Canada Dashboard Digest

Are you sick of hearing about Heartbleed? If you are, you may want to skip some of the stories profiled in this week’s Dashboard Digest. If, however, you are like me, you might still be confused by the array of stories about the technical vulnerability, how it works and what damage it might have caused. I had to do a fair amount of self-study this week to prepare for an on-air interview with the CBC, and I must admit that the more I read about it, the more questions I had.

One thing is for sure: We work in an increasingly dynamic industry where things change faster than ever. What was once considered secure is actually not. Safeguards that you thought were good enough, aren't. I suppose that’s all the more reason the privacy professional needs tools like the Dashboard Digest—to try and stay on top of what’s going on.

With respect to the Heartbleed saga, we felt that you deserved even more opportunity to learn about it, so we have added a session to this year’s Symposium that promises to educate privacy professionals on exactly what they need to know about the vulnerability. I hope you can make it to Toronto if you're keen to learn more.

Somewhat overshadowed by Heartbleed were two rather significant decisions from Commissioners Denham and Cavoukian. Read on to learn more because these, too, are important events. 

Have a great weekend, and happy (Easter egg) hunting!

Kris Klein
Managing Director
IAPP Canada

Top Canadian Privacy News

PRIVACY TECH

OWASP Looking for Volunteers for Privacy Top 10 Project (February 28, 2014)
In the cybersecurity community, the OWASP Top 10 Project is something of a touchstone. An open-source list of “the most critical web application security flaws,” it represents a consensus of experts as to what threats organizations should be most concerned with as they go about developing their projects. The project, first developed in 2007 by the Open Web Application Security Project and refreshed in 2010 and 2013, has been translated into seven of the world’s major languages, so it is a truly global tool. Sound like something privacy pros could use? Well, Florian Stahl, CIPP/IT, thought so, too. So, this month, he has launched the OWASP Top 10 Privacy Risks Project, and he’s looking for help.

SURVEILLANCE

Is Gov’t Protecting You or Invading Privacy? (February 28, 2014)

In its “Life After Privacy” series, The Globe and Mail examines the question, “Is your government gathering masses of cellphone information to protect you, or to invade your privacy?” The report looks at how intelligence agencies in Canada and beyond have been “harvesting huge amounts of potentially private data from laptops, tablets and cellphones of millions of people, including their citizens” and questions whether this is necessary because of security threats or an infringement on citizens’ privacy. (Registration may be required to access this story.)

PRIVACY COMMUNITY

Stoddart Joins IAPP Board (February 28, 2014)

The IAPP announced this week the new composition of its Board of Directors, with three notable additions, plus its newly appointed Executive Committee. Former Privacy Commissioner of Canada Jennifer Stoddart joins the IAPP’s board along with Bank of America CPO Christine Frye, CIPP/US, CIPM, and MasterCard Executive VP of Privacy and Information Guidance JoAnn Stonier. Further, Hewlett-Packard VP and CPO Scott Taylor, CIPP/US, has taken over for Past Chairman and Microsoft CPO Brendon Lynch, CIPP/US, as chairman of the board, and a new slate of officers has accepted positions. Please join us in thanking them for their service to the IAPP.

PRIVACY LAW

Court Grants Plaintiffs Anonymity in Medical Marihuana Case (February 28, 2014)

The Federal Court of Canada has agreed that denying plaintiffs anonymity in a court proceeding “would disclose the very information they seek to protect and exacerbate the damage and/or risk of harm that has already been caused by Health Canada's mailing that identified them” as taking part in the Medical Marihuana Access Program, Canada NewsWire reports. Health Canada had argued public opinion on marihuana use is now “more accepting,” the report states, but the court rejected that argument, stating, “Disclosing their identities discloses that a course of treatment has been prescribed by them by a medical doctor and that they suffer from serious health conditions and symptoms.”

DATA LOSS

Patient Data Breach, Teen Privacy Issue Examined (February 28, 2014)

New Brunswick health officials are examining allegations a doctor at the Dr. Georges-L.-Dumont University Hospital Centre in Moncton accessed personal information on 142 patients “without authorization,” The Canadian Press reports. New Brunswick Privacy Commissioner Anne Bertrand’s office has received “several complaints from affected patients,” CBC News confirms, noting a full report on the case is expected in a few months. The Canadian Press also reports on documents indicating a former police officer who is now a member of the Alberta Legislature “wouldn't give a statement to investigators probing a potential breach of a teen's privacy rights.”

INFORMATION ACCESS

Series Considers Why Police Are Not Subject to FOIP (February 28, 2014)

The Regina Leader-Post examines why police are not subject to Saskatchewan’s information access and privacy laws, plans to review the act and what the process to change the law might involve. “Police chiefs in both Regina and Saskatoon have expressed concern that the Freedom of Information and Privacy (FOIP) Act would put police work and sensitive information at risk,” the report states, noting the province’s former privacy commissioner, Gary Dickson, disagrees. “Being subject to FOIP doesn't mean that a public body loses all control and all of the records can go out the door,” he said.

