ANZ Dashboard Digest

A new approach to notice and consent has been around for at least a couple of years now. The Microsoft whitepaper was released late 2012, and several subsequent books by privacy thought-leaders have developed this theme, which makes sense. Individuals ought to be given the opportunity to shape their profiles and to have a role in transactions involving their data, and notice and consent will no longer suffice. Equally, entities that stand to benefit from the information should protect their source if they wish to guarantee the future supply of valuable data.

If this approach is accepted, some of the stories this week indicate that there is still a long journey ahead. Whilst many entities still appear to treat privacy as a compliance issue, and one where boundaries should be pressed, others continue to succeed based on adoption of the new approach. It will be interesting to see how this divide plays out in terms of commercial success. That other old chestnut of balancing the right to information against the right to privacy also gets some play this week in the opinion piece titled “Privacy starts to bite.” To hear all about it and ask your own questions of the experts, make sure you book your place at our Privacy Awareness Week breakfast discussion on 6 May as debate on the Australian Law Reform Commission paper on serious invasions to privacy in a digital age continues.

A safe and very Happy Easter to you all,

Emma Hossack
President
IAPP ANZ

Top Australia and New Zealand Privacy News

DATA PROTECTION

Industry Group Set To Fight Phishing E-mails (January 31, 2012)

In an attempt to reduce the number of phishing scams, several e-mail providers and financial organizations, among others, are banding together to create an environment where consumers can feel secure about whether a message is authentic, The Wall Street Journal reports. Companies such as Yahoo, Google, Microsoft, Paypal and Bank of America have joined a group of 15 businesses to form DMARC.org. The goal is to promote technology standards that will help secure e-mails, the report states, and would include digital signatures and policies guiding e-mail providers to detect authentic messages. One representative from the messaging industry said, "If you are a big bank or a retailer, you have a very strong interest in making sure people trust your messages" and added that DMARC "has a lot of promise." (Registration may be required to access this story.)

ONLINE PRIVACY

Alternative to the Privacy Policy, An Avatar? (January 30, 2012)

The problem with privacy policies, say many experts, is that people don't read them, and while the broad privacy policy is important--forcing companies to think about how they treat information and providing accountability, notes director of the Future of Privacy Forum Jules Polonetsky--a San Francisco Chronicle report explores other options, including restricting the collection and sharing of personal information and the privacy icon. Ryan Calo of Stanford's Center for Internet and Society suggests the appearance of an avatar when Internet users are being tracked or monitored might be an appropriate solution, citing studies that show people are more likely to pay for coffee on the honor system when a picture of eyes is nearby. "Experience as a form of privacy disclosure is worthy of further study before we give in to calls to abandon notice," he says.

HEALTHCARE PRIVACY—AUSTRALIA

Commissioner Recommends Privacy Provisions Clarified Under Bill (January 27, 2012)

In a submission to the Senate Standing Committee on Community Affairs, Australian Privacy Commissioner Timothy Pilgrim made recommendations to the Personally Controlled Electronic Health Records (PCEHR) Bill 2011. Pilgrim recommends that the Privacy Act be amended to confirm that the information commissioner may investigate anyone who has "contravened a civil penalty provision in the PCEHR Bill," that the commissioner may invoke the investigative powers provided under the Privacy Act and that the bill clarify the complaints-handling process for privacy issues, among other recommendations.

DATA PROTECTION—AUSTRALIA

Commissioner: Must Protect Data Now More Than Ever (January 27, 2012)

Organisations should make sure their privacy practices are up-to-date and customers' personal information is secure to avoid embarrassing privacy breaches in 2012, says Australian Privacy Commissioner Timothy Pilgrim. "The effects of a privacy breach on business reputation can be significant. In 2011, we saw a number of businesses suffer from a loss in consumer confidence after major privacy breaches occurred," Pilgrim said. His office has published a Data Breach Guide in an effort to help organisations. Coinciding with Data Privacy Day tomorrow, the commissioner is also reminding students heading back to school to review their social media privacy settings.

