Dear PrivaWorks Subscriber:
The PrivaWorks Risk Advisory Report provides structured analyses of developments in privacy that impact Canadian organizations.
January 2007 Developments in Privacy by Business Activity

Business Activity: Page Number(s)
Application Development: None
Biometrics in the Workplace: None
Breach Response: 3, 4, 5 (2), 16, 17
Customer Authentication: 25
Customer Service: None
Conducting Credit Checks: 19, 20
Conducting Investigations: None
Creating Employee Privacy Policies: 21
Cross-border Transfers: None
Data Mining: 24
Defining Commercial Activity: 12
Defining Employee Personal Information: 24
Defining Personal Information: 8
Debt Collection: 10
Direct Marketing: 21
Disclosure Within the Organization: 8
Email Marketing: 24
Handling Access Requests: 7, 9, 12, 14
Handling Employee Complaints: None
Health and Safety Disclosures: None
Lawful Disclosure: None
Mergers & Acquisitions: None
Monitoring Internet/Email in the Workplace: 16
Monitoring for Changes in Privacy Law: 18 (2), 19 (3), 20
Monitoring Privacy Perceptions: None
Personal Information Handling Policies: None
Phishing Response: None
Privacy Impact Assessments: None
Privacy Audit: None
Privacy Notice: None
Records Destruction: None
Records Retention: 11
Recruiting Employees: None
Safeguarding Data: 5, 11, 14, 15, 17, 23
Secondary Marketing: None
Telemarketing: None
Training Employees on Privacy: None
Use of GPS: 6, 22
Use of RFID: None
Use of Third Parties: 4
The "Quick Read" with detailed analysis.
The PrivaWorks Risk Advisory Report is formatted to allow for the "quick read":
1. Scan the business "Activities" to determine whether they apply to your organization;
2. If applicable, review the "Overview" to assess the resource's value;
3. If of value, read the "Relevance" to gain:
   § key knowledge of privacy risks;
   § sufficient information to determine whether you should access and review the resource; and
   § materials to easily alert managers of new business risks.
Table of Contents by Privacy Development Category
Fraud Alert: Winners Customers Warned
Retiree Data Lost In Laptop Theft
Nissan Investigation Concerning Customer Information
Findings/Orders/Investigations
PIPEDA Case Summary #354 - Fees for Access Questioned
PIPEDA Case Summary #355 - Funeral Home’s Disclosure in Pursuit of a Debt Allowed under the Act
PIPEDA Case Summary #356 - Customer’s Banking Personal Information Found in a Recycling Bin
Order P2005-005 - The Owners: Condominium Plan No. 7710418
Settled Case Summary #27 - Clinic Discloses Client Information When Trying to Collect a Debt
P07-01-MS - Patient Seeks Access to Medical Records But Can’t Locate Doctor
P02-02-MS - Company Tightens Security after Personnel File Stolen
Responding to Privacy Breaches
Canada Blogging Guidelines for Employees: a Necessity in Today’s Workplace
Interview on ISO/IEC 27001 with Canadian Standards Association
The Personal Information Protection and Identity Theft Prevention Act
New Indiana Law Targets Unwanted Faxes
New ID Theft Protections in Hawaii
New ID Theft Law, But Who Knew?
New State Law Fights Identity Theft
New State Law Aims To Prevent Identity Theft
AG Says ‘Security Freeze’ Will Help Prevent Identity Theft
Defining Employee Personal Information - Risk Review
Creating Employee Privacy Policies - Risk Review
2007 Security Threats on the Rise
2006 ChoiceStream Personalization Survey
Consumer Support for Biometrics
Title: Commissioner Launches Investigation of CIBC Breach of Talvest Customers’ Personal Information and Talvest Issues Statement
Activity: Breach Response
Source: News Article
Overview: The federal Privacy Commissioner announced today that she is launching an investigation into a breach involving the personal information of close to half a million clients of Talvest Mutual Funds (“Talvest”), a subsidiary of CIBC.
Talvest also announced that a backup file containing client information recently went missing while in transit between its offices. The backup file contained information on the process used to open and administer approximately 470,000 current and former client accounts and may have included client names, addresses, signatures, dates of birth, bank account numbers, beneficiary information and SINs. Talvest has retained original copies of its files on its secure website.
Relevance:
Highlights:
§ the Commissioner:
  o was informed by the bank of the disappearance of the hard drive containing the personal information and has been working with the bank to:
    Ø establish the facts and sequence of events;
    Ø assess the privacy risks; and
    Ø provide advice on how to deal with the situation and notify the affected individuals.
  o admitted being “deeply troubled” about the magnitude of the breach, which affects a large number of Canadians;
  o expressed commitment to carrying out a thorough investigation and ensuring that preventative and corrective measures are in place;
  o determined that there are reasonable grounds for a Commissioner-initiated complaint against CIBC to ascertain whether there has been a contravention of PIPEDA.
