October 6, 2009
BBC News is reporting that thousands of Hotmail accounts have been compromised in a phishing attack, which has reportedly affected at least 10,000 individuals.
Phishing involves identity thieves attempting to obtain personal information, such as user names, passwords and financial information, by pretending to be trustworthy organizations in need of such data.
Coincidentally, the Privacy Commissioner of Canada released her annual report today, which stresses the importance of making informed choices when sharing personal information online. The Privacy Commissioner reminds Canadians that there is a risk that unguarded personal information could be exploited by identity thieves. The Hotmail phishing attack, as well as the Privacy Commissioner’s annual report, should also remind businesses to remain vigilant in protecting their brands – or online reputations – from being damaged by identity thieves that use phishing attacks to exploit the well-earned trust that such businesses have built with their customers.
Posted by Brian Bowman
September 21, 2009
Peruse your Inbox and look at the e-mails you have received this week. No doubt there will be a few that include legal notices at the bottom of messages warning you of the confidential nature of the correspondence and stressing that, if you are not the intended addressee, you are to return the e-mail to the sender… immediately! These automatically generated e-mail disclaimers have become standard business practice. They have become so commonplace that it begs the question: are e-mail disclaimers legally enforceable?
This very question has yet to be the focus of judicial consideration in Canada, and it appears as though it remains an unresolved issue in most other jurisdictions. Although bloggers and writers have analyzed e-mail disclaimers, there is no authoritative jurisprudence or legislation to shore up their arguments. There are a number of issues surrounding the enforceability discussion, including, among other things:
- the lack of consideration between parties to create binding contracts via typical e-mails;
- the timing of e-mail disclaimers (they come at the end of e-mails, after recipients have read the messages); and
- the otherwise lack of confidentiality associated with e-mails, which has come to light through the ever-increasing number of e-fraud cases.
That said, it is always safer to err on the side of caution. In the event your organization were unlucky enough to be sued for the contents of an e-mail, it may prove useful to have used an e-mail disclaimer. At the end of the day, even though the enforceability of e-mail disclaimers may not yet have been judicially considered, having an appropriately drafted e-mail disclaimer may help mitigate your business’s liability in the event of an unfortunate e-mail mishap.
E-mail disclaimers should be drafted with legal and business considerations in mind in such a manner that reflects the values, marketing strategy and risk tolerance of your organization. Please contact me if I can provide any assistance in drafting an e-mail disclaimer that suits your organization’s needs.
Posted by Brian Bowman
September 10, 2009
A summer incident involving sensitive personal information on stolen laptops has brought the issue of data protection once again into the crosshairs of Frank Work, the Alberta Information and Privacy Commissioner.
In a press release, the Commissioner expressed shock and disappointment with the fact that the stolen laptops, which contained the personal health information of more than 300,000 individuals, were not encrypted. “This is shocking for me…I don’t know what we have to do to drive this message home” said the Commissioner. “The standard in Alberta for storing personal or health information on portable devices is encryption. I can’t accept anything less.” The Alberta incident is strikingly similar to an incident that occurred in Ontario back in 2007. The Ontario incident also involved the theft of a non-encrypted laptop containing personal health information. A review of the incident by Ann Cavoukian, Ontario’s Information and Privacy Commissioner, produced an order for information of this type to be encrypted.
These incidents demonstrate how easily sensitive data can be compromised when stored on laptops. Encryption is a relatively easy way to improve the security of such information. But where do you start? There are numerous encryption options available. Choices range from free open source encryption software like TrueCrypt to full information security consultations from companies that offer comprehensive data protection services like Seccuris. Regardless of which course you choose, one fact remains the same: encrypting laptops significantly improves security, and that’s just smart business.
Posted by Brian Bowman
August 24, 2009
The sound of ringing telephones has caused migraines for millions ever since Alexander Graham Bell placed the first call to Mr. Watson in 1876. But thanks to some newly released technology, that’s about to change. Got a headache? There is, to borrow a phrase from a successful ad campaign, an app for that. Bellaire, Texas med-web company BetterQOL is rolling out iHeadache, an iPhone application that purports to “classify” and assist with diagnosing a user’s headache. iHeadache is one of many cutting edge applications available for use with smartphones. Don’t expect this trend to stop any time soon: thanks to programs like Apple’s iPhone Developer (only $99 for the standard edition), it’s becoming even easier for technology-savvy businesses to create their own apps.