PRIVACY LAW—AUSTRALIA & U.S.

Expert: Australian Data Is Subject to USA PATRIOT Act (January 27, 2012)

A legal expert is warning that data located in Australia but owned or handled by a U.S. company could be accessed under the USA PATRIOT Act, even if it violates National Privacy Principles, Computerworld reports. Attorney Connie Carnabuci says U.S. authorities have the ability to access data stored outside of the U.S. if they can establish a sufficient connection with the U.S. and that though a formal subpoena process is in place, an informal request for information would allow for some disclosures. However, companies may have the option of requesting an exemption in some cases, Carnabuci says.

ONLINE PRIVACY

Google Revises Privacy Policy, Regulators Take Note (January 27, 2012)

The Wall Street Journal reports on Google's revisions to its privacy policy, suggesting the changes could make it more difficult for online users to remain anonymous. The new policy indicates Google's decision to start combining the information it collects on an individual user to provide better services to customers, according to the company. "We'll treat you as a single user across all our products, which will mean a simpler, more intuitive Google experience," said Alma Whitten, director of privacy. The changes take effect March 1. Regulators in Ireland, France and elsewhere have taken note, Bloomberg reports. Deputy Data Protection Commissioner of Ireland, Gary Davis, said his agency will further assess "the implications of the changes." (Registration may be required to access this story.)

ONLINE PRIVACY

Davos Delves Into Big Data, Privacy (January 26, 2012)

At the World Economic Forum in Davos, Switzerland, the big topic is "lots of data," reports Nick Bilton of The New York Times. "Chancellors, bankers and educators meeting at the conference are being asked to discuss what the forum calls a growing data deluge and how to manage it," Bilton writes, adding "the discussion of privacy is not far behind."

SOCIAL NETWORKING

Facebook Exec: “Right Regulatory Environment” Needed (January 25, 2012)

Facebook Chief Operating Officer Sheryl Sandberg spoke Tuesday at a technology conference amidst discussions of the EU's revised privacy rules, highlighting the type of reactions "global technology companies doing business in Europe are expected to raise against the looming data protection regulation," The New York Times reports. "We want to make sure we have the right regulatory environment--a regulatory environment that promotes innovation and economic growth," Sandberg said. The Wall Street Journal, meanwhile, suggests Sandberg is asking whether the EU's call for a "right to be forgotten" and other data protection provisions is worth potentially jeopardizing €15.3 billion in economic impact. (Registration may be required to access this story.)

HEALTHCARE PRIVACY—AUSTRALIA

APF, CHF Question E-Health System (January 20, 2012)

In a Senate inquiry submission outlining concerns about the nation's e-health system (PCEHR), Australian Privacy Foundation (APF) Health Chair Juanita Fernando said new technical specifications are being rushed in order to finalise the legislation. "The bills do not embody informed consent arrangements," says Fernando, and they "will diminish data confidentiality, integrity and availability," reports The Australian. The Consumers Health Forum (CHF) has also submitted comments to the Senate calling for greater accountability and strong consumer controls over access to medical records under the plan. Citing jurisdictional concerns over locally held databases and the lack of an oversight authority, the CHF says, "To proceed without key components in place will greatly increase the risk for patients and participating health professionals." (Registration may be required to access this story.)

FINANCIAL PRIVACY—AUSTRALIA & U.S.

Proposed U.S. Law Would Allow Easier Online Communication (January 20, 2012)

While the Australian Securities and Investments Commission (ASIC) cautions financial services professionals to be conscientious online, a proposed change to U.S. compliance rules would make it easier for financial advisors to use social media in business, reports Financial Standard. If the change is approved, U.S. financial planners would not have to file "retail communications that are posted on online interactive electronic forums," says the U.S. Financial Industry Regulatory Authority. "In practical terms," the report states, "social media forums...could potentially be a free space for advisers to communicate with clients and non-clients without fear of a compliance nightmare." An ASIC spokesperson told Financial Standard the commission uses the Internet to vigilantly monitor "the many conversations that are happening in the market to ensure fair market trading practices."

