Canada Dashboard Digest

Are you sick of hearing about Heartbleed? If you are, you may want to skip some of the stories profiled in this week’s Dashboard Digest. If, however, you are like me, you might still be confused by the array of stories about the technical vulnerability, how it works and what damage it might have caused. I had to do a fair amount of self-study this week to prepare for an on-air interview with the CBC, and I must admit that the more I read about it, the more questions I had.

One thing is for sure: We work in an increasingly dynamic industry where things change faster than ever. What was once considered secure is actually not. Safeguards that you thought were good enough, aren't. I suppose that’s all the more reason the privacy professional needs tools like the Dashboard Digest—to try and stay on top of what’s going on.

With respect to the Heartbleed saga, we felt that you deserved even more opportunity to learn about it, so we have added a session to this year’s Symposium that promises to educate privacy professionals on exactly what they need to know about the vulnerability. I hope you can make it to Toronto if you're keen to learn more.

Somewhat overshadowed by Heartbleed were two rather significant decisions from Commissioners Denham and Cavoukian. Read on to learn more because these, too, are important events. 

Have a great weekend, and happy (Easter egg) hunting!

Kris Klein
Managing Director
IAPP Canada

Top Canadian Privacy News

PRIVACY LAW

Commissioner: WiFi Case “Still Unresolved” (October 29, 2010)

Postmedia News reports that the Office of the Privacy Commissioner (OPC) has called issues around the collection of data from unsecured wireless networks by Google's Street View vehicles "that unintentionally led to serious breaches of Canadian privacy law 'still unresolved' as the company has not confirmed it will follow recommendations." Privacy Commissioner Jennifer Stoddart has not received any official communication from Google since learning the company inadvertently collected personal information on thousands of Canadians, the report states. "We await Google's official response," an OPC spokeswoman said at a parliamentary committee hearing on Thursday, noting the privacy commissioner "wants proof and evidence that (the recommendations) have been implemented."
Full Story

PRIVACY LAW

Commissioners Approve PbD Resolution (October 29, 2010)

At their annual conference in Jerusalem, international data protection and privacy commissioners today approved a landmark resolution recognizing privacy by design (PbD), a concept coined by Ontario Privacy Commissioner Ann Cavoukian, Science 2.0 reports. The resolution, co-sponsored by Canadian Privacy Commissioner Jennifer Stoddart and commissioners from Berlin, New Zealand, the Czech Republic and Estonia, encourages privacy as the default and invites commissioners to promote that privacy be built into companies as the default mode. It also encourages commissioners to foster PbD's foundation principles into privacy policies, and to push for legislation and research on PbD in their jurisdictions, the report states. At the event, Cavoukian called the current moment a tipping point for privacy.
Full Story

DATA PROTECTION

Privacy and Profit Don’t Often Play Nice (October 29, 2010)

At a recent security education conference in Toronto, a privacy impact assessment specialist with the Ontario government discussed the relationship between personal information, privacy and profit margins, IT World reports. Personal information has become not just an asset but a product, she said, and privacy the obstacle to selling it. She noted the failure of complex systems such as Payment Card Industry Data Security Standards and Social Security numbers in protecting data and advocated a rethink of the relationship between security and privacy. "When we start talking about security, it's too late to talk about privacy," she said.
Full Story

HEALTHCARE PRIVACY

Are Doctors’ Offices Adequately Protecting Data? (October 29, 2010)

An audit of information found in Toronto dumpsters has revealed that doctors' offices are frequent offenders when it comes to improperly disposing of personal information, The Toronto Sun reports. The National Association for Information Destruction-Canada (NAID) hired a group of investigators to discover the amount of sensitive data found in commercial dumpsters. Of the 50 dumpsters audited, 75 percent of those at medical facilities contained personal financial or medical information. "The early indications are that a surprising amount of personal information is being put at risk," a NAID spokesman said, adding that medical identity theft is a growing problem and that some business sectors "still don't understand their responsibilities." 
Full Story

SOCIAL NETWORKING

Study Shows Most Proactive Countries for Privacy Settings (October 28, 2010)

