Copy machines, a security risk?

May 11, 2010

CBS News has an excellent investigative report here (on YouTube) about the security risks associated with copy machines. Members of the Privacy Forum will already know about this issue because we’ve previously highlighted it and relevant risk mitigation steps in the Canadian privacy law context. However, if you’re not aware of the issue then this report is a “must-see”.


Today’s “buzz” on Google Buzz offers lesson for new service roll-outs

April 20, 2010

Canada’s Privacy Commissioner, Jennifer Stoddart, has teamed up with nine other country’s privacy watchdogs today to warn Google and other organizations to better respect people’s privacy rights. The privacy commissioners have sent a letter to Google, accusing it of overlooking privacy values and legislation in launching new online products.

The privacy commissioners’ letter states, “we are increasingly concerned that, too often, the privacy rights of the world’s citizens are being forgotten as Google rolls out new technological applications. We were disturbed by your recent rollout of the Google Buzz social networking application, which betrayed a disappointing disregard for fundamental privacy norms and laws… Unfortunately, Google Buzz is not an isolated case. Google Street View was launched in some countries without due consideration of privacy and data protection laws and cultural norms. In that instance, you addressed privacy concerns related to such matters as the retention of unblurred facial images only after the fact, and there is continued concern about the adequacy of the information you provide before the images are captured… We therefore call on you, like all organizations entrusted with people’s personal information, to incorporate fundamental privacy principles directly into the design of new online services. That means, at a minimum:

  • collecting and processing only the minimum amount of personal information necessary to achieve the identified purpose of the product or service;
  • providing clear and unambiguous information about how personal information will be used to allow users to provide informed consent;
  • creating privacy-protective default settings;
  • ensuring that privacy control settings are prominent and easy to use;
  • ensuring that all personal data is adequately protected, and
  • giving people simple procedures for deleting their accounts and honouring their requests in a timely way.”
  • The privacy commissioners’ demand that Google and other organizations better incorporate privacy into the design of new online services underscores the need for the “Privacy by Design” initiative that Ontario’s Information and Privacy Commissioner recently discussed in my “A Conversation with Dr. Ann Cavoukian” post. All organizations, regardless of their size (after all, we’re all not Google), would be well-advised to learn from today’s “buzz” about Google Buzz.


    Should you say “no” to the police?

    April 7, 2010

    Imagine this scenario… The police show up at your office and demand access to records relating to one of your customers. You want to help the police (as you should), but are concerned about violating your customer’s privacy rights. What should you do?

    Well, the first thing you should do is ask the police for written documentation relating to their request. You should also immediately contact a lawyer with appropriate expertise because this type of scenario can be a legal minefield. For example, are you actually dealing with the police or some bold scam artist? Do the police have the legal authority to demand the requested information? Should they have a warrant?

    Presuming that you end up providing the records to the police, you’ll need to ensure that you’re not providing too much information. If the records of your customer are co-mingled with another individual, you’ll need to consider whether you can legally provide the police with access to the other person’s information. Are you then barred from telling the customer that the police were at your office? What sort of internal records should you keep to document that the police accessed your files? How long do you need to keep those internal records?

    It’s never fun to say “no” to the police. They are, after all, typically armed. But hopefully the police will make it easy for you to satisfy yourself, and your lawyer, that working cooperatively with them won’t violate your customer’s privacy and unnecessarily exposing your business to liability.


    The top 5 mistakes of privacy awareness programs: Computerworld

    February 10, 2010

    Computerworld has just published an excellent article which highlights the top five (5) mistakes that companies often make when educating employees about data protection.

    Read the Computerworld article here!


    58% of employees prepared to illegally download company/competitive data

    November 28, 2009

    According to a Cyber-Ark survey entitled “The Global Recession and its effect on Work Ethics” (link below), 58% of U.S. employees surveyed said that if they thought their job was at risk they would, as a pre-emptive move, be prepared to download company/competitive data. Fifty two per cent (52%) said that if they were fired tomorrow they’d take their employer’s customer and contacts data.

    More disturbingly, 51% said it’s “easy” to take sensitive information out of their company and, as reported by Out-Law.com, 85% were aware that it’s illegal to download corporate information.  The favoured medium for stealing corporate information is a USB memory stick followed by e-mail. 

