The top 5 mistakes of privacy awareness programs: Computerworld

February 10, 2010

Computerworld has just published an excellent article which highlights the top five (5) mistakes that companies often make when educating employees about data protection.

Read the Computerworld article here!


58% of employees prepared to illegally download company/competitive data

November 28, 2009

According to a Cyber-Ark survey entitled “The Global Recession and its effect on Work Ethics” (link below), 58% of U.S. employees surveyed said that if they thought their job was at risk they would, as a pre-emptive move, be prepared to download company/competitive data. Fifty two per cent (52%) said that if they were fired tomorrow they’d take their employer’s customer and contacts data.

More disturbingly, 51% said it’s “easy” to take sensitive information out of their company and, as reported by Out-Law.com, 85% were aware that it’s illegal to download corporate information.  The favoured medium for stealing corporate information is a USB memory stick followed by e-mail. 

As I’ve mentioned in previous posts rogue employees pose a risk to privacy compliance and, as a result, corporate information requires safekeeping.  In today’s economy, information is the most valuable corporate asset.  For this reason, businesses of all sizes should take proactive steps to protect corporate data.  Whether it’s customer or supplier lists, intellectual property or employee personal information, it’s information that needs safekeeping, especially when we see statistics like those reported above.

The Global Recession and its effect on Work Ethics


2010 Privacy Prep Webinar: New dates added

November 23, 2009

I’ll be hosting a 2010 Privacy Prep Webinar on Tuesday, January 12th from 12:00 – 12:30 PM (CST). (FULL)  Due to high demand, new dates have been added: Wednesday, January 13th from 12:00 – 12:30 PM (CST) and Thursday, January 14th from 12:00 – 12:30 PM (CST).

This complimentary 30 minute webinar will provide a plain language overview of the most significant privacy issues/events of 2009 and, more importantly, prepare you and your business for 2010.  Among other things, I’ll highlight notable court cases and privacy commissioner findings from 2009 as well as point out anticipated privacy issues likely to affect Canadian businesses in the coming year.

Space is limited so please RSVP early by emailing me at bowman@pitblado.com.


Rogue employees pose risk to privacy compliance, corporate info

November 18, 2009

The U.K.’s Huffington Post is reporting that a rogue employee of a major mobile phone company has illegally sold millions of customer records to rival companies.  Apparently, customers’ personal information (including contract expiry dates) was sold to several rivals, which then used the material to cold-call customers to offer them an alternative deal.

As I’ve previously written, information really is the most valuable corporate asset. And for this reason, businesses of all sizes should take steps to protect corporate information regardless of whether it is stored online or off-line. Whether it’s customer or supplier lists, intellectual property or employees’ personal information, it’s information that needs safekeeping. 

This case should serve as a reminder that corporate safekeeping practices must include protecting data from rogue employees.


Laptop Encryption: “I don’t know what we have to do to drive this message home” says Commissioner

September 10, 2009

A summer incident involving sensitive personal information on stolen laptops has brought the issue of data protection once again into the crosshairs of Frank Work, the Alberta Information and Privacy Commissioner.

In a press release, the Commissioner expressed shock and disappointment with the fact that the stolen laptops, which contained the personal health information of more than 300,000 individuals, were not encrypted. “This is shocking for me… I don’t know what we have to do to drive this message home,” said the Commissioner. “The standard in Alberta for storing personal or health information on portable devices is encryption. I can’t accept anything less.” The Alberta incident is strikingly similar to an incident that occurred in Ontario back in 2007.  The Ontario incident also involved the theft of a non-encrypted laptop containing personal health information.  A review of the incident by Ann Cavoukian, Ontario’s Information and Privacy Commissioner, produced an order for information of this type to be encrypted.

