It is a perilous path when companies and governments decide that the law does not matter and the corporation is merely an agent of the state for however it may wish to monitor customers.
Yesterday, it was reported that the customer records of more than 3.4 million Canadians were stolen in mid-January. It took four weeks before the theft was revealed to Bell Canada’s customers. And while the information was eventually recovered, no explanation has been provided as to what shortcomings existed in its system that would have permitted such a huge breach of privacy. It is hard to imagine that these records were adequately protected if they could be stolen on such a scale. And their theft raises serious questions about how well more sensitive data, including the banking records of customers, is protected. The delay in bringing the breach to the public’s attention shows again that there is need for legislation that would force companies to advise customers immediately when a theft of their information occurs –not weeks after the fact.
Once again, we note that Canada’s Privacy Commissioner is noticeably absent from this file. Twenty-four hours after the theft was made public, the Commissioner’s website hasn’t even acknowledged the incident, much less indicated that it has commenced an investigation. Speed is not a function typically associated with this office. There still has been no explanation of the result of any investigation in connection with the disappearance in 2006 of the personal financial information of 470,000 CIBC customers, which we wrote about here.
In the United States, a breach of a different kind occurred yesterday, when the Senate voted to give giant telecoms immunity from lawsuits as a result of their assisting authorities in the warrantless wiretapping of calls made by their customers to overseas destinations. The telecoms, including giant AT&T, lobbied the Bush Administration and Congress for the bill, and they were more than happy to oblige. For its part, business expects that customers will play by the rules. Legions of lawyers are employed to ensure that they do. It is not unreasonable, it seems to us, that customers are entitled to expect that business will also play by the rules as they exist at the time, and when its does not, whether in privacy matters or wiretapping, consequences should follow.
Retroactive legislation seldom makes for good law or sound public policy. It is a perilous path when companies and governments decide that the law does not matter and that the corporation is merely an agent of the state for however it may wish to monitor customers. Yahoo’s CEO was recently castigated by the House Foreign Affairs Committee for that company’s role in turning over customer emails to security officials of the government of China. In the 1930s, major players in the German business sector eager to be seen as cooperating with the new Hitler Reich during its infamous Gleichschaltung period, volunteered to turn over personal information about their Jewish customers and employees. They argued it was in the national interest to do so.
Fighting terror is a necessary cause in the preservation of liberty and civilization. But in that fight, the distinction between the values of the terrorists and the values of their democratic targets must never be lost. Islamic extremists do not value individual rights, personal freedom or privacy. These are the hallmarks of western democracies. And when elected governments begin to erode these rights in the so-called defence of democracy, they place both in jeopardy.
Telecoms routinely boast about their commitments to protecting customer privacy. But these events show that individuals can depend little on such claims and even less upon the public officials and policy makers who are supposed to be on the frontline of ensuring that protection.
Talvest customers’ records missing more than three months and still no explanation from company or privacy watchdog as to what happened.
It has now been more than three months since Talvest Mutual Funds, a division of CIBC, reported to the public that a back-up computer record went “missing” during transit. The actual loss took place in December of last year. We have written on this subject on a number of occasions since. Still, after all this time, there is no follow-up to be found on the Talvest or CIBC websites or that of the federal privacy commission of Canada. One gets the impression that everyone connected with the problem would just like to see it go away with no explanation offered as to what happened that could have so seriously compromised the personal financial information of thousands of customers —everyone except the customers, that is.
Some months ago we posed the question: Why do these privacy breaches continue to happen so frequently? The answer, in part, can be found in this example of how companies and government officials deal with such issues. It is a classic case of a failure to follow up, a failure to keep customers informed and a failure on the part of the regulator to show that it is taking the matter seriously.
Last January it was the huge privacy breaches involving Winner stores and Talvest Mutual Funds. As we noted with considerable dismay at the time on these pages, Canada’s federal Privacy Commissioner waited weeks before going public with the information, leaving customers whose privacy had been compromised in the dark. Now, the problem involves Rogers Communications Inc., one of Canada’s largest telecommunications carriers. (more…)
The Centre for Corporate & Public Governance has written to the chairman of Canada’s Senate Banking Committee to urge that it commence hearings into recent privacy violations involving the personal financial information of millions of Canadians. The call was made in response to the tremendous number of inquiries and comments the think tank has received from people concerned about these massive breaches of personal information. They want explanations and action.
They were also alarmed at the tortoise-like approach of Canada’s Privacy Commissioner, as reported in The Centre’s statement. Several expressed additional episodes of frustration in dealing with that office. As a result of this response, The Centre has also called on the Committee to examine the actions of the Privacy Commissioner in respect of her delay in making recent breaches public as well as problems experienced by individuals in seeking the involvement of her office in privacy matters.
The full text of the letter to Senator Jerahmiel Grafstein is available here.
