
- Number of new accounts set up in the last year: 3.23 million
- Average thieves' profit using existing credit cards: $2,100
- Average time thieves use victims' ID: 3.2 months
- Average out-of-pocket expense per victim: $500
- Average loss to businesses per victim: $4,800
Identities reported compromised by hackers or other unauthorized use of data banks in recent weeks:
- LexisNexis/Seisint: 310,000 people
- DSW Shoe Warehouse: 1.4 million customers
- ChoicePoint Inc.: 145,000 people
- Polo Ralph Lauren: 180,000+ customers"
In an incident similar to the one that dragged ChoicePoint into the limelight, Merlin Information Systems has begun to notify nine thousand people that their personal information (name, address, SSN) was obtained by someone who used fraudulent credentials to get access to the Merlin system. See Thief nets personal information from Kalispell company.
Saturday, May 14, 2005
The Office of the Privacy Commissioner is once again investigating the Canadian Imperial Bank of Commerce. This time, the bank is alleged to have given a customer detailed account information about over 100 other bank customers. Bank springs another privacy leak: CIBC hands client details of other customers' accounts. The person who received the information complained to the Commissioner, but I haven't heard whether the 100+ others have been advised of the breach.
Friday, May 13, 2005
Regular readers of this blog will know that employees are one of the most common causes of personal information "leaks". In some cases, the leak is accidental but all too often personal information is taken by an insider for malevolent purposes. The Chicago Sun-Times is reporting the arrest and charge of eleven people who were allegedly involved in lifting sensitive personal information from medical files to commit fraud. The worst part of the story is that it was an inside job, involving an administrative employee of a physicians' group and a receptionist from another. See: 11 charged with ID theft from doctors' offices.
The most recent edition of the Canadian Bar Association's The National Magazine is running an article on Canadian legal bloggers. The article features interviews with the authors of this blog, and the fantastic blogs of Rob Hyndman, Michael Fitzgibbon ("Thoughts from a Management Lawyer") and Sander Gelsing ("Now Why Didn't I Think of That?").
Blogging the spotlight:
"They’re transforming the delivery of news and putting mass media outlets on the run. They’re changing the rules of publishing to favour the sole practitioner over the big corporation. They’re blogs, and they have the potential to reshape how lawyers communicate with clients and with each other."
Thursday, May 12, 2005
Findlaw's most recent Modern Practice column is about the risks of data aggregators. Bob Barr's conclusion: Accept, but regulate, data aggregators: See FindLaw's Modern Practice. (Via Privacy Digest.)
Wednesday, May 11, 2005
Consumers Union is calling upon Congress to deal with the issue of identity theft. They issued the following release on Monday, May 9:
CU calls on Congress to enact strong identity theft safeguards:
"Consumers Union outlines reforms needed to protect consumers from identity theft
Senate Energy & Commerce Committee takes up ID theft at May 10 hearing; Subcommittee of House Energy & Commerce Committee follows on May 11
WASHINGTON, D.C. – In light of the recent rash of identity theft scandals, Consumers Union called on Congress today to enact new safeguards to help reduce the risk of such fraud, require companies to notify consumers when their personal information has been compromised, and provide new rights to help victims limit the damage of this fast growing form of financial crime.
“We’ve been reminded again and again this year how lax security by information brokers, financial institutions, and other companies has left consumers vulnerable to having their personal information fall into the hands of identity thieves,” said Susanna Montezemolo, Policy Analyst with Consumers Union’s Washington, D.C. office. “These companies should be held accountable for keeping sensitive consumer data safe and required to notify all Americans when their identities are placed at risk by a breach in security.”
In letters submitted to members of the Senate and House Energy & Commerce Committees, Consumers Union called on Congress to enact a series of reforms, including safeguards that:
- Reduce the risk of identity theft: Congress must impose strong requirements on information brokers to protect the data they hold and to screen and monitor the persons to whom they make that information available. Creditors should be required to take additional steps to verify the identity of an applicant when there is a sign of ID theft. And Congress should restrict the sale, sharing, display, and secondary use of Social Security numbers.
- Require notice of breaches of sensitive information: Congress must impose requirements on businesses, nonprofits, and government entities to notify consumers when an unauthorized person has gained access to sensitive information pertaining to them. Consumers need prompt and proper notice, including information on what kind of data has been stolen.
