Thursday, June 30, 2005

Invasion of privacy by internet. Exhibit 1: The Dog Poop Girl

Recently, I've posted a few blog entries about blogging and privacy. Now, an anonymous correspondent has pointed me to an interesting story (I am assuming he does not want to be associated with this particular story): A Korean woman has involuntarily become despised and reviled because (a) her dog pooped in the subway, (b) she refused to clean it up when asked, (c) someone took a picture of her with her dog and the mess and put it on the 'net. She is now notorious and ridiculed throughout Korea. Some would say that this is a huge invasion of privacy but others would say that it's a good old fashioned shaming, only facilitated by the online community. For more info, see: Don Park's Daily Habit - Korean Netizens Attack Dog-Shit-Girl

Wednesday, June 29, 2005

Hard to understand privacy statements turn off customers

This probably comes as a surprise to many, but a large portion of internet users actually read online privacy policies. I'll say that again: some people actually read online privacy policies. Or, more accurately, try to read online privacy policies.

Hold onto your chairs, now: people actually make buying decisions based on what they read in the policy.

The world is changing. A growing group of customers ... perhaps your customers ... care about privacy and want the companies they deal with to come clean with comprehensible privacy policies.

I still see too many companies that have privacy policies that are screensful of small print with the "good stuff" that people are interested in buried at the bottom. E-commerce sites probably pay significant sums of money to make their services accessible to Mac and FireFox users because they don't want to alienate potential customers. You should do the same with your privacy statements. Do your company a favour: ask both your grandmother and your seven year old nephew to read your site's privacy statement. If either or both do not fully understand what the statement really means, re-write it and try again. Repeat as necessary.

Harris Interactive did a survey for Privacy & American Business, which backs this up: Vague online privacy policies are harming e-commerce, new survey reports.

Bloggers' Expectations of Privacy and Accountability: An Initial Survey

Privacy and blogging ... two great tastes that taste great together. But I digress.

Fernanda B. Viégas of the MIT Media lab did a survey of bloggers to find out about their feelings on privacy and their blogs:

Bloggers' Expectations of Privacy and Accountability: An Initial Survey:

"Fernanda B. Viégas
Media Laboratory
Massachusetts Institute of Technology


This article presents an initial snapshot, based on an online survey of weblog authors, of bloggers' subjective sense of privacy, and of their perceptions of liability. The findings suggest that the social norms of bloggers are emergent and self-imposed. When confronted with questions of defamation and legal liability, respondents in the survey expressed contradictions between their actions and their knowledge of how the technology works. They generally believed that they were liable for what they published online, although they were not concerned about the persistence of their entries. In general, bloggers do not feel as if they know their audiences. For the most part, blog authors have no control over who accesses their entries, and this inability to define their audiences leads them to make a number of assumptions about who their readers are."

ID Theft: What You Need to Know

Wired is running a brief, one page article on what consumers should know about ID theft: Wired News: ID Theft: What You Need to Know. Worth reading for those who aren't up to date on the topic.

The cost of privacy incidents -- costs avoided by effective data governance

Bank Systems & Technology is running an article that discusses the cost of privacy breaches. Notification can cost $25-30 per customer, and then add $25 per for credit monitoring. Class action lawsuits, even if won, cost millions. The cost to reputation is impossible to calculate and can be devastating to a company.

Effective data governance is the key to avoiding these problems in the first place and strong, proactive responses to incidents are the way to mitigate these losses.

The article is online here:

Bank Systems & Technology : Lost Data Tapes Likely To Be Costly for Citi:

"Lost Data Tapes Likely To Be Costly for Citi


Costly Mistake

As it stands, however, the incident will cost Citigroup significant money to remedy, starting with the need to assuage affected customers. "The average cost of notifying a customer of a breach is anywhere from $30 to $50 per customer. Then, the monitoring of credit records is an additional $25," relates Maureen Kelly, director of product marketing for security technology firm Vontu (San Francisco).

Citi - and other banks - could go even further toward making the customer feel safe - and that's not a bad idea, notes Vytas Kisielius, president of communications solutions provider Adeptra (Norwalk, Conn.). Kisielius compares the current public relations opportunity to Johnson & Johnson's handling of the Tylenol poisonings in 1982. When consumers no longer trusted its product, J&J responded with tamper-resistant packaging. "They made their customers feel completely safe and secure in their relationship that they had with the company," says Kisielius.

But the cost of reaching out to customers can pale in comparison to the legal costs involved with responding to class-action lawsuits. "You're talking six figures to read the complaint, seven figures before you get to a court," asserts Kevin Kalinich, national managing director for technology and professional risks, of Aon's (Chicago) Technology and Telecommunications Group. Aon offers extensions of "errors and omissions" insurance that cover both indemnification and defense costs of third-party claims or losses due to litigation.

The litigation expenses would kick in even if the defendant has a solid defense. "It'd be very hard for anyone to prevail on a lawsuit, unless they could prove actual harm and they could show it traces back to this security breach," notes Fred H. Cate, director of the Indiana University Center for Applied Cybersecurity Research.

But, "The greatest single cost is in the press disclosure," continues Cate. "Do people think less of Citibank, or, if you're a Citibank customer, are you going to be more likely to move [to another bank] now?"

Lawsuit filed over CardSystems data breach

It doesn't take long.... a class action lawsuit has been filed in California against Cardsystems, related to the recent privacy breach: Lawsuit filed over CardSystems data breach | InfoWorld | News | 2005-06-28 | By Robert McMillan, IDG News Service.

States demand cardholders get notice of security breach

A group of 44 State Attorneys General have written to Cardsystems, demanding that it notify all consumers who were affected by the recent security breach. Also, they've demanded that the company inform them of how it happened, what steps they are taking to mitigate the effect of incident and what steps consumers should take: The Seattle Times: Business & Technology: States demand cardholders get notice of security breach.

Tuesday, June 28, 2005

British lawmakers back ambitious ID scheme

Despite strong criticism, the British government is going forward with a national ID scheme that will require all Britons to carry biometric ID cards: British lawmakers back ambitious ID scheme - Yahoo! News.

Canada-U.S.-Mexico Plan Raises IP, Spam and Privacy Issues

Michael Geist has some things to say about the recent Security and Prosperity Partnership for North America, and notes that there are some privacy aspects worth following:

"...Second, the plan calls for the establishment of a formal process for consultation on issues related to the protection of personal information and trans-border data flows, consistent with privacy goals, the needs of legitimate private and public sector business as well as the protection of public safety and national security. If this does indeed result in a formal process, this issue has some potential given the growing concern associated with U.S. law enforcement access to Canadian data and related outsourcing issues."

Famous Players privacy complaint (Joe Clark: Media Access)

I blogged last week about one of the most recent findings of the Office of the Privacy Commissioner related to movie theatres and the information collected when handing out assistive technology for the disabled. (See The Canadian Privacy Law Blog: New finding (#304): Movie theatre chain strengthens personal information handling practices - June 7, 2005). The complainant in this case has outed himself as Joe Clark, an advocate for making movies more accessible. He has put up a webpage devoted to his complaint and his experience here: Famous Players privacy complaint (Joe Clark: Media Access). I'd suggest taking a look at his site to get the complainant's perspective on this one.

Equifax CEO: Identity Theft Is an Epidemic

The Associated Press, via the San Francisco Chronicle, is reporting on a speech given by the CEO of Equifax. Thomas Chapman says he's afraid that the "epidemic" of identity theft will undermine consumer confidence and eventually stifle consumer spending: Equifax CEO: Identity Theft Is an Epidemic

Monday, June 27, 2005

Net insider calls for banishment of noncompliant processor

Networkworld's "Net Insider" is calling for the banishment of Cardsystems in light of relevations that it was not following the industry's rules:

The winner so far: CardSystems Solutions:

"... According to the payment card industry, failure to meet the requirements can result in a permanent prohibition of participation in credit card programs. If the payment card industry is as serious about security as it claims to be, it will use this willful disregard of its own rules to send a message - it will permanently ban CardSystems from processing credit card transactions.

I feel sorry for some of the people that work at CardSystems but not sorry enough to suggest that the company be given a slap on the wrist if it promises to be good in the future...."

This may amount to the death penalty, but it certainly would send a very strong message to whole industry. If that were to happen (I don't expect it will), I'd bet there'd be a huge class-action suit against the directors and officers for overseeing the destruction of the company.

Also ... imagine if retailers who didn't follow the rules were cut off from accepting credit cards....

Incident: Bank of America customer given access to others' accounts

Bank of America is making privacy news again, this time for accidentally allowing at least one customer access to accounts beloning to others:

Customer given access to others' accounts - The Boston Globe - - Business:

"Bank of America Corp. says its recent conversion of FleetBoston accounts to its computer network went smoothly, but don't tell that to Mark Levy, who accidentally got online access to about $90,000 of other people's money.

When Levy went to the bank's website to check his accounts, the freelance writer from Brookline said, he also had access to several accounts that weren't his. If he were criminally inclined, he said, he could have emptied those accounts.

