ANZ Dashboard Digest

“All human beings have three lives: public, private and secret.” Gabriel Garcia Márquez: A Life

The Easter week witnessed the death of one of our greatest authors, Gabriel Garcia Marquez, and tomorrow we commemorate the ANZACs throughout Australia and New Zealand. This is also the second long weekend in a row meaning that, as most people have had 10 days holiday, some are likening us to the land of the Lotus eaters. And if you have been trying to work—it’s a bit like one hand clapping. I have found almost everyone I want to talk to is away. I think that includes a fair bit of media, as there is not much on our favourite topic this week. Just plenty of time for the Royals, which in itself has raised the question of private boundaries, as the Australian press took personal photos of the Royals with long-distance photo lenses. I really do have to wonder about the public interest versus privacy in this instance.

The Marquez quote is to me the essence of why privacy fascinates. The layers, the nuances and the importance for humanity to be able to live without detection are perfectly encapsulated by Marquez.

One of the articles below examines the blurry edges between the public and private lives. Omer Tene and Jules Polonetsky, CIPP/US, discuss the concept of what constitutes “creepy” behavior. The interesting aspect of this is that it changes with circumstance. Whilst it may annoy you when your airline e-mails you about hotel deals at your next destination if you are staying with your family, your reaction could be different if you were in need of accommodation. Reminds me of the story of a woman who was propositioned by a millionaire at a dinner party. Outraged, she asked, “What do you think I am?” To which he replied, “I will give you a million dollars if you spend the night with me.” She acquiesced. The millionaire replied, “Now that we have established what you are, let’s negotiate.”

Perhaps just one of the reasons we have privacy principles rather than laws is to countenance the fluidity of what privacy means to us all. Whatever that baseline is, protections and custodianship of our public, private and secret lives make being a privacy professional a joy.

Enjoy your Dawn Service, your Two Up and your ANZAC Day.

Emma Hossack
President
IAPP ANZ

Top Australia and New Zealand Privacy News

PRIVACY TECH

OWASP Looking for Volunteers for Privacy Top 10 Project (February 28, 2014)
In the cybersecurity community, the OWASP Top 10 Project is something of a touchstone. An open-source list of “the most critical web application security flaws,” it represents a consensus of experts as to what threats organizations should be most concerned with as they go about developing their projects. The project, first developed in 2007 by the Open Web Application Security Project and refreshed in 2010 and 2013, has been translated into seven of the world’s major languages, so it is a truly global tool. Sound like something privacy pros could use? Well, Florian Stahl, CIPP/IT, thought so, too. So, this month, he has launched the OWASP Top 10 Privacy Risks Project, and he’s looking for help.

PRIVACY LAW—AUSTRALIA

APP Guidelines Released; Some Experts Critical (February 27, 2014)

The Office of the Australian Information Commissioner (OAIC) has released guidelines for the Australian Privacy Principles (APPs), which go into effect 12 March, following public consultation, Computerworld Australia reports. Public and private organizations must adhere to the APPs along with the Privacy Amendment (Enhancing Privacy Protection) Bill 2012, which gives Australian Privacy Commissioner Timothy Pilgrim a mandate to seek civil penalties of up to $340,000 for individuals and $1.7 million for businesses in cases of serious breach incidents. In the guidelines, the OAIC has indicated it will not “hold organisations accountable for the exposure of personal information when accessed via a cyber-attack, as long as the office is satisfied with the level of security in place within the targeted systems.” Some security experts are criticising the guidelines.

PRIVACY LAW—HONG KONG

Past, Prior PCPD Comment on Privacy, Business (February 27, 2014)

Out-Law.com reports on Privacy Commissioner for Personal Data (PCPD) Allan Chiang’s remarks at a recent conference organised by the Office of the PCPD. “Regulatory experience has shown time and again that privacy and data protection cannot be managed effectively if they are merely treated as a compliance issue, doing the least possible to comply with the legal requirements, but with little or no regard to customers’ privacy expectations,” he said. Meanwhile, former PCPD Stephen Lau writes about personal data as the currency of the Digital Age, the value of data protection for business and related issues for an IDG News report. Editor’s Note: PCPD Allan Chiang will be one of the keynote speakers at The IAPP Asia Privacy Forum in Hong Kong on March 31.

ONLINE PRIVACY

Making Online Privacy More User-Friendly (February 27, 2014)

With increased awareness about online privacy issues, both from the public and private sectors, a host of online privacy tools exist, but for the most part can be difficult to use. GigaOM reports on a group of experts attempting to make online privacy tools more user-friendly. Groups have been attempting to “redecentralize” the Internet, but, the report states, the open-source scene is often made up of users more concerned with function over the user experience. Eleanor Saitta, of the Open Internet Tools Project, said, “There are still a lot of people in the (developer) community who are, ‘If I can use this tool, why can’t everyone?’ A lot of people aren’t willing to acknowledge that if ordinary users can’t use it, they won’t.”

MOBILE PRIVACY

Mozilla Rolling Out New Privacy Features (February 27, 2014)

In a partnership with Deutsche Telekom, Mozilla said it plans to release new privacy and security features for its Firefox operating system, ComputerWeekly reports. The focus of its Future of Mobile Privacy project is emerging markets. Mozilla has found the most prevalent concerns include lost/stolen mobile devices and the privacy of sharing personal information among friends and family. Mozilla Global Privacy and Public Policy Leader Alex Fowler said Mozilla will “be calling on the privacy and security community to start dreaming up what they think are exciting features and services, and we want to prototype and make those part of future releases as well.”

BIG DATA

Surveys Offer Insights Into Consumer Perspectives (February 27, 2014)

Two recent studies offer insights into consumer perspectives on the use of their personal information (PI). A survey from content management and analytics firm SDL indicates “nearly two-thirds of consumers in the U.S. and around the world are worried about how marketers are using their personal information,” AdWeek reports. However, about 80 percent are willing to provide PI “to a trusted brand as long as brands are transparent about how they collect and use their information and as long as they get something in return.” A Fortinet study of Gen-Xers and Millennials, meanwhile, found differences in “philosophy about security and privacy” from one generation to the next.

