May 25, 2010
The federal government introduced legislation today to amend PIPEDA and re-introduce the Anti-Spam Bill. I’ve previously posted here regarding the anticipated changes to PIPEDA and here about the Anti-Spam Bill.
From today’s news release:
The Honourable Tony Clement, Minister of Industry, and the Honourable Denis Lebel, Minister of State (Economic Development Agency of Canada for the Regions of Quebec), today announced two steps that the Government of Canada is taking to enhance the safety and security of the online marketplace. Together, the tabling of amendments to the legislation protecting the personal information of Canadians (Personal Information Protection and Electronic Documents Act, or PIPEDA) and the reintroduction of anti-spam legislation in the House of Commons (the proposed Fighting Internet and Wireless Spam Act, or FISA) are important steps towards positioning Canada as a leader in the digital economy.
Here’s the full Industry Canada news release.
(Hat tip to David Fraser’s Canadian Privacy Law Blog)
Posted by Brian Bowman
May 11, 2010
CBS News has an excellent investigative report here (on YouTube) about the security risks associated with copy machines. Members of the Privacy Forum will already know about this issue because we’ve previously highlighted it and relevant risk mitigation steps in the Canadian privacy law context. However, if you’re not aware of the issue then this report is a “must-see”.
February 5, 2010
It’s safe to say that the Alberta provincial government is regarded as being right wing. But Manitoba’s? Not at all. So why then is Alberta light years ahead of Manitoba at protecting workers’ privacy?
Read more>>
The above link takes you to the Winnipeg Sun. I’m delighted to have been asked by Sun Media Corp. to provide Comment columns like today’s on a monthly basis. I hope you find them of interest!
February 3, 2010
Continuing a series of blog posts that I’m calling “A Conversation with…” (the first being A Conversation with Jennifer Stoddart, Privacy Commissioner of Canada), I’m delighted to post the following conversation with Frank Work.
Commissioner Work is as personable as he is professional. I’ve had the pleasure to speak at privacy conferences with Commissioner Work and let’s just say that I’m glad I presented first! As privacy professionals will know, he’s a plain spoken, intelligent speaker and so his sessions are always a “must attend”.
Thanks to Commissioner Work for agreeing to engage in this online Q & A conversation. If you’d like to learn more about Frank Work, the Office of the Information and Privacy Commissioner of Alberta (the “Alberta OIPC”) or the issues raised in this conversation, I’d encourage you to visit the Alberta OIPC’s website.
Q. Your office has investigated identity theft arising from crystal meth abuse. What’s the link between the two?
A. A couple of years ago the Edmonton police raided a hang out for meth users. They found a lot of papers from businesses in the area, which they gave to us. Cell phone contracts, credit bureau checks, credit card information and so on. The police told me that meth users, unlike some other substance abusers, are pretty alert when they are high. They don’t sleep. They have lots of time to do the kind of detailed work necessary to engineer credit card fraud and identity theft.
Q. So what can the public do to protect itself from that kind of identity theft?
A. Individuals should shred bank and credit card statements. They shouldn’t carry certain ID, like birth certificates, on them. These kinds of foundation documents are very useful for identity theft. Always report lost or stolen credit cards, but also lost or stolen driver’s licences, birth certificates, and passports. Check your bank and credit card statements to make sure someone else isn’t using them. Do a credit bureau reference on yourself maybe once a year. If your score is lower than you think, find out why. If your score changes from one year to the next, find out why. Sometimes it can be identity theft (someone using your good name). Sometimes it can be an error on the part of the credit bureau.
The other side of the problem is organizations that have people’s info. They must take proper care of it. As I said, we have been given credit reports, draft mortgages, cell phone contracts, purchase of goods contracts and bookkeepers’ files, all thrown away. These papers all have potential for fraudulent use. Businesses need to shred this stuff. Furthermore, for businesses that have customer databases, how well secured is it? Who on their staff has access to it? We have had cases where someone in the business is taking the info and using or selling it for fraud and identity theft.
Q. Alberta’s private sector privacy legislation was recently amended to include mandatory breach notification. How will this impact privacy regulation in, and outside of, Alberta?
A. It is early days yet. Hopefully it will make organizations extra careful with personal information. Will that raise the bar for organizations in other provinces? Maybe. If you are going to change your practices here, you might as well change them everywhere. Possibly more provinces will legislate. A big piece of the picture will be when the Federal government amends PIPEDA in this regard. Maybe this will increase pressure to do so. It will be a challenge to figure out what “a real risk of significant harm” is. It will be a challenge to figure out in which cases there should be notice given and what kind of notice.
Q. You’ve worked as a lawyer in different countries around the world. How does Canada’s approach to privacy compare to your experience in other places?
A. We aren’t perfect but we are way ahead of most other jurisdictions. The “commissioner” system of enforcement has served us well because we do not have the kind of well-funded civil society organizations which can advocate for privacy. Commissioners can and do advocate. I mean, I would love to have an ACLU, or an EPIC or an EFF in Canada. Our civil liberties people, like FIPA in BC, do great work with the resources they have but resources are scarce. We need some rich people to endow some of these groups. The other thing is that I think, relative to other societies, Canadians have a disposition towards privacy. We get it to some extent. I like to think it is because we are, yes, polite, and respectful of other people. That makes us respect each other’s space. We must not lose that as the world becomes one big Facebook/Google culture. Teach your children well.