Bank spokesman Ernesto Anguilla said that what happened was an isolated incident caused by ''human error' and ''unrelated to the conversion.' While Levy got access to about 10 accounts, it appears that they belonged to two customers, Anguilla said...."

Sunday, June 26, 2005

Privacy and blogs: Is blogging about consensual sex an invasion of privacy?

Findlaw is carrying a very thorough discussion of the legal issues surrounding an invasion of privacy lawsuit brought by Robert Steinbuch after his relationship with "the Washingtonienne" (aka Jessica Cutler) was featured on her notorious blog. He is suing her for public revelation of private facts. The article, FindLaw's Writ - Hilden: Are Accounts of Consensual Sex a Violation of Privacy Rights? The Lawsuit Against the Blogger "Washingtonienne" by Julie Hilden, also contains links to the pleadings.

Thanks to the Tech Law Advisor for the pointer in his Blawg Review #12 (and also thanks for the pointer to this blog, referring to the lawyer ketchup e-mail incident).

Identity Crisis - Newsweek Business -

The growing list of privacy and security breaches and associated threats of identity theft is the front page story in the most recent Newsweek magazine. The main feature story is Grand Theft Identity, while a second link leads to a summary of the recent cases and what ID thieves are looking for: Identity Crisis. Other content includes:

Saturday, June 25, 2005

Dutch Supreme Court Considering User Privacy Issues

Thanks to Gerry Riskin for pointing this out to me ...

Techdirt is reporting on a fight between the recording industry and Dutch ISPs that parallels the recent Canadian CRIA case (see The Canadian Privacy Law Blog: The new test for disclosure of identities after BMG v John Doe):

Techdirt:Dutch Supreme Court Considering User Privacy Issues:

"Contributed by Mike on Friday, June 24th, 2005 @ 12:18PM

from the anonymity?--no-such-thing... dept.

Last month, we noted that Dutch ISPs were fighting in court against the entertainment industry who wanted them to hand over names of people associated with IP addresses that were seen on file sharing networks. The ISPs argued that handing over the information was a violation of their customers' privacy. In a separate case, (but which was also funded by the entertainment industry) a stamp collector tried to get Lycos to turn over the names of people using their forums who had spoken negatively about them. Lycos, again, pointed out that this would be a privacy violation. That case is now in the Supreme Court and a 'neutral' advisor to the court has urged the Justices to require Lycos and other ISPs to cough up the names based on a fairly low threshold as the test. It remains to be seen if the Supreme Court follows this recommendation, but it could be yet another way that anonymity online gets chipped away. "

To Catch a Thief: Merchants battle credit card fraud

Hats off to Tom Zeller. The writer for the New York Times is doggedly pulling together some of the most interesting and probing articles on credit card fraud, ID theft and privacy. Today's instalment discusses how a merchant is trying to reduce fraudulent purchases: To Catch a Thief - New York Times.

How secure are India's call centres?

The BBC is asking "how secure are India's call centres?", after the widely-reported story that a British journalist was able to buy personal information from a call centre employee:

BBC NEWS | South Asia | How secure are India's call centres?:


Tougher laws

The worker could also face prosecution for theft, cheating and criminal breach of laws under the country's archaic penal code.

There is now talk of a comprehensive employee data base

The offender can even be sued for damages up to $225,000 to be paid to people affected by the leakage of information. But experts say that India's information technology laws are largely skewed towards checking e-commerce fraud, and do not give adequate attention to data protection.

'India needs a dedicated data protection law to check crimes as leakage of information from call centres,' says Pavan Duggal. "

Friday, June 24, 2005

Q&A: ChoicePoint's Rich Baich on data breach, security needs

Computerworld has in interview with Rich Baich, the CISO of Choicepoint. I'm not sure whether observers will find it reassuring:

Q&A: ChoicePoint's Rich Baich on data breach, security needs - Computerworld:

"You have in the past said that what happened at ChoicePoint was not really a security breach. Then what was it? It all comes down to how you define a breach and how you define an incident. This was fraud. Someone fraudulently provided authentication to the system. It's no different than credit card theft and credit card fraud. Those are never referenced as IT-related issues though they happen millions of times every year. In fraud terms, it's called an account takeover. And that's what occurred. All I was trying to do was educate the press more than anything else that this was not what everyone would call a traditional hack. "

New Jersey passes Identity Theft Prevention Act

The proposed Identity Theft Prevention Act breezed through (unanimously!) both houses of the NJ legislature yesterday and will come into force on January 1, 2006.

North Jersey Media Group providing local news, sports & classifieds for Northern New Jersey!:

"Fast facts

Key provisions of the Identity Theft Prevention Act:

  • Consumers may place a 'security freeze' on their credit files at no cost, prohibiting the information from being released to a third party without the consumer's express authorization.
  • Exempt from the prohibition are law enforcement agencies, the Division of Taxation and financial institutions with which the consumer has an existing relationship.
  • Customer records must be destroyed by businesses and government agencies, excluding the federal government, when they are no longer needed.
  • Security breaches of computerized records must be disclosed by any business or agency that conducts business in New Jersey 'in the most expedient time possible.'
  • Social Security numbers may not be printed on identity cards or materials sent through the mail, unless required by state or federal law."

Incident: Yawn! Hacker Gains Access To UConn Personal Data

Yet another university incident: - News - Hacker Gains Access To UConn Personal Data:

"STORRS, Conn. -- University of Connecticut officials have discovered a 20-month-old security breach of a computer server that contains Social Security numbers and other personal information for about 72,000 members of the university community, the school said Friday...."

Thursday, June 23, 2005

The Canadian Privacy Law Blog

You may have noticed that I've changed the name of his blog from "PIPEDA and Canadian Privacy Law" to "The Canadian Privacy Law Blog." When I started it in January 2004, this blog was almost entirely about the Personal Information Protection and Electronic Documents Act (PIPEDA). Since then, it has morphed into a broader presentation of privacy law and issues with a privacy angle.

I started thinking about this after reading that only 8% of Canadians are aware of PIPEDA and surely fewer of my readers from outside of Canada have a clue what PIPEDA means.

In the coming weeks, I'm planning to move from over my own domain, I just have to figure out how to do it without causing too many problems for existing readers. I'll try to give as much notice as possible.

US social security data widely released to law enforcement post 9/11

From beSpacific:

beSpacific: FOIA Request By Advocacy Group Reveals Social Security Data Released Post 9/11:

"Social Security Opened Its Files for 9/11 Inquiry: 'The Social Security Administration has relaxed its privacy restrictions and searched thousands of its files at the request of the F.B.I. as part of terrorism investigations since the Sept. 11, 2001, attacks, newly disclosed records and interviews show.'"

Cardsystems breach saga deepens

According to the New York Times, the story behind the Cardsystems breach may not be as it was initially reported. There is a suggestion that the intrusion began at least as early as November 2004 (among other revelations): Bank in Utah Says Its Data Was at Risk in Intrusion - New York Times. Thanks to Ars Technica for the pointer. Check out their posting for some strongly-worded commentary: Scope of CardSystems-caused credit card data theft broadens.

Undercover UK reporter buys personal information from Indian call centre

An undercover reporter, working for the Sun, managed to buy extremely sensitive personal information from an Indian call centre employee. The story is all over the media and the police are investigating.

Looking into my crystal ball, I think this story will have significant repurcussions, at least in the United Kingdom. I am sure that there are corruptible employees all over the world, but this story has additional interest because of the increasing concern about offshoring personal information processing.

Companies are increasingly looking closer to home for places to economically outsource this sort of data processing, particularly places with low costs and robust privacy law enforcement. Nova Scotia has become a centre of oursourcing and companies are moving operations from India to Nova Scotia.

But back to the original story. From the Sun:

The Sun Online - News: Your life for sale:

"Harvey, who paid a total of 5,000 US dollars (£2,750) for the information and was asked for another £275 to be sent later, was told details usually cost £4.25 but he was getting a special deal.

Kkaran Bahree, who said he got the details from a network of call centre workers in Delhi, also boasted that he could get up to 2,000 account details a month.

The information received included account holders’ addresses, secret passwords, credit card details, passports and driving licence information.

In some cases there were also the issue and expiry dates of bank cards, as well as the three digit security number from the back of the card.

A spokeswoman for the City of London Police said: "All the financial institutions identified have been fully informed of the situation.

"An investigation is now under way. Therefore it would be inappropriate for us to provide further details at this stage."

The spokeswoman said The Sun handed police the names of banks that might have been compromised following an investigation into the security of financial information held at foreign call centres.

"At this stage we are not fully aware of the breadth of what we are going to be investigating."

Ontario IPC: Make privacy breaches reportable

Ontario's Information and Privacy Commissioner is recommending that the province pass a law requiring notification of privacy breaches, like California's law:

CBC Toronto - Make privacy breaches reportable: Cavoukian:

"CBC NEWS – Ontario's privacy commissioner says the province should pass a law requiring businesses to notify customers if there has been a security breach involving their personal information.

Ann Cavoukian says that information is often released by mistake, accessed by electronic interlopers who hack into computer systems, or accessed by rogue employees who sell it.