PRIVACY TECH

Cryptographers at RSA: “Users Seem To Now Mind Giving Up Privacy” (February 26, 2014)

If there are buzzwords at this year’s RSA conference, they are without question “mistrust” and “NSA.” And if there’s anywhere the irrefutable impact of the “Summer of Snowden” reverberates, it’s through the corridors here at the Moscone Center in San Francisco, CA. During the Tuesday morning keynote, panelists Whitfield Diffie of SafeLogic, Brian LaMacchia of Microsoft Research, Paul Kocher of Cryptography Research, Inc., MIT’s Ron Rivest and Adi Shamir of Israel’s Weizmann Institute of Science expressed “shame” and “shock” at the NSA revelations but also offered up a vision of where cryptography is going and how it might affect the privacy industry. Angelique Carson, CIPP/US, gets you up-to-speed.

PRIVACY COMMUNITY

IAPP Global Privacy Summit Is Sold Out (February 26, 2014)

The IAPP Events Team announced today that the Global Privacy Summit, happening next week in Washington, DC, is officially sold out. Were you procrastinating? Sorry about that. However, we have a couple of pieces of good news: our Show Daily newsletter, to which you can subscribe, and a discount on our next big U.S. event.

ONLINE PRIVACY

RSA Dispatch: How Do Brands Establish Trust in This Time of Distrust? (February 25, 2014)
What Silicon Valley knows how to do best is collect user data without notifying the user it’s doing so, or for what purpose, and then sell it for profit. But it shouldn’t be that way, and it doesn’t have to be. That’s how Reputation.com’s Michael Fertik led off the IAPP’s first panel discussion at RSA Conference yesterday, offering a springboard for Jules Polonetsky, CIPP/US, Anne Toth and Stan Crosley, CIPP/US, CIPM, to talk about how brands can establish trust while they collect and use data in the post-Snowden era. Hint: IT and privacy professionals are going to have to work closely together. Angelique Carson, CIPP/US, fleshes out their solutions for The Privacy Advisor.

PRIVACY COMMUNITY

Frye, Stoddart, Stonier Join IAPP Board (February 25, 2014)

The IAPP announced this week the new composition of its Board of Directors, with three notable additions, plus its newly appointed Executive Committee. Joining the board are Bank of America CPO Christine Frye, CIPP/US, CIPM; Executive VP of Privacy and Information Guidance at MasterCard JoAnn Stonier, and former Privacy Commissioner of Canada Jennifer Stoddart. Further, Hewlett-Packard VP and CPO Scott Taylor, CIPP/US, has taken over for Past Chairman and Microsoft CPO Brendon Lynch, CIPP/US, as chairman of the board, and a new slate of officers have accepted positions. Please join us in thanking them for their service to the IAPP.

PRIVACY BUSINESS

Oracle To Buy BlueKai for $400M (February 25, 2014)

AdAge reports that Oracle has agreed to acquire BlueKai for a reported $400 million, though terms were not publicly disclosed. Among BlueKai’s offerings is technology that allows for data transfer independent of cookies but with “the same transparency and notices that cookies have.” The report says Oracle plans to integrate BlueKai with other cloud marketing products Responsys and Eloqua to “give its customers the ability to more precisely personalize messages to consumers and B-to-B buyers—the people those products are used to reach.”

MOBILE PRIVACY

IoT Focus at MWC (February 25, 2014)

The Mobile World Congress (MWC) is home to all the hottest new mobile devices, Forbes reports, and at this year’s event, the Internet of Things (IoT) and data are key themes. “Consumers currently expect ‘mobile device’ to mean smartphone and the apps we use on it, but a plethora of other device types are changing that expectation,” TJ McCue writes. He suggests that the prevalence of IoT sessions at the MWC indicates “the mobile community is taking the potential and implications of data seriously. The amount of data from IoT devices and the number of mobile products that help us share and make sense of it will only increase.”

DATA PROTECTION

On Breach Response, 50 Percent of Execs Are in the Dark (February 25, 2014)

According to The Economist Intelligence Unit’s Information Risk report, one half of executives surveyed have not been trained in what to do in response to a data breach. The report surveyed 341 senior business leaders from around the world, almost half of whom are C-suite-level executives. The unit then conducted a series of in-depth interviews with 17 senior executives on managing digital assets. Of the key findings, the report states that data risk awareness does not extend evenly across most organizations. The most knowledgeable departments tend to be IT and finance, due to the sensitive information they deal with. “This low level of awareness across the company is equally true vertically,” the report states.

CYBERSECURITY

SSL Bug Found in Apple Operating Systems (February 24, 2014)
Security researchers and experts discovered a coding flaw late last week in the operating systems that run Apple’s mobile devices and computers that could allow hackers to circumvent encrypted connections, Reuters reports. A single line in the software omitted commands to authenticate an encrypted website’s certificate, meaning hackers could impersonate sites and capture all the electronic data being communicated by users. Cryptography expert Matthew Green said, “It’s as bad as you could imagine; that’s all I can say.” Apple has offered a software update for mobile devices and said it would release a patch for Mac computers “very soon.” The bug has allegedly been present for months, and some have questioned whether it was a spy’s attempt to create a “back door” into the devices.

PERSONAL PRIVACY

Privacy Issues Raised by 3D Room-Mapping Program (February 24, 2014)

Google recently announced Project Tango, an Android-based phone with built-in, super-advanced 3D sensors capable of mapping a given area around the device, including the interiors of buildings, Motherboard reports. In its announcement, Google asked, “What if you could capture the dimensions of your home simply by walking around with your phone before you went furniture shopping?” The technology is currently only available to 200 developers, and Google says the technology is still in the early stages, but the report suggests potential privacy implications, including where the maps would be stored and who would have access to them.

