Identity Theft - Working Group Progress Report 2008


1 That paper is online: . The Working Group noted the concerns about the phrase “identity theft”, but accepted that the term has become one of convenient usage. Longer term solutions to the issue need a subtler analysis, however, and should not be limited to matters of identity nor to a single focus on questions of theft. One illustration of such an approach is included in the excerpt from the table found in the conclusion to this report.

2 The full resolution is here:

3 Whether to legislate on breach notification about personal information that is not otherwise protected by privacy legislation is discussed in section (j) (paragraphs 58 ff.) A province or territory that does not have privacy protection legislation could be asked to pass our uniform law as a free-standing separate obligation. PIPEDA would apply to most but not all such information in such a province.

4 See for example PIPEDA Schedule 1 s. 4.7 for the principles of safeguards for personal information.

5 See the site of the Payment Card Industry Security Standards Council: They require merchants dealing with payment cards to follow certain rules about handing, storage and transmission of credit card information. A quick overview is here: The Canadian Standards Association Model Privacy Code was originally a private standard (or private/public standard), before it became law imposed by PIPEDA. The appendix to Part I of PIPEDA reproduces part but not all of that standard.

6 See for example the suggestions for encryption standards for mobile devices, as published by the Information and Privacy Commissioner of Ontario in 2007: “Safeguarding Privacy in a Mobile Workplace; Protect the information you keep on your laptops, cellphones and PDAs”,

7 It might make more sense in this context, therefore, to speak of a “compromise” of security of personal information, rather than of a “breach”. The latter term is ambiguous, and could refer to a breach of the applicable standard rather than to a breach of security. Only the latter question is relevant here. However, the literature on the topic tends to use the two terms interchangeably. Whether there has been a “breach” or “compromise” is a different question from whether there has been a sufficient ‘loss’ to justify notification. That question too is independent – this paper submits – from the degree of compliance with the applicable standard. Reportability is addressed in paragraphs 20 ff.

8 See for example “A Chronology of Data Breaches” by Privacy Rights Clearinghouse, frequently updated:

9 Privacy Commissioner of Canada, “Key Steps for Organizations in Responding to Privacy Breaches”,, Step 2, (ii) (“Key Steps”). For similar advice from the United Kingdom’s Information Commissioner, see “Notification of Data Security Breaches to the Information Commissioner’s Office”,

10 The Privacy Commissioner of Canada defines privacy breach to include unauthorized collection or use of personal information as well as disclosure. See “Introduction to Key Steps for Organizations in Responding to Privacy Breaches”, The Information and Privacy Commissioner of Ontario says the same, in “What to do if a Privacy Breach Occurs: Guidelines for Government Organizations”,, p. 3 (“What to do”). Nevertheless all the recommendations, and all the statutes on the subject, refer in practice only to unauthorized access to or disclosure of information.

11 Privacy Commissioner of Canada, “Key Steps”, above, note 9, Step 2(iv) and Information and Privacy Commissioners of B.C. and Ontario, “Assessment Tool”, below, note 19, Step 1.

12 K. Kiefer Peretti, “Data Breaches: What the Underground World of ‘Carding’ Reveals”, 25 Santa Clara Computer and High Technology Jl, forthcoming, online:

13 M. Minik, “Medical ID Theft: A Threat to your Life and Wallet”, The National Notary, March 2008, p. 48. There may be more risk of use of medical information where the thief can take advantage of private health insurance already acquired by the person whose information is taken, including running up the maximum benefits under the policy.

14 See references to case law, note 31. See also a discussion of the availability of insurance for data holders: K.P. Kalinich, “Legal Exposure to the Maxx: Insurance for Breaches of Data Privacy and Information Security”, Aon Insurance 2008: and a blog discussion of this paper on Network World: tegiesal

15 There are also costs among data holders. For example, if a merchant compromises the information of
holders of credit cards, the card issuer may have to incur the considerable expense of reissuing many cards. In the United States, card issuers have sued merchants to recover these costs, though not yet successfully. D. Rice, “Civil Actions for Privacy Violations 2007: Where are we?” Howard Rice website: %20Where%20Are%20We.pdf at pp 2-4. Some states have enacted legislation to require merchants to compensate card issuers in some circumstances. See Minnesota Statutes ch. 325E, Bill H.F. 1758, Other states are considering such legislation. T. Probin, Privacy Law Blog, “In response to TJX Privacy breach, one state enacts legislation imposing new security and liability obligations; similar bills pending in five other states”, May 29, 2007:­state-enacts-legislation-imposing-new-security-and-liability-obligations-similar-bills-pending-in-five-other-states.

