Saturday, July 31, 2004

Article: Suit charges Prozac privacy violations

Over the years, there have been a series of stories like this one...

Suit charges Prozac privacy violations - (United Press International):

"Fort Lauderdale, FL, Jul. 15 (UPI) -- Court papers filed this week in Fort Lauderdale, Fla., show pharmaceutical companies mailed unsolicited doses of Prozac to potential customers.

A deposition filed in a privacy suit brought by some of the recipients of the anti-depressant said the companies got the names and addresses from physicians, the South Florida Sun-Sentinel reported Thursday.

In one case, Dr. Ken Burke admitted supplying his signature on a blank piece of office stationery that a company representative, a frequent fishing companion, attached to the free drugs. Two other doctors from the same office also said they provided their signatures.

The trial packages of a new weekly form of Prozac were sent mostly to users of the standard medication but at least one recipient -- a 16-year-old boy -- had never used anti-depressants.

The suit has also prompted a criminal investigation by the state and criticism from consumer advocates who say it is an example of the improper relationship between doctors and drug companies.

Thanks to Privacy.Org for the pointer to this article.

Article: Privacy Expert To Publishers: Don't Bury It In The Privacy Policy

Here's an interesting article, reporting on a speech given by D. Reed Freeman, chief privacy officer, vice president-legislative and regulatory affairs, Claria Corp. He formerly worked with the US Federal Trade Commission. In short, if the customer would be surprised at what you propose to do with his/her personal information, you need to bring the practice to his/her attention.

Privacy Expert To Publishers: Don't Bury It In The Privacy Policy

Publishers that think their privacy policies are sufficient should think again. Claria Corp.'s chief privacy officer told attendees at the Jupiter Advertising Forum to expect more enforcement where privacy issues surrounding behavioral marketing are concerned. Freeman argued that anything a consumer is likely to be surprised by must be extracted from a privacy policy and made plain. "Ask yourself," Freeman told the crowd, "Is there something going on here that would surprise your mother or a sick uncle?"

Full text of the article here ...

Article: U.S. laws put Canadian privacy at risk

You can always count on Michael Geist to provide good commentary on privacy issues. His latest LawBytes article in the Toronto Star adds to the debate about the collision between the USA Patriot Act (among others) and Canadian privacy laws:

TheStar.com - U.S. laws put Canadian privacy at risk:

"Although it has garnered only limited attention in the rest of the country, for the past few months the British Columbia privacy and information technology communities have been embroiled in a high-stakes issue that raises difficult questions about the effectiveness of Canadian privacy law and the potential threat posed by data outsourcing to the United States. "

One thing that we shouldn't forget is that PIPEDA gives Canadian law enforcement access to Canadian personal information without consent and without notice to the individual concerned.

7(3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is

(c) required to comply with a subpoena or warrant issued or an order made by a court, person or body with jurisdiction to compel the production of information, or to comply with rules of court relating to the production of records;

(c.1) made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that

(i) it suspects that the information relates to national security, the defence of Canada or the conduct of international affairs,

(ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law, or

(iii) the disclosure is requested for the purpose of administering any law of Canada or a province;

(c.2) made to the government institution mentioned in section 7 of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act as required by that section;

*(c.2) made to the government institution mentioned in section 7 of the Proceeds of Crime (Money Laundering) Act as required by that section; *[Note: Paragraph 7(3)(c.2), as enacted by paragraph 97(1)(a) of chapter 17 of the Statutes of Canada, 2000, will be repealed at a later date.]

(d) made on the initiative of the organization to an investigative body, a government institution or a part of a government institution and the organization

(i) has reasonable grounds to believe that the information relates to a breach of an agreement or a contravention of the laws of Canada, a province or a foreign jurisdiction that has been, is being or is about to be committed, or

(ii) suspects that the information relates to national security, the defence of Canada or the conduct of international affairs;

Thursday, July 29, 2004

Not for me, thanks: Under-the-skin ID chips move toward U.S. hospitals

File this under "c" for creepy:

Under-the-skin ID chips move toward U.S. hospitals - News - ZDNet:

"VeriChip, the company that makes radio frequency identification--RFID--tags for humans, has moved one step closer to getting its technology into hospitals.

