Saturday, December 31, 2005

ID thief trolled sex offender registry for targets

Here's an interesting one: Police in Arkansas have arrested a man for using information gleaned from the state's sex offender registry to get credit cards and tax refunds in the names of those offenders. He was busted at a routine traffic stop when the police officer noticed unusual files in his car.

See: Police: Ark. Man Stole Sex Offender IDs - Yahoo! News.

New privacy laws come into force in the US at midnight

January 1 is a convenient time to bring new laws into effect. It seems like only two years ago that PIPEDA came fully into force for those of us in Canada. (And almost two years since this blog came into being.) The Associated Press has a summary of new US state laws, some of which are in reaction to the high-profile privacy breaches of the last year. Check it out:

New Year Brings Array of New State Laws - Yahoo! News

...This year, several states will take action to guard against the theft and misuse of personal information as more and more commerce moves to the Internet; several companies admitted in 2005 that hackers got into their supposedly secure databases. New Jersey and Virginia will bar making public a person's Social Security number, while Minnesota will require businesses that hold such information to quickly notify clients if there is a breach of security.

David Canton's PIPEDA predictions for 2006

David Canton, in his regular London Free Press column, is making a few predictions for 2006. He leads off his column with predictions about privacy in Canada:

London Free Press - Business - Expect PIPEDA debates

The Personal Information Protection and Electronic Documents Act (PIPEDA) is slated for review in 2006. Expect the debate to rage on controversial issues such as whether individuals should be notified if their personal information is compromised.

Another issue is processing data outside Canada, common in a connected world. It raises issues regarding the ability of foreign governments to view our personal information -- without our knowledge, without judicial oversight, and despite contractual arrangements to the contrary.

A privacy issue that may come before the privacy commissioner is the printing of full credit or debit card numbers on receipts. This matter has not been the focus of a complaint to the privacy commissioner's office.

Many privacy commentators, myself included, believe that putting full credit or debit card numbers on either the customer's or the company's copy of a receipt is a violation of PIPEDA. The printing of those numbers serves no purpose and increases the risks of fraud.
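As an added illustration of the point about receipts (example code written for this page, not from David Canton's column or from any payment system mentioned here): a small Python filter that finds card numbers in receipt text and masks every digit except the last four, which is the form a receipt should print. The 13-to-19-digit length range, the Luhn checksum used to tell card numbers apart from order or authorization numbers of similar length, and the choice of keeping the last four digits are assumptions made for the example; the receipt text is constructed and uses a well-known test card number.

```python
import re
from typing import Tuple

# Candidate card numbers: 13 to 19 digits, optionally separated by single
# spaces or dashes, and not embedded in a longer run of digits.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, assumed here as the filter that separates card numbers
    from order or authorization numbers that happen to have a similar length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Replace every digit except the last `keep_last` with '*', keeping separators in place."""
    n_digits = sum(ch.isdigit() for ch in pan)
    out, seen = [], 0
    for ch in pan:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > n_digits - keep_last else "*")
        else:
            out.append(ch)
    return "".join(out)


def redact_receipt(text: str) -> Tuple[str, int]:
    """Mask every Luhn-valid card number in receipt text; return (new text, numbers masked)."""
    masked = 0

    def _sub(match: "re.Match[str]") -> str:
        nonlocal masked
        candidate = match.group(0)
        if not luhn_ok(re.sub(r"\D", "", candidate)):
            return candidate        # right length but fails the checksum: leave it alone
        masked += 1
        return mask_pan(candidate)

    return _PAN_RE.sub(_sub, text), masked


# Constructed receipt text for the example (4111 1111 1111 1111 is a standard test number).
SAMPLE_RECEIPT = """ACME COFFEE   2005-12-31 09:41
VISA 4111 1111 1111 1111  EXP 11/07
AUTH 123456   TOTAL $4.25
ORDER 9876543210123
"""

if __name__ == "__main__":
    text, n = redact_receipt(SAMPLE_RECEIPT)
    print(text)          # card line becomes: VISA **** **** **** 1111  EXP 11/07
    print("masked:", n)  # 1  (the 13-digit order number fails Luhn and is left as is)
```

Running the same filter over a merchant's receipt templates or printer logs is a quick way to find out whether a point-of-sale system is still printing full numbers on either copy.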

Thursday, December 29, 2005

2005 worst year for breaches of computer security

USA Today is reporting that 2005 has been the worst year yet for computer security and security of personal information. Maybe... Equally likely: it was the year that we heard about breaches that otherwise would have been swept under the carpet. The only difference is the range of laws following in California's footsteps. See: 2005 worst year for breaches of computer security - Yahoo! News.

Automated fare system upsets some in Boston

The ACLU is getting a bit hot and bothered about a new fare system about to be implemented by the Boston area transportation authority. Tokens are being phased out and replaced by debit-type fare cards. Riders can purchase a pre-loaded fare card that is discarded when used up, but others can opt for a reloadable pass that is connected to their bank account. The system will track where and when the cards are used (a sensible auditing function). The ACLU is concerned that riders who opt for this choice will be sacrificing privacy for convenience since their records will be available if the transit authority is served with a subpoena or a search warrant. It seems a little overblown, as long as consumers know they have the choice of an anonymous option and make the decision knowingly. See: T defends automated fare system against privacy concerns - The Boston Globe.

Files on welfare-to-work clients found in dumpster

After someone found files containing personal information on welfare-to-work clients (including names, addresses, SSNs) in a dumpster, the San Joaquin County Office of Education in California is investigating. Apparently they were left in a car sold by a former department employee who didn't care enough to collect them when informed by the buyer that a box of stuff was left in the car. See: County probes confidential files in trash.

Edmonton pawnshop owner takes a stand over electronic reporting of personal information of customers to police

As of January 1, 2006, pawnshop operators in the City of Edmonton will be required by a city bylaw to enter information about customers into a database that is electronically transmitted to the police. Pawnshop owner Kelly Buryuniuk has always collected this sort of information, as required by law, but he is not at all happy about having to send it to the police, particularly via a private contractor; he says he is concerned about the security of that data. He says he will defy the bylaw, even if it gets his licence suspended. The Information and Privacy Commissioner of Alberta is reviewing the system. See: edmontonsun.com - Edmonton News - Standoff brewing.

Wednesday, December 28, 2005

Incident: Marriott missing backup tapes with records of 206,000

Marriott International's timeshare division has started to notify customers, employees and credit card companies that backup tapes with records (including SSNs) of 206,000 individuals are missing. There is no information on whether the data has been used for nefarious purposes, and Marriott cannot determine whether the tapes are merely misplaced or were stolen. See: Marriott Discloses Missing Data Files.

Privacy concerns about online library service: patron records available for others to see

Mary Minnow, at the Library Law Blog, has recently posted about a service called Library Elf. It plugs into your local library's computer system so you can see what books you have checked out, when they are due back and the status of any holds. In using it, Mary found that she could see other patrons' records. She isn't happy about that.

See: LibraryLaw Blog: "This card is viewed by other accounts" - an update on the Library Elf and your privacy and LibraryLaw Blog: Breaking Discovery - Library Elf blasts a giant hole through privacy - and why I terminated my account.

Monday, December 26, 2005

Legal Analysis of the NSA Domestic Surveillance Program

Orin Kerr at the Volokh Conspiracy has a lengthy Legal Analysis of the NSA Domestic Surveillance Program that is worth a read. The post also has hundreds of intelligent (and a few not so) comments from readers who are taking a close look at the legality of the recently-revealed and White House ordered NSA domestic surveillance operations.

Breach notification law debate continues in the US

Today's Los Angeles Times is running a lengthy article on the debate over federal legislative responses to security breaches involving personal information. On one hand are organizations like EPIC and Consumers Union, which do not want a federal law to override stronger state laws and want to keep the threshold for notification low. On the other hand are banks and information brokers, who want a federal law to preempt state laws and to require notification only if there is a "significant risk of fraud" using the compromised information. Otherwise, it is argued, consumers will begin to ignore the flurry of notices they would likely receive.

The article is also interesting because it sheds additional light on a study released this fall that suggested there is a low risk of fraud when information is compromised. I noted the study in this blog (The Canadian Privacy Law Blog: Study on data breach fallout), and noted that there was nothing in the original about its methodology. The LA Times article suggests it was flawed and may not actually measure anything particularly useful:

Data Brokers Press for U.S. Law - Los Angeles Times:

"It's an area of policy in which legislation is driven by hysteria," Cate said. "There's just very little theft of data going on that is actually being used to commit identity theft."

Another study was announced this month by San Diego-based ID Analytics Inc., which described its findings in House testimony, to senators on two relevant committees and to the media. That generated news stories with such headlines as "ID Theft Fears Overblown, Study Says" and "Good News on ID Theft."

The firm earns money by helping banks figure out whether credit card applications might be fraudulent, and banks are among the institutions most actively opposed to new notification requirements.

The company said it studied four major losses of personal information, which it didn't identify or explicitly claim were representative, and found that less than one person in 1,000 was victimized by fraud as a result.

But ID Analytics looked only for what it called signs of "organized misuse" — for example, if a criminal gave himself away by using the same contact telephone number for two people whose information had been obtained in the same breach. In an interview, ID Analytics Vice President Mike Cook said he didn't know what proportion of fraud would leave that sort of fingerprint.

He also acknowledged that to be detected by the study, a criminal needed to seek credit or make a purchase from a client of ID Analytics — largely unnamed banks and cellular phone companies.

"If someone steals identities and created checks, passed bad checks at a supermarket, we probably wouldn't catch that," Cook said.

A to Z in techlaw (with some privacy for good measure): 2005 in review

Michael Geist continues his annual tradition with Apple to Zundel, the year in tech law.

Credit card info taken from Guidance Software is used in fraudulent activity

I reported last week that Guidance Software Inc.'s customer database had been hacked (The Canadian Privacy Law Blog: Incident: Computer forensics firm hacked; credit card info of 3800 customers compromised). Now there are reports that some of the credit card numbers taken have been used fraudulently:

The ChronicleHerald.ca: Hackers infiltrated key police database

...John Colbert, chief executive of Guidance, said the attack "is ironic, but it highlights that intrusions can happen to anybody. It’s not a matter of if, but of when, so nobody should be complacent about their (computer network) security."

The Los Angeles Electronic Crimes Task Force is leading an investigation, along with the U.S. Secret Service and FBI, Colbert said. He said the breach has led to "a few instances of fraud" involving the stolen credit card numbers.


For additional coverage, see:

Sunday, December 25, 2005

First-hand account of info leak scare

Today's Dallas Fort Worth Star Telegram has a first hand account written by a recipient of a letter from ABN AMRO warning that his personal information was among that temporarily lost by a courier company. The author, Dave Lieber, did a bit of digging around and found he wasn't alone. In fact, he was among 57 million individuals affected by more than 142 recently-reported data breaches/losses. As it turns out, his information was soon found but he's going to be keeping a more watchful eye on his bank statements and credit reports.

The best preventive measure is to regularly check your credit report for suspicious activity.

A Web site - www.annualcreditreport.com - lets you request a free credit report from each of the three major credit bureaus each year. Chris Hoofnagle, senior counsel with the Electronic Privacy Information Center, suggests you ask for one report every four months.

"You end up monitoring your credit so if something bad happens, you can quickly intervene," he said.

What are you looking for? "Anything that appears out of the ordinary," he said. Credit card "accounts that do not belong to you. Also, addresses and personal information that do not pertain to you. If there are errors, you call the credit reporting agencies and try to correct them."

Frederick Scholl, a security expert in New York, told me that he monitors his credit reports and his bank statements.

"People have gotten too lax," he said. "If you have Internet access, you can go in and check your statements on a regular basis and look for charges on your accounts. It just means you need to look at your own personal information statements on a regular basis more than you did in the past."

Hoofnagle says: "There's little an individual can do to prevent crime, but there are things you can do to reduce the risk."

Identity theft of hospital patients and the recently deceased

The Red Tape Chronicles from MSNBC.com recently ran an article on identity theft that is connected to hospital stays and what patients can do to protect themselves. The article itself is interesting, but there are dozens of comments that are equally illuminating:

Hospital ID theft: How to protect yourself - The Red Tape Chronicles - MSNBC.com

Stories of nurses, patients, and visitors stealing identities from the sick can be ripped from the headlines across America, like the story of a nurse in a Philadelphia hospital who gave terminally ill patients' identities to a crime ring. They drained the patients' accounts and obtained $10 million in fraudulent mortgages using the stolen personal information.

"They’re like vultures. You wonder how people can be so horrible," said Mari Frank, an ID theft victim lawyer and author of two books on the subject. "They think, 'Who cares, he's going to die anyway.' "

It's hard to imagine, particularly if you trust your doctor and your hospital. But do you trust the patient across the hallway? And all his visitors? The grim reality is, identity theft is a peril for hospital patients, another concern sick and dying people, and their families, must put on their checklists.

Fortunately, there are some things you can do to protect the privacy of people you love while they’re recovering in the hospital....

Thanks to Privacy Digest for the link.

Incident: Personal information of Iowa State University donors and employees hacked

Merry Christmas ... your information has been hacked: DesMoinesRegister.com: Computer security breaches raise identity theft concerns-- Hackers may have accessed the private data of ISU employees.

Saturday, December 24, 2005

New TSA passenger screening guidelines, courtesy of the Onion

Here are the latest TSA guidelines for the traveling public, courtesy of The Onion, which bills itself as America's finest news source. Thanks to Schneier on Security for the link.

Story about feds visiting after request for Mao book is a hoax

From the same source that originally reported the story comes news that the story about a visit from federal agents following an interlibrary loan request for Mao's Little Red Book is a hoax. The student now admits making up the story:

Federal agents' visit was a hoax: 12/ 24/ 2005

Student admits he lied about Mao book

By AARON NICODEMUS, Standard-Times staff writer

NEW BEDFORD -- The UMass Dartmouth student who claimed to have been visited by Homeland Security agents over his request for "The Little Red Book" by Mao Zedong has admitted to making up the entire story.

The 22-year-old student tearfully admitted he made the story up to his history professor, Dr. Brian Glyn Williams, and his parents, after being confronted with the inconsistencies in his account.

Had the student stuck to his original story, it might never have been proved false.

But on Thursday, when the student told his tale in the office of UMass Dartmouth professor Dr. Robert Pontbriand to Dr. Williams, Dr. Pontbriand, university spokesman John Hoey and The Standard-Times, the student added new details.

The agents had returned, the student said, just last night. The two agents, the student, his parents and the student's uncle all signed confidentiality agreements, he claimed, to put an end to the matter.

But when Dr. Williams went to the student's home yesterday and relayed that part of the story to his parents, it was the first time they had heard it. The story began to unravel, and the student, faced with the truth, broke down and cried.

It was a dramatic turnaround from the day before.

For more than an hour on Thursday, he spoke of two visits from Homeland Security over his inter-library loan request for the 1965, Peking Press version of "Quotations from Chairman Mao Tse-Tung," which is the book's official title.

His basic tale remained the same: The book was on a government watch list, and his loan request had triggered a visit from an agent who was seeking to "tame" reading of particular books. He said he saw a long list of such books.

In the days after its initial reporting on Dec. 17 in The Standard-Times, the story had become an international phenomenon on the Internet. Media outlets from around the world were requesting interviews with the student, and a number of reporters had been asking UMass Dartmouth students and professors for information....

I reported on the original story (The Canadian Privacy Law Blog: Borrow the wrong book and get it personally delivered by the feds), as did hundreds of other blogs, assuming it to be true. Well, it simply was not, which shows the risk of believing what you read on a blog, or in the conventional media (since the story originated with the Standard-Times of New Bedford, Massachusetts).

I tend to agree with most of what Bruce Schneier observes on this latest turn of events:

"I don't know what the moral is, here. 1) He's an idiot. 2) Don't believe everything you read. 3) We live in such an invasive political climate that such stories are easily believable. 4) He's definitely an idiot."

I won't tell which parts I agree with most ...

US News reports that law enforcement monitored mosques and muslim homes for radioactivity without warrants

More information is coming out about the use of warrantless surveillance in the United States as part of the war on terrorism. One of the latest revelations comes from US News and World Report, which reports that US law enforcement has used radiation monitors to look for radioactive materials at mosques and the homes of Muslims in the US. See: USNews.com: Nation and World: EXCLUSIVE: Nuclear Monitoring of Muslims Done Without Search Warrants (12/22/05).

This sort of surveillance raises some different issues than wiretapping or wholesale surveillance of communications. Is there an expectation of privacy in incidental emissions from your property? Is this different from infrared imaging (Supreme Court of Canada considers different species of personal privacy) or alcohol detectors (Alcohol sensor an invasion of privacy?)?

Handle your incident well and good publicity may follow

Being involved in an incident in which the records of two million customers go astray is not at all pleasant. But the good news is that, if you handle it right, you may actually get some good publicity. Case in point:

Three Cheers for ABN - Yahoo! News:

... So now for the good news: ABN AMRO is run by a bunch of standup folks, and the gents at DHL aren't far behind. True, I could criticize ABN for failing to, say, task a VP to personally cart its data tapes from warehouse to warehouse, and for instead shipping this valuable information like so many pounds of unwanted fruitcake. I could also place DHL in the same butterfingers basket at UPS. But in honor of the holiday season, I'll say instead what these companies did right.

DHL, for its part, upon learning on Nov. 18 that a data tape had gone missing, left no stone unturned trying to find it -- and ultimately did find it after a monthlong search. ABN gets credit for helping in the search and for (relatively) quickly informing its at-risk customers of the loss. But ABN gets extra credit for what it did after DHL found the tape.

Although the package containing the data tape was discovered apparently unopened, ABN volunteered to pay for one full year of credit monitoring for each of its 2 million clients who might conceivably have had their data compromised. That beats out Citigroup's June offer by 275 days, and it matches the offers from Ameritrade, ChoicePoint, and Reed.

Finally, ABN has determined that it will not let this situation ever happen again. From here on out, the company announced last week, it will discontinue outsourced shipping of sensitive personal data on tapes and switch to using only encrypted electronic means to transfer such data. Welcome to the 21st century, ABN. I just wish you had more company.

Incident: personal information-containing PC stolen from Ford Motor Co.

Seventy thousand employees of the Ford Motor Company are affected by the theft of a PC that contained employee data, including social security numbers, according to CNN: Tech crime gets personal at Ford; computer files stolen - Dec. 22, 2005. So far, investigations haven't shown any fraudulent use of the data.

Analyst calls for more action to protect consumer information

From Line 56, an eBusiness Executive Daily:

Line56.com: Data Loss Incidents:

After a lull during which there weren't many high-profile data loss/theft incidents, 2005 is finishing with a couple of embarrassments. This month, ABN AMRO Mortgage Group, Ford, and Sam's Club went through such incidents. ABN AMRO lost a computer tape with information on roughly 2 million customers, Ford reported the theft of a company computer containing data about 70,000 current and former employees, and Sam's Club disclosed that 600 gas cardholders who had bought gas from the company had been hit by credit card fraud.

The bottom line, says Gartner Analyst Avivah Litan, is that 'despite more than a year's worth of highly publicized security breaches, not nearly enough has been done to protect U.S. consumers' data.' She points out that the problem begins at the top: 'Identity-theft-related legislation is currently stalled in Congress. Moreover, third-party data brokers remain entirely unregulated, so it is likely that many more serious breaches have not been brought to public attention.'

It isn't just a question of government regulation, though. Litan points out that many different groups can do more when it comes to fighting the problem....

Domestic surveillance by the NSA much more widespread than first reported, according to the New York Times

There has been a huge amount of press in the last little while addressing the revelation that, since September 11, 2001, George Bush authorized interception of domestic communications by the National Security Agency without review by the Foreign Intelligence Surveillance Court. Now, the New York Times is reporting that the National Security Agency has collected much more information than originally reported and is using data mining techniques on the amassed trove of data:

Spy Agency Mined Vast Data Trove, Officials Report - New York Times:

WASHINGTON, Dec. 23 - The National Security Agency has traced and analyzed large volumes of telephone and Internet communications flowing into and out of the United States as part of the eavesdropping program that President Bush approved after the Sept. 11, 2001, attacks to hunt for evidence of terrorist activity, according to current and former government officials.

The volume of information harvested from telecommunication data and voice networks, without court-approved warrants, is much larger than the White House has acknowledged, the officials said. It was collected by tapping directly into some of the American telecommunication system's main arteries, they said.

As part of the program approved by President Bush for domestic surveillance without warrants, the N.S.A. has gained the cooperation of American telecommunications companies to obtain backdoor access to streams of domestic and international communications, the officials said.

Friday, December 23, 2005

All the best for the holidays from The Canadian Privacy Law Blog

To the readers of the Canadian Privacy Law Blog,

Merry Christmas, Happy Chanukah and all the best for 2006!

The above were drawn by two of the three best kids in the world. I haven't explained creative commons to them yet, so if you want to re-use either of them, you should probably drop me a line.

High visibility for Canadian law bloggers

Lately, Canadian blogging lawyers have been getting a lot of press in the more conventional media. Alan Gahtan's recent article in The Law Times (reproduced on his great blog) is a case in point, as is this recent article in the CBA's PracticeLink: New Media Marketing, Part I - Blogs--How Lawyers Can Become Thought Leaders in a Niche Market.

The CBA article in particular contains a bunch of pointers for any lawyers who are thinking about hopping on the bandwagon. It truly is amazing how easy it is to get started. Don't be intimidated by the fact that technology lawyers were the first on board; that was not because of any technical expertise prerequisite.

And blogging means you'll likely get to know some of the greatest lawyers around, like David Canton, Rob Hyndman, Alan Gahtan, Michael Geist, Johannes Schenk, and Michael Fitzgibbon.

Alcohol sensor an invasion of privacy?

Police in Florida (and elsewhere, I am sure) are adding to their arsenal against drinking and driving by deploying something called a Passive Alcohol Sensor. It looks like an ordinary flashlight, but it sucks in a sample of the air where it is pointed and analyses it for the presence of alcohol. Some are calling it an invasion of privacy while others say it is just an extension of a police officer's nose.

See some coverage from NBC-2 from Southwest Florida: NBC2 News Online - Alcohol sensor an invasion of privacy?. There's also a link to video of the story.

The Passive Alcohol Sensor is made by PAS International, which describes the technology thusly:

PAS IV:

The P.A.S. IV Alcohol Screening System combines: a) high-intensity, super-beam flashlight technology with b) a dynamic sampling system and c) a miniature alcohol sensor. It “sniffs” ambient air, the breath, open containers, or enclosed spaces for the presence of alcohol. The P.A.S. functions as a non-intrusive “extension of the operator’s nose.”

The P.A.S. is a hand-held, rapid alcohol detection instrument using a platinum electrochemical fuel cell sensor of high alcohol specificity, accuracy and stability. Designed for law enforcement, industry, corrections, transportation agencies, and educational facilities. The operator-controlled sampling system guarantees accurate detection of alcohol, and is especially suited for quick subsequent measurements.

The P.A.S. is used to check alcohol presence/absence with or without a subject’s direct participation. When used without the subject’s direct participation it is known as passive sampling, as opposed to active testing where the subject blows directly into a mouthpiece or the intake port. The P.A.S. can also be used to detect open containers of alcoholic beverages, or to detect low, ambient levels of alcohol in enclosed spaces such as vehicles, jail cells, or classrooms.

Police track text message senders in Sydney riot investigation

The investigation of the recent racial riots in Sydney, Australia, is another reminder that text messages sent by cell phone are logged and are useful to police investigations: Police track text message senders - National - smh.com.au.

Thursday, December 22, 2005

Update: Tape containing information on 2M mortgage customers found

An update to my earlier post: The Canadian Privacy Law Blog: Incident: Tape containing records of 2 million mortgagors lost ...

The tape in question has been found, the company has announced. It apparently was in the local courier facility without its airbill attached. See: ABN Amro US mortgage unit retrieves lost data tape.

The company has also announced that it has suspended moving customer data by tape and will switch to encrypted, electronic communications.

Wednesday, December 21, 2005

Incident: Computer forensics firm hacked; credit card info of 3800 customers compromised

This has got to be a pretty embarrassing letter to write ...

More than three thousand customers of Guidance Software Inc. have been told that the company's network has been hacked, compromising credit card and personal data of customers. Note from the letter quoted below that the database held not only card numbers but also their expiration dates and card verification numbers, which together are enough for card-not-present fraud even if, as the letter says, it contained nothing that would enable identity theft.

Computer forensics firm’s database hacked
The credit card numbers of 3,800 Guidance Software people were exposed

DECEMBER 21, 2005 (COMPUTERWORLD) - The customer database of computer forensics firm Guidance Software Inc., a provider of software that diagnoses computer break-ins, has been hacked.

The Pasadena, Calif. company said in a Dec. 13 letter to its customers that the breached database contained credit card numbers of 3,800 people. The database also contained the expiration dates and card verification numbers of those credit cards as well the names, addresses and telephone numbers of the customers, according to the letter from Guidance CEO John Colbert. The database did not contain any customer financial data that could put them at risk of identity theft, he said.

“Guidance is taking this matter very seriously,” Colbert said in the letter. “Upon learning of the incident on December 7, we have been working quickly to investigate the unauthorized network activity and remediate the person’s method of access. The next day (December 8) we referred this incident to the U.S. Secret Service, who have begun their own investigation. Of course, our investigation is ongoing, and we will continue to cooperate fully with law enforcement in its investigation as well. To prevent any further unauthorized access of your personal information, we have also deleted all of your credit card information from our customer database.”

The letter from Colbert was provided to Computerworld by Michael Kessler, president of Kessler International, a New York-based computer forensics investigation company. A Guidance spokeswoman confirmed the information contained in the letter, but declined to comment further because of the ongoing investigation....

Well-respected US judge calls for wholesale electronic surveillance of US citizens

This is one of the more interesting and surprising op-ed pieces I have seen in a while. While most commentators are upset over the most recent revelations about domestic surveillance in the US, Judge Richard Posner of the US 7th Circuit Court of Appeals has written an opinion piece for the Washington Post calling for more widespread electronic surveillance of Americans. He argues that having the data sifted by a computer rather than read by an actual person is not an invasion of privacy.

Our Domestic Intelligence Crisis

These programs are criticized as grave threats to civil liberties. They are not. Their significance is in flagging the existence of gaps in our defenses against terrorism. The Defense Department is rushing to fill those gaps, though there may be better ways.

The collection, mainly through electronic means, of vast amounts of personal data is said to invade privacy. But machine collection and processing of data cannot, as such, invade privacy. Because of their volume, the data are first sifted by computers, which search for names, addresses, phone numbers, etc., that may have intelligence value. This initial sifting, far from invading privacy (a computer is not a sentient being), keeps most private data from being read by any intelligence officer.

I expect we'll be hearing a lot about this piece, as Judge Posner is not prone to ill-conceived or knee-jerk statements.

For some discussion and review, see Concurring Opinions: Judge Posner's Troubling Call for Massive Surveillance.

US FDIC releases information security guide for small entities under FACTA and GLB

The US FDIC has just released a compliance guide to help small entities comply with the information security standards under Gramm-Leach-Bliley and the Fair and Accurate Credit Transactions Act. Here's the summary from the compliance guide:

Interagency Guidelines Establishing Information Security Standards - Small-Entity Compliance Guide:

This Small-Entity Compliance Guide is intended to help financial institutions comply with the Interagency Guidelines Establishing Information Security Standards (Security Guidelines). The guide summarizes the obligations of financial institutions to protect customer information and illustrates how certain provisions of the Security Guidelines apply to specific situations. The appendix lists resources that may be helpful in assessing risks and designing and implementing information security programs.

Although this guide was designed to help financial institutions identify and comply with the requirements of the Security Guidelines, it is not a substitute for the Security Guidelines. Moreover, this guide only addresses obligations of financial institutions under the Security Guidelines and does not address the applicability of any other federal or state laws or regulations that may pertain to policies or practices for protecting customer records and information.

For a good summary and some additional background, also check out the Privacy and Security Law Blog: Federal Bank and Thrift Regulatory Agencies Publish Guide to Help Financial Institutions Comply with Information Security Guidelines.

Tuesday, December 20, 2005

Manitoba opposition politicians introduce security breach notification bill

The opposition Conservatives in Manitoba have introduced a bill in the provincial legislature that would be substantially similar to PIPEDA and would be the first general-application statute to provide for security breach notification. The CBC article on the bill (CBC Manitoba - Proposed law forces companies to report information leaks) quotes Brian Bowman, Manitoba's leading privacy lawyer, who himself has been a victim of identity theft.

The relevant sections of Bill 207 read:

The Personal Information Protection and Identity Theft Prevention Act:

"Notice if control of information lost

34(2) An organization must, as soon as reasonably practicable and in the prescribed manner, notify an individual if personal information about the individual that is in its custody or under its control is stolen, lost or accessed in an unauthorized manner.

Exception re law enforcement agency investigation

34(3) The requirement to notify an individual under subsection (2) does not apply where

(a) the organization is instructed to refrain from doing so by a law enforcement agency that is investigating the theft, loss or unauthorized accessing of the personal information; or

(b) the organization is satisfied that it is not reasonably possible for the personal information to be used unlawfully.

Right of action

34(4) An individual may commence an action in a court of competent jurisdiction against an organization for damages arising from its failure to

(a) protect personal information that is in its custody or under its control; or

(b) provide an individual notice under subsection (2), if it was not reasonable for the organization to have been satisfied that the personal information that was stolen, lost or accessed in an unauthorized manner would not be used unlawfully.

Other rights not affected

34(5) The right of action under this section is in addition to any other right of action or remedy available at law. But where the court deems it just, damages awarded in an action under this section may be taken into account in assessing damages in any other proceeding arising out of the failure of the organization to protect personal information in its custody or under its control.

Retention of information

35 Notwithstanding that a consent has been withdrawn or varied under section 9, an organization may for legal or business purposes retain personal information as long as is reasonable."

Privacy commissioner calls on Yukon gov't to act

I think that Information and Privacy Commissioners in Canada are used to being ignored by the governments they keep tabs on. It is a bit of a thankless task. But the Yukon ombudsman is speaking out. CBC is reporting that Hank Moorlag is disappointed that, a year after filing his 2004 report, the government has yet to respond to his recommendations. The ministers responsible for the various pieces of legislation say the recommendations are being addressed, including a review of the Access to Information law which is taking place behind closed doors. Mr. Moorlag is not too impressed. See CBC North - Privacy commissioner calls on Yukon gov't to act.

Data Privacy Issues to Persist Next Year

On the data privacy front, the new year will bring more of the same, according to eWeek:

Data Privacy Issues to Persist Next Year:

"People may remember 2005 as the year that corporate America woke up to the problem of data breaches and the importance of data privacy. Data leaks at Bank of America Corp., LexisNexis' Seisint division, ChoicePoint Inc. and CardSystems Inc. fed headlines for months, spawned countless lawsuits on behalf of aggrieved consumers and provided the impetus for federal legislation--still pending--to protect consumer data. But what will 2006 bring?

More of the same, say leading security experts.

More than ever before, enterprise IT managers will have to fight a battle on two fronts next year. On one side, more sophisticated and targeted attacks from organized, online criminal groups will test networks in new ways that are hard to detect...."

Incident: Police supplier database hacked, credit card and other info compromised

According to Security Fix - Brian Krebs on Computer and Internet Security, a supplier of nametags to law enforcement (Reeves) recently had its database hacked, and credit card numbers of customers are now circulating among IRC groups devoted to trading such info.

Monday, December 19, 2005

Thanks ... slaw.ca

I have to offer Simon Chester a very public thank-you for the incredibly kind words he wrote about this blog in his recent posting to Slaw.ca and an article in the OBA magazine.

Slaw | Archive | My Take on Blogging - and Slaw:

"... When a young lawyer in Halifax started building his practice in a novel area, he noticed that there was no single place to track new developments in the Canadian law of privacy. Now the Canadian Privacy Law Blog has been running for two years, and David Fraser has become the leading privacy lawyer in Atlantic Canada, with a thriving practice and an enviable presence...."

Simon is an incredible gentleman whom I first met about a year or so ago, thanks entirely to my blog. Blogging as a lawyer has many benefits, primary among them meeting some very interesting and well-respected colleagues at the bar (and colleagues in the bar).

NYT notices CMA Journal controversy

This morning's New York Times is covering the controversy over the Canadian Medical Association's attempt to pull an article on privacy in the CMA Journal. See: Journal Faults a Medical Group in a Dispute Over Independence - New York Times.

For other coverage, see The Canadian Privacy Law Blog: CMAJ charges editorial interference over privacy-related story.

Sunday, December 18, 2005

Borrow the wrong book and get it personally delivered by the feds

One of the problems with widespread monitoring is the huge incidence of "false positives". This example from the University of Massachusetts is instructive and a bit chilling to those who have commented upon it.

A senior at UMass Dartmouth was doing a research paper on communism in a class on fascism and totalitarianism. As part of his research, he requested a copy of Chairman Mao's Little Red Book using the interlibrary loans system. (Why a major university library does not have its own copy of the book raises completely different questions.) Instead of the book, he received a visit from officials from the Department of Homeland Security. The agents told the student that the book is on a "watch list". Actually, the agents brought the book with them, but did not leave it with him.

Privacy advocates aren't generally pleased with any watching of what people read, but the chilling effect of this is significant. The professor who teaches the class has decided against teaching a planned class on terrorism because he does not want to put his students at risk of this sort of surveillance and profiling.

Read the coverage here: Agents' visit chills UMass Dartmouth senior: 12/17/2005, Student Gets Surprise From Mao's Book. Some comment here: Gardistan in Vision: Political censorship in Bush's USA, The Dark Wraith Forums: Special Report: Feds Question Student for Requesting Book of Mao Tse-Tung Quotations, Villa Beausoleil: Fascism comes to New Bedford, David Farrar: Book Monitoring.

UPDATE: There is speculation at Boing Boing that this story is a hoax. Boing Boing: DHS agents visit student over Little Red Book - HOAX DEBATE. As I hear more, I'll post here.

UPDATE 2: The Canadian Privacy Law Blog: Story about feds visiting after request for Mao book is a hoax.

Meth addicts' other habit: Online theft

USA Today is running a lengthy article on the intersection between methamphetamine addiction and identity theft. The article, Meth addicts' other habit: Online theft, chronicles investigations that began in Edmonton and Calgary, Alberta and forcefully brought this connection to the attention of Canadian law enforcement.

Intersection of crimes

... What's happening in Edmonton is happening to one degree or another in communities across the USA and Canada — anywhere meth addicts are engaging in identity theft and can get on the Internet, say police, federal law enforcement officials and Internet security experts.

Internet Relay Chat channels, private areas on the Internet where real-time text messaging takes place, are rife with communications between organized cybercrime groups and meth users and traffickers discussing how they can assist each other. "It's big time," says San Diego-based security consultant Lance James, who monitors IRC channels.

Such collaboration seems almost preordained. "This hits at the intersection of two of the more complex law enforcement investigations: computer crimes and drug crimes," says Howard Schmidt, CEO of R&H Security Consulting and former White House cyber-security adviser.

Identity theft has fast become the crime of preference among meth users for three reasons: It is non-violent, criminal penalties for first-time offenders are light — usually a few days or weeks in jail — and the use of computers and the Internet offers crooks anonymity and speed with which to work. Meth is a cheap, highly addictive street derivative of amphetamine pills; it turns users into automatons willing to take on risky, street-level crime.

Meanwhile, global cybercrime groups control e-mail phishing attacks, keystroke-stealing Trojan horse programs and insider database thefts that swell the pool of stolen personal and financial information. They also have ready access to hijacked online-banking accounts. But converting assets in compromised accounts into cash is never easy. That's where the meth users come in.

Sophisticated meth theft rings, like the one in Edmonton, control local bank accounts — and underlings who are willing to extract ill-gotten funds from such accounts. The two men at the seedy motel were helping outside crime groups link up with local accounts under their control when a tipster guided police to them in December 2004....

The article is worth the read.

Theft of scanning equipment from Pittsburgh-area hospital compromises patient names, DOBs and SSNs

I am not sure why a bone density scanner would contain the names, dates of birth and social security numbers of patients, but apparently they do. And when such a scanner is stolen, the bigger issue is the theft of that data:

Theft at hospital - PittsburghLIVE.com:

Patients who underwent bone density scans at Mercy Jeannette Hospital have been notified that personal information may be compromised due to a theft of scanning equipment.

According to a news release issued by the hospital, the theft took place during the week of Nov. 21. While the computer component used with the scanning equipment did not contain medical diagnoses or test results, it did contain patients' names, birth dates and Social Security numbers, according to the release.

Officials at the hospital were not available for comment Friday and provided the press release instead....

Incident: Tape containing records of 2 million mortgagors lost

Another missing tape incident. No evidence of fraud, but notable nevertheless:

ABN AMRO data lost:

"Homeowners should monitor credit reports

December 17, 2005

If you have a home mortgage through LaSalle Bank or the former Standard Federal Bank, look out for a letter from your lender warning you about a missing computer tape -- a tape that includes your Social Security number and payment history.

Friday, ABN AMRO Mortgage Group, a subsidiary of LaSalle Bank Corp., announced that a computer tape containing data for about 2 million mortgage customers had been lost.

About 320,000 homeowners in Michigan would have been included on that tape.

The homeowners could have gotten an ABN AMRO mortgage through LaSalle Bank branches, the former Standard Federal Bank, outside mortgage brokers or ABN AMRO's own Mortgage.com.

Thomas M. Goldstein, chairman and chief executive officer of ABN AMRO Mortgage Group in Chicago, said the lender deeply regrets the mix-up but has seen no signs of identity theft or misuse of the information at this point....

Update: The Canadian Privacy Law Blog: Update: Tape containing information on 2M mortgage customers found.

Meth users and identity theft go together like rats and garbage

Evidence linking methamphetamine addiction and identity theft is getting more compelling all the time. The San Jose Mercury News is running an AP story on the connection between the two, particularly focusing on California.

AP Wire | 12/17/2005 | Meth users turning to identity theft to pay for their habit:

RIVERSIDE, Calif. - Stealing mail. Digging through trash. Days spent in front of a computer trying to unlock financial information.

All to score methamphetamine. Authorities are discovering that more and more desperate users of the drug are turning to identity theft to pay for their habit, creating a criminal nexus costing Americans millions of dollars.

The trend is sweeping the West and spreading to other parts of the country, with one hub of activity in the garages and trailer parks of Riverside and San Bernardino counties on the fringe of suburban Los Angeles.

The region was the site of a third of California's nearly 500 meth lab busts in 2004 and is home to the second-highest number of identity theft victims in the nation.

'It's been said the two crimes go together like rats and garbage,' said Jack Lucky, a Riverside County prosecutor who nearly became a victim of identity theft himself before his personal information was found at a meth lab. 'It's a pervasive problem,' he said...

Drug addiction and crime have always been linked, as addicts are in need of quick cash to fuel their habits. Muggings and burglaries have generally had a strong connection with drug abuse. As addicts move to ID theft and similar forms of fraud, the amount of money they are able to get is greater and the risk of violence is much lower. Some might even say that this is a good thing.

ABC News asks: Why Do They Want My Phone Number?

ABC News online considers the increasingly common practice of stores asking for consumers' phone numbers. Part of the answer to the question quoted above is to track customers. Phone numbers provide more detailed information than zip codes, which are also often asked for. Stores are able to take the phone number and "enhance" it with additional data gleaned from database providers. All the stores interviewed in the article will go ahead with the transactions if you refuse to provide the number, so the conclusion is to just say no. See: ABC News: Why Do They Want My Phone Number?.

While this is a very common practice in the US, it is much less so in Canada because of consumer-protecting privacy laws. Companies in Canada can ask for the info, but have to tell you why they want it and what they'll do with it.

Friday, December 16, 2005

Every Move You Make, Part Three: Why Law Enforcement Should Have to Get a Warrant Before Tracking Us Via our Cell Phones

Check out Anita Ramasastry's latest Cyberlaw column at Findlaw. Good reading:

FindLaw's Modern Practice - Every Move You Make, Part Three: Why Law Enforcement Should Have to Get a Warrant Before Tracking Us Via our Cell Phones:

We have a reasonable expectation of privacy with respect to our movements, as we go about our daily business. Though sometimes we may be seen by passersby and by security cameras, at other times we will not be; and sometimes, we will be in the privacy of our own homes or offices when we carry our cell phones. Our expectation of privacy should be honored, as the Texas and New York courts held.

But other courts in other jurisdictions have held otherwise. For that reason, Congress should now step in and ensure, by statute, that the warrant requirement applies under these circumstances.

The balance of privacy and security is a delicate one - and the warrant requirement is an appropriate check on law enforcement's ability to track, via cell phone data, every move we make....

Thanks to Sabrina Pacifici's beSpacific for the link: beSpacific: Commentary on Privacy and Cell Phone Tracking.

Thursday, December 15, 2005

'Tis the season for returns

Chris Hoofnagle at EPIC West is today discussing the use of driver's license swiping and the returns-tracking database Verify-1. The database tracks your returns and categorizes customers based on whether they "abuse" returns. He raises an interesting point about the database and how it may fit within American consumer reporting laws:

EPIC West: Electronic Privacy Information Center West Coast Office: Return Exchange Database Tracking:

... The Return Exchange database skates right on the edge of the Fair Credit Reporting Act's definition for a consumer reporting database. If Return Exchange is sharing data on consumers across retailers (not just across chains within a certain retailer), the data it issues will be a 'consumer report,' and all sorts of rights will kick in to protect shoppers. Until then, a big black box system will have your driver's license data and make decisions about you with no transparency. ...

The same conclusion may apply with respect to similar provincial laws in Canada.

OPC and Ontario pharmacists release new guidelines on dispensing Plan B emergency contraception

This just came over the wires ...

New Privacy-Protective Guidelines for the Provision of 'Plan B' Emergency Contraception by Pharmacists in Ontario:

TORONTO, Dec. 15 /CNW/ - New guidelines for pharmacists have been issued in record time through a highly successful collaboration between the Ontario College of Pharmacists, the Ontario Pharmacists' Association and the Information and Privacy Commissioner of Ontario.

Dr. Ann Cavoukian, Ontario's Information and Privacy Commissioner, stated, "Within a short week of voicing my concerns, I am delighted to say that our joint working group has successfully collaborated and reached an agreement on made-in-Ontario guidelines for pharmacists providing Plan B."

These guidelines follow the issuance of the College's December 8, 2005 notice advising pharmacists not to use the "Screening Form for Emergency Contraceptive Pills (ECPs)," developed by the Canadian Pharmacists Association, which recommended the collection of detailed personal information.

Ontario's new guidelines (available at www.ocpinfo.com) emphasize that pharmacists should continue to seek information from the patient only as necessary to clarify the appropriateness of providing Plan B, keeping in mind the need to respect the individual's right to remain anonymous and to decline responding to personally sensitive questions.

"I was assured by the College that pharmacists do not routinely collect personally identifiable information with regard to the provision of Schedule II products," said the Commissioner. Personally identifiable information should not be recorded except when requested by the patient for reimbursement purposes or in those rare instances where it is deemed important for continuity of care of the patient.

Under the Personal Health Information Protection Act (PHIPA), which was enacted last year to protect the health information of Ontarians, health information custodians must minimize their collections of personal health information and must not collect identifiable information if other information will serve the same purpose.

The Information and Privacy Commissioner is appointed by and reports to the Ontario Legislative Assembly, and is an independent officer of the Legislature. The Commissioner's mandate includes overseeing the access and privacy provisions of the Freedom of Information and Protection of Privacy Act, the Municipal Freedom of Information and Protection of Privacy Act, and the Personal Health Information Protection Act, and commenting on other access and privacy issues.

December 15, 2005

Notice to Pharmacists

Re: Ontario Guidelines for Provision of Plan B (Schedule II)

Following the issuance of an Ontario College of Pharmacists Notice to Pharmacists last week concerning a specific form being used in some cases when the Schedule II product, Plan B, was requested, a working group was formed, consisting of staff from the College, the Ontario Pharmacists Association, and the Office of the Information and Privacy Commissioner of Ontario.

The goal of the group was to develop and agree on guidelines which could be used by pharmacists in Ontario to ensure that their ongoing practice with respect to the sale of this product meets all applicable legislation, including Standards of Practice. The attached document will serve to clarify the expectations of the College that pharmacists will continue to serve their patients well by providing appropriate information and counselling and to add value to the sale of Plan B as they would for any Schedule II product.

It is suggested that existing tools and practice be examined at this time to ensure compliance with these guidelines.

Yours truly,

(signed)

Anne Resnick, R.Ph., B.Sc.Phm

Associate Director, Professional Practice Programs

Attachment

Ontario College of Pharmacists - December 15, 2005

Ontario Guidelines for Provision of Plan B (Schedule II)

Pharmacists are health care professionals whose practice is guided by the Code of Ethics and Standards of Practice established by their regulatory body, the Ontario College of Pharmacists (OCP). Pharmacists practice in accordance with all applicable legislation and regulations including Ontario's privacy legislation, the Personal Health Information Protection Act, 2004 (PHIPA). These guidelines are the result of the joint efforts of the OCP, the Office of the Information and Privacy Commissioner of Ontario (IPC), and the Ontario Pharmacists' Association (OPA). These guidelines follow the issuance of OCP's December 8, 2005 notice which advised pharmacists not to use the "Screening Form for Emergency Contraceptive Pills (ECPs)," developed by the Canadian Pharmacists Association (CPhA).

As there are already educational resources available to pharmacists for Plan B, these guidelines will not duplicate those efforts, but will outline the appropriate application of OCP's Standards of Practice and Code of Ethics and PHIPA in the context of providing Plan B.

The IPC recognizes the important health care services pharmacists provide. The IPC's mandate is to ensure that personal health information is collected, used and disclosed in the most privacy protective manner possible. Specifically, under PHIPA, health information custodians shall not collect, use or disclose personal health information if other information will serve the purpose. Moreover, PHIPA restricts the collection, use and disclosure of personal health information to that which is reasonably necessary to meet the purpose of providing health care. OCP's Code of Ethics and Standards of Practice provide the framework for pharmacists' practice. Many components of the Code of Ethics and Standards of Practice protect patient privacy and reinforce the Ontario health privacy legislation, PHIPA.

For the provision of Plan B, as with any other Schedule II product, the pharmacist must always be involved in the decision to provide the medication. As with other medications, prior to its sale, the pharmacist has a professional responsibility to be assured of the appropriateness of the drug for the individual.

Pharmacists should continue to seek information from the patient only as necessary to clarify the appropriateness of providing Plan B, keeping in mind the need to respect the individual's right to remain anonymous and to decline responding to personally sensitive questions. As with all Schedule II products, if a pharmacist makes a decision not to sell Plan B, reasons should be communicated to the patient.

Pharmacists do not routinely collect personally identifiable information as it relates to the provision of Schedule II products. In the case of Plan B, personally identifiable information should not be recorded except when requested by the patient for reimbursement purposes or in those rare instances where it is deemed important for continuity of care of the patient.

For some background, see

EU Data Retention law passed

This news is a little late, but the European Parliament has passed the data retention directive that has been the subject of some debate.

For more info, see:

Federal Court on biometric voice authentication: Turner v. Telus Communications Inc.

The Federal Court has recently released its decision in the application made by certain employees of Telus Communications, complaining about the use of voice recognition technology for some of its internal management systems. (For more info, see my post on the original complaint: The Canadian Privacy Law Blog: PIPEDA Case Summary #281: Organization uses biometrics for authentication purposes.)

A group of employees refused to consent to the use of the technology and were threatened by Telus with "progressive discipline". The applicants (including the union) sought an order preventing the use of this system and for unspecified damages. Justice Gibson of the Federal Court dismissed the application.

The judge concluded:

  • the use of biometric voice authentication in these circumstances is reasonable;
  • the threat of progressive discipline is not withholding goods or services contrary to principle 4.3.3;
  • the categories of consent exceptions ("except where inappropriate") may not be a closed list set out in Section 7; and
  • an employer can implement progressive discipline for those who do not consent to collections, uses and disclosures of their information that are reasonable.

The judge also declined to order costs against the union or the individual applicants.

Below is a condensed version of the conclusion reached by Justice Gibson:

Turner v. Telus Communications Inc., 2005 FC 1601 (CanLII):

[52] On the facts of this matter, Telus sought to obtain voice prints from a substantial number of its employees and the vast majority of that number consented. Those who did not consent knew that Telus wished to obtain their consent. They continued to refuse to consent so that their consent could not be obtained in "...a timely way". They exercised their right to complain to the Commissioner. They received a report from the Commissioner which concluded that Telus' wish to obtain their consent was reasonable. The non-consenting employees exercised their right to come to this Court for a de novo review of the situation. Assuming that they will be unsuccessful in this Court, and they will be, it would not be in the interests of justice that a stalemate result.

[53] I am satisfied that this is one of the circumstances to which paragraph 7(1)(a) of PIPEDA is directed. While that paragraph will not enable Telus to proceed with full and complete implementation of e.Speak and to force employee enrollment, it will, I am satisfied, enable Telus to continue with the implementation of e.Speak at its current level and, if persons such as the Individual Applicants continue to withhold their consent, it will entitle Telus to proceed with "progressive discipline" in relation to all or any of them that is reasonable in all the circumstances.

[54] By contrast, I am satisfied that paragraph 7(1)(d) of PIPEDA is of no assistance to Telus in the current circumstances. While it is arguable that voice characteristics are "publicly available", that form of personal information is not specified by any regulations made under the authority of PIPEDA.

[55] If I am determined to be wrong in my analysis regarding the scope of paragraph 7(1)(a) of PIPEDA, there remains, I am satisfied, an alternative solution to the impasse that I perceive might flow from an absolute requirement to obtain consent from each and every individual affected. My analysis in that regard follows.

[56] It was not in dispute before the Court that three (3) of the Individual Applicants have never consented to take part in the Nuance Verifier enrollment process. While the fourth Individual Applicant did consent and did take part, he withdrew his consent as he was entitled to do under Principle 4.3.8.

[57] Counsel for the Individual Applicants urges that consent to disclosure of biometric personal information is a term or condition of employment and that, as such, given the collective agreement in force between Telus and TWU representing certain of its employees, including the Individual Applicants, even if the Individual Applicants had consented, that consent is of no force or effect since "...terms and conditions of employment must be negotiated with The Telecommunications Workers Union and that had not taken place in respect of the disclosures for which consent is sought in the context of this proceeding."

[58] Counsel for Telus urges that consent to the disclosure of the personal information here at issue is simply not a term or condition of employment and that therefore Telus' efforts to obtain consent directly from the Individual Applicants was entirely appropriate and TWU had no role to play regarding the consents.

[59] I accept the position urged on behalf of Telus in this regard. That being said, in circumstances where it is a matter of public knowledge that was clear to the Court, that the relationship between Telus and TWU on behalf of a significant number of Telus' employees was, at all relevant times, less than cordial, it was at least surprising and, perhaps more appropriately, astonishing, that Telus had apparently not engaged TWU in the process of attempting to achieve consents to the implementation of e.Speak.

[60] It was not in dispute before the Court that, while the three Individual Applicants had not consented to provide voice samples, and the fourth withdrew his consent, by far the vast majority of their colleagues at Telus in respect of whom Telus sought to implement e.Speak had consented and had provided voice samples for the purposes of Nuance Verifier. It was also not in dispute that one individual who had volunteered to provide a voice sample was incapable, for medical reasons, of fulfilling the appropriate requirements. In her case, special arrangements had been made to accommodate her situation. Finally, it was also not in dispute that, although Telus had "threatened", "progressive discipline" for those from whom it sought enrollment and who refused to consent to enrollment, no such discipline had been imposed and there was no evidence before the Court that such discipline would reach the level of dismissal, thus making the discipline imposed effectively reach to the level of a term or condition of employment.

[61] I am satisfied on the evidence before the Court that Telus was somewhat high handed in its efforts to achieve consent to enrollment and had been, since the commencement of the enrollment process, something less than forthcoming as to what it meant by "progressive discipline". That being said, I am satisfied that Telus was reasonably forthcoming in other respects in its consultations with its employees that it sought to enroll, that it was reasonably patient in that process and that, generally speaking, it neither bullied nor harassed its employees towards enrollment.

[62] The issue then reduces itself to the question: "What are the implications where Telus fails to achieve consent from a small minority of affected employees, such as the Individual Applicants, to enrollment in the e.Speak programme, where implementation of "progressive discipline" for failure to consent is not only implied but expressed, and where there is absolutely no evidence before the Court that Telus will escalate such "progressive discipline" to the point of termination, thus effectively making consent a term or condition of employment?"

[63] I am satisfied that the foregoing question remains an issue for another day. Telus has, to a very large extent, implemented e.Speak. A very small minority, perhaps only the Individual Applicants, but perhaps also others, remain principled hold-outs. There is no basis on which to conclude that "progressive discipline" that might be implemented against hold-outs will reach the level of termination. To this point, I adopt the urgings of counsel for Telus that Telus has simply engaged, in what it considers to be the best interests of its business and, thus, arguably of its employees, including the Individual Applicants, in the exercise of its residual management rights. I cannot conclude that the obligation on the part of Telus to obtain consent to the implementation of the e.Speak system, in respect of the Individual Applicants, precludes Telus from implementing that system in respect of the vast majority of its employees to which it wishes to make the e.Speak system applicable.

[64] Counsel for the Individual Applicants cites Principle 4.3.3 against the conclusion I have reached in this regard. That principle, reproduced in the Schedule to these reasons, is reproduced here for ease of reference:

An organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes.

With great respect, I am not satisfied that Telus' efforts to achieve the consent of the Individual Applicants to participate in the e.Speak system is being sought as "...a condition of the supply of a product or service,...". In the result, while my conclusion in this regard does not affect the result herein, I am not satisfied that the Individual Applicants are entitled to rely on Principle 4.3.3 in respect of this matter.

[65] The foregoing being said, quite apart from my analysis regarding the interpretation of paragraph 7(1)(a), of PIPEDA, I nonetheless conclude that Telus has fulfilled its consent obligations under PIPEDA in respect of the implementation of e.Speak. In introducing e.Speak applicable only to those who consented to enrollment, Telus acted within its residual management rights. The impact of "progressive discipline" against the small minority who have withheld their consent, as they are entitled to do, is for another day and for another forum.

d) Additional issues raised on behalf of the Commissioner

[66] As earlier indicated in these reasons, counsel for the Commissioner raised issues including the appropriate weight to be given to the factors taken into consideration by the Commissioner in her Report leading to this proceeding, whether this Court should apply the legal analytical framework and factors considered by the Commissioner in balancing the interests of the parties as required by subsection 5(3) of PIPEDA, the role of TWU in the process of seeking consent from the Individual Applicants and the appropriate principles in assessing whether the Individual Applicants consented to the collection and use of their personal information.

[67] To some extent, these issues have been addressed, directly or indirectly, in the foregoing analysis. To the extent that they have not been so addressed, I am reluctant to respond to them because they indirectly invite the Court to answer questions that would only be appropriate if this matter were in the nature of judicial review. Where the foregoing issues have not been addressed, the Court's response is that it must be guided by jurisprudence from the Federal Court of Appeal and where no such guidance exists, by guidance provided by other decisions of this Court in an appropriate context and, further, where that guidance is also lacking, the Court must act in accordance with what it, itself, considers to be required by PIPEDA. Put another way, and more briefly, it is not for the Commissioner, however knowledgeable and informed she or he might be with respect to the issues here coming before the Court, to set the agenda of this Court where hearings such as this are in the nature of de novo proceedings.

[68] In the result, I decline to address the issues raised on behalf of the Commissioner, to the extent that they have not already been addressed in these reasons.

CONCLUSION

[69] These applications will be dismissed. As earlier indicated, orders will go striking out The Telecommunications Workers Union as a party Applicant in each proceeding."

Wednesday, December 14, 2005

PHIPA declared substantially similar

Thanks to a regular correspondent for pointing this out ...

The Personal Health Information Protection Act of Ontario has been declared to be substantially similar to PIPEDA:

Canada Gazette:

Health Information Custodians in the Province of Ontario Exemption Order

P.C. 2005-2224 November 28, 2005

Whereas the Governor in Council is satisfied that the Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Schedule A, of the Province of Ontario, which is substantially similar to Part 1 of the Personal Information Protection and Electronic Documents Act (see footnote a), applies to the health information custodians referred to in the annexed Order;

Therefore, Her Excellency the Governor General in Council, on the recommendation of the Minister of Industry, pursuant to paragraph 26(2)(b) of the Personal Information Protection and Electronic Documents Act (see footnote b), hereby makes the annexed Health Information Custodians in the Province of Ontario Exemption Order.

HEALTH INFORMATION CUSTODIANS IN THE PROVINCE OF ONTARIO EXEMPTION ORDER

EXEMPTION

1. Any health information custodian to which the Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Schedule A, applies is exempt from the application of Part 1 of the Personal Information Protection and Electronic Documents Act in respect of the collection, use and disclosure of personal information that occurs within the Province of Ontario.

COMING INTO FORCE

2. This Order comes into force on the day on which it is registered.

The year in review in data security

CNET News is running a retrospective of their major privacy/security articles from the last year. What a year it has been: Year in review: Insecurity over ID theft | CNET News.com.

Churches and the federal privacy law

Focus on the Family is running the following article in their "Today's Family News":

Churches fear breaching privacy laws

December 14, 2005

Recent privacy legislation is causing some churches to fear they could be breaking the law simply by circulating the addresses of members, praying aloud for people by name, and – at least in Ontario – making hospital visits, the Ottawa Citizen reported.

At the heart of their concern, which some think is exaggerated, is the Personal Information Protection and Electronic Documents Act, which Parliament passed in January 2004. It primarily affects businesses and would only apply to churches that sold their parish or membership lists or charged for their services.

Even so, it has prompted some pastors to question whether even making public the names and addresses of the people in their congregations might be deemed illegal under the Act.

One church in Halifax, for example, removed a “prayer board” in its foyer listing the names of people in hospital. Others have adopted privacy policies and some have even appointed privacy officers to oversee the correct handling of information.

For clergy in Ontario, the province’s year-old Personal Health Information Protection Act has made it more difficult for them to visit hospital patients, even if they belong to the same denomination.

Patients when being admitted have the option of indicating their faith background, which James Christie, dean of the faculty of theology at the University of Winnipeg, says clergy have assumed indicated they would welcome “some sort of pastoral presence.” But now, as he told the Citizen, “that graciousness is gone.”

But London, Ontario, lawyer Janet Allinson, a specialist in privacy law, believes many churches “are misunderstanding the legislation altogether. I get quite a few calls from people very concerned, they are so afraid of the Privacy Act.”

"I think it's important that they don't lose the spirit and treat it like a business" added Allinson.

The impact of the federal private sector privacy law has been widely misunderstood by churches and other non-profits.

The Personal Information Protection and Electronic Documents Act, or PIPEDA as it is commonly known, applies to the collection, use and disclosure of personal information in the course of commercial activities, except in those provinces that have enacted substantially similar legislation. Ontario has not enacted legislation that is substantially similar to PIPEDA (other than the Personal Health Information Protection Act which may hinder the abilities of health information custodians to share information with visiting clergy, but does not regulate churches directly). In short, PIPEDA applies to personal information that is handled in connection with commercial activities, other than in Alberta, BC and Quebec.

The reason for the commercial activity connection is that the Federal Government is relying upon its constitutional jurisdiction over general trade and commerce in Canada to implement PIPEDA. It can use this power to regulate commerce generally, but is not able to regulate the non-profit sector using this power except to the extent that the non-profit organization actually is engaged in commercial activity. There are some activities that a non-profit can engage in that are deemed commercial activities and some activities can be sufficiently commercial to invoke PIPEDA. The deemed activities are generally limited to certain kinds of dealing with membership and donor lists. If a church exchanges, sells, trades or leases its membership list, that is a deemed commercial activity and PIPEDA applies (including requiring consent for the transfer). The key is an exchange of value. If a list is freely given with no expectation of any value in return, there is no commercial activity and PIPEDA is not triggered. Also, if a church veers away from its core not-for-profit objectives, it can be seen to be engaged in commercial activity. Charging admission to a benefit concert for the church is not commercial activity. Operating a business within the church may be commercial. Church fund-raising is not a commercial activity, nor is praying out loud or listing members in a directory.

This does not mean that a church or a non-profit shouldn't follow fair information practices. This is not because it is required by PIPEDA or any other law, but rather because it is just the right thing to do. Churches are entrusted with sensitive personal information. Having a privacy policy that is reasonable and consistently followed sends a positive message to the members of the congregation who are more privacy aware.

Korea Solves the Identity Theft Problem

Rob Hyndman is pointing to Schneier on Security: Korea Solves the Identity Theft Problem. Apparently, Korea is about to pass a law placing full responsibility for losses on the banks for identity theft and online financial fraud, even if the bank is only partially responsible. This will provide the incentive to put in place fraud-blocking measures.

The next questions are: (i) will it work? and (ii) will it only be a Korean phenomenon?

US court upholds random subway bag searches

A US Federal Judge has upheld as constitutional the practice of random bag searches in the New York subways: Judge upholds random subway bag searches.

Discussion of Canadian Plan B and privacy issues in the BMJ

The British Medical Journal has an article on the current controversy in Canada over the collection of personal information in connection with dispensing the morning after pill, aka Plan B: Advice to pharmacists on dispensing contraception an "invasion of privacy" -- Spurgeon 331 (7529): 1360 -- BMJ.

There is also a letter to the editor in the December 9 edition that raises one of the most significant issues for pharmacists. Namely, the role of pharmacists in the dispensing of such drugs:

bmj.com Rapid Responses for Spurgeon, 331 (7529) 1360:

Spurgeon's news(1) seems to fall into a recurrent BMJ bias: forgetting the clinical role of the pharmacist. The text seems to state that pharmacists gathering relevant clinical information are invading patient privacy. This leads to a dichotomy: Is a physician invading patient privacy when gathering patient clinical information? Or, do pharmacists invade patient privacy because they should not act clinically?

Obviously, there is no doubt to the first question. Assessing clinical situations requires some information about patient health status, but also about patient life style. So, a healthcare professional needs information to make a decision, and sometimes this information can be considered as private. Thus, confidentiality is expected.

But, what about the second question? Is this the never-ending story? When are we going to shoot(2) the pharmacist? How big should the evidence be of the benefits of the clinical role of the pharmacist working together with the other healthcare professionals?

And the most important question: why not give the right to choose to the patient? If patients want to give that private information to their pharmacists, why should another healthcare professional disagree?

Internet Geeky hackers replaced by for-profit criminals

From Canoe's CNEWS:

CANOE -- CNEWS - Tech News: Internet Geeky hackers replaced by for-profit criminals:

Experts in combating cyber threats say they’ve seen a fundamental change in the past year, from the kinds of hacker attacks aimed at bringing down networks to targeted probes by criminals after money.

“I think that probably the overarching theme we’re looking at is that crime for profit motivation has really found the Internet,” says Vincent Weafer, Los Angeles-based senior director of development for Symantec Security Response, which markets the Norton suite of computer security products.

It’s enough to produce nostalgia for the days of basement-dwelling geeks who simply wanted to erase your hard drive for fun.

Today, says Weafer, full-blown thieves lurk in cyberspace armed with tools capable of sucking confidential information out of unprotected computers. They can also turn them into zombies and rent them to organized crime for a few hundred dollars as part of a so-called “bot nets” used to flood the web with dubious spam."

Princeton students protest network configuration that discloses their identities

A group of students at Princeton University has put together a petition, urging the administration to change how their network is configured. The addresses of computers on the DormNet network disclose the userid of the user, in this form: netid.student.princeton.edu. Every website they visit and every ad provider thus knows the identity of the visitor. See their petition: Princeton Dormnet Exposes Student Identities.

Via The Daily Princetonian - Students lobby for Internet privacy and SpywareInfo >> Students lobby for Internet privacy.
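As an added example (not from the original post, and not Princeton's own configuration), the following Python shows why the naming scheme matters: a third-party site's ordinary access log, combined with reverse DNS, becomes a per-student browsing record, while an address-derived label (a hypothetical `dhcp-…` scheme assumed here) gives the site nothing; the last function is the audit a network operator could run over its own reverse zone. All addresses, hostnames and log lines are constructed.

```python
"""Identity leakage through reverse-DNS hostnames (added example; constructed data)."""
import re
from collections import defaultdict

DOMAIN = "student.princeton.edu"

# Hypothetical opaque scheme: the label is derived from the address, not the user.
OPAQUE_LABEL = re.compile(r"^dhcp-\d{1,3}(?:-\d{1,3}){3}$")

# Constructed reverse-DNS (PTR) answers standing in for a live resolver.
PTR_LEAKY = {
    "10.8.1.23": "jsmith.student.princeton.edu",
    "10.8.1.24": "alee.student.princeton.edu",
    "10.8.2.7": "mgarcia.student.princeton.edu",
}
PTR_OPAQUE = {
    "10.8.1.23": "dhcp-10-8-1-23.student.princeton.edu",
    "10.8.1.24": "dhcp-10-8-1-24.student.princeton.edu",
    "10.8.2.7": "dhcp-10-8-2-7.student.princeton.edu",
}

# Constructed Apache "combined" access-log lines as an unrelated website would record them.
ACCESS_LOG = [
    '10.8.1.23 - - [12/Dec/2005:21:04:11 -0500] "GET /health/clinic-hours HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.8.1.24 - - [12/Dec/2005:21:05:37 -0500] "GET /jobs/apply HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '10.8.1.23 - - [12/Dec/2005:21:06:02 -0500] "GET /health/counseling HTTP/1.1" 200 4410 "-" "Mozilla/5.0"',
    '192.0.2.55 - - [12/Dec/2005:21:07:15 -0500] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" ')


def identifier_from_hostname(hostname, domain=DOMAIN):
    """Return the leading label when the host sits directly under `domain` and the
    label is not an opaque address-derived name; otherwise None."""
    if hostname is None or not hostname.endswith("." + domain):
        return None
    label = hostname[: -len(domain) - 1]
    if "." in label or OPAQUE_LABEL.match(label):
        return None
    return label


def visitors_by_identity(log_lines, ptr):
    """What a site operator can reconstruct from its own log plus reverse lookups:
    a mapping of user identifier -> list of paths that user requested."""
    seen = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; skip rather than guess
        ident = identifier_from_hostname(ptr.get(m["ip"]))
        if ident:
            seen[ident].append(m["path"])
    return dict(seen)


def audit_ptr_zone(ptr, domain=DOMAIN):
    """Operator-side check: addresses whose reverse record still carries a user label."""
    return sorted(addr for addr, host in ptr.items() if identifier_from_hostname(host, domain))


if __name__ == "__main__":
    print("leaky scheme :", visitors_by_identity(ACCESS_LOG, PTR_LEAKY))
    print("opaque scheme:", visitors_by_identity(ACCESS_LOG, PTR_OPAQUE))
    print("zone audit   :", audit_ptr_zone(PTR_LEAKY), audit_ptr_zone(PTR_OPAQUE))
```

Under the leaky scheme the log resolves to named students and the pages they fetched; under the opaque scheme the same log yields no identities, and the audit returns an empty list.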

Tuesday, December 13, 2005

Incident: ID fraudsters target job centre staff using UK tax credit website

From the Register:

ID fraudsters target job centre staff | The Register:

Crooks may have defrauded the UK tax credit system out of millions after exploiting a lack of safeguards in an internet site designed to service claimants.

HM Revenue & Customs shut down its tax credit portal website at the start of December after uncovering an attempt to defraud the system using the identities of Department of Work and Pensions (DWP) staff.

Initially it was thought that up to 1,500 job centre workers might have had personal information stolen. Now it is feared that up to 13,000 job centre staff might have been exposed to attack, with some reporting fraudulent claims made in their name. Fraudsters are reckoned to have secured the National Insurance numbers, names and dates of birth of thousands of job centre staff working in London, Glasgow, Lancashire and Pembrokeshire.

The information obtained was enough to make fraudulent tax credit claims redirected upon false addresses and accounts controlled by crooks. False claims of up to £1,000 a year appear to have been siphoned into fraudsters' bank accounts, PCS spokesman Alex Flynn told The Independent. 'Some people have had shadow bank accounts set up and their money diverted to that account. Other people have had their accounts hijacked,' he said....

We are experiencing technical difficulties. Please stand by.

Or at least that's what I would have said if I had been able to actually post anything to my blog since Monday morning. My service provider moved their data centre, which caused dodgy connections and then a complete inability to update the site. I am told we are back to normal. I reserve judgement.

Monday, December 12, 2005

Incident: Security breach at Sam's Club exposes credit card data

From Computerworld:

Security breach at Sam's Club exposes credit card data - Computerworld

DECEMBER 12, 2005 (COMPUTERWORLD) - Sam's Club, a division of Wal-Mart Stores Inc., is investigating a security breach that has exposed credit card data belonging to an unspecified number of customers who purchased gas at the wholesaler's stations between Sept 21 and Oct. 2. In a brief statement released Dec. 2, the Bentonville, Ark.-based company said it was alerted to the problem by credit card issuers who reported that customers were complaining of fraudulent charges on their statements.

It's still not clear how the data was obtained, according to the statement. But "electronic systems and databases used inside its stores and for Samsclub.com are not involved," the company said.

Sam's Club is currently working with both Visa International Inc. and MasterCard International Inc. to investigate the breach. The company also has notified the U.S. Attorney's Office for the Western District of Arkansas and the U.S. Secret Service.

Sam's Club officials didn't respond to calls for comment.

In a statement, Visa said it has alerted all of the affected financial institutions, asked them to provide independent fraud-monitoring services to affected customers and requested that they issue new cards as needed.

Incident: hackers nab details of 2000 donors from UK online charity

Out-law.com, via the Register, is reporting that hackers recently breached the website of a UK charity, Aid to the Church in Need, and swiped personal information of about 2,000 donors. Some donors have been contacted by the thieves. See: Hackers target Christian charity | The Register.

CMAJ charges editorial interference over privacy-related story

The Canadian Medical Association Journal, a well-respected medical journal, has accused its parent, the Canadian Medical Association, of censorship as part of the fallout over recent privacy issues surrounding the dispensing of Plan B, also known as the "morning after pill". The Journal has accused the CMA of trying to pressure the journal to not publish its article on the dispensing of Plan B that highlighted questions to be asked of patients (Privacy issues raised over Plan B: women asked for names, addresses, sexual history -- Eggertson and Sibbald 173 (12): 1435 -- Canadian Medical Association Journal.) The CMAJ has released an editorial on the issue and highlights the recent experience with the article in question (The editorial autonomy of the CMAJ). (See the CPhA Patient Screening Form.)

For more coverage, see: Medical journal charges medical association with editorial interference - Yahoo! News; The Globe and Mail: Furor erupts at medical journal. Also, check out the CPhA Patient Screening Form.

Credit Card Security: Where Are We Now?

E-Commerce Times is running a three-part series of articles, the first of which is E-Commerce News: E-Commerce: Credit Card Security: Where Are We Now?. It discusses what credit card companies are doing in the wake of the high profile breaches in the past year or so.

Sunday, December 11, 2005

Greater risk of fraud if personal data is stolen in smaller batches

According to Finance Tech, a recent study suggests that individuals are at greater risk of identity theft and other fraud if their personal information is compromised in smaller batches. Much of the focus of media attention has been on large breaches, but fraudsters would have to work overtime for years to exploit all that data. See: Small Data Breaches Pose Big Identity Theft Risks.

Cardsystems acquisition closes

The acquisition of Cardsystems by Pay by Touch announced in October (The Canadian Privacy Law Blog: Another suitor for CardSystems) has been concluded, according to a release issued on Friday: Pay By Touch Completes Acquisition of CardSystems Solutions: Financial News - Yahoo! Finance.

For those who may have forgotten, Cardsystems was involved in a high-profile data breach earlier this year: The Canadian Privacy Law Blog: Incident: Security Breach at CardSystems Solutions Inc. Could Expose 40M to Fraud.

Canadian draft guidelines to shield personal information from the USA Patriot Act

The Canadian Press just released a story about new draft guidelines for Canadian federal government departments designed to (at least try to) shield information about Canadians from the reach of the USA Patriot Act. The guidelines remain in draft form as the election has intervened to prevent them from being tabled in Parliament this fall and more internal consultations are taking place.

Canada drafts proposals to shield personal data from U.S. anti-terror law - Yahoo! News

... The draft guidance document suggests, in the interest of upholding Canadian privacy laws, that federal databases of sensitive personal information created by contractors be located in Canada and be accessible only within the country.

However, it recognizes international trade obligations may make this impossible. In such cases, the government suggests contractors must agree to respect Canadian privacy laws as a condition of contract.

The guidelines say that if the privacy risk is considered high, a federal department might go so far as to cut off the flow of personal information to a foreign firm should it be "presented with an order" - such as an FBI notice - compelling release of data about Canadians.

In general, the guidelines encourage departments to assess each potential contract case-by-case to gauge the possibility of privacy invasion, the expectations of Canadians, and likelihood of injury to a person's "career, reputation, financial position, safety, health or well-being."

Treasury Board spokesman Robert Makichuk said the draft guidelines were undergoing revision following internal federal consultations....

Saturday, December 10, 2005

The fight over mobile phone-derived location information

Today's New York Times has a good and thorough piece on the fight over location information from mobile phones and other unwired devices:

Live Tracking of Mobile Phones Prompts Court Fights on Privacy - New York Times:

In recent years, law enforcement officials have turned to cellular technology as a tool for easily and secretly monitoring the movements of suspects as they occur. But this kind of surveillance - which investigators have been able to conduct with easily obtained court orders - has now come under tougher legal scrutiny.

In the last four months, three federal judges have denied prosecutors the right to get cellphone tracking information from wireless companies without first showing 'probable cause' to believe that a crime has been or is being committed. That is the same standard applied to requests for search warrants.

The rulings, issued by magistrate judges in New York, Texas and Maryland, underscore the growing debate over privacy rights and government surveillance in the digital age.

With mobile phones becoming as prevalent as conventional phones (there are 195 million cellular subscribers in this country), wireless companies are starting to exploit the phones' tracking abilities. For example, companies are marketing services that turn phones into even more precise global positioning devices for driving or allowing parents to track the whereabouts of their children through the handsets.

Not surprisingly, law enforcement agencies want to exploit this technology, too - which means more courts are bound to wrestle with what legal standard applies when government agents ask to conduct such surveillance....