With the threat of identity theft on the rise, Cavoukian says consumers should have a legal right to be notified when their personal information has been compromised.

"How would you know if your information is at risk? The fastest way … is to have the organization notify you," she said.

Canadian Federation of Independent Business spokesperson Judith Andrew acknowledges that businesses have an obligation to inform customers of security breaches.

However, Andrew said make it a legal requirement is a heavy-handed response that would hurt businesses.

"A proposal for many new protocols and all that kind of thing may end up being a useful thing to do," she said, "but it's more likely to just impose a burden that's huge and difficult to comply with for the vast majority of business out there."

Cavoukian says such a law already exists in California, and is under consideration in 30 American states."

Phishers Exploit 40M Credit Card Theft

It didn't take long for phishers to try to exploit the coverage of the Cardsystems breach. Within a day, weasels were sending out scam messages, purportedly on behalf of MasterCard, telling "customers" to verify their information. See: Phishers Exploit 40M Credit Card Theft - Softpedia News.

Canada's porn performers concerned about personal information going to the United States

This is perhaps a privacy issue that not everyone has to deal with, but it is near and dear to the hearts of Canadian porn performers and members of this country's "adult entertainment" industry. New regulations are going into effect today in the United States that require, among other things, that perveyors of sexually explicit content online keep records related to the identity and age of all performers. According to a Vancouver lawyer who has written to the Canadian and BC Privacy Commissioners, this will mean that all Canadians whose content will be distributed via the United States will be required to provide detailed personal information to the custodian of records for each site in the United States, all of which is there for inspection by federal agents.

The relevant law is 18 USC s. 2257. You can read it here, as I suggest that you not just Google "18 USC 2257", particularly from a workplace computer.

The Ottawa Citizen has a report on the issue and the position taken by some in the Canadian porn industry: Canadian porn performers want protection from U.S. law: Critics say industry's enemies, after failing to ban it, are trying to regulate it to death.

Texas joins California in requiring breach notification

The Texas Legislature has passed a new law that follows California's lead in requring notification of any breaches of personal information. The new law comes into force on Sepember 1, 2005. For the full text of the bill, see: 79(R) SB122 Enrolled - Bill Text. Thanks to HIPAA Blog for the link.

Online records pose risk of identity theft

Public registries have always been public, but putting them online can pose particular risks because they are so easily accessible and can be readily harvested by identity thieves. Today's Boston Globe is running a story on the information that available through Massacusetts' government websites, the risks they pose and what legislators are planning to do about it.

State's online records pose risk - The Boston Globe - - Technology - Business:

"...Public documents that sometimes contain names and Social Security numbers include state and federal tax liens, Massachusetts Health liens, child support liens, and, less frequently, mortgages, said registers of deeds.

Although registers of deeds said that they are unaware of cases in which criminals used information from their databases maliciously, the information contained in the documents would be more than enough to steal an identity and open new lines of credit, said Eric Bourassa, a consumer advocate with the Massachusetts Public Interest Research Group who deals with identity theft issues.

''Once you get someone's name, address, and Social Security number you can really create a fake identity,' said Bourassa. ''This is really bad.'..."

Wednesday, June 22, 2005

Ubiquitous Technology, Bad Practices Drive Up Data Theft

The Cardsystems breach has really spurred a lot of coverage of privacy issues. The Washington Post has a good article the problem from two fronts: lax security and more aggressive (and organized) criminals: Ubiquitous Technology, Bad Practices Drive Up Data Theft.

Black Market in Stolen Credit Card Data Thrives on the Internet

Don't know that a "cob" is? Hopefully it isn't yours that on sale online.

Yesterday's New York Times had a very thorough and chilling look at the undergound market in stolen credit card information: Black Market in Stolen Credit Card Data Thrives on Internet - New York Times.

U.S. to introduce new rules for auto black boxes

Thanks to David Canton for pointing to an interesting Wired article on auto black boxes, which outlines new rules for the devices in the United States. In short, they are not mandatory, but the NHTSA wants each one to record 29 different data elements: U.S. to introduce new rules for auto black boxes.

Expand information laws, Ontario watchdog urges

The Ontario Information and Privacy Commissioner has released her annual report for 2004 and has hit the media hustings to call for increased application of the province's freedom of information legislation, extending it to all organizations that are publicly funded. Perhaps more importantly (at least from my perspective), she is continuing her call for Ontario to enact a private sector privacy law.

For some media coverage, see: | Expand information laws, Ontario watchdog urges.

Steffy: An open letter to dearest MasterCard

Loren Steffy, a business writer with the Houston Chronicle, has published an open letter to Mastercard in an attempt to introduce new terms to her credit agreement with the company: - Steffy: An open letter to dearest MasterCard:

"... Effective May 1, 2005, any compromise of my data will result in a $50 liability for you, the card issuer, owed to me, the card holder.

Cashing the payment check I sent you last month (which you did) shall constitute your acceptance of this agreement. Subsequent security breaches will compound the fee. I will spell out the terms of just how much these fees and related costs will escalate as soon as I find a typeface that is small enough.

Failure to comply with these changes will result in finance charges, compounded monthly and based on the average daily balance of the amount lost to fraud.

By the way, I recently incorporated myself in South Dakota, which means I can now engage in usury as much as you can. Therefore, I have selected an annual percentage rate of 28.7 percent. However, failure to make payments will force me to raise this rate to 73.9 percent, just because I can.

And one more thing. I expect my payment to be on my desk by 12:37 p.m. on the day it's due. I'm usually at lunch at that time, so I will consider it late if it's not there by 11:24 a.m. After that, all the previously listed finance charges will apply. The date the payment is mailed is irrelevant.

Also, given the widespread nature of the security problems, I am going to share information with my fellow consumers. If I determine you failed to secure their private account information, I may be forced to enact the terms specified in this agreement even though you did not violate the agreement with me. Call it universal default in reverse...."

ID thieves search ultimate pot of gold databases

From USA Today, information theives are increasingly focusing their efforts on getting access to the large databases of personal information, such as those maintained by Cardsystems: - ID thieves search ultimate pot of gold databases.

Australian bankers group to examine security breach alert policies

According to the Australian Broadcasting Corporation, that country's bankers association is considering new policies of breach notification after the Cardsystems incident in the US: Bankers group to examine security breach alert policies. 22/06/2005. ABC News Online.

PC stolen in Japan with data on 307,000 people

The Daily Yomiuiri in Japan is reporting that a laptop has been stolen containing the personal information of 307,000 people. The info is about donors to a memorial project:

Daily Yomiuri On-Line:

"PC stolen with data on 307,000 people

The Yomiuri Shimbun

A notebook computer containing personal information on 307,000 people has been stolen from a company dormitory in Itami, Hyogo Prefecture, an Osaka municipal government official said Monday.

The computer included information on donors to the construction of a tower at the Flower Expo Memorial Park in Tsurumi Ward, Osaka. The data leakage is thought to be the largest since the Personal Information Protection Law took effect in April.

According to the municipal government, an employee of Mitsubishi Electric Control Software Corp., which was contracted to digitalize the data, copied the data onto his personal computer to work on it at home, and it was stolen from the company's dormitory on June 13.

The data included people's names, addresses and other information. The municipal government said it was unlikely to be misused, however, as a 16-digit password must be inputted to access the data. "

Tuesday, June 21, 2005

New finding (#304): Movie theatre chain strengthens personal information handling practices - June 7, 2005

The OPC has released a new finding related to the information management practices of a theatre chain and, in particular, the information it collects when it loans out assistive technology for the disabled.

I've been contacted by the complainant in this case, who tells me he'll have a webpage up about the case in the coming days. I'll post a link when it is up and running. In the meantime, enjoy the new finding: Commissioner's Findings - PIPEDA Case Summary #304: Movie theatre chain strengthens personal information handling practices - June 7, 2005.

International fallout from the Cardsystems breach

We've heard that information related to Canadian, Australian and Japanese customers was involved in the Cardsystems breach. Helsingin Sanomat is reporting that 500 Finns are affected, as well.

Helsingin Sanomat - International Edition - Foreign:

"Sensitive information contained in the credit cards of about 500 Finns were among the up to 40 million cards that were compromised recently by hackers in the United States.

'We have been given the card numbers from Visa International and MasterCard International', said Heikki Kapanen, CEO of the Finnish credit card service company Luottokunta on Sunday...."

Federal Appeals Court Limits Calif. Privacy Law

A Federal Appeals Court in California has struck down part of that state's consumer privacy law that limits the ability of financial institutions to transfer customer data to affiliates, concluding it is pre-empted by federal law: Federal Appeals Court Limits Calif. Law. Thanks to Privacy Digest for the link.

Monday, June 20, 2005

Privacy and the right to publicity

Over at e-Legal Canton, David Canton has an article on the intersection of the "right to publicity" and privacy: Publicity a personal choice

Kaiser Foundation Health Plan Fined $200,000 for privacy incident

Bob Coffield, at the Health Care Blog Law, is reporting that Kaiser Foundation has been fined $200K for unauthorized disclosure of patient information:

Health Care Blog Law: Kaiser Foundation Health Plan Fined $200,000:

"For those of you following the Elisa D. Cooper (aka Diva of Disgruntled) matter, you will be interested to know the Department of Managed Health Care (DMHC) today issued a press release stating that the DMHC had completed its investigation and was fining Kaiser Foundation Health Plan $200,000 fo the unauthorized disclosure of patient health information....