§ Talvest:
  o noted there is no evidence to suggest the backup file has been inappropriately accessed, but has taken the following precautionary measures:
    Ø notified affected customers by letter;
    Ø will compensate affected clients for monetary loss that directly arises from unauthorized access to personal information contained in this file;
    Ø is providing affected clients the opportunity to enrol in a credit monitoring service at no charge, which will provide added security on client credit files at the major credit reporting agencies;
    Ø is establishing a dedicated call centre and website to address enquiries from affected clients;
    Ø is advising clients to regularly review activity on all their financial accounts and report any unauthorized activity to their financial institution;
    Ø is working with the police to investigate the incident and retrieve the backup file.
  o has provided links on its website to additional information and useful resources.
CURD: Disclosure
Category: Breach Reports
Industry: All
Control: No
PI: Customer
Date: 01/20/2007
CSA: Limiting Use, Disclosure and Retention
GAPP: Disclosure to Third Parties
Location:
  http://www.privcom.gc.ca/media/nr-c/2007/nr-c_070118_e.asp (Commissioner’s press release)
  http://www.newswire.ca/en/releases/archive/January2007/18/c0828.html (Talvest press release)
  http://www.talvest.com/pub/en/public/privacy/default.asp (Talvest website)
Title: Fraud Alert: Winners Customers Warned
Activity: Breach Response; Use of Third Parties
Source: News Article
Overview: Canadian customers of HomeSense and Winners are being warned of a potential security breach after computers at several locations of U.S.-based discount chain TJX Co. were broken into. According to Framingham, Mass.-based TJX, several of the computers that handle customer interactions and store information, including credit card numbers, at HomeSense and Winners (and its other stores in the USA, the UK and Ireland) were tampered with. The exposed data covers 2003 and the period from mid-May through December 2006. While the investigation is in its early stages, the number of accounts exposed could exceed 40 million.
Relevance:
Highlights:
§ the tampering was discovered by an outside consultant, who advised TJX that the network could be compromised;
§ TJX says it hired General Dynamics Corp. and IBM Corp. to monitor and evaluate the intrusion and identify the affected information; the companies have helped to secure and upgrade the system;
§ law enforcement (US and Canada) was contacted immediately and, at its request, the breach was kept confidential for a period of time;
§ TJX is conducting a full investigation into the intrusion; a limited number of credit card holders have been specifically identified;
§ major credit card companies, including American Express, Discover, MasterCard and VISA, and TJX’s payment processors have been notified;
§ 28 banks in Massachusetts have been alerted by the credit card companies that some of their customers may have had personal information exposed;
§ the banks are either monitoring customer accounts or reissuing customer debit cards; there is now evidence of fraud in the US;
§ helplines have been established for customers in the USA, Canada, the UK and Ireland; and
§ information is also available at the TJX website, and an “Important Customer Alert” is included on the Winners/HomeSense websites.
Litigation:
§ a class action lawsuit has been launched against Winners and HomeSense in various provinces seeking compensation on behalf of Canadians who may have been affected by this incident.
Complaint:
§ the Canadian Internet Policy and Public Interest Clinic (“CIPPIC”) filed a formal complaint with the federal Privacy Commissioner on January 24 “requesting a formal investigation into the widely-reported security breach suffered by the Winners group of companies, and affecting consumers who shop at any Winners or HomeSense store in Canada”:
  o CIPPIC’s position is that Winners/HomeSense has violated PIPEDA provisions related to collection, use, retention and disclosure, consent and safeguards;
§ the Commissioner is being requested to investigate not only the incident but the general data practices of Winners/HomeSense that led to it;
§ the particular issues the Commissioner is being requested to address include:
  o the specific information collected from customers;
  o how the information is collected;
  o the involvement of third parties, such as financial institutions, in the collection;
  o the mechanisms used to obtain customer consent to the collection, retention, use and disclosure of their personal information, and the validity of that consent;
  o records retention and destruction policy and procedures;
  o sharing of the information: for what purposes and under what conditions; and
  o the security measures applied to the database to prevent security breaches.
CURD: Disclosure
Category: Breach Reports
Industry: All
Control: No
PI: Customer
Date: 11/04/2006
CSA: Limiting Use, Disclosure and Retention
GAPP: Disclosure to Third Parties
Location:
  http://www.canada.com/vancouversun/news/story.html?id=37f4475f-845d-4de9-83d1-b782f328e2e8&k=43942
  http://news.com.com/T.J.+Maxx+parent+says+customer+data+stolen/2100-1029_3-6151017.html
  http://news.bostonherald.com/localRegional/view.bg?articleid=177792
  http://www.merchantlaw.com/winners.html (litigation information)
  http://www.cippic.ca/en/news/documents/winners2007jan23.pdf (CIPPIC complaint)
Title: Retiree Data Lost In Laptop Theft
Activity: Breach Response
Source: News Article
Overview: Five laptops stolen last month contain the personal information of Towers Perrin clients’ current and retired employees. In a released statement, the company said it recently became aware of the theft of the laptops, which affects an unknown number of individuals. The personal data available to Towers Perrin benefit planners potentially includes names, addresses, Social Security numbers and account information.
