The formerly classified documents are tantalizing and the story behind Assange and his WikiLeaks website is fascinating. But amidst the media chatter about the damage inflicted by WikiLeaks itself, the circumstances surrounding the initial release of secret documents from the U.S. government to WikiLeaks should provide a wake up call for other governments and corporations here at home.

Read more>>

In this recent case involving Veteran Affairs, a veteran had filed a complaint with the Office of the Privacy Commissioner of Canada (“OPC”) alleging that Veterans Affairs had violated the Privacy Act by including excessively detailed and sensitive medical information in briefing notes to the Minister of Veterans Affairs. The complainant also alleged that Veteran Affairs had transferred his medical file to a hospital administered by Veterans Affairs without his consent.

The OPC has issued the following formal recommendations to Veterans Affairs, but they should also serve as useful recommendations to other organizations:

• “Take immediate steps to develop an enhanced privacy policy framework with adequate protections and controls to regulate access to personal information within the department.
• Revise existing information-management practices and policies to ensure that personal information is shared within the department on a need-to-know basis only.  Personal information, including but not limited to sensitive medical information, should not be shared with programs that have no operational requirements for access to such information.
• Provide training for employees about appropriate personal information-handling practices.
• Review procedures to ensure that consent is obtained prior to personal information being transferred to veterans’ hospitals.”

This and other similar news stories should serve as a reminder that PIPEDA requires organizations to exercise care in the disposal or destruction of personal information to prevent unauthorized parties from gaining access to the information (for example, don’t dispose of sensitive tax information records in a back lane). Other provincial laws, such as Alberta’s PIPA and B.C.’s PIPA, have similar requirements. Disposal or destruction policies and procedures should focus on physical, organizational and technological measures.

The PWC survey demonstrates that spending is shifting to monitoring of company networks, at a time when more employees are bringing their own PDA’s and computers into the workplace.  But as PWC states, businesses should be making employees the first line of defence against data leaks. 

The PWC survey and commentary serves as a reminder of the need to focus resources for data security (and privacy law compliance) strategically. This means investing in technological safeguards but it should mean investing in privacy training for your staff.  It’s an important point because so many of the privacy breaches these days result from mistakes, or human error, by one’s own employees.  I’d suggest that you compare your organization’s line item for network monitoring with your line item (if it exists) for privacy training. Are your privacy risk mitigation efforts as strategic as they could be?

This situation is an example of redactions gone terribly wrong!  And it should serve as a reminder to public and private sector organizations to take extra care when making redactions in documents that will be released to third parties. Different redaction strategies can be implemented depending on the circumstances. One strategy that I implement when records will be posted online is to make my redactions and then physically scan the document and save it as a PDF. It’s a basic way to protect sensitive portions of records.  Please feel free to post a Comment below with other suggested strategies for making secure redactions.

More disturbingly, 51% said it’s “easy” to take sensitive information out of their company and, as reported by Out-Law.com, 85% were aware that it’s illegal to download corporate information.  The favoured medium for stealing corporate information is a USB memory stick followed by e-mail. 

As I’ve mentioned in previous posts rogue employees pose a risk to privacy compliance and, as a result, corporate information requires safekeeping.  In today’s economy, information is the most valuable corporate asset.  For this reason, businesses of all sizes should take proactive steps to protect corporate data.  Whether it’s customer or supplier lists, intellectual property or employee personal information, it’s information that needs safekeeping, especially when we see statistics like those reported above.

The Global Recession and its effect on Work Ethics

As I’ve previously written, information really is the most valuable corporate asset. And for this reason, businesses of all sizes should take steps to protect corporate information regardless of whether it is stored online or off-line. Whether it’s customer or supplier lists, intellectual property or employees’ personal information, it’s information that needs safekeeping. 

This case should serve as a reminder that corporate safekeeping practices must include protecting data from rogue employees.

BBC News

Phishing involves identity thieves attempting to obtain personal information, such as user names, passwords and financial information, by pretending to be trustworthy organizations in need of such data.

Coincidentally, the Privacy Commissioner of Canada released her annual report today, which stresses the importance of making informed choices when sharing personal information online. The Privacy Commissioner reminds Canadians that there is a risk that unguarded personal information could be exploited by identity thieves. The Hotmail phishing attack, as well as the Privacy Commissioner’s annual report, should also remind businesses to remain vigilant in protecting their brands – or online reputations – from being damaged by identity thieves that use phishing attacks to exploit the well-earned trust that such businesses have built with their customers.