    As I’ve mentioned in previous posts rogue employees pose a risk to privacy compliance and, as a result, corporate information requires safekeeping.  In today’s economy, information is the most valuable corporate asset.  For this reason, businesses of all sizes should take proactive steps to protect corporate data.  Whether it’s customer or supplier lists, intellectual property or employee personal information, it’s information that needs safekeeping, especially when we see statistics like those reported above.

    The Global Recession and its effect on Work Ethics


    2010 Privacy Prep Webinar: New dates added

    November 23, 2009

    I’ll be hosting a 2010 Privacy Prep Webinar on Tuesday, January 12th from 12:00 – 12:30 PM (CST). (FULL)  Due to high demand, new dates added: Wednesday, January 13th from 12:00 – 12:30 PM (CST) and Thursday, January 14th from 12:00 – 12:30 PM (CST).

    This complimentary 30 minute webinar will provide a plain language overview of the most significant privacy issues/events of 2009 and, more importantly, prepare you and your business for 2010.  Among other things, I’ll highlight notable court cases and privacy commissioner findings from 2009 as well as point out anticipated privacy issues likely to affect Canadian businesses in the coming year.

    Space is limited so please RSVP early by emailing me at bowman@pitblado.com.


    Rogue employees pose risk to privacy compliance, corporate info

    November 18, 2009

    The U.K.’s Huffington Post is reporting that a rogue employee of a major mobile phone company has illegally sold millions of customer records to rival companies.  Apparently, customers’ personal information (including contract expiry dates) was sold to several rivals, which then used the material to cold-call customers to offer them an alternative deal.

    As I’ve previously written, information really is the most valuable corporate asset. And for this reason, businesses of all sizes should take steps to protect corporate information regardless of whether it is stored online or off-line. Whether it’s customer or supplier lists, intellectual property or employees’ personal information, it’s information that needs safekeeping. 

    This case should serve as a reminder that corporate safekeeping practices must include protecting data from rogue employees.


    Laptop Encryption: “I don’t know what we have to do to drive this message home” says Commissioner

    September 10, 2009

    Laptop 11A summer incident involving sensitive personal information on stolen laptops has brought the issue of data protection once again into the crosshairs of Frank Work, the Alberta Information and Privacy Commissioner

    In a press release, the Commissioner expressed shock and disappointment with the fact that the stolen laptops, which contained the personal health information of more 300,000 individuals, were not encrypted. “This is shocking for me…I don’t know what we have to do to drive this message home” said the Commissioner. “The standard in Alberta for storing personal or health information on portable devices is encryption. I can’t accept anything less.” The Alberta incident is strikingly similar to an incident that occurred in Ontario back in 2007.  The Ontario incident also involved the theft of a non-encrypted laptop containing personal health information.  A review of the incident by Ann Cavoukian, Ontario’s Information and Privacy Commissioner, produced an order for information of this type to be encrypted. 

    These incidents demonstrate how easily sensitive data can be compromised when stored on laptops.  Encryption is a relatively easy way to improve the security of such information.  But, where do you start? There are numerous encryption options available.  Choices range from free open source encryption software like TrueCrypt to full information security consultations from companies that offer comprehensive data protection services like Seccuris. Regardless of which course you choose, one fact remains the same, encrypting laptops significantly improves security and that’s just smart business.


    Changes to PIPEDA may be coming soon

    August 10, 2009

    coming-soonHave you heard the saying “Just when you think you understand the situation, what you don’t understand is that the situation has changed”? If you think you understand The Personal Information Protection and Electronic Documents Act (“PIPEDA”), get ready… changes may be just around the corner. 

    PIPEDA was introduced back in 2001. It requires the Canadian Government to review the law every five years.  To this end, the House of Commons Standing Committee on Access to Information, Privacy and Ethics (the “House of Commons Committee”) conducted its review and held public hearings from November 2006 to February 2007, where it heard from over 60 witnesses and considered over 30 submissions from a wide range of interested organizations and individuals. I had the pleasure of appearing before the House of Commons Committee to present the Canadian Bar Association’s National Privacy & Access Law Section’s submission, which you can read here. The House of Commons Committee issued its report to Parliament in May 2007 (which outlined 25 recommended changes to the law), to which the Canadian Government subsequently issued its response in October 2007. As part of the Canadian Government’s response, further public consultation on key issues was requested.  A link to the Office of the Privacy Commissioner’s reply to this request can be read here and the Canadian Bar Association’s response can be read here.

