This and other similar news stories should serve as a reminder that PIPEDA requires organizations to exercise care in the disposal or destruction of personal information to prevent unauthorized parties from gaining access to the information (for example, don’t dispose of sensitive tax information records in a back lane). Other provincial laws, such as Alberta’s PIPA and B.C.’s PIPA, have similar requirements. Disposal or destruction policies and procedures should focus on physical, organizational and technological measures.

From today’s news release:

The Honourable Tony Clement, Minister of Industry, and the Honourable Denis Lebel, Minister of State (Economic Development Agency of Canada for the Regions of Quebec), today announced two steps that the Government of Canada is taking to enhance the safety and security of the online marketplace. Together, the tabling of amendments to the legislation protecting the personal information of Canadians (Personal Information Protection and Electronic Documents Act, or PIPEDA) and the reintroduction of anti-spam legislation in the House of Commons (the proposed Fighting Internet and Wireless Spam Act, or FISA) are important steps towards positioning Canada as a leader in the digital economy.

Here’s the full Industry Canada news release.

(Hat tip to David Fraser’s Canadian Privacy Law Blog )

This really is the kind of personal information that identity thieves love so the OPC article is a useful read. In fact, businesses whose employees create accounts on their behalf would be well-advised to have employees read the OPC article.

Read more>>

The above link takes you to the Winnipeg Sun.  I’m delighted to have been asked by Sun Media Corp. to provide Comment columns like today’s on a monthly basis.  I hope you find them of interest!

Commissioner Work is as personable as he is professional. I’ve had the pleasure to speak at privacy conferences with Commissioner Work and let’s just say that I’m glad I presented first!  As privacy professionals will know, he’s a plain spoken, intelligent speaker and so his sessions are always a “must attend”.

Thanks to Commissioner Work for agreeing to engage in this online Q & A conversation.  If you’d like to learn more about Frank Work, the Office of the Information and Privacy Commissioner of Alberta (the “Alberta OIPC”) or the issues raised in this conversation, I’d encourage you to visit the Alberta OIPC’s website.

Q.  Your office has investigated identity theft arising from crystal meth abuse. What’s the link between the two?

A.  A couple of years ago the Edmonton police raided a hang out for meth users.  They found a lot of papers from businesses in the area, which they gave to us.  Cell phone contracts, credit bureau checks, credit card information and so on.  The police told me that meth users, unlike some other substance abusers, are pretty alert when they are high.  They don’t sleep.  They have lots of time to do the kind of detailed work necessary to engineer credit card fraud and identity theft.

Q.  So what can the public do to protect itself from that kind of identity theft?

A.  Individuals should shred bank and credit card statements.  They shouldn’t carry certain ID, like birth certificates, on them. These kinds of foundation documents are very useful for identity theft.  Always report lost or stolen credit cards, but also lost or stolen driver’s licences, birth certificates, and passports.  Check your bank and credit card statements to make sure someone else isn’t using them.  Do a credit bureau reference on yourself maybe once a year.  If your score is lower than you think, find out why.  If your score changes from one year to the next, find out why. Sometimes it can be identity theft (someone using your good name). Sometimes it can be an error on the part of the credit bureau.

The other side of the problem is organizations that have peoples’ info.  They must take proper care of it.  As I said, we have been given credit reports, draft mortgages, cell phone contracts, purchase of goods contracts and bookkeepers files, all thrown away.  These papers all have potential for fraudulent use.  Businesses need to shred this stuff.  Furthermore, for businesses that have customer databases, how well secured is it?  Who on their staff has access to it?  We have had cases where someone in the business is taking the info and using or selling it for fraud and identity theft.

Q.  Alberta’s private sector privacy legislation was recently amended to include mandatory breach notification. How will this impact privacy regulation in, and outside of, Alberta?

