58% of employees prepared to illegally download company/competitive data

November 28, 2009

According to a Cyber-Ark survey entitled “The Global Recession and its effect on Work Ethics” (link below), 58% of U.S. employees surveyed said that if they thought their job was at risk they would, as a pre-emptive move, be prepared to download company/competitive data. Fifty-two per cent (52%) said that if they were fired tomorrow they’d take their employer’s customer and contacts data.

More disturbingly, 51% said it’s “easy” to take sensitive information out of their company and, as reported by Out-Law.com, 85% were aware that it’s illegal to download corporate information.  The favoured medium for stealing corporate information is a USB memory stick followed by e-mail. 

As I’ve mentioned in previous posts rogue employees pose a risk to privacy compliance and, as a result, corporate information requires safekeeping.  In today’s economy, information is the most valuable corporate asset.  For this reason, businesses of all sizes should take proactive steps to protect corporate data.  Whether it’s customer or supplier lists, intellectual property or employee personal information, it’s information that needs safekeeping, especially when we see statistics like those reported above.

The Global Recession and its effect on Work Ethics


2010 Privacy Prep Webinar: New dates added

November 23, 2009

I’ll be hosting a 2010 Privacy Prep Webinar on Tuesday, January 12th from 12:00 – 12:30 PM (CST). (FULL)  Due to high demand, new dates added: Wednesday, January 13th from 12:00 – 12:30 PM (CST) and Thursday, January 14th from 12:00 – 12:30 PM (CST).

This complimentary 30 minute webinar will provide a plain language overview of the most significant privacy issues/events of 2009 and, more importantly, prepare you and your business for 2010.  Among other things, I’ll highlight notable court cases and privacy commissioner findings from 2009 as well as point out anticipated privacy issues likely to affect Canadian businesses in the coming year.

Space is limited so please RSVP early by emailing me at bowman@pitblado.com.


Rogue employees pose risk to privacy compliance, corporate info

November 18, 2009

The U.K.’s Huffington Post is reporting that a rogue employee of a major mobile phone company has illegally sold millions of customer records to rival companies.  Apparently, customers’ personal information (including contract expiry dates) was sold to several rivals, which then used the material to cold-call customers to offer them an alternative deal.

As I’ve previously written, information really is the most valuable corporate asset. And for this reason, businesses of all sizes should take steps to protect corporate information regardless of whether it is stored online or off-line. Whether it’s customer or supplier lists, intellectual property or employees’ personal information, it’s information that needs safekeeping. 

This case should serve as a reminder that corporate safekeeping practices must include protecting data from rogue employees.


Help me help you! Join the conversation.

November 13, 2009

In the words of Jerry Maguire, “Help me help you!” 

I’d like to know what topics you want discussed on this blog.  So please join the conversation by giving me your ideas on my new Submit a Topic! page.  I’ll then consider drafting a post on your topic!

I may not be able to “Show you the Money!”, but I’ll do my best to address cutting edge legal issues of interest to you and your business.


Website discussion boards: Who’s responsible for defamatory comments?

November 9, 2009

A great feature of website discussion boards is that they allow people to instantly share thoughts on a given topic with others from their community or around the world.  However, they are fraught with complicated legal issues for the businesses, or website operators, who make them available on the Internet.

To prove defamation, a claimant must demonstrate that a defendant “published” defamatory words. Currently in Canada it’s clear that a person who posts defamatory comments about another person or business on a discussion board can be liable for defamation.  It’s also clear, as I’ve mentioned in a previous post, that a person or business may be liable in certain circumstances if they hyperlink to defamatory content on another website.  But what about defamatory comments made by others on your website? The answer is less than clear, primarily because of two generally competing public policy views. One view is that website operators should not be liable for defamatory content posted on their discussion boards because the task of monitoring is too onerous for most businesses; and that website operators aren’t “publishing” the defamatory content but are merely “distributing” (which generally doesn’t attract liability for defamation). The other view is that website operators should be liable because the potential for instantaneous and severe damage to claimants’ reputations caused by online defamation should compel website operators to monitor, and be responsible for, their discussion boards.

After American courts struggled with these competing public policy views, the U.S. Congress passed legislation granting immunity to businesses that operate website discussion boards, regardless of the level of control that website operators may have regarding posted comments.  The case of Finkel v. Facebook is a recent example of the immunity that can be provided to U.S.-based companies. There is no similar “immunity” legislation in Canada, and the specific issue has not yet come before a Canadian court.  Of course, each case is decided on its own facts, and one would anticipate that key factors a Canadian court would consider would be a website’s Terms of Use, the degree of control and content monitoring by a website operator, and any actions a website operator took (or didn’t take) in response to a notice from a third party regarding defamatory comments.