ONLINE PRIVACY

How Baidu Wraps Privacy Into New Products (February 21, 2014)

The world’s second-largest search engine, China-based Baidu, is continuing to look at expansion into emerging markets. Whenever it approaches a new market, Global Marketing Director Richard Lee explains, dedication to privacy is part of the company’s communications. “China is actually doing a great deal to keep in line with modern times,” he tells The Privacy Advisor in this exclusive, adding, “I agree that maybe we at Baidu need to do more to prove that we respect privacy than some Western companies, but we don’t lack those kinds of concepts here in China. We want to keep in line with international standards.”

INTERNET OF THINGS

The Rise of Bring-Your-Own Wearable Device (February 21, 2014)

V3.co.uk reports on the rise of wearable technology and how it has been and will be integrated into the work environment. Early adopters include Tesco, which gives smart armbands to workers to help track goods, distribute tasks and measure location movements. Another firm, Pru Health, offers employees Fitbug health devices as part of its “Vitality” program. These devices supplied by employers, as well as bring-your-own wearable devices (BYOWD), have robust personal data-gathering potential—including swaths of sensitive personal information. As smart glasses and wearable cameras become more integrated into the work environment, businesses will have to consider BYOWD policies to protect employees’ privacy expectations, the report states.

DATA PROTECTION—HONG KONG

PCPD Releases Guidance on Privacy-Management Programs (February 21, 2014)

The Office of the Privacy Commissioner for Personal Data (PCPD) has released a guide outlining the foundations of privacy management programs. The Privacy Advisor takes a closer look at the guide, aimed at helping organizations as they develop or improve programs. The South China Morning Post reports from the PCPD’s event, spotlighting how privacy scandals, such as the much-publicized Octopus incident, can result in businesses choosing “to reconsider their approach to data protection.” Octopus Holdings Chief Executive Sunny Cheung said, "Legal rights do not save you from dissatisfied customers," explaining the company now collects “minimal” personal data and avoids “vague terms that could mislead customers about data policies,” the report states. Editor’s Note: PCPD Allan Chiang will be one of the keynote speakers at The IAPP Asia Privacy Forum in Hong Kong on March 31.

DATA LOSS—AUSTRALIA

10,000 Asylum Seekers Could Be At Risk (February 20, 2014)

In what is being called one of the largest breaches in Australia’s history, Privacy Commissioner Timothy Pilgrim has confirmed he will be investigating “how the personal details of some 10,000 people who have sought asylum in Australia became available on the Internet,” Business Insider Australia reports. The incident has many, including lawyers, legislators and advocacy groups, concerned the accidental exposure of the information could put the asylum seekers at risk. “I have spoken to the Department of Immigration and Border Protection and have been assured that the information is no longer publically available,” Pilgrim said, adding his office will work with department staff to ensure “they are fully aware of their privacy obligations and to ensure that incidents of this nature will not be repeated.” Border Protection has announced it has called in KPMG to audit the breach.

PRIVACY—NEW ZEALAND

Edwards: Faith in Gov’t Agencies Must Be Rebuilt (February 20, 2014)

Privacy Commissioner John Edwards wants to help restore the public’s faith that government agencies will protect their personal data, TVNZ reports. "There are rules, and those rules need to be respected," Edwards said. The report examines several high-profile breaches in recent years, noting none were fined as a result of the incidents. Edwards said, “The harm that happens to the reputation of those organisations through being named and shamed by the commissioner is probably more substantial than the fine.” Meanwhile, in a new incident, Auckland City Council staff members have said their privacy was breached after auditors checked e-mails during an investigation.

ONLINE PRIVACY—AUSTRALIA

Crime Site Called “Invasion of Privacy” (February 20, 2014)

CrimeMap.info, a privately run website that posts local crime information, is being called “a dangerous invasion of privacy,” The Courier-Mail reports. The site includes data on the location of drug offenses, assaults and other crimes over the past 13 years. “Offences are shown at specific homes and businesses, unlike an official Queensland Police Service crime map, which hides addresses,” the report states, noting Queensland police are asking the site to remove addresses from the map to protect privacy.

DATA PROTECTION—AUSTRALIA

The Dangers of Old Computer Hard Drives (February 20, 2014)

“Confidential, personal and company information including medical records, legal matters, financials, the entire contents of an e-mail inbox and personal mail from a Justice of the Peace are just some of the confidential data found on the hard drives of recycled computers,” IT Wire reports in this look at the dangers of discarding computers without wiping their hard drives. Australian individuals and organisations are at risk when computers are recycled without being wiped clean, a study from the National Association for Information Destruction (NAID) points out. “For the organisations recycling their drives, this is a data breach problem. For individuals, some of their most private information is at risk,” said NAID CEO Bob Johnson.

FINANCIAL PRIVACY—SOUTH KOREA

FSS Announcing New Measures (February 20, 2014)

South Korea’s Financial Supervisory Service (FSS) is preparing to announce measures to “better protect personal information (PI) handled by financial firms following a recent massive data leak,” Yonhap News Agency reports. The measures include limiting financial firms from requesting “too much” PI. “The newly crafted measures may go into effect starting in April after preparation works,” said an FSS official. The breach that prompted the measures involved PI on “half of the country’s 50-million population” from three credit card firms—KB Kookmin, NH Nonghyup and Lotte—and Kookmin Bank.

PRIVACY PROFESSION

Ten Skills That Make a Good Privacy Officer (February 20, 2014)
While speaking to a group of law students recently, Align Technology Privacy Counsel K Royal, CIPP/US, CIPP/E, was asked what makes a good privacy officer. So she went to work. After searching related top 10 lists for compliance officers, salespeople, CEOs and managers, Royal compiled this list of 10 skills necessary to becoming a good privacy officer for Privacy Perspectives. From compliance to social work to janitorial skills, privacy officers need a swath of abilities to effectively do their jobs. “We need to follow from the front and make sure our employees succeed … Rarely do people comply with a mandate because it is a mandate."