    Changes to PIPEDA may include:

    • a mandatory breach notification regime that would require organizations to promptly notify affected individuals and to report major data breaches to the Privacy Commissioner of Canada; 
    • amendments to account for the unique circumstances regarding consent in employer/employee relationships; and
    • modifications to allow organizations to collect, use and disclose personal information as necessary for the conduct of business transactions, such as mergers and acquisitions.

    The Industry Canada website targets 2009/10 for the implementation of changes resulting from this first PIPEDA review.  Yet, there is no definitive time frame, so stay tuned. Changes may be just around the corner.


    When should businesses use the ® or ™ symbols?

    May 13, 2009

    RegisteredTM_svgYou have probably seen the ® or ™ symbol on products or in advertisements. But what do these symbols mean and when is it appropriate to use them?

    Generally, the ® or ™ symbols are used in connection with a trade-mark, which is a word, symbol or design used to distinguish the wares or services of one person or organization from those of others. Trade-marks can be valuable intellectual property.

    The Trade-marks Act (Canada) (the “TM Act”) does not contain any marking requirements. However, trade-mark owners often indicate their registration through certain symbols, namely, ® (registered) or ™ (trade-mark). Although the TM Act does not require the use of these symbols, in Canada, the ™ and ® symbols may be used whether the trade-mark is registered or not. However, while this is not a requirement of the TM Act, the ® should be used only if the mark is registered with the Canadian Intellectual Property Office. If the ® is used and the mark is not in fact registered, it may be possible for someone to argue its use amounts to false advertising. The ™ suggests the mark is not registered, but can help establish distinctiveness in the mark.

    One should be especially careful using the ® outside in Canada. In certain jurisdictions, including the U.S., ® may only be used by the owner of a mark following registration with that jurisdiction’s trade-mark office. For example, if a Canadian company is marketing a product in the U.S. and its mark is not registered with the U.S. Patent and Trademark Office, it would not be able to use the ® in connection with its mark and could only use the ™, even if the company has been using ® in Canada all along.

    Businesses should consider having their intellectual property “audited” by legal counsel with an expertise in the field and, in doing so, developing an appropriate trade-marks business strategy. When I advise my clients on trade-marks matters I often rely on the expert counsel of my friends and colleagues Jolin Spencer (whom I should thank for this blog post), Robert Watchman and Howard Nerman, all of whom have expertise in trade-marks law.


    New generic Top Level Domain extensions announced

    May 5, 2009

    urls-2Earlier this year, the Internet Corporation for Assigned Names and Numbers (“ICANN”) announced that they will be opening up the generic Top Level Domain extensions (the “gTLDs”) to allow for personalized extensions.  I could (for a mere US$185,000.00+) now apply for a .brian or even a .privacy.  And while the chances of me starting a .brian are very slim, it will be interesting to see how many organizations pay the application fee and create their own .blank extension.  Opening up the gTLDs will likely force trademark owners to evaluate their brand strategies and, in doing so, weigh the costs and benefits of buying any or all gTLDs related to their brand.

    If you’re a trademark owner and you want to approach your strategy conservatively, then you may want to take a defensive position and register any of the gTLDs that relate to the business in which you’re engaged.  The list of commercial gTLDs would include .com, .net., .info, .org, .tel, .biz, .mobi, .tv and any other TLDs that seem to have a commercial application.  Additionally, you may want to register and maintain the country code domain names (ccTLDs) in the jurisdictions where your organization offers, or plans to offer, its products or services.  Once this is completed, you should then register any known variations of your trademark.

    While, in theory, this is a very effective strategy – in practice, this strategy will be more difficult to execute.  For example, the owners of Lego currently own 450 domain names within the TLDs.  They recently pursued and won a WIPO arbitration decision against a cybersquatter who had registered the domains Justlegos.com, legosonly.com, and onlylegos.com; illustrating that even the most vigilant defensive strategy for the registration of domains names cannot prevent all infringements.  As such, any brand strategy should be accompanied by vigorous monitoring and enforcement.  The decision about which TLDs to register is a business decision that must weigh the cost of brand enforcement from a defensive position and an offensive position.


