1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar

IRS Warns About New Cyber Scam Targeting Taxpayers

Last month, the United States (US) Internal Revenue Service (IRS) issued a warning to US taxpayers that cyber criminals are increasing their efforts to steal more detailed financial information from taxpayers in order to provide a more detailed, realistic tax return and better impersonate legitimate taxpayers. These efforts include targeting tax professionals, human resource departments, businesses, and other enterprises that store large amounts of sensitive financial information. To mitigate against this threat, the IRS recommended that taxpayers and businesses that store taxpayer information take three steps:

  • Use Security Software. Use security software with firewall and anti-virus protections, and ensure the security software is always turned on and can automatically update. Encrypt sensitive files stored electronically, such as tax records, and use strong and unique passwords for each account.
  • Watch Out For Scams. Recognize and avoid phishing emails, threatening calls and texts from individuals posing as legitimate organizations, such as banks or credit card companies, or even the IRS. Do not click on links or download attachments from unknown or suspicious emails.
  • Protect Personal Data. Don’t routinely carry Social Security cards and make sure tax records are secure. Shop at reputable online retailers. Treat personal information like cash – don’t leave it lying around.

Recently, the IRS issued a specific warning of a quickly growing scam involving erroneous tax refunds being deposited into taxpayer bank accounts. Specifically, after stealing client data from tax professionals and filing fraudulent tax returns, cyber criminals are using taxpayers’ real bank accounts for the deposits and then using various tactics to reclaim the refund from taxpayers. In one version of the scam, criminals posing as debt collection agency officials acting on behalf of the IRS contact taxpayers to say a refund was deposited in error, and ask the taxpayers to forward the money to their collection agency. In another version, the taxpayer who receives the erroneous refund gets an automated call with a recorded voice saying the person is from the IRS. That person then threatens the taxpayer with criminal fraud charges, an arrest warrant and a “blacklisting” of their Social Security Number. The recorded voice gives the taxpayer a case number and a telephone number to call to return the refund.

In its new warning, the IRS repeats its call for tax professionals to increase the security of sensitive client tax and financial files, and outlines steps impacted individuals and enterprises may follow in the wake of a breach, including those outlined in Tax Topic Number 161-Returning an Erroneous Refund and the Taxpayer Guide to Identity Theft.

These new threats highlight the way cyber criminals are uniquely attempting to access sensitive personal information. As businesses increase their encryption and security efforts, these unique efforts by malicious actors will only increase. If you or your enterprise stores or transmits sensitive personal information, such as taxpayer identifying information, you should take time to audit your current practices surrounding how that data is secured, and how your relationships with third parties may impact that security. The Dentons cybersecurity team is prepared to help in those efforts.

Dentons is the world’s largest law firm, a leader on the Acritas Global Elite Brand Index, a BTI Client Service 30 Award winner, and recognized by prominent business and legal publications for its innovations in client service, including founding Nextlaw Labs and the Nextlaw Global Referral Network. The Dentons Privacy and Cybersecurity Group operates at the intersection of technology and law, and has been singled out as one of the law firms best at cybersecurity by corporate counsel, according to BTI Consulting Group.  

IRS Warns About New Cyber Scam Targeting Taxpayers

PIPEDA: Substantial Amendments Proposed by Parliamentary Committee

Since February 2017, the House of Commons Standing Committee on Access to Information, Privacy and Ethics has been reviewing Canada’s federal privacy statute – Personal Information Protection and Electronic Documents Act (PIPEDA) – including public meetings and submissions from stakeholders. A year later, the Committee issued its report outlining its recommendations that would see a significant overhaul of PIPEDA.

In the report titled Towards Privacy by Design: Review of the Personal Information Protection and Electronic Documents Act, 19 recommendations are proposed to the Government of Canada that would see significant changes to the operation of, and individual rights, around personal information. It’s clear in the report and the recommendations themselves that Europe’s General Data Protection Regulations were an influence.

Some of the Committee’s recommendations include:

  • to explicitly provide for opt-in consent as the default for any use of personal information for secondary purposes, and with a view to implementing a default opt-in system regardless of purpose
  • providing measures to improve algorithmic transparency
  • an examination of the best ways of protecting depersonalized data
  • providing for a right to data portability
  • a framework for a right to erasure based on the model developed by the E.U. The model would, at minimum, include a right for young people to have information posted online either by themselves or through an organization taken down
  • modernizing the Regulations Specifying Publicly Available Information in order to take into account situations in which individuals post personal information on a public website and in order to make the Regulations technology-neutral
  • clarification of the terms under which personal information can be used to satisfy legitimate business interests
  • a framework for the right to de-indexing
  • to give the Federal Privacy Commissioner enforcement powers, including the power to make orders and impose fines for non-compliance
  • to give the Federal Privacy Commissioner broad audit powers, including the ability to choose which complaints to investigate

During his September 2017 annual report to Parliament, Daniel Therien, Canada’s Federal Privacy Commissioner, emphasized the urgency to revisit PIPEDA in order to meet the realities of today’s world, including requesting the new enforcement powers. Organizations have been equally considering how Canada’s status as an adequate country will be affected as a result of the GDPR.

