The premier weekly newspaper for the legal profession in Ontario
Issue link: https://digital.lawtimesnews.com/i/68188
Law Times • SEPTEMBER 15, 2008 FOCUS PAGE 11

Privacy Commission closed 420 complaints last year
BY JULIUS MELNITZER
For Law Times

Given the number of high-profile data breaches affecting hundreds of thousands of Canadians in 2007, it should be no surprise that federal Privacy Commissioner Jennifer Stoddart's 2007 report on the Personal Information Protection and Electronic Documents Act has focused on information technology and identity-fraud management as strategic priorities going forward.

"Both these issues relate to security, which has become the most significant aspect in the privacy sphere," says David Young of Lang Michener LLP's Toronto office.

The report, released in June, calls IT an "obvious choice" because "virtually every current privacy issue and privacy complaint we receive contains an IT component."

As for the identity-management component, much of the focus will be online.

"People are finding the personal information they've posted online being used in ways they never imagined," the report states. "In some cases, entire profiles — name, photo, and other personal details — have been hijacked by imposters."

By way of mitigation, the Office of the Privacy Commissioner is developing tools to help individuals manage their online identity.

Other strategic priorities involve national security measures.

"Too often, these measures have focused on the collection and sharing of personal information with little oversight and scant consideration of privacy and other individual rights," the report states. "A growing list of private-sector organizations — airlines, banks and accounting firms, for example — have been deputized to collect personal information for the state."

Advances in genetics are also a concern, as they have led to an increasing interest in obtaining genetic information.

"Genetic testing for employment, criminal matters, research, medical care, access to insurance and to determine family relationships all raise significant and deeply sensitive privacy issues," the report's authors write.

In the end, however, too many data breaches are occurring because companies have been ignoring basic steps — such as laptop encryption — necessary for the protection of personal information. The breaches at TJX Companies Inc., the U.S. discount retail giant that owns Winners and HomeSense stores in Canada, are the most significant example.

It began in the summer of 2005, when thieves armed with an antenna, a laptop computer, and specialized software set up camp outside a Marshalls store in Miami and broke into what the OPC calls the store's "poorly protected" wireless local networks. This led them to customer information from hundreds of stores in the U.S. and Canada, which they accessed for some 18 months during which they collected information relating to at least 94 million credit and debit cards and other personal information such as that found on drivers' licences.

The ease with which the crime was perpetrated was almost laughable. It was common knowledge that the encryption protocol protecting the TJX network could be easily bypassed. Indeed, detailed instructions for doing so were readily available on the internet.

The OPC's investigation, conducted jointly with Alberta Information and Privacy Commissioner Frank Work, concluded that TJX did not comply with federal or provincial privacy laws. In particular, TJX collected too much information and kept it far too long, failed to update its security systems in a timely way, and did not adequately monitor the system for signs of intrusion.

In the summer of 2007, the OPC developed voluntary privacy breach guidelines with business and consumer groups. They appear to be effective. In the first five months of 2008, the OPC received 21 voluntary breach reports, compared to 34 for all of 2007 and 20 in 2006.

Financial institutions reported the largest number of voluntary breaches, with telecommunication, insurance, and retail companies also in the mix. Few reports, however, came from small and medium-sized businesses.

Apart from unencrypted laptops, which accounted for 90 per cent of individuals affected by data breaches, reported breaches included lost data tapes, improperly discarded papers, and wayward faxes. Some breaches occurred because employees did not follow company practices; others because only one-third of Canadian businesses have ongoing privacy training.

But despite the success of the voluntary breach reporting guidelines, the OPC continues to support mandatory data-breach notification. Late in 2007, the federal government launched public consultations on PIPEDA reform measures, including breach notification.

On the complaint side, the OPC received 350 complaints in 2007. One-third of the total complaints involved financial institutions, with the telecommunications, insurance, sales, and transportation sectors also contributing significant numbers of complaints.

And while the 350 complaints represented a decrease from the 424 complaints received in 2006, the 400 received in 2005, and the 723 received in 2004, it doesn't mean the OPC's complaints workload has eased.

"The year-over-year decrease in complaints is, in part, the result of a streamlined complaint-acceptance process introduced in 2007," the report maintains.

Under the new process, the OPC offers complainants invoking factual situations that are similar to complaints already under investigation, or complaints in respect of which findings have been made, the option of holding back their complaints and referring to the similar findings as a way to resolve the issues they may have with an organization.

By way of example, the OPC has underway five investigations involving drug testing for employment, while an additional 27 people agreed not to file official complaints about the same issue.

The OPC closed 420 complaints in 2007, with an average of 15.7 months passing between the date a complaint was filed and the report of finding mailed. Thirty per cent of complaints settled, 21 per cent were discontinued, 15 per cent were not well founded, with an equal percentage in the "well-founded resolved" category, meaning that the respondent organization agreed to comply with the OPC's recommendations.

In 2007, only four organizations chose not to implement OPC recommendations but finally agreed to comply either before or after the OPC referred the matter for litigation in the Federal Court.

It is the 2008 report, however, that may make the most direct hit on the legal profession. In a speech to the Canadian Bar Association's annual convention in August 2008, Stoddart suggested that individuals' names be redacted from online case reports.

"Stoddart probably made that suggestion because she felt she had to," says Barbara McIsaac of McCarthy Tétrault LLP's Ottawa office. "But it does throw the door wide open to a debate over the proper balance between maintaining open court processes and preserving the privacy of personal information." LT

Security has 'become the most significant aspect in the privacy sphere,' says David Young.