In a press release, the Commissioner expressed shock and disappointment with the fact that the stolen laptops, which contained the personal health information of more 300,000 individuals, were not encrypted. “This is shocking for me…I don’t know what we have to do to drive this message home” said the Commissioner. “The standard in Alberta for storing personal or health information on portable devices is encryption. I can’t accept anything less.” The Alberta incident is strikingly similar to an incident that occurred in Ontario back in 2007.  The Ontario incident also involved the theft of a non-encrypted laptop containing personal health information.  A review of the incident by Ann Cavoukian, Ontario’s Information and Privacy Commissioner, produced an order for information of this type to be encrypted. 

These incidents demonstrate how easily sensitive data can be compromised when stored on laptops.  Encryption is a relatively easy way to improve the security of such information.  But, where do you start? There are numerous encryption options available.  Choices range from free open source encryption software like TrueCrypt to full information security consultations from companies that offer comprehensive data protection services like Seccuris. Regardless of which course you choose, one fact remains the same, encrypting laptops significantly improves security and that’s just smart business.

Still not convinced? Consider this list of impressive apps for today’s traveler: Pocket Express, an app that acts as a mobile concierge; Stanza, an app that allows a user to load magazines and books to their smartphone; and GoodFood, which helps a user pick and locate a restaurant based on an array of dining preferences. It’s a good time to be a smartphone user, but perhaps even a better time to be an entrepreneur. Smartphones are increasingly offering businesses a direct window into the hearts, minds and, yes, wallets of potential customers.

But it’s not all good news, privacy advocates remind us. Many smartphone apps guzzle fuel like your Dad’s ’70 GTO, except they’re eating personal user information instead of gasoline. For example, your app may record your location, gender and birth year before it spits out the location of that perfect sale you’ve been looking for. A sizeable amount of personal information is in play, but, fortunately, Ontario’s Office of the Information and Privacy Commissioner (“IPC”) has been ahead of the curve with its call for “Privacy by Design“. Initially unveiled over 10 years ago, the concept of Privacy by Design combines privacy and security measures at the design specification stage of a project. Instead of waiting until privacy problems pop up to deal with them, Privacy by Design contemplates a proactive approach toward potential privacy issues. This methodology uses Privacy Enhancing Technology such as encryption to provide both maximum security and privacy protection. It is, as the IPC bills it, a “win-win” situation. Other examples of Privacy by Design include anonymous billing systems and depersonalization software.

It’s an exciting time to be a technologically-inclined entrepreneur, but the privacy consequences of smartphone apps cannot (and should not) be ignored. Any business that is considering creating or otherwise implementing an app should consider the privacy implications of doing so, preferably at the early stages of project development.

The Los Angeles Times

It is an interesting story because it illustrates the importance of having clear and understandable privacy policies that customers can understand. It is also an interesting story because it (once again) demonstrates the attention that the media place on privacy matters and the potentially explosive reaction that customers can have if they feel their privacy isn’t being respected.

The post cites an earlier survey by the Privacy Commissioner that shows that one Canadian out of six has been the victim of some form of identity theft and that more than 90% of Canadians report that they are concerned about identity theft. The Privacy Commissioner’s post also cites a report by Benoit Dupont, the Canada Research Chair in Security, Identity and Technology at l’Université de Montréal, and his colleague Guillaume Louis, which offers an illuminating profile of identity thieves. Here are some highlights:

• 1.7 million Canadians were affected by identity theft in 2008.
• More than 45% of cases of identity theft involve Internet use. However, the way “offenders” use the Internet is not as significant as we might think in terms of acquiring the victim’s personal information. On the contrary, it plays a greater role in actually committing fraud.
• “Women account for nearly 40% of offenders. We believe that this strong presence can be attributed to the absence of violence inherent to this sort of crime and the possibility of committing the crime without help from an accomplice.”
• “Identity thieves are relatively older than other offenders; the average age is 33 years.”
• “Offenders acted alone in the majority of cases (64.6%), which seems to contradict the theory of extensive involvement by organized crime in this type of offence.”