The Federal Drug Administration issued a ruling Tuesday that essentially begins a final review process that will determine whether hospitals can use RFID systems from the Palm Beach, Fla.-based company to identify patients and/or permit relevant hospital staff to access medical records, said Angela Fulcher, vice president of marketing and sales at VeriChip.

VeriChip sells 11-millimeter RFID tags that get implanted in the fatty tissue below the right tricep. When near one of Verichip's scanners, the chip wakes up and radios an ID number to the scanner. If the number matches an ID number in a database, a person with the chip under his or her skin can enter a secured room or complete a financial transaction."

Full text is available here ...

UK Big Brother Awards

A followup to my previous post. Privacy International announced the awarding of their annual Big Brother Awards last night:

Privacy International:

"Privacy International Announces Winners of 6th Annual Big Brother Awards

28/07/2004

WINNERS INCLUDE MARGARET HODGE MP AND BRITISH GAS.

On July 28th, the human rights watchdog Privacy International will present the 6th annual 'Big Brother awards' to name and shame the government and private sector organisations that have done the most to invade personal privacy in Britain.

The awards will be bestowed at a special event at the London School of Economics. Awards will also be given to individuals and organisations that have made an outstanding contribution to the protection of privacy. "

Full text of the announcement and info on the winners is available here: http://pi.gn.apc.org/article.shtml?cmd[347]=x-347-63280

Wednesday, July 28, 2004

Video: ACLU - Pizza

This entry represents a first ... I've never linked to a video before, but the ACLU has released an interesting and eye-opening flash animation, illustrating a bit of a worst-case scenario for linked databases. Check it out:

ACLU - Pizza:

"The government and corporations are aggressively collecting information about your personal life and your habits. They want to track your purchases, your medical records, and even your relationships. The Bush Administration's policies, coupled with invasive new technologies, could eliminate your right to privacy completely. Please help us protect our privacy rights and prevent the Total Surveillance Society.

Government programs such as MATRIX and Carnivore are destroying our privacy. We live in a democratic society and government-controlled data systems are a dangerous step toward establishing a 24-hour surveillance society.

Recently Northwest Airlines provided the names, addresses, travel plans and credit card numbers of its customers to a NASA project in complete violation of its own privacy policy. In another example, JetBlue provided information from over a million of its customers to the Transportation Security Administration, also in violation of its own privacy policy."

Tuesday, July 27, 2004

Oops: Sentech Confidentiality Breach

Watch those attachments!

allAfrica.com: South Africa: Sentech Confidentiality Breach:

"Sentech has e-mailed a database of MyWireless users to some of its clients, in what one user described as a 'serious breach of confidentiality'.

Astonished MyWireless clients forwarded copies of the database to ITWeb this morning, saying it had been attached to an e-mail they received from Sentech at the weekend. The e-mail purported to contain an attachment outlining Acceptable Use Policy. The Excel database includes names, addresses and contact numbers of around 1 500 users.

User groups who have campaigned to get Sentech to improve its MyWireless service said this morning that they were hoping to arrange a meeting with Sentech soon. 'We don't want to fight with Sentech over things like this,' one said. 'We just want the service to work properly.'"

Monday, July 26, 2004

Labor groups raise outsourcing privacy concerns | CNET News.com

More coverage on the BC outsourcing privacy debate. This time, the American CNET News.com has a report that highlights a submission co-written by Michael Geist, one of the leading Canadian academics on privacy and technology law:

Labor groups raise outsourcing privacy concerns | CNET News.com:

"A 34-page legal analysis released Monday suggests that the Canadian unions are exaggerating the impact of the Patriot Act. A section of the law enacted after the Sept. 11, 2001 terrorist attacks lets police obtain records from any company with a U.S. branch if the information is said to be "relevant" to a terrorism investigation. The request is made to a secret court that meets behind closed doors in Washington, D.C.

The report, written by Michael Geist and Milana Homsi and filed with the BC Privacy Commissioner, says that current rules granting police the power to review data are "not significantly different than that which was available in a pre-Patriot Act era through grand jury subpoenas and national security letters." (National security letters are a type of administrative subpoena that doesn't require a judge's prior approval.)

The report also says that a Canadian law called the Personal Information Protection and Electronic Documents Act authorizes companies to secretly disclose data to government officials--a definition that could include U.S. police."