The Unisys Security Index surveyed 10,575 consumers in 11 countries and found that 80 percent of social networking users in the U.S.--more than in any other country studied--said they regularly limit the personal information they post and restrict others' access to it, reports InformationWeek. Brazil and Germany were the next in line, with Brazil the most concerned with overall security, the report states. Patricia Titus, global chief information security officer at Unisys, says that the U.S. may be more proactive because it has "better reporting on social media issues here because Facebook is a U.S.-based company."
Full Story

ONLINE PRIVACY

Google’s Fleischer Discusses Privacy Perspectives (October 27, 2010)

Only a small fraction of users of the world's largest search engine are taking advantage of privacy controls that allow them to choose which ads are steered their way, the Associated Press reports. Peter Fleischer, Google's global privacy counsel, said he is "puzzled about why more people don't use more of the privacy controls." Google targets ads based on cookies left behind on users' Web browsers, but with its "ads preference manager," a user can wipe out cookies or alter the subject areas identified, the report states. Fleischer also spoke of the challenges of global Internet products with different nations having different privacy views, noting he expects more efforts to reach agreement on common privacy policies around the world.
Full Story

DATA PROTECTION—CANADA

Auditor Warns State Entities To Improve Practices (October 27, 2010)

Alberta's auditor general says the provincial government and the University of Calgary must do a better job of protecting data. The two entities came under fire in the auditor general's report, released Tuesday, for not demonstrating they've implemented adequate security policies, despite previous warnings, The Calgary Herald reports. The University of Calgary has been advised to improve its weak security controls regarding who has access to student information after it was admonished four times previously by the auditor general's office. The provincial government stores a vast amount of information--including personal health records--on servers across the province, the report states, which lack adequate protection to prevent unauthorized access.
Full Story

ONLINE PRIVACY

How Safe Is Your Login? (October 26, 2010)

Social networks are becoming the focus of new privacy questions about how their logins can be accessed through WiFi networks. The Wall Street Journal reports that Firesheep, a new add-on for the Web browser Firefox, "is designed to make it easy to intercept browser 'cookies' used by popular Web sites like Facebook, Twitter and others to identify their users, thereby allowing Firesheep users to log in to those Web sites posing as others." Eric Butler, a U.S. programmer who developed Firesheep, said he introduced the program as a way of bringing attention to a common weakness in Web site security. "On an open wireless network," he said, "cookies are basically shouted through the air, making these attacks extremely easy." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—CANADA

Minister Apologizes for Breach of Veterans’ Data (October 26, 2010)

Former intelligence officer Sean Bruyea, whose medical information was found to be accessed 400 times by Veterans Affairs bureaucrats without permission, has said Veterans Affairs Minister Jean-Pierre Blackburn's formal apology is not enough, The Globe and Mail reports. The apology, which also acknowledged for the first time that other veterans may have suffered similar privacy invasions, was expressed Monday in a press release but should be delivered in person by Blackburn himself, Bruyea said. "The formal apology is not just for me," Bruyea said, but to "anyone who may have gone through the same situation." Privacy Commissioner Jennifer Stoddart has launched an investigation of the breach, which thus far has found systemic problems at Veterans Affairs involving the handling of personal information, the report states.
Full Story

PRIVACY LAW—CANADA

OPC Seeks Input on Draft Report (October 26, 2010)

The Office of the Privacy Commissioner of Canada (OPC) draft report summarizing its 2010 Consumer Privacy Consultations on online tracking, profiling and targeting and cloud computing is now available on the OPC's Web site. The office received 32 written submissions and held three public events in Toronto, Montreal and Calgary that were attended by representatives of industry and government, academics, advocates and members of the public. The report proposes specific actions the office plans to take in the future and identifies areas where more input is needed. The OPC is seeking public input on the draft by November 26.
Full Story

SOCIAL NETWORKING

More Sites Tagged With Info-Sharing Concerns (October 26, 2010)

Following an investigation into a privacy breach involving popular applications on Facebook, social network MySpace and some of its apps have been found to be transmitting user information to outside advertising companies, The Wall Street Journal reports. Rapleaf, a company which compiles profiles of Internet users and was cited in the investigation as providing such information to advertisers, has stated it no longer passes such user information on to advertising networks due to privacy concerns. "The MySpace leaks appear to be more limited than those at Facebook, which has far more users and requires them to make public their name, gender and country," the report states. (Registration may be required to access this story.)
Full Story