Still not convinced? Consider this list of impressive apps for today’s traveler: Pocket Express, an app that acts as a mobile concierge; Stanza, an app that allows a user to load magazines and books to their smartphone; and GoodFood, which helps a user pick and locate a restaurant based on an array of dining preferences. It’s a good time to be a smartphone user, but perhaps even a better time to be an entrepreneur. Smartphones are increasingly offering businesses a direct window into the hearts, minds and, yes, wallets of potential customers.
But it’s not all good news, privacy advocates remind us. Many smartphone apps guzzle fuel like your Dad’s ’70 GTO, except they’re eating personal user information instead of gasoline. For example, your app may record your location, gender and birth year before it spits out the location of that perfect sale you’ve been looking for. A sizeable amount of personal information is in play, but, fortunately, Ontario’s Office of the Information and Privacy Commissioner (“IPC”) has been ahead of the curve with its call for “Privacy by Design”. Initially unveiled over 10 years ago, the concept of Privacy by Design combines privacy and security measures at the design specification stage of a project. Instead of waiting until privacy problems pop up to deal with them, Privacy by Design contemplates a proactive approach toward potential privacy issues. This methodology uses Privacy Enhancing Technology such as encryption to provide both maximum security and privacy protection. It is, as the IPC bills it, a “win-win” situation. Other examples of Privacy by Design include anonymous billing systems and depersonalization software.
It’s an exciting time to be a technologically-inclined entrepreneur, but the privacy consequences of smartphone apps cannot (and should not) be ignored. Any business that is considering creating or otherwise implementing an app should consider the privacy implications of doing so, preferably at the early stages of project development.
Posted by Brian Bowman
August 17, 2009
The Los Angeles Times is reporting that the Palm Pre phone secretly uses GPS to report users’ locations to the company.
It is an interesting story because it illustrates the importance of having clear privacy policies that customers can understand. It is also an interesting story because it (once again) demonstrates the attention that the media place on privacy matters and the potentially explosive reaction that customers can have if they feel their privacy isn’t being respected.
Posted by Brian Bowman
August 4, 2009
Headline after headline these days talks about the growing incidence of identity theft. But who really are these identity thieves? Do they work alone or for KAOS (Get Smart fans will understand this joke)? To answer this timely question, there is a recent post on the Office of the Privacy Commissioner of Canada’s blog entitled “Who are these identity thieves?”
The post cites an earlier survey by the Privacy Commissioner that shows that one Canadian out of six has been the victim of some form of identity theft and that more than 90% of Canadians report that they are concerned about identity theft. The Privacy Commissioner’s post also cites a report by Benoit Dupont, the Canada Research Chair in Security, Identity and Technology at l’Université de Montréal, and his colleague Guillaume Louis, which offers an illuminating profile of identity thieves. Here are some highlights:
- 1.7 million Canadians were affected by identity theft in 2008.
- More than 45% of cases of identity theft involve Internet use. However, the way “offenders” use the Internet is not as significant as we might think in terms of acquiring the victim’s personal information. On the contrary, it plays a greater role in actually committing fraud.
- “Women account for nearly 40% of offenders. We believe that this strong presence can be attributed to the absence of violence inherent to this sort of crime and the possibility of committing the crime without help from an accomplice.”
- “Identity thieves are relatively older than other offenders; the average age is 33 years.”
- “Offenders acted alone in the majority of cases (64.6%), which seems to contradict the theory of extensive involvement by organized crime in this type of offence.”
The Privacy Commissioner’s post also cites a 2008 report released by the McMaster eBusiness Research Centre that showed that victims spent more than 20 million hours and $150 million resolving problems associated with these crimes. If you’d like to read more about identity theft, please click on the “Identity theft” link under this blog’s Tags.
Posted by Brian Bowman
June 11, 2009
Today’s National Post story about a Nova Scotia judge’s decision to allow the publication of a private conversation between Natural Resources Minister Lisa Raitt and her former aide casts a spotlight on a murky area of privacy law.
As reported by the National Post, the unusual case raises questions about what constitutes a “reasonable expectation” of privacy in a world where digital recorders and handheld wireless devices are omnipresent. As I’m quoted in the story, “[researchers] said some years ago that new privacy rules were going to put existing business practices under a microscope. I think what we’re seeing now is technologies are putting existing legal principles under a microscope.” Fellow blogger Dan Michaluk is also quoted.