A.  It is early days yet.  Hopefully it will make organizations extra careful with personal information.  Will that raise the bar for organizations in other provinces?  Maybe.  If you are going to change your practices here, you might as well change them everywhere.  Possibly more provinces will legislate.  A big piece of the picture will be when the Federal government amends PIPEDA in this regard.  Maybe this will increase pressure to do so.  It will be a challenge to figure out what “a real risk of significant harm” is.  It will be a challenge to figure out in which cases there should be notice given and what kind of notice.

Q.  You’ve worked as a lawyer in different countries around the world. How does Canada’s approach to privacy compare to your experience in other places?

A.  We aren’t perfect but we are way ahead of most other jurisdictions.  The “commissioner” system of enforcement has served us well because we do not have the kind of well funded civil society organizations which can advocate for privacy.  Commissioners can and do advocate.  I mean, I would love to have an ACLU, or and EPIC or an EFF in Canada.  Our civil liberties people, like FIPA in BC do great work with the resources they have but resources are scarce.  We need some rich people to endow some of these groups.  The other thing is that I think, relative to other societies, Canadians have a disposition towards privacy.  We get it to some extent.  I like to think it is because we are, yes, polite, and respectful of other people.  That makes us respect each other’s space.  We must not lose that as the world becomes one big facebook/google culture.  Teach your children well.

Q.  Looking forward, what kind of privacy developments should we watch for in 2010?

A.  Cyber attacks, hacks and other losses will continue.  Governments will continue to bring surveillance technologies to bear every time anything bad happens. I will continue to get judicially reviewed.  I would like to think people will start resisting surveillance and other intrusions into their lives but I don’t see it happening.  Governments like surveillance.  Heck, the public likes surveillance because we are just so bad at risk assessment.  We are scared of everything it seems and we want someone to keep an eye on everything for us.  It will be interesting to see if technology begins to fail us.  For example, what if there is another airplane bombing attempt and the technology doesn’t prevent it?  They bring in new technology.  And that doesn’t prevent the next one (God forbid).  Maybe they run out of technology, although, for the money involved I don’t see that happening.  Someone will come up with a new toy.  Will someone ever say “this technology isn’t doing what we want it to and it is costing us a bundle?”  I think that will be a social shock.

Thanks to the bill, titled An Act to amend the Criminal Code (identity theft and related misconduct), there are now three new Criminal Code offences related to identity theft:

• Obtaining and possessing identity information with the intent to use the information deceptively, dishonestly or fraudulently in the commission of a crime;
• Trafficking in identity information, an offence that targets those who transfer or sell information to another person with knowledge of, or recklessness as to, the possible criminal use of the information; and
• Unlawfully possessing or trafficking in government-issued identity documents that contain information of another person.

Before Bill S-4 came into effect, police had to use other Criminal Code provisions to target identity theft. Today’s development should help law enforcement officials attack a growing problem: the Canadian Council of Better Business Bureaus has estimated that identity theft may cost Canadians more than $2 billion annually.

BBC News

Phishing involves identity thieves attempting to obtain personal information, such as user names, passwords and financial information, by pretending to be trustworthy organizations in need of such data.

Coincidentally, the Privacy Commissioner of Canada released her annual report today, which stresses the importance of making informed choices when sharing personal information online. The Privacy Commissioner reminds Canadians that there is a risk that unguarded personal information could be exploited by identity thieves. The Hotmail phishing attack, as well as the Privacy Commissioner’s annual report, should also remind businesses to remain vigilant in protecting their brands – or online reputations – from being damaged by identity thieves that use phishing attacks to exploit the well-earned trust that such businesses have built with their customers.

PIPEDA was introduced back in 2001. It requires the Canadian Government to review the law every five years.  To this end, the House of Commons Standing Committee on Access to Information, Privacy and Ethics (the “House of Commons Committee”) conducted its review and held public hearings from November 2006 to February 2007, where it heard from over 60 witnesses and considered over 30 submissions from a wide range of interested organizations and individuals. I had the pleasure of appearing before the House of Commons Committee to present the Canadian Bar Association’s National Privacy & Access Law Section’s submission, which you can read here. The House of Commons Committee issued its report to Parliament in May 2007 (which outlined 25 recommended changes to the law), to which the Canadian Government subsequently issued its response in October 2007. As part of the Canadian Government’s response, further public consultation on key issues was requested.  A link to the Office of the Privacy Commissioner’s reply to this request can be read here and the Canadian Bar Association’s response can be read here.

