Privacy News | Daily Dashboard

Top Privacy News

ONLINE PRIVACY—U.S.

All Eyes on Privacy at FTC Event (January 29, 2010)
At the Federal Trade Commission's second public discussion about online privacy in Berkeley, California yesterday, panelists discussed the ways that digital-era technologies impact individuals' privacy and what can be done about it, the San Francisco Chronicle reports. Experts explored Flash cookies, behavioral advertising, data matching, inadvertent sharing and other topics, and proposed solutions such as stricter regulations, greater oversight of third-party application developers and mandatory notice requirements. Others advocated for market-based solutions, saying that the market is already resolving many privacy problems and that privacy is becoming a competitive factor for businesses. The third and final FTC roundtable event will take place on March 17 in Washington, DC.
Full Story

PRIVACY LAW—U.S.

Congressman Close to Introducing Privacy Bill (January 29, 2010)
Representative Rick Boucher (D-VA) is close to introducing a privacy bill to the House of Representatives that is focused on opt-in/opt-out requirements for collecting data from Internet users. The bill has bipartisan co-sponsorship and, according to eSecurity Planet, seeks to codify recognized best practices from the interactive advertising industry. Earlier this week Boucher explained that, "Our goal in doing this is to enhance the confidence that Internet users have that their experience on the Web is secure." Boucher is a member of the Energy and Commerce Committee, which has been gathering information from a number of privacy stakeholders in recent weeks.
Full Story

PERSONAL PRIVACY

Opinion: Why Won’t People Pay for Privacy? (January 29, 2010)
In a CNET News article, Declan McCullagh explores historic attempts to create and sell technological solutions for protecting privacy, speculating on why they failed or fizzled and asking: "Why won't people pay for privacy?" Experts weigh in, with some alleging that people want privacy built into the technologies they use rather than having to purchase it separately, and others chalking it up to the complexity of human beings. McCullagh notes "that the privacy-protecting technologies that have prospered are noncommercial," but one expert speculates that a retrospective privacy service could "be a very good business model."
Full Story

PRIVACY LAW—ITALY

EU Takes Legal Action Against Italy (January 29, 2010)
The European Commission (EC) on Thursday took legal action against Italy for non-compliance with EU ePrivacy rules, according to a commission press release. The EC sent Italian authorities a formal notice for failing to notify individuals about the transfer of their personal information from phone directories to a marketing telecommunications database, the release states. "Not only is it worrying to see that Italian legislation does not comply with the privacy requirements set out in the [EU ePrivacy] Directive," said EU Telecoms Commissioner Viviane Reding; the commission is also concerned that Italian authorities failed to gain the consent of those whose personal data was affected. Italy has two months to reply.
Full Story

DATA LOSS—U.S.

Turnabout as Bank Sues Customer Hit by Cybertheft (January 29, 2010)
PlainsCapital Bank of Lubbock, Texas, has filed a lawsuit against its customer, Plano-based Hillary Machinery, following the theft of $800,000 from the company by cyberthieves operating out of Italy and Romania, according to Computerworld. The lawsuit followed Hillary Machinery's demands that the bank repay it for the balance of funds not recovered after the crime was detected. In the suit, PlainsCapital is asking the courts to affirm that the bank was not negligent in its security procedures and that it did not breach its contract with the company. Hillary Vice President Troy Owen told Computerworld that the suit is an attempt to deny culpability through "bullying."
Full Story

FINANCIAL PRIVACY—EU & U.S.

Bank Data Deal to Take Effect Next Week (January 29, 2010)
A financial data-sharing agreement between the U.S. and EU will go into effect next week despite the European Parliament's request for a delay. European Voice reports that the so-called SWIFT agreement, which gives American officials access to the banking transaction data of European citizens to aid counter-terrorism efforts, will take effect on February 1. Members of Parliament (MEPs) and European Data Protection Supervisor Peter Hustinx have expressed concerns about the deal's privacy consequences, calling it a "privacy-intrusive" agreement that is insufficiently justified. MEPs will vote on the agreement the week of February 8.
Full Story

DATA BREACH—U.S.

Mass. Likely to be Lenient on Breach Law Enforcement (January 29, 2010)
Two Massachusetts officials updated Bay State businesses yesterday on the Commonwealth's new data breach law, MA 201 CMR 17, which goes into effect March 1. SearchSecurity reports that Diane Lawton, general counsel for the Massachusetts Office of Consumer Affairs & Business Regulation (OCABR) and Scott D. Schafer, chief of the consumer protection division at the state's office of the attorney general, said that prompt notice and cooperation with the state could help companies avoid prosecution if a breach occurs. "What we don't want to read about in the [newspapers] is a breach that we should've been notified about," Schafer said. "That's going to cause problems." The two appeared in Springfield at the Massachusetts Information Security Summit.
Full Story

SOCIAL NETWORKING—EU

New EU Laws Will Focus on Privacy and Social Networking (January 29, 2010)
The European Commission is planning comprehensive new laws to protect Internet users' privacy, euobserver.com reports. Incoming EU Justice Commissioner Viviane Reding said yesterday, "Whether we want it or not, almost every day we share personal data about ourselves." Reding named social media, specifically, in outlining her goals for privacy protection. "Data are being collected without our consent and often without our knowledge. This is where European law comes in." She is calling for "a change of approach" that focuses on protecting data and personal privacy right from the start rather than responding only after a new product or service is developed.
Full Story

ONLINE PRIVACY—U.S.

FTC Flash Focused at Roundtable (January 29, 2010)
At the Federal Trade Commission (FTC) privacy roundtable, held yesterday at the UC Berkeley School of Law, interactive advertising, and the use of "Flash cookies" in particular, came under harsh scrutiny by consumer protection chief David Vladeck, who said the FTC hoped "to announce law enforcement actions later this year" against companies that attempt to circumvent consumer opt-outs, reports MediaPost. Eric Goldman of the High Tech Law Institute at Santa Clara University said the use of Flash cookies is but one example of how technical innovation outpaces the ability of regulators to respond to privacy challenges.
Full Story

DATA THEFT - U.S.

Recovered UCSF Laptop Contained Thousands of Patient Files (January 29, 2010)
The University of California San Francisco (UCSF) is alerting 4,400 patients that their medical files were potentially exposed after the November theft of an employee's laptop, which was later recovered. The files contained patients' names, medical record numbers, ages and clinical information, the San Francisco Business Times reports. Patient records from the employee's prior workplace, Beth Israel Deaconess Medical Center in Boston, are also at risk. The university says though the patient files are vulnerable, "...there is no indication that unauthorized access to the files of the laptop actually took place." The Business Times reports tougher federal regulations on breaches of health data may be enforced as of mid-February.
Full Story

PRIVACY PROTECTION - U.S.

