Reckless Vulnerability?

Rapid7 announced that an attacker with a directional antenna and a laptop can eavesdrop on wireless keyboards manufactured by Microsoft, Logitech, and other vendors, capturing every keystroke from over 30 feet away. This leaves corporate networks open to illicit intrusion and data theft that will probably look like a data breach originating from within the company.

For a look at what the hacker will get, go to this interesting presentation.

Would this be Reckless Personal Information Handling if this vulnerability was exploited at your company?

Ten Private Investigators Indicted

Ten private investigators were indicted on December 5, 2007, in Seattle, WA, by the U.S. Attorney’s office.

The alleged defendants collected information via pretext from the I.R.S., Social Security Administration, various State Unemployment Insurance Departments, private financial institutions, banks, pharmacies and hospitals. The alleged defendants fraudulently posed as the individuals about whom information was sought.

If this is true, they broke Rule #1.

Washington State requires a Private Investigator to be licensed. However, it seems that BNT Investigations and the three named individuals in Washington state might not have state-issued Private Investigator’s licences. I don’t know the licence status of the others.

This type of behaviour is not new. In Canada, this issue was, in part, dealt with during the Royal Commission of Inquiry into the Confidentiality of Health Records in Ontario, Canada, by Mr. Justice Horace Krever.

The Royal Commission heard from over 500 witnesses, including private investigation firms, insurance companies, hospitals, and others. During 1976 and 1977, the Royal Commission found evidence of hundreds of successful efforts to acquire health information from Ontario hospitals and doctors under pretext.

The Insurance Bureau of Canada admitted to the Royal Commission that its members had gathered medical information through “various sources” without the authorization of the patients.

Several investigation companies went out of business due to the Royal Commission exposing their activities.

Where there are clients willing to pay for this improper and unprofessional behaviour, there will be providers of such services.


Reckless Personal Information Handling

If passed, Bill C-27 (2nd Session, 39th Parliament, with first reading on 21 Nov 07) will make it an offence to recklessly make available or sell personal information knowing it will be used to commit fraud.

The wording that concerns me:

Everyone commits an offence who transmits, makes available, distributes, sells or offers for sale another person’s identity information, or has it in their possession for any of those purposes, knowing or believing that or being reckless as to whether the information will be used to commit an indictable offence that includes fraud, deceit or falsehood as an element of the offence

How will the term “reckless” be defined and measured? The people writing this law need to take into consideration what has happened with the requirement to safely store firearms.

In the case of the law requiring the safe storage of firearms, a group of street gang members rappelled down the side of an apartment building and broke into an apartment, and for four days, they continuously used industrial power tools to open a huge money safe and steal some handguns. Without a clear definition in law of what constitutes “safe storage”, the gun owner was charged with unsafe storage of the firearms. This type of malicious misuse will surely follow if Bill C-27 is passed without a clear definition of what constitutes being reckless.

Tort for Negligent Investigations

The Supreme Court of Canada has recognised the tort for incompetent investigation. This area of law has been receiving more attention over the past decade and I expect we will see a case involving a Private Investigator over the next few years.


Privacy & Stupidity

The CRA vs. Canadian men
by Karen Selick, National Post Published: Wednesday, November 07, 2007

A wonderful article about the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Privacy Act and the infinite stupidity of the bureaucrats enforcing acts written by inept people who do not understand or care about the consequences of the laws they create.

Industry Canada Launches Public Consultation on PIPEDA Reforms

The following appeared on Michael Geist’s Blog:

The government’s response to the PIPEDA review included a promise to consult on possible reforms to the law, including the creation of a mandatory data breach notification requirement. On Friday, Industry Canada published the promised consultation in the Canada Gazette, asking Canadians for comments on the data breach requirement along with a series of smaller changes to Canada’s national privacy law. For those that don’t have PIPEDA consultation fatigue – this is effectively the third consultation on these issues in the past 18 months (the Privacy Commissioner consultation, the Ethics Committee hearings, and now the Industry Canada consultation) – the deadline for responses is January 15, 2008.

Restrictive covenants enforced against departing employees

From Landon P. Young of Stringer Brisbin Humphrey

Two disgruntled senior employees resign effective immediately without notice. The company is caught off guard. The departing employees join a competitor that has just opened a new office and take a significant chunk of business and support staff with them…

…the employees had signed employment contracts that included restrictive covenants. These covenants enabled Staebler to sue the former employees, as well as their new employer, for damages…

… the (Ontario) judge concluded that the covenants were enforceable…

The Companies’ Creditors Arrangement Act

The Companies’ Creditors Arrangement Act (R.S.C., 1985, c. C-36) (CCAA) allows a plan of compromise between debtor and creditors to resolve the financial problems of a distressed company. The CCAA may only be applied where claims against the debtor company exceed $5 million. In short, the CCAA provides the insolvent company protection from the actions of creditors and allows the insolvent company to continue operations while a plan of arrangement is constructed.

To date, CCAA information is scattered across the country in various court offices, without any centralized recording. At the outset of a recent study, Industry Canada estimated 175 cases exist; the study located 219 cases under the act. There may be more that the study did not find.

Currently no requirements exist for debtor corporations in CCAA proceedings to report data or to publicly disclose it in a consistent way. Financial information and pension deficit information need to be reported in a consistent and accurate format. This is particularly important regarding pensions, as unfunded pension liabilities have impelled many recent CCAA filings.

A proposed amendment to the Bankruptcy and Insolvency Act may force the Office of the Superintendent of Bankruptcy to collect uniform data into a cross-country database.

Escorts, Incalls, and Massage Parlours

It’s not unusual for a Private Investigator to seek evidence of prostitution or encounter it by chance.

When I was doing surveillance, I followed quite a few prostitutes. I followed them to hotels, homes, massage parlors, and once during the 80’s, to a popular street corner. An associate recently followed one to court.

With street prostitution in Toronto nearly wiped out by legislation, PIs normally encounter Escorts, Incalls, and Massage Parlours. Here is my short primer on the subject.