BEHAVIORAL TARGETING

Researchers: Ads Can Expose Personal Info (October 26, 2010)

Two recent academic papers focusing on targeted advertising found that ads can expose "sensitive profile information, like a person's sexual orientation or religion, even if the person is sharing that information only with a small circle of friends," The New York Times reports. Researchers in India and Germany, who focused on ads targeted to Facebook users, noted that by clicking on ads, users could reveal such personal information along with a unique identifier. In a separate study, a U.S. researcher said she was able to determine Facebook users' ages and sexual orientation by tailoring ads to their profiles. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

Tools Enable Online Browsing Privacy (October 25, 2010)

Mercury News reports on various ways to maintain privacy on the Internet despite the pervasive tools used by search engines and marketing companies to track your movements online. Peter Eckersley of the Electronic Frontier Foundation says such ubiquitous online surveillance violates our right to "read in private," adding that "You might be reading the magazine, but it's reading you back." The report highlights a suite of tools available to increase online privacy, downloadable software to encrypt users' online searches and privacy modes within various Web browsers that allow for "private browsing," preventing the permanent storage of tracking technologies such as cookies.
Full Story

DATA LOSS—CANADA

High School Hacker Blamed for Breach (October 25, 2010)

The London Free Press reports on a massive security breach at Thames Valley District schools that left 27,000 area high school students racing to change their passwords for everything from their social networks to their bank accounts. The suspect in the incident is a 16-year-old student who hacked the district's student portal, exposing student passwords, the report states. According to the school board, the breach was shut down within an hour and the school board did not believe student marks could have been altered, but the superintendent noted, "concern now is if any student used that same password for something else."
Full Story

SOCIAL NETWORKING

Glitch Highlights Need for Apps To Comply (October 22, 2010)

A report that some of Facebook's most popular applications have been transmitting user information to Web tracking companies has privacy advocates and legislators sounding an alarm. U.S. legislators have sent a letter to the company seeking more information, and Canada’s Office of the Privacy Commissioner (OPC) said the discovery highlights the need for applications to comply with federal privacy law. "If applications covered by (privacy law) are disclosing personal information without consent, that's a significant concern to our office," the OPC said in a statement. Facebook issued a statement that there is "no evidence that any personal information was misused or even collected," but it has since released plans to introduce "new technical systems that will dramatically limit the sharing of user IDs."
Full Story

PRIVACY LAW

DPAs Find Privacy Law Infractions (October 22, 2010)

The privacy authorities of Canada and Spain have concluded investigations into Google's collection of personal information from unencrypted WiFi networks via its Street View vehicles. Canada's Office of the Privacy Commissioner has concluded that the company's activities contravened the Personal Information Protection and Electronic Documents Act and has given Google until February 1, 2011, to implement recommendations for rectification. Spain's Agencia Española de Protección de Datos (AEPD), meanwhile, is bringing sanctions against the company for five infractions of Spanish law, the Latin American Herald Tribune reports, and is charging Google Spain with transferring data to the U.S. "without the guarantees required by Spain's Information Protection Law," the report states. Google has discontinued the WiFi data collection practice and has announced it has no plans to resume it.
Full Story

ONLINE PRIVACY

Commissioner Launches Privacy Tool for Businesses (October 22, 2010)

The Office of the Privacy Commissioner of Canada (OPC) has announced that during Small Business Week this week, it is launching an enhanced online tool to help businesses protect their customers' privacy. "Businesses--big and small--are now collecting personal information about their customers," explained Privacy Commissioner Jennifer Stoddart, "and while most follow privacy laws and handle data safely, many still need help to establish the necessary privacy practices that will protect their customers and garner their trust." The Privacy for Small Business online tool offers interactive privacy assessments and the information businesses need to comply with privacy laws and to provide customers with privacy protection.
Full Story

ONLINE PRIVACY

PEI Agency Challenging Commissioner’s Order (October 22, 2010)