- Ensure that victims have rights: Congress should strengthen the Fair and Accurate Credit Transactions Act (FACTA) to provide greater protections for consumers at risk of identity theft and those who have already become victims. FACTA can be made more effective by extending the initial fraud alert period from 90 days to one year, automatically sending consumers with a fraud alert a free credit report, and giving consumers who receive a notice of a security breach the right to an extended fraud alert.
Consumers Union also called on Congress to authorize federal, state, local, and private enforcement and provide funding for law enforcement to pursue multi-jurisdictional crimes promptly and effectively. The group emphasized that victims also need tools to fix the problem once the breach occurs – such as making sure there is a clear process for preventing identity theft and repairing credit once a breach occurs, providing for free credit monitoring, and covering the costs of fixing the problem.
“Currently, when a company improperly breaches a consumer’s sensitive information, the onus is on that consumer – the victim – to fix the problem,” said Montezemolo. “If a company has put a consumer at risk of having their identity stolen, it should be obligated to help clean up any mess it created because of lax security practices.”"
Wired News, via PrivacySpot, is reporting that Monster.Com has cautioned its members that some job postings may be a scam to collect personal information from unsuspecting job-seekers: Monster.com's Warning | PrivacySpot.com - Privacy Law and Data Protection.
Yesterday, I wrote about a news report from Nashville about a reporter going dumpster diving for personal information (PIPEDA and Canadian Privacy Law: Dumpster diving could lead to quick-and-dirty identity theft). Today, a report from the Belleville News-Democrat in which their reporters did the same and came up with a load of information from an Illinois state office:
Belleville News-Democrat | 05/09/2005 | Trash bins yield personal data (4/24/2005):
"For 23 job applicants who gave state employment officials in Belleville detailed personal information for work profiles, their only safeguard against identity theft was a plastic trash bag.
But in less than 30 seconds, a reporter last week stopped his car outside the Illinois Department of Employment Security office at 4519 W. Main St., yanked a bag from an open trash bin, tossed it into the back seat and took off.
Instead of containing shredded documents, according to routine state disposal policy, the trash bag held more than 100 records just a few months old listing clients' names, addresses, birth dates, home telephone numbers and Social Security numbers. Besides the 23 applicants who completed the work profiles, there were forms and reports for an additional 41 metro-east residents with similar personal information that could be used by identity thieves to obtain credit cards or checking accounts, commit financial fraud and leave the residents dealing with credit problems for years to come...."
A correspondent from the west coast sent me this link.
Janice Mucalov, a contributing writer to the North Shore News (North and West Vancouver, BC) has written an article on the forms of waivers that are routinely sought by insurance companies following an accident. (ICBC is the Insurance Corporation of British Columbia.) In my experience, these forms are often way too broad and give carte blanche to insurance companies and lawyers to delve into irrelevant facts. That said, I have also seen cases where matters of medical history that plaintiffs' lawyers say are irrelevant are actually evidence of pre-existing conditions. It's a difficult line to draw.
ICBC can discover too much information:
"IT'S an innocuous-looking form. But what damage it can cause.
The problem is ICBC's "Authorization to Provide Medical Information." If you're injured in a car accident, ICBC routinely asks you to sign this form. It authorizes your doctor, chiropractor, physiotherapist and others who have treated you to provide ICBC with copies of your medical records. Assuming responsibility for the accident isn't an issue, ICBC uses these medical records to come to an assessment of your injuries and determine the amount to offer you by way of a settlement.
So far, so good. The form even says that while it authorizes release of your medical history and physical condition both before and after the accident, "regardless of lapsed time," the information should relate in some way to the injuries received.
In practice, however, ICBC often gets hold of some very personal medical information that has nothing to do with the accident, causing claimants a lot of grief.
In one case, the claimant (let's call her "Janet X") suffered a simple whiplash as a result of a car accident. She wasn't making any claim for psychological injuries caused or aggravated by the accident. In the course of her dealings with ICBC, she signed the release form. She then hired a lawyer, who asked ICBC to send over copies of all Janet X's medical records that ICBC had obtained.