Lost Credit Data Improperly Kept, Company Admits

According to the New York Times, the company at the centre of the latest privacy scandal, Cardsystems, wasn't supposed to be keeping the information that was compromised. And, to compound issues, the information was not encrypted.

I've mentioned in a previous post that the card issuers may be unfairly tarred in this whole incident. The media are starting to place the blame on the third party processors, though the headlines scream out "MASTERCARD!". The electronic payments system relies upon third party processors, otherwise you would have seven terminals at each point of sale, which would be unworkable.

The NYTimes article refers to an audit, which the company passed. Perhaps the auditors need to be asked some questions.

See the NYTimes article: Lost Credit Data Improperly Kept, Company Admits - New York Times.

Privacy Commissioner commissions study of Canadian attitudes and awareness of privacy law

Hot off the wires ...

The Federal Privacy Commissioner has commissioned EKOS Research Associates to survey Canadians on their privacy awareness and attitudes (For the survey results, see Canadians, Privacy, and Emerging Issue - Office of the Privacy Commissioner of Canada). A small fraction of Canadians are aware of the laws that are designed to protect privacy but increasing numbers are concerned about privacy and cross-border transfers of information.

Majority of Canadians demand informed consent on cross-border sharing of their personal information:

"OTTAWA, June 20 /CNW Telbec/ - The level of concern and demand for consent on cross-border sharing of personal information is extremely high amongst Canadians, according to an EKOS Research Associates survey commissioned by the Office of the Privacy Commissioner of Canada. Approximately 90 percent of Canadians surveyed wish to not only be informed but insist on governments and the private sector obtaining their permission before sharing their information cross-border.

"There is a growing lack of confidence by Canadians in the protection of their personal information being transferred across borders and support for greater government oversight to better understand the full impact of the issue on their privacy rights. Governments need to be proactive in responding to this concern and at a minimum include consent provisions in any outsourcing or contract arrangements with foreign governments or companies," says Privacy Commissioner of Canada Jennifer Stoddart.

Highlights of survey:

  • 70 percent of Canadians surveyed express a high sense of erosion of their privacy and the protection of their personal information, and predict that it is one of the most important issues facing the country.
  • Although they are not familiar with privacy laws, about three in four Canadians agree on the need for strong laws to protect their personal information.
  • The issue of cross-border transfer of personal information is an example of how privacy laws have not kept pace with how new technologies are impacting on the way in which companies use and transfer Canadians' personal information. In fact, nine in 10 Canadians see a need for ongoing updating of privacy legislation.
  • A strong majority of Canadians surveyed indicate low confidence in the area of technology and privacy protection. Although about three in 10 Canadians are willing to allow companies to track how they shop in return for a discount on products and services, Canadians significantly agree they should be notified about the privacy implications of the products and services they buy.

"We are pleased that Canadians have expressed support for strong and responsive public and private sector privacy laws which are crucial to protecting the personal information of Canadians in today's advanced security and technology environment which is marked by data sharing between public and private organizations." says Privacy Commissioner of Canada Jennifer Stoddart.

The Office of the Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of the privacy and protection of personal information rights of Canadians.

For a copy of the EKOS Research Associates survey, please visit:"

Naming privacy incidents

This is just as an aside, but it seems a little unfair to call the most recent breach involving 40 MILLION people the "MasterCard" incident, since the breach is reported to have come from a third-party processor and a wide range of payment cards are affected. MasterCard is just the first one to come forward, and I'd hope they aren't unfairly tarred for doing this.

Massive credit card incident also affects Japanese card holders

Kyodo News is reporting that the Cardsystems incident also affects Japanese holders of certain cards: MasterCard security breach spills over to Japanese cards.

Sunday, June 19, 2005

Incident: University of Hawaii warns of possible identity theft

Yet another university related incident: - KPUA Hawaii News - U-H warns of possible identity theft:

"HONOLULU (AP) _ University of Hawaii officials are contacting about 20 people connected with the university to warn them about possible identity theft.

But the officials say about 150-thousand students, faculty, staff and library patrons at any of the 10 campuses between 1999 and 2003 should take precautions.

The U-H officials took the action after being advised by federal investigators in connection with the indictment of a former Sinclair Library worker on federal charges of bank fraud related to identity theft.

The case against Deborah Jenkins is unrelated to her employment as a student worker at the U-H-Manoa library system. But she had access to the university's database, which included Social Security numbers, addresses and phone numbers for more than 150-thousand students.

Deborah Jenkins remains a fugitive."

Spokane Mayor Debates Privacy Online

The Mayor of Spokane, WA has found out the hard way that there is virtually no anonymity online. Apparently, he is accused of offering city jobs in a gay chat room, among other things: Spokane Mayor Debates Privacy Online:

"SPOKANE, Wash. -- After what Mayor James West called his 'brutal outing' by a newspaper that published transcripts of his conversations from a gay chat room, he complained in an e-mail to the city's commission on race relations. West asked: 'Should we all fear that our private conversations will be splashed publicly and out of context for all in our sphere to see?' The answer, Internet privacy advocates say, is 'yes.'

'Online anonymity is kind of hard to come by,' said Beth Givens of the Privacy Rights Clearinghouse, a consumer information privacy group in San Diego.

'You cannot count on anonymity in virtually any online communication, unless you are an expert at using encryption and do a lot of research on the service you are using,' Givens said.

After receiving a tip the mayor was offering city jobs to young men he met in a chat room, The Spokesman-Review found a way to corroborate the information without having to subpoena records from the chat room's sponsor.

It hired a computer expert to track the identity of the person behind the screen names 'Cobra82,' 'RightBiGuy' and 'JMSElton' that it suspected was the mayor...."

This column may be recorded for quality-assurance purposes

Every week, I enjoy William Safire's column, On Language, from the New York Times. This week, he discusses the term "quality assurance-purposes", as it is used in the little "on hold" messages to tell you your call will be recorded.

Qualassurepurp - New York Times:

"Your perusal of this column ''may be monitored for quality-assurance purposes.''

That's from the recorded announcement we hear over the phone more often than any other. The frequency of the transmission of those bland-sounding words is greater than the ever-maddening ''please hold'' or the plaintive message from college, ''Send money.'' Who coined this oleaginous and misleading monitoring message, and when?

According to Brad Cleveland, boss of Incoming Calls Management Institute, ''The first use of for quality-assurance purposes was likely AT&T ('Ma Bell') in the early 1980's.'' He adds, ''There are 75,000 to 100,000 call centers in the U.S., handling around 32 billion calls annually, so these announcements are getting a lot of air time.''

Eran Gorev, president of NICE Systems, which claims to be the leading supplier of computer systems for call monitoring, agrees that what he calls ''quality recording'' began about 20 years ago. He says it was a response to the needs of business ''to be responsive with customer service,'' but he's frank about an underlying purpose: ''From a legal standpoint, if you accept the disclaimer by staying on the line, you are forfeiting your privacy rights. The recorded conversation then becomes the property of the service provider.''

But just what is a quality-assurance purpose? That omnipresent phrase has a happy, upbeat ring, as if the recorded disclaimer is protecting the caller from snarling employees or static on the line. Who could object to an assurance of quality? In reality, I think it means ''We're spying on our workers so we can have legal grounds to fire them if they make any wild promises'' or ''We're recording your call to use your words against you in court if you dare to sue us, claiming you said 'buy' instead of 'sell.' ''..."

In Canada, under PIPEDA, you actually have to be more specific than that. One of the hallmarks of this law is that you have to clearly indentify the purposes for which information is being collected. Many companies in Canada are how reciting "this call may be monitored and recorded for record-keeping, training and quality-assurance purposes."

Saturday, June 18, 2005

Toronto Star reports that 240K Canadian Visa accounts are affected by recent breach

The Canadian connection, from the Toronto Star: - Security breach affects 40 million credit cards:

"As many as 240,000 Canadian Visa accounts are among the 40 million North American credit records at risk of fraud after a security breach at an American data processing company, Visa Canada said last night...."

More publicity for Cardsystems security breach

I've noticed that the story about the hacking of Cardsystems Solutions Inc. is getting a lot of ink (or electrons, if you prefer). It is the most e-mailed story at the moment on Yahoo! News and Google News links to at least 700 stories. I've heard it said that these stories will stop getting attention, but as the numbers involved seem to grow weekly the amount of publicity is growing as well.

Discussion: Mastercard Security Breach Affects 40 Million Cards

Rob Hyndman has some more coverage of the most recent incident involving the personal information 40 Million people. There's also a bit of a dialog going on in his comments. I suggest checking it out: - Mastercard Security Breach Affects 40 Million Cards.