Changes to PIPEDA may include:

• a mandatory breach notification regime that would require organizations to promptly notify affected individuals and to report major data breaches to the Privacy Commissioner of Canada; 
• amendments to account for the unique circumstances regarding consent in employer/employee relationships; and
• modifications to allow organizations to collect, use and disclose personal information as necessary for the conduct of business transactions, such as mergers and acquisitions.

The Industry Canada website targets 2009/10 for the implementation of changes resulting from this first PIPEDA review.  Yet, there is no definitive time frame, so stay tuned. Changes may be just around the corner.

The post cites an earlier survey by the Privacy Commissioner that shows that one Canadian out of six has been the victim of some form of identity theft and that more than 90% of Canadians report that they are concerned about identity theft. The Privacy Commissioner’s post also cites a report by Benoit Dupont, the Canada Research Chair in Security, Identity and Technology at l’Université de Montréal, and his colleague Guillaume Louis, which offers an illuminating profile of identity thieves. Here are some highlights:

• 1.7 million Canadians were affected by identity theft in 2008.
• More than 45% of cases of identity theft involve Internet use. However, the way “offenders” use the Internet is not as significant as we might think in terms of acquiring the victim’s personal information. On the contrary, it plays a greater role in actually committing fraud.
• “Women account for nearly 40% of offenders. We believe that this strong presence can be attributed to the absence of violence inherent to this sort of crime and the possibility of committing the crime without help from an accomplice.”
• “Identity thieves are relatively older than other offenders; the average age is 33 years.”
• “Offenders acted alone in the majority of cases (64.6%), which seems to contradict the theory of extensive involvement by organized crime in this type of offence.”

The Privacy Commissioner’s post also cites a 2008 report released by the McMaster eBusiness Research Centre that showed that victims spent more than 20 million hours and $150 million resolving problems associated with these crimes.  If you’d like to read more about identity theft, please click on the “Identity theft” link under this blog’s Tags.

The Bill has been introduced as a private member’s Bill by Mavis Taillieu of the Opposition Progressive Conservative Party of Manitoba. It seeks to regulate the collection, use and disclosure of personal information by organizations in the private sector and is intended to be “substantially similar” to the federal Personal Information Protection and Electronic Documents Act (PIPEDA).  It would also establish a duty for organizations to notify individuals who may be affected when the personal information an organization has collected is lost, stolen or compromised.  Such a requirement would be groundbreaking in Canada (notwithstanding Ontario’s Personal Health Information Protection Act, which has a mandatory breach notification requirement).

Regrettably, the Government of Manitoba indicated in the Legislative Assembly debate last week that it has two primary concerns with the Bill.  The first concern is that the Bill lacks an independent oversight body such as a Privacy Commissioner of Manitoba. Legislative rules prevent private member’s Bills from containing financial penalties and so the Bill could not contain such provisions.  However, the government could add those provisions in amendments.  In fact, I assisted with the drafting of the Bill and would happily provide the government with the relevant provisions. The second concern raised by the government is that the Bill would introduce legislation in Manitoba that (according to the government) would regulate activities in the private sector already governed by PIPEDA. However, PIPEDA does not apply to the activities of private sector organizations in provinces such as Alberta and British Columbia, both of whom have Personal Information Protection Acts, because PIPEDA does not apply where “substantially similar” provincial legislation exists.

The Bill was first introduced in 2005 and since that time the need for such a law has significantly grown.  It’s modelled after Alberta’s Personal Information Protection Act, which provides a more business-friendly and clear legislative scheme than PIPEDA.  As I’ve previously argued, it would be good policy for the Government of Manitoba to support the Bill and I once again urge them to do so. 

If you want a more business-friendly privacy law in Manitoba, I’d strongly encourage you to contact the Government of Manitoba and Mavis Taillieu to indicate your support. 

