David Canton is a business lawyer and trade-mark agent with a practice focusing on technology issues and technology companies.




August 14, 2007

Privacy Breach Guidelines

David Canton @ 7:55 am

The Federal Privacy Commissioner recently (just over a week ago – I’m catching up after a week off) released guidelines to help organizations take the proper steps after they have a privacy breach. The list is worth a read to motivate organizations to do their best to prevent privacy breaches, as it makes clear the time, effort, and cost involved to deal with a breach.

Read the details via David Fraser’s blog

August 13, 2007

Balancing convenience and security critical in protecting personal info

David Canton @ 9:15 am

For the London Free Press – August 13, 2007

Read this on Canoe

Annoyed by the identification questions you’re asked before discussing your accounts over the telephone? It may be worth it.

Bell Canada, Telus Mobility and Fido were recently found to have breached the Personal Information Protection and Electronic Documents Act (PIPEDA) in a decision released by the Federal Privacy Commissioner on July 10. One purpose of PIPEDA is to ensure that organizations protect personal information from unauthorized access.

The investigation began after a November 2005 Maclean’s magazine article produced home phone records and Blackberry records of the Privacy Commissioner of Canada, Jennifer Stoddart, and cellphone records from an unnamed senior editor at Maclean’s. The telephone records were obtained by a reporter who purchased them from a U.S. data broker called Locatecell.com. Needless to say, the Maclean’s reporter made his point.

The investigation found the information was obtained by “pretexting,” or by pretending to be someone authorized to obtain the information. In other words, the data broker called the phone companies pretending to be Jennifer Stoddart. It was discovered that human error allowed the unauthorized information to be disclosed. Since the Maclean’s article was published, these telecommunications companies have all improved their identification and authentication procedures and provided additional training to workers.

An investigation against the U.S. company, Locatecell.com, was launched as well, but discontinued due to lack of jurisdiction. Despite the awareness created by the Maclean’s article, the ease with which unauthorized records are obtained is still considered a major problem in both countries. Both Canada (Federal bill C-299) and the U.S. have recently introduced draft legislation to eliminate pretexting.

Immediately after the Maclean’s article, the telecommunication companies changed their information security procedures. The assistant commissioner of the Office of the Privacy Commissioner of Canada (OPC) was not satisfied that enough had been done and made additional recommendations. The focus of the recommendations was on strengthening customer service representative training, limiting personal information disclosures, and improving authentication procedures.

The OPC’s guidelines for identification and authentication can be found on the agency’s website www.privcom.gc.ca.

These guidelines acknowledge that there is not a one-size-fits-all approach, and identify several factors that should be considered when developing security safeguards. One guideline is that the level of authentication should be commensurate with the level of risk of the information being disclosed. Another is that authentication should not be based on permanent personal identity facts, such as date of birth, place of birth, or mother’s maiden name. Any information that can be acquired by someone else should not be used.

Since the probe, all three companies have implemented the OPC’s recommendations and the assistant commissioner concluded “the complaints against all three companies were well-founded, but have since been resolved given the corrective actions taken by the organizations.”

The assistant commissioner recognizes that some of the changes might be considered irritating for customers, and concluded individuals must also play a role by choosing difficult and random passwords.

The challenge is to strike the right balance between convenience and protection.

August 6, 2007

Social websites can easily backfire

David Canton @ 4:33 pm

For the London Free Press – August 6, 2007

Read this on Canoe

Beware of what you post online — you never know who is looking.

In what is being described as the first Canadian case that refers to MySpace, an Ontario judge stated that a defendant was free to use the MySpace pages of a plaintiff to cross examine the plaintiff at trial.

In this case, the plaintiff alleged she sustained serious and permanent physical injuries as well as emotional and psychological trauma in a motor vehicle accident. To be successful in the case, she had to show that she had sustained a permanent serious impairment of an important physical, mental or psychological function.

After discoveries, but before trial, the defendant found the plaintiff’s MySpace page, which, among other things, had pictures of her skiing in the Swiss Alps after the accident. The defendant no doubt took delight in finding this and being able to use it to cross examine the plaintiff to cast doubt on the severity of the injuries.