Click to read the report in full Towards Privacy by Design: Review of the Personal Information Protection and Electronic Documents Act.

 

PIPEDA: Substantial Amendments Proposed by Parliamentary Committee

CASL: A Call for Clarity

Today the Standing Committee on Industry, Science and Technology presented its report on Canada’s Anti-Spam Law (CASL) to the House of Commons, as part of the three-year CASL statutory review.

The report title is telling:  Canada’s Anti-Spam Legislation: Clarifications are in Order.  Having heard 40 witnesses ranging from CRTC counsel and enforcement staff, to small and large businesses and business associations, to consumer protection and privacy experts, the Committee made a strong call for clearer legislation, guidance, and compliance decisions.

The Committee noted that those affected by CASL (for better or worse) disagreed on important issues such as whether CASL has actually reduced spam, and whether the proposed private right of action (currently on hold indefinitely) should be enacted, amended, or scuttled altogether.  However, stakeholders almost all agreed on the need for the CRTC – the government’s principal enforcement agency – to step up with better guidance, in the form of more, and more accessible, interpretation guidelines and decisions.

It is worth noting that 6 of the 13 Committee recommendations expressly called to “clarify” aspects of the legislation or its application.  These recommendations refer to fundamental aspects of the law including what exactly is a “commercial electronic message”, which is the very subject of the anti-spam component of the Act.

Indeed, CRTC staff pointed to inconsistencies and redundancies in the law with respect to core definitions and exceptions.

The Committee appears to have clearly heard how time-consuming, resource-intensive and costly it can be for an organization to implement and operate a CASL compliance program, given both the details and uncertainties involved.  The published decisions and compliance undertakings made publicly available in the past three years have not provided much additional information or certainty.  Various witnesses before the Committee raised concerns that enforcement has focused on “well meaning” organizations that made errors in judgment or implementation, rather than the real “bad actors” responsible for malicious or disruptive electronic messages.

We agree with the Committee that clarifications are in order, particularly (but not only) if the government has any intention of revisiting the private right of action under CASL.

The Committee has requested that the government table a substantive reponse to its report.  We’ll be watching to see how far the government will go to address perceived shortcomings in this regime.  Three years is long enough to assess those shortcomings, and long enough to wait for clarity.

 

CASL: A Call for Clarity

NIST Releases Draft Update To Cybersecurity Framework

In 2014, the National Institute of Standards and Technology (NIST) released its first version of the Framework for Improving Critical Infrastructure Cybersecurity (Cyber Framework). The Cyber Framework was originally developed as a voluntary framework to help private organizations and government agencies manage cybersecurity risk in the critical infrastructure space (e.g., bridges, power grid, etc.). Since then, it has been widely adopted across industry as a benchmark standard for measuring an enterprise’s cybersecurity readiness.

Following feedback NIST received in December 2015 from a Request for Information, and comments from attendees at the Cybersecurity Framework Workshop in 2016 held at the NIST campus in Maryland, NIST released a draft update to the Cyber Framework in January 2017 called Version 1.1. Some of the key changes in the draft update included:

  • Adding a new section on cybersecurity measurement to discuss the correlation of business results to cybersecurity risk management metrics and measures;
  • Expanding the use and understanding of cyber supply chain risk management frameworks;
  • Accounting for authentication, authorization, and identity proofing in the access control section of the framework; and
  • Better explaining the relationship between the various implementation tiers and profiles.

Last week, NIST released a second draft of Version 1.1, which is open for public comment through January 20, 2018. The new draft expands on issues such as supply chain security and vulnerability disclosure programs. It also emphasizes the need for companies using the framework to develop metrics to quantify their progress. NIST says it hopes to finalize Version 1.1 in the spring of 2018.

If you are interested in submitting comments on the new draft of Version 1.1, or learning more about its proposed changes that will likely take effect in 2018, the Dentons Privacy and Cybersecurity Group is ready to assist.

Dentons is the world’s largest law firm, a leader on the Acritas Global Elite Brand Index, a BTI Client Service 30 Award winner, and recognized by prominent business and legal publications for its innovations in client service, including founding Nextlaw Labs and the Nextlaw Global Referral NetworkDentons’ Privacy and Cybersecurity Group operates at the intersection of technology and law, and has been singled out as one of the law firms best at cybersecurity by corporate counsel, according to BTI Consulting Group.  