    Bankruptcy and privacy considerations

    April 22, 2009

    bankruptcyThe current global economic climate has led to a growing number of bankruptcy and insolvency proceedings, particularly in the U.S. In dealing with these proceedings, many business leaders have not paid enough attention to the role of privacy law and its impact on the bottom line.

    A prime example is the bankruptcy of U.S. online toy retailer, Toysmart.com. Toysmart.com had collected vast amounts of personal information from its online consumers in accordance with its privacy policy, which stated that the company would never share its database with third parties. Despite the promise, Toysmart.com then made attempts to sell the database. The U.S. Federal Trade Commission (“FTC”) then sued Toysmart.com seeking injunctive and declaratory relief to prevent the sale of the database by Toysmart.com. The complaint alleged that Toysmart.com had violated U.S. law by misrepresenting to consumers that personal information would never be shared with third parties, and then disclosing, selling and offering that information for sale. Toysmart.com later settled with the FTC. The settlement agreement forbid the sale of the database except under very limited circumstances.

    Of course, Canadian companies are subject to Canadian privacy laws such as PIPEDA, which require the consent of individuals for the disclosure of personal information to third parties. In structuring privacy policies, Canadian companies should consider all outcomes including bankruptcy. As a result, privacy policies should be carefully drafted with consideration of the possibility that personal information may be shared with third parties in the event of bankruptcy.  Doing so will almost certainly not be enough to fully comply with Canadian legal requirements, but it’s a prudent step in the right direction – especially in these uncertain economic times.


    “Digital footprints”: What’s being left behind in the electronic world?

    April 15, 2009

    footprints-6Businesses are increasingly being asked to reduce their “carbon footprint”. And while many customers are interested in doing business with organizations that are trying to reduce their carbon footprint, many customers are also concerned about their own “digital footprints“. 

    The Discovery Channel has an interesting online tool that allows you to play a simple scenario by conducting your normal transactions as you would on any given day. Doing so shows you how often you provide your personal information to businesses and governments. You can then play the scenario again to try to reduce your digital footprint. Click here to play!

    Businesses can help reduce their customer’s digital footprints by ensuring they only collect the personal information of customers necessary for the purposes identified by the organization and required for particular transactions. Additionally, businesses should avoid collecting personal information indiscriminately. As I’ve mentioned in a previous post, reducing the volume of personal information that a business collects (and is then responsible for safeguarding and destroying in accordance with applicable privacy laws) helps customers to reduce their “digital footprints”.  It also helps businesses to comply with privacy laws like PIPEDA and improve customer relations.


    Upcoming Canadian Privacy Law Conferences

    April 13, 2009

    business-concepts-22Ongoing privacy training is a vital tool to assist with privacy law compliance. In this respect, the following Canadian privacy law conferences in the coming months may be of interest to you or others in your organization:

  • On May 20, 2009, the Manitoba Bar Association will be hosting an IP/Technology Section luncheon where I will be speaking about emerging privacy issues. Of course, you need to be a member or a guest of the Manitoba Bar Association to attend.
  • On May 27 and 28, 2009, I will be one of several speakers in Toronto for The Canadian Institute‘s Meeting your Privacy Obligations conference where I will be speaking on the topic of ‘Demystifying the confusing area of lawful disclosure’.
  • From June 10-12th, the University of Alberta will be hosting the 2009 Access and Privacy Conference: The Pursuit of Truth.
  • From June 17 – 19th, I will be speaking in Winnipeg at the National Credit Institute‘s 2009 CIC National Conference: “Back to our Roots, Forward to our Future” on the privacy law matters affecting those in the credit industry.
  • The Privacy Security Trust 2009 (PST2009) will be hosting the Seventh Annual International Conference on Privacy, Security and Trust in Saint John, New Brunswick from August 25 – 27, 2009.
  • The 2009 IEEE International Conference on Information Privacy, Security, Risk and Trust will be held in Vancouver, British Columbia from August 29 – 31, 2009.
  • If there are other Canadian privacy law conferences in the coming months that I haven’t listed, please post a Comment or drop me an e-mail so I can update this post. If you, or your industry association, are interested in more focussed privacy training, please let me know as I regularly conduct in-house privacy training sessions for clients.


    Escrow as a new tool for privacy

    March 23, 2009

    keys-2Bell Canada recently announced that it would acquire The Source, a national electronics dealer.  Bell has indicated that it will be acquiring substantially all of the assets of The Source.