Relevance:
Highlights:
§ Towers Perrin:
  o is unaware whether any of the personal data available to benefit planners has been used;
  o confirmed that all laptops are password protected;
  o is compiling a list of employees impacted by the incident;
  o contacted the police, who have arrested a former employee who may have been involved in the incident;
  o has notified its clients and urged retirees to monitor their credit records; and
  o is reviewing its security measures.
CURD: Disclosure
Category: Breach Reports
Industry: All
Control: No
PI: Cus/Emp
Date: 01/09/2007
CSA: Limiting Use, Disclosure and Retention
GAPP: Disclosure to Third Parties
Location:
Title: Nissan Investigation Concerning Customer Information
Activity: Breach Response; Safeguarding Data
Source: News Article
Overview: Nissan Motor Co Ltd announced that there may have been a leak of personal information from its customer database, potentially affecting up to 5.38 million individuals. From the data investigations, Nissan has concluded that the leak most likely occurred between May 2003 and February 2004. A third-party research company conducted the investigations.
Relevance:
Highlights:
§ Nissan has been unable to match the leaked database with one that exists in the company;
§ the investigation has, however, identified certain matching items that could only have been sourced from within the company;
§ certain internal data may have been sourced from an old customer database;
§ letters have been sent to all potentially affected customers clarifying the situation and apologizing for the inconvenience;
§ Nissan’s security measures are as follows:
  o in January 2006 the entire customer database was replaced with one based on a higher-security system;
  o plans for additional security measures in 2007 include physical security systems such as camera monitoring of secure areas, database monitoring and organizational changes.
CURD: Disclosure
Category: Breach Reports
Industry: All
Control: No
PI: Customer
Date: 12/21/2006
CSA: Limiting Use, Disclosure and Retention; Safeguards
GAPP: Disclosure to Third Parties; Security for Privacy
Location:
  http://www.forbes.com/markets/feeds/afx/2006/12/21/afx3276888.html
  http://www.autospectator.com/modules/news/article.php?storyid=7208
Title: Do You Know Where Your Workers Are? GPS Surveillance of Employees Can Help Efficiency, But Raises Privacy Concerns
Activity: Use of GPS
Source: News Article
Overview: This article identifies Canadian companies using GPS technology, the reasons for its implementation, the benefits received and the concerns raised by privacy advocates.
Relevance:
Highlights:
§ Victoria-based Ryan Vending, which fills and services vending machines, installed GPS devices in a portion of its 30-vehicle fleet to help determine whether its drivers were being adequately compensated for the hours and kilometres they logged on their delivery routes. The technology:
  o helped the company confirm that its pay calculations were fair and balanced;
  o improved service call response times;
  o saved money on fuel by improving distribution routes;
  o ensures drivers obey speed limits; and
  o stopped employees from abusing the privilege of taking trucks home overnight.
§ drivers, who carry a lot of cash, immediately saw the security benefits of the technology;
§ the technology is called telematics, and companies are able to use it to:
  o provide information on vehicles’ location;
  o supply data on when vehicle doors are opened, engines turned on or cargo picked up; and
  o remotely control a vehicle by turning off its engine, locking a door or disabling the ignition.
§ recent research projects that the use of telematics will grow into a US $1.2 billion industry by the end of the year;
§ The Miller Group, which operates road construction, waste management and transit services world-wide, has used telematics from Toronto-based AirIQ for two years:
  o it benefits the waste and recycling division, which is able to supply municipalities with a record of where trucks have been on any given day;
  o it is also important in refining maintenance schedules, logging waste-diversion rates and monitoring driver habits.
§ privacy advocates are concerned about use of the technology:
  o tracking workers violates their privacy;
  o employees are unaware that they are being monitored;
  o for some employees, having their movements tracked is a condition of employment;
  o workers’ unions are carefully reviewing the technology, and some are negotiating restrictions on monitoring workers into collective agreements.
CURD: Collection; Use
Category: Corporate Initiatives
Industry: All
Control: No
PI: Employee
Date: 01/2007
CSA: Limiting Use, Disclosure and Retention; Limiting Collection
GAPP: Use and Retention; Collection
Location:
  http://www.theglobeandmail.com/servlet/story/LAC.20070118.TWTRACKING18/TPStory/Business
Findings/Orders/Investigations

Title: PIPEDA Case Summary #352 - Airline Delays Granting Access to Personal Information, Citing Ongoing Litigation
Activity: Handling Access Requests
Source: OPC Canada
Overview: The Assistant Privacy Commissioner found “well-founded” a complaint by an individual that an airline had denied him access to his personal information. The airline had banned the individual from travelling with it, which led him to request information about the events of a specific date that had led to the ban. He had also initiated legal proceedings against the airline. While conceding that the airline ultimately provided the information, the Assistant Commissioner expressed concern about the improper handling of the access request and noted that the airline had ignored its PIPEDA obligations.
Relevance:
Finding highlights:
§ a written request was submitted to the airline by the complainant’s brother seeking clarification of the determination that the complainant posed a risk to the safety and comfort of its passengers and crew;
§ the airline responded that it was prevented from disclosing the information by