BJ's Wholesale Club settles with FTC, Agrees to Audits Every Other Year for 20 Years

BJ's Wholsale Club and the Federal Trade Commission have entered into a settlement agreement following charges that BJ's didn't provide adequate security for customers' personal information. The process of dealing with the charges is said to have cost BJ's $10M in legal fees and the settlement requires BJ to do audits of their practices every two years for the next twenty years. From Privacyspot:

$10 Million Later, BJ's Agrees to Audits Every Other Year for 20 Years | - Privacy Law and Data Protection:

"The FTC and BJ's Whole Sale Club ("BJ's") recently announced that they have agreed to settle the charges against BJ's that it failed to provide adequate security for its customer data.

The FTC claimed that BJ's lackadaisical data security policies failed to protect against fraudulent purchases at other stores made with counterfeit credit cards that contained personal information BJ's had collected from the magnetic stripes of its customers' credit cards. Specifically, the FTC cited BJ's failure to encrypt customer data when transmitted or stored on BJ's computers, to properly password protect customer data, and to run secure, sufficiently monitored wireless networks.

In a classic case of why companies should be proactive about addressing security and privacy, it's being reported that BJ's incurred $10 million in legal costs in 2004 and 2005 resolving this matter.

As part of the settlement, BJ's agreed to implement a comprehensive information-security program. Additionally, in line with the FTC's notorious history of lengthy audit requirements, even though BJ's admitted to no wrongdoing, it will be subject to third-party audits every other year for the next 20 years. Imagine the administrative burden associated with this settlement requirement.

In announcing the settlement, FTC chairman Deborah Platt Majoras stated, "Consumers must have the confidence that companies that possess their confidential information will handle it with due care and appropriately provide for its security. This case demonstrates our intention to challenge companies that fail to protect adequately consumers' sensitive information." Companies that fail to pay close attention to what constitutes "due care," run the risk of facing expensive and burdensome clean-up costs down the road."

Incident: FDIC Reports Security Breach

Personal information of present and former employees of the Federal Deposit Insurance Company (FDIC) has been compromised, according to various sources including ZDNet. It is not clear how many people are affected:

FDIC Reports Security Breach - Yahoo! News:

"The FDIC has notified former and current employees of the agency that personal data including name, date of birth, salary, Social Security number and other information had been stolen several months ago.

Although the data theft was discovered in March and letters were sent to affected employees at that time, the FBI subsequently found that data of all former and current Federal Deposit Insurance Corp. employees--not only those notified by the FDIC in March--had been compromised.

Not only is the security breach embarrassing for the FDIC, it's also ironic, because the FDIC's job is to issue alerts to financial institutions about how to handle sensitive information, said Gerry Gebel, senior analyst at Burton Group, a Midvale, Utah, research and advisory firm.

The security breach at the FDIC is just the latest in a series of high-profile cases of identity thefts...."

Friday, June 17, 2005

Incident: Security Breach at CardSystems Solutions Inc. Could Expose 40M to Fraud

Each week, it seems we hear about the "biggest privacy incident yet". This one may affect FORTY MILLION people, according to to the San Francisco Chronicle:

Security Breach Could Expose 40M to Fraud:

"A security breach of customer information at a credit card transaction company could expose to fraud up to 40 million cardholders of multiple brands, MasterCard International Inc. said Friday....

The compromised data included names, banks and account numbers — not addresses or Social Security numbers, said MasterCard spokeswoman Sharon Gamsin. Such data could be used to steal funds but not identities....

CardSystems was hit by a virus-like computer script that captured customer data for the purpose of fraud, Gamsin said. She said she did not know how the script got into the system. The FBI was investigating..."

Watch your e-mail distribution lists

When I woke up this morning, I had no idea that it would be e-mail day. But it is. After the two previous posts about e-mail today, I thought I'd just continue the theme.

One of the partners in my firm got an e-mail from an accountant or actuary or business valuator or some other fellow professional. It was to announce that their offices had moved or something. I didn't really read the e-mail, because it was one paragraph on page four when he printed it out. The first three pages were the e-mail addressees. Three pages of them in ten point arial font. Hundreds of them. May have been in the thousands.

I have seen this happen, mostly by accident. I've seen it happen because of careless employees, new employees or those who just don't understand the technology. I've seen it happen over and over and over again. I know it bothers more than a few people when they know their address is being shared with hundreds of others, many of them strangers. Some people get bothered enough to complain. When a business does this, not only are they compromising the confidentiality and privacy of the people on the list (and their goodwill), but they are giving away their mailing list that they often have taken hours or thousands of dollars to compile. A good (opt-in) distribution list is valuable and practicing unsafe e-mailing is just giving it away. In this particular example, some of the sender's competitors were on the list and all it takes is a quick "cut and paste" to take that valuable intelligence. You may be giving your competitors a quick view of your clientele and an easy way to reach them.

E-mail to a distribution list has risks. Be sure that your employees appreciate this fact, because one click can cause a bunch of headaches.

E-Mail Embarrasses 119 Failing Students

I guess there is an e-mail theme today.

Mistakes are very easy to make with e-mail. You need to be careful with e-mail. Check your e-mail before you send it. Take a deep breath. Look at the "TO:" line. Look at the "CC:" line. Re-read the message. Think ... would I want this in the Times, on the BBC, or in Yahoo! news. Only then should you click send.

A poor soul at the University of Kansas made a big mistake, according to Yahoo! News. An e-mail, sent to inform students who had failed all their courses that they would be ineligible for furhter student aid was accidentally sent to all 119 students. Mistakes happen, but mistakes like this can have big consequences.

E-Mail Embarrasses 119 Failing Students - Yahoo! News:

"LAWRENCE, Kan. - Due to an e-mail mistake by the University of Kansas, 119 students who failed all their classes during the last semester found out who shared their misfortune.

The students were notified earlier this week that they were in jeopardy of having their financial aid revoked. The e-mail sent Monday by the Office of Student Financial Aid asked for additional information to determine if they were still eligible for aid.

The e-mail address list included the names of all 119 students, with the result that everyone on it could see the names of all the others.

'It was a completely inadvertent, unintentional mistake,' university spokesman Todd Cohen said Thursday. 'It was our error, our mistake and we deeply regret it.'

Nancy George of Gardner, one of the students on the list, was livid, saying the mistake was tantamount to releasing the grades of students without their permission, which the Family Educational Rights and Privacy Act prohibits...."

When is inadequate security negligence?

David Canton considers this question at eLegal Canton: Is unintended release of personal information negligence?

Congress offers competing ideas on fighting ID theft

Computerworld has some pretty thorough coverage of the recent US Senate hearings on ID theft: Congress offers competing ideas on fighting ID theft - Computerworld.

Very little is private when it is sent by e-mail

An anonymous correspondent has pointed me to this story, which is getting a lot of traction since it was first published by the Times of London.

It has been said that you should never put anything in an e-mail message that you wouldn't want to see on the front page of the New York Times. The same can be said for the London Times, as an English lawyer has learned. E-mail has a very long memory and a click of the mouse can forward a message around the world. Unfortunately, not only do messages often reflect poorly on the author, but the name of their organization can get dragged through the mud as well.

Britain, UK news from The Times and The Sunday Times - Times Online:

"How a few ketchup splashes, a £4 bill and an e-mail have become the talk of the City

A CITY lawyer who made an office secretary pay £4 towards a dry-cleaning bill after she accidentally spilt ketchup on his trousers was paying dearly for his actions last night.


“Dear Jenny,” he wrote. “I went to the dry-cleaners at lunch and they said it would cost £4 to remove the ketchup stains.” He wrote that it would be “much appreciated” if he could have the money back.

Ms Amner replied: “I must apologise for not getting back to you straight away but due to my mother’s sudden illness, death and funeral I have had more pressing issues than your £4.” She went on: “I apologise for accidentally getting a few splashes of ketchup on your trousers. Obviously your financial need as a senior associate is greater than mine as a mere secretary.”

Ms Amner’s colleagues offered to hold a collection to raise the £4 but she paid the sum herself — while copying her colleagues in on the e-mail exchange. It has since been widely circulated on the internet. A tabloid newspaper was offering to pay £2,000 last night for a photograph of Mr Phillips. Among many unanswered questions is how the ketchup came to arrive on Mr Phillips’s trousers...."

In the BBC's coverage, they hit the nail on the head about the dangers of e-mail:

BBC NEWS | Technology | Ketchup spat embarrasses law firm:

"... Commercial anthropologist Dr Simon Roberts, research director of Ideas Bazaar consultancy, said he thought Mr Phillips had chosen to e-mail the request for the money, partly because email had become the 'de facto messaging medium' in business.

'Also, we find it easy to use e-mail to say things we would feel a bit uncomfortable saying in person because we feel more distant from the interaction.'

However, Mr Phillips may be regretting starting the exchange by e-mail because 'e-mails have a long memory', he added."

For a lawyer, one might never live this down. Many lawyers use Google to find out about the lawyers on the other side of litigation or deals. After an incident like this, most of the hits on a search query will be related to the incident, not his or her practice. Be careful out there.