FTC Encourages Self-Regulation Innovation (January 29, 2010)
Forbes reports that the Federal Trade Commission's Pamela Jones Harbour called on technology companies to encourage innovation to come up with new ways to protect consumer privacy at yesterday's FTC privacy roundtable at the UC Berkeley School of Law. During a brainstorming session, part of a series of open forums held by the FTC in advance of its draft of new consumer protection regulations, Harbour suggested that Apple's application-development process could serve as a model for privacy innovation. "Apple requires all developers to submit potential apps for review," she said. "Through that process, the company could do more to regulate privacy disclosures."
Full Story

DATA LOSS—U.S.

Admin Backlog Delays Commerce’s Breach Notification (January 29, 2010)
A data breach at the U.S. Department of Commerce occurred on December 4, exposing the personally identifiable information of agency employees. A notice letter was drafted December 31, but an administrative backlog held up mailing and delivery of the letter until this week, the Washington Post reports. The delay was due, among other reasons, to preparations for mailing employees' W-2 tax forms, but some employees were not pleased to learn of the event, or the delay. One, speaking anonymously, told the Post, "When I contacted the three credit-reporting services this morning I felt like it was too little and too late." (Registration may be required to access this story.)
Full Story


BIOMETRICS - U.S.

This Week in Privacy History: The Snooper Bowl (January 29, 2010)
On January 28, 2001, when the crowds streamed into Raymond James Stadium in Tampa Bay, Florida for Super Bowl XXXV, they were being scanned by facial recognition cameras in an effort to catch criminals in what became known as the Snooper Bowl, Wired remembers. The experiment was a failure, as no criminals were identified that day, nor did the system work when later deployed on the streets of Tampa. Today, however, police in that city use digital cameras to take pictures of individuals stopped for traffic violations for comparison against a database of 7.5 million mug shots. More than 500 people have been arrested under the program.
Full Story

ONLINE PRIVACY

Company Plans Release of Anonymous Browsing Tool (January 28, 2010)
Ixquick, the company that earned the respect of privacy advocates when it decided in 2006 to stop collecting IP data from users of its search tool, is again drawing praise for its planned release of a new proxy browsing service that the company says will allow users to visit Web pages without the site owner's knowledge, OUT-LAW.COM reports. The company said it decided to offer the service because of what it saw as an opportunity to respond to increased consumer concern over their privacy while surfing the Web. "People are more concerned about online data retention policies than ever before," said CEO Robert Beens. "We wanted to offer them a useful tool and this proxy is a logical extension of our services."
Full Story

HEALTHCARE PRIVACY

Healthcare Data Thefts Increasing (January 28, 2010)
According to managed security firm SecureWorks, incidents of medical information theft in the fourth quarter of 2009 were double the previous three quarters, InfoSecurity.com reported. In a statement, SecureWorks said hacks and botnet attacks were responsible for many of the thefts, and that healthcare organizations represent attractive targets for hackers not only because of the information they collect, but also because of their inherent vulnerabilities. "Because of the nature of their business, healthcare organizations have large attack surfaces," said SecureWorks in an analysis of the healthcare attack figures.
Full Story

DATA PROTECTION—U.S.

Sweeping Mass. Regulations Take Effect March 1 (January 28, 2010)
Companies that possess personal information on Massachusetts residents have until March 1 to comply with what experts are calling the toughest data security requirements in the nation, GCN reports. The Massachusetts Data Breach Law requires personal data to be protected with safeguards including encryption, firewalls, antivirus programs and access controls. The law also requires a written information security plan (WISP). "It forces people to lock down their systems and know what they are doing," says Bradley Dinerman, president of the Boston chapter of the National Information Security Group. However, Dinerman points out that compliance and enforcement issues with the state law illustrate the need for a nationwide standard in data security and breach notification.
Full Story

SURVEILLANCE—EU

Anti-Piracy Software Examined (January 28, 2010)
Privacy International has asked the European Commission to look into the legality of anti-piracy software used by some ISPs to monitor for illegal file sharing, the BBC reports. Specifically, Privacy International is concerned about software developed by Detica, in use by Virgin Media, that employs deep packet inspection techniques to identify offending files transmitted over Virgin's network. Privacy International believes deep packet inspection poses a threat to privacy because of its ability to identify actual file names. Industry observers say as many as 40 percent of Virgin's customers may be subject to monitoring with the software, but Virgin said that subscriber privacy is not at risk.
Full Story

DATA LOSS—CANADA

Toronto Teacher Data Exposed by Laptop Theft (January 28, 2010)
More than 8,000 Toronto District School Board teachers have had their personally identifiable information exposed as a result of the theft of a laptop computer. CBC reports that the computer was stolen from the Waterloo offices of the Ontario Teachers Insurance Plan in what has been described as a "routine smash and grab" burglary. It is not known if the sensitive data has been accessed, but Ontario Assistant Privacy Commissioner Ken Anderson warns that some identity theft rings have become involved in the theft or trafficking of laptop computers specifically for the information they contain.
Full Story

PRIVACY

Happy Data Protection and Privacy Day (January 28, 2010)
Privacy and data protection interests around the world are today celebrating Data Privacy and Protection Day. In a video message, European Data Protection Supervisor (EDPS) Peter Hustinx and Assistant EDPS Giovanni Buttarelli say that the year ahead will bring important challenges and opportunities and we "must increase efforts to raise awareness that everyone will be affected by a lack of safeguards in privacy and data protection in his or her daily life." Hustinx adds that "We must resist the temptation to accept easy solutions for problems that will reduce privacy and data protection" and that legal frameworks must be improved. In North America, Richard Purcell of The Privacy Projects, an organizing sponsor of Data Privacy Day, said the day is about reaching individuals of all ages to "advance privacy awareness."
Data Privacy Day events

DATA LOSS—UK

ICO Warns UK Companies: Report Breaches or Else (January 28, 2010)
The Information Commissioner's Office (ICO) has issued a warning to UK businesses: report your breaches or face stiff sanctions, eGov Monitor reports. The ICO said that only 800 data breaches have been reported to its offices in the last two years, but that it is eager to work with companies that suffer a data breach to help address the situation. Deputy Commissioner David Smith said, "Talking to us may of course result in regulatory action. However, organizations must act responsibly; those that try to cover up breaches which we subsequently become aware of are likely to face tougher regulatory sanctions."
Full Story

ONLINE PRIVACY—U.S.

Opinion: Just (Let Us) Say No (January 28, 2010)
A consumer advocate says the Federal Trade Commission (FTC) should key in on "what business online companies are really in." In a San Francisco Chronicle article, John Simpson of Consumer Watchdog says that advertising is the business for some, and that the commission needs to determine "what regulations will be effective in letting consumers protect personal information." "The FTC's job is to make sure that consumers have control of what data is gathered, how it is used and how long it's kept," says Simpson, adding that new technology is no silver bullet for protecting privacy. "The FTC should keep it simple," he writes, "just let us tell the companies 'no.'"
Full Story

SOCIAL NETWORKING—CANADA

Privacy Commissioner Launches New Facebook Probe (January 28, 2010)
The Office of the Privacy Commissioner (OPC) has announced it is once again launching an investigation into Facebook. The probe comes on the heels of the OPC's extensive investigation last summer that resulted in Privacy Commissioner Jennifer Stoddart ordering Facebook to change its policies and practices to comply with Canada's privacy law, the National Post reports. The new investigation is focused on a complaint alleging a tool introduced last month requiring users to review their privacy settings--a change Facebook made in response to the commissioner's first investigation--actually exposes more personal information. The new complaint "mirrors some of the concerns that our office has heard and expressed to Facebook in recent months," says Assistant Privacy Commissioner Elizabeth Denham.
Full Story

STUDENT PRIVACY—U.S.