PRIVACY COMMUNITY

IAPP Global Privacy Summit Is Sold Out (February 26, 2014)

The IAPP Events Team announced today that the Global Privacy Summit, happening next week in Washington, DC, is officially sold out. Were you procrastinating? Sorry about that. However, we have a couple of pieces of good news: our Show Daily newsletter, to which you can subscribe, and a discount on our next big U.S. event.

PRIVACY BUSINESS

Oracle To Buy BlueKai for $400M (February 25, 2014)

AdAge reports that Oracle has agreed to acquire BlueKai for a reported $400 million, though terms were not publicly disclosed. Among BlueKai’s offerings is technology that allows for data transfer independent of cookies but with “the same transparency and notices that cookies have.” The report says Oracle plans to integrate BlueKai with other cloud marketing products Responsys and Eloqua to “give its customers the ability to more precisely personalize messages to consumers and B-to-B buyers—the people those products are used to reach.”

MOBILE PRIVACY

IoT Focus at MWC (February 25, 2014)

The Mobile World Congress (MWC) is home to all the hottest new mobile devices, Forbes reports, and at this year’s event, the Internet of Things (IoT) and data are key themes. “Consumers currently expect ‘mobile device’ to mean smartphone and the apps we use on it, but a plethora of other device types are changing that expectation,” TJ McCue writes. He suggests that the prevalence of IoT sessions at the MWC indicates “the mobile community is taking the potential and implications of data seriously. The amount of data from IoT devices and the number of mobile products that help us share and make sense of it will only increase.”

DATA PROTECTION

On Breach Response, 50 Percent of Execs Are in the Dark (February 25, 2014)

According to The Economist Intelligence Unit’s Information Risk report, one half of executives surveyed have not been trained in what to do in response to a data breach. The report surveyed 341 senior business leaders from around the world, almost half of whom are C-suite-level executives. The unit then conducted a series of in-depth interviews with 17 senior executives on managing digital assets. Of the key findings, the report states that data risk awareness does not extend evenly across most organizations. The most knowledgeable departments tend to be IT and finance, due to the sensitive information they deal with. “This low level of awareness across the company is equally true vertically,” the report states.

CYBERSECURITY

SSL Bug Found in Apple Operating Systems (February 24, 2014)
Security researchers and experts discovered a coding flaw late last week in the operating systems that run Apple’s mobile devices and computers that could allow hackers to circumvent encrypted connections, Reuters reports. A single line in the software omitted commands to authenticate an encrypted website’s certificate, meaning hackers could impersonate sites and capture all the electronic data being communicated by users. Cryptography expert Matthew Green said, “It’s as bad as you could imagine; that’s all I can say.” Apple has offered a software update for mobile devices and said it would release a patch for Mac computers “very soon.” The bug has allegedly been present for months, and some have questioned whether it was a spy’s attempt to create a “back door” into the devices.

PERSONAL PRIVACY

Privacy Issues Raised by 3D Room-Mapping Program (February 24, 2014)

Google recently announced Project Tango, an Android-based phone with built-in, super-advanced 3D sensors capable of mapping a given area around the device, including the interiors of buildings, Motherboard reports. In its announcement, Google asked, “What if you could capture the dimensions of your home simply by walking around with your phone before you went furniture shopping?” The technology is currently only available to 200 developers, and Google says the technology is still in the early stages, but the report suggests potential privacy implications, including where the maps would be stored and who would have access to them.

INTERNET OF THINGS

The Rise of Bring-Your-Own Wearable Device (February 21, 2014)

V3.co.uk reports on the rise of wearable technology and how it has been and will be integrated into the work environment. Early adopters include Tesco, which gives smart armbands to workers to help track goods, distribute tasks and measure location movements. Another firm, Pru Health, offers employees Fitbug health devices as part of its “Vitality” program. These devices supplied by employers, as well as bring-your-own wearable devices (BYOWD), have robust personal data-gathering potential—including swaths of sensitive personal information. As smart glasses and wearable cameras become more integrated into the work environment, businesses will have to consider BYOWD policies to protect employees’ privacy expectations, the report states.

SURVEILLANCE

CSEC Ruling Disappoints Privacy Experts (February 21, 2014)

“A federal watchdog is attracting howls of protest from some privacy and Internet experts after absolving Canada’s electronic spy agency (CSEC) of using data from a Canadian airport Internet service to track thousands of passengers for days after they left the terminal,” CBC News reports. The body that oversees CSEC concluded it was not involved in “tracking of Canadians or persons in Canada.” Last week, CSEC’s John Forster told a Senate committee “a controversial effort to understand airport wireless systems did not breach the privacy of Canadians.” Ontario Information and Privacy Commissioner Ann Cavoukian is among those who have expressed disappointment over the ruling.