For more coverage, check out:

Also, this story reminds me of some other faux pas, this time with voice mail instead of e-mail: PIPEDA and Canadian Privacy Law: F-bomb-dropping attorney gets worldwide notoriety

Access to medical records in litigation trumps privacy

Thanks to a colleague in Newfoundland, I've obtained a copy of the decision in O'Dea v. Lucas, which I referred to yesterday (PIPEDA and Canadian Privacy Law: Insurance access trumps privacy: court). It has some interesting things to say about the right of litigants to relevant medical information in face of requests to limit access on the basis of privacy. If the information may be relevant to the resolution of the disputes between the parties, the privacy rights of the plaintiff must give way in the interests of justice.


CITATION: O’Dea v. Lucas et al, 2005 NLTD 98 Filing Date: 2005 06 09 Docket: 2003 01T 4224


Before: The Honourable Mr. Justice Robert M. Hall

Place of Hearing: St. John’s, Newfoundland and Labrador

Date of Hearing: January 27, 2005


Edward J. Shortall, Q.C. for the Plaintiff Rodney J. Zdebiak for the First and Second Defendants

Authorities Cited: Cases Considered: Furlano et al v. Calarco (1987), 60 O.R. (2d) 451, [1987] O.J. No. 744; Raymond Frenette et al v. Metropolitan Life Insurance Co., 1992 CanLII 85 (S.C.C.); A.Y. v. Gellately (2001), 198 Nfld. & P.E.I.R. 147; Micheli v. Sheppard, [1994] O.J. No. 1609 (Ontario Court of Justice - General Division). Rules Considered: 32.02 and 38.01.(1) of the Rules of the Supreme Court, 1986


Hall, J.:


[1] This matter comes before the Court by way of an interlocutory application on behalf of the plaintiff who suffered a soft tissue neck injury in a motor vehicle accident for which she claims the defendants are liable. In the statement of claim issued in this matter the only injury alleged by the plaintiff was a soft tissue injury to her neck, and she claims that as a result of the accident, and her injuries suffered therefrom, she has experienced pain and suffering and has undergone medical treatment for her injuries. The plaintiff has not made any claim for any cost of future care, loss of earning capacity, loss of housekeeping capacity, or any other form of pecuniary general damages. She has submitted a claim to the defendants claiming special damages, judgment interest, costs and non-pecuniary general damages only. The defendants have demanded production of the plaintiff’s family physician’s chart and her entire medicare billing history, as well as all pharmacy records for a 10 year period prior to the accident. The plaintiff takes the position that only conditions, treatments and medications relating to her neck would be relevant in the action and has agreed to the production of family physician’s records, MCP records and pharmacy records relating to the neck injury only and any other neck injuries whether before or after the accident in question, which injuries may be disclosed by such records. The plaintiff’s stated purpose is a desire to preserve her privacy with respect to conditions or treatments which she claims are not relevant to the action. She has not disclosed, even in the most summary way, what these might be. She therefore applies for an order, pursuant to Rules 32.02 and 38.01 of the Rules of the Supreme Court, 1986 that the discovery of medical records, including the family physician’s chart, MCP records and pharmacy records be limited to those relating to her neck.

Applicable Rules.

[2] Rule 32.02 deals with discovery and inspection of documents and it provides:

“32.02. The Court may at any time

(a) order any party to file and serve on any opposing party to a proceeding a list of documents in Form 32.01A, as provided by rule 32.01;

(b) order any party to make discovery, limited to certain documents or classes of documents only, or of documents related to the matters specified in the order;

(c) where it appears that any issue or question in the proceeding should be determined before the discovery of all or any of the documents is made, order that the issue or question be determined; or

(d) where satisfied that discovery of all or any of the documents is not necessary at that time or later, dismiss or adjourn the application; or

(e) make such other order as is just.”

[3] Rule 38.01.(1) provides:

“38.01.(1) The Court may, on the application of any party or on its own motion, at any time prior to a trial or hearing,

(a) determine any relevant question or issue of law or fact, or both;

(b) determine any question as to the admissibility of any evidence;

(c) order discovery or inspection to be delayed until the determination of any question or issue;

(d) give directions as to the procedure to govern the future course of any proceeding, which directions shall govern the proceeding notwithstanding the provision of any rule to the contrary;

(e) where the pleadings do not sufficiently define the issues of fact, direct the parties to define the issues or itself settle the issues to be tried, and give directions for the trial or hearing thereof; or

(f) order different questions or issues to be tried by different modes and at different places or times. “

Plaintiff’s Argument.

[4] Counsel for the plaintiff wishes to limit both document discovery and oral discovery in such manner that discovery is limited both in time frame and as to the nature of physical or other ailments suffered by the plaintiff. The plaintiff cites in favour of such restrictions a decision of the Ontario High Court of Justice in Furlano et al v. Calarco (1987), 60 O.R. (2d) 451, [1987] O.J. No. 744. In this case on discovery in a personal injury accident, the plaintiff gave evidence that prior to the accident she had suffered from depression and that she had injured her neck in an earlier accident. The defendant moved for an order requiring the plaintiff to produce medical records from the date of the prior accident onwards. The master directed the plaintiff to obtain a report or clinical notes relating to her condition of depression and to any prior neck injury only. The defendant appealed, seeking to set aside the limitation on the master’s order. Potts, J., after review of various cases, stated:

“I would conclude by noting that the balancing of a plaintiff’s interest in the confidentiality of medical records (and indeed, the interest of all patients whether currently involved in litigation or not) and a defendant’s interest in full disclosure of relevant materials is a delicate process. I would not agree with sweeping statements to the effect that once personal injuries are alleged in a lawsuit, a plaintiff’s entire medical history becomes a matter in issue. Criteria must be found by which to assess what part of a medical history is relevant and what is not. Because this case alleges broad physical and psychiatric injuries arising out of the accident, and there is evidence of both in the plaintiff’s recent pre-accident medical history, the defendant’s request for a review of the plaintiff’s clinical record from 1981 onward is not unreasonable. I am inclined however to limit this review to the medical conditions identified in the statement of claim or at the examination for discovery.”

[5] Rule 32.01(1) requires parties to provide a list of documents in a prescribed form “... of the documents of which the party has knowledge at that time relating to every matter in question in the proceeding ...”. In Raymond Frenette et al v. Metropolitan Life Insurance Company, 1992 CanLII 85 (S.C.C.), the Supreme Court of Canada considered issues arising concerning the production of documents under the Quebec Code of Civil Procedure. This Article 402 of the Code required that if, after a defence was filed, it appeared from the record that a document “relating to the issues between the parties” was in the possession of a third party, the third party may upon summons authorized by the Court be ordered to give communication of it to the parties unless he shows cause why he should not do so.

[6] The bolded sections of our Rule 32.01(1) and s. 402 of the Quebec Code of Civil Procedure are in my view identical in effect in that the document must “relate to” the “issues between the parties” (Quebec) or “every matter in question in the proceeding” (Newfoundland). In the Frenette case the appellant insurer had issued a policy of life insurance on the respondent’s son. Under the policy there was a basic indemnity plus a rider which provided a supplemental indemnity for accident death. Death resulting from suicide was expressly excluded as a risk. The deceased’s body was found in a river. The autopsy revealed that the probable cause of death was asphyxiation as a result of drowning but, given the advanced state of decomposition of the insured’s body, no chemical tests were performed on the insured’s tissues to detect traces of alcohol or toxins. The insurer paid the basic indemnity but refused to pay the supplemental indemnity for accident death, claiming the drowning was not accident but a suicide. Those beliefs were based on information gathered from the medical records the insurer had been able to obtain during its investigation. These records indicated that two days before his disappearance, the insured had been rushed to the emergency ward of a hospital and questioned for a possible drug overdose. Despite a 1983 authorization releasing all medical information, the hospital refused to release medical records. The Court decided that the waiver determined the issue and that the requisite information ought to be released. The Court held that even if there had been no waiver to the right of confidentiality the insurer was still entitled under Article 402 of the Code of Civil Procedure to have access to the insured’s complete medical records. The Supreme Court of Canada held that a Court must exercise its discretion to grant access to medical records according to the degree of relevance and importance to the information sought relevant to the issue between the parties. In exercising that discretion, a Court must weigh the diverse interest in conflict – the interest of justice against the right of privacy and confidentiality of an individual. In the Frenette case, the cause of the insured’s death was central to the litigation. Access to information sought became inextricably linked to the ability to prepare a full defence. Moreover, the records provide the best evidence or pertain most directly to the cause of the insured’s death. As for the scope of access, the complete records of the insured held by the hospital are relevant and should be given to the insured. Access to the insured’s complete medical records would not constitute an unjustified intrusion into his private life. The records covered only a brief period of the insured’s life. The nature of the claim put into question a whole series of events which may have led to the questionable cause of death and render these medical records crucial to the issues being litigated. In these circumstances, access to the records did not constitute a fishing expedition.