ONLINE PRIVACY

If You Love Me, You’ll Give Me Your Password (January 19, 2012)

The New York Times reports on a new trend among young people as a way to express affection: sharing passwords. Young boyfriends and girlfriends are increasingly sharing them--at the risk of harm following a breakup such as the dissemination of private e-mails or scorned exes sending messages under each other's identities. A 2011 survey by the Pew Internet and American Life Project found that 30 percent of teenagers who regularly use the Internet had shared a password with a friend, boyfriend or girlfriend, and girls were almost twice as likely as boys to share, the report states. "It's a sign of trust," one teen said of sharing with her boyfriend. "I have nothing to hide from him, and he has nothing to hide from me." (Registration may be required to access this story.)

ONLINE PRIVACY—AUSTRALIA

Watchdogs: Don’t Respond to Cyber Attackers (January 19, 2012)

After a series of denial-of-service attacks on Australian businesses, the Computer Emergency Response Team (CERT Australia) and the Australian Federal Police (AFP) are telling companies to report cyber attacks immediately and not to respond to attackers, reports The Sydney Morning Herald. One company's website was shut down by millions of Web requests, and shortly afterwards, the managing director received an e-mail asking for money in order to stop the attack. It is unknown whether other companies received similar demands. CERT Australia is working with affected businesses.

DATA LOSS

Analysts React to Zappos Breach Response (January 18, 2012)

PCWorld reports on Zappos' response to its recent breach affecting 24 million customers. The online shoe retailer notified affected customers via e-mail and has asked them to change passwords after discovering a hacker had gained unauthorized access to company servers containing names, e-mail addresses and billing addresses. But some analysts say that the company's response was the wrong one, and that deleting 24 million customer passwords makes the company look like it's in panic mode. Another expert and Zappos customer, however, says data encryption should have been more broadly applied because the "definition of what is sensitive is changing. It's not just card numbers anymore..."

PRIVACY

Google Launches Educational Campaign (January 17, 2012)

Google will launch a new ad campaign designed to alleviate privacy concerns, reports the Los Angeles Times. The Good to Know campaign will encourage individuals to protect their personal information online and will appear in two dozen U.S. newspapers and magazines as well as in subways in New York and Washington, DC. "Given who we are, we have a strong incentive to make the Internet a place that people feel safe to do interesting things," said Alma Whitten, Google's director of privacy. The company launched the campaign in Britain in October. (Registration may be required to access this story.)

BEHAVIORAL TARGETING

Do-Not-Track Option Released for Browser (January 17, 2012)

Privacy expert Jonathan Mayer of Stanford University has released a do-not-track extension for Google's Chrome browser allowing users to opt out of tracking by targeted advertising companies, reports PC Pro. While other browsers have had do-not-track mechanisms for "quite some time," Mayer says Google has declined thus far to add the feature to Chrome. The do-not-track initiative has been criticized for being unenforceable, among other reasons, and while Mayer acknowledges the criticism, noting that "websites have to add support for it," he says "that line has largely faded, partly because researchers have demonstrated again and again how Web measurement tools can catch bad actors."

DATA PROTECTION

Experts: Passwords Don’t Protect You (January 17, 2012)

Two researchers say that online passwords, while helpful for websites aiming to sign up millions of users, overlook "really scary and effective attacks." While password advice usually instructs users to choose something strong, memorable and a mix of numbers and letters, strong passwords aren't as important as they used to be, given more advanced hacking methods such as phishing and keylogging. Researchers Cormac Herley and Paul C. van Oorschot say in a new paper that the computer industry wrote off the significance of passwords a decade ago after Bill Gates said they'd become obsolete soon, so not enough work has gone into improving them and understanding how they get compromised, Wired reports.