Once again, privacy, or the breach of it, is in the news. Millions of customers of retail chain TJX in Canada and the United States have had their financial information and credit card numbers exposed to hackers. In Canada, Talvest Mutual Funds, a division of CIBC, one of that country’s largest banks, said a backup computer file had disappeared with the personal financial information of half a million customers. It happened late last month, but was only revealed to the public this week.
CIBC has had similar problems before, with records of customers repeatedly being faxed to a dump site in West Virginia and the bank refusing to take action to stop it until it became a public relations disaster.
There are many unanswered questions about these recent events, some of which are set out in a statement by The Centre for Corporate & Public Governance. Normally, such occurrences would be sufficient cause for outrage on the part of customers and concerned citizens. But the real story here, as The Centre has stated, is the existence of a culture of complacency, if not outright negligence, in the safeguarding and protection of personal information. Time and again, companies confess breaches in the safeguarding of personal information. Time and again, governments fail to act.
As The Centre notes in its statement, Canada’s privacy watchdog has disappointed many Canadians in the handling of their complaints.
…many individuals are of the view that privacy authorities have displayed an overly casual, and in some circumstances, inept, approach to the enforcement of existing privacy laws, which has compromised their confidence in the current privacy protection regime. The Centre regularly receives complaints from individuals about inadequate and unacceptable treatment by government privacy watchdogs, including the office of the federal privacy commissioner. In a number of cases, complainants were either ignored entirely or received only a perfunctory response after several attempts were made to have issues addressed. In one situation, the federal privacy office took no action and refused even to commence an investigation when senior officials of a Canadian chartered bank could not account for the whereabouts of a letter containing the customer’s personal information that was faxed to them. In other cases, complainants were of the view that the privacy watchdog had a disturbing predisposition to accept the word of the institution it was supposed to be investigating without inquiring into the facts, including at least one situation where a customer had inadvertently been sent electronic files containing the personal information of dozens of employees of a major financial institution.
There is a need, in an increasingly networked age, for a more robust approach on the part of the corporate sector and governments to the protection of individual privacy. The need is urgent. When a major financial institution can become a second offender in failing to protect sensitive information entrusted to it –and some might suggest there have been more episodes at this bank– there is clearly a problem in enforcement.
This most recent breach came to the attention of Canada’s privacy commissioner before Christmas. It is just coming to public attention now. What has she done? Little detail is being provided as to whether the information was protected by encryption and passwords, much less the circumstances surrounding the disappearance of the data. Canada’s privacy commissioner looks like a hapless spectator in yet another CIBC privacy fiasco when she should have been a pit bull on the scene demanding answers and ensuring quick disclosure of the loss.
As The Centre’s statement observes, there is a need for tougher laws that will protect Canadians and punish offenders. It has called on the federal government to initiate that process and on committees of the House of Commons and Senate to hold hearings that will bring forward witnesses from the corporate sector and those who have had their privacy violated and identity stolen. But Canada also needs an aggressive watchdog who will change the culture of complacency over the safeguarding of personal information to one of fear for the consequences if a company fails to protect personal information. It begins by treating individuals who come forward with instances of breaches in their personal information with respect and the seriousness they deserve, not by ignoring them or sloughing them off. And it means having a privacy commissioner who will be a watchdog that bites when repeat offenders are discovered, not a lapdog that squeaks out a press release.
Canada’s top privacy guardian allowed too much time to pass between when these breaches occurred and when they were made public, and too many important questions to go unanswered. In the process, she has lost her leadership role and let down Canadians who depend upon her, which is why the privacy commissioner’s handling of her duties over this most recent fiasco is the Outrage of the Week.
The celebration of Martin Luther King day serves also as a reminder that America has produced other kings who have changed the world for the better. Civil rights and music are two contributions that have given the United States a unique place in the hearts of many, regardless of native language or culture.
This is perhaps a good thing to reflect upon during this time of America’s testing in Iraq and the unsettling effect it continues to have on the American image abroad. Its reminder is all the more timely given that almost each day seems to bring more troubling stories about another new instance of domestic surveillance and with it a further incursion into the privacy of citizens.
The forces that liberate the soul and allow people to be treated with dignity and respect still remain music to the ears of countless millions –and to most Americans themselves. This was something Dr. King uniquely understood and gave such eloquent voice to. The other kings provided the melody in their own equally distinct fashions.
For more youthful readers, the fellow in the middle photo is Benny Goodman, known in his time as “the king of swing.” Benny was a pioneer of civil rights in the music industry, showcasing many African Americans who were shunned by other top bands, including a young Lionel Hampton. In the 1930s, the Benny Goodman trio and quartet were among the first racially integrated jazz groups to record and play before wide audiences. Take it from a one-time aspiring jazz musician, this cat played one cool stick. He was a favorite of both Dr. King and Elvis for the “content of his character” as well as the quality of his talent.