The Privacy Commissioner’s post also cites a 2008 report released by the McMaster eBusiness Research Centre that showed that victims spent more than 20 million hours and $150 million resolving problems associated with these crimes.  If you’d like to read more about identity theft, please click on the “Identity theft” link under this blog’s Tags.

As reported by the National Post, the unusual case raises questions about what constitutes a “reasonable expectation” of privacy in a world where digital recorders and handheld wireless devices are omnipresent. As I’m quoted in the story, “[researchers] said some years ago that new privacy rules were going to put existing business practices under a microscope. I think what we’re seeing now is technologies are putting existing legal principles under a microscope.” Fellow blogger Dan Michaluk  is also quoted.

Read the full story here…

It’s been a thrilling week for my colleagues at Pitblado LLP as it was announced earlier this week that we were to be the 1st Canadian law firm to be a guest blogger on the must-read slaw.ca.  Yours truly, three of my colleagues from our firm’s Information & Ideas Practice Group as well as our firm’s librarian each contributed one post a day this week to slaw.ca on cutting edge legal topics.  Here’s what we covered…

On Monday, I posted “What Would Happen If One of your Employees Posted a Video of an Irate Customer on YouTube?”, which I cross posted on my blog earlier this week.  The post highlights a YouTube video of an irrate customer as a reminder to Canadian businesses of the powers of new technologies such as YouTube and the corresponding need to protect against the dissemination of this type of video through employee privacy training and the adoption and enforcement of privacy and procedures.

On Tuesday, Carol Lynn Schafer posted “Do TOS Have the Final Word on our Fundamental Rights and Freedoms?”, which discusses the controversial effects of Terms of Service on popular websites such as Facebook and Twitter.  As Carol Lynn notes, Terms of Service should be drafted with the bigger picture in mind and can no longer be seen as standard agreements that can be treated with a one size fits all approach.

On Wednesday, Jolin Spencer posted “Whose Property Is It, Anyway?”, which discusses the questions that come into play when employees leave their positions.  For example, what can an employee take, and what must they leave, when they vacate their position? As Jolin points out, no business wants its intellectual property assets walking out the door with a former employee.

On Thursday, our firm’s librarian, Karen Sawatsky, posted “Legal Research Bootcamp – Winnipeg Style”, which discusses her experience collaborating with members of the Manitoba Bar Association and the Law Society of Manitoba to create a CLE for articling students on legal research. The Legal Research Bootcamp is a first for Manitoba students, and aims to bridge the gap between when students start their articles and when CPLED begins in the fall.

And last but not least, today Adam Herstein posted “Manitoba: Innovative Fighter of Child Sexual Exploitation”, which focuses on Manitoba’s recent enactment of The Child and Family Services Amendment Act (Child Pornography Reporting) (Manitoba) and how Manitoba is the first province in Canada to enact legislation that makes it mandatory for a person who encounters child pornography to report it to authorities.  Adam also notes that Canada has a national tipline called Cybertip.ca for reporting the sexual exploitation of children.

Thanks to slaw.ca for the opportunity to contribute!

The posting of a YouTube video of a woman throwing a tantrum at the Hong Kong International Airport should serve as a reminder to Canadian businesses that employees these days can (and do) easily record and post videos online from their mobile phones.

The three minute video shows a Cathay Pacific customer yelling and flailing her limbs as she lies on the floor after missing her flight from Hong Kong to San Francisco. I’ve been upset at missing a flight before, but the woman in this video takes things to an entirely new level. The video has drawn over five millions views and nearly 21,000 comments, which has resulted in some incredibly cruel and objectionable online commentary about the woman. Since the release of the video, Cathay Pacific has disciplined the gate worker who recorded the video on his mobile phone (although the video was posted on YouTube by a third party) and the company has issued a formal apology to the woman.

The video is noteworthy because it demonstrates the power of new technologies such as YouTube and the corresponding risks to Canadian businesses. Had the video been recorded by an employee of a Canadian business, subject to Canadian privacy laws, the potential privacy complaint and/or lawsuit by the woman in the video could have been substantial. 

Canadian businesses should be reminded of the need to protect against the dissemination of this type of video through employee privacy training and the adoption and enforcement of privacy policies and procedures.

Canadian businesses don’t need to look too far to find examples where more effective employee privacy training may have mitigated, or even prevented, privacy complaints.