PRIVACY LAW

Experts Examine Next Step for Alberta’s PIPA (February 21, 2014)

In a Mondaq report, James Bond, Robert W. Pakrul and Eileen Vanderburgh look back at the November decision by the Supreme Court that Alberta's Personal Information Protection Act (PIPA) is unconstitutional and consider what will come next. “Varying degrees of scope of amendment could possibly be advanced to deal with the constitutional issues arising from PIPA's structure, which establishes a broad prohibition against any information collection, use or disclosure absent consent,” they write. Alberta Information and Privacy Commissioner Jill Clayton’s recommendation is “that the most appropriate scope of change is the narrowest one,” they write, citing her position that this “would preserve the delicate balance between freedom of expression rights, and legitimate privacy expectations of individuals, which PIPA is designed to protect.”

PRIVACY LAW

Court Generates List of Factors for Metadata Cases (February 21, 2014)

Mondaq reports on a recent Nova Scotia Court of Appeal case on “questions of relevance, proportionality and privacy in the context of whether or not to order the production of electronic information.” Laushway v. Messervey resulted in a court order requiring a plaintiff to produce a hard drive containing metadata for forensic review, and the court has created “a list of factors for judges to consider when deciding whether to grant a production order in similar circumstances,” the report states. Among the factors the court recommends in its list are privacy, balancing, objectivity, discoverability and reliability.

PRIVACY PROFESSION

Ten Skills That Make a Good Privacy Officer (February 20, 2014)
While speaking to a group of law students recently, Align Technology Privacy Counsel K Royal, CIPP/US, CIPP/E, was asked what makes a good privacy officer. So she went to work. After searching related top 10 lists for compliance officers, salespeople, CEOs and managers, Royal compiled this list of 10 skills necessary to becoming a good privacy officer for Privacy Perspectives. From compliance to social work to janitorial skills, privacy officers need a swath of abilities to effectively do their jobs. “We need to follow from the front and make sure our employees succeed … Rarely do people comply with a mandate because it is a mandate.”

DATA PROTECTION

Data-Centric Security: Reducing Risk at the Endpoints (February 20, 2014)

In this time of increased attacks on IT networks, the king's men are in overdrive attempting to stay ahead of these threats targeted at stealing our information. CIOs and CISOs are in a constant state of evaluating, implementing and reevaluating processes and solutions that secure the perimeter and safeguard the networks and the devices within the organization. In this exclusive for The Privacy Advisor, Jim Wyne, CIPP/US, looks at data-centric security as a method to mitigate risk and "ensure the most important asset of the business, the data, is protected."

SOCIAL NETWORKING

Dating App Vulnerability Allowed for Pinpointing User Locations (February 20, 2014)

Tinder, an app facilitating spur-of-the-moment dating, reportedly has a security problem leading to users’ exact physical locations being divulged without their consent, The Washington Post reports. Instead of rounding to the nearest mile when searching for potential dates in your immediate vicinity, the app’s servers were giving out data that would allow hackers with “rudimentary skills” to determine a user’s location within 100 feet. Security researchers told Tinder about the security lapse in October; the company responded in December and addressed the problem, the report states. (Registration may be required to access this story.)

BIOMETRICS—CANADA

Citizenship and Immigration May Share More Data (February 20, 2014)

The Canadian Press reports on a memorandum prepared for Citizenship and Immigration Minister Chris Alexander indicating “the government is building an information technology system that could be used for the systematic exchange of biometric data with Britain, Australia and New Zealand” in addition to the perimeter security pact with the U.S. "Systematic sharing is preferable to manual case-by-case sharing because it can generate faster responses and be done at higher volumes," according to the memo. The Office of the Privacy Commissioner has voiced concern “about high-volume, routine information sharing with other countries, saying it may be impossible to control what happens to that data once sent abroad,” the report states.

CLOUD COMPUTING

On Contracting and Compliance: Are You Up-to-Speed? (February 19, 2014)
With more and more organizations embracing cloud computing while others in highly regulated industries such as government, healthcare and finance remain hesitant, “it is time to get to grips with cloud computing,” writes Christopher Millard, a professor of privacy and information law at the Centre for Commercial Law Studies, Queen Mary, University of London. In this Privacy Perspectives post, which also previews a full-day preconference workshop at next month’s IAPP Global Privacy Summit, Millard makes the case for why privacy pros need to get up-to-speed on what can be a very complex undertaking. Editor’s Note: Millard’s series of articles on cloud computing and European law are available to IAPP members in the IAPP Resource Center.

DATA PROTECTION

Dutch Telecom and Silent Circle To Encrypt Phone Calls (February 19, 2014)

Dutch telecommunications provider KPN has struck a deal with encryption service Silent Circle to provide customers in Belgium, Germany and The Netherlands with encrypted phone calls and text messages, PCWorld reports. Silent Circle currently has servers in Canada and has plans for one in Switzerland. KPN has said it plans to build a server in The Netherlands so that data doesn’t leave the country, the report states. This June, KPN customers will be able to download Silent Circle services Silent Phone and Silent Text. Silent Circle has also been working with Geeksphone to create the Blackphone, a smartphone designed to protect user privacy.