[7] Plaintiff’s counsel referred also to comments by McLachlin, J. as she then was, referred to by Barry, J. in this Court in the case of A.Y. v. Gellately (2001), 198 Nfld. & P.E.I.R. 147. In A.Y. v. Gellately Barry, J. referred to McLachlin, J. in A.N. v. Ryan, [1997] 1 S.C.R. 157. Ryan involved a case where the plaintiff alleged she had been sexually assaulted by her former psychiatrist and had sustained injuries as a result of the assault. In order to deal with her problems she had sought psychiatric treatments from another psychiatrist. At the commencement of her treatment by the second psychiatrist she had expressed concern that her communications with the second psychiatrist remain confidential. The first psychiatrist requested production of the second psychiatrist’s records and notes. At para. 9 of his decision in A.Y. v. Gellately, Barry, J. referring to the decision of McLachlin, J. in Ryan states:

“At paragraph 18 of her decision, Madam Justice McLachlin noted:
‘The degree of protection conferred by the privilege may be absolute or partial, depending on what is required to strike the proper balance between the interest in protecting the communication from disclosure and the interest in proper disposition of the litigation. Partial privilege may signify that only some of the documents in a given class must be produced. Documents should be considered individually or by subgroups on a “case-by-case” basis.’” (Emphasis added by Barry, J.)

[8] Further at para. 13 of Gellately, Barry, J. refers to the following quote from para. 38 of Ryan by McLachlin, J.:

“It remains to consider the argument that by commencing the proceedings against the respondent, Dr. Ryan, the appellant has forfeited her right to confidentiality. I accept that a litigant must accept such intrusions upon her privacy as are necessary to enable the judge or jury to get to the truth and render a just verdict. But I do not accept that by claiming such damages as the law allows, a litigant grants her opponent a license to delve into private aspects of her life which need not be probed for the proper disposition of the litigation.”

[9] Put simplistically the plaintiff’s position in this case is that what is involved is non-pecuniary general damages for a straightforward neck injury and that the plaintiff ought to be entitled only to examine such documents or to conduct oral examinations if the documents and the examinations are confined to the “same area” and must deal with conditions which:

(a) aggravate the symptomatic injury for which claim is made;

(b) deal with pre-existing non-symptomatic conditions which would not but for the accident in question, have become symptomatic – i.e., the application of “thin skull” principles; and

(c) other injuries in the same area which would have become symptomatic.

Defendants’ Argument.

[10] The defendants’ counsel takes the position that disclosure should not be governed by the size of the claim. He cites the principle applicable in tort damages assessments, i.e. restitutio in integrum. He questions how his client can be expected to put the plaintiff back into the position where she was without knowing what her baseline medical assessment was prior to the accident. He contends that unless he gets enough information he cannot know the size of the problem that he has to deal with.

[11] Defendants’ counsel contends that while evidence with respect to the neck injury claimed is important it does not help entirely with determination of the question of quantum. Implicit in the claim for non-pecuniary general damages is a claim for loss of amenities of life. Defendants’ counsel asks how he can determine if the plaintiff has lost an amenity by reason of a neck injury if she had already lost that amenity of life due to some other pre-existing condition. Hypothetically the question could be “How can the defendant compensate the plaintiff for no longer being able to engage in a game of bowling because of the neck when she already could not engage in a game of bowling because of a leg injury?”.

[12] The defendant also points out that there may be other conditions at play, for example, degenerative disc disease in the lumbar or thoracic spine which may impact upon the claimed neck injury. If he is limited in his examination and discovery he claims that he can never determine if the spinal condition is general. Even when dealing with normally unrelated medical conditions, defendants’ counsel claims that the same principle applies. He postulates the question “What if the plaintiff could not bowl any more due to stomach cancer?” or “What if the life expectancy of the plaintiff was less due to some unrelated condition such as cancer?”.

[13] Defendants’ counsel also points out the risk of receiving false information or information being withheld from him. He claims that without full disclosure he has no way to know if the information provided to him is true or false. In addition, he points to simple fragility in the plaintiff’s memory as her personal health historian and he cannot, without full disclosure, test her memory in that regard. Defendants’ counsel contends that the injury and symptoms claimed by the plaintiff are not ones which are easily segregated. He postulates that a shoulder injury from some other causation may refer pain to the neck. If he is unable to measure her baseline condition prior to the accident he contends he is placed at a serious disadvantage.

[14] Additionally, defendants’ counsel submits that the plaintiff has failed to adduce any evidence to show that disclosure of medical evidence beyond the medical evidence specifically relevant to the plaintiff’s neck would result in some further physical or emotional harm and asserts that the onus should be on the plaintiff to demonstrate this situation before any consideration should be given to restricting discovery.


[15] I accept that information sought by the defendants might be of a highly personal or sensitive nature, the release of which might cause some anxiety on the part of the plaintiff. However I have not been provided with any medical evidence that this will in fact result. I must therefore balance the general privacy interest of the plaintiff against the interest of pursuing truth and disposing properly of the litigation, and in this regard I conclude that justice requires me to find that the plaintiff’s privacy interest must give way to the right of the defendants to access to all reasonably relevant information relating to the plaintiff’s medical condition before and since the accident.

[16] I am not satisfied that the injury claimed to be suffered by the plaintiff is sufficiently discrete and detached from impacts by reason of other physical conditions, that the examination of her medical records can property be confined only to her “neck” without seriously and negatively impacting upon the ability of the defendants to investigate whether pre-existing or subsequently arising conditions have caused or may cause loss of amenities of life claimed by the plaintiff to be attributable to the neck injury. In this regard the case is significantly different from that relied upon by the plaintiff in Micheli v. Sheppard, [1994] O.J. No. 1609 (Ontario Court of Justice - General Division), where the plaintiff suffered a serious eye injury and the master dismissed the defendant’s motion for production of clinical notes and records. In Micheli the Court held that the key to disclosure was relevance to the issues raised in the matter and that while the pleadings were broad the plaintiff was asserting a claim referable only to his eye. The Court held that the master was correct in concluding that the defendant’s broad and general request for all of the plaintiff’s clinical records in these circumstances went beyond the limits of relevance. However, in our circumstances I am not satisfied that the defendant’s requests for clinical records and pharmacy records do in fact go beyond the limits of relevance, and therefore in terms of disclosure in its purest form I deny the plaintiff’s application with costs to the defendant.


[17] It may well be however that certain restrictions on the disclosure or the dissemination of information beyond those persons within an immediate need to know might be appropriate. These could be of the nature ordered by Barry, J. in A.Y. v. Gellately (para. 21). If this is an issue between the parties, it can be dealt with on a subsequent application.


FBI wants US ISPs to keep logs for longer

From Declan McCullagh at CNet:

Your ISP as Net watchdog | CNET

"The U.S. Department of Justice is quietly shopping around the explosive idea of requiring Internet service providers to retain records of their customers' online activities.

Data retention rules could permit police to obtain records of e-mail chatter, Web browsing or chat-room activity months after Internet providers ordinarily would have deleted the logs--that is, if logs were ever kept in the first place. No U.S. law currently mandates that such logs be kept.

In theory, at least, data retention could permit successful criminal and terrorism prosecutions that otherwise would have failed because of insufficient evidence. But privacy worries and questions about the practicality of assembling massive databases of customer behavior have caused a similar proposal to stall in Europe and could engender stiff opposition domestically...."

Canadian credit agency reports data breach

CNet is reporting the credit reports of 600 British Columbians have been disclosed without authorization from the databases of Equifax:

Canadian credit agency reports data breach | CNET

"The credit files of about 600 Canadian consumers were accessed without authorization, credit reporting agency Equifax Canada said Thursday. The breach resulted from what appears to be improper use of the access codes and passwords of one of Equifax's customers, the company said in a statement. Most of the affected people are in British Columbia, and all have been contacted and offered a one-year subscription to a credit monitoring service, Equifax said...."

Thursday, June 16, 2005

Insurance access trumps privacy: court

I have not read the judge's decision in this case, but I am not surprised by the conclusion. Apparently, according to the Canadian Broadcasting Corporation, a judge of the Supreme Court of Nova Scotia has concluded that a defendant in a personal injury lawsuit has a right to review the complete medical records of the plaintiff for the last five years to review for pre-existing injuries.

This appears consistent with previous judgements, such as the decision of the Ontario courts in Ferenczy v. MCI Medical Clinic (see: PIPEDA and Canadian Privacy Law: PIPEDA and Video Surveillance: Guidance from the Ontario Courts).

CBC Newfoundland and Labrador - Insurance access trumps privacy: court:

"ST. JOHN'S - The Supreme Court of Newfoundland and Labrador has ruled an insurance company's right to access personal information may override an individual's right to privacy.

Mount Pearl resident Roseanne O'Dea applied to the court to restrict an insurance company from obtaining her medical records.

O'Dea had been in a collision with a taxi in 2003.

The Insurance Corporation of Newfoundland, which is representing the taxi company, said it wanted to review her medical and pharmacy records for the past decade before it proceeded with any compensation.

O'Dea refused, calling the request an unacceptable breach of her privacy.

Justice Robert Hall ruled there are occasions when an insurance company's access to records should be limited.

However, Hall ruled that O'Dea's privacy must give way to the right of the company to access all potentially relevant information.