A case in point was the high profile finding by the Office of the Privacy Commissioner of Canada (OPC) against TJX Companies Inc., the parent company of HomeSense and Winners. The OPC noted that the massive data breach was caused by inadequate encryption software which didn’t protect the company’s wireless network. New software had apparently been purchased by the company a year prior, but employees of TJX had not installed the programming on a timely basis.

In 2008 a laptop computer containing the personal information of over 800 customers was stolen from the office of a bank employee. The computer was left unmonitored and unsecured in an area of the office that was easily accessible to the public. In the resulting finding, the OPC stressed the importance of procedural safeguards and the need to periodically re-educate employees on privacy policies and procedures.

Another example occurred when a bank’s customer learned that his personal banking information was found in a recycling bin. Two employees who were cleaning out the desk of a former employee had placed the documents in the recycling bin, rather than ensuring the information was shredded. This situation (and many others) may very well have been prevented had the respective employees been better educated in the area of privacy.

Canada’s Privacy Commissioner, Jennifer Stoddart, recently gave a speech which addressed the importance of employee privacy training. In her remarks, Stoddart cited research from 2007 that reported that only one-third of Canadian businesses polled had conducted employee privacy training. Furthermore, Stoddart demonstrated that over half of the complaints received by the OPC could have been prevented had there been adequate employee privacy training.

Pro-active businesses are hearing the message loud and clear. Privacy training is an essential feature of employee training especially in this era of rapid technological advancements. This type of training should help to prevent unnecessary headaches such as privacy complaints and lawsuits. .

Therefore, the question remains, what would happen if one of your employees recorded a video of an irate customer and then uploaded the video on YouTube. The answer is, it’s best not to find out.

(Cross-posted to slaw.ca)

The Discovery Channel has an interesting online tool that allows you to play a simple scenario by conducting your normal transactions as you would on any given day. Doing so shows you how often you provide your personal information to businesses and governments. You can then play the scenario again to try to reduce your digital footprint. Click here to play!

Businesses can help reduce their customer’s digital footprints by ensuring they only collect the personal information of customers necessary for the purposes identified by the organization and required for particular transactions. Additionally, businesses should avoid collecting personal information indiscriminately. As I’ve mentioned in a previous post, reducing the volume of personal information that a business collects (and is then responsible for safeguarding and destroying in accordance with applicable privacy laws) helps customers to reduce their “digital footprints”.  It also helps businesses to comply with privacy laws like PIPEDA and improve customer relations.

For the basics on metadata, read here. As you’ll learn in more detail, “metadata” is data about data. It’s detailed information that is automatically created about an electronic document when you use Microsoft Word, PowerPoint or Excel. It can include the name of the person or organization that created a document, the date that it was created, the identities of people who modified a document, including the time and day they did so, the name of the computer that was used to create a document and detailed revisions to a document, including past modifications and deleted text not visible on your computer screen. If not properly managed, metadata can help other businesses steal your intellectual property, learn about your business processes and view personal information that you’re legally required to protect under privacy laws.

One practical way to deal with metadata is to use metadata scrubber software. Some are costly but well worth it, including Payne Metadata Assistant and Workshare Protect. There are also free tools available including a Microsoft one (but it is only for Office 2007) and one offered by Javacool Software. Of course, I’d recommend that you work with technology professionals to determine the best metadata scrubber software for your business. Regardless of whether you use one of these or other tools, it’s important that you deal with metadata in some fashion. I hope these links help provide you with a good place to start!  Feel free to Leave a Comment below if you know of other metadata scrubber software worth recommending.

As the OPC points out, PIPEDA does not prohibit organizations in Canada from transferring personal information to organizations in other jurisdictions for processing, but Canadian organizations are still accountable and the OPC can investigate complaints and audit privacy practices of Canadian organizations.

PIPEDA provides that

an organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.

The primary means by which an organization can protect personal information that it transfers to a third party for processing is through a contract. Organizations must also be transparent about their privacy practices, including advising customers that their personal information may be sent to another jurisdiction for processing and that while the information is in another jurisdiction, it may be accessed by the courts, law enforcement and national security authorities.

Check out the OPC’s Guidelines, and if your business hasn’t yet signed privacy contracts with all third parties to whom you transfer or disclose personal information, now may be the time.