SOCIAL NETWORKING

New Program Manages Privacy Settings (February 19, 2014)

GigaOM reports on My Face Privacy, a new product from Israeli software firm CallingID, designed to manage the privacy settings of multiple social networking sites—including Facebook, Twitter, Google+ and LinkedIn. The desktop-only application works like a password manager and offers four preset privacy settings. “Social networks are trying to make as much information visible to as many groups as they can,” said CallingID Executive Vice President Yair Nissan. “They have a default set of privacy policies, which is not restrictive at all. They complicated the way that you can change and manage your privacy settings—you have to go through many screens, and unless you’re an expert, you probably won’t find all the different parameters because they’re hiding them very well.”

PRIVACY COMMUNITY

The Perspectives Conversation, Past and Future (February 18, 2014)

Last February, we unveiled our very first blog, Privacy Perspectives, and in the year since, we’ve received a range of contributions from privacy pros working in the public and private sectors, across virtually all industries. This Perspectives installment pauses to take a look back at the last calendar year, one filled with major privacy news stories—from the EU-U.S. data protection debate, to the Snowden disclosures, to the Target breach. But not all contributions were based on breaking news. Perspectives also featured personal tales within the privacy profession, insider tips for day-to-day operations, our changing social and legal norms and the difficult debates that are shaping how organizations, policy-makers and privacy professionals think about privacy.

PRIVACY LAW

Cline: U.S. Leads World in Privacy Violation Fines (February 18, 2014)

Jay Cline, CIPP/US, writes for Computerworld on EU leaders’ belief that the U.S. has not adequately enforced the EU-U.S. Safe Harbor agreement, citing research showing that is not the case. “Any way you cut the data,” Cline writes, “the U.S. dwarfs Europe and every other jurisdiction in doling out fines for data privacy violations. If privacy is measured by its weight in gold, America is the safest place on earth for personal data.” Cline’s report looks at the history of Safe Harbor, highlighting his team’s research on fines of $100,000 or more imposed by government agencies for privacy violations. “We also set out to rank-order the top privacy fines in history,” he writes. “When we did this, the U.S. dominated the leader board.”

DATA PROTECTION

Survey: Users More Hesitant To Click on Ads, Use Unknown Apps (February 18, 2014)

TRUSTe has released its third annual consumer confidence privacy research survey, which found that privacy concerns are up significantly from last year, with 74 percent indicating they are more concerned about privacy than they were a year ago. While 70 percent said they are more confident than one year ago that they can manage their online privacy, that may have negative repercussions for industry, with those surveyed indicating that means not clicking on ads or using apps they don’t recognize.

PERSONAL PRIVACY

Privacy Is Not Dead: “It’s Aliiiive” (February 14, 2014)
In honor of both Valentine’s Day and the zombie genre, Intel Chief Privacy and Security Counsel Ruby A. Zefo, CIPP/US, CIPM, shares her love of the undead by exploring 10 ways privacy is not dead. “At worst, it is the living dead,” she writes in this post for Privacy Perspectives. “Perhaps like Frankenstein’s monster, you thought it was dead, but in fact, it’s allliiiive!”

DATA LOSS

Store, Healthcare Entities, Hotels, Bank Announce Breaches (February 14, 2014)

A number of brands have announced breaches this month, including Tesco, which was the victim of a breach not because of its own systems but as a result of breaches at various websites in which users employ the same username and password across multiple sites. A U.S. senator recently said data breaches are simply a “fact of life” these days, and an eSecurity Planet report explains why brands’ stock prices may actually rise after breaches. The Privacy Advisor examines these and other recent breach reports.

PRIVACY LAW

Two-Decade Battle Ends with Supreme Court Ruling (February 14, 2014)

Elizabeth Bernard’s 23-year battle to keep the Canada Revenue Agency (CRA), her employer, from providing public service unions with her home address and phone number has ended with the Supreme Court deciding “providing home contact information didn’t breach her privacy rights,” the Ottawa Citizen reports. The ruling states, “In our view, the compelled disclosure of home contact information in order to allow a union to carry out its representational obligations to all bargaining unit members does not engage Ms. Bernard’s freedom not to associate with the union.” The court also determined that disclosing home contact information “didn’t breach the Privacy Act because the union’s use of it was ‘consistent’ with the employment reasons that CRA collected the information for in the first place,” the report states.

PRIVACY LAW

Commissioner: Gov’t Should Overhaul Laws (February 14, 2014)

SC Magazine reports on Interim Privacy Commissioner Chantal Bernier’s recent call for the government to overhaul Canada’s privacy legislation, citing her January report on the changing context of privacy protection. “Intelligence activities are now turned towards individuals dispersed within the general population," Bernier’s report states, recommending such changes for the government as using privacy impact assessments for new programs and demonstrating the need for any personal information collected. In a recent Privacy Perspectives post, Bernier wrote that Canadians “can expect to see a plethora of challenging new issues flowing from the intersection of technology and privacy.”