Hall said pre-existing medical conditions could be relevant to O'Dea's claim.

Don Forgeron, Atlantic vice-president of the Insurance Bureau of Canada, welcomed Thursday's ruling.

In the past, he said, courts have determined rights of access on a case-by-case basis.

'In the course of settling a claim, there needs to be appropriate medical information put forward to assess the extent of the injuries,' Forgeron said.

'We would look to the courts, as they have done in the past, to apply the appropriate tests to determine whether or not the information being requested is relevant to the proceedings.'"

Adding Privacy to the Constitution

This is a new one ... amid all the calls for legislation to protect personal information in the United States, a commentator in Business Week Online is calling for an amendment to the US Constitution to protect consumer privacy: Adding Privacy to the Constitution.

Wednesday, June 15, 2005

Irish cabinet working group to consider privacy law

According to the Irish Times, that country's cabinet is studying privacy laws to rein in the press: Irish Times Article - Working group to consider privacy law.

Congress Must Deal With ID Theft

Not surprisingly, Wired thinks that the US government should step in to address identity theft. The suggestions seem to be picking up traction, if you listen to other commentators in the media recently:

Wired News: Congress Must Deal With ID Theft
  • Require businesses to secure data and levy fines against those who don't.
  • Require companies to encrypt all sensitive customer data.
  • Keep the plan simple and provide authority and funds to the FTC to ensure legislation is enforced.
  • Keep Social Security numbers for Social Security.
  • Force credit agencies to scrutinize credit-card applications and verify the identity of credit-card applicants.
  • Extend fraud alerts beyond 90 days.
  • Allow individuals to freeze their credit records so that no one can access the records without the individuals' approval.
  • Require opt-in rather than opt-out permission before companies can share or sell data.
  • Require companies to notify consumers of any privacy breaches, without preventing states from enacting even tougher local laws.

Data leaks stunt e-commerce, survey suggests

MSNBC is reporting on a survey that suggests the recent publicity about privacy breaches is starting to affect consumer attitudes:

Data leaks stunt e-commerce, survey suggests - Consumer Security -

"Nearly half of all Americans avoid shopping on the Internet because they are worried their personal information will be stolen, according to a survey released Wednesday by an industry group. The survey also found nearly all Americans think identity theft and spyware are serious problems, but only 28 percent think the government is doing enough to address the issues. About 70 percent said new laws are necessary to protect consumer privacy...."

Lower overseas rates of identity theft could guide U.S. lawmakers

New York Newsday is running an article by AP Business writers Brian Bergstein and Matt Moore, suggesting that the United States may be able to learn a thing or two from other countries when it comes to protecting privacy and reducing the incidence of identity theft. It considers the privacy and credit environment of the UK, other European countries, Japan and Canada. Worth reading: New York City: Lower overseas rates of identity theft could guide U.S. lawmakers

New findings from the Federal Privacy Commissioner

The Commissioner's Office has just released three new "findings" under the Personal Information Protection and Electronic Documents Act. In short, they are:

Commissioner's Findings - Privacy Commissioner of Canada

Tuesday, June 14, 2005

Privacy Officers: Security Types Need Convincing

People often confuse privacy and security. Security is a part of privacy. (Security is also an important part of protecting other corporate assets.) Some may that privacy is the latest buzzword for applying security to personal information. It's more than that.

In IT Management, Ray Everett-Church writes about how to explain privacy to security-types, and particularly the need to have a privacy officer.

Privacy Officers: Security Types Need Convincing:

"I've spent much of the last six or seven years promoting the importance of privacy officers. Much to my dismay, over the course of the years, some of the greatest skepticism I've met has come from security professionals.

Much of the skepticism boils down to some basic misconceptions about the relationship between privacy and security, and fears that privacy officers are just going to be competing for the same organizational ''turf''. But as I have sat with security professionals to explain why the role of the privacy officer is complimentary, but fundamentally different, the concerns and misconceptions are easily dispelled.

Indeed, many security executives quickly realize that privacy officers get to deal with many of the murkier, subjective, and often politically-charged issues that many security officers try to avoid being drawn into -- such as marketing strategies or legal and regulatory compliance.

But let's not miss the bigger point here.

Assuming Congress could fix the law so it would require the auditing of privacy practices, instead of the day-to-day work of the privacy officer, this is something that should be encouraged. A critical element of the Federal Trade Commission's enforcement actions in the realm of privacy has been the requirement that companies bring in outside auditors to oversee their privacy fixes and ongoing practices.

If this panel believes you should only audit after a problem is discovered, then they don't appear to have a good grasp on the reality of today's privacy methodology in use at the most enlightened organizations the world over.

The methodology is pretty simple... I ought to know. I helped develop it. The four elements of a coherent privacy program are:

  • Know your current privacy-related practices;
  • Articulate those practices in a privacy policy;
  • Implement those practices through training and oversight, and
  • Audit those practices, from within and without, to ensure compliance.

All of this may be for naught, however.

According to reports, Rep. Tom Davis (R-Va.), chairman of the U.S. House of Representatives Government Reform Committee, is pushing legislation that would repeal the appropriations language that mandated the CPO appointments. But if the Davis proposal does not become law by year's end, the ranks of America's CPO population will grow by a few dozen, and somebody will finally be accountable for privacy practices at federal agencies.

And know knows... maybe by then some government committee will have grasped what these new CPOs are supposed to be doing!"

At least in Canada's legal environment, the status quo may not be acceptable. I would therefore suggest that a coherent privacy program has the following elements:

  1. Know your current personal information management practices: where it comes from, where it is kept, how it is used and to whom it is disclosed;
  2. Benchmark your current personal information management practices against a recognized standard, such as the Canadian Standards Association Model Code for the Protection of Personal Information;
  3. Modify your practices to accord with the standard (collect only what you need, use and disclose it only in the ways you've articlated, secure the information)
  4. Articulate your new practices in an easy to understand privacy statement and document them in an operational policy;
  5. Train all staff to implement your new practices; and
  6. Audit your practices.

The Rising Threat from Bad Data

I have previously pointed to items addressing the issue of data quality and data aggregators, but this piece from Baseline Magazine shows a real human side of the potential consequences of bad data:

The Rising Threat from Bad Data:

"Steven Calderon had a clean record, a clean conscience and no reason to think that his new employer's routine background check would cause any problem at all. Then the sheriff showed up at the office and took him to jail on warrants for child molestation and rape.

A nightmare? Sure, but Calderon figured it was a mistake that could be cleared up pretty quickly. He'd reported the theft of his Social Security number and birth certificate in 1993, so it was obvious that the bad guy was whoever had stolen Calderon's identity.

A week later he was still in jail, a victim of bad information from data broker ChoicePoint -- and of the blind belief held by his employer, the police and everyone else involved that he was more likely to be lying than the data was...."

Inicdent: Ottawa medical info trashed and then dumped in driveway

It's bad enough that sensitive medical information was being thrown out instead of being shredded, but someone dropped the bag of "trash" on a Manotick man's driveway. But it gets worse ... this is the second time.

The Ottawa Sun is reporting in incident involving the medical waste and health information originating from Gamma-Dynacare in a suburb of Ottawa.

Ottawa Sun Online: NEWS - Patient info in trash: "Homeowner finds medical waste, including personal data, in his driveway for second time

A MANOTICK homeowner was shocked last week to find used medical supplies and private health information in a garbage bag dumped in his driveway.

Anthony Heembrock opened the bag Thursday to find out who'd dumped garbage on Rideau Bend Cres. for a second week in a row.

He says he found medical debris, including bloodied gauze and lab test forms with patients' names, addresses, phone and OHIP numbers.

"What if my animals or my kids got into this stuff?" Heembrock said. "What about patients' confidentiality?"

He's worried that kids and pets are at risk from handling medical waste and patients from identity theft or fraud if the information fell into the wrong hands.

Heembrock said the forms listed the Gamma-Dynacare Medical Laboratories, which shares a building with the Manotick Medical Centre. Gamma-Dynacare didn't return calls yesterday.

Dr. Ann Fillingham, a physician at the health centre, says the public was never at risk from the bag of garbage but how it disappeared is under investigation, she said.

The medical items Heembrock found, including urine specimen bottles, had never been used, she said. The bag did contain cotton balls that are taped to patients' arms after blood tests because patients throw them in the trash.

The clinic has secure disposal of needles and blood products and shreds all sensitive patient information, Fillingham said.


She said the records found were requisition forms from the lab, not medical centre patient records.

Someone must have grabbed the garbage in the few minutes between when it's collected from the building and put in a locked dumpster, Fillingham said. It's now locked up at all times.

"How the garbage got to where it got twice doesn't make sense," Fillingham said. "Something is going on. We're not letting it happen again."

Having health information turn up in the garbage could violate new health privacy legislation, said Bob Spence, spokesman for the province's information and privacy commissioner.

The Personal Health Information Protection Act requires health care workers to store, share and discard private information securely.

"Anyone who works in health would be encouraged to destroy health information rather than throwing it out in the trash," said Spence. "Once we obtain more information, we will be launching a privacy investigation into this."..."