16 Privacy Commissioner of Canada, “Key Steps”, above, note 9, Step 3.

17 Ibid.

18 “barring exceptional circumstances.” IPC Ontario, “What to do”, above, note 10, p.4.

19 Information and Privacy Commission of British Columbia, “Key Steps in Responding to Privacy Breaches”,, p. 3. (“Key Steps – BC”).

20 IPC – BC and IPC – ON, “Breach Notification Assessment Tool”, December 2006, .

21 This is essentially what the federal government appears to be proposing for PIPEDA, according to press reports.

22 This eliminates the “substantial” test for the risk ,but leaves the “serious” test for the harm.

23 This requires the risk to relate to the statutory standards for treating the information. It does not focus on harm as such, but presumes that the statutory standards were created to prevent harm. This is the recommendation of the CIPPIC submission to Parliament in January 2008. CIPPIC Submission to Industry Canada re: PIPEDA reform issues:, page 8ff.

24 See the discussion below at paragraphs 45 ff about enforcement.

25 K. Kiefer Peretti, “Data Breaches”, above, note 12, at page 28: “These reporting requirements are vital to the ability of law enforcement to investigate the types of crimes involving large scale data breaches”. The author is an attorney with the U.S. Department of Justice.

26 See CIPPIC submission on PIPEDA, above, note 23 page 6.

27 The term “relevant” privacy commissioner avoids concern with the constitutionality of particular statutes. Quebec has challenged the constitutional status of PIPEDA’s privacy rules. The outcome of that challenge may affect which commissioner has the power to act, and thus which will be “relevant” for the present obligation. The resolution of such questions is beyond the scope of this paper.

28 See above, paragraph 25.

29 It is beyond the scope of this paper to discuss and a fortiori to provide the other remedies - especially civil – that the law may allow. See however the discussion in paragraphs 53 ff.

30 Industry Canada’s information is at

31 See for example Pisciotta v. Old National Bankcorp,(2007) 7th circuit Court of Appeals: American courts, like Canadian, are reluctant to give damages for pure economic loss, which is how they have characterized the harm of identity theft, despite the psychological stress and the time spent making one’s reputation good. See A. Ramasastry, “Stolen Laptops and Data Theft”, June 15, 2006:, However, recently a court refused to strike out a class action based on similar facts:

32 See the discussion of alternative remedies at paragraphs 53 ff below. A British study of damages awarded for intentional breaches of privacy show that even they are low. Farrer & Co., “Privacy Damages and Harassment”, January 2008,

33 The legislation is reported at on May 12, 2008:

34 The general U.S. law provides one free check a year. Victims of identity theft are often given additional rights to check for free.

35 Security freeze legislation in particular is analysed by Consumers Union: See also and

36 A number of private services offer what they say are methods to prevent or repair identity theft. For a review of such services, see

37 There is still a risk that someone will use an existing account, rather than opening a new one.

38 The ULCC working group has not yet consulted consumer credit reporting agencies about the desirability or management of such a requirement.

39 For a quick summary as of the end of 2006, see the report of the Privacy Commissioner of Canada to Parliament, Appendix VI: “Overview of American Data Breach Notification Laws”: A very thorough “Security Breach Notification Chart” is provided by the Perkins Coie law firm at:

40 It is not clear to the writer whether PIPEDA purports to apply to all personal information in the territories.

41 The nature, scope and function of these provisions is described in documents available from the Office of Privacy Protection within the California Department of Consumer Affairs. An overview is provided in “How to Use the

California Identity Theft Registry: A Guide for Victims of ‘Criminal’ Identity Theft”, available at

42 “Report of the BJS/SEARCH National Focus Group on Identity Theft Victimization and Criminal Record Repository Operations”, Bureau of Justice Statistics and the National Consortium for Justice Information and Statistics (SEARCH), page 3, available online at

43 “How to use the California Identity Theft Registry: A Guide for Victims of ‘Criminal’ Identity Theft”, California Department of Consumer Affairs Office of Privacy Protection, page 2, available online at

44 Presentation of Beth Givens, Director , Privacy Rights Clearinghouse, to the Identity Theft Summit in California, 2005, available online at, “Establishing a National Research Agenda on Identity Management and Information Protection: Report of the CIMIP Identity Management Research Workshop”, pages 16, 28. Center for Identity Management and Information Protection, Utica College July 2007. Research papers from this organization are available online at

45 See for example, “Identity Fraud Trends and Patterns: Building a Data-Based Foundation for Proactive Enforcement”, Gordon, Rebovich, Choo, Gordon, Center for Identity Management and Information Protection, Utica College October 2007.