DATA PROTECTION

Data-Centric Security: Reducing Risk at the Endpoints (February 20, 2014)

In this time of increased attacks on IT networks, the king's men are in overdrive attempting to stay ahead of these threats targeted at stealing our information. CIOs and CISOs are in a constant state of evaluating, implementing and reevaluating processes and solutions that secure the perimeter and safeguard the networks and the devices within the organization. In this exclusive for The Privacy Advisor, Jim Wyne, CIPP/US, looks at data-centric security as a method to mitigate risk and "ensure the most important asset of the business, the data, is protected."

SOCIAL NETWORKING

Dating App Vulnerability Allowed for Pinpointing User Locations (February 20, 2014)

Tinder, an app facilitating spur-of-the-moment dating, reportedly has a security problem leading to users’ exact physical locations being divulged without their consent, The Washington Post reports. Instead of rounding to the nearest mile when searching for potential dates in your immediate vicinity, the app’s servers were giving out data that would allow hackers with “rudimentary skills” to determine a user’s location within 100 feet. Security researchers told Tinder about the security lapse in October; the company responded in December and addressed the problem, the report states. (Registration may be required to access this story.)

CLOUD COMPUTING

On Contracting and Compliance: Are You Up-to-Speed? (February 19, 2014)
With more and more organizations embracing cloud computing while others in highly regulated industries such as government, healthcare and finance remain hesitant, “it is time to get to grips with cloud computing,” writes Christopher Millard, a professor of privacy and information law at the Centre for Commercial Law Studies, Queen Mary, University of London. In this Privacy Perspectives post, which also previews a full-day preconference workshop at next month’s IAPP Global Privacy Summit, Millard makes the case for why privacy pros need to get up-to-speed on what can be a very complex undertaking. Editor’s Note: Millard’s series of articles on cloud computing and European law are available to IAPP members in the IAPP Resource Center.

DATA PROTECTION

Dutch Telecom and Silent Circle To Encrypt Phone Calls (February 19, 2014)

Dutch telecommunications provider KPN has struck a deal with encryption service Silent Circle to provide customers in Belgium, Germany and The Netherlands with encrypted phone calls and text messages, PCWorld reports. Silent Circle currently has servers in Canada and has plans for one in Switzerland. KPN has said it plans to build a server in The Netherlands so that data doesn’t leave the country, the report states. This June, KPN customers will be able to download Silent Circle services Silent Phone and Silent Text. Silent Circle has also been working with Geeksphone to create the Blackphone, a smartphone designed to protect user privacy.

SOCIAL NETWORKING

New Program Manages Privacy Settings (February 19, 2014)

GigaOM reports on My Face Privacy, a new product from Israeli software firm CallingID, designed to manage the privacy settings of multiple social networking sites—including Facebook, Twitter, Google+ and LinkedIn. The desktop-only application works like a password manager and offers four preset privacy settings. “Social networks are trying to make as much information visible to as many groups as they can,” said CallingID Executive Vice President Yair Nissan. “They have a default set of privacy policies, which is not restrictive at all. They complicated the way that you can change and manage your privacy settings—you have to go through many screens, and unless you’re an expert, you probably won’t find all the different parameters because they’re hiding them very well.”

PRIVACY LAW

German Advocates Get Right To Sue; U.S. States Continue on Anti-Surveillance Path (February 18, 2014)

In this Privacy Tracker weekly legislative roundup, read about the prospects of German advocacy groups getting the right to sue businesses, the status of the Philippines’ cybercrime law and proposals in the U.S. pushing for less data collection and more consumer protections. The Utah attorney general has stopped using administrative subpoenas for cellphone and Internet data, saying “writing yourself a note to go after that stuff without any check is too dangerous,” while the Senate looks at a bill that would mean law enforcement needs a judge’s order as well. Also, Orin Kerr has published an article supposing what a communication privacy act might look like if the U.S. scrapped ECPA and started from scratch, and there’s a handy interactive map outlining the status of social media privacy laws throughout the U.S. (IAPP member login required.)

PRIVACY COMMUNITY

The Perspectives Conversation, Past and Future (February 18, 2014)

Last February, we unveiled our very first blog, Privacy Perspectives, and in the year since, we’ve received a range of contributions from privacy pros working in the public and private sectors, across virtually all industries. This Perspectives installment pauses to take a look back at the last calendar year, one filled with major privacy news stories—from the EU-U.S. data protection debate, to the Snowden disclosures, to the Target breach. But not all contributions were based on breaking news. Perspectives also featured personal tales within the privacy profession, insider tips for day-to-day operations, our changing social and legal norms and the difficult debates that are shaping how organizations, policy-makers and privacy professionals think about privacy.

PRIVACY LAW

Cline: U.S. Leads World in Privacy Violation Fines (February 18, 2014)

Jay Cline, CIPP/US, writes for Computerworld on EU leaders’ belief that the U.S. has not adequately enforced the EU-U.S. Safe Harbor agreement, citing research showing that is not the case. “Any way you cut the data,” Cline writes, “the U.S. dwarfs Europe and every other jurisdiction in doling out fines for data privacy violations. If privacy is measured by its weight in gold, America is the safest place on earth for personal data.” Cline’s report looks at the history of Safe Harbor, highlighting his team’s research on fines of $100,000 or more imposed by government agencies for privacy violations. “We also set out to rank-order the top privacy fines in history,” he writes. “When we did this, the U.S. dominated the leader board.”

DATA PROTECTION

Survey: Users More Hesitant To Click on Ads, Use Unknown Apps (February 18, 2014)

TRUSTe has released its third annual consumer confidence privacy research survey, which found that privacy concerns are up significantly from last year, with 74 percent indicating they are more concerned about privacy than they were a year ago. While 70 percent said they are more confident than one year ago that they can manage their online privacy, that may have negative repercussions for industry, with those surveyed indicating that means not clicking on ads or using apps they don’t recognize.

