Entries categorized as 'Data breaches'
Data breach due diligence
November 22, 2007 · No Comments
I spoke at our annual pension and benefit conference this morning on the role of the company medical advisor and data breach due diligence. The latter issue is as topical as ever, and I was happy to drive home the message that managing the personal habits and attitudes of employees is critical to a complete due diligence program. I’ve posted a copy of my slides here.
Categories: Data breaches · Employee privacy · Health privacy
Garbage case touches on idea of practical obscurity
October 25, 2007 · No Comments
It’s at the obscure end of what I’ll cover on this blog, but the Alberta Court of Appeal’s October 18th decision in R. v. Patrick contains an intriguing debate about an individual’s expectation of informational privacy in garbage.
Conrad J., in dissent, held that the Calgary Police violated an accused individual’s section 8 Charter rights by seizing information…
- in garbage…
- in opaque garbage bags…
- inside garbage cans…
- that were placed in a receptacle…
- on the accused individual’s property.
Good use of bullet points? They’re a cute prelude to the point Conrad J. makes about the accused individual’s expectation of privacy:
In this case, the appellant put his garbage out for municipal collection. Municipalities have an interest in the orderly collection and disposal of garbage. Citizens are forbidden from burning garbage in their homes and citizens pay taxes for this municipal collection service. A homeowner, such as the appellant, places his garbage out for collection on the understanding that his garbage will be treated in the same manner as his neighbour’s garbage – it will be picked up by the garbage collectors and placed inside a garbage truck where it will be mixed with other garbage. At this point, the homeowner’s privacy in respect of much of the information regarding his lifestyle and personal choices will be completely preserved because it will have become anonymous. Any privacy in garbage that identifies the homeowner directly, such as a discarded bank statement, will also be preserved, although not so completely, by the fact it is now contained within a vast pile of collected detritus that makes it almost impossible to find.
The last sentence in the above quote is significant because it endorses the concept of inaccessibility or practical obscurity of information: information can still be private (or one’s interest in keeping something private can subsist) even if it is exposed to unauthorized or limited authorized access. This concept may become more relevant given the prevalence of electronically stored information. For starters, think of the lost backup tape that can’t easily be restored and how a valid claim that the information on the tape is inaccessible might weigh against either a civil or statutory duty to warn. Accessibility may also be relevant in some disputes about waiver of a confidentiality interest or legal privilege.
Ritter J.A.’s majority judgement leaves Conrad J.’s practical obscurity point intact. Instead, and apparently taking judicial notice that garbage often goes to sorting facilities, he states, “With respect, I disagree with this assessment as it does not equate with the myriad of ways in which garbage is handled in Canada.”
Categories: Data breaches · Privilege
Tagged: data accessibility, information accessibility, practical obscurity
Data breach response - a multidisciplinary perspective
September 26, 2007 · No Comments
By a chance of timing, given the release of the report on the Canadian investigation into the TJX breach, I presented today at a lunch meeting of the Association of Certified Forensic Investigators of Canada together with David Malamed of Grant Thornton. We called the presentation “Data Breach Response: A Multidisciplinary Perspective.”
This is the first presentation David and I have given on a project we started at the beginning of the summer together with Karen Gordon, an expert crisis communicator from Squeaky Wheel Communications. The idea we are promoting is that organizations should be using multidisciplinary teams to manage breach response and, whether internal or external experts are used, the team should be defined in a formal breach response plan.
I’ve posted a copy of the presentation here.
Categories: Collection, use and disclosure · Data breaches · Records management
Tagged: forensics, fraud, privacy, security
Case Report - Data breach investigation report released
September 26, 2007 · No Comments
The Privacy Commissioner of Canada and the Office of the Information and Privacy Commissioner of Alberta have released their joint report into the TJX/Winners data breach. They found that TJX breached the collection, retention and safeguarding rules in both the federal and Alberta commercial privacy statutes.
With respect to TJX’s system for preventing the fraudulent return of goods, the commissioners held that TJX breached both statutes by collecting driver’s license and other provincial ID numbers to identify individuals who returned goods without a receipt. While they accepted the importance of identifying such individuals for purposes of fraud control, they also held that retaining this sensitive data was not necessary and that TJX did not give adequate notice of the purposes for its collection. The commissioners said:
A driver’s license is proof that an individual is licensed to operate a motor vehicle; it is not an identifier for conducting analysis of shopping-return habits. Although licenses display a unique number that TJX can use for frequency analysis, the actual number is irrelevant to this purpose. TJX requires only a number—any number—that can be consistently linked to an individual (and one that has more longevity and is more accurate than a name and telephone number).
Moreover, a driver’s license number is an extremely valuable piece of data to fraudsters and identity thieves intent on creating false identification with valid information. After drivers’ license identity numbers have been compromised, they are difficult or impossible to change. For this reason, retailers and other organizations should ensure that they are not collecting identity information unless it is necessary for the transaction.
Having made this finding, they accepted TJX’s proposal to create unique identifiers from provincial ID numbers by using cryptographic hashing and approved of a three-year retention period for this information.
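The hashing proposal the commissioners accepted is worth a closer look from a security standpoint, since a provincial ID number has a fixed, enumerable format. The following added example (my own illustration, not anything from the report or from TJX) uses a constructed, fictional four-character ID format to show that a plain hash still links repeat returns but can be mapped back to the ID by walking the ID space, whereas a keyed hash (HMAC under a secret key held apart from the returns database) gives the same linkage without that reversibility.

```python
import hashlib
import hmac
import itertools
import secrets
from typing import Callable, Optional

# Constructed sample ID format: one letter followed by three digits
# (3,000 possible values). Real provincial formats are larger, but the
# point is the same: the space is finite and cheap to enumerate.
LETTERS = "ABC"
DIGITS = "0123456789"

def unkeyed_token(id_number: str) -> str:
    """Plain SHA-256 of the ID: consistent across returns, but reversible."""
    return hashlib.sha256(id_number.encode()).hexdigest()

def keyed_token(id_number: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key: still consistent for frequency
    analysis, but the ID cannot be recovered from the token without the key."""
    return hmac.new(key, id_number.encode(), hashlib.sha256).hexdigest()

def all_ids():
    """Enumerate the entire (constructed) ID space."""
    for letter, a, b, c in itertools.product(LETTERS, DIGITS, DIGITS, DIGITS):
        yield f"{letter}{a}{b}{c}"

def recover_by_enumeration(token: str, tokenize: Callable[[str], str]) -> Optional[str]:
    """Defender's check: can a stored token be mapped back to an ID by
    hashing every possible ID? Returns the ID if so, else None."""
    for candidate in all_ids():
        if hmac.compare_digest(tokenize(candidate), token):
            return candidate
    return None

def demo() -> dict:
    key = secrets.token_bytes(32)  # secret; never stored with the tokens
    returns_log = ["A123", "B007", "A123"]  # constructed: A123 returned twice
    unkeyed = [unkeyed_token(i) for i in returns_log]
    keyed = [keyed_token(i, key) for i in returns_log]
    guessed_key = b"not-the-real-key"  # what someone without the key has
    return {
        "same_id_links": unkeyed[0] == unkeyed[2] and keyed[0] == keyed[2],
        "unkeyed_recovered": recover_by_enumeration(unkeyed[0], unkeyed_token),
        "keyed_recovered": recover_by_enumeration(
            keyed[0], lambda i: keyed_token(i, guessed_key)),
    }
```

Only the keyed variant supports the commissioners' stated purpose (frequency analysis over a consistent identifier) without retaining something equivalent to the ID number itself.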
On the collection and retention of payment card information for processing purposes, the commissioners held that TJX’s retention of information for 18 months in accordance with its contractual obligations to financial institutions was reasonable, but were critical of TJX’s practice of retaining the information for longer periods for “troubleshooting” purposes. They reasoned that TJX had not clearly established “troubleshooting” as a primary purpose for collection, nor had it established the need to retain information in order to troubleshoot.
Finally, the commissioners held that TJX did not meet the safeguarding standard in either act, primarily because it failed to upgrade its wireless encryption protocol within a reasonable period of time. Version 1.1 of the Payment Card Industry Data Security Standard was released in September 2006 and endorsed the “Wi-Fi Protected Access” or “WPA” encryption protocol. The commissioners said that TJX should have been adhering to this standard by “late 2006.” They commented:
TJX relied on a weak encryption protocol and failed to convert to a stronger encryption standard within a reasonable period of time. The breach occurred in July 2005, conversion began in October 2005, and the pilot project was completed in January 2007. We are also aware that the final conversion to a higher level of encryption will be completed soon.
Furthermore, while TJX took the steps to implement a higher level of encryption, there is no indication that it segregated its data so that cardholder data could be held on a secure server while it undertook its conversion to WPA.
TJX had a duty to monitor its systems vigorously. If adequate monitoring of security threats was in place, then TJX should have been aware of an intrusion prior to December 2006.
This comes just days after a settlement was announced in the related class action lawsuit.
Categories: Collection, use and disclosure · Data breaches · Records management
Tagged: consumer, fraud, identity, privacy, retail, security
Case Report - Another data breach claim dismissed
September 11, 2007 · No Comments
An American court has dismissed another data breach claim because the plaintiffs did not allege any damage other than the cost of obtaining credit monitoring services.
The plaintiffs provided their personal information to the defendant, a bank, in an online application for services. Their information was hosted by a third party and was subject to a malicious hacking attack in 2005. The Seventh Circuit upheld the bank’s motion to dismiss based on the inadequacy of the plaintiffs’ pleadings. It made the following comment on the recent court decisions that weigh against recovery of credit monitoring costs borne as a result of a data breach:
Although some of these cases involve different types of information losses, all of the cases rely on the same basic premise: Without more than allegations of increased risk of future identity theft, the plaintiffs have not suffered a harm that the law is prepared to remedy.
The outcome and reasoning in this case are similar to those in Kahle v. Litton Loan Servicing LP, discussed here.
Pisciotta v. Old National Bancorp (23 August 2007, 7th Cir.).
Categories: Data breaches
The Hicks Post - Data breach low hanging fruit
August 27, 2007 · No Comments
Paul Broad and I posted our fall edition of the Hicks Morley Information and Privacy Post today. It’s available here. In addition to some brief commentary on “data breach low hanging fruit,” we’ve included summaries of cases that we’ve reviewed since publishing our spring edition. The top draws in our current edition:
- The Divisional Court’s FOI decision on the anonymization of databases and whether replacing a unique identifier (that is also personal information) creates a new record
- The Ontario Court of Appeal’s finding that the public interest override in Ontario’s FOI legislation is unconstitutional and its reading-in remedy
- A decision by labour arbitrator Paula Knopf on a challenge to an employer’s short term disability administration practices
- The latest Ontario decision in the recent flare-up in drug testing litigation, a decision by labour arbitrator Jane Devlin
- A June 27th American e-discovery case that illustrates how not to manage a complex e-discovery project
Please check out the Post. Hope you enjoy!
Categories: Data breaches · E-discovery · Employee privacy · FOI and open government · Health privacy
Case Report - Latest American data breach case
August 21, 2007 · No Comments
This significant data breach case recently came to my attention. In it, the Southern District Court of Ohio dismissed a motion to certify a class proceeding because the plaintiff had not alleged any damage other than the cost of obtaining credit monitoring services.
The defendant, a mortgage loan service provider, experienced a break-in in August 2005. The thieves took over $60,000 in computer hardware, including four hard drives containing the personal information of over 229,000 individuals. About four weeks after the break-in, the defendant notified individuals of the breach. In its notification letter, the defendant recommended that affected individuals place a fraud alert on their credit files but did not offer to pay for credit monitoring services.
The plaintiff claimed the defendant was negligent in securing the hard drives and negligent in terminating its internal investigation of the breach before identifying the perpetrators. The resulting loss, as alleged in the claim, was the cost of obtaining credit monitoring services “for many years” and “at great expense.”
The Court held that the plaintiff did not have standing to bring a claim in negligence because she did not establish a genuine issue of material fact in respect of her own claim. It cited a series of American cases from the last two years for the proposition that the cost of responding to an increased risk of identity theft, when merely speculative, is not an actionable loss. The following paragraph is a nice summary of the factual basis for the Court’s decision:
Although the above cited cases are not binding on this Court, this Court finds them to be persuasive. Plaintiff has admitted that, to her knowledge, no unauthorized use of her personal information has occurred. She has not been a victim of identity fraud since the theft, which occurred 20 months ago. Additionally, Plaintiff waited until almost one full year after the theft to obtain credit monitoring and chose not to place a free fraud alert on her credit report. She also failed to allege in her complaint that the information was the target of the theft. Although in her briefs she theorizes that the break-in was an “inside job” and that the information was targeted, there is no evidence to support this. The four hard drives were among $60,000 worth of equipment that was stolen from the server room. There is no evidence that the information was the target of the theft as opposed to the actual hard drives themselves. Neither the Atlanta Police Department nor the private investigator hired by Litton came to any such determination. Furthermore, even if the information was the target of the theft, there is no evidence that the thieves or other unauthorized individuals were able to access that information or, if accessed, that it would be used for unlawful purposes. Thus, any injury of Plaintiff is purely speculative. It is Plaintiff’s choice to obtain credit monitoring in this situation; however, without direct evidence that the information was accessed or specific evidence of identity fraud this Court cannot find the cost of obtaining that credit monitoring to amount to damages in a negligence claim.
Kahle v. Litton Loan Servicing LP, 486 F. Supp. 2d 205, 706-07 (S.D. Ohio 2007).
Categories: Data breaches · Records management