SURVEILLANCE

CSEC Head: Agency Not Spying on Canadians (February 14, 2014)

Communications Security Establishment Canada’s John Forster spoke before a Senate committee Monday, telling the lawmakers “a controversial effort to understand airport wireless systems did not breach the privacy of Canadians,” The Canadian Press reports. The agency was collecting metadata and not actual content of messages and calls, the report states. One day later, Gizmodo reported on protests happening around the world as part of “The Day We Fight Back,” a global initiative against governments’ surveillance programs. The Electronic Frontier Foundation was among those calling on Internet users worldwide to participate in the movement, which asserts mass surveillance violates human rights law. Google, Microsoft, Facebook and other tech giants signed on to the roster of participating groups, National Journal reports.

PRIVACY LAW

BC May Give Police More Investigative Powers (February 14, 2014)

A bill introduced to the BC legislature on Thursday “would allow police to get a court order forcing someone to hand over a missing person’s records,” The Vancouver Sun reports. If approved, the bill would also allow police to seek court orders “to enter a private home or other location where they believe a minor, vulnerable person or person at risk is,” and in some emergencies, police could “go ahead without waiting for a court order.” The BC Civil Liberties Association’s Micheal Vonn questioned, “What will happen with that information once it’s acquired? We have some concerns, even at this preliminary stage, that the legislation allows data that is collected to be used in criminal proceedings.”

DATA BREACH

Credit Cards Compromised (February 14, 2014)

The Globe and Mail reports that nearly 700 Canadian credit cards were compromised as a result of a “new strain of computer malware infecting payment card terminals” used in restaurants and gas stations. “The viral code, JackPOS, infects point-of-sales terminals, a security breach similar to other highly publicized recent cases that struck victims such as the Target retailing chain or the White Lodging hotel management firm,” the report states, citing a map from U.S.-based security firm IntelCrawler LLC that indicated JackPOS accessed data from 400 credit cards in Vancouver and 280 cards in Quebec. IntelCrawler CEO Andrew Komarov said, “It provides (hackers) good results, as the security in this sector is surprisingly really very poor.”

HEALTHCARE PRIVACY

Minister Reiterates Call for Breach Update (February 14, 2014)

Alberta Health Minister Fred Horne said Tuesday that “no one has yet provided him with a progress report on the response to Alberta’s largest ever breach of personal information, involving the health data of some 620,000 patients of Medicentres Canada,” Edmonton Journal reports. A spokeswoman for the province’s privacy commissioner has indicated it would not be appropriate to provide updates while the investigation is ongoing. In a separate story for the Journal, Paula Simons writes that Horne “should stop saying things that sound a lot like attacks on the privacy commissioner.” Meanwhile, several healthcare professionals have submitted letters to The Star sharing their perspectives on the potential for medical data breaches and issues surrounding patient privacy.

INFORMATION ACCESS

NL Commissioner: Concerns Being Addressed (February 14, 2014)

Newfoundland and Labrador Privacy Commissioner Ed Ring has said the government has addressed his concerns about a failure to meet legislated access to information request timelines, VOCM reports. While his office may still have active reviews, Ring believes “the issue of failure of public bodies to meet timelines has been appropriately addressed,” the report states.

DATA LOSS

More Breaches Announced; U.S. FBI Says Target Breach Just a Foreshadow (February 13, 2014)

A Verizon report has found that a vast majority of companies who achieve compliance with the Payment Card Industry Data Security Standard (PCI DSS) annually fail to maintain that status, leaving them exposed to potential breaches and other security risks, Computerworld reports. The report found that 11 percent maintained compliance status between each PCI DSS assessment. Sebastian Maza, Verizon’s head of PCI DSS Asia Pacific, told The Sydney Morning Herald that businesses struggle to detect and address cyber-attacks. Meanwhile, the FBI recently warned retailers that the recent attacks against Target and other brands foreshadow events to come, and a number of brands have announced new breaches.

PRIVACY PROFESSION

Which Drives Leadership: Compliance or Strategy? (February 13, 2014)
The privacy profession has changed dramatically during the past 20 years, as has its role within an organization, prompting Information Accountability Foundation Executive Director Martin Abrams to query, “What drives leadership in 2014? Is it the need to have a highly compliant organization in an era where compliance is very complex? Or is a strategic approach to information governance when data moves from being a business facilitator to the driver of innovation?” In this post for Privacy Perspectives, Abrams looks into this debate, observes that skill sets are changing and warns that organizations that think privacy “is just another compliance program will be sitting ducks for strategic errors that will get in the way of innovation.”

PRIVACY COMMUNITY

IAPP Hits 15k Members (February 13, 2014)

At about 10 a.m. EST yesterday, the IAPP gained its 15,000th active member, a milestone that was celebrated here in our Portsmouth, NH, offices with a company-wide e-mail containing 72-point font. And then everyone got back to doing the training, certification, education and member support work that got all those members to join us in the first place. We here on the IAPP Publications Team are grateful to all of you members for the trust you place in us by reading our work and the valuable feedback and volunteerism so many of you contribute on a daily basis.