This is a rapidly emerging area of law, and businesses should consult a lawyer with relevant expertise to assist in drafting adequate Terms of Use and to discuss potential risks prior to launching, or continuing to host, a website discussion board.


I don’t want ANY spam! Misconceptions and marketing research

November 4, 2009

I’d like to dispel a misconception about Bill C-27, An Act to Promote the Efficiency and Adaptability of the Canadian Economy by Regulating Certain Activities that Discourage Reliance on Electronic Means of Carrying Out Commercial Activities (the “Anti-Spam Bill”), which is working its way right now through the Parliamentary Committee process. When passed, the Anti-Spam Bill will provide much-needed relief from insidious electronic Spam like phishing and spyware. There is, however, an unfortunate misconception that the Anti-Spam Bill might create “loopholes” for spammers.

As originally drafted, the Anti-Spam Bill didn’t clearly define which types of electronic communication would be subject to regulation. While spyware and phishing would clearly be outlawed, questions arose as to whether other decidedly non-Spam and legitimate activities could possibly be caught within the scope of regulation. That’s because the Anti-Spam Bill was drafted to regulate “commercial activity”. Unfortunately, it didn’t clearly explain what this term meant. Here’s where the misconception comes in.

Some think “marketing research” is the same thing as telemarketing. In reality, the two activities have very little in common. Legitimate marketing research organizations do not try to sell products or services (in fact, if they are members of Canada’s Marketing Research and Intelligence Association (the “MRIA”), they are bound by a professional code of conduct which expressly prohibits such activities). Maybe you’ve heard of “mugging” (marketing under the guise of research) and “sugging” (selling under the guise of research). Let’s be clear: legitimate marketing research organizations do neither. If someone is trying to sell you something under the guise of a survey, they are not conducting legitimate marketing research. Nevertheless, comparisons of online marketing research to telemarketing abound, even though the Anti-Spam Bill will regulate online activity, not telephone calls.

Polls tell us that Canadians support the Anti-Spam Bill. How do we know this?  Because members of the MRIA were able to conduct marketing research, quite likely, using an online survey. These surveys are fuel for polls that provide valuable and timely information to Canadian decision-makers. What’s more, online surveys are quick and convenient for participants. I have the privilege of serving as the MRIA’s legal counsel, and am also a member, so I’ve seen marketing research activities first hand and know the value they provide to Canadians.

My understanding and reading of the Anti-Spam Bill is that online marketing research is not intended to be caught by the law. But that’s the problem: given the ambiguity of the Anti-Spam Bill, it’s impossible to definitively say that online marketing research would not be regulated. Ambiguity leads to uncertainty, which is good for no one. The Personal Information Protection and Electronic Documents Act, for instance, has been criticized for being far too subjective. We should learn from this experience and cut as much ambiguity as possible from the Anti-Spam Bill. That’s why the Anti-Spam Bill should be clarified to ensure it’s clear that it won’t apply to online marketing research. Doing so would not create loopholes, as some have argued; it would simply ensure that online marketing research is not lumped into the annoying Spam that everyone wants to ban. Bringing clarity to the Anti-Spam Bill would also be consistent with the actions of other countries that have already created specific exemptions for marketing research in their anti-spam laws. 

The bottom line is that no one likes Spam, except perhaps for these guys from Monty Python. Parliament still has an opportunity to clarify misconceptions and introduce a strong, effective law. Marketing research isn’t Spam, however, and the Anti-Spam Bill should clearly reflect this fact.


“Naked” airport scanners get green light

November 3, 2009

Don’t let anyone tell you that something can’t be done because of privacy laws. For example, how many times have you heard someone say, “privacy laws handcuff the ability of law enforcement to protect Canadians” or “businesses can’t compete because of heavy-handed privacy laws”?  Yes, in very limited circumstances privacy laws can restrict certain activities.  But, these cases are few and far between.  In many more circumstances, privacy considerations simply need to be built into the design of a product or service.

Case in point is the recent coverage that Assistant Privacy Commissioner of Canada, Chantal Bernier, has approved the use of airport scanners that can see through your clothes.  Who would have thought that the Office of the Privacy Commissioner of Canada would ever approve what have been referred to as “naked” airport scanners?  But if you look at the manner in which the scanners will apparently be rolled out, there appears to be a balance between security and privacy considerations.  As I’ve previously posted, “Privacy by Design” can help those with a “can-do” attitude.

Regardless of whether I agree that the “naked” airport scanners are lawful (and regardless of whether I’ll choose to walk through one of these scanners myself), it’s great to see an attempt at “Privacy by Design” in action. To be honest, however, my greatest concern is for the poor airport security professionals who may one day have to look at my less than stellar outline.  I’m not sure how much they get paid, but it’s probably not enough!