PEI's Island Regulatory and Appeals Commission (IRAC) has asked for judicial review of the former privacy commissioner's decision in a public records case, the CBC reports. Former Commissioner Judy Haldemann ordered the body to remove the names of secondary witnesses involved in IRAC hearings going back 20 years from the Web. Haldemann cited the risk of identity theft in her decision. But IRAC wants the court to reconsider. "We'll be looking carefully at what the court decides in this case," said IRAC Executive Director Greg Howard.
Full Story

HEALTHCARE PRIVACY

Opinion: VA Must Take Immediate Steps To Rectify (October 22, 2010)

The Canadian Medical Association Journal this week published an editorial criticizing Veterans Affairs Canada for its mishandling of medical records. After investigating a veteran's complaint, the Office of the Privacy Commissioner (OPC) concluded earlier this month that Veterans Affairs contravened the Privacy Act in sharing his medical information among government officials. Department minister the Honourable Jean-Pierre Blackburn has described the incident as "completely unacceptable," but the medical journal's editors wrote that "Serving and protecting the health information of the individuals who protect and defend us requires more than moral outrage." They said, "Veterans Affairs should stop treating veterans like insurance claimants and start treating them like beneficiaries who paid their country in blood."
Full Story

PRIVACY

Looking to the Future: Essential Skills for CPOs (October 20, 2010)

In a feature for GovInfoSecurity, Upasana Gupta quotes a scenario written by IAPP Board Chairman Nuala O'Connor Kelly, CIPP, CIPP/G, of GE and Michelle Dennedy of Oracle on the future of privacy in a fully networked world where between waking and 9 a.m. each morning, "you've already generated a terabyte of data in your personal account in the cloud." With ever-changing technology, Gupta writes, the top four skills privacy leaders will need in the decade ahead are the understanding of IT security and risk, encryption technologies, international privacy laws and the implications of cloud computing. The privacy profession, she writes, "is moving from regulatory compliance and breach notifications to being identified by development in various applications."
Full Story

ONLINE PRIVACY

CEA: Personal Data Should Be Paid For (October 19, 2010)

BBC News reports on the U.S. Consumer Electronics Association (CEA) statement that companies seeking to make use of the personal information people share online should pay for it. "The mining of personal data is here to stay," said Sean Murphy of the CEA, noting, "Privacy is only going to continue to get increased attention in the years and months to come." With privacy topping the CEA's list of technology trends to watch for in the year ahead, advocates suggest the key is for consumers to be "fully informed, have control of their data and choose to opt in to some sort of scheme that offers payments" for sharing their personal information. Editor's note: For more on the view of personal data as a commodity, read "Valuing, protecting and commoditizing your personal information: Is 'data banking' the answer?" from the June issue of Inside 1to1: Privacy.
Full Story

DATA PROTECTION

BC Gives Tenants, Landlords Guidelines (October 15, 2010)

The Privacy Commissioner of British Columbia has released privacy guidelines for landlords and tenants, Straight.com reports. The guide answers 38 frequently asked questions and is intended to help landlords and tenants understand their rights and responsibilities under the Personal Information Protection Act. The guide advises tenants to "avoid disclosing" their social insurance number to landlords. "It is not necessary for a landlord to request a tenant's SIN in order to complete a credit check," the guide states. "All that is required is the tenant's full name, date of birth and current address." Tenants also have the right to request to see what information their landlord has collected about them.   
Full Story

PRIVACY LAW

FISA To Regulate Commercial Messages, Carry Steep Penalties (October 15, 2010)

On last week's Privacy Tracker call, experts discussed Canada's Fighting Internet and Wireless Spam Act (FISA), which has been reintroduced to the legislature and is expected to pass either by the end of this year or by summer 2011. The bill, also known as C-28, aims to deter spammers by requiring expressed opt-in consent before any commercial electronic message could be sent from or received on a computer located within Canada. It also includes provisions on malware and the alteration of transmission data through "phishing" and would grant the Canadian Radio-television and Telecommunications Commission new enforcement powers. But the scope of the law and its steep penalties, $1 million per violation for an individual and $10 million per violation for an organization, have some concerned. Privacy Tracker subscribers: Learn more about the bill in this post-call analysis on the Privacy Tracker Web site. Archived audio is also available. (Full story available to Privacy Tracker subscribers only.)
Full Story