Professor’s Request for Advice Allegedly Violates FERPA (January 27, 2010)
West Virginia State Treasurer John Perdue and his legal counsel believe a Marshall University professor violated a federal law prohibiting faculty from releasing or discussing student grades with anyone except that student or university officials, the Charleston Gazette reports. The allegations stem from an incident where a professor sent an e-mail that included Perdue's daughter's name to the American Federation of Teachers when seeking advice on who should assign her grades for an independent study project. Perdue and his attorney believe the action violates the 1974 Family Education Rights and Privacy Act (FERPA), which states that records may only be released without student consent "if all personally identifiable information has been removed."
Full Story

DATA LOSS—U.S.

BCBS of Tennessee Breach Costs $7m…and Rising (January 27, 2010)
Blue Cross Blue Shield (BCBS) of Tennessee says that the October 2009 theft of 57 hard drives from the organization's training facility compromised the personally identifiable information of as many as 500,000 BCBS Tennessee subscribers. To date, the tab for investigating the incident, notifying customers, extending credit monitoring to individuals affected and working with attorneys general in 32 states has reached $7 million, according to iHealthBeat.com. Thus far, only 20,500 people have signed up for credit monitoring. BCBS officials say they are likely to spend significantly more as investigations continue and more people sign up for credit monitoring.
Full Story

BEHAVIORAL TARGETING—U.S.

Online Ad, Privacy Policing Needs Automation (January 27, 2010)
In an interview with MediaPost's Behavioral Insider, Better Advertising's Scott Meyer said that, in order for the online advertising industry to demonstrate to consumers, businesses and the Federal Trade Commission that self-regulation works, there needs to be an automated process for verifying compliance with best practices. The problem, Meyer says, is that while such a system is possible, it would be "super complex." Meyer argues that the payoff for such a system would be worthwhile, however, as it would build trust and confidence across all constituencies. "We know from conversations with agencies and brands that this will increase their confidence in online advertising."
Full Story

PERSONAL PRIVACY—AFRICA

Mobile Phone Policies Undermining Privacy (January 27, 2010)
New anti-crime policies in Ghana and Nigeria requiring mobile phone service subscribers to register their phones with the user's verified name and address are raising questions about personal privacy on the African continent, the BBC reports. Similar laws have been passed in Tanzania, South Africa and Mauritius, and proponents say the policies are needed to help prevent phone-based fraud schemes as well as malicious texting.
Full Story

PRIVACY

Data Protection & Privacy Day Tomorrow (January 27, 2010)
Tomorrow is Data Protection and Privacy Day. Events around the world will mark the occasion. In Brussels, the European Parliament, European Commission and EDPS will host a variety of workshops and the winners of the "Think Privacy" competition will be unveiled. In Canada, events will be held in Newfoundland and Labrador, Ontario, Alberta and elsewhere, with regulators and companies hosting various forums. For a comprehensive list of global events, visit the Data Privacy Day Web site. After hours, privacy pros will gather in cities across the world for IAPP Privacy After Hours events.
Full Story

SOCIAL NETWORKING

Trading Privacy for Ego (January 27, 2010)
On the TechTalk blog at CBS.com, author Daniel Sieberg offers commentary on the attraction of seeking instant feedback and approval through the Internet's broad reach, describing the process as trading privacy for ego. "Privacy is not the same thing as secrecy," Sieberg suggests, noting that in spite of an individual's propensity to share certain information behind the guise of an avatar, most people still withhold sensitive personal details of their lives. Even so, there's a subtle allure to social networking and, over time, individuals may become less and less cautious about what they share, a phenomenon that led Facebook founder Mark Zuckerberg to call this trend toward increasing openness the new "social norm."
Full Story

DATA LOSS—U.S.

State Department Clerk Gets Probation (January 27, 2010)
A State Department file clerk has been sentenced to one year of probation and 75 hours of community service for illegally accessing the confidential passport applications of 70 celebrities in 2007, AFP reports. Susan Holloman admitted to viewing the passport applications, which were protected under the U.S. Privacy Act, through a computer database. The files contained such personal data as photographs, dates and places of birth, addresses, telephone numbers and parent and spouse information. Holloman, who is the ninth State Department employee to plead guilty to similar charges, told prosecutors the reason she accessed the files was "idle curiosity."
Full Story

PRIVACY LAW—U.S.

NH House Passes Bill Banning Fingerprint IDs (January 27, 2010)
The New Hampshire House of Representatives has passed a bill that aims to ban fingerprinting as a "reasonable" mode of identification. The bill follows criticism of a Bank of America policy that requires noncustomers to provide fingerprint identification when cashing a check, the Nashua Telegraph reports. The new bill, NH HB 299, would amend an existing state law that lays out acceptable required forms of identification. The bill will next come before the Senate. Meanwhile, Bank of America has voluntarily agreed to stop its fingerprinting in New Hampshire as of February 8. A Telegraph editorial suggests that every state ban fingerprinting until adequate safeguards exist to protect customers' biometric data.
Full Story

BEHAVIORAL TARGETING

The Power of “i” TBD (January 27, 2010)
The Future of Privacy Forum will today introduce an icon designed to help advertisers better inform consumers about the methods behind their online ads, the New York Times reports. It is expected that major companies will begin using the icon, a blue circle with a white "i", by midsummer, the report states. The "Power I" is one outcome of calls for more effective self-regulation among advertisers who use behavioral targeting methods. Congress and the Federal Trade Commission (FTC) have been examining advertisers' practices in this area, and FTC officials will continue their exploration of behavioral targeting during a roundtable event tomorrow in Berkeley, California. (Registration may be required to access this story.)
Full Story

DATA THEFT—U.S.

Do the Data Crime, Serve Your Data Time (January 27, 2010)
A former employee of the New York Department of Taxation has been convicted of stealing the identities of the children and deceased relatives of taxpayers and using the information to open credit card accounts, running up more than $200,000 in charges. The Albany Times Union reports that Walter B. Healy will serve a six-month prison term with five years of probation and must make restitution for the full amount of the fraudulent charges. According to court records, Healy opened 90 credit card accounts with 20 different banks. Commenting on the case, Attorney General Andrew Cuomo said, "This case should stand as an example to others on public payrolls who think they can put personal gain above professional ethics."
Full Story

ONLINE PRIVACY—CHINA

China Mobile Assures Subscribers of Privacy (January 26, 2010)
China Mobile, China's largest mobile communications service provider, is responding to allegations that it is filtering subscriber text messages in search of pornographic content by assuring the public that their privacy is safe, the Web site CIOL.com reports. Concerns over filtering and surveillance arose after China Mobile installed a filtering system designed as a hedge against "unhealthy" Web content. "The freedom and privacy of individual users enjoys legal protection," said Li Kang of China Mobile. "China Mobile will do its best to protect consumers' rights and interests strictly in line with the relevant laws and regulations."
Full Story

STUDENT PRIVACY—AUSTRALIA

Teachers Cautioned on Data Portal (January 26, 2010)
Teachers in Queensland, Australia will face fines or a pay suspension if they interfere with a new Web site intended to provide access to student learning results, reports the Courier-Mail. Julia Gillard, education minister, says she is sending a stern warning that the Rudd government will take "any necessary action" to ensure the site contains as much information as possible. Myschool.edu, to be launched nationally this week, aims to give parents access to students' literacy and numeracy tests, as well as student-teacher ratios and attendance rates.
Full Story

IDENTITY THEFT—U.S.

