PrivaTalk
November 2003, Volume 3, Issue 9
Bank of Montreal Breaches Customer Privacy
BMO Financial Group recently suffered bad publicity after human error allowed two servers with confidential customer data to be momentarily offered on eBay. According to the Bank of Montreal (BMO), two of its servers were shipped to Toronto resident Geoff Ellis. In an apparent case of mistaken identity, an employee of Ecosys Canada Inc. sent the wrong servers to Ellis. Ecosys is a Montreal-based subcontractor of Surrey, British Columbia-based Rider Computer Services Ltd., an outsourcing partner of BMO that deals with the bank’s outdated computer equipment. Instead of receiving machines wiped clean of all customer data, Ellis received two servers that hadn't yet been sanitized. Ellis, who resells computer equipment, subsequently offered the machines for sale through eBay Inc.'s Internet auction site.
Information in one of the computers included the names, addresses and phone numbers of several hundred bank clients, along with their bank account information, including account type and number, balances and, in some cases, balances on GICs, RRSPs, lines of credit, credit cards and insurance. Many of the files were dated as recently as late 2002, while some went back to 2000.
Luckily for BMO, Ellis checked the machines just after he put them up for sale and noticed that the drives contained data. He then quickly pulled them off eBay’s Web site and contacted the bank. No BMO data was compromised because of Ellis’ actions. If it had been, the data could have been used to steal someone else’s identity for the purposes of fraud, a fast-growing crime known as identity theft. BMO is contacting customers whose information was contained on the two servers to reassure them that their personal information was never compromised.
Though the outsourcers were immediately to blame, because erasing the drives was their responsibility, BMO’s Chief Information Security Officer didn’t shirk from BMO’s responsibility. The bank “has the accountability and the moral responsibility of ensuring that customer information is managed appropriately,” he said.
Many corporate executives think this event is unlikely to occur at their businesses and agreed with the bank’s assessment that it was a fluke occurrence. But one security expert at a large Canadian financial institution scoffed at the idea that this was a unique incident. The expert, who wished to remain anonymous, said these data-disposal problems commonly occur and can be blamed on improperly outsourced work. He said BMO certainly isn’t alone in dealing with the difficulties of corporate data disposal. On more than one occasion, the security expert purchased seemingly new hard drives only to find them full of data from other companies.
I would hope that one potential consequence of the BMO story is that companies may revisit outsourcing corporate data. The more rules and players added to the equation (such as different levels of disk sanitation for different business units and multiple outsourcers), the greater the likelihood of a problem like this occurring. The Federal Privacy Commissioner is investigating the incident. All financial institutions in Canada have been subject to the Personal Information Protection and Electronic Documents Act since Jan. 1, 2001. The law requires that “personal information shall be protected by security safeguards appropriate to the sensitivity of the information.” The more sensitive the information, the higher the level of protection required.
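The check a practitioner would want before any drive leaves the building is a verification that the wipe actually happened, independent of whichever outsourcer was supposed to do it. The following script is an added example for this newsletter, not a tool from BMO or any of the companies named above. It works on an in-memory byte string standing in for a raw disk image (constructed here, so it runs offline) and applies three checks: the share of 512-byte blocks that are entirely zero, a handful of well-known on-disk signatures (the MBR boot signature and the NTFS and ext2/3/4 magic values, which are real on-disk constants), and runs of printable ASCII long enough to be customer records. The image passes only if no signatures or text runs remain; the zero-block fraction is reported rather than required, because a random-fill wipe legitimately leaves few zero blocks.

```python
"""Verify that a drive image has really been sanitized before hardware leaves the site.

Added example; not BMO's, Ecosys's or Rider's tooling. Operates on bytes so that
a raw image read from a device (or, as here, a constructed sample) can be audited
offline. The signature offsets are the standard on-disk positions.
"""
import re

BLOCK = 512

# (description, offset within the image, expected bytes) for common on-disk structures.
SIGNATURES = [
    ("MBR boot signature", 510, b"\x55\xAA"),
    ("NTFS OEM id", 3, b"NTFS    "),
    ("ext2/3/4 superblock magic", 1024 + 56, b"\x53\xEF"),
]

# Sixteen or more consecutive printable ASCII bytes is treated as a text run.
# Tune the minimum length upward for very large images to avoid chance matches
# in random-filled (rather than zero-filled) wipes.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{16,}")


def find_signatures(image):
    """Return the names of known structures still present at their standard offsets."""
    return [name for name, off, magic in SIGNATURES
            if image[off:off + len(magic)] == magic]


def find_text_runs(image):
    """Return leftover printable strings; customer records usually show up here."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(image)]


def zero_block_fraction(image):
    """Fraction of BLOCK-sized blocks that are all zero (about 1.0 after a zero-fill wipe)."""
    blocks = [image[i:i + BLOCK] for i in range(0, len(image), BLOCK)]
    if not blocks:
        return 1.0
    return sum(1 for b in blocks if not any(b)) / len(blocks)


def audit_image(image):
    """Produce a report; 'sanitized' is True only when nothing recognisable remains."""
    report = {
        "zero_block_fraction": zero_block_fraction(image),
        "signatures": find_signatures(image),
        "text_runs": find_text_runs(image),
    }
    report["sanitized"] = not report["signatures"] and not report["text_runs"]
    return report


def build_unsanitized_image():
    """Constructed sample: an NTFS-style boot sector plus one leftover customer record."""
    img = bytearray(8 * BLOCK)
    img[3:11] = b"NTFS    "
    img[510:512] = b"\x55\xAA"
    record = b"CUSTOMER: A. Example, ACCT 0000-0000-0000 (constructed sample)"
    img[3 * BLOCK:3 * BLOCK + len(record)] = record
    return bytes(img)


def build_wiped_image():
    """Constructed sample: the same size after a zero-fill wipe."""
    return bytes(8 * BLOCK)


if __name__ == "__main__":
    for label, img in (("unsanitized", build_unsanitized_image()),
                       ("wiped", build_wiped_image())):
        print(label, audit_image(img))
```

On a real device the image would be read in chunks rather than loaded whole, and the signature table extended for whatever file systems the organization uses; the pass/fail logic stays the same.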
Canadian Privacy Commissioner Releases Annual Report
In September of this year, Canada’s Interim Federal Privacy Commissioner, Robert Marleau, released his office’s 2002-03 Annual Report. The report highlights the Office’s activities under both private sector and public sector privacy legislation. The report, which provides insight into the new Commissioner’s perspectives on privacy, can be found at http://www.privcom.gc.ca/information/ar/02_04_11_e.pdf. This article will highlight some of the interesting points made by the Commissioner with respect to the private sector law, the Personal Information Protection and Electronic Documents Act (PIPEDA).
The practice of taping customer telephone calls was the subject of two complaints under PIPEDA. In response, the Office developed a “best practices” guideline for recording customer telephone calls. Essentially, the guideline states that the taping of calls involves the collection of personal information. Thus, conversations should not be taped unless it is for a purpose that a reasonable person would consider appropriate in the circumstances. The customer must be informed of the purposes for taping the call and must consent before the taping begins, except in certain limited cases. The customer must also be offered an alternative, such as not taping the call, visiting a retail outlet, writing a letter, or conducting the transaction over the Internet. The commissioner stressed that a tape recording captures comments, accents and attitudes that are not relevant to the purpose for collecting the information. Thus, an organization must be open with customers with respect to the fact that they are recording, why they are recording, and offer options other than recording.
Another interesting conclusion drawn by the Commissioner is that although PIPEDA allows an organization to charge an individual a reasonable fee when responding to requests for access to personal information, “the bottom line for organizations when it comes to fees is this: cost-recovery does not apply to access to information requests”. This is a surprising statement and indicates that Marleau will not take a business-friendly approach when it comes to access requests. He also stressed that the Act does not require an individual to explain why he or she wants access to personal information or require that he or she enter into any such discussions with an organization.
The Commissioner’s Annual Report also provides a useful summary of conclusions that have been drawn in cases with respect to consent to secondary purposes. Marleau takes a position similar to the one that Radwanski took, stating that positive, opt-in consent is always preferred, and negative or opt-out consent, which is weaker and less preferred, should only be used in limited circumstances. An organization’s use of opt-out consent will be deemed justified only under the following circumstances:
- The personal information must be non-sensitive in nature. The Commissioner pointed out that as set out in the Act, financial or medical information is always to be considered sensitive, however, other types of information may be considered sensitive depending on the context.
- If the personal information is to be disclosed to third parties, they must be identified by name or type.
- The organization must state its purposes in clear, specific terms in a format that is easy to read and understand.
- The organization must provide an appropriate “opt-out” mechanism, that is, a convenient opportunity and procedure for withdrawing consent.
Marleau’s Annual Report clearly shows that he will not be deviating from Radwanski’s perspectives on privacy. This preserves the integrity of past decisions of the office. However, it is hoped that over time, Marleau will display a more business-friendly approach than that taken by Radwanski.
How will the Marketing Industry Cope with PIPEDA?
The private sector has two months to comply with the Personal Information Protection and Electronic Documents Act (PIPEDA), which will come into full effect on January 1, 2004.
With that in mind, the Canadian Marketing Association [ http://www.the-cma.org/ ] will update its self-regulating guidelines with a clause about making it easier for customers to opt out of mailing lists. The clause is designed to show the marketing industry is being proactive in responding to the public's privacy concerns.
John Wright, senior vice-president of the Air Miles reward program at The Loyalty Group [ http://www.loyalty.com/ ], said in a keynote speech recently that marketing executives should play a quarterback role in shaping the development of improved privacy policies. He stated that: "We need to move away from seeing it as a legal initiative and more as a marketing imperative."
Wright admitted that the Privacy Commissioner of Canada had received complaints in the past from special interest groups who claimed Air Miles wasn't doing enough to protect the personal information of the 14.5 million Canadians who actively collect points. The road to compliance, he said, included a nine-month privacy audit in which the company went through all necessary IT systems and filing cabinets to determine how to better protect privacy.
The critical and difficult part about privacy compliance for the marketing industry is providing the ability to opt out. There are still wildly different interpretations of PIPEDA that make the implications for mailing list owners difficult to understand.
Most list brokers follow the CMA code first introduced 10 years ago, but there are still significant attempts to hide opt-out information (for example, in tiny font at the back of a magazine). Meanwhile, those purchasing mailing lists are demanding that their list brokers obtain adequate consent. Another interesting issue arises when a company who purchased a mailing list is told, “I never asked to receive marketing material from you…get me off your list, and let whoever gave you my name know that I don’t want my information sold”. Is there any responsibility on the list purchaser, who is just using the list for a one time mailing, to inform the list broker of the request? PIPEDA is silent on this point.
According to many in the marketing industry, government does not understand the list business. Marketing professionals that are truly attempting to achieve privacy compliance will tell you that privacy regulation sounds good on the floor of the House of Commons but in the real world it has all kinds of complications.
Developments in Australia’s Privacy Landscape
The Australian government recently announced plans to amend its privacy law. The amendments will address issues such as:
- clarifying the application of the Privacy Act to personal information of non-Australian citizens;
- permitting voluntary industry codes to cover certain exempt matters; and
- addressing the use of government identifiers for the purposes of Commonwealth payroll.
The government also plans to review children’s information privacy in the coming year. The Privacy Act 1988 protects personal information of all persons regardless of age. In May 2001, the Attorney General convened a Consultative Group to advise him on whether additional legislative provisions are required for the protection of personal information of children. A discussion paper prepared by the Department with assistance from the Consultative Group will be released for broader public consultation in late 2003.
The Australian government is also planning to review the extent of privacy protection required for employee records and whether there is a need for further measures.
Another interesting development in Australia’s privacy landscape is that after five years in the job, the Federal Privacy Commissioner, Malcolm Crompton, has announced he will quit the position in April of 2004.
A spokesperson at the Attorney General’s department expressed initial surprise at the announcement and would not comment on whether relations between the AG and Crompton had soured following the government’s hard stance that privacy issues must come second to national security.
Under the light-touch privacy law in Australia, businesses were expected to self-regulate by establishing and administering industry-specific codes. But with the recent launch of only the third such code, Crompton admits the burden of investigating complaints has fallen on his office.
The Market and Social Research Privacy Code recently joined the Insurance Council of Australia and Queensland Clubs as the only industries to complete the approval process since the law came into effect. Only two other bodies have applications before the commissioner – the Internet Industry Association and the Australian Casino Association.
There are some disincentives to creating a code, including the costs of developing a code and the associated consultation process, plus ongoing administration of the code. Given that the law exists and the Privacy Commissioner is there to enforce the law, a business would need a compelling reason to go further, and a limited number seem to have found those reasons. As a result, self-regulation has yet to emerge.
According to Crompton, his office is handling complaints and inquiries at rates vastly in excess of their funding and resource levels. The Australian office is getting more than 30,000 inquiries a year – about 1000 written complaints and hundreds requiring formal investigation. In practical terms, this means complaints may not be acted upon for months and there are no resources to spare for public education. To draw a comparison, the Commissioner’s office in Canada, dealing with a similarly sized population, has four times the staffing and financing of the Australian office.
Global Study – Increasing Monitoring and Restrictions on Web Usage
Far from being a haven for civil liberties and free speech, it seems the Web is now prey to increasing monitoring and restrictions, according to a global study into internet censorship that was recently released.
While countries with poor human rights records, such as Zimbabwe and Burma, are already well known for their Internet censorship, the US and Western Europe don’t escape criticism from the report for their growing fondness for monitoring the activities of Web users.
The study, Silenced, launched at the World Summit on the Information Society in Geneva, condemned governments’ use of the events of September 11th to introduce measures that would previously have been unacceptable.
The report says: “There has been an acceleration of legal authority for snooping, from increased email monitoring to the retention of web logs and communications data. Simultaneously, governments have become more secretive about their own activities, reducing information that was previously available and refusing to adhere to policies on freedom of information.”
One of the report’s editors, Simon Davies, director of Privacy International, said in a statement: “It is clear that democratic nations such as the US and the UK have failed to set an acceptable benchmark for free speech. Non-democratic regimes look to the West for technologies and techniques of repression.”
The report highlights how non-democratic regimes are already using internet surveillance and censorship for political purposes but, without technology supplied by Western nations, wouldn’t be able to achieve the same level of monitoring.
But it’s not just global governments who will take an interest in censorship and surveillance in the future. The report says: “It is arguable that in the first decade of the 21st century, corporations will rival governments in threatening Internet freedoms. Aggressive protection of corporate intellectual property has resulted in substantial legal action against users, and a corresponding deterioration in trust across the Internet.”
The report does list positive developments in the sphere of Internet monitoring, including countries establishing privacy legislation, but warns against complacency: “Technological developments are being implemented to protect a free Internet but the knowledge gap between radical innovators and restrictive institutions appears to be closing.”
The report is available at http://www.privacyinternational.org/survey/censorship .
Wireless Communication Options and their Security Implications
Adoption of wireless communication is growing rapidly. We see more and more laptops and PDAs with little antennas sprouting out the side. Wireless communication enables individuals to connect to their e-mail and the Web wherever they are, as if they were sitting at their PCs.
The major ways to stay connected are through the 1X or GSM/GPRS cellular telephone networks or through a network technology called Wi-Fi that’s becoming more widely available.
Wi-Fi is the abbreviation for wireless fidelity. It is the popular term for a wireless local area network or WLAN. It can be used instead of the common wired LAN to which most PCs are attached. Wi-Fi is a convenient solution when installation of LAN wiring is a big problem in a home or a business. Wi-Fi access points are commonly called hot spots because their range is limited to about 100 metres at a data transmission speed of about 20,000 kbps. That speed is one third of the effective speed of a typical wired LAN.
Businesses are installing private hot spots for corporate applications, e-mail and Web access for employees who move around a lot in a warehouse or a manufacturing facility. The installation cost for a private hot spot is $150 to $200 per PC or about the same as for a wired LAN connection. The monthly costs are negligible.
Some businesses are concerned about security breaches because anyone with a laptop, parked in the executive parking lot, can easily access the corporate network via the hot spot if no security precautions are implemented. As shocking as it may seem, many hot spots do not have Wired Equivalent Privacy (WEP) encryption, which prevents unauthorized access, turned on.
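The practical response to the exposure just described is a periodic audit of every access point the business operates, so that a hot spot with encryption switched off is caught before someone in the parking lot finds it. The script below is an added example for this newsletter, not code from Bell, Telus or any access-point vendor. It reads a constructed CSV inventory of the kind a site survey or controller export might produce (the column names ssid, encryption and network are assumptions) and rates each access point: an open hot spot bridged onto the corporate LAN is critical, an open hot spot on a segregated guest network is a warning, and WEP is flagged as a warning because its weaknesses were already documented by 2003 and WPA, which was certified that year, is the stronger choice where the equipment supports it.

```python
"""Audit an access-point inventory for hot spots with encryption switched off.

Added example; not a vendor tool. Input is a constructed CSV export with the
assumed columns ssid, encryption (none | wep | wpa) and network (corporate | guest).
"""
import csv
import io

# Constructed inventory of what a survey of a small campus might turn up.
INVENTORY_CSV = """ssid,encryption,network
WAREHOUSE-AP1,wep,corporate
WAREHOUSE-AP2,none,corporate
LOBBY-GUEST,none,guest
FINANCE-AP,wpa,corporate
"""

SEVERITY_ORDER = {"CRITICAL": 0, "WARNING": 1}


def load_inventory(text):
    """Parse the CSV export into a list of dicts, one per access point."""
    return list(csv.DictReader(io.StringIO(text)))


def assess(ap):
    """Return (severity, detail) for a risky access point, or None if it is acceptable."""
    enc = ap["encryption"].strip().lower()
    net = ap["network"].strip().lower()
    if enc == "none" and net == "corporate":
        return ("CRITICAL",
                "open hot spot bridged onto the corporate LAN; anyone in radio range can join")
    if enc == "none":
        return ("WARNING",
                "open hot spot; traffic is readable by anyone in radio range")
    if enc == "wep":
        return ("WARNING",
                "WEP is known to be weak; move to WPA where the equipment supports it")
    return None


def audit(text):
    """Run assess() over the inventory and return findings, most severe first."""
    findings = []
    for ap in load_inventory(text):
        result = assess(ap)
        if result is not None:
            severity, detail = result
            findings.append({"ssid": ap["ssid"], "severity": severity, "detail": detail})
    findings.sort(key=lambda f: SEVERITY_ORDER[f["severity"]])
    return findings


if __name__ == "__main__":
    for f in audit(INVENTORY_CSV):
        print(f"{f['severity']:8} {f['ssid']:14} {f['detail']}")
```

Feeding the script a fresh export on a schedule, and treating any CRITICAL finding as an incident rather than a to-do item, turns the one-line observation in the article into a repeatable control.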
Public hot spots are being installed in airports, coffee shops, fast food restaurants, and hotels. Businesses are attracted to providing hot spots in the hopes that customers will stay longer and spend more.
At a public hot spot, the data transmission speed tends to be limited not by the wireless speed but by the 1,800 kbps speed of the typical ADSL connection to the Internet backbone.
The number of hot spots in North America already exceeds 10,000. Industry analysts differ widely in their estimated growth rate, but all agree that it will be significant. Bell Canada is currently conducting Wi-Fi pilots at Air Canada Maple Leaf Lounges at various airports including Calgary International Airport. Telus and others are conducting a Wi-Fi pilot in downtown Calgary.
The limitations of public hot spots relate mostly to the spotty coverage. Many years will elapse before major urban areas are well covered. Due to the short range of hot spots, rural areas can forget about it. Wired connections continue to be faster and more reliable than Wi-Fi.
For wireless communication, the alternatives to Wi-Fi are the 1X cellular telephone networks, operated by Telus or Bell, and the GSM/GPRS cellular telephone network, operated by Rogers AT&T Wireless. These networks offer an effective speed of about 50 to 70 kbps. (That speed compares favorably to most modems that provide about 40 to 42 kbps.) The 1X or the GSM/GPRS speed is a huge jump in throughput compared with the previous generation of cellular service.
The limitations of the cellular telephone networks are the connection costs that tend to be proportional to monthly usage and the slower speed compared with Wi-Fi. However, the cost and speed issues are outweighed by the hugely wider coverage that cellular offers in comparison to Wi-Fi.
A Wi-Fi network is the preferred wireless choice within business premises. The cellular telephone networks are superior when wireless access outside of business premises is a must. The security concerns of wireless transmissions cannot be ignored and remain an issue that has not been given enough attention by the wireless industry.