
Who’s Minding The Store?

Late last week, the office of the Privacy Commissioner of Canada announced a major breach within its own office with the loss of an unencrypted hard drive containing sensitive personal information relating to over 800 of its current and past employees.  The loss provides a test to Interim Privacy Commissioner Chantal Bernier, who recently took over the top job on an interim basis from departing Commissioner Jennifer Stoddart.

The Privacy Commissioner’s office announced that the information first went missing in mid-February during an office move, and that the breach was discovered in mid-March.  It was not until early April that it was determined that the hard drive contained sensitive financial information, including salaries.  Adding insult to injury, some of the missing personal information dated back 12 years. It is not clear what retention period should have applied to the data. Under Privacy Act regulations, the Commissioner would be required to retain the personal information for at least 2 years. Indefinite retention would be contrary to best practices; however, the Privacy Commissioner may be constrained by the provisions of the Library and Archives of Canada Act from destroying the information without permission of the Librarian and Archivist, depending on the exact nature of the records.  By comparison, the Office of the Information and Privacy Commissioner of Ontario operates under a different set of obligations.  In any event, this lengthy retention raises questions about appropriate retention periods and whether the information ought to have been securely destroyed after an applicable retention period expired.

In fairness to the Commissioner’s office, it is believed that the missing information is not accessible without specialized software and technical knowledge, and that the information taken cannot result in identity theft.  But it may be a concern to Canadian entities bound by the Personal Information Protection and Electronic Documents Act as well as the Privacy Act to know that not only did the breach occur, but the Commissioner’s office did not notify employees or the media immediately, and did not file a police report.  On the good news front, Commissioner Bernier has stated that the breach gives her better insight as to what amount of time is reasonable for an organization to investigate a possible breach prior to taking action.


The Importance of Policies

A recent settlement with the US Department of Health and Human Services Office for Civil Rights (OCR) demonstrates the importance of privacy and security policies, even where no other regulatory violations have occurred.  APDerm, a Massachusetts-based dermatology practice, agreed to pay $150,000 to settle claims that it violated HIPAA and HITECH regulations by failing to have breach notification policies and procedures in place.

OCR began an investigation of APDerm after receiving a report of a lost USB thumb drive that may have contained the PHI of up to 2,200 individuals.  Although OCR found no evidence of actual harm or of PHI having been accessed, and APDerm had notified potentially affected individuals in a timely manner, APDerm lacked written policies and procedures implementing the breach notification rule and had not trained its workforce members on it, among other alleged HIPAA violations.



California Court Interprets E-Mail Addresses under the Song-Beverly Act

One of the most interesting and important developments in retail privacy cases is a recent unpublished decision, Capp v. Nordstrom.  The Court in Capp interprets the application of California’s Song-Beverly Act to email addresses.  Nordstrom requested an email address from its customer in order to send an electronic version of the customer’s receipt.  The Court, in a matter of first impression, found that the email address constituted “PII” [Personal Identification Information] as defined in the Credit Card Act at Cal. Civ. Code section 1747.08(b).  The broader potential implication of Capp is that the Court did not find that the “special purpose” exception applied.  This exception allows the collection of PII “for a special purpose incidental but related to the individual credit card transaction, including, but not limited to, information related to shipping, delivery, servicing, or installation of the purchased merchandise, or for special orders.”  The rationale in the Nordstrom case was that even where retailers obtain and use PII for a special purpose, that does not then allow the retailer to use the information for all purposes.  This issue is going to be hotly contested in California and other jurisdictions with similar exceptions, and may implicate the use of loyalty programs.  How courts determine this issue will likely turn on what the program agreements provide in terms of how the information will be used, an issue not previously dealt with in any of the current case authority.

There is some practical, if limited, guidance in the opinion on the importance of when retailers ask for PII at the point of sale.  While the Court rejects Nordstrom’s argument that the federal CAN-SPAM Act pre-empts the Song-Beverly Act from governing email, the Court suggests that if the information [here, the customer’s email address] is requested after the transaction is complete, the request would comply with the Song-Beverly Act and could also comply with the objectives of the federal CAN-SPAM Act.  This supports the position that the timing of the request is key.  Thus, if the transaction is over and a retailer then obtains a customer’s PII together with the customer’s agreement about future uses, the retailer can comply with the Act.

This case adds to the issues facing retailers regarding point-of-sale requests for information, including the use of email even for special purposes such as delivering receipts.  The case signals a trend in which courts are likely to expand the definition of PII to include any type of information that can be linked to a customer’s identity for use in marketing or other data mining.