PERSONAL PRIVACY

Privacy Is Not Dead: “It’s Aliiiive” (February 14, 2014)
In honor of both Valentine’s Day and the zombie genre, Intel Chief Privacy and Security Counsel Ruby A. Zefo, CIPP/US, CIPM, shares her love of the undead by exploring 10 ways privacy is not dead. “At worst, it is the living dead,” she writes in this post for Privacy Perspectives. “Perhaps like Frankenstein’s monster, you thought it was dead, but in fact, it’s allliiiive!”

DATA LOSS

Store, Healthcare Entities, Hotels, Bank Announce Breaches (February 14, 2014)

A number of brands have announced breaches this month, including Tesco, which was the victim of a breach not because of its own systems but as a result of breaches at various websites in which users employ the same username and password across multiple sites. A U.S. senator recently said data breaches are simply a “fact of life” these days, and an eSecurity Planet report explains why brands’ stock prices may actually rise after breaches. The Privacy Advisor examines these and other recent breach reports.

PRIVACY LAW—AUSTRALIA

How To Prepare For Those New Laws (February 13, 2014)

With the deadline to comply with Australia’s new data privacy laws fast approaching, Minter Ellison’s Tarryn Ryan and Veronica Scott examine one of the key features of the Australian Privacy Principles (APPs)—effectively legislating for the concept of Privacy by Design—in this exclusive for The Privacy Advisor. In a related story, CIO offers tips on how to best comply, noting the new legislation will allow the privacy commissioner to seek penalties—up to $340,000 for individuals and $1.7 million for companies—for serious breaches. Ryan and Scott note, “For the first time there will be a stand-alone provision that requires organisations to manage personal information in an open and transparent way.” Meanwhile, speaking at an iappANZ event, Privacy Commissioner Timothy Pilgrim, who will release guidance on the new legislation next week, “said he will not rule out putting his new enforcement powers to the test in their first 12 months, but said his office would take into account the steps an organisation had taken to achieve compliance with new privacy legislation before applying fines,” ITnews reports.

PRIVACY—NEW ZEALAND

Privacy To Be “Major Election Issue” in 2014 (February 13, 2014)

“Last year was not a good one for New Zealand privacy-wise,” University of Auckland Business School Associate Prof. Gehan Gunasekara writes in this feature for The Privacy Advisor, looking back over the developments of 2013 and venturing “some predictions as to what may lie in store in 2014.” Gunasekara examines many of the headline-making issues of the past year. Looking toward the future, he writes, “Privacy will be a major election issue this year,” and suggests, “There is still time for the government to redeem itself by introducing the long-promised Privacy Act replacement, but time is running out.”

DATA LOSS—NEW ZEALAND

Breaches Shed Light on Need for Privacy Protection (February 13, 2014)

Recent years’ high-profile breaches at Accident Compensation Corporation, Ministry of Social Development and the Earthquake Commission “have shed an unprecedented light” on the need for protecting personal information, KPMG Advisory Practice Partner Souella Cumming writes for The Privacy Advisor. Looking at the implications for the year ahead and beyond, she writes, “One of the benefits of the high-profile breaches is the increased public awareness about the safety of the information they entrust to public- and private-sector organisations … Public- and private-sector organisations need to respond to these expectations and find enhanced ways of providing confidence to their customers and stakeholders.”

BEHAVIOURAL TARGETING—AUSTRALIA

Survey: Loyalty Program Members “Happy” To Share Data for Benefits (February 13, 2014)

The new study “Share the Love: 2014 Consumer Study into Australian Loyalty Programs” has found that 73 percent of respondents “are happy for organisations to analyse their data for personal benefits, but half don't want third-party organisations getting their hands on their information,” CMO reports. The report, which was produced by customer loyalty consultant Directivity and digital marketing agency Citrus, also found that members are more likely to provide such information as gender at 87 percent, postcodes at 83 percent and e-mail addresses at 78 percent. Respondents were less likely to share mobile phone numbers and income information.
Full Story

EMPLOYEE PRIVACY—AUSTRALIA

Commissioner Makes Updated Ruling on Applicant PI (February 13, 2014)

PSnews reports on Australian Information Commissioner John McMillan’s updated ruling involving “the disclosure of personal information of a successful applicant in Australian Public Service (APS) recruitment processes.” McMillan ruled that other than the successful applicant's name and a statement noting the applicant was selected for promotion, “the remaining vocational assessment information was the personal information of the successful applicant,” the report states. Disclosing such information “would be unreasonable under the FOI Act and contrary to the public interest,” McMillan said, noting the prior perception that it was reasonable to disclose assessment information needed reassessment.
Full Story

CHILDREN’S PRIVACY—NEW ZEALAND

New Resource Advises of Online Dangers (February 13, 2014)

Privacy Commissioner Marie Shroff and cyber-safety watchdog NetSafe have produced an online resource that teachers can use in their classrooms to help children learn about online dangers, Radio New Zealand News reports. “We’ve moved into a digital environment. It’s the digital century,” Shroff said, adding, “These children are going to grow up as digital citizens, so it’s never too early to provide the teachers with the resource to help them guide the children towards safe internet activity.”
Full Story

HEALTHCARE PRIVACY—AUSTRALIA & NEW ZEALAND

Report Examines Scrapping of Global “Injury Passports” (February 13, 2014)

The Sydney Morning Herald reports how “International Rugby Board (IRB) lawyers scuppered a plan to use ‘injury passports’ to monitor at-risk players for concussion more than two years ago” due to privacy concerns in a story involving a championship-winning player on indefinite leave due to concussions. “IRB was thwarted in an attempt to develop a global player database that would document and transfer information on players with a legacy of head injuries,” the report states, noting, “A similar program has been up and running in New Zealand for a decade … The Australian Rugby Union also maintains a similar database.”
Full Story

DATA LOSS—SOUTH KOREA

FSC To Deal “Sternly” with Breach (February 13, 2014)