Q. Looking forward, what kind of privacy developments should we watch for in 2010?
A. Cyber attacks, hacks and other losses will continue. Governments will continue to bring surveillance technologies to bear every time anything bad happens. I will continue to get judicially reviewed. I would like to think people will start resisting surveillance and other intrusions into their lives but I don’t see it happening. Governments like surveillance. Heck, the public likes surveillance because we are just so bad at risk assessment. We are scared of everything it seems and we want someone to keep an eye on everything for us. It will be interesting to see if technology begins to fail us. For example, what if there is another airplane bombing attempt and the technology doesn’t prevent it? They bring in new technology. And that doesn’t prevent the next one (God forbid). Maybe they run out of technology, although, for the money involved I don’t see that happening. Someone will come up with a new toy. Will someone ever say “this technology isn’t doing what we want it to and it is costing us a bundle?” I think that will be a social shock.
October 27, 2009
You may know someone who has been a victim of identity theft. What you may not know is that, before today, police couldn’t charge fraudsters with “identity theft”. That changed when Bill S-4 was given Royal Assent by Parliament earlier today.
Thanks to the bill, titled An Act to amend the Criminal Code (identity theft and related misconduct), there are now three new Criminal Code offences related to identity theft:
- Obtaining and possessing identity information with the intent to use the information deceptively, dishonestly or fraudulently in the commission of a crime;
- Trafficking in identity information, an offence that targets those who transfer or sell information to another person with knowledge of, or recklessness as to, the possible criminal use of the information; and
- Unlawfully possessing or trafficking in government-issued identity documents that contain information of another person.
Before Bill S-4 came into effect, police had to use other Criminal Code provisions to target identity theft. Today’s development should help law enforcement officials attack a growing problem: the Canadian Council of Better Business Bureaus has estimated that identity theft may cost Canadians more than $2 billion annually.
October 6, 2009
BBC News is reporting that thousands of Hotmail accounts have been compromised in a phishing attack, which has reportedly affected at least 10,000 individuals.
Phishing involves identity thieves attempting to obtain personal information, such as user names, passwords and financial information, by pretending to be trustworthy organizations in need of such data.
Coincidentally, the Privacy Commissioner of Canada released her annual report today, which stresses the importance of making informed choices when sharing personal information online. The Privacy Commissioner reminds Canadians that there is a risk that unguarded personal information could be exploited by identity thieves. The Hotmail phishing attack, as well as the Privacy Commissioner’s annual report, should also remind businesses to remain vigilant in protecting their brands – or online reputations – from being damaged by identity thieves that use phishing attacks to exploit the well-earned trust that such businesses have built with their customers.
August 10, 2009
Have you heard the saying “Just when you think you understand the situation, what you don’t understand is that the situation has changed”? If you think you understand The Personal Information Protection and Electronic Documents Act (“PIPEDA”), get ready… changes may be just around the corner.
PIPEDA was introduced back in 2001. It requires the Canadian Government to review the law every five years. To this end, the House of Commons Standing Committee on Access to Information, Privacy and Ethics (the “House of Commons Committee”) conducted its review and held public hearings from November 2006 to February 2007, where it heard from over 60 witnesses and considered over 30 submissions from a wide range of interested organizations and individuals. I had the pleasure of appearing before the House of Commons Committee to present the Canadian Bar Association’s National Privacy & Access Law Section’s submission, which you can read here. The House of Commons Committee issued its report to Parliament in May 2007 (which outlined 25 recommended changes to the law), to which the Canadian Government subsequently issued its response in October 2007. As part of the Canadian Government’s response, further public consultation on key issues was requested. A link to the Office of the Privacy Commissioner’s reply to this request can be read here and the Canadian Bar Association’s response can be read here.
Changes to PIPEDA may include:
- a mandatory breach notification regime that would require organizations to promptly notify affected individuals and to report major data breaches to the Privacy Commissioner of Canada;
- amendments to account for the unique circumstances regarding consent in employer/employee relationships; and
- modifications to allow organizations to collect, use and disclose personal information as necessary for the conduct of business transactions, such as mergers and acquisitions.
The Industry Canada website targets 2009/10 for the implementation of changes resulting from this first PIPEDA review. Yet, there is no definitive time frame, so stay tuned. Changes may be just around the corner.
August 4, 2009
Headline after headline these days talks about the growing incidence of identity theft. But who really are these identity thieves? Do they work alone or for KAOS (Get Smart fans will understand this joke)? To answer this timely question, there is a recent post on the Office of the Privacy Commissioner of Canada’s blog entitled “Who are these identity thieves?”
The post cites an earlier survey by the Privacy Commissioner that shows that one Canadian out of six has been the victim of some form of identity theft and that more than 90% of Canadians report that they are concerned about identity theft. The Privacy Commissioner’s post also cites a report by Benoit Dupont, the Canada Research Chair in Security, Identity and Technology at l’Université de Montréal, and his colleague Guillaume Louis, which offers an illuminating profile of identity thieves. Here are some highlights:
- 1.7 million Canadians were affected by identity theft in 2008.