Kids’ ID Theft in Focus (January 26, 2010)
The Identity Theft Resource Center in Tucson is working on a proposal that would give police and credit bureaus access to a list of minors' Social Security numbers, reports the Arizona Daily Star. The proposal is a response to an on-the-rise crime, in which parents use their children's Social Security numbers to obtain credit cards, loans or utility services. Arizona is recognized as the identity theft capital of America, the report states, and its child identity theft rate is more than double the national average. "It's very hard to get a handle on it," says Joanna Crane, identity theft program manager at the Federal Trade Commission.
Full Story

HEALTHCARE PRIVACY—U.S.

Vegas Hospital Admits Delay in Breach Action (January 26, 2010)
Officials at University Medical Center in Las Vegas admitted yesterday that there was a protracted period of data theft occurring at the hospital and that they only took action after the Las Vegas Sun contacted them about the incident. The Sun reports that it contacted the hospital in November when it learned of an insider scheme to steal medical files and sell them to personal injury attorneys. The hospital responded by saying that the leaks had been stopped, and CEO Kathy Silver told the paper she thought the situation was a "non issue." The hospital waited a month before notifying affected patients. The FBI is investigating the case for potential violations of the Health Insurance Portability and Accountability Act.
Full Story

HEALTHCARE PRIVACY—U.S.

Poll: Citizens Don’t Trust Others with Medical Privacy (January 26, 2010)
A new study by the Ponemon Institute suggests that the American public is not comfortable with a government-controlled national healthcare network, Forbes has reported. In a poll of 868 voters, only 27 percent said they trusted government to protect the privacy of their health records. Respondents expressed similar mistrust of tech companies that offer medical information services. This is in contrast with 71 percent who said they trusted hospitals and clinics with the same responsibility. "There's a lot of angst around centralizing this information, no matter whether it's managed by private enterprise or government," said Ponemon Institute Chairman Larry Ponemon, CIPP.
Full Story

ONLINE PRIVACY—CANADA

Canadians Question Online Privacy Protection (January 26, 2010)
A government-sponsored survey indicates that only six percent of Canadians trust social networking sites to protect their personal information, the National Post reports. Avner Levin, director of the Privacy and Cyber Crime Institute at Ryerson University, notes that many people have concerns about their personal information, "but it doesn't translate into some kind of action, like, I'm going to stop using this particular Web site or this online service." The survey of 2,200 Canadians found that 74 percent believe the government should regulate how street-level images of residences are used on the Internet. While fewer than 20 percent believe businesses will protect their personal information, results were somewhat better for medical institutions and government agencies at 58 percent and 46 percent, respectively.
Full Story

SOCIAL NETWORKING

Sharing “TMI” on Social Media Sites Helps ID Thieves (January 26, 2010)
A recent study indicates that more than half of those ages 45 and older who use popular social networking sites could fall prey to identity thieves because they share too much information, the San Francisco Chronicle reports. The study, which polled more than 1,000 adults, found that 14 percent of respondents--and 20 percent of those over the age of 60--posted their full home addresses in their profiles, and about 50 percent revealed information that could tip thieves off to their bank account passwords. Experian, which commissioned the study, recommended avoiding posting specific personal details and being sure that online quizzes or games come from a reputable source.
Full Story

DATA PROTECTION—U.S.

FTC: 35K Fine, Other Conditions, for Mortgage Broker (January 26, 2010)
A mortgage broker charged with improperly disposing of consumers' personal financial records has paid a $35,000 settlement to the Federal Trade Commission (FTC). Gregory Navone, of Las Vegas, disposed of about 40 boxes of sensitive consumer records in a public dumpster, according to the December 2008 FTC complaint. The records included tax returns, mortgage applications, bank statements, photocopies of credit cards and drivers' licenses and at least 230 credit reports. The settlement also requires Navone to employ an information security program for sensitive consumer information, and to hire an independent, third-party security professional to conduct compliance audits annually for the next 10 years.
Full Story

ONLINE PRIVACY—EU

EU to Enunciate Online Privacy Rights (January 26, 2010)
On Thursday, January 28--International Data Protection Day--Viviane Reding, the European Union's new commissioner in charge of fundamental rights, will spell out her agenda for Internet privacy, EurActiv reports. During her confirmation hearing earlier this month, Reding told the European Parliament, "You can be sure that fundamental rights, including data protection, will be top of my list." Sources close to Reding have said that a comprehensive review of the 1995 Data Protection Directive will be among her first priorities.
Full Story

PRIVACY—CANADA

BC Names Interim Privacy Chief (January 26, 2010)
Six days after former Information and Privacy Commissioner David Loukidelis resigned to accept another post within the British Columbian government, the province has named an interim commissioner, the Globe and Mail reports. Paul Fraser, former conflict of interest commissioner, will assume the privacy commissioner role until a permanent replacement is appointed when the legislature reconvenes in the spring. The six-day delay in replacing Loukidelis had prompted some to suggest that the government does not take privacy seriously enough, but BC House Speaker Bill Barisoff said the delay was not excessive in order to accommodate the right choice of replacement.
Full Story

PRIVACY—CANADA

Loukidelis’ Departure Leaves BC Privacy in Limbo (January 25, 2010)
The Globe and Mail reports that last week's departure of British Columbia's privacy chief, David Loukidelis, has left the province's privacy enforcement apparatus up in the air. Loukidelis vacated his post as information and privacy commissioner to become BC's deputy attorney general, prompting Mary Carlson of the privacy office to write to the Speaker of the House that, "The office has been forced to refrain from any activity requiring delegated authority, which includes opening appeal files and privacy complaints...[and] policing the timelines of government responses to access requests." Carlson is concerned that, according to counsel, the commission has no legal authority to act on privacy matters without a commissioner.
Full Story

CONSUMER PRIVACY—U.S.

Companies Stop Sharing Customer Info (January 25, 2010)
Eight online retailers have announced they will no longer allow third-party marketing firms to offer discount memberships that result in retailers sharing consumers' credit and debit card information without their knowledge, Tech Daily Dose reports. The third-party marketing firms recently announced they will soon require consumers to provide their full credit and debit card information to enroll in the discount clubs. The retailers that have discontinued the practice include Fandango, 1-800-Flowers, Priceline and several airlines. The investigation will continue, Senate Commerce Committee Chairman John (Jay) Rockefeller (D-WV) says, until other online retailers also do away with the practice.
Full Story

HEALTHCARE PRIVACY—U.S.