Yonhap reports the Financial Services Commission (FSC) has reiterated “it will sternly deal with a recent massive data breach and overhaul measures to better protect personal information.” The FSC revealed last month “that some 20 million clients’ personal data, including bank account numbers, addresses and credit ratings, had been leaked from three credit card firms,” the report states, noting there was also a breach involving a bank sharing customer data with an affiliated credit card company. The FSC “plans to suspend the card firms’ operations for three months, barring them from taking applications for new plastic cards or selling financial products,” and the FSC’s chairman noted, “Top executives of the credit card firms will face harsher punishment as well, including dismissals.”
Full Story

DATA LOSS

More Breaches Announced; U.S. FBI Says Target Breach Just a Foreshadow (February 13, 2014)

A Verizon report has found that a vast majority of companies who achieve compliance with the Payment Card Industry Data Security Standard (PCI DSS) annually fail to maintain that status, leaving them exposed to potential breaches and other security risks, Computerworld reports. The report found that 11 percent maintained compliance status between each PCI DSS assessment. Sebastian Maza, Verizon’s head of PCI DSS Asia Pacific, told The Sydney Morning Herald that businesses struggle to detect and address cyber-attacks. Meanwhile, the FBI recently warned retailers that the recent attacks against Target and other brands foreshadow events to come, and a number of brands have announced new breaches.
Full Story

PRIVACY PROFESSION

Which Drives Leadership: Compliance or Strategy? (February 13, 2014)

The privacy profession has changed dramatically during the past 20 years, as has its role within an organization, prompting Information Accountability Foundation Executive Director Martin Abrams to query, “What drives leadership in 2014? Is it the need to have a highly compliant organization in an era where compliance is very complex? Or is a strategic approach to information governance when data moves from being a business facilitator to the driver of innovation?” In this post for Privacy Perspectives, Abrams looks into this debate, observes that skill sets are changing and warns that organizations that think privacy “is just another compliance program will be sitting ducks for strategic errors that will get in the way of innovation.”

PRIVACY COMMUNITY

IAPP Hits 15k Members (February 13, 2014)

At about 10 a.m. EST yesterday, the IAPP gained its 15,000th active member, a milestone that was celebrated here in our Portsmouth, NH, offices with a company-wide e-mail containing 72-point font. And then everyone got back to doing the training, certification, education and member support work that got all those members to join us in the first place. We here on the IAPP Publications Team are grateful to all of you members for the trust you place in us by reading our work and the valuable feedback and volunteerism so many of you contribute on a daily basis.
Full Story

ONLINE PRIVACY

Smart Cities Are Evolving, But Are We Ready? (February 13, 2014)

Computerworld reports on the not-so-distant future of smart cities. To some extent, they’re already here, as governments increasingly use wireless networks, Big Data, web portals and social media, among other technological tools. But a smart city—aimed at enhancing citizens’ quality of life, improving government processes and reducing energy use, among other goals—brings with it a multitude of privacy and data security implications, the report states. Five U.S. cities in particular are taking on initiatives to help manage the change to “smart.”
Full Story

INTERNET OF THINGS

The Privacy Pro’s Guide to the Internet of Things (February 12, 2014)

The rise in Internet of Things (IoT) technology has brought with it a slew of new and difficult challenges for privacy professionals and “will test our skills in the same way the more traditional Internet uses have been challenging our professional ability to identify risks, assess their likely impact and deploy practical solutions for everyone’s benefit,” writes privacy expert Eduardo Ustaran, CIPP/E. In this post for Privacy Perspectives, Ustaran provides privacy professionals with some tips—from notice to security—on navigating the IoT landscape today and into the future.

PRIVACY RESOURCES

Employee Awareness: Where the Rubber Hits the Road (February 12, 2014)

A workforce educated in proper data handling might be one of the most important tools an organization can have for preventing a data breach. Almost all of an organization’s employees touch data of some sort, yet multiple studies have shown insider negligence and disregard for policies are leading factors in breaches. This close-up on employee education and awareness offers tools, tips and insight on how to get everybody on the privacy bandwagon. Find new ways to convey the importance of privacy throughout your organization with posters, videos and tips sheets—including the IAPP’s own “Prudence the Privacy Pro” comic strip. (IAPP member login required.)
Close-Up: Employee Awareness and Education

PRIVACY LAW

Review: Transborder Data Flows and Data Privacy Law Is “Must-Have” (February 12, 2014)

“Few people personify the field they work in as much as Christopher Kuner. As a lawyer, European-American, academic and professor, and longtime leader of the ICC, Kuner straddles the fault lines of the privacy world with ease,” IAPP Vice President of Research and Education Omer Tene writes for The Privacy Advisor in his review of Kuner’s latest work, Transborder Data Flows and Data Privacy Law. Tene examines the wealth of information included in Kuner’s book, suggesting it may “constitute one of the building blocks for a new legal edifice being designed and erected these very days, a regulatory model for a technologically borderless world.” Editor’s Note: Kuner shares some thoughts from his book in this post for Privacy Perspectives.
Full Story

SURVEILLANCE

Internet Giants, Users Worldwide Take Part in “The Day We Fight Back” (February 11, 2014)

Gizmodo reports on protests happening around the world today as part of “The Day We Fight Back,” a global initiative against governments’ surveillance programs. The Electronic Frontier Foundation is among those calling on Internet users worldwide to participate in the movement, which asserts mass surveillance violates human rights law. Google, Microsoft, Facebook and other tech giants have signed on to the roster of participating groups, National Journal reports. Rep. Matt Salmon (R-AZ) says the U.S. is locked in a “fight of epic proportions” over the constitutional right to privacy, The Hill reports.
Full Story

ONLINE PRIVACY

Google, comScore Team Up; Alternative Search Traffic on the Rise (February 11, 2014)