These incidents demonstrate how easily sensitive data can be compromised when stored on laptops.  Encryption is a relatively easy way to improve the security of such information.  But where do you start? There are numerous encryption options available.  Choices range from free open source encryption software like TrueCrypt to full information security consultations from companies that offer comprehensive data protection services, like Seccuris. Regardless of which course you choose, one fact remains the same: encrypting laptops significantly improves security, and that’s just smart business.


Changes to PIPEDA may be coming soon

August 10, 2009

Have you heard the saying “Just when you think you understand the situation, what you don’t understand is that the situation has changed”? If you think you understand The Personal Information Protection and Electronic Documents Act (“PIPEDA”), get ready… changes may be just around the corner.

PIPEDA was introduced back in 2001. It requires the Canadian Government to review the law every five years.  To this end, the House of Commons Standing Committee on Access to Information, Privacy and Ethics (the “House of Commons Committee”) conducted its review and held public hearings from November 2006 to February 2007, where it heard from over 60 witnesses and considered over 30 submissions from a wide range of interested organizations and individuals. I had the pleasure of appearing before the House of Commons Committee to present the Canadian Bar Association’s National Privacy & Access Law Section’s submission, which you can read here. The House of Commons Committee issued its report to Parliament in May 2007 (which outlined 25 recommended changes to the law), to which the Canadian Government subsequently issued its response in October 2007. As part of the Canadian Government’s response, further public consultation on key issues was requested.  A link to the Office of the Privacy Commissioner’s reply to this request can be read here and the Canadian Bar Association’s response can be read here.

Changes to PIPEDA may include:

  • a mandatory breach notification regime that would require organizations to promptly notify affected individuals and to report major data breaches to the Privacy Commissioner of Canada; 
  • amendments to account for the unique circumstances regarding consent in employer/employee relationships; and
  • modifications to allow organizations to collect, use and disclose personal information as necessary for the conduct of business transactions, such as mergers and acquisitions.

The Industry Canada website targets 2009/10 for the implementation of changes resulting from this first PIPEDA review.  Yet, there is no definitive time frame, so stay tuned. Changes may be just around the corner.


When should businesses use the ® or ™ symbols?

May 13, 2009

You have probably seen the ® or ™ symbol on products or in advertisements. But what do these symbols mean, and when is it appropriate to use them?

Generally, the ® or ™ symbols are used in connection with a trade-mark, which is a word, symbol or design used to distinguish the wares or services of one person or organization from those of others. Trade-marks can be valuable intellectual property.

The Trade-marks Act (Canada) (the “TM Act”) does not contain any marking requirements. However, trade-mark owners often indicate their registration through certain symbols, namely ® (registered) or ™ (trade-mark). Although the TM Act does not require the use of these symbols, in Canada the ™ and ® symbols may be used whether the trade-mark is registered or not. That said, the ® should be used only if the mark is registered with the Canadian Intellectual Property Office. If the ® is used and the mark is not in fact registered, it may be possible for someone to argue that its use amounts to false advertising. The ™ suggests the mark is not registered, but can help establish distinctiveness in the mark.

One should be especially careful using the ® outside of Canada. In certain jurisdictions, including the U.S., ® may only be used by the owner of a mark following registration with that jurisdiction’s trade-mark office. For example, if a Canadian company is marketing a product in the U.S. and its mark is not registered with the U.S. Patent and Trademark Office, it would not be able to use the ® in connection with its mark and could only use the ™, even if the company has been using ® in Canada all along.

Businesses should consider having their intellectual property “audited” by legal counsel with an expertise in the field and, in doing so, developing an appropriate trade-marks business strategy. When I advise my clients on trade-marks matters I often rely on the expert counsel of my friends and colleagues Jolin Spencer (whom I should thank for this blog post), Robert Watchman and Howard Nerman, all of whom have expertise in trade-marks law.