NIST Releases Draft Update To Cybersecurity Framework

Canada’s Privacy Commissioner Pursues a Stronger Consent Framework and More Proactive Enforcement

On September 21st, 2017, Daniel Therrien, Canada’s Federal Privacy Commissioner, tabled his annual report to Canada’s Parliament today. The report to Parliament includes results and recommendations with respect to the OPC’s study on consent. In addition, the Commissioner requests Parliament overhaul Canada’s federal private sector legislation – the Personal Information Protection and Electronic Documents Act (PIPEDA).

Consent and Technology

A key issue for regulators and businesses is how to obtain meaningful and valid consent to collect and use personal information in the digital age. Revisiting and enhancing the consent model under PIPEDA is grounded in the Commissioner’s five year strategic privacy priorities. In 2016, the OPC issued a consultation paper regarding the challenges of obtaining meaningful consent in a continuously evolving technological ecosystem where the traditional “privacy policy” may not always be suitable. The OPC received feedback through roundtables, focus groups, surveys and receipt of 51 submissions from organizations, information technology specialists, academics, advocacy groups and other stakeholders.

Four Key Elements in Privacy Policies: The Commissioner stated that the OPC will be issuing an updated version of its consent guidelines that will require businesses and organizations to highlight in a user friendly way the following four key elements in their privacy notices:

  1. What information is being collected
  2. Who is it being shared with, including an enumeration of third parties
  3. The purposes for collecting, using or sharing including an explanation of purposes that are not integral to the service, and
  4. Identify the risk of harm to individuals, if any.

Risk of Harm: The OPC is amending its guidelines to require organizations to consider the risk of harm to individuals when considering the form of consent used. This consideration will be in addition to the sensitivity of the personal information and the reasonable expectations of the individual. We expect to learn more about this in the updated guidelines.

No-Go Zones: Expect new guidance for businesses and no-go zones where the use of information, even with consent, should be prohibited as inappropriate. The guidance will be aimed to provide clarity on what the OPC considers “inappropriate uses” under subsection 5(1) of PIPEDA.

Alternatives to Consent: The Commissioner outlined three potential solutions for enhancing privacy protection where traditional consent models conflict with advances in technology, including:

  1. De-identification: In some circumstances, like big data, de-identification protocols may be the right solution. The OPC will be issuing guidance on de-identification that will help businesses assess their protocols and reduce risk of re-identification to a low level where the information may be used without consent.
  2. Publicly available information: The Commissioner agrees that the categories of publicly available information in PIPEDA’s regulations are out of date, and should be revisited by Parliament. For now these exceptions remain the same, but we may someday see changes to the regulations.
  3. Call for reform of new exceptions: The Commissioner has requested that PIPEDA be amended to include new exceptions to consent (section 7 of PIPEDA) to address social activities not contemplated when PIPEDA was first drafted. The goal is to help organizations use data for new purposes that would benefit individuals and obtaining consent is not practical. For example, a mobile app wishes to now use information collected for geolocation mapping, and the business can demonstrate that the benefit of the new use of information outweighs the privacy incursion. This option would be considered a last resort and require pre-approval by the OPC.

Overhaul of PIPEDA including new Powers

The Commissioner reported that it is time to revisit how Canada’s federal privacy legislation, enacted in 2000, meets the realities of today’s digital world, including advances technology as well the addition of new enforcement powers already used by the OPC’s counterparts in the U.S. and Europe. The Commissioner proposed to Parliament that this overhaul include a new enforcement model that emphasizes proactive powers that are backed up by order-making authorities, including:

  • involuntary audits
  • issuing binding orders, and
  • impose administrative monetary penalties.

The request for reform of PIPEDA is certainly a hot topic as businesses and organizations await how Canada’s status as an adequate country is, or is not affected as a result of Europe’s General Data Protection Regulations.

Expect a more aggressive OPC

However, do not expect the OPC to wait for new powers. The Commissioner ended his report to Parliament adding that, beginning today, we can expect a more proactive and aggressive OPC with respect to enforcement. The OPC is sending a signal that complaints to the OPC will no longer be the primary tool and the OPC will be shifting itself as a proactive regulator ready to initiate investigations. The Commissioner reported that a complaint-driven model has its limits:

People are unlikely to file a complaint about something they do not know is happening, and in the age of big data and the Internet of Things, it is very difficult to know and understand what is happening to our personal information. My Office, however, is better positioned to examine these often opaque data flows and to make determinations as to their appropriateness under PIPEDA.

This is an important message. The Commissioner is not waiting for legislative reform and has put businesses and organizations on notice to expect a more active OPC, one that will be on the lookout for “specific issues or chronic problems” that must be addressed – possibly resulting in more Commissioner-initiated investigations.

More information

You can read the OPC’s news release here.

You can read the Commissioner’s remarks and full Annual Report to Parliament here.

Canada’s Privacy Commissioner Pursues a Stronger Consent Framework and More Proactive Enforcement