When the lawyer reviewed the records, he discovered ICBC had reams and reams of information about Janet X's lengthy five-year history of depression from before the accident. Needless to say, Janet X was extremely upset about ICBC having access to information which she rightly believed was none of its business.
The fact is, if you have been treated for ovarian or prostate cancer or been prescribed Prozac for depression or Viagra for erectile dysfunction, there's no reason for ICBC to see this information if it isn't relevant to your legal case. The adjuster, the supervisor, the ICBC unit manager and perhaps others within ICBC all have access to this information. Adjusters also change, so there's a good chance that at least two adjusters will look at your file, in addition to the supervisors up the chain. This is personal information. Do you really want ICBC knowing this about you?
One difficulty is that, in most cases, doctors and medical practitioners don't screen your medical records before sending them off to ICBC, so ICBC gets everything from years and years before the accident.
But ICBC is also interested in reviewing your past medical history from way back to see if you've made previous complaints similar to the complaints arising out of the accident. If you've complained of back pain before, the argument can be made that the back pain you've been experiencing since the accident wasn't caused by the accident, but is an old problem for which you shouldn't be compensated.
A lawyer will block out all personal and private information that's irrelevant to your claim and only give ICBC the relevant medical information. If you're concerned about the privacy of your medical records, consult a lawyer before you sign any documents or releases in a personal injury claim."
Tuesday, May 10, 2005
Bob Evans, in an article in Database Pipeline, has some strong words on privacy. In his words, businesses will be getting what they deserve if Congress decides to throw a 1200 page privacy law at them. An extract:
Protecting Customer Data Is Good Business:
"... Speaking of arcane: In that last sentence, I refer to 'customer-data security breaches,' which is an inside-baseball term if ever there were one. Maybe, to help us focus more clearly on the full implications of these 'breaches,' we should drop that IT-industry descriptor and adopt a customer-oriented term: privacy disasters. Or broken privacy promises. Or massive privacy violations. Privacy lawsuits ... negligence and malfeasance ... reckless disregard for privacy ... failure to comply with Generally Accepted Privacy Principles ... privacy litigation ... privacy crimes. Is it a big stretch from there to jail time?..."
It is probably no surprise to regular readers of PIPEDA and Canadian Privacy Law that businesses routinely throw out sensitive personal information that can be used by identity thieves and conventional fraudsters. WKRN in Nashville recently sent a reporter rummaging through local dumpsters and came up with a trove of personal information, including credit reports and other goodies. Just to make sure, the reporter interviewed a convicted identity thief from prison who said she could really go to town with the found info. A text and video report are available from the WKRN site: Dumpster diving could lead to quick-and-dirty identity theft.
The Anti-Terrorism Act is up for review and a number of interested parties are making submissions to Parliament for its overhaul. The Office of the Privacy Commissioner has issued a press release (below) outlining its suggestions for reform:
Contained surveillance and increased oversight needed in Anti-terrorism Act to protect against loss of privacy rights:
"OTTAWA, May 9 - Greater accountability, transparency and oversight of agencies involved in national security is needed to curtail the cumulative impact of the Anti-terrorism Act on the privacy rights of Canadians, according to the Privacy Commissioner of Canada, Jennifer Stoddart. The Commissioner today urged a Senate Special Committee to critically examine the appropriateness and effectiveness of the extraordinary powers granted under the Anti-terrorism Act and the associated loss of established privacy rights.
"No one denies the reality of the threat that the Act was intended to address, but we must ask ourselves whether what the Act gains us in security justifies the sacrifice of our privacy and other rights enshrined in our democracy," said Ms. Stoddart.
In a submission to the Committee, the Commissioner called for the Government of Canada to carefully examine the continued need for the Anti-terrorism Act and to conduct an empirical assessment of the proportionality of the measures adopted in the interests of anti-terrorism.
"Canadians are increasingly aware of their privacy rights and expect a reasonable and balanced approach to a national strategy to combat terrorism with greater accountability, transparency and oversight. The absence of serious evidence of the effectiveness of the extraordinary broad powers under the Anti-terrorism Act need to be questioned so security threats do not end up abolishing the very freedoms and democracy we claim to be defending," said Ms. Stoddart.