Read the full story here…
Posted by Brian Bowman
May 25, 2009

The posting of a YouTube video of a woman throwing a tantrum at the Hong Kong International Airport should serve as a reminder to Canadian businesses that employees these days can (and do) easily record and post videos online from their mobile phones.
The three-minute video shows a Cathay Pacific customer yelling and flailing her limbs as she lies on the floor after missing her flight from Hong Kong to San Francisco. I’ve been upset at missing a flight before, but the woman in this video takes things to an entirely new level. The video has drawn over five million views and nearly 21,000 comments, which has resulted in some incredibly cruel and objectionable online commentary about the woman. Since the release of the video, Cathay Pacific has disciplined the gate worker who recorded the video on his mobile phone (although the video was posted on YouTube by a third party) and the company has issued a formal apology to the woman.
The video is noteworthy because it demonstrates the power of new technologies such as YouTube and the corresponding risks to Canadian businesses. Had the video been recorded by an employee of a Canadian business, subject to Canadian privacy laws, the potential privacy complaint and/or lawsuit by the woman in the video could have been substantial.
Canadian businesses should be reminded of the need to protect against the dissemination of this type of video through employee privacy training and the adoption and enforcement of privacy policies and procedures.
Canadian businesses don’t need to look too far to find examples where more effective employee privacy training may have mitigated, or even prevented, privacy complaints.
Posted by Brian Bowman
May 21, 2009
The Manitoba Legislature is currently debating Bill 219 – The Personal Information Protection and Identity Theft Protection Act.
The Bill has been introduced as a private member’s Bill by Mavis Taillieu of the Opposition Progressive Conservative Party of Manitoba. It seeks to regulate the collection, use and disclosure of personal information by organizations in the private sector and is intended to be “substantially similar” to the federal Personal Information Protection and Electronic Documents Act (PIPEDA). It would also establish a duty for organizations to notify individuals who may be affected when the personal information an organization has collected is lost, stolen or compromised. Such a requirement would be groundbreaking in Canada (notwithstanding Ontario’s Personal Health Information Protection Act, which has a mandatory breach notification requirement).
Regrettably, the Government of Manitoba indicated in the Legislative Assembly debate last week that it has two primary concerns with the Bill. The first concern is that the Bill lacks an independent oversight body such as a Privacy Commissioner of Manitoba. Legislative rules prevent private member’s Bills from containing financial penalties and so the Bill could not contain such provisions. However, the government could add those provisions in amendments. In fact, I assisted with the drafting of the Bill and would happily provide the government with the relevant provisions. The second concern raised by the government is that the Bill would introduce legislation in Manitoba that (according to the government) would regulate activities in the private sector already governed by PIPEDA. However, PIPEDA does not apply to the activities of private sector organizations in provinces such as Alberta and British Columbia, both of which have Personal Information Protection Acts, because PIPEDA does not apply where “substantially similar” provincial legislation exists.
The Bill was first introduced in 2005 and since that time the need for such a law has significantly grown. It’s modelled after Alberta’s Personal Information Protection Act, which provides a more business-friendly and clear legislative scheme than PIPEDA. As I’ve previously argued, it would be good policy for the Government of Manitoba to support the Bill and I once again urge them to do so.
If you want a more business-friendly privacy law in Manitoba, I’d strongly encourage you to contact the Government of Manitoba and Mavis Taillieu to indicate your support.
Additional coverage on this topic by the Canadian HR Reporter here.
Posted by Brian Bowman
April 30, 2009
Are you a parent with children who use the Internet? Do your children have a better understanding of this new and constantly changing technology? Have your children ever texted “fts” or told you to “bma” in an online message? I sure hope not!
If you have children, I’d encourage you to visit the Internet 101 website, which provides some great information to increase your computer knowledge. The site provides excellent resources including Tutorials to help you learn more about the online world, Technical Tips to help keep your computer secure, Chat Lingo to help you learn the online lingo, Popular Online Activities to expose you to what today’s youth are doing online, and an Internet Agreement to be signed between parents and children to help your family stay safe in the online world.
Even if you don’t have children, there is some valuable information on the site worth reading.
Posted by Brian Bowman