CHILDREN’S PRIVACY

Study Shows Most Canadian Toddlers Have Photos Online (October 15, 2010)

The security firm AVG has released study results that show 82 percent of kids under the age of two in 10 nations have an online presence, the National Post reports. Newborns and toddlers in the U.S., New Zealand, Canada and Australia are the most likely to appear online in photographs, the report states. "It reinforces the need for parents to be aware of the privacy settings they have set on their social network profiles. Otherwise, you may be sharing your baby's picture not only with your friends and family but with the whole online world," said AVG Managing Director Peter Cameron.
Full Story

PRIVACY LAW

Data Protection Laws Expanding Worldwide (October 14, 2010)

Dark Reading reports on the expansion of data protection laws across the globe as detailed in the report "A New Era of Compliance: Raising the Bar for Organizations Worldwide" from the RSA and the Security for Business Innovation Council (SBIC). The report analyzes how new legislation and strengthened regulations are forcing businesses to change their approaches to compliance. In the report, which includes recommendations from SBIC for enterprise security teams, Art Coviello of the RSA notes, "Regulators are making it clear that you're on the hook for ensuring the protection of your data at all times, even when it's being processed by a service provider."
Full Story

SOCIAL NETWORKING

Common Sense and Trust Key To Preserving Patient Privacy (October 14, 2010)

The key to protecting patient data in an age of social media is hiring good employees. Good employees know better than to breach patient confidence, says a HealthLeaders Media report. "The problem is," says Arthur Derse, director of the Center for Bioethics and Medical Humanities at the Medical College of Wisconsin, "students and employees and younger folks coming into work think of Facebook and Twitter as something you do." He says patient information is like radioactive material. "It must be contained." Pamela Paulk of Johns Hopkins Hospital says it's a matter of trust. "We really do believe that our employees are going to do the right thing," Paulk said.
Full Story

ONLINE PRIVACY

HTML 5 Concerns Persist (October 14, 2010)

HTML 5 is already being used to create new ways of experiencing online content and is raising privacy concerns as it is expected to provide improved opportunities for tracking consumers' online activities. The New York Times "Tech Talk" podcast features a discussion of the implications of the new technology, including the ability to collect personal data. The report notes that such information as browsing histories, blog text, photos and messages can be collected and stored, and deleting HTML 5 storage "can be tricky." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—CANADA

Gov’t Data Sharing “A General Concern” (October 13, 2010)

The findings of the federal privacy commissioner's investigation into Veterans Affairs Canada's data handling have prompted concerns that other federal departments may be disseminating personal information about government critics, The Hill Times reports. Commissioner Jennifer Stoddart last week released investigation results indicating that Veterans Affairs contravened the Privacy Act in sharing a veteran's sensitive records with certain government officials. Stoddart told The Hill Times that the potential that other departments may be engaging in similar activities is "a general concern" but added, "At the present time, I have no indication that this is happening in other departments."
Full Story

SOCIAL NETWORKING

Advocates Pleased with Facebook Changes (October 12, 2010)

Privacy advocates are voicing approval of Facebook's new privacy features, which will allow users greater control over their personal data, OUT-LAW.com reports. The changes include a "dashboard," which will display to users which applications are active and the data they collect. The Electronic Frontier Foundation welcomed the change, the report states. "We think that this is an important step forward in terms of providing more transparency to users about where their Facebook data is going and who is using it." Additional features will allow users to export all of their uploaded data from the site and create private groups for communications.
Full Story

PRIVACY LAW—CANADA

Veterans Affairs Minister Responds to Findings (October 12, 2010)

The Minister of Veterans Affairs Canada has responded to the federal privacy commissioner's conclusions following an investigation into the department's handling of a veteran's personal information. In a report released last week, Privacy Commissioner Jennifer Stoddart described her office's findings as "alarming," stating that the department contravened the Privacy Act in sharing veteran Sean Bruyea's sensitive records, according to a Toronto Star report. The Honourable Jean-Pierre Blackburn said in a statement that he is taking the report "very seriously" and that a senior government expert will assist his department in implementing Stoddart's recommendations. Meanwhile, Bruyea is suing the federal government for $200,000.
Full Story