- More than 45% of cases of identity theft involve Internet use. However, the way “offenders” use the Internet is not as significant as we might think in terms of acquiring the victim’s personal information. On the contrary, it plays a greater role in actually committing fraud.
- “Women account for nearly 40% of offenders. We believe that this strong presence can be attributed to the absence of violence inherent to this sort of crime and the possibility of committing the crime without help from an accomplice.”
- “Identity thieves are relatively older than other offenders; the average age is 33 years.”
- “Offenders acted alone in the majority of cases (64.6%), which seems to contradict the theory of extensive involvement by organized crime in this type of offence.”
The Privacy Commissioner’s post also cites a 2008 report released by the McMaster eBusiness Research Centre that showed that victims spent more than 20 million hours and $150 million resolving problems associated with these crimes. If you’d like to read more about identity theft, please click on the “Identity theft” link under this blog’s Tags.
May 21, 2009
The Manitoba Legislature is currently debating Bill 219 – The Personal Information Protection and Identity Theft Protection Act.
The Bill has been introduced as a private member’s Bill by Mavis Taillieu of the Opposition Progressive Conservative Party of Manitoba. It seeks to regulate the collection, use and disclosure of personal information by organizations in the private sector and is intended to be “substantially similar” to the federal Personal Information Protection and Electronic Documents Act (PIPEDA). It would also establish a duty for organizations to notify individuals who may be affected when the personal information an organization has collected is lost, stolen or compromised. Such a requirement would be groundbreaking in Canada (notwithstanding Ontario’s Personal Health Information Protection Act, which has a mandatory breach notification requirement).
Regrettably, the Government of Manitoba indicated in the Legislative Assembly debate last week that it has two primary concerns with the Bill. The first concern is that the Bill lacks an independent oversight body such as a Privacy Commissioner of Manitoba. Legislative rules prevent private member’s Bills from containing financial penalties and so the Bill could not contain such provisions. However, the government could add those provisions in amendments. In fact, I assisted with the drafting of the Bill and would happily provide the government with the relevant provisions. The second concern raised by the government is that the Bill would introduce legislation in Manitoba that (according to the government) would regulate activities in the private sector already governed by PIPEDA. However, PIPEDA does not apply to the activities of private sector organizations in provinces such as Alberta and British Columbia, both of which have Personal Information Protection Acts, because PIPEDA does not apply where “substantially similar” provincial legislation exists.
The Bill was first introduced in 2005 and since that time the need for such a law has significantly grown. It’s modelled after Alberta’s Personal Information Protection Act, which provides a more business-friendly and clear legislative scheme than PIPEDA. As I’ve previously argued, it would be good policy for the Government of Manitoba to support the Bill and I once again urge them to do so.
If you want a more business-friendly privacy law in Manitoba, I’d strongly encourage you to contact the Government of Manitoba and Mavis Taillieu to indicate your support.
Additional coverage on this topic by the Canadian HR Reporter here.
April 24, 2009
The Government of Canada announced today the introduction of anti-spam legislation called the Electronic Commerce Protection Act (“ECPA”) that “aims to boost confidence in online commerce by protecting the privacy and personal security concerns that are associated with spam, counterfeit websites and spyware.”
According to the government’s News Release, the ECPA would allow businesses and individuals to initiate civil actions against anyone who violates the law. The ECPA deals with unsolicited text messages, or “cellphone spam”, as a form of “unsolicited commercial electronic message”.
It would establish a regulatory enforcement regime that would enable the CRTC to impose penalties of up to $1 million for individuals and $10 million in all other cases. The Competition Bureau would use a penalty regime already provided for in the Competition Act, and the federal Privacy Commissioner’s powers to cooperate and exchange information with her counterparts would be expanded in respect of the Personal Information Protection and Electronic Documents Act.
The ECPA is nearly 70 pages long. Stay tuned to this blog. As soon as I’ve been able to digest the content I’ll post again on how the ECPA is likely going to affect Canadian businesses, especially those engaged in online marketing.
April 15, 2009
Businesses are increasingly being asked to reduce their “carbon footprint”. And while many customers are interested in doing business with organizations that are trying to reduce their carbon footprint, many customers are also concerned about their own “digital footprints”.
The Discovery Channel has an interesting online tool that allows you to play a simple scenario by conducting your normal transactions as you would on any given day. Doing so shows you how often you provide your personal information to businesses and governments. You can then play the scenario again to try to reduce your digital footprint. Click here to play!
Businesses can help reduce their customers’ digital footprints by ensuring they only collect the personal information of customers necessary for the purposes identified by the organization and required for particular transactions. Additionally, businesses should avoid collecting personal information indiscriminately. As I’ve mentioned in a previous post, reducing the volume of personal information that a business collects (and is then responsible for safeguarding and destroying in accordance with applicable privacy laws) helps customers to reduce their “digital footprints”. It also helps businesses to comply with privacy laws like PIPEDA and improve customer relations.