ONLINE PRIVACY

Smart Cities Are Evolving, But Are We Ready? (February 13, 2014)

Computerworld reports on the not-so-distant future of smart cities. To some extent, they’re already here, as governments increasingly use wireless networks, Big Data, web portals and social media, among other technological tools. But a smart city—aimed at enhancing citizens’ quality of life, improving government processes and reducing energy use, among other goals—brings with it a multitude of privacy and data security implications, the report states. Five U.S. cities in particular are taking on initiatives to help manage the change to “smart.”

INTERNET OF THINGS

The Privacy Pro’s Guide to the Internet of Things (February 12, 2014)
The rise in Internet of Things (IoT) technology has brought with it a slew of new and difficult challenges for privacy professionals and “will test our skills in the same way the more traditional Internet uses have been challenging our professional ability to identify risks, assess their likely impact and deploy practical solutions for everyone’s benefit,” writes privacy expert Eduardo Ustaran, CIPP/E. In this post for Privacy Perspectives, Ustaran provides privacy professionals with some tips—from notice to security—on navigating the IoT landscape today and into the future.

PRIVACY RESOURCES

Employee Awareness: Where the Rubber Hits the Road (February 12, 2014)

A workforce educated in proper data handling might be one of the most important tools an organization can have for preventing a data breach. Almost all of an organization’s employees touch data of some sort, yet multiple studies have shown insider negligence and disregard for policies are leading factors in breaches. This close-up on employee education and awareness offers tools, tips and insight on how to get everybody on the privacy bandwagon. Find new ways to convey the importance of privacy throughout your organization with posters, videos and tips sheets—including the IAPP’s own “Prudence the Privacy Pro” comic strip. (IAPP member login required.)
Close-Up: Employee Awareness and Education

PRIVACY LAW

Review: Transborder Data Flows and Data Privacy Law Is “Must-Have” (February 12, 2014)

“Few people personify the field they work in as much as Christopher Kuner. As a lawyer, European-American, academic and professor, and longtime leader of the ICC, Kuner straddles the fault lines of the privacy world with ease,” IAPP Vice President of Research and Education Omer Tene writes for The Privacy Advisor in his review of Kuner’s latest work, Transborder Data Flows and Data Privacy Law. Tene examines the wealth of information included in Kuner’s book, suggesting it may “constitute one of the building blocks for a new legal edifice being designed and erected these very days, a regulatory model for a technologically borderless world.” Editor's Note: Kuner shares some thoughts from his book in this post for Privacy Perspectives.

ONLINE PRIVACY

Google, comScore Team Up; Alternative Search Traffic on the Rise (February 11, 2014)

Google and comScore have announced a partnership to better determine the effectiveness of web-based ads in real time and help businesses change ads on the fly, The New York Times reports. A Google representative said, “It’s going to, for the very first time, give advertisers and publishers real-time insights into whether their campaigns are delivering.” In a blog post, Google said it’s part of a larger plan to bring more transparency to advertising. Forbes reports on the rise in traffic to non-Google search sites. The CEO of Startpage and Ixquick said, “The consciousness is only slowly building on the dangers … It is very easy to see how this treasure trove of data can be misused in the future.” (Registration may be required to access this story.)

BIOMETRICS

Facial Recognition Tech Used in Sochi; Expanded Uses Expected (February 11, 2014)

San Jose Mercury News reports on facial recognition software being used at the international airport in Sochi, Russia. Made by U.S.-based Artec Group, the technology uses a 3D camera to identify individual faces with the intent of improving airport security. Artec Group Chief Executive Artyom Yukhin said the software can differentiate between identical twins, isn’t fooled by disguises and has been tested in airports around the world, the report states. Meanwhile, a World Economic Forum report predicts that facial recognition will be implemented as part of fully automatic check-in systems at airports and border crossings by 2025. And last week, the U.S. NTIA kicked off talks aimed at creating a voluntary code of conduct for facial recognition technology.

PRIVACY LAW

Two Countries Seek Increased Gov’t Access to Digital Data (February 10, 2014)
Nigeria and Turkey are both considering government-proposed legislation that would require service providers to turn over to law enforcement customers’ data upon request—with fines, and possible jail time for company officers, for noncompliance in Nigeria. In the U.S., senators are addressing breach response and online privacy concerns with bills of their own as the fallout continues from the Target and Neiman Marcus breaches as well as the Snowden revelations. And in Australia, the deadline for the Australian Privacy Principles looms large. The Privacy Tracker’s weekly legislative roundup covers all this and more. (IAPP member login required.)

BEHAVIORAL TARGETING

Verizon Ad Program Will Track Web Habits (February 10, 2014)

Computerworld reports on recent changes to Verizon Wireless’ Relevant Mobile Advertising Program allowing it “to track your desktop surfing habits on the web and use that information to help advertisers deliver targeted ads to your mobile phone.” In his report, Robert L. Mitchell discusses why he chose to opt out of the program, which will assign users “anonymous unique identifiers” that link back to mobile phones, allowing the company to offer advertisers information to deliver targeted ads. Mitchell writes, “Information is the coin of the realm. So if you have a choice, why give it away? What's your personal data worth? Are you giving it up? And if so, are you getting value in return?”