Google and comScore have announced a partnership to better determine the effectiveness of web-based ads in real time and help businesses change ads on the fly, The New York Times reports. A Google representative said, “It’s going to, for the very first time, give advertisers and publishers real-time insights into whether their campaigns are delivering.” In a blog post, Google said it’s part of a larger plan to bring more transparency to advertising. Forbes reports on the rise in traffic to non-Google search sites. The CEO of Startpage and Ixquick said, “The consciousness is only slowly building on the dangers … It is very easy to see how this treasure trove of data can be misused in the future.” (Registration may be required to access this story.)
Full Story

BIOMETRICS

Facial Recognition Tech Used in Sochi; Expanded Uses Expected (February 11, 2014)

San Jose Mercury News reports on facial recognition software being used at the international airport in Sochi, Russia. Made by U.S.-based Artec Group, the technology uses a 3D camera to identify individual faces with the intent of improving airport security. Artec Group Chief Executive Artyom Yukhin said the software can differentiate between identical twins, isn’t fooled by disguises and has been tested in airports around the world, the report states. Meanwhile, a World Economic Forum report predicts that facial recognition will be implemented as part of fully automatic check-in systems at airports and border crossings by 2025. And last week, the U.S. NTIA kicked off talks aimed at creating a voluntary code of conduct for facial recognition technology.
Full Story

PRIVACY LAW

Two Countries Seek Increased Gov’t Access to Digital Data (February 10, 2014)

Nigeria and Turkey are both considering government-proposed legislation that would require service providers to turn over to law enforcement customers’ data upon request—with fines, and possible jail time for company officers, for noncompliance in Nigeria. In the U.S., senators are addressing breach response and online privacy concerns with bills of their own as the fallout continues from the Target and Neiman Marcus breaches as well as the Snowden revelations. And in Australia, the deadline for the Australian Privacy Principles looms large. The Privacy Tracker’s weekly legislative roundup covers all this and more. (IAPP member login required.)

BEHAVIORAL TARGETING

Verizon Ad Program Will Track Web Habits (February 10, 2014)

Computerworld reports on recent changes to Verizon Wireless’ Relevant Mobile Advertising Program allowing it “to track your desktop surfing habits on the web and use that information to help advertisers deliver targeted ads to your mobile phone.” In his report, Robert L. Mitchell discusses why he chose to opt out of the program, which will assign users “anonymous unique identifiers” that link back to mobile phones, allowing the company to offer advertisers information to deliver targeted ads. Mitchell writes, “Information is the coin of the realm. So if you have a choice, why give it away? What's your personal data worth? Are you giving it up? And if so, are you getting value in return?”
Full Story

PRIVACY

Tips To Determine If Your Printer has Internal Storage (February 7, 2014)

Some high-end printers and copiers retain digital copies of documents in their internal storage. This PC Magazine report offers tips from its lead analyst for printers and scanners, M. David Stone, on how to determine whether your printer is one of those, and if it is, what precautions to take to be sure it’s inaccessible when you get rid of it. If your printer has private printing or the ability to re-order the print queue via an embedded webpage, it may have internal storage capabilities, Stone says. When in doubt, he recommends opening it up and poking around: “Take it out to the street, and bang on it with a hammer until the insides rattle nicely,” says Stone.
Full Story

INFORMATION ACCESS

Twitter Wants To Tell Customers More (February 7, 2014)

Though the Department of Justice recently announced a deal with major Internet firms to “allow more detailed disclosures about the number of national security orders and requests,” Twitter says the deal doesn’t go far enough. A blog post by Jeremy Kessel, manager of global legal policy, reads, “While this agreement is a step in the right direction, these ranges do not provide meaningful or sufficient transparency for the public.” Twitter wants to disclose numbers of national security requests of all kinds separately from all other requests and believes the ranges are too broad to be meaningful. Further, Twitter wants to disclose “that we do not receive certain types of requests, if, in fact, we have not received any.”
Full Story

PRIVACY LAW—AUSTRALIA

As Deadline Approaches, APPs Continue To Make Headlines (February 6, 2014)

With the 13 Australian Privacy Principles (APPs) set to replace the Information Privacy Principles and National Privacy Principles in March, many articles are offering tips on what organisations should be doing to prepare. In a report for The Guardian, Paul Farrell details how the new laws will work, and in her feature for The Sydney Morning Herald, Sylvia Pennington writes that those organisations that don’t take “reasonable steps” to comply “face the prospect of a big stick as the Office of the Australian Information Commissioner will have greater powers to investigate and the ability to impose penalties of up to $1.7 million for those found to be in breach.” Pennington highlights seven tips for organisations preparing for the APPs. Meanwhile, Australasian communications firm SenateSHJ predicts privacy will be one of the top issues and trends for 2014.
Full Story

SURVEILLANCE—AUSTRALIA

McMillan: Intelligence Should Be Subject to FoI (February 6, 2014)

In a recent interview, Information Commissioner Prof. John McMillan tells The Guardian intelligence agencies should be subject to Freedom of Information (FoI) laws. “My preference would be at least for the FoI Act to apply to the intelligence agencies,” McMillan said, adding, “I think the FoI Act can suitably apply to any agencies, parliamentary departments and the intelligence agencies. The exemptions are adequate to protect whatever has to be protected.” The report notes which agencies are currently exempt from FoI legislation, and quotes McMillan as saying despite his perspective, “I think it unlikely in the near future that there’s going to be any change.” Meanwhile, in other surveillance-related headlines this week, Google, Microsoft, Apple, Yahoo, Facebook and LinkedIn have published new U.S. government data request statistics.
Full Story

DATA LOSS—NEW ZEALAND

MPs’ Banking Details Shared (February 6, 2014)

Parliamentary Service has shared the banking information of nine MPs with Vodafone in its “second privacy blunder” last year, Stuff.co.nz reports. The other breach involved the release of “e-mails and swipe card details of Fairfax journalist Andrea Vance and UnitedFuture leader Peter Dunne” and resulted in the resignation of Parliamentary Service’s general manager. A financial review by the government states the most recent breach was “caused by an electronically generated system error … A manual system is now being used to stop this happening again, and the service has formed an internal group to improve risk awareness.”
Full Story

