Commissioner initiated complaints against Internet pharmacies
PIPEDA Case Summary #2005-310
(Principles 4.3 and 4.7)
Complaint
In 2004, the Office of the Privacy Commissioner of Canada received a number of letters and inquiries from U.S. customers of a particular Canadian internet pharmacy, alleging that their personal information had been disclosed without their consent and that the company had failed to implement security safeguards appropriate to the sensitivity of the information. All of the complainants had been contacted by other internet pharmacies, some of which appeared to possess detailed knowledge concerning the medications the customers had been receiving.
All of the complainants asked the Office to keep their identity confidential, as per subsection 27(1) of the Personal Information Protection and Electronic Documents Act (Footnote 1), as the purchase of prescription drugs from Canadian internet pharmacies is contrary to the U.S. Food and Drug Act. The company, which had admitted to the Office that there had been a breach of the security of the personal information it held, would not share additional information about the issue with the Office unless there was a formal complaint. Subsection 11(2) of the Act states that if the Commissioner is satisfied that there are reasonable grounds to investigate a matter under Part I, the Commissioner may initiate a complaint in respect of that matter. Accordingly, the Assistant Privacy Commissioner initiated six complaints against three companies: disclosure and safeguards complaints against the company whose information was breached (Company A); and collection and use complaints against two other companies that purchased the information of the first company’s customers (Companies B and C).
Summary of Investigation – Company A
Company A admitted that there had been a breach of security of the personal information it held. In 2003, two staff members of Company A collaborated to steal the company’s customer list. It was downloaded onto disk and sold to an American who was operating an internet pharmacy in the United States and had also set up a Canadian company. He, in turn, sold all or parts of the customer list to two other internet pharmacies through his Canadian company in 2003. Neither his Canadian company, nor its U.S. parent, is still in business; accordingly, the Office could not initiate complaints against it.
Company A believed that the information stolen included the first and last names of customers, their addresses, telephone numbers, and age. The company also believed, but could not confirm, that the customer list included prescription information for each client. The Office could not confirm that the customers’ prescription drug use information had been stolen or sold.
As a result of the incident, Company A conducted a review of its safeguards. It enhanced a number of security measures, including several that did not figure in the theft of its customer list. It has become a paperless information system, and uses improved IT software. It is no longer possible to access its computer system remotely, nor is it possible to download the customer list from a single workstation. There is daily tracking of activity on the computer system. Existing customer records are stored in a room that locks automatically and uses an electronic keypad instead of keys.
Findings
Issued May 20, 2005
Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate; Principle 4.7 stipulates that personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
Given that the disclosure of personal information and the lack of safeguards which resulted in the theft of customer data occurred in 2003, prior to the Act coming into full force on January 1, 2004, the Assistant Commissioner concluded that she did not have jurisdiction to issue findings on the disclosure and safeguards issue. Nevertheless, she was pleased that Company A had taken steps to improve its security safeguards of customer personal information.
Summary of Investigation – Company B
In 2003, Company B purchased a list of approximately 40,000 names, all of them allegedly customers of defunct U.S.-based on-line pharmacies. One of the conditions of the sale was that Company B would be able to contact a random sample of the names on the list, in advance of the purchase, to confirm the identity of the individuals and their potential willingness to pursue a business relationship with Company B. Company B made approximately 300 calls, and was satisfied that the list was genuine.
According to the company, the only information it obtained through the purchase of the list was the name, address, and telephone number of the customer. The Office examined Company B’s database, and confirmed that it only had the basic contact information of the individuals who had approached our Office with their concerns.
Once it had finalized the purchase of the list, Company B sent out a standard form letter inviting the person to contact it. The company followed up with a telephone call. It noticed that a number of people it had contacted indicated that they were clients of Company A. Company B assured these individuals that it did not have any medical information about them.
Findings
Issued May 25, 2005
Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
On the matter of collection, the Assistant Commissioner determined that she did not have jurisdiction to issue findings in this regard since the collection occurred prior to the Act’s full implementation on January 1, 2004. She noted that the only way the Office would have had jurisdiction would be if Company B had disclosed the information across borders for consideration. While Company B is located in a different province from the one that had sold it the personal information, it did not disclose the information.
However, the Assistant Commissioner noted that the personal information of Company A’s customers was used in 2004 without their knowledge and consent. She therefore found Company B in contravention of Principle 4.3.
Thus, while the Assistant Commissioner lacked jurisdiction on the matter of collection and could not issue a finding, she had jurisdiction with regard to the use of the personal information, and considered that complaint well-founded.
Summary of Investigation – Company C
With the assistance of an intermediary, Company C purchased a list of approximately 15,000 names, all allegedly customers of a defunct Canadian on-line pharmacy. As with Company B, one of the conditions of sale was that Company C would be able to contact a random sample of the names on the list, in advance of the purchase, to confirm the identity of the individuals and their potential willingness to pursue a business relationship with Company C. The company made approximately 100 calls, asking if individuals had been customers of an internet pharmacy that was now out of business. Company C also asked if they were interested in receiving further information about its business. Based on the responses it received, Company C was satisfied that the list was genuine.
The Office reviewed the list in question, and noticed that it consisted of the name, address, and telephone number of individuals, all of whom were allegedly former clients of the defunct Canadian-based internet pharmacy.
Findings
Issued May 20, 2005
Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
As in the case of Company B, the Assistant Commissioner determined that she did not have jurisdiction to issue findings on the collection of personal information as the collection occurred prior to the Act’s full implementation on January 1, 2004. The only way in which the Office would have had jurisdiction would be if Company C had disclosed the personal information across borders. The transaction, however, was entirely within one province, and did not involve a disclosure on the part of Company C.
However, with respect to the use of personal information of clients of Company A, she had jurisdiction, as the events occurred in 2004. It was clear to the Assistant Commissioner that the personal information of individuals was used, without their knowledge and consent, to contact them in an attempt to establish a commercial relationship. She therefore found Company C in contravention of Principle 4.3.
Thus, while the Assistant Commissioner lacked jurisdiction on the matter of collection and could not issue a finding, she had jurisdiction with regard to the use of the personal information, and considered that complaint well-founded.
Final Comment
The Assistant Commissioner noted that all three companies were victims of fraud. Companies B and C acted in good faith when they purchased the list, not realizing that it had been stolen by a former employee of Company A. Although both companies took steps to ensure that the customer list was being acquired legally, they were duped. All three companies have increased their vigilance to ensure that a similar situation does not recur.