There have been several recent email list breaches involving some of the largest email service providers ("ESPs") in the U.S. In each case, an unauthorized third party has gained access to the user accounts of a number of large brands (McDonald's, Walgreens, online retailer Play.com, and Honda, to name only a few). The subscribers of the compromised lists have in turn been hit with spam, mostly messages purporting to be from Adobe or Skype in an attempt to scam the recipient into divulging credit card information, or infect them with malware. In total, millions and millions of email addresses are now in the hands of some of the sleaziest spammers out there.

Breaches like this are obviously bad for everyone involved – the ESPs, the brands, and, most importantly, the consumers who are bombarded with spam, and whose computers are potentially infected. We know that American law enforcement agencies are involved, and we would not be surprised to even see some lawsuits in the near future.

This has led us to consider the potential legal remedies that would be available if such a breach were to occur in Canada.

Depending on how much information has been stolen from the ESP, the recently added "Identity Theft and Identity Fraud" provisions of the Criminal Code might prove useful. In particular, section 402.2 makes it a criminal offence to knowingly obtain, possess or traffic in "identity information". The threshold issue in this case, however, is whether the information obtained from the ESPs would fit within the meaning of identity information, which is defined as

any information — including biological or physiological information — of a type that is commonly used alone or in combination with other information to identify or purport to identify an individual, including a fingerprint, voice print, retina image, iris image, DNA profile, name, address, date of birth, written signature, electronic signature, digital signature, user name, credit card number, debit card number, financial institution account number, passport number, Social Insurance Number, health insurance number, driver’s licence number or password.

This probably would not apply to the email addresses stolen from the ESPs' client accounts, as an email address is likely not "identity information" – especially if it is obtained and used on its own.

However, it could apply to the information that was stolen in order to enable the spammers to log in to the ESPs' client user accounts in the first place; i.e., user name, password, and any other information. This information is obtained and used specifically for the purpose of personating the ESP clients, which seems to fit within the definition of "Identity Fraud". Thus, it is a crime to obtain the identity information, and a crime again when it is used.

The identity theft and identity fraud provisions would also apply where spam is used in phishing attacks to obtain personal information about subscribers on the ESP clients' email lists (which is, we assume, the ultimate goal for the spammers in a lot of the cases).

There is also a lesser-known provision within Canada’s Anti-Spam Legislation (CASL) that could apply as well. CASL, which was passed in December, amends the federal privacy legislation, the Personal Information Protection and Electronic Documents Act (or "PIPEDA") to specifically prohibit the collection of personal information "through any means of telecommunication, if the collection is made by accessing a computer system or causing a computer system to be accessed in contravention of an Act of Parliament" in a new subsection 7.1(3).

The definition of personal information under PIPEDA is broader than the definition of identity information under the Criminal Code, and would include email addresses. Therefore, any spammer who fraudulently logs in to an ESP client account is collecting personal information, and is doing so contrary to the identity fraud provisions of the Criminal Code (see above).

So what? Anyone who has any experience with PIPEDA knows that it is toothless, and a violation might get you a tersely worded letter from the Privacy Commissioner, who lacks order-making powers or the ability to impose fines. At the very worst, you could be hit with nominal damages by the Federal Court (in over ten years of existence, there has been one case where damages have been awarded, for a whopping total of $5,000).

That is not the end of the story, however. The private right of action under CASL applies not only to a violation of that law, but also to a contravention of PIPEDA "that relates to a collection or use described in subsection 7.1(2) or (3)". This means that the private right of action could be applied to any person who obtains personal information (including email addresses) through unauthorized access to a user account. This would allow anyone affected by the recent ESP breaches – including the ESPs, their clients, and the individuals who have been spammed – to sue the people who illegally accessed the ESP user accounts to steal email lists, potentially for several millions of dollars.

So there you have it – a sleeper data breach provision within PIPEDA, added as a result of the new anti-spam legislation (which should come into force later this year), that most people do not even know exists!

Of course, there are a few obvious limitations to using a private right of action in these circumstances. Those who perpetrate the type of fraud and theft that has been happening to ESPs of late tend to be hardcore criminals. And, even if these people can be identified and located, they are unlikely to ever pay the millions that they may owe you.

– Shaun Brown, CAUCE