Additional coverage on this topic by the Canadian HR Reporter here.

According to the government’s News Release, the ECPA would allow businesses and individuals to initiate civil actions against anyone who violates the law.  The ECPA deals with unsolicited text messages, or “cellphone spam”, as a form of “unsolicited commercial electronic message”.

It would establish a regulatory enforcement regime that would enable the CRTC to impose penalties of up to $1 million for individuals and $10 million in all other cases.  The Competition Bureau would use a penalty regime already provided for in the Competition Act, and the federal Privacy Commissioner‘s powers to cooperate and exchange information with her counterparts would be expanded in respect of the Personal Information Protection and Electronic Documents Act.

The ECPA is nearly 70 pages long.  Stay tuned to this blog.  As soon as I’ve been able to digest the content I’ll post again on how the ECPA is likely going to affect Canadian businesses, especially those enaged in online marketing.

The Discovery Channel has an interesting online tool that allows you to play a simple scenario by conducting your normal transactions as you would on any given day. Doing so shows you how often you provide your personal information to businesses and governments. You can then play the scenario again to try to reduce your digital footprint. Click here to play!

Businesses can help reduce their customer’s digital footprints by ensuring they only collect the personal information of customers necessary for the purposes identified by the organization and required for particular transactions. Additionally, businesses should avoid collecting personal information indiscriminately. As I’ve mentioned in a previous post, reducing the volume of personal information that a business collects (and is then responsible for safeguarding and destroying in accordance with applicable privacy laws) helps customers to reduce their “digital footprints”.  It also helps businesses to comply with privacy laws like PIPEDA and improve customer relations.

Online shopping a risky transaction: Protect yourself from identity thieves

My November 5, 2008 column in the Winnipeg Free Press provides some tips on how to be a savvy online shopper and the benefits to online retailers of  having sercure websites and comprehensive online privacy policies.

Mobile devices prone to I.D. theft

My August 1, 2007 column in the Winnipeg Free Press points out the security risks inherent with mobile data holders such as USB drives, laptops and portable hard drives.

Businesses must take steps to prevent I.D. theft

My July 4, 2007 column in the Winnipeg Free Press points out the fine-tuning to PIPEDA and what businesses will have to do to remain compliant.

Province failing on privacy issues; citizens deserve better protection

My May 2, 2007 column in the Winnipeg Free Press poses a challenge to the participants in the upcoming provincial election of May 22, 2007 to follow through on promises of a Manitoba privacy commissioner.

Protecting IDs is good business, and it’s the law

With March being Fraud Prevention Month, my March 7, 2007 column in the Winnipeg Free Press lists some of the procedures businesses should have in place to ensure they are compliant with privacy legislation.

Identity theft growing rapidly

My February 7, 2007 column in the Winnipeg Free Press revisits identity theft with the publication of major data breaches by Winners and CIBC.

ID thieves steal your money the modern way … they dumpster-dive, “phish” online to get your info

My April 4, 2005 column in the Winnipeg Free Press details the more imaginative ways thieves have come up with to take over your identity and your life.

Identity theft, loss of privacy face people in a wired world

My February 7, 2005 column in the Winnipeg Free Press concerns identity theft and workplace surveillance.

Timely questions for those seeking to run the nation: technology, intellectual property should be on politicians’ agendas

My December 7, 2005 column in the Winnipeg Free Press poses potential technology and privacy questions to the candidates in the upcoming federal election.

Privacy protection should be at top of resolutions: develop policies, procedures in a customer-friendly way

My January 4, 2006 column for the Winnipeg Free Press suggests three cutting edge new year’s resolutions for corporate success.

NDP should support privacy bill or say why not

My March 1, 2006 column in the Winnipeg Free Press discusses a private member’s bill,  Bill 207, The Personal Information Protection and Identity Theft Prevention Act and why the NDP government should support it.

Identity thieves steal business reputations; privacy law audit a good place to begin prevention

In my May 4, 2005 column in the Winnipeg Free Press I talk about online reputation management.