Saturday, July 24, 2004

Release: B.C. leads Canada in privacy protection

An earlier blog entry mentioned that BC is planning to strengthen its public sector privacy legislation to prevent access to British Columbians' data by foreign governments. (See the entry here.) The B.C. government's press release is available here: "B.C. LEADS CANADA IN PRIVACY PROTECTION". Also of interest is the BC Government's submission to the BC Privacy Commissioner's study on the impact of the USA Patriot Act on the privacy of Lotuslanders: http://www.gov.bc.ca/mser/down/submission.pdf

Friday, July 23, 2004

CBC News: P.E.I. to track prescription drug abuse

Prescription drug abuse has consistently presented one of the greatest challenges to the privacy of patient prescriptions. Health Canada has recently required many pharmacists to report prescriptions of certain drugs. Now it looks like the government of Prince Edward Island is proposing to introduce a province-wide computer system to track prescriptions. Privacy is obviously an issue: pharmacists and private practice physicians are subject to PIPEDA and are unable to disclose personal information without consent.

CBC News: P.E.I. to track prescription drug abuse:

"Last Updated Fri, 23 Jul 2004 15:22:45 EDT

The government's software could let doctors, hospitals and pharmacists share information on what prescriptions their patients are pocketing, but it's unlikely they will have access when the system launches in the fall.

Under the privacy act, doctors and pharmacists are not allowed to trade information about a patient without that person's consent."

One thing to remember is that PIPEDA has a catch-all exception to the consent principle buried in the end of section 7:

(3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is ...

(c.1) made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that ...

(iii) the disclosure is requested for the purpose of administering any law of Canada or a province;

...

(i) required by law.

If the pharmacist is "required by law" to disclose the information, the pharmacist arguably may dispense with consent.

Article: B.C. responds to U.S. Patriot Act with privacy plan

The Vancouver Province is reporting that the BC government will be responding to concerns about the impact of the PATRIOT Act on BC by introducing legislation:

The Province: B.C. responds to U.S. Patriot Act with privacy plan:

"VICTORIA -- The B.C. government is moving to introduce tough new privacy protection laws in response to the USA Patriot Act.

Attorney General Geoff Plant and Management Services Minister Joyce Murray outlined the plan Friday to B.C.'s Information and Privacy Commissioner.

Murray says the government is taking every step to have the strongest privacy legislation in Canada.

He says the laws would make sure no sensitive personal information will be sent to the U.S. on either a temporary or permanent basis.

It limits the application of the Act by ensuring that American affiliates and B.C. service providers do not have access to information supplied by a public body.

Plant calls the move a 'made-in-B.C.' solution and hopes other provinces will follow.

The U.S. government introduced the Patriot Act after the 9/11 terrorist attacks to give more power to law agencies like the FBI. "

I'll post more info as I find it. In the meantime, you can check out information about the BC Privacy Commissioner's consultations on this matter at his website: http://www.oipcbc.org/sector_public/usa_patriot_act/patriot_act.htm.

Thursday, July 22, 2004

Article: Protecting the Data Jewels

Computerworld.com has a very good article on protecting customer information. The focus of the article is confidentiality and preventing employees from stealing critical customer info when they leave their employment. A very good read:

Protecting the Data Jewels: Valuable Customer Lists :

"There are techniques to keep the list of your best customers from walking out the door.

News Story by Bob Violino

JULY 19, 2004 (COMPUTERWORLD) - In the casino industry, one of the most valuable assets is the dossier that casinos keep on their affluent customers, the high rollers. But last year, casino operator Harrah's Entertainment Inc. filed a lawsuit in Placer County, Calif., Superior Court charging that a former employee had copied the records of up to 450 wealthy customers before leaving the company to work at competitor Thunder Valley Casino in Lincoln, Calif.

The complaint said the employee was seen printing the list -- which included names, contact information and credit and account histories -- from a Harrah's database. It also alleged that he tried to lure those players to Thunder Valley. The employee denies the charge of stealing Harrah's trade secrets, and the case is still pending, but many similar cases have been filed in the past 20 years, legal experts say. "

Full text here ...

Article: They've got your number

Today's Montreal Gazette has a good and long article discussing privacy issues, from black boxes in vehicles to RFID technology:

They've got your number: Cutting-edge technologies work as tattle-tales for a surveillance-minded state, Canadian privacy advocates warn:

"RFIDs, like other technology, can be misused, Stoddart says. If it is used to track people or if it transmits personal information, those practices would come under applicable provincial and federal legislation, she says.