Group Says Patient Privacy at Risk in Takeover (January 25, 2010)
The Connecticut State Medical Society is asking Attorney General Richard Blumenthal to investigate the privacy implications of United Health Group's takeover of HealthNet, reports newstimes.com. The Medical Society alleges that the $510 million deal will give United Health wrongful access to the personal health records of hundreds of thousands of state customers, the report states. AG Blumenthal confirmed that his office had received the request and that the takeover "raises serious questions." Blumenthal filed suit against HealthNet of Connecticut earlier this month for the company's 2009 data breach that affected 446,000 people.
Full Story

PRIVACY—U.S.

Opinion: What is Missing? The Privacy and Civil Liberties Oversight Board (January 25, 2010)
In a Washington Post op-ed, Alan Charles Raul informs readers that a recent report entitled "FBI broke law for years in phone record searches" is missing a primary component of the story: the lack of attention to privacy issues on the part of the federal government itself. Pointing out that the Privacy and Civil Liberties Oversight Board implemented on the recommendation of the Sept. 11 commission was allowed to lapse in early 2008, Raul states, "The American people are counting on the government to go after terrorists hard, and this means it must be equally serious about protecting our privacy and civil liberties. Right now it is not clear that these responsibilities are being discharged seriously." (Registration may be required to access this story.)
Full Story

BEHAVIORAL TARGETING—UK

Behavioral Targeting Faces Paradox (January 25, 2010)
Marketing Week reports that, according to a new poll, 95 percent of the UK's Internet users say they are interested in receiving online marketing tailored to their interests. That's good news for the interactive marketing industry. However, 77 percent of those same people say they always opt out of Internet marketing campaigns. The study also reveals that a quarter of consumers are rebuffing communication from brands they know and trust, up from 18 percent a year ago. "Through well-publicized instances of data breaches and the mishandling of personal information by large organizations, consumers are sensibly becoming more selective about who they share their personal details with," said the Direct Marketing Association's Robert Keitch.
Full Story

DATA LOSS—U.S.

Study Saw Breach Costs Rise Again in 2009 (January 25, 2010)
According to the Ponemon Institute's annual Cost of a Data Breach study, released today, the financial impact of a privacy failure rose to a per-record average of $204 and a per-incident average of $6.75 million, CNET reports. Breach costs have risen every year since the study was first launched in 2005. The Ponemon Institute also found that breaches that were the result of malicious attacks doubled from 12 percent in 2008 to 24 percent last year, and for the first time, data-stealing malware was cited as the cause of a data breach. The Ponemon Institute's study was derived from a case-study analysis of 45 actual data breaches affecting companies in a broad variety of industries.
Full Story

ONLINE PRIVACY—U.S.

IAB Asks FCC to Back Off on Broadband (January 25, 2010)
The Interactive Advertising Bureau (IAB) has called on the Federal Communications Commission (FCC) to take a hands-off approach to the broadband privacy debate, saying that the commission risks creating confusion by introducing restrictions and potentially conflicting privacy regulations that could hamper commercial activity online. MediaPost News reports that the IAB's statement came in response to a request for public comment from the Center for Democracy and Technology as the federal government considers the privacy implications of new broadband technologies. In a letter, the IAB said, "Existing robust self-regulatory principles provide consumers with strong protections in a manner that has allowed the Internet to thrive, thereby benefiting the U.S. economy."
Full Story

FINANCIAL PRIVACY—SWITZERLAND & U.S.

Swiss Court Prohibits Release of UBS Client Data (January 25, 2010)
A client of Swiss bank UBS won her appeal to prevent the bank from turning over data to the United States when a Swiss administrative court ruled that a disclosure agreement between the two countries only applied to cases of "fraud or the like," the New York Times reports. The lawsuit was prompted by the Swiss government's decision to hand over information for 4,450 customers with Swiss bank accounts to U.S. authorities. Twenty five similar lawsuits remain pending and there is a possibility of appeal, but the ruling held that the language in the agreement did not apply to individuals accused of simple tax evasion. (Registration may be required to access this story.)
Full Story

DATA THEFT—UK

For Sale: Private Information on UK Gamblers (January 25, 2010)
A data theft has hit British bookmaker Ladbrokes, compromising the confidential data of 4.5 million of the gambling house's customers, reports the Daily Mail. The Mail became aware of the theft when an individual identifying himself as "Daniel" contacted the paper and offered to sell information on 10,000 Ladbrokes' customers. The paper said it immediately contacted Ladbrokes and the Information Commissioner's Office, which has launched an investigation. "Daniel" claimed to be a former Ladbrokes computer security expert now working for DSS Enterprises in Melbourne, Australia. DSS founder Dinitha Subasinghe denied any involvement in the case.
Full Story

SSN PRIVACY—U.S.

Court Rules for State in Montana Privacy Challenge (January 22, 2010)
The Montana Supreme Court has rejected a challenge to the state's law that requires individuals to supply the last four digits of their Social Security numbers as part of the process to receive fishing or trapping licenses, Courthouse News Service reports. The Montana Shooting Sports Association filed the suit, claiming the disclosure requirement was in violation of the fundamental right to privacy. Supreme Court Justice William Leaphart wrote that as the data is linked to federal child support funding, its collection is legitimate. He also termed the plaintiffs' expectation of privacy as "unreasonable" as other avenues exist to apply for the required licenses without disclosing the Social Security information.
Full Story

PRIVACY—U.S.

Data Privacy Day in Washington, DC (January 22, 2010)
Data Privacy Day will be recognized worldwide on Wednesday, January 28. In Washington, DC, the schedule of events is filling up quickly. The Federal Trade Commission this week announced the agenda for its January 28 Second Roundtable on Consumer Privacy, which will focus on how technology affects consumer privacy. Last year, Congressman Cliff Stearns (R-FL) filed legislation in the House of Representatives calling for an official recognition of Data Privacy Day in the U.S. and the measure has bipartisan support from 14 of his colleagues. A similar bill has yet to be introduced to the Senate.
Full Story

ONLINE PRIVACY

Does Your Password Say “Hack Me?” (January 22, 2010)
Last month's theft of 32 million passwords from a social networking software company has given researchers a unique window into just how insecure many security passwords may be, the New York Times reports. Among the passwords examined, the top five include "123456," "12345," "123456789," "password" and "iloveyou." When it comes to creating easy passwords, "I guess it's just a genetic flaw in humans," says Amichai Shulman, chief technology officer at Imperva, a company that develops software to block hack attacks. "We've been following the same patterns since the 1990s." Hackers, however, have mastered the art of breaking into many accounts at once, often just by choosing from those most commonly used passwords. (Registration may be required to access this story.)
Full Story

DATA LOSS—U.S.