The Commissioner tabled a series of recommendations to strike the right balance between achieving national security objectives without unnecessarily encroaching on privacy rights including:
- contained surveillance and increased oversight to include greater judicial oversight over activities of law enforcement and intelligence agencies;
- greater transparency and openness to balance disclosure and national security interests;
- creation of a security-cleared special advocate position to challenge arguments that information should not be disclosed to the affected party or before the judge;
- continued review of the Anti-terrorism Act and the Public Safety Act;
- development of a privacy management framework including a thorough review of outsourcing of personal information and the development of contractual clauses to mitigate against privacy risks;
- strengthened reporting requirements to Parliament on a periodic basis to describe anti-terrorism programs and the effectiveness of measures to detect, stop or deter terrorist acts;
- support for a National Security Committee of Parliamentarians but a recommendation that the Committee address, as part of its mandate, the need to reconcile privacy protection with national security requirements; and
- a long overdue reform of the Privacy Act to examine its adequacy in protecting personal information collected, processed and shared by the Canadian government.
According to the Commissioner, the security and protection of privacy rights need not be seen as a trade-off, where one is sacrificed in the interest of the other. Both can be achieved with well-designed law, prudent policy and effective but not excessive oversight.
The Office of the Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of the privacy and protection of personal information rights of Canadians.
For more information, click on the following links:
- Opening Statement by the Privacy Commissioner of Canada on the Anti-terrorism Act
- Position Statement by the Office of the Privacy Commissioner of Canada on the Anti-terrorism Act
For further information:
Renée Couturier, Acting Director, Public Education and Communications,
Office of the Privacy Commissioner of Canada,
(613) 995-0103"
Monday, May 09, 2005
The Denver Channel is reporting that a Colorado woman is suing a large electronics retailer for selling a floor model computer onto which staff had copied loads of her personal information: TheDenverChannel.com - News - Store's Floor Model Computer Loaded With Woman's Personal Info. The retailer is arguing that it owes the woman no duty of care.
This reminded me of a complaint made to the Canadian Privacy Commissioner about a defective computer that was returned, refurbished and resold, complete with the original purchaser's personal information.
Bruce Schneier is a consistently good source of information on privacy and security. Today, he has posted a summary of the issues related to the proposed American REAL ID Act. This law imposes a uniform standard on states' drivers licenses, which some may object to as being outside of the federal government's jurisdiction, a thinly-veiled anti-immigrant measure and the first step toward a national ID card: Schneier on Security: REAL ID.
A bill working its way through the North Carolina legislature would outlaw the use of social security numbers as student identifiers at NC universities: Privacy worries spark legislation. A large number of universities have already made this change without legislation being required.
Sunday, May 08, 2005
Today is the 60th anniversary of VE-Day and I've decided to write something that has nothing to do with privacy. This may appear to be bragging, but Canadians have a lot to brag about on this VE-Day anniversary. I just have a special memento of the occasion.
May 8 has a special meaning in my family. My grandfather, William L. Roberts, was one of 1.1 million Canadians who served in the Second World War. He was with the Seaforth Highlanders of Canada and fought in Italy and then joined the rest of the Canadians who were fighting the last German resistance in Holland. Sixty years ago today, on May 8, 1945 his unit arrived in Amsterdam and began assembling in a park. A Bren Gun Carrier was missing from their group, so he took a motorcycle to go and find them. While looking through the town, he picked up a few hitchhikers and, unknown to him, someone took this incredible picture.
The picture was eventually sent to the Seaforth Armoury in Vancouver, where he was recognized and the picture was sent to him. We also found out that the picture has been used in a number of Dutch textbooks to illustrate the euphoria of the liberation. It has been a great piece of family history, but the story doesn't end there....
For the millennium, in 1999, the Dutch postal service did a poll of the Dutch people to find out the most important events of the twentieth century. Not surprisingly, the liberation was at the top of the list. The postal service selected my grandfather's photo to symbolize that amazing day. We found out when my cousins, travelling in Europe for the summer, saw the stamp on a huge poster in Amsterdam.
In 1999, when the stamp came out, my cousin Peter McLean put together a webpage about the photo, the stamp and some of the media coverage that the stamp garnered: W.L. ROBERTS: Home Page.
I've also found some other mentions around the web: goDutch.com :: WWII veteran honoured as poster boy on Dutch stamp, goDutch.com :: Canadian veteran depicted on Dutch stamp dies at age 88.