New generic Top Level Domain extensions announced

May 5, 2009

Earlier this year, the Internet Corporation for Assigned Names and Numbers (“ICANN”) announced that it will be opening up the generic Top Level Domain extensions (the “gTLDs”) to allow for personalized extensions.  I could (for a mere US$185,000.00+) now apply for a .brian or even a .privacy.  And while the chances of me starting a .brian are very slim, it will be interesting to see how many organizations pay the application fee and create their own .blank extension.  Opening up the gTLDs will likely force trademark owners to evaluate their brand strategies and, in doing so, weigh the costs and benefits of buying any or all gTLDs related to their brand.

If you’re a trademark owner and you want to approach your strategy conservatively, then you may want to take a defensive position and register any of the gTLDs that relate to the business in which you’re engaged.  The list of commercial gTLDs would include .com, .net, .info, .org, .tel, .biz, .mobi, .tv and any other TLDs that seem to have a commercial application.  Additionally, you may want to register and maintain the country code domain names (ccTLDs) in the jurisdictions where your organization offers, or plans to offer, its products or services.  Once this is completed, you should then register any known variations of your trademark.

While, in theory, this is a very effective strategy, in practice it will be more difficult to execute.  For example, the owners of Lego currently own 450 domain names within the TLDs.  They recently pursued and won a WIPO arbitration decision against a cybersquatter who had registered the domains Justlegos.com, legosonly.com and onlylegos.com, illustrating that even the most vigilant defensive strategy for the registration of domain names cannot prevent all infringements.  As such, any brand strategy should be accompanied by vigorous monitoring and enforcement.  The decision about which TLDs to register is a business decision that must weigh the cost of brand enforcement from both a defensive position and an offensive position.


Bankruptcy and privacy considerations

April 22, 2009

The current global economic climate has led to a growing number of bankruptcy and insolvency proceedings, particularly in the U.S. In dealing with these proceedings, many business leaders have not paid enough attention to the role of privacy law and its impact on the bottom line.

A prime example is the bankruptcy of U.S. online toy retailer Toysmart.com. Toysmart.com had collected vast amounts of personal information from its online consumers in accordance with its privacy policy, which stated that the company would never share its database with third parties. Despite the promise, Toysmart.com then made attempts to sell the database. The U.S. Federal Trade Commission (“FTC”) sued Toysmart.com seeking injunctive and declaratory relief to prevent the sale of the database. The complaint alleged that Toysmart.com had violated U.S. law by misrepresenting to consumers that personal information would never be shared with third parties, and then disclosing, selling and offering that information for sale. Toysmart.com later settled with the FTC. The settlement agreement forbade the sale of the database except under very limited circumstances.

Of course, Canadian companies are subject to Canadian privacy laws such as PIPEDA, which require the consent of individuals for the disclosure of personal information to third parties. In structuring privacy policies, Canadian companies should consider all outcomes including bankruptcy. As a result, privacy policies should be carefully drafted with consideration of the possibility that personal information may be shared with third parties in the event of bankruptcy.  Doing so will almost certainly not be enough to fully comply with Canadian legal requirements, but it’s a prudent step in the right direction – especially in these uncertain economic times.


“Digital footprints”: What’s being left behind in the electronic world?

April 15, 2009

Businesses are increasingly being asked to reduce their “carbon footprint”. And while many customers are interested in doing business with organizations that are trying to reduce their carbon footprint, many customers are also concerned about their own “digital footprints”.

The Discovery Channel has an interesting online tool that allows you to play a simple scenario by conducting your normal transactions as you would on any given day. Doing so shows you how often you provide your personal information to businesses and governments. You can then play the scenario again to try to reduce your digital footprint. Click here to play!

Businesses can help reduce their customers’ digital footprints by ensuring they only collect the personal information of customers necessary for the purposes identified by the organization and required for particular transactions. Additionally, businesses should avoid collecting personal information indiscriminately. As I’ve mentioned in a previous post, reducing the volume of personal information that a business collects (and is then responsible for safeguarding and destroying in accordance with applicable privacy laws) helps customers to reduce their “digital footprints”.  It also helps businesses to comply with privacy laws like PIPEDA and improve customer relations.