PRIVACY

Tips To Determine If Your Printer has Internal Storage (February 7, 2014)

Some high-end printers and copiers retain digital copies of documents in their internal storage. This PC Magazine report offers tips from its lead analyst for printers and scanners, M. David Stone, on how to determine whether your printer is one of those, and if it is, what precautions to take to be sure it’s inaccessible when you get rid of it. If your printer has private printing or the ability to re-order the print queue via an embedded webpage, it may have internal storage capabilities, Stone says. When in doubt, he recommends opening it up and poking around: “Take it out to the street, and bang on it with a hammer until the insides rattle nicely,” says Stone.

INFORMATION ACCESS

Twitter Wants To Tell Customers More (February 7, 2014)

Though the Department of Justice recently announced a deal with major Internet firms to “allow more detailed disclosures about the number of national security orders and requests,” Twitter says the deal doesn’t go far enough. A blog post by Jeremy Kessel, manager of global legal policy, reads, “While this agreement is a step in the right direction, these ranges do not provide meaningful or sufficient transparency for the public.” Twitter wants to disclose numbers of national security requests of all kinds separately from all other requests and believes the ranges are too broad to be meaningful. Further, Twitter wants to disclose “that we do not receive certain types of requests, if, in fact, we have not received any.”

PRIVACY

Bernier: Expect a Challenging Year (February 7, 2014)

Appointed as Interim Privacy Commissioner just more than two months ago, Chantal Bernier is hardly new to the job. She served as Assistant Privacy Commissioner of Canada for five years under Jennifer Stoddart and she now looks forward to the most significant privacy issues facing Canadians in 2014 and beyond. In this exclusive for Privacy Perspectives, Bernier outlines what she sees as most likely to come across her desk in the coming year, including the conundrum of wearable computing, how drones will be appropriately deployed and regulated, biometric databases and the emerging field of predictive analytics. “The technological revolution,” she writes, “holds the promise of new opportunities but also brings new risks.”

PRIVACY COMMUNITY

McCallum Calls Removal “Lack of Respect” (February 7, 2014)

CBC News reports that Nova Scotia’s “privacy and information watchdog,” Dulcie McCallum, was “shocked” when she learned she had been given two weeks’ notice and would not be reappointed after seven years on the job. Saying she had worked “night and day” in the post, she told the CBC “it just kind of shows a lack of respect for me and the office and our work. If you don’t get reasons, somehow it tends to impugn the character of the person.” Office director Carmen Stuart will serve as acting review officer until a new full-time officer is appointed. Jamie Baillie, leader of the Progressive Conservatives, backed McCallum, calling her ouster a “disturbing development.” NDP Leader Maureen MacDonald implied the Liberals wanted someone in the position more in line with their political views. A government spokesman said there could be no official comment, as it was a personnel issue.

DATA LOSS

Western Health Class-Action Continues; Bell Canada Breach Reported (February 7, 2014)

A class-action lawsuit over a medical information breach at Western Health in 2012 continues, VOCM reports, noting a hearing scheduled for this week will dictate whether the suit will move forward. “Over two years ago, 1,043 people had their medical information accessed by a Western Health worker who did not have the authority to do so. That individual was terminated shortly thereafter,” the report states. The lawyer behind the case notes breach of privacy is not currently a "cause of action" in the province, stating it should be. Meanwhile, Bell Canada has reported more than 22,000 of its small business customers have had their account information compromised, and SC Magazine reports on the current state of global data breach legislation.

EMPLOYEE PRIVACY

Denham Concerned About Background Checks (February 7, 2014)

The CBC reports on B.C. Privacy Commissioner Elizabeth Denham’s expressed concerns about the rise in police information checks in the hiring process. Denham worries that the results of these checks contain more information than is necessary for hiring managers: “One individual,” she told CBC, “had had a mental health apprehension—a suicide attempt—and when she tried to find a job doing regular office work, what came back was ‘suicide attempt’ written on the bottom of the police information check.” She did not get the job. The Vancouver Police Department says they use discretion, however, and that of 15,825 checks last year, just 49 contained any mental health information. Denham’s office is taking public comment on the matter until Feb. 21.

PRIVACY LAW

Opinion: Employee PI Decision Noteworthy (February 7, 2014)

In a feature for Canadian Employment Law Today, Meghan Cowan examines a recent decision by the Office of the Alberta Information and Privacy Commissioner on the collection, use and disclosure of employees’ personal information. Cowan suggests the December decision, which stems from a complaint an employee filed under the Personal Information Protection Act (PIPA), “provides a noteworthy lesson for employers when managing sensitive employee medical information.” The information in question related to medical leave and disability benefits, the report states, meeting the definition of personal employee information under PIPA. “This decision is significant not only for delineating the consent and disclosure requirements around employee medical information in Alberta, but for privacy legislation in other Canadian jurisdictions,” Cowan writes.