May 8 is a pretty important day.
Saturday, May 07, 2005
David E. Gumpert, in Business Week Online, recounts his experience with LexisNexis after his personal information was compromised (unrelated to the massive breach otherwise reported on). After the company repeatedly trivialized the incident, he offers some suggestions to companies who are dealing with issues like this:
How to Plug an Info Leak:
"... HONESTY COUNTS. Because so many small businesses conduct transactions online, they have a lot to lose if the concern becomes so great that Americans demand legislative or legal action. Europe has already enacted strict laws about the handling of personal data, and that could be where the U.S. is heading.
Second, small businesses need to be honest and forthright with their customers when security breaches occur. Most people appreciate the fact that computer glitches occur -- but become uncomfortable when companies try to minimize what is happening, as LexisNexis appeared to do.
Thanks to e-mail, informing customers about problems is invariably easier and less expensive in the online world than, say, getting the word out to consumers who have purchased potentially unsafe food from a grocery. Since trust is such a delicate matter in any event, why shouldn't small businesses do what they can to improve trust rather than destroy it?
Finally, I would suggest that within such seemingly embarrassing problems are the seeds of opportunity. Giving customers the real story suggests an openness that often makes them want to do business with you. Had LexisNexis followed up, letting me know that the problem was bigger than originally anticipated and providing me with complimentary searches as some other customers reportedly received, I would have come away with a much more forgiving attitude. In business, how you handle a messy incident can leave a more lasting impression than the incident itself."
In this day and age, these sorts of issues are the most important for an online business. All you have is your reputation and the trust of your customers. Don't apologize for any "unnecessary concern this incident may have caused" your customer. That's simply not going to reassure them and will likely make them mad. If a sensible customer is concerned, take it seriously. If you messed up, fix it and apologize. Most of the time, that'll do the trick. Covering it up, minimising the issue, "spinning it" or getting defensive will do the opposite. (For more on how to deal with incidents like this, see PIPEDA and Canadian Privacy Law: Two magic words, big effects ....)
Thanks to Techdirt for the link.
According to the Kansas City Star, Texas authorities have mailed six hundred or so driver's licenses to the wrong people:
KRT Wire 04/26/2005 Hundreds of Texas driver's licenses mailed to wrong people:
"FORT WORTH, Texas - (KRT) - Talk about an identity crisis.
An agency that warns Texans not to share personal information with strangers because of the risks of identity theft mistakenly mailed hundreds of driver's licenses to the wrong people.
The Texas Department of Public Safety blamed the mix-up on a malfunctioning machine that was recently installed to sort licenses for mailing.
'We're very concerned about it, and we're working to make sure this never happens again,' DPS spokeswoman Tela Mange said Tuesday...."
This reminds me of the printing equipment error that led to benefits cheques being sent out with the stub from the next person's cheque. See PIPEDA and Canadian Privacy Law: Another privacy breach to round out the week, from December 2004.
Over at TechDirt, Brett is asking whether mandatory notification of security breaches will lead to an unrelenting bombardment of notices upon unsuspecting consumers, rendering them numb. Many, I think, will throw out the notices but anybody who gets more than a few of these will probably cross the line from apathy to concern, demanding some action and accountability.
Techdirt: When Is Security-Breach Disclosure Too Much Disclosure?:
"Contributed by Brett on Thursday, May 5th, 2005 @ 02:09PM from the what-do-we-do-now? dept.
As Congress considers legislation requiring disclosure of data security breaches, some lawmakers are grappling with an issue that we've already been wondering about. How can you craft a law that forces companies to come clean on security breaches while not bombarding customers with too many notices? Notification is good -- it keeps customers informed and companies accountable. But the risk is that the more frequent the notices, the more likely people will start tuning them out. It'll be interesting to see what sort of balance a national law strikes. Perhaps each notice should come with a rating, in which an independent or law enforcement group assigns a risk level to the breach. Along with that, customers can be told what (if any) action they should take to deal with the situation, though this would probably involve giving customers more control over their information and how it's used -- and that would only make the political wrangling even worse."
I do agree with the poster that notices should also disclose the relative risk of the breach, since most consumers are probably ill-prepared to figure out the risk without assistance.