PRIVACY—HONG KONG

Opinion: Privacy Loopholes Must Be Plugged (February 6, 2014)

In an editorial, the South China Morning Post details the busy year the Hong Kong Privacy Commission has had, including “a record number of complaints and more warnings and enforcement notices issued than before.” The editors suggest, “While the increase may stem from stronger public awareness, it also shows privacy protection still leaves a lot to be desired.” The editorial points to the need to regulate cross-border personal data transfers: “As urged by the watchdog, the provision should be enforced as soon as possible or Hong Kong’s status as a financial and regional information hub will be undermined.” Editor’s Note: The IAPP Asia Privacy Forum is coming to Hong Kong on 31 March.
Full Story

DATA PROTECTION—SOUTH KOREA

Commissioner Fines Google Over Street View (February 6, 2014)

South Korea’s communications regulator is fining Google over its Street View operations there. It’s the regulator’s first fine of a global company for privacy violations. The $196,000 fine results from the collection of residents’ personal data while the company took pictures for its Street View service, The Korea Herald reports. The move follows similar actions in Canada and France, among other jurisdictions. “This commission will punish those who collect information of the Korean public without exception,” said Korea Communications Commission Chairman Lee Kyung-jae. Meanwhile, the Financial Services Commission has found Prudential Life Insurance provided clients’ personal information to outsiders by granting access to the company’s intranet.
Full Story

PRIVACY COMMUNITY

What’s Bruce Schneier Doing at Co3? (February 6, 2014)

Why would an internationally known thinker on security issues leave a gig as chief security technology officer at a large telecom to serve as CTO of a much smaller software company? That was a question some observers might have been pondering when incident response software maker Co3 announced that Bruce Schneier was joining the company. In this exclusive for The Privacy Advisor, Schneier answers that question and shares his thoughts on how Co3 can help the security and privacy communities.
Full Story

CLOUD COMPUTING

CPO Discusses Data Sovereignty and Future of the Cloud (February 6, 2014)

In a Q&A with itbusiness.ca, McAfee CPO Michelle Dennedy, CIPP/US, CIPM, discusses data privacy and the cloud. “It’s great that there are a couple of companies … discussing privacy at all in the boardroom, but typically it is coming out of the audit committees or it’s coming as a reaction to fines that have been levied” when it should be thought of as an “asset value,” she said. Regarding in-country cloud providers, Dennedy said “the mentality that dirt can actually be a boundary for data is a mistake,” predicting a satellite cloud company will eventually be “the cloud provider of all.” Meanwhile, UpCloud, which complies with Finnish privacy law, plans to open a data center in the U.S., and ZDNet reports that hosting cloud services outside the U.S. may increase NSA surveillance.
Full Story

MOBILE PRIVACY

Apple Cracks Down on Tracking Apps; Developers Unhappy (February 5, 2014)

NBC News reports that Apple has started cracking down on mobile apps that collect Identifiers for Advertisers (IFAs) without actually showing any advertisements to the user. Until this week, a clause Apple added in its developer license agreement had gone unenforced. Mixpanel’s Suhail Doshi said, “I really believe that most developers using IFA are trying to (understand) if spending money on advertising was cost effective—as opposed to ‘spying on their users.’” Doshi also warned, “The new policies around it are now likely to cause app developers, as a last resort, to do things that will be worse for consumer privacy as they work around IFA—with far less transparency.”
Full Story

DATA PROTECTION

How To Change Employee Password Habits (February 4, 2014)

Password reuse across multiple websites and company logins is a major weak link in company security systems. In a survey CSID conducted in 2012 on password habits, 61 percent of the respondents reused the same password for multiple sites, and 44 percent of respondents reported they change their passwords once a year or less. Employee password reuse creates a new layer of risk for businesses, especially when major enterprises are hacked. A breach today can affect more than just the initial company—it can affect your business and many others, writes Joe Ross in this exclusive for The Privacy Advisor.

INTERNET OF THINGS

Thierer: Let’s Not Hit the Panic Button Just Yet (February 4, 2014)

The rise of Internet of Things (IoT) connectivity has brought with it increasing concerns about privacy protection and “the potential for massive security threats and privacy violations in a world of always-on, always-sensing devices,” writes Adam Thierer, a senior research fellow at George Mason University’s Mercatus Center. Though “there are some valid reasons for concern,” he notes, “it may be the case that some of the problems we fear today never come about.” In this post for Privacy Perspectives, Thierer argues that there isn’t yet need to hit the panic button as “most of us will likely quickly adapt to this new era” and “will likely find practical solutions to many of the problems that arise.”
Full Story

DATA PROTECTION

Lawmakers Optimistic Data Privacy Law Will Pass; PCI DSS “Remains Solid” (February 4, 2014)

While SC Magazine reports on the current state of global data breach legislation, The Hill reports some U.S. lawmakers are optimistic that a data privacy law will pass this year. Rep. Joe Barton (R-TX) said, “It’s one of the few issues in the next 10 months that the House and Senate can work with the president on … I’ll go out on a limb here and predict that we’ll actually do that.” Meanwhile, in an interview with Computerworld, the Payment Card Industry Security Standards Council's Bob Russo said the standards are solid, and the Independent Community Bankers of America said at a hearing Monday that retailers should ultimately pay for a breach when hit by one. In healthcare, a recent study revealed that breaches cost healthcare providers $1.6 billion per year.
Full Story

PRIVACY

Ten Steps to a Quality Privacy Program, Part Six: Test Your Incident Response Program (February 3, 2014)

In part six of the series "Ten Steps to a Quality Privacy Program," Deidre Rodriguez, CIPP/US, looks at testing incident response programs. This can involve key stakeholders from various departments and potentially happen twice a year, involving a number of action items. "You do not want to find yourself in the middle of an incident and realize that you do not have what is needed to respond efficiently and effectively," Rodriguez writes in this exclusive for The Privacy Advisor.