Laptop searches at the border…again

June 1, 2010

Over a year ago, I commented on the privacy issues related to taking a laptop, cellphone or iPod across the U.S. border.  As reported here by Computerworld, a federal court has ruled in Michigan that the U.S. government has the right to “seize and transport a computer to a secondary inspection facility”, as long as there is a reasonable suspicion. Given the proliferation of tech devices in today’s workplace, you may want to consider if your business has the necessary policies and practices in place to protect data that’s probably leaving your doors today, and possibly going over the border via laptops and other mobile devices.

Leave a Comment » | Airport Security, Data Protection, Laptops, Mobile devices | Tagged: , , | Permalink
Posted by Brian Bowman

Feds introduce amendments to PIPEDA, re-introduce Anti-Spam Bill

May 25, 2010

The federal government introduced legislation today to amend PIPEDA and re-introduce the Anti-Spam Bill. I’ve previously posted here regarding the anticipated changes to PIPEDA and here about the Anti-Spam Bill.

From today’s news release:

The Honourable Tony Clement, Minister of Industry, and the Honourable Denis Lebel, Minister of State (Economic Development Agency of Canada for the Regions of Quebec), today announced two steps that the Government of Canada is taking to enhance the safety and security of the online marketplace. Together, the tabling of amendments to the legislation protecting the personal information of Canadians (Personal Information Protection and Electronic Documents Act, or PIPEDA) and the reintroduction of anti-spam legislation in the House of Commons (the proposed Fighting Internet and Wireless Spam Act, or FISA) are important steps towards positioning Canada as a leader in the digital economy.

Here’s the full Industry Canada news release.

(Hat tip to David Fraser’s Canadian Privacy Law Blog )

Leave a Comment » | Anti-Spam Legislation, Data Protection, PIPEDA, Privacy | Tagged: , , , | Permalink
Posted by Brian Bowman

Today’s “buzz” on Google Buzz offers lesson for new service roll-outs

April 20, 2010

Canada’s Privacy Commissioner, Jennifer Stoddart, has teamed up with nine other country’s privacy watchdogs today to warn Google and other organizations to better respect people’s privacy rights. The privacy commissioners have sent a letter to Google, accusing it of overlooking privacy values and legislation in launching new online products.

The privacy commissioners’ letter states, “we are increasingly concerned that, too often, the privacy rights of the world’s citizens are being forgotten as Google rolls out new technological applications. We were disturbed by your recent rollout of the Google Buzz social networking application, which betrayed a disappointing disregard for fundamental privacy norms and laws… Unfortunately, Google Buzz is not an isolated case. Google Street View was launched in some countries without due consideration of privacy and data protection laws and cultural norms. In that instance, you addressed privacy concerns related to such matters as the retention of unblurred facial images only after the fact, and there is continued concern about the adequacy of the information you provide before the images are captured… We therefore call on you, like all organizations entrusted with people’s personal information, to incorporate fundamental privacy principles directly into the design of new online services. That means, at a minimum:

  • collecting and processing only the minimum amount of personal information necessary to achieve the identified purpose of the product or service;
  • providing clear and unambiguous information about how personal information will be used to allow users to provide informed consent;
  • creating privacy-protective default settings;
  • ensuring that privacy control settings are prominent and easy to use;
  • ensuring that all personal data is adequately protected, and
  • giving people simple procedures for deleting their accounts and honouring their requests in a timely way.”

    • The privacy commissioners’ demand that Google and other organizations better incorporate privacy into the design of new online services underscores the need for the “Privacy by Design” initiative that Ontario’s Information and Privacy Commissioner recently discussed in my “A Conversation with Dr. Ann Cavoukian” post. All organizations, regardless of their size (after all, we’re all not Google), would be well-advised to learn from today’s “buzz” about Google Buzz.

    Leave a Comment » | Data Protection, Due Diligence, Ontario's Information and Privacy Commissioner, Personal Information, Privacy, Privacy Commissioner of Canada, Social Networking Websites, Technology | Tagged: , , , , , , | Permalink
    Posted by Brian Bowman

    The top 5 mistakes of privacy awareness programs: Computerworld

    February 10, 2010

    Computerworld has just published an excellent article which highlights the top five (5) mistakes that companies often make when educating employees about data protection.

    Read the Computerworld article here!

    Leave a Comment » | Data Protection, Privacy, Training | Tagged: , , | Permalink
    Posted by Brian Bowman

    Today is Data Privacy Day 2010!

    January 28, 2010

    January 28th is Data Privacy Day 2010! Canada’s Privacy Commissioner is marking the day by “urging companies to ensure they have the proper systems in place to safeguard information; and reminding individuals to think twice about what they post on the Internet.” See the Privacy Commissioner’s news release here.

    Leave a Comment » | Data Protection, Privacy, Privacy Commissioner | Tagged: , | Permalink
    Posted by Brian Bowman

    Redactions gone terribly wrong

    December 9, 2009

    CTV News is reporting that the U.S. federal government improperly posted an internal guide to its airport passenger screening procedures on the Internet in a way that could offer valuable tools to terrorists. The guide was posted on the U.S. Federal Business Opportunity website, but the sensitive information (which was electronically redacted, or blacked out) was not properly protected.  Some websites, using widely available software, were able to uncover the original text of sections that had been redacted.

    This situation is an example of redactions gone terribly wrong!  And it should serve as a reminder to public and private sector organizations to take extra care when making redactions in documents that will be released to third parties. Different redaction strategies can be implemented depending on the circumstances. One strategy that I implement when records will be posted online is to make my redactions and then physically scan the document and save it as a PDF. It’s a basic way to protect sensitive portions of records.  Please feel free to post a Comment below with other suggested strategies for making secure redactions.