Friday, May 06, 2005
Thanks to Bruce Schneier (Schneier on Security: Lessons of the ChoicePoint Theft) for the pointer to this very interesting essay from CSO (Chief Security Officer) magazine about the ChoicePoint and related privacy incidents: The Five Most Shocking Things About the ChoicePoint Debacle - CSO Magazine - May 2005.
Thursday, May 05, 2005
The Onion, which rivals The Daily Show as the leading source of fake news in America, has a fake story about identity theft and President Bush:
The Onion | Arizona Man Steals Bush's Identity, Vetoes Bill, Meets With Mexican President:
"WASHINGTON, DC - Confusion and disbelief reigned at the White House after President Bush announced Monday that an Arizona man, known to authorities only as H4xX0r1337, stole his identity and used it to buy electronic goods, veto a bill, and meet with Mexican President Vicente Fox.
Above: Bush examines his credit-card statements.
'This is incredibly frustrating,' Bush told reporters Tuesday. 'Not only does this guy have my credit-card information, he has my Social Security number, all my personal information, and the launch codes for a number of ballistic intercontinental nuclear missiles. I almost don't want to think about it.'
'I feel so violated,' Bush added...."
Oh, did I mention it's fake (but somewhat funny)?
According to the Winnipeg Sun, the province of Manitoba is contemplating a law that would make it mandatory for computer technicians to report suspected child pornography on computers they are servicing. The article, Winnipeg Sun: NEWS - Tech repair official kid porn watchdog?, refers to a successful conviction made as a result of a technician who reported a very suspiciously named file.
The Office of the Privacy Commissioner has released three new summaries of findings under PIPEDA, located here.
Though the findings are coming out in dribs and drabs, recently posted ones are addressing some issues not previously touched upon.
I'd also note that finding #297 relates to Michael Geist's complaint, which I blogged about in December of last year: PIPEDA and Canadian Privacy Law: Privacy Commissioner issues first spam decision under the Personal Information Protection and Electronic Documents Act (PIPEDA).
You meet some great people through blogging. Gerry Riskin, who has a new blog called Amazing Firms, Amazing Practices, sent me a link to this article in the Opinion Journal.
I find people's attitudes about privacy to be very interesting. There really is a full spectrum and many people feel compelled to share just a little too much with total strangers.
OpinionJournal - Peggy Noonan:
"I was at a wedding, standing just off the dance floor, when a pleasant young man in his 20s approached, introduced himself and asked where I'd had my hair done. I shook his offered hand and began to answer, but before I could he said, 'I'm gay, by the way.' I nodded as if this were my business, but thought: I wonder why a total stranger thinks I want to know what he wishes to do with his genitals? What an odd way to say hello.
We live in a time in which people routinely violate their own privacy.
I don't think the young man lacked a sense of privacy. I suspect if I'd said, 'Tell me your annual salary,' he would have bridled. That's personal...."
I tend to agree with the commentator. It's not really that there is no sense of privacy any more, it is just that the line between public and private has been shifting. And people will happily share information with a stranger that they wouldn't give to a marketing company (unless they got some loyalty points for it!). Privacy these days -- for many -- is about the threat of being profiled by big business and having your identity stolen. The risks of sharing personal information have significantly changed in the last little while, and a stranger at a wedding isn't the threat.
Just last week, I was having a conversation with my pharmacist at the counter. The other people in line kept a respectful distance. Within a minute, some guy just walked up and stood right next to me. He was clearly able to hear everything I was discussing with my pharmacist. It was unnerving. "This guy has no sense of privacy," I thought. As soon as there was a pause in the conversation, the guy broke in and asked the pharmacist where he'd be able to find a particular brand of suppositories. Yup. No sense of privacy at all.
InformationWeek > Customer Data Security > Execs Testify In Favor Of National Data-Security Law > May 4, 2005:
"Executives from companies stung by losses or theft of customer information vowed Wednesday to do more to safeguard sensitive information and backed a federal law to require disclosure if customer data is compromised.
In prepared testimony for a hearing by the House Committee on Financial Services, executives from Bank of America, ChoicePoint, and LexisNexis supported legislation patterned after California's law requiring companies to notify customers about security breaches...."