PERSONAL PRIVACY—AUSTRALIA

Census Questioning Raises Privacy Concerns (January 13, 2012)

The Australian reports on the data collection tactics used for the Survey of Income and Housing 2011-12 (SIH) and the privacy concerns subsequently raised by some citizens and privacy activists. The Australian Bureau of Statistics (ABS) randomly selects about 15,000 citizens that--when chosen--must by law answer the SIH questions. Failure to comply can result in a fine of $110 per day. One couple interviewed in the report was asked by the ABS to provide pay slips, tax returns, account statements, investment documentation and personal loan details, among other items. The ABS website says, "The information collected...will enable an assessment of the economic and social wellbeing of Australians," but some privacy activists are concerned about how the data is collected, stored and used. (Registration may be required to access this story.) 

PERSONAL PRIVACY—AUSTRALIA

Opinion: Privacy Is Not Dead, It’s About Choice (January 13, 2012)

In a column for WAtoday, Kathryn Koromilas asserts that what may surprise individuals "arguing that privacy is in a terminal decline is the fact that many of us already guard our privacy online." Koromilas cites an Asia Pacific Privacy Authority survey on social media, which found that a majority of respondents already know how to control a site's privacy settings. "We would no more retreat from Facebook" she writes, "than we would from family and friends on the basis that we might be subject to gossip." Emerging technologies not only improve our ability to share information, but, she adds, "consider what levels of control this technology offers...What is evident here is that we are exercising a choice." Meanwhile, in a separate article, Stephanie Dowrick opines, "An indifference to what privacy means and allows demeans our public culture."

DATA PROTECTION—HONG KONG

Commission Publishes Data Erasure Guidance (January 13, 2012)

Hong Kong Privacy Commissioner for Personal Data Allan Chiang has published guidance for organisations on the proper retention and disposal of personal data. "It is important for organisations to manage personal data throughout its lifecycle, from data collection to data destruction," Chiang said. "Not all of them do a good job of determining the appropriate duration of retention of the data with due regard to the purpose of data collection and destroying it at the end of its useful life." The guidance covers legal requirements under the Personal Data (Privacy) Ordinance; outsourcing data erasure responsibilities; staff and management engagement, and risks, among other topics.

RFID—PHILIPPINES

Bureau of Customs Upgrades ID System (January 13, 2012)

Journal Online reports that the Bureau of Customs is currently finalising the introduction of a new "color-coded" Radio Frequency Identification System (RFID). Accordingly, "duly appointed personnel," or those with approved tenure with the agency, will be issued a new ID. Individuals without an "employee-employer relationship" with the bureau--including daily visitors, Commission on Audit, ombudsman and vendors--will be issued a "visitor's access pass." 

DATA LOSS—AUSTRALIA

Commissioner Investigating Breach at Bank (January 12, 2012)

The privacy commissioner is investigating a cybersecurity breach after bank customers were sent strangers' account data. ANZ Bank has shut down its online bank statement service after the incident, The Australian reports, which the bank became aware of on Monday while reinstating statements that were disabled after a different security bug last month. The bank says it will apologize to the 60 customers affected by the breach and will compensate those potentially affected by fraud. Privacy Commissioner Timothy Pilgrim says he is pleased the bank "promptly sought to notify affected customers." (Registration may be required to access this story.)

PERSONAL PRIVACY

Searls: Goodbye Data Collection, Hello Intention Economy (January 12, 2012)

In the Harvard Business Review, tech guru Doc Searls says the age of collecting data on customers is over. The intention economy will soon arrive, he says, and it will render unnecessary the mining and amassing techniques companies have used to get to know their customers better. "Businesses soon will no longer own the data...customers will." Searls says when this happens, vendors will realize greater benefits than they do now because when customers own and control their data, "demand will drive supply more efficiently than supply currently drives demand. Customers not only will collect and manage their own data but will be equipped with tools for declaring their intentions directly to the whole marketplace."