MN to Probe Background Check Controversy (January 22, 2010)
Minnesota's legislative auditor said this week he plans an investigation into a Texas company's problematic background-checking program that resulted in a data breach affecting 500 new state employees. According to Minnesota Public Radio, the trouble began last year when the state engaged Lookout Services to conduct background investigations on job candidates at the urging of Governor Tim Pawlenty. In October, a state employee notified a supervisor of a security flaw that gave employees access to sensitive information and in December the state began the process of notifying individuals whose personal information may have been exposed. Auditor Jim Nobles expects to finalize the incident report in the spring.
Full Story

BEHAVIORAL TARGETING—U.S.

Microsoft: 2010 Will Be Watershed Year for BT (January 22, 2010)
Jeff Lanctot, Microsoft's managing director of advertiser and publisher solutions, told MediaPost's Behavioral Insider that, after a rancorous 2009, 2010 will be a year when many questions related to behavioral targeting (BT) and online marketing will be defined and answered. Such definition will be necessary, Lanctot argues, because of looming intervention by the Federal Trade Commission (FTC), which has cited the industry's failure to effectively self-regulate as its motivation to step in. "Some view targeted advertising as a bad thing that we should repress, while others in Congress and the FTC know self-regulation can work," Lanctot said. "My sense is that those who know more about the ad businesses understand how to put those self-regulation tools in place." When asked about consumer privacy online, Lanctot responded, "Do they have it, or do they care?"
Full Story

TRAVELERS’ PRIVACY

U.S., Europe Meet over Airline Security (January 22, 2010)
U.S. Department of Homeland Security (DHS) Secretary Janet Napolitano met this week with her European counterparts to address issues hampering international cooperation over air travel security, the New York Times reports. The conference, held in Toledo, Spain, was prompted by the failed Christmas Day terror plot to blow up a Detroit-bound jetliner. At the meeting, privacy concerns over whole-body scanners were discussed, as some EU member states continue to resist implementation of the controversial devices. On that point Napolitano said, "I don't think the issues of aviation security pivot only on whole-body scanners." Meanwhile, Spain's interior minister, Alfredo Pérez Rubalcaba, promised that progress would be made in advance of a previously scheduled April summit in Luxembourg. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Privacy’s Influence on Law Looms Large (January 22, 2010)
Since the privacy provisions of the Gramm Leach Bliley Act took effect in 2000, the issue of privacy has had a major influence on state and federal law in the U.S., according to a Debevoise & Plimpton LLP report on Lexology.com. Financial institutions in particular have been the focus of a steady stream of privacy-focused regulations. In 2009, lawmakers addressed a number of privacy-related issues in the financial sector, including the safeguarding of customer data, issuance of privacy policy notices, data breach notification and the use of third-party data for marketing. In 2010 the trend is likely to continue, according to the report, as the newly created Consumer Financial Protection Agency carves out its role on the regulatory landscape. (Registration may be required to access this story.)
Full Story

EMPLOYEE PRIVACY—U.S.

Background Checks? There’s an App for That (January 22, 2010)
PCWorld reports that a new iPhone application gives users the ability to conduct up to three free background checks using their mobile device. Tony Bradley, author of the article, contacted the company's CEO to ask whether he thought the company's new product might be viewed as an intrusion on an individual's perceived right to privacy. The company said that while it anticipated some controversy, no complaints have yet arisen from the launch, and 400,000 users have downloaded the application to date with more than a million background checks conducted so far.
Full Story

DATA LOSS—U.S.

Bank Shares Customer Info Against Her Wishes (January 22, 2010)
A Chase Bank customer who regularly told the bank that she did not wish for it to share her personal information with other organizations was dismayed recently when she received a letter from the bank informing her that information about her that had been shared with another company was exposed online, the Los Angeles Times reports. Victoria Afonina, a computer programmer, said she was upset when she read the notification. "I know that it only takes a fraction of a second for someone to copy files that appear on a Web site," she said. A Chase representative contacted by the paper declined to give specific details of the incident.
Full Story

PRIVACY LAW—U.S.

Law Would Ban Broad Information Gathering (January 20, 2010)
A Maine senator has introduced legislation in response to a new surveillance system employed by Maine police, citing its infringement on privacy, reports the Boston Globe. Sen. Dennis Damon (R-Trenton) says the system, which automatically reads license plates and checks them in a national database, could be misused to track people. "To me, it's too much of a concern that I might lose my privacy and freedoms that are afforded to me as a citizen of this state and nation," he said. Police say the system will help find wanted criminals and missing persons more quickly.
Full Story

DATA PROTECTION

Stakes Rising in Fight to Protect Info (January 20, 2010)
Google's recent disclosure that its China operation was hacked, and that critical intellectual property was pilfered as a result, illustrates the growing level of sophistication of cybercriminals as well as the struggle companies have to keep sensitive information safe, the San Jose Mercury News reports. The hack prompted a summit between Secretary of State Hillary Clinton and executives from Google, Cisco, Twitter and Microsoft in advance of a policy speech on the topic of digital freedom of speech. "This was the secretary of state engaging Silicon Valley on how to harness technology in service of America's diplomatic goals," said Clinton senior adviser Alec Ross.
Full Story

ONLINE PRIVACY—INDIA

Is Privacy Necessary in Digital Age? (January 20, 2010)
Around the world, changes in Internet technology have sparked dialog about the importance, need and relevance of privacy in the digital age, according to Silicon India. Facebook founder Mark Zuckerberg's recent comments about privacy no longer being a "social norm" have raised protests among some and strong agreement from others. Rajesh Lalwani, founder of Internet properties Blogworks.in and Pitchh.com, is among those who see privacy as a fading ethic. "Today, as advanced communication devices and new sites are being launched, youth are sharing more stuff online," Lalwani said. "When we talk about our online privacy, we should also ask ourselves if we respect others' privacy."
Full Story

SOCIAL NETWORKING—U.S.

EPIC Facebook Complaint May Spur FTC Probe (January 20, 2010)
A letter of complaint sent by the Electronic Privacy Information Center (EPIC) to the Federal Trade Commission (FTC) has received the attention of consumer protection chief David Vladeck, who responded recently by saying that EPIC's letter "raises issues of particular interest for us at this time," MediaPost reports. EPIC has taken issue with recent changes to Facebook's privacy policy and tools and, although the FTC will neither confirm nor deny that it plans an investigation, it has asked for a follow-up meeting with EPIC. Responding to EPIC, Vladeck wrote, "As the amount of personal information shared on social networking sites grows, and the number of third parties and advertising networks with access to such information grows, it is important that consumers understand how their data is being shared and what privacy rules apply."
Full Story

HEALTHCARE PRIVACY—U.S.