EMPLOYEE PRIVACY

Dickson Whacks Workers’ Comp Board on Way Out (February 7, 2014)

Though he has left his position as Privacy Commissioner in Saskatchewan, Gary Dickson is still making privacy news with a final report delineating a privacy breach by the province’s Workers’ Compensation Board, relating to an incident in 2011. His report recommends that WCB apologize to a woman whose personal health information was given to an employer erroneously. Further, the board should try to get the information back and examine its procedures, the report says. After initial consultation with WCB came to naught, Dickson told CBC he decided to issue the report because the board “is not willing to improve its practices.”

SURVEILLANCE

CSEC Defends Use of Metadata; Is New Law Needed? (February 7, 2014)

John Forster, the head of Communications Security Establishment Canada (CSEC), is defending CSEC “over revelations contained in a document released by U.S. National Security Agency whistleblower Edward Snowden,” CBC News reports. Forster’s comments followed a report that CSEC used airport WiFi to track Canadian passengers’ movements, the report states, noting, “Forster did not deny the story but said CSEC was acting within the law.” Ontario Information and Privacy Commissioner Ann Cavoukian said the law should be updated as metadata appears nowhere in the current act, and Interim Privacy Commissioner Chantal Bernier has indicated the “potential for privacy invasion calls for commensurate protection, including an updated law,” the report states. In other surveillance-related news, Google, Microsoft, Apple, Yahoo, Facebook and LinkedIn have published new U.S. government data request statistics.

PRIVACY COMMUNITY

What’s Bruce Schneier Doing at Co3? (February 6, 2014)

Why would an internationally known thinker on security issues leave a gig as chief security technology officer at a large telecom to serve as CTO of a much smaller software company? That was a question some observers might have been pondering when incident response software maker Co3 announced that Bruce Schneier was joining the company. In this exclusive for The Privacy Advisor, Schneier answers that question and shares his thoughts on how Co3 can help the security and privacy communities.

CLOUD COMPUTING

CPO Discusses Data Sovereignty and Future of the Cloud (February 6, 2014)

In a Q&A with itbusiness.ca, McAfee CPO Michelle Dennedy, CIPP/US, CIPM, discusses data privacy and the cloud. “It’s great that there are a couple of companies … discussing privacy at all in the boardroom, but typically it is coming out of the audit committees or it’s coming as a reaction to fines that have been levied” when it should be thought of as an “asset value,” she said. Regarding in-country cloud providers, Dennedy said “the mentality that dirt can actually be a boundary for data is a mistake,” predicting a satellite cloud company will eventually be “the cloud provider of all.” Meanwhile, UpCloud, which complies with Finnish privacy law, plans to open a data center in the U.S., and ZDNet reports that hosting cloud services outside the U.S. may increase NSA surveillance.

MOBILE PRIVACY

Apple Cracks Down on Tracking Apps; Developers Unhappy (February 5, 2014)

NBC News reports that Apple has started cracking down on mobile apps that collect Identifiers for Advertisers (IFAs) without actually showing any advertisements to the user. Until this week, a clause Apple added in its developer license agreement had gone unenforced. Mixpanel’s Suhail Doshi said, “I really believe that most developers using IFA are trying to (understand) if spending money on advertising was cost effective—as opposed to ‘spying on their users.’” Doshi also warned, “The new policies around it are now likely to cause app developers, as a last resort, to do things that will be worse for consumer privacy as they work around IFA—with far less transparency.”

DATA PROTECTION

How To Change Employee Password Habits (February 4, 2014)
Password reuse across multiple websites and company logins is a major weak link in company security systems. In a survey CSID conducted in 2012 on password habits, 61 percent of the respondents reused the same password for multiple sites, and 44 percent of respondents reported they change their passwords once a year or less. Employee password reuse creates a new layer of risk for businesses, especially when major enterprises are hacked. A breach today can affect more than just the initial company—it can affect your business and many others, writes Joe Ross in this exclusive for The Privacy Advisor.

INTERNET OF THINGS

Thierer: Let’s Not Hit the Panic Button Just Yet (February 4, 2014)

The rise of Internet of Things (IoT) connectivity has brought with it increasing concerns about privacy protection and “the potential for massive security threats and privacy violations in a world of always-on, always-sensing devices,” writes Adam Thierer, a senior research fellow at George Mason University’s Mercatus Center. Though “there are some valid reasons for concern,” he notes, “it may be the case that some of the problems we fear today never come about.” In this post for Privacy Perspectives, Thierer argues that there isn’t yet need to hit the panic button as “most of us will likely quickly adapt to this new era” and “will likely find practical solutions to many of the problems that arise.”

PRIVACY

Ten Steps to a Quality Privacy Program, Part Six: Test Your Incident Response Program (February 3, 2014)
In part six of the series "Ten Steps to a Quality Privacy Program," Deidre Rodriguez, CIPP/US, looks at testing incident response programs. This can involve key stakeholders from various departments and potentially happen twice a year, involving a number of action items. "You do not want to find yourself in the middle of an incident and realize that you do not have what is needed to respond efficiently and effectively," Rodriguez writes in this exclusive for The Privacy Advisor.