    I don’t know what those assets will be, but I think it is an interesting example of the fact that even in recessions we still see acquisitions of companies.  When an organization’s assets are bought, one of the most valuable assets that are purchased is often its customer list.   

    PIPEDA and other applicable privacy laws, of course, govern transactions involving personal information.   In the course of such transactions some companies are now implementing concepts once used only to secure physical assets.  For example, many organizations are choosing to employ “escrow” arrangements to ensure the security of personal information.

    Most businesses now understand that the implications of violating applicable privacy laws can be very serious to the reputation and bottom line of both the vendor and purchaser.  As part of a sale of a customer list, and depending on the specific circumstances, both parties may agree that the customer list be placed in escrow until the transaction is completed.  This ensures that what is likely the most valuable asset in the transaction – the customer list – is protected from unintended disclosures prior to the actual transfer of the business.



    Privacy Commissioner pens guidelines for outsourcing

    March 3, 2009

    The Office of the Privacy Commissioner of Canada (OPC) has published some useful Guidelines for Processing Personal Data Across Borders to explain how the Personal Information Protection and Electronic Documents Act (PIPEDA) applies to transfers of personal information to third parties, including third parties operating outside of Canada, for processing.

    As the OPC points out, PIPEDA does not prohibit organizations in Canada from transferring personal information to organizations in other jurisdictions for processing, but Canadian organizations are still accountable and the OPC can investigate complaints and audit privacy practices of Canadian organizations.

    PIPEDA provides that

    an organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.

    The primary means by which an organization can protect personal information that it transfers to a third party for processing is through a contract. Organizations must also be transparent about their privacy practices, including advising customers that their personal information may be sent to another jurisdiction for processing and that while the information is in another jurisdiction, it may be accessed by the courts, law enforcement and national security authorities.

    Check out the OPC’s Guidelines, and if your business hasn’t yet signed privacy contracts with all third parties to whom you transfer or disclose personal information, now may be the time.


    Businesses should conduct regular staff privacy training

    February 20, 2009

    meeting-roomPrivacy professionals will know first hand the importance of conducting regular staff privacy training, which can mitigate customer privacy complaints and (as a result) the overall costs of privacy compliance.  I certainly know from my practice that the costs to businesses can be quite significant when having to deal with serious privacy complaints.  These costs can include settlements, legal fees and lost productivity.  Obviously, it’s better to be proactive and reduce the chances of having to deal with privacy complaints.  That’s where regular staff privacy training comes in!  Businesses really should conduct staff privacy training on a regular basis – in my view, at least on an annual basis.

    In a recent speech to the 10th Annual Privacy and Security Conference in Victoria, B.C., Privacy Commissioner Jennifer Stoddart commented, “Polling for my Office in 2007 found that only a third of all businesses reported having trained staff about their responsibilities under Canada’s privacy laws.  This is a huge concern!  We recently conducted an analysis of 86 breaches reported to my Office and found that employee awareness and training was the most important contributing factor.  It was an issue in more than half of the spills we examined! We found that very basic mistakes – human errors – often lead to breaches. Breaches are caused mostly by employee misconduct and human error, not technological weaknesses.”  The full speech is entitled, “A Privacy Check Up For Canadians: Is the Glass Half Empty or Half Full?” and is definitely worth reading.


    Canada, U.S. laws on privacy complex

    February 12, 2009

    canada-us-relations-2Canada, U.S. laws on privacy complex

    My September 3, 2008 column in the Winnipeg Free Press reports on the findings of the Privacy Commissioner of Canada regarding canada.com’s  outsourcing to a U.S. based service provider. The finding highlights the complexities of Canadian and U.S. laws as they relate to the personal information of customers and reminds Canadian businesses of the need to have legal agreements with third party service providers, especially those located in the U.S.


    Data “packrats” failing customers

    February 12, 2009

    challengeData “packrats” failing customers: Companies need policies on retention

    My December 3, 2008 column in the Winnipeg Free Press details the problems businesses can get in to when they keep every single piece of information on their customers, even when they no longer need it.


    Buying or selling a business

    February 6, 2009

    agreementsBuying or selling a business requires due diligence

    My June 7, 2006 column in the Winnipeg Free Press considers PIPEDA Case Summary #325, which sets out the rules regarding sharing customer lists of businesses being considered for sale.