People have to be notified that RFIDs are attached to products they may buy, allowing them to refuse them or disable them so they don't collect or transmit personal information.

'What concerns me most is the fact that if we don't act fairly soon to have a public debate, a public awareness and discussion of (RFIDs and other potential invasive technologies), they may soon become ubiquitous and then lower our general societal expectation of privacy at a time when, due to the international situation, we already have great pressures on privacy,' Stoddart says.

Her office is in the process of designing a public education program on privacy issues that may be launched this winter."

Full text here ... (beware, Canada.com expires their content pretty quickly).

Tuesday, July 20, 2004

Article: Multinationals warned on global privacy policy

Thanks to Privacy.org for the reference to the following article that is pretty common sense, but bears repeating and repeating and repeating:

vnunet.com - Multinationals warned on global privacy policy:

"Companies should use the most stringent privacy laws of all the countries in which they operate in order to establish an effective privacy policy.

Leaks of customer information can cause major damage to reputation and brand, according to a report by The Information Security Forum.

The report recommends that organisations use the strictest legislation as the lowest common denominator for establishing an effective policy, and to make sure it is presented consistently at all levels."

Full text here ...

Monday, July 19, 2004

PIPEDA for Financial Planners

I recently gave a presentation for Advocis, the Canadian national association for financial planners. The presentation is available here: PIPEDA for Financial Planners.

Saturday, July 17, 2004

Incident: Intuit warns of credit card risk

From CNET News.com:

Intuit warns of credit card risk CNET News.com:

"Intuit, a provider of financial software and services, is warning 47,000 customers that their credit card data may be at risk after computers were stolen from a company office.

According to a letter sent to customers last week and a notice recently posted on Intuit's Web site, the theft happened in early June at the Omaha, Neb., office of ItsDeductible, a software maker acquired by Intuit last year to be part of its TurboTax tax preparation business.

Thieves broke into the office the weekend of June 11, according to the notice, and took several items, including a PC with password-protected customer data. "

Full text here ...

One thing that I find simply amazing is that the computers contained the personal information, including credit card data, for approximately 47,000 customers who purchased Intuit's "ItsDeductible" products between December 2002 and November 2003. Is there any reason why credit card data should be kept for transactions that took place over a year ago?

This highlights the risk inherent in keeping data longer than you need. Once you have sensitive data, you are responsible for protecting it. If the data has no business value, it is now a liability because of the costs of securing it and, more importantly, the cost of having to deal with it being stolen. It just doesn't make business sense to retain any personal information for any longer than you need it.

Article: Corporate surveillance of staff sparks concern

Today's Toronto Star has an article on workplace surveillance. It quotes Anne Cavoukian, the Information and Privacy Commissioner, and is also notable because it mentions that PIPEDA only applies to federally regulated workers. (It's pretty rare for articles like this to make this critical point.)

TheStar.com - Corporate surveillance of staff sparks concern:

"Federally regulated businesses, such as telecommunications companies and airlines, are subject to federal privacy legislation, but the law does not prevent monitoring at the outset.

A company must decide for itself what is appropriate and when prying into e-mails is justified, according to the Privacy Commissioner's office. But there is recourse for an employee of federally regulated companies. The privacy commissioner will hear complaints and, acting as an ombudsman, can make recommendations to the employer. But the company is not obliged to comply. If not satisfied, the employee can take the complaint to federal court."

Full text here ...

Article: Video of workers ruled OK

The London Free Press has an article on the recent Federal Court of Canada decision about video surveillance at the CPR Yards in Toronto (see my blog entry on the case):

London Free Press: Business Section - Video of workers ruled OK:

"A recent decision of the Federal Court dismissed a complaint against Canadian Pacific Railway by one of its employees under the Personal Information Protection and Electronic Documents Act (PIPEDA). This decision reversed a decision of the privacy commissioner. PIPEDA is federal privacy legislation that governs the use and collection of personal information. The act allows organizations to collect, use or disclose personal information only for appropriate purposes and -- with certain exceptions -- only with consent. "

Full text here ...

Friday, July 16, 2004

Bill 31 (PHIPA) Training

National Privacy Services Inc. and ClinCoach Inc. have officially announced a series of training courses designed to assist physicians and other regulated healthcare professionals in addressing the Personal Health Information Protection Act, also known as Bill 31 and PHIPA.