The rise of blogging and social network websites such as MySpace and Facebook has made personal information about individuals all the more accessible. Individuals join these social networking groups with good intentions to meet new friends, maintain on-going friendships or rekindle old ones. They post private information, pictures and messages in the spirit of being social.

Many users treat these sites like personal conversations with close friends. While there is some ability to restrict access, the reality is that they are conversing with the world, and what they post is preserved on the Internet forever.

When individuals post this personal data, they tend to forget how broadly that information is available.

Anyone wanting to know something about an individual for any legitimate reason should take advantage of this. It might be a personal injury case such as this one, or to check out a job applicant, or a contractor you wish to hire to do a particular job.

The tools to use include search engines such as Google, personal data aggregation sites such as Zoominfo, and social networking sites such as Facebook, MySpace, and LinkedIn.

Some caution is required though. Stick to publicly available information. Don’t hack into places meant to be private. Don’t resort to “pretexting,” or pretending to be the person you’re interested in, to get information. It’s also possible you could be accused of discrimination if a decision not to hire someone is based on information you’re not supposed to use.

And individuals posting information about themselves on the Internet should be mindful that it may be viewed by a wide audience. The immediacy of the Internet is one of its advantages, but also eliminates any time we might have to reflect on the appropriateness of our postings.

That comment or photo that may seem innocuous at the time may come back to haunt you. “It seemed like a good idea at the time” is little use as a defence or explanation later.

August 3, 2007

Copyright Craziness

David Canton @ 8:35 am

It seems that for every step in the right direction on copyright, we get at least 1 step back.

I’ll add my 2 cents worth to 2 cases in point that have been getting a lot of publicity over the past few days.

The step back is the arrest of a US woman for recording a 20 second clip of the Transformers movie on her still camera in a movie theatre. She did it to show her brother to convince him to see the movie. The theatre is insisting that she be prosecuted under an anti-camcording law because of their zero tolerance policy.

This is a classic example of using a law “because you can” rather than because the actions violate the intention of the law. A few-second clip taken on a still camera is certainly not headed for black market movie sales. The only real effect might have been to make the theatre a few more dollars in ticket sales. And of course it just makes the theatre look bad.

The step forward is the complaint filed with the FTC in the US over copyright notices used by broadcasters and publishers. We have all seen those. The problem is that they usually overstate the ambit of copyright protection, and ignore the fact that limited copying is legal under certain circumstances. (Called fair use in the US, fair dealing in Canada.)

A brief notice will never be able to accurately reflect the rights (it’s just too complex and the limits are often not clear in practice), but it would be nice to see more realistic ones.

Both of these are instances where I believe credibility is lost by those taking extreme positions. It is similar to the difference between position-based vs interest-based negotiation tactics. Interest-based negotiations always get a better result for all parties.

In my view the entertainment industry needs to take a more realistic interest-based approach to the copyright issue. In other words, look at the real risks and opportunities modern technology and consumer wants and behaviours entail and respond accordingly. Both the entertainment industry and consumers can win here. It’s not a zero-sum game.

For more detail on the camcording arrest see Howard’s post

For more detail on the copyright notice issue see Michael’s post

Hottest IT Management Jobs

David Canton @ 8:18 am

Interested in an IT management job? Take a look at CIO Insight’s article The 8 Hottest IT Management Jobs Today and Into 2008 that describes 8 positions and their salary ranges.

Read the article

August 1, 2007

Stop printing credit / debit card #’s!!!

David Canton @ 7:37 am

The Toronto Star has an article today entitled Credit card slip-ups can carry a cost that talks about the fact that merchants still print debit and credit card numbers on receipts even though it violates privacy laws and card issuer rules.

Columnist Ellen Roseman suggests taking the approach offered by Visa – complain to your card issuer with the details of the merchant name, location, and date. Also cross off the numbers from merchant copies of your receipts (I do that all the time.)

This is a pet peeve of mine. I don’t understand why merchants do this. It serves no purpose, violates privacy laws, is a fraud risk, and puts the merchant at risk. Another concern of mine is whether they keep it electronically, which is just as bad.

For more info on this topic click on “debit card” or “credit card” in my tag cloud.

Read the Toronto Star article