Wednesday, May 04, 2005
I guess it's lists week. Earlier I pointed to an article about the seven tricks used by ID thieves (Seven techniques used by ID thieves). Now, CNN/Money has an article on the five things employees can do to protect their personal information:
5 Tips: Identity exposed - May. 4, 2005:
"NEW YORK (CNN/Money) - We've reported to you about security breaches at ChoicePoint, Boston College, and LexisNexis. Now, the latest case of missing personal data turns out to be closer to home.
Time Warner, parent company of CNN/Money and CNN, announced Monday that 40 computer backup tapes containing the names and social security numbers of more than 600,000 current and former employees -- plus their dependents -- were lost.
Here are five tips on what you need to know about your employer and your personal information.
1. Employers hold the key.
Your social security number is the key to your credit. With that nine-digit number and your name, an identity thief can get access to your credit history, open credit cards in your name, even take out a mortgage posing as you.
2. Snoop around.
No kidding: your name and social security number could be on a checklist about the company picnic taped to the wall in the HR office. Maybe your HR department is a little more discreet. But do you know where your information is?
Take a cruise through the office. Do the timesheets in the open employee mailroom have names and social security numbers already printed on them? Are the file cabinets containing employee profiles unlocked? Does your ID card or health card have your SSN plastered on it?
3. Have a fit.
If your employer is guilty of being too casual with your personal information, go ahead, tell them they're wrong. Go tell your HR department you're concerned about the security of employee data.
4. Watch your back.
It's up to you to do what you can to protect yourself. The unfortunate thing is that most people don't.
5. Keep an eagle eye.
Worse, your employer is not the only one out there with access to your personal information. Your doctor, dentist, and utility provider might have your social security number because, well, they asked for it.
Don't be afraid to tell them "no" next time unless it's necessary. And when you give it up, ask them how seriously they take your security.
Tuesday, May 03, 2005
The Pittsburgh Channel (via Yahoo! News) is running an article entitled "The 7 Forms Of ID Theft". It highlights, in a summary way, the principal ways that identity thieves get their hands on personal information:
"1. Stealing company data with your personal information.
3. Dumpster diving.
4. Outgoing mail theft.
5. Account takeover.
7. Raiding your old computer."
Embattled ChoicePoint is continuing its long history of acquisitions, this time by buying EzGov and Magnify. See the press releases: ChoicePoint(R) Adds to Government Services; Expands by Acquiring EzGov Operations in the Americas, Caribbean and ChoicePoint(R) Acquires Magnify, Expanding Fraud Detection and Analytics Services.
Monday, May 02, 2005
Computerworld is a fecund source of privacy commentary. This week, C.J. Kelley thinks about the costs and potential liabilities of privacy regulation. The author includes the following scenario to illustrate the potential impact of a privacy breach upon an individual:
The Cost of Securing the People's Privacy - Computerworld:
"... Here's a nightmare scenario: Two years later, you are buying a home. You have already sold your old house and moved into temporary housing, since you have every reason to believe that the purchase of the new home will go through without a hitch. In the middle of the back-and-forth with the loan officer over interest rates, he calls and tells you that your loan has been turned down because of an overwhelming number of extremely negative items on your credit report. You're stunned. You may not have perfect credit, but it certainly qualifies for the best interest rates. The loan officer provides copies of your credit report to you, and you see that it's filled with items that you don't recognize, including locations you have never lived in or visited. Your credit score is in the proverbial toilet. How could this have happened? Without your knowledge, ever since that DMV security breach, someone else has been using your Social Security number and identity and has basically ruined your life...."
The rest of the article is a good read, too.
More than a thousand families in Colorado have been receiving surprising notices. Most didn't know that they were part of an autism study that involved their medical records being reviewed by researchers, without their knowledge and consent. They never would have known, but a laptop containing the records was stolen from a researcher's vehicle. Months after the theft, families were first informed in January of this year. The issue for many, according to ABC7 News, Denver, is
"... should the state health department decide what is best for you or should you have the right to the information to decide for yourself?"
For the full report, see: TheDenverChannel.com - News - Patients Not Notified That Their Health Records Were Stolen.
Incident: Storage company loses track of Time Warner's backup tapes, including information on 600K present and former employees
Time Warner, one of the world's largest media companies, has reported that an outside storage company has lost backup tapes that included personal information related to 600,000 present and former employees. The Secret Service is on the case: Time Warner says employee data lost by data company - Reuters.com.