Hospital Says It Shared Data Legally (January 20, 2010)
St. Joseph's Hospital in Dickinson, North Dakota makes a practice of sharing patient names and phone numbers with a Maryland-based survey company, and the hospital says it is legal under HIPAA--and that failing to do so may result in a loss of federal Medicare and Medicaid reimbursement, reports the Dickinson Press. St. Joseph's says patient surveys are too expensive to conduct on its own. Paulette Thomas, in-house counsel for St. Joseph's parent company, Catholic Health Initiatives, told the paper, "It is a permissible use of their information [under HIPAA] in order to improve the quality of care that is delivered to patients."
Full Story

ONLINE PRIVACY—GREECE

Greek Government to Allow Street Images (January 20, 2010)
In a decision seen as opening the door for Google Street View, the Greek Data Protection Authority (DPA) has given the okay for kapou.gr to provide its panoramic street-level image service, according to an Associated Press report in the Atlanta Journal Constitution. The DPA's approval was granted following kapou.gr assurances related to face-blurring technology and limits on the storage of images. Talks between the DPA and Google related to the launch of Street View in Greek cities are ongoing, and while the kapou.gr decision makes it likely that Google will be granted similar approval, no timeline has been given by the DPA.
Full Story

DATA RETENTION

Microsoft Reduces Search Data Storage Limit (January 20, 2010)
Microsoft has announced that it will further reduce the length of time it holds data entered into its Bing search engine, the New York Times reports. The decision comes in response to criticism related to search data management from within the European Union and will be implemented over the next 18 months for users everywhere, not just in the EU. Professor Hendrik Speck of the University of Applied Sciences in Kaiserslautern, Germany predicts that the move will prompt Bing competitors to follow suit, saying, "Google and other engines are starting to realize that consumers around the world are placing an increasing value on privacy and that can have business consequences." (Registration may be required to view story.)
Full Story

DATA RETENTION—EU

Google Calls for EU Privacy Panel (January 20, 2010)
Google says that the recent hack of its Chinese operation shows why it needs to retain user search data and will this week call on the Article 29 Working Party to establish a privacy and security panel to encourage productive dialogue on the proper use and protection of such data, PCWorld reports. "You can't discuss privacy in a vacuum," said Google global privacy counsel Peter Fleischer. Google retains search users' full IP addresses for nine months. "We find it incomprehensible that a company would throw away useful data when holding it poses no privacy threat," Fleischer said.
Full Story

SOCIAL NETWORKING—UK

Most Employers Screening Candidates Online (January 19, 2010)
According to a new report, 53 percent of all UK employers review the public profiles of job candidates before making a hire, and 20 percent say they have rejected candidates based on what they have found, PC Advisor reports. The study, conducted by CareerBuilder, found that both social networking sites and popular search engines are commonly used to evaluate a job candidate; and of the organizations not using them, 12 percent said they plan to in the future. The study also found that 28 percent of companies surveyed said that they had fired an employee because of negative information about the company or a coworker posted to a social networking site.
Full Story

HEALTHCARE PRIVACY—U.S.

Healthcare Network Requires Trust, Privacy (January 19, 2010)
Writing for CNNMoney.com, IBM's Vice President Security Counsel and Chief Privacy Officer Harriet Pearson cautions that the billions of dollars being spent on the development of a national health information network may be undermined if the network is not built with proper consideration for information security and patient privacy. "Without trust in the security and privacy of the electronic networks," Pearson writes, "the vital exchange of information and the ambitious federal goal of electronic health records for all Americans by 2014 will be stymied."
Full Story

SOCIAL NETWORKING—U.S.

Tweeting for Better Credit (January 19, 2010)
According to a report on CNBC.com, some organizations have taken to analyzing consumer chatter over popular social networking channels such as Twitter, Facebook and LinkedIn as part of their credit evaluation process. Comments and profiles available publicly on social platforms, as well as the profiles of others in a person's network, can be used in part to determine if an individual is a good credit risk. "We use social chatter as a way to bring risk down. It's a wealth of information about a person," said Rob Garcia, director of product strategy for Lending Club. "If a person says he lives in a different area than the one on the application, it could be a flag. But if it matches, it greatly increases confidence."
Full Story

DATA LOSS

Breach Media Reports Down (January 19, 2010)
ITWire.com reports that the number of data breaches reported to the media has declined significantly over the past 18 months. The article cites an Open Security Foundation blog post that says the number of breaches reported in global media has dropped from about 1,000 per month between 2005 and 2008, to about 500 per month. The blog speculates that boredom in the press may be a cause. "Just another data breach" isn't news anymore, the report states.
Full Story

DATA LOSS—U.S.

Password Error May Have Exposed 1.2 Million (January 19, 2010)
Financial services firm Lincoln National has begun notifying as many as 1.2 million customers after discovering that a policy of shared passwords, established a decade ago, may have exposed their confidential data, PCWorld reports. According to a letter posted to the New Hampshire Department of Justice Web site, an anonymous source provided the agency with a shared username/password combination that gave Lincoln National employees access to customer files. Lincoln National says it is voluntarily notifying its customers even though it does not believe the situation constitutes a data breach under New Hampshire state law.
Full Story

GEO PRIVACY—U.S.

Many Ways to Track Individuals (January 19, 2010)
A multiplicity of technologies can be used to infringe upon an individual's "location privacy," according to a story in the Boston Globe. From a stop at the ATM, use of a public transportation pass, credit card purchase, communication with a mobile device or an automatic toll road transponder, the things we rely on to make our lives more convenient can be used to track our movements throughout the day. According to Professor Andrew Blumberg, author of a recent paper published by the Electronic Frontier Foundation, the dangers are creeping up on an unsuspecting public. "We've all gotten used to nothing bad happening with this kind of data," Blumberg said. "In fact, when you do hear about it, it's often being used for good: locating missing children, or tracking criminal activity... That's why we're sort of sliding into it."
Full Story

BEHAVIORAL TARGETING—U.S.

Flash Cookies Could Become Privacy Flash Point (January 19, 2010)
The growing use of cookie-like local shared objects--also known as Flash cookies--may force regulators to draft new restrictions if the technology is used to override consumer preferences and track their browsing habits, reports MediaPost. Because Flash cookies are not cleaned through the same process that deletes regular cookies, many consumers are unaware that their online movements are being tracked. Researcher Eric Peterson says use of Flash cookies should be disclosed in online privacy policies, but Future of Privacy Forum Director Jules Polonetsky, CIPP, says disclosure doesn't go far enough, and believes they should not be used as a tracking tool. "To use a mechanism that most users are unaware of to track them is extremely poor privacy behavior," Polonetsky says.
Full Story

DATA LOSS

Malice Outpaces Error as Breach Cause (January 15, 2010)
In its annual report on data breaches, the Identity Theft Resource Center (ITRC) says that 2009 marks the first time that malicious attacks have moved beyond human error as the leading cause of data breach, Dark Reading reports. According to the ITRC's "2009 Data Breach Report," hackers and insider theft accounted for 36.4 percent of breaches, human error 27.5 percent. The ITRC also found that compromised paper documents were involved in 26 percent of data breaches. In the 2009 report, the ITRC says that while the number of officially reported data breaches fell in 2009, it cannot determine if the overall breach rate is falling because of the number of unreported breaches.
Full Story

HEALTHCARE PRIVACY—U.S.