DATA LOSS—CHINA

Four Detained, Eight Punished In Hacking Incident (January 11, 2012)

Last month, hackers infiltrated a popular social networking site and a programmers' site exposing the information of six million users and undermining trust in China's Internet security, Reuters reports. Amid the actual breaches, rumors of attacks on other websites surfaced online--many of which turned out to be fictitious. Chinese authorities have detained four people and punished eight after an investigation showed nine cases of reselling user data and three cases of "fabricating and promoting speculation of data leaks," the report states.

ONLINE PRIVACY

Google Searches May Include Google+ Info (January 11, 2012)

Google search results will now include photos and commentary from its Google+ social network, the Huffington Post reports. "The Internet search leader eventually hopes to know enough about each of its users so it can tailor its results to fit the unique interests of each person looking for something," the report states, in what the company has described as "the new era of social and private data search." The new feature, which was rolled out on Tuesday, will be the default "for all English-language searches made by users logged into Google," the report states, but can be turned off permanently with a settings change or on a per-case basis via an icon.

DATA LOSS—NEW ZEALAND & U.S.

Hackers Expose Security Company Data (January 6, 2012)

The hacker collective Anonymous has exposed personal information--including credit card numbers--of 860,000 users of the U.S.-based intelligence firm Stratfor, putting the information of some New Zealand companies and government agencies at risk. Stuff.co.nz reports that the Department of Prime Minister and Cabinet, Air New Zealand, police and fire services and some banks are clients of Stratfor. The hackers posted the information online, and unauthorised activities have occurred on some of the stolen credit cards. The company, which provides reports and analysis on international security, shut down its website pending a review by outside experts. A Department of Prime Minister and Cabinet spokesman said while the department will not discontinue the service, it hopes Stratfor will improve security and it will watch its account.

PRIVACY LAW—AUSTRALIA

Gambler Compensated After Breach (January 6, 2012)

The Sydney Morning Herald reports on Privacy Commissioner Timothy Pilgrim's determination awarding a man $7,500 after details about his gambling habits at a Sydney casino were given to the gambler's former partner during the couple's divorce. The gambler, known as "D," complained to the Office of the Australian Information Commissioner, which determined that the Wentworthville Leagues Club should apologise and compensate the gambler for the breach as well as review its staff training on legal requests. The club disclosed the details--including the balance of the gambler's account, total winnings, losses and membership status--when the gambler's former partner requested the records.

PRIVACY—NEW SOUTH WALES

OIC Describes Role of Community Liaison (January 6, 2012)

In its OIC News, the Office of the Information Commissioner (OIC) details the work of Community Liaison Officer Gabe Morahan since joining the office and her "whirlwind nine months meeting with community groups and people from disadvantaged backgrounds to discuss how to access government-held information and the need to keep personal information safe." The feature highlights her efforts to meet hundreds of people at an array of events across New South Wales. "My job is to build relationships, build networks, open channels of communications that allow me to talk to and educate people about their rights to access government information and about privacy issues," Morahan noted.

STUDENT PRIVACY—HONG KONG

PCPD Launches Educational Programme (January 6, 2012)

Hong Kong's Office of the Privacy Commissioner for Personal Data (PCPD) will offer an educational program to students and staff of the University of Hong Kong aimed at promoting the importance of protecting personal data privacy, reports IT Services News. The exhibition, taking place on 12-13 March, will include seminars, informational panels, data privacy quizzes and the Information Security Awareness Creativity Contest. "One of the main functions of the PCPD is to raise the public's awareness and understanding of personal data privacy protection," said Commissioner Allan Chiang. "We are now taking a step forward by conducting face-to-face and interactive promotional activities in the university campuses."