HEALTHCARE PRIVACY

Hospital Sets Policy, IPC Satisfied, Case Closed (October 8, 2010)

The Peterborough Regional Health Center (PRHC) announced that an investigation into how St. Joseph's hospital left 25,000 medical files and about 70 hard drives behind when it relocated is now closed. The Peterborough Examiner reports that after working with the Office of the Information and Privacy Commissioner of Ontario, PRHC's privacy officer developed a decommissioning policy to be used when moving buildings or offices to ensure that nothing is left behind, and all staff will now take mandatory yearly online privacy education. "PRHC is pleased to have received confirmation that the file is now closed and the commission is satisfied with the follow up work we have done," the hospital said in a press release.
Full Story

HEALTHCARE PRIVACY

Opinion: Electronic Medical Records Are Intrusive (October 8, 2010)

The Canadian Medical Association's plan to provide electronic access to personal medical records to family doctors, local clinics and other medical professionals continues to raise privacy concerns, William Taylor writes in an op-ed piece for the Ottawa Citizen. He asks whether "anyone ever asked us, the people, whether we want to spend another $423 million to spread our medical records around so indiscriminately? Has anyone ever asked us whether we want such an intrusive system at all?" Taylor contends that the plan is a waste of public funding, speaking out against having "personal data gathered up for broad dissemination without a smidgeon of consultation with the people who will be affected."
Full Story

PRIVACY

Dickson: Delays Due to Understaffing (October 8, 2010)

The receipt of a long-delayed freedom of information resolution has prompted a Saskatchewan city official to ask the provincial information and privacy commissioner to come up with a "more efficient process to deal with the backlog." In response, Commissioner Gary Dickson said, "I would never suggest the delays we're seeing here are acceptable." But, he added, understaffing, not inefficiency, is what causes the delays in complaint resolution. Dickson told The Star Phoenix that his requests for an additional investigator have been denied by legislative committee for the past three years and that his office handles an ever-growing number of complaints.
Full Story

PRIVACY LAW

Judge Denies Appeal Based on Juror Vetting (October 8, 2010)

The Ontario Court of Appeals has dismissed an appeal by three men who claimed their murder trial was unfair because police and prosecutors conducted secret background checks on jurors, the Toronto Star reports. Justice David Watt wrote in Tuesday's 3-0 decision that there was "not a peep from a quintet of experienced defense counsel," on the matter and that the verdicts would not have been different had the defense been made aware of the vetting process sooner. The background checks elicited concerns from Ontario Privacy Commissioner Ann Cavoukian, who said they violated privacy legislation. Cavoukian also asked the attorney general to create a centralized juror-screening process as a result.
Full Story

DATA PROTECTION

Commissioner to Tech Industry: Build in Privacy (October 8, 2010)

At the Government Technology Conference yesterday, Privacy Commissioner Jennifer Stoddart said that private sector developers need to incorporate privacy safeguards into new technology, the Ottawa Citizen reports. Stoddart said federal departments "need to know that developers in the private sector are incorporating the privacy safeguards that the public expects." Audit trails and privacy impact assessments can fail, she said, if security is not built into the hardware and programming the government buys. "Every chain is only as strong as its weakest link," Stoddart said. The commissioner also mentioned the need for updating decades-old privacy legislation, which she described as "almost quaint."
Full Story

DATA PROTECTION

PCI Supports Encryption (October 8, 2010)

The Payment Card Industry (PCI) Security Standards Council has released new guidance on card security standards, including the use of point-to-point encryption, InformationWeek reports. Troy Leach of the PCI Security Standards Council said the goal is to help organizations "understand how they can better secure their payment card data and how specific technologies may assist them in meeting the requirements of the PCI Data Security Standard." The guidance also discusses EMV card security, which requires consumers to enter a personal identification number when paying with a credit or debit card in person. Jeremy King, European regional director for PCI, said "the devil is in the details" when it comes to introducing PCI changes.
Full Story

