Did you shop at either Winners or Home Sense in the second half of 2006? Then your Canadian credit card information is at serious risk after hackers breached computers in mid-December at the head office of the American parent company for the well-known discount chain stores in Canada.

 Delays add to resulting ID thefts in Canada

However, consumers in Canada, the United States and Puerto Rico were not alerted until Jan. 19, 2007 - a full month after TJX Companies Inc. discovered the significant identity theft.

Bruce Cran, president of the Consumers' Association of Canada, is raising somber questions about the belated consumer alert in Canada and lack of computer security for Canadian consumers. He says this financial information should never have been compromised because federal legislation exists to protect Canadian consumers from these types of situations.

"What's supposed to happen with your information is it is supposed to be used for the purpose that it was collected for, then disposed [of] in a proper manner," said Cran.

The Canadian consumer watchdog organization strongly suggests such sensitive data should not be stored on computers that are vulnerable to break-ins.

"I have no idea how Canadian information ended up in a storage facility in the United States," he said. "Maybe Canadians should wake up and write some letters to get something done about this."

Are Canadians properly protected by federal privacy laws? 

Last November, a parliamentary committee, the Standing Committee on Access to Information, Privacy and Ethics, started a review process calling for amendments to Canada's data-protection laws.

"If you want organizations to be notifying people when there is a security breach, that needs to be written into the law, "said Philippa Lawson, director of the Canadian Internet Policy and Public Interest Clinic at the University of Ottawa.

"No one is speaking for the average consumer," she said.

The Personal Information Protection and Electronic Documents Act (PIPEDA) does not include any set requirements forcing Canadian organizations to notify customers if their personal security is breached, Lawson explained.

Most U.S. legislation includes a provision that allows for delays based on the discretion of law-enforcement officials, said Lawson. But, outside those considerations, up to 33 U.S. states are currently required to send notification of security breaches to American consumers.

For international companies, such as TJX, things can get thorny, she said.

"You are in an interesting situation where the company could, if they wanted to, look at the minimum they would have to do to comply," explained Lawson.

"They only inform the jurisdictions they are required to by law and not notify Canadian customers ... who are running the same risk because of the breach."

Damage control starts with admission of identity thefts from corporate computers 

Damage control finally started yesterday when representatives from Canadian banks held a conference call with major Canadian card issuers VISA and MasterCard to discuss the massive identity theft.

But it might be too little too late. A senior banking executive confirmed that stolen credit cards have already been used fraudulently, resulting in thousands of calls to Canadian banks and credit card companies about the compromised credit card activity.

Even law enforcement authorities disputed when they were first notified of the security lapse.

TJX, based in Framingham, Mass., said it became aware in mid-December of a security breach during which the credit and sales transaction information of "significantly less than millions of holders" was removed from company databases.

The company said computers that handle customer interactions and store information, including credit card numbers, were illegally accessed at a store location in December. Stores belonging to the TJX chain also accept American Express and Discover credit cards.

The compromised information was from transactions that took place at TJX stores in Canada, USA and Puerto Rico in 2003 and during the period between mid-May and December, 2006.

TJX operates several thousand chain stores in Canada and the United States. Winners is a leading Canadian discount apparel chain with more than 180 locations.

Home Sense, a discount giftware and home-accessories chain, has about 65 locations across the country. Other chains that may be affected include T.J. Maxx, Marshalls, Home Goods and A.J. Wright stores in the United States and Puerto Rico, as well as T.J. Maxx stores in Britain and Ireland.

On Wednesday, the company released a statement reporting the incident. It said following the discovery of the breach, "TJX immediately notified and began working closely with law-enforcement authorities" on both sides of the border including the RCMP.

But yesterday, RCMP Sergeant Nathalie Deschenes said the RCMP, who are not participating in the U.S.-led investigation, were not made aware of the breach until the day before the release.

TJX spokeswoman Sherry Lang said the breach was brought to the attention of the company through an "outside consultant" who advised it that its network could be compromised.

"We are certainly following all the laws, in both countries. Our obligation is to notify the banks and the credit-card holders, as we have done. It is the banks and credit cards [issuers] whose obligation, as I understand it, is to notify customers," she said.

Customers were not immediately informed of the breach for two reasons: To ensure that the criminal investigation was not compromised and "primarily because the company also believed that is was in the best interest of our customers, that we were protecting our customers," said Lang.

"This was a crime against the company. We do not know at this time who the intruder was."