46 “First Estimates from the National Crime Victimization Survey: Identity Theft, 2004”, Katrina Baum, Bureau of Justice Statistics Bulletin, April 2006.

47 Federal Trade Commission 2006 Identity Theft Survey Report, at pages 61-4, Synovate, November 2007.

48 See for example, “Report on Identity Theft”, Bi-National Working Group on Cross Border Mass Marketing Fraud, October 2004, available online at

49 Many reports contain compelling anecdotal accounts. See for example, “Identity Theft” in Problem Oriented Guides for Police: Problem Specific Guide Series No. 25, pages 17-19, Office of Community Oriented Policing Services, United States Department of Justice, Beth Givens presentation, supra.

50 Many articles describe these aspects of the problem, including, Report of the BJS/Search Focus Group, supra, at pages 4-5, “Report of the National Task Force on the Commercial Sale of Criminal Justice Record Information”, The National Consortium for Justice Information Statistics, 2005, available online at

51 Focus Group, supra, at page 8.

52 Focus Group, supra, page 6.

53 See for example, “Do you have the Background Check Blues” in Privacy Update No.1:8, December 17, 2003, Privacy Rights Clearinghouse. This document is available online at

54 Focus Group, supra, page 6.

55 Focus Group, supra, page 7.

56 Minnesota HF 1943, Session 84, Wyoming Senate File SF0053, Arizona HB 2716, Illinois, 20 ICLS 2630/5(b).

57 How to use the California Identity Theft Registry, supra, at pages 2-3.

58 How to use the California Identity Theft Registry, supra, page 5.

59 How to use the California Identity Theft Registry, supra, page 6.

60 California Penal Code California Penal Code 530.6, 851.8(a)-(d).

61 California Penal Code 851.8(h).

62 Testimony of Joanne McNabb, Chief, California Office of Privacy Protection, March 21, 2007, Senate Judiciary Committee. This evidence is available online at See also, “Locking up the Evil Twin: A Summit on Identity Theft Solutions”, March 1, 2005, at page 8. This document is available online at

63 “Identity Theft Victim Verification/Passport Demonstration Program”, Office for Victims of Crime, Department of Justice, February 2004, available online at, “Passport Helps Rescue Ohio Identity Theft Victims”, Nevin Barich, National Notary Association, Notary News August 15, 2005, See also,

64 “Identity Theft Statutes and Criminal Penalties”, June 13, 2006, “2007 Enacted Identity Theft Legislation” National Conference of State Legislatures, available online at­legis.htm.

65 “Combating Identity Theft: A Strategic Plan”, April 2007, President’s Task Force on Identity Theft, available online at

66 “Identity Theft Verification PASSPORT Program: Fiscal Year 2006 Annual Report”, Crime Victim Services Section, Office of the Ohio Attorney General, available online at

67 “The National Crime Information Center Identity Theft File” Vernon M. Keenan, Director, and Marsha O’Neal, Criminal Justice Information System Operations Manager, Georgia Bureau of Investigation, Decatur, Georgia available at See also, Focus Group, supra at page 8, “National Crime Information Center (NCIC) Technical and Operational Update”, 06-1, April 28, 2006, available online at This information can only be included with the consent of the victim, “National Crime Information Center (NCIC) Technical and Operational Update, 06-1, April 28, 2006”, available online at, “Information Bulletin 05-14BCIA”, National Crime Information Center (NCIC) Identity Theft File, California Department of Justice, June 1, 2005.

67 For example, constitutional issues related to the subject matter in question were a factor to be addressed in consultations relating to the creation of a DNA Missing Persons Index, available online at­

68 For example, constitutional issues related to the subject matter in question were a factor to be addressed in consultations relating to the creation of a DNA Missing Persons Index, available online at­

69 Identification of Criminals Act, R.S.C. 1985, C. I-1, s. 2(1).

70 Personal Information Protection and Electronic Documents Act 2000 c.5, Schedule 1, Principle 4.3. The exemption for designated investigative bodies does not apply in the context of background checks.

71 For example, see the Instructions for the Civil Fingerprinting Service of the RCMP at http://www.rcmp­

72 Both of the documents described in these paragraphs were prepared by Jeanne Proulx, Counsel and Legislative Draftsperson, Quebec. They are entitled Protection contre l’appropriation d’information, volet prevention, and Appropriation d'information, grille d'analyse. Unfortunately, due to the size of these documents they could not be included in this report, but may be made available on request.

Next Annual Meeting

2020 Annual Meeting

Place to be Announced

August 9 – 13, 2020