Thanks to the alliance between NPSi and ClinCoach, the program will include a very comprehensive and practical course for those engaged in clinical research.

The updated brochure is available at http://www.privacylaw.ca/privacy/Bill_31_training.htm, which also includes an outline of the program.

More information is available on NPSi's training page, and you can register online here.

Tuesday, July 13, 2004

Article: New privacy legislation not main driver behind local shredding company's growth

I suppose the important thing is that they are getting more business...

New privacy legislation not main driver behind local shredding company's growth

By Ottawa Business Journal Staff
Mon, Jul 12, 2004 3:00 PM EST

Mr. Mannion attributes his branch's recent success to stepped-up promotion.

"Where we've seen our growth is by being proactive," he said. New privacy legislation has not brought a noticeable influx of business, Mr. Mannion said, though Shred-It did run commercials in Ottawa last fall, reminding businesses that, effective Jan. 1, privacy rules in the Personal Information Protection and Electronic Documents Act (PIPEDA) would apply to companies under provincial, as well as federal, jurisdiction.

"We haven't seen the deluge that a lot of people might have been expecting," he said.

Full text of the story here ...

Sunday, July 11, 2004

Bill 31 Training - Personal Health Information Protection Act (Ontario)

An Unprecedented Training Opportunity

ClinCoach and National Privacy Services have developed a range of training courses to assist health and health research professionals in adapting to and complying with Ontario's new Bill 31, the Personal Health Information Protection Act (aka PHIPA). This law comes into force on November 1, 2004 and has significant requirements for "health information custodians", including all regulated health professionals (physicians, physiotherapists, etc.), hospitals, nursing homes, and more.

The administrative requirements are similar to those of PIPEDA (hopefully the federal cabinet will deem the entire statute to be "substantially similar" to PIPEDA), and there are limited resources available to get healthcare professionals in compliance by the November 1 deadline. No matter what, it is not business as usual. The consent requirements are more specific for healthcare, but they are not exactly user friendly.

The new law also contains specific requirements for clinical researchers, and Paula's years of experience in clinical research and clinical research education will prove to be a tremendous asset to attendees of our course designed for clinical research professionals.

From August to October, we will be offering our PHIPA training courses in Ottawa and Toronto. We will likely be hitting other centres in the rest of Ontario through late October and into the fall.

Training for Bill 31 - Personal Health Information Protection Act (Ontario):

"On November 1, 2004, the Personal Health Information Protection Act comes into force for Ontario's healthcare community. The new regime means it is no longer "business as usual" for regulated health professionals, hospitals and clinics. The rules have also changed for clinical research.

National Privacy Services Inc. (NPSi) and ClinCoach each have proven track records in delivering practical and effective privacy training for the healthcare sector. Together, we have designed a range of Bill-31 training courses specifically tailored for the medical community's varied roles and environments. Unlike other workshops and conferences you may have seen elsewhere, NPSi and ClinCoach provide solid training: in-depth, concise guidance on how to implement Bill 31 in your practice, all of which will be sufficient for continuing education credits. "

For more information, check out our brochure (advance copy available here) and the websites of National Privacy Services and ClinCoach.

Wednesday, July 07, 2004

ClinCoach and NPSi Alliance for Clinical Research Privacy

National Privacy Services Inc. and ClinCoach Inc. are going to announce tomorrow the establishment of a unique alliance to provide privacy training services for those involved with clinical research. ClinCoach is a leading, international provider of training for clinical research best practices, including the provision of Clinical Research Standard Operating Procedures. With NPSi, ClinCoach is developing Standard Operating Procedures for interjurisdictional privacy best practices, designed to assist clinical researchers in complying with PIPEDA, PHIPA and other privacy laws.

ClinCoach and NPSi Alliance for Clinical Research Privacy:

"Standard Operating Procedures for Clinical Research

ClinCoach and NPSi have developed standardized means of integrating privacy best practices and legal requirements into clinical research, offering the first-of-its-kind Privacy Standard Operating Procedures for clinical trials. The best practices contained in the Privacy SOPs are designed to be compliant with Canada's multiple health privacy regimes, including PIPEDA, PHIPA: the Personal Health Information Protection Act and various laws in all Canadian provinces. These SOPs offer a privacy solution to sponsors in multi-centre trials located at sites across Canada."