    Leave a Comment » | Airport Security, Data Protection, Personal Information, Privacy, Redactions, Safeguarding, Security, Security Breach | Tagged: , , , , , , | Permalink
    Posted by Brian Bowman

    58% of employees prepared to illegally download company/competitive data

    November 28, 2009

    According to a Cyber-Ark survey entitled “The Global Recession and its effect on Work Ethics” (link below), 58% of U.S. employees surveyed said that if they thought their job was at risk they would, as a pre-emptive move, be prepared to download company/competitive data. Fifty two per cent (52%) said that if they were fired tomorrow they’d take their employer’s customer and contacts data.

    More disturbingly, 51% said it’s “easy” to take sensitive information out of their company and, as reported by Out-Law.com, 85% were aware that it’s illegal to download corporate information.  The favoured medium for stealing corporate information is a USB memory stick followed by e-mail. 

    As I’ve mentioned in previous posts rogue employees pose a risk to privacy compliance and, as a result, corporate information requires safekeeping.  In today’s economy, information is the most valuable corporate asset.  For this reason, businesses of all sizes should take proactive steps to protect corporate data.  Whether it’s customer or supplier lists, intellectual property or employee personal information, it’s information that needs safekeeping, especially when we see statistics like those reported above.

    The Global Recession and its effect on Work Ethics

    Leave a Comment » | Data Protection, Due Diligence, Mobile devices, Privacy, Safeguarding, Safekeeping | Tagged: , , , , , | Permalink
    Posted by Brian Bowman

    Rogue employees pose risk to privacy compliance, corporate info

    November 18, 2009

    The U.K.’s Huffington Post is reporting that a rogue employee of a major mobile phone company has illegally sold millions of customer records to rival companies.  Apparently, customers’ personal information (including contract expiry dates) was sold to several rivals, which then used the material to cold-call customers to offer them an alternative deal.

    As I’ve previously written, information really is the most valuable corporate asset. And for this reason, businesses of all sizes should take steps to protect corporate information regardless of whether it is stored online or off-line. Whether it’s customer or supplier lists, intellectual property or employees’ personal information, it’s information that needs safekeeping. 

    This case should serve as a reminder that corporate safekeeping practices must include protecting data from rogue employees.

    3 Comments | Data Protection, Due Diligence, PIPA, PIPEDA, Personal Information, Privacy, Privacy Breach, Safeguarding, Safekeeping, Security | Tagged: , , , , , , , , , , | Permalink
    Posted by Brian Bowman

    “Identity theft” law comes into force

    October 27, 2009

    You may know someone who has been a victim of identity theft. What you may not know is that, before today, police couldn’t charge fraudsters with “identity theft”. That changed when Bill S-4 was given Royal Assent by Parliament earlier today.

    Thanks to the bill, titled An Act to amend the Criminal Code (identity theft and related misconduct), there are now three new Criminal Code offences related to identity theft:

    • Obtaining and possessing identity information with the intent to use the information deceptively, dishonestly or fraudulently in the commission of a crime;
    • Trafficking in identity information, an offence that targets those who transfer or sell information to another person with knowledge of, or recklessness as to, the possible criminal use of the information; and
    • Unlawfully possessing or trafficking in government-issued identity documents that contain information of another person.

    Before Bill S-4 came into effect, police had to use other Criminal Code provisions to target identity theft. Today’s development should help law enforcement officials attack a growing problem: the Canadian Council of Better Business Bureaus has estimated that identity theft may cost Canadians more than $2 billion annually.

    Leave a Comment » | Data Protection, Identity Theft, Personal Information, Phishing, Privacy | Tagged: , , | Permalink
    Posted by Brian Bowman

    Laptop Encryption: “I don’t know what we have to do to drive this message home” says Commissioner

    September 10, 2009

    Laptop 11A summer incident involving sensitive personal information on stolen laptops has brought the issue of data protection once again into the crosshairs of Frank Work, the Alberta Information and Privacy Commissioner

    In a press release, the Commissioner expressed shock and disappointment with the fact that the stolen laptops, which contained the personal health information of more 300,000 individuals, were not encrypted. “This is shocking for me…I don’t know what we have to do to drive this message home” said the Commissioner. “The standard in Alberta for storing personal or health information on portable devices is encryption. I can’t accept anything less.” The Alberta incident is strikingly similar to an incident that occurred in Ontario back in 2007.  The Ontario incident also involved the theft of a non-encrypted laptop containing personal health information.  A review of the incident by Ann Cavoukian, Ontario’s Information and Privacy Commissioner, produced an order for information of this type to be encrypted. 

    These incidents demonstrate how easily sensitive data can be compromised when stored on laptops.  Encryption is a relatively easy way to improve the security of such information.  But, where do you start? There are numerous encryption options available.  Choices range from free open source encryption software like TrueCrypt to full information security consultations from companies that offer comprehensive data protection services like Seccuris. Regardless of which course you choose, one fact remains the same, encrypting laptops significantly improves security and that’s just smart business.

    Leave a Comment » | Access to Information, Data Encryption, Data Protection, Laptops, Mobile devices, PIPEDA, PSDs, Personal Information, Privacy, Privacy Breach, Privacy Commissioner, Safeguarding, Safekeeping, Security, Security Breach, Smartphones, Technology | Tagged: , , , , , , , , , , , , , , | Permalink
    Posted by Brian Bowman