PRIVACY LAW—CANADA

Stoddart: Veterans Affairs Mishandled Personal Information (October 8, 2010)

Privacy Commissioner Jennifer Stoddart has concluded an investigation into Veterans Affairs Canada's handling of vets' personal information and has described the findings as "alarming." The investigation followed a complaint by veteran Sean Bruyea, who discovered that his sensitive records had been shared among government officials. Stoddart confirmed this, saying Bruyea's "sensitive medical and personal information was shared--seemingly with no controls--among departmental officials who had no legitimate need to see it." Stoddart said the department's actions contravened the Privacy Act, the Toronto Star reports. She recommended specific steps for the department to take immediately. The commissioner will also launch an audit of the department.
Full Story

SOCIAL NETWORKING

Facebook Unveils Privacy Changes (October 7, 2010)

Facebook has released new privacy options, it announced at a press conference yesterday, allowing users more control over their data and communications, NPR reports. Users will now be able to create "closed" groups in order to communicate with Facebook friends privately and can also use a "dashboard," allowing them to view what personal information has been collected by games and third-party applications on the site and letting them disable some of those features. An analyst at Forrester Research called the changes a smart move for Facebook, adding the announcement "helps move the ball forward in terms of greater control and greater transparency."
Full Story

ONLINE PRIVACY

Self-Regulatory Program Overview Released (October 7, 2010)

Morrison & Foerster has released an overview of the self-regulatory program for online behavioral advertising announced earlier this week. The program features an "Advertising Option Icon" to alert users when data is collected for behavioral targeting. The Morrison & Foerster report, which is now available in the IAPP Knowledge Center, looks at the efforts by several leading media and marketing associations to address issues of consumer control. The report includes background on the origin of the program, its goals and frequently asked questions.
Full Story

PRIVACY—CANADA

Commissioner: Gaps Found in Gov’t Data Handling (October 6, 2010)

After conducting an audit of five governmental departments' data protection practices, Privacy Commissioner Jennifer Stoddart says not enough is being done to protect citizens' personal information, The Globe and Mail reports. In a report released Tuesday, the commissioner identified gaps in areas including government use of wireless devices, password protections, data destruction and encryption. "Our audits turned up some disturbing gaps in the privacy policies and practices of government institutions," Stoddart said, adding the government must be held to the highest standards. Stoddart last week received the 2010 IAPP Privacy Vanguard Award for her leadership, knowledge and creativity in privacy and data protection.
Full Story

BEHAVIORAL TARGETING

The Cookie Business is Booming (October 6, 2010)

NPR reports on the increasingly lucrative world of display ads capable of targeting specific customers by tracking their online behaviors. The online display ad market is projected to grow six percent in the next four years, the report states, but some say the tracking may go too far. "You're talking about a commercial system that's a digital dossier about your innermost secrets, concerns and personal matters," said Jeff Chester of the Center for Digital Democracy. On Monday, the online advertising industry launched a self-regulatory program aimed at better informing Web users about ad targeting.
Full Story

PRIVACY LAW—CANADA

Commissioner: Legislation Needed Ahead of EHRs (October 5, 2010)

CBC News reports on Nunavut's transition to electronic health records (EHRs) despite an absence of laws to protect patient information. Health officials plan to introduce EHRs in Nunavut in the next six months, the report states, but the territory's information and privacy commissioner says she doesn't have the power to investigate privacy violations involving patient records. "Unfortunately, the Access to Information and Protection of Privacy Act has privacy rules but no oversight and no way to address breaches," said Commissioner Elaine Keenan Bengts. "Legislation should precede the electronic record. That's not going to happen here." Bengts suggested amending Nunavut's privacy law to allow her to review breaches.
Full Story

DATA PROTECTION

Study: PCI DSS Security Compliance Often Unmet (October 5, 2010)

Organizations that suffer a data breach are 50 percent less likely to have achieved or maintained compliance with the Payment Card Industry Data Security Standards (PCI DSS) than the average organization, InformationWeek reports. That's according to a study released Monday by Verizon that drew on 200 PCI assessments and also found that the top techniques used to steal payment card data were malware and hacking. The study found that the top three requirements for PCI DSS are the most difficult for organizations to meet and also the most vulnerable to breaches. Only 22 percent of organizations comply with PCI at their initial compliance assessments, the report states.
Full Story