You can check out the announcement at the websites of National Privacy Services Inc. and ClinCoach Inc. starting tomorrow.

Also, stay tuned for an announcement about Bill 31 training of Ontario's health professionals and institutions.

Tuesday, July 06, 2004

Thoughts from a Management Lawyer: Yet Another Surveillance Case

Michael Fitzgibbon's labour law blog has a reference to another workplace surveillance case, this time from the B.C. Court of Appeal: See Thoughts from a Management Lawyer: Yet Another Surveillance Case.

Correction: Coming into force of Bill 31

In an earlier blog entry, I suggested that the bulk of Ontario's Personal Health Information Protection Act will come into force on January 1, 2005. That was incorrect. The version of the bill passed by the legislature had November 1, 2004 as the effective date:

PART IX COMMENCEMENT AND SHORT TITLE

Commencement

99. (1) Subject to subsection (2), this Schedule comes into force on the day the Health Information Protection Act, 2004 receives Royal Assent.

Same

(2) Sections 1 to 72 and 75 to 98 come into force on November 1, 2004.

Short title

100. The short title of the Act set out in this Schedule is the Personal Health Information Protection Act, 2004.

Addition: For information about Bill 31 (PHIPA) training, see http://www.privlaw.com/pages/training_courses.htm

Monday, July 05, 2004

Proposed Bill 31 Regulations published

The Ontario Ministry of Health and Long-Term Care has published a notice of proposed regulations under Bill 31. The public and interested parties are invited to comment on the proposed regulations (deadline: September 3, 2004):

Notice of Proposed Regulations- Invitation to Provide Comments on Proposed Regulations:

"The Minister of Health and Long-Term Care on behalf of the Government of Ontario invites public comments on proposed regulations for the Personal Health Information Protection Act, 2004 and the Quality of Care Information Protection Act, 2004.

The public is invited to provide written comments on the draft regulations over a 60-day period, commencing on July 3, 2004 and ending on September 3, 2004.

Please be as specific as possible, and provide reasons for any suggested changes or additions. All comments and submissions received during the comment period will be considered during final preparation of the regulation.

The proposed regulations are available at this link."

Addition: For information about Bill 31 (PHIPA) training, see http://www.privlaw.com/pages/training_courses.htm

Event: Privacy International 2004 UK Big Brother Awards

Privacy International will be hosting the annual UK Big Brother Awards in London on July 28, 2004. The international lobby group always produces a very interesting list of initiatives and incidents, none of which should be missed. Prizes are being awarded for the "Most Invasive Company" and "Most Appalling Project", among others. (Thanks to Slashdot and the Register for the link):

Privacy International 2004 UK Big Brother Awards:

"On July 28th 2004, Privacy International will stage the 6th annual UK Big Brother Awards to recognise the people and organisations that have done the most to devastate privacy & civil liberties in the UK.

Now an annual event in seventeen countries, Privacy International's Big Brother Awards bring together a rich and unique mix of all ideologies and backgrounds. This year, for the first time, the award night will be open to the general public. A space for a thousand people has been reserved at the London School of Economics, which is hosting the event on the night."

Friday, July 02, 2004

Article: Breach of trust -- it's about keeping customers

This is a slightly older article, but I just happened across it today. It highlights something that I try to drill into my clients. Protecting customer personal information is not just about compliance, it is about keeping customers.

Breach Of Trust > May 3, 2004:

Data breaches are a constant threat and put companies in danger of losing their most valuable asset: customer trust
By George V. Hulme

When Christina Guilbert got a call from her bank in March about an attempt to steal money from her account, she was alarmed--and suspicious. How could someone access her account from an automated teller machine in England when her ATM card was in her home in Boston? Was the caller really a bank representative or a thief fabricating a story in an attempt to get account information from her? "With all of the scams on the Internet, I knew they could try the same thing using the phone," Guilbert says.

Guilbert had the bank rep confirm his identity by providing information on a recent transaction on her account. The bank blocked the attempted withdrawal, but Guilbert, who works at a public-relations firm, still doesn't know how the overseas thief got her account information. Guilbert's faith in doing any kind of business online has been destroyed. "I was concerned about shopping online before; now I won't shop online at all," she says. ...

Full text here ...