Hospitals Hiding Behind HIPAA? (January 15, 2010)
Patients who ask for copies of their medical records, even in cases where emergency care may hang in the balance, are running into reluctance and delays, according to a report from CNN. The experience of Fred Holliday and his family illustrates the difficulty and consequences when hospitals fail to provide data in a timely manner, and has many asking, "Who owns a patient's records?" "Every patient has a right to get their medical records," said Elizabeth Lietz of the American Hospital Association. "Our goal is to work with patients to get their records while at the same time protecting their privacy rights." Mr. Holliday suffered in pain from kidney cancer while his wife struggled to have his records released for treatment at another hospital. When asked about the situation, the hospital told CNN: "HIPAA rules don't allow us to talk about a patient."
Full Story

DATA LOSS—U.S.

Long Island Bank Suffers Breach (January 15, 2010)
Suffolk County National Bank (SCNB) has disclosed that the servers hosting its online banking service suffered a breach lasting six days in November, BankInfoSecurity reports. The breach was discovered in late December and a subsequent internal investigation found that data from more than 8,000 accounts was stolen. Bank officials say they have notified law enforcement agencies and state and industry regulators, and have taken steps to notify and extend protection to its customers. No money was taken from any compromised accounts. "Although the intrusion was limited in duration and scope, SCNB immediately isolated and rebuilt the compromised server and took other measures to ensure the security of data on the server," the bank said in a statement.
Full Story

DATA LOSS—U.S.

Northern California Kaiser Suffers Breach (January 15, 2010)
The personal and sensitive medical information of about 15,500 patients of Northern California Kaiser was compromised last month after an external storage drive was stolen from an employee's car, according to the San Francisco Chronicle. The breach, which was disclosed this week, occurred in December and Kaiser officials say the compromised information may include names, addresses, telephone numbers, medical record numbers, age, gender and information related to treatment. No Social Security numbers or financial information was included on the drive, the hospital said. Kaiser said it has fired the individual responsible for the breach for unauthorized use of electronic medical data.
Full Story

DATA PROTECTION—CANADA

IPC Orders Widespread Encryption (January 15, 2010)
Ontario's Information and Privacy Commissioner (IPC) has ordered provincial health authorities to encrypt all personal health information stored on portable devices such as memory sticks and laptops, reports the CBC. The order follows the IPC's investigation into the loss of an unencrypted USB storage device that contained the sensitive personal information of 83,000 people who attended H1N1 flu clinics in the Durham Health Region last fall. Commissioner Ann Cavoukian warned victims to be on alert for identity theft. The commissioner has also questioned the amount of information collected from those who attended the clinics, saying that minimizing the data collected helps prevent such losses.
Full Story

SOCIAL NETWORKING—U.S.

Pepsi Social Network Launches into Privacy Storm (January 15, 2010)
Rather than invest in a Super Bowl advertising campaign, Pepsi instead has invested $20 million in a social networking marketing strategy called Pepsi Refresh that, within hours of its launch, faced serious technical and privacy concerns, reports the Washington Post. In addition to encountering errors with the interface used to submit ideas to Pepsi Refresh, users reported that the personally identifiable information of other subscribers became linked to ideas they submitted. Pepsi acknowledged the problem in a statement that said: "We are aware of site issues and are working towards getting everything resolved." (Registration may be required to access this story.)
Full Story

CONSUMER PRIVACY—U.S.

Expect a More Aggressive FTC in 2010 (January 15, 2010)
MediaPost reports that statements made by a Federal Trade Commission (FTC) official during a discussion at the law firm Venable LLC send a strong signal that, under new management, industry can expect the agency to be much more aggressive this year on issues such as privacy and advertising to children. The FTC's Northeast Regional Director Leonard Gordon told attendees that recent appointees, such as Chairman Jon Leibowitz, Consumer Protection Director David Vladeck and a number of new commissioners, are "aggressive" and "willing to take hard positions." Notice and consent, behavioral targeting and data collection disclosures will be among the privacy issues attracting FTC attention, Gordon said.
Full Story

Help Raise Awareness About Data Privacy

Take Part in Data Privacy Day 2010 (January 14, 2010)
Join the IAPP and privacy professionals across North America on January 28 as we celebrate Data Privacy Day 2010. Data Privacy Day is designed to raise awareness about the importance of data privacy practices and rights. Help us spread the word: The IAPP is encouraging privacy professionals to give presentations about privacy in their own organizations or at local high schools, colleges and universities on or during the week of January 28.



Visit the Data Privacy Day Web page for more ideas on how you can get involved, including scheduled events, resources and educational materials. Don't forget, the IAPP is also celebrating Data Privacy Day with Privacy After Hours events around the world on the evening of January 28. RSVP to an event in your area!

Healthcare Privacy - U.S.

HITECH May Pose Challenge for Healthcare Orgs (January 14, 2010)
The healthcare industry is sending mixed signals about its technical readiness to qualify for federal incentive payments under the HITECH Act, HealthLeaders Media reports. While many hospital administrators say their organizations are on track with the government's technical requirements, healthcare professional organizations seem to think the new rules are complex and may hinder progress toward a national healthcare network. A recent survey by healthcare technology services provider CSC found that, while 98 percent of healthcare organizations have policies in place related to information security and privacy, only 52 percent are currently using encryption or data anonymization technology.
Full Story

Healthcare Privacy - U.S.

Online STD Testing (January 14, 2010)
According to a story in Medill Reports, a Chicago company has launched a new online service that uses the anonymity of the Internet to help individuals test for sexually transmitted diseases, but the service is also raising questions from some about the security of such sensitive information online. The service helps people find local clinics where they can be tested for one of eight STDs, and even provides online notice if a test returns negative. Patients may receive direct notification from a professional in the event of a positive test result. Mark Hodar of the Howard Brown Health Center in Chicago expressed concerns about the privacy and sensitivity of sharing information online, while acknowledging the potential advantages.
Full Story

GEO Privacy - Canada

Backpacks That Track (January 14, 2010)
A portable GPS device that can be inserted into a backpack and used to monitor a child's whereabouts is being tested in Canada, Wired reports. Word of the device, called the Entourage PS, has sparked discussion over the advantages and disadvantages of parental surveillance, including the possibility of obsessively checking a child's location on a handheld device, sending police after a lost child should there be a bag mix-up at school or using the device to surreptitiously track other people. The question of security was also raised, including the potentially negative implications of a data security failure, allowing other people to also track a child.
Full Story

Social Networking

Facebook Employees Accessed Accounts…Or Did They? (January 14, 2010)
An anonymous former Facebook employee has said that employees of the social networking company routinely used a "general password" to access subscriber accounts, and that two employees were fired because of the snooping, MSNBC.com reports. The unidentified former employee also claimed that all messages sent using Facebook's message feature are saved in an unsecure database. Facebook denied the allegations in an e-mail, telling MSNBC.com that, "This piece contains the kind of inaccuracies and misrepresentations you would expect from something sourced 'anonymously,' and we'll leave it at that."
Full Story

Consumer Privacy - U.S.

Opinion: Government Agencies Need Privacy Definition (January 14, 2010)
Writing for The Hill