DATA PROTECTION

Cyber Insurance May Become More Popular (January 6, 2012)

When it comes to cyber insurance, "Everybody needs it, and most companies don't realise they don't have it until it's too late," says one expert in a report for The New York Times. Despite recent high-profile cyber attacks, only one-third of companies surveyed said they had purchased a policy. But experts say new regulations by the Securities and Exchange Commission--specifically, a provision that requires companies to disclose a description of relevant insurance coverage to shareholders--will likely change that. Experts advise small businesses to look closely at what kind of cyber-insurance coverage they need based on the amount of personal information handled. (Registration may be required to access this story.) Editor's Note: The IAPP recently hosted a Web conference on Evaluating Cyber Liability Insurance. The archive is available on our website.

DATA PROTECTION

Survey Respondents Focused on Data Security (January 5, 2012)

SC Magazine reports on its fifth annual "Guarding Against a Data Breach" survey, which found that 63 percent of 488 respondents "are confident that their company's IT security departments have the power, executive support and budget/resources necessary to safeguard customer, client and other critical corporate data." That share is up from 58 percent of last year's respondents. The report also highlights concerns that 2012 "promises still more of the advanced cyber attacks" that occurred in 2011, as well as increases in regulatory audit "and a continuation of end-users and consumers relying on an array of vulnerable technologies to conduct business."

PERSONAL PRIVACY

PRC Releases Privacy Complaint Tool (January 3, 2012)

To help consumers who have experienced privacy abuse, the Privacy Rights Clearinghouse (PRC) has released an interactive online complaint tool. PRC Director Beth Givens says this new tool will not only help streamline and simplify the complaint process, but will educate consumers and connect them with the appropriate channels for help. In this Daily Dashboard exclusive, Givens describes the catalyst for the online mechanism, how it works and why it might help consumers and organizations.

PERSONAL PRIVACY—CHINA

Forthcoming Marriage Database Incites Concerns (January 3, 2012)

The Chinese government has announced that it will launch a national online marriage database, inciting concerns about privacy, CNN reports. The database, which will be available next year and completed in five, aims to fight bigamy--a problem in China, according to the report. The announcement comes amidst reports that hackers gained access to six million China Software Developer Network users' personal information last week.    

ONLINE PRIVACY

User Authentication Goes High-Tech (January 3, 2012)

Studies show that sophisticated technologies are making it easier for hackers to crack the current system of user authentication--passwords--meaning some tech firms are looking at other ways of identifying users, reports The New York Times. A recent blog post predicted that users may no longer need passwords, pointing to biometrics as the wave of the future, but one Web researcher says a problem with biometric authentication is "once your digital biometric signature is compromised, you cannot even replace it." A security expert warns all authentication has drawbacks, and using more than one is always best. One tech giant recently launched a behavioral password system using gestures in addition to a password and facial recognition. (Registration may be required to access this story.)

DATA LOSS—AUSTRALIA

Company Admits to Second Breach (January 2, 2012)

The personal information of approximately 1,500 Telstra customers was accessible last Friday when a spreadsheet was posted online, International Business Times reports. The spreadsheet reportedly contained customers' e-mail addresses, phone numbers and postal addresses, but the company said it has "no reason to believe it contained passwords or credit or financial information." Some customers have expressed concern that they have yet to be notified by the company. A spokesman said, "Customers are being progressively contacted either by phone or e-mail as we work through the data that was contained on the spreadsheet." Telstra has also notified the appropriate authorities, the report states. Last month, nearly 800,000 Telstra customers were affected when their private data was accessible through the company's website search tool.

ONLINE PRIVACY

Accidental E-mail Incites Concerns (January 2, 2012)

The New York Times says data security has not been compromised after it accidentally sent an e-mail to 8 million people telling them that they had canceled their subscriptions. A Times employee erroneously sent the message to a list of people who'd previously given their e-mail addresses to the company. Initially, the company indicated via its Twitter feed that the message had been spam, inciting concerns from some recipients about who had access to their data. But The Times later confirmed that it sent the e-mail. "We regret the error and we regret our earlier communication noting that this e-mail was spam," a Times spokesperson said. (Registration may be required to access this story.)