There are a growing number of articles that are highlighting the threat of “cyber-terrorism”.  It’s a scary topic that is surely consuming the time of government technology infrastructure professionals in the U.S. and Canada.  Some of these articles discuss the remote possibility that terrorists may perpetrate cyber-attacks against critical online government and corporate infrastructure.  Other articles discuss the very real possibility that terrorists may simply use the Internet (and the information contained online) to plan attacks in the real world. Don Cavender, a special agent and instructor with the FBI’s Computer Training Unit at Quantico, Virginia, is quoted in an excellent ZDNet article and says that “the worry right now is not so much a cyberterrorism event…but when the terrorists use the Internet to facilitate the planning of these attacks.” 

We all know that the Internet is filling up with vast amounts of data including people’s personal information, as well as corporate and government data.  The lesson that I take from all of these “cyber-terrorism” related articles is that businesses should make sure that they are working with technology professionals to secure their databases and limit the amount of personal information and corporate data available online.  Of course, there are many reasons for businesses to secure their databases and to limit what information is available online.  For example, privacy laws such as Canada’s PIPEDA regulate the safeguarding of personal information.  And, there are good business reasons to limit the availability of proprietary corporate data online.  But, if you ever wished you were Jack Bauer, then here’s your chance to fight terrorism…one corporate move at a time.

Canada, U.S. laws on privacy complex

My September 3, 2008 column in the Winnipeg Free Press reports on the findings of the Privacy Commissioner of Canada regarding canada.com’s  outsourcing to a U.S. based service provider. The finding highlights the complexities of Canadian and U.S. laws as they relate to the personal information of customers and reminds Canadian businesses of the need to have legal agreements with third party service providers, especially those located in the U.S.

Online shopping a risky transaction: Protect yourself from identity thieves

My November 5, 2008 column in the Winnipeg Free Press provides some tips on how to be a savvy online shopper and the benefits to online retailers of  having sercure websites and comprehensive online privacy policies.

Privacy matters to most customers: Staff should be able to handle concerns

My October 1, 2008 column in the Winnipeg Free Press reports on a survey released by the Privacy Commissioner of Canada and the vital need for businesses to train their staff to identify and deal with privacy issues.  Privacy training, or lack thereof, can affect the bottom line.

Data “packrats” failing customers: Companies need policies on retention

My December 3, 2008 column in the Winnipeg Free Press details the problems businesses can get in to when they keep every single piece of information on their customers, even when they no longer need it.

Businesses face challenge in winning people’s trust

My November 7, 2007 column in the Winnipeg Free Press discusses the Privacy Commissioner of Canada’s annual report and what it means to private sector businesses.

Privacy ultimately your responsibility

My October 3, 2007 column in the Winnipeg Free Press emphasizes the importance of protecting your personal information by not handing it over to strangers, among other strategies.

Privacy resolutions for 2008

My January 2, 2008 column in the Winnipeg Free Press makes some suggestions for businesses to improve their privacy efforts before legislation forces them to make them.

Mobile devices prone to I.D. theft

My August 1, 2007 column in the Winnipeg Free Press points out the security risks inherent with mobile data holders such as USB drives, laptops and portable hard drives.

Protecting IDs is good business, and it’s the law

With March being Fraud Prevention Month, my March 7, 2007 column in the Winnipeg Free Press lists some of the procedures businesses should have in place to ensure they are compliant with privacy legislation.

Don’t expose your metadata – it might be embarrassing

My December 6, 2006 column in the Winnipeg Free Press defines metadata and why businesses need to know how to eliminate it.

ID thieves steal your money the modern way … they dumpster-dive, “phish” online to get your info

My April 4, 2005 column in the Winnipeg Free Press details the more imaginative ways thieves have come up with to take over your identity and your life.

New privacy law evolves rapidly, changes consumer attitudes

My January 4, 2005 column for the Winnipeg Free Press reviews privacy issues of 2004 and what is coming ahead in 2005.

Warning: Inventor holds copyright

In my September 7, 2005 column in the Winnipeg Free Press I discuss ownership of intellectual property.

Information requires safekeeping

In today’s economy, information is the most valuable corporate asset. And for this reason, businesses of all sizes should take steps to protect corporate information regardless of whether it is stored online or off-line. Whether it’s customer or supplier lists, intellectual property or employees’ personal information, it’s information that needs safekeeping. My September 6, 2006 column for the Winnipeg Free Press discusses the importance of protecting corporate information.