ONLINE PRIVACY

Paper Raises Concerns About Smartphone Security (October 4, 2010)

The user data collected by some smartphone applications can be correlated to real-world identities, Ars Technica reports, posing privacy risks to users of such popular devices as the iPhone, iPod and iPad. According to a paper by Bucknell University Assistant Director of Information Security and Networking Eric Smith entitled "iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs)," many applications request personally identifiable information affiliated with users' accounts. Smith noted that such data, combined with "extremely long-lived" tracking cookies, could result in companies tracking users' online activities for extended periods of time and across multiple devices, the report states.
Full Story

PRIVACY

Stoddart Receives Vanguard Award (October 1, 2010)

At a reception in Baltimore, Maryland last night, Canadian Privacy Commissioner Jennifer Stoddart received the 2010 IAPP Privacy Vanguard Award for her outstanding leadership, knowledge and creativity in privacy and data protection. In presenting the award, Jeff Green, CIPP/C, of the Royal Bank of Canada, described Stoddart as "a catalyst for a global approach" to privacy protection. Winners of the eighth HP-IAPP Privacy Innovation Awards were also honored at the event, with Symcor, Inc., Minnesota Privacy Consultants and Microsoft Corporation taking this year's honors.
Full Story

GEO PRIVACY

Social Network Launches Location Feature (October 1, 2010)

CBC reports on Facebook's launch of its Places feature, which allows users to share location information with their friends using the GPS on their smartphones. The feature comes with a variety of privacy setting options, the report states, and, as with photos on the site, users may "tag" their friends' locations, though there is an option for friends to disallow the location tagging feature. Facebook briefed the Office of the Privacy Commissioner (OPC) on Places before its release last week, the report states. "Obviously, we wouldn't have any complaints about it at this stage, so I don't think I can say whether it complies with federal privacy law or not," said Anne-Marie Hayden of the OPC, who noted that geolocation is "something we are very interested in, obviously, because there are obvious privacy issues."
Full Story

PRIVACY

Opinion: Stoddart, “Smart, Tough and Informed” (October 1, 2010)

An Edmonton Journal editorial lauds Canadian Privacy Commissioner Jennifer Stoddart for "singlehandedly" putting Canada on the map "among tech-savvy nations seeking to find an acceptable balance that encourages innovation while determined to protect privacy rights." Citing Stoddart's recent success in persuading Facebook to comply with Canadian privacy laws while continuing to press the company on other concerns, the article says, "No doubt, she will continue to be assiduous at the task of keeping global tech firms sensitive to the needs of legitimate privacy protection without smothering creators with undue bureaucratic strictures."
Full Story

PRIVACY

Opinion: Breaches Are Serious Crimes (October 1, 2010)

The Star Phoenix reports that the biggest threat to personal medical information isn't coming from hackers but "from those within the bureaucracy who access and share these records for personal or political purposes." The solution, the report states, is for governments to treat such breaches as serious crimes. The report suggests that in addressing illegal access, it is irrelevant why the information was breached, quoting Saskatchewan Privacy Commissioner Gary Dickson as stating, "In my experience, it's cold and empty comfort to the violated patient whose information has been collected, used or disclosed unlawfully, to be informed that the perpetrator was not an identity thief."
Full Story

PRIVACY

Sustaining a “Culture of Privacy” (October 1, 2010)

U.S. Department of Homeland Security CPO Mary Ellen Callahan, CIPP, and GE Senior Counsel, Information Governance and Chief Privacy Leader Nuala O'Connor Kelly, CIPP, CIPP/G, offered their insights on how to maintain privacy as a priority throughout organizations that must also balance competing demands and diverse regulatory requirements. Speaking at the IAPP Privacy Academy in Baltimore, MD, both shared their experiences and conclusions, suggesting that people--in the form of allies within and beyond a given organization--are invaluable assets to privacy protection. Privacy officers should focus on building a team, both agreed, as one person cannot know everything that goes on in an organization the size of the Department of Homeland Security or GE.
Full Story