UPDATE: See also
There are a few more days left to register for a two-day training program that I will be leading on behalf of National Privacy Services entitled "Privacy Risk Management: Exceeding expectations, building trust and avoiding privacy disasters". It will be held on May 11-12 at First Canadian Place, in downtown Toronto. The full brochure is available from the National Privacy Services website, but the highlights are below:
Privacy Risk Management: Exceeding expectations, building trust and avoiding privacy disasters.
A two-day workshop
Identity theft. Privacy laws. Misdirected faxes. Class action lawsuits. Spam. Customers are increasingly concerned about their personal information and businesses are legally required to do something about it.
National Privacy Services, a leading provider of compliance solutions, is offering a two-day workshop to provide the knowledge and the tools to exceed your customers’ expectations and avoid high-profile privacy disasters. Using real-world case studies, participants will gain a thorough knowledge of how to comply with Canada’s privacy laws and – perhaps more importantly – how to meet or exceed the demands of privacy-conscious consumers.
If you handle personal information in the course of commercial activities, the law requires that you:
- Designate a privacy officer;
- Develop and make a privacy statement available;
- Follow the law’s rules for adequate consent for the collection, use and disclosure of personal information;
- Train staff on compliance;
- Safeguard personal information; and
- Provide individuals with access to their own personal information.
A growing segment of the population is very concerned about their privacy and whether they can trust the organizations they deal with. Exceeding your customers’ privacy expectations can be a real competitive advantage.
Our Privacy Risk Management Workshop is specifically designed to provide the background and the know-how to incorporate the best practices of the Personal Information Protection and Electronic Documents Act in a way that does not interfere with your business. Instead, a properly designed privacy program can be a competitive advantage.
Who should attend: Privacy Officers, business owners & managers, IT managers, CIOs, in-house counsel, customer service supervisors, consultants.
$1499 + GST (two full days, lunch and refreshments included)
May 11 & 12 – 9:00 – 4:00
Toronto Board of Trade – Downtown Centre
1 First Canadian Place
For more information about National Privacy Services and our compliance programs, visit www.privlaw.com.
David T.S. Fraser, BA, MA, LL.B.
Legal Counsel, NPSi
David Fraser is an experienced educator and a nationally-recognized authority on Canadian privacy law. David is one of a rare breed: a lawyer who can make complicated legal concepts readily accessible to non-lawyers. He has trained the privacy officers of hundreds of organizations. He has designed the privacy compliance programs for a wide range of organizations, including many that are household names.
David provides specific legal and privacy expertise in the development of NPSi’s privacy solutions and regularly leads the company’s training courses.
Extensive “takeaway resources”
At the conclusion of the course, participants will have a thorough understanding of how privacy laws affect their organizations and what concrete steps must be taken to comply. In addition, participants will use real-world case studies to consider how to exceed the expectations of your privacy-conscious stakeholders. All training participants will be provided with a certificate of attendance and practical resources that will remain useful long after the course is concluded.
About Us: NPSi provides guidance and support to organizations in adopting mandatory privacy best practices that can be easily and efficiently adopted. In addition, NPSi offers full support to its clients, with toll-free, on-call expertise and our unique Privacy Officer Solution. NPSi brings together the nationally-recognized privacy law practice of McInnes Cooper and the information security expertise of Thor Solutions Inc.
Course content: Our training provides clear and concise guidance on how privacy best practices should be applied in the real world. Our instructors have hands-on experience in applying privacy principles in a way that does not interfere with the delivery of quality services. We combine lecture-style instruction with collaborative workshops, case studies and group learning to make sure that the key concepts of privacy best practices are demonstrated in action, not just in theory.
The Palm Beach Post is reporting on a survey carried out on behalf of Office Depot that suggests that more Americans are taking steps to protect their privacy and to prevent identity theft:
Americans increasing protections of privacy, personal information:
- Two-thirds of those surveyed shred credit-card offers and their bills.
- More than one-third bring their mail to the post office rather than leaving it unattended in their mailbox.
- A quarter of them shield the ATM screen at banks.
- A quarter of them don't sign the back of their credit card so sales clerks will check their identification.
- 7 percent of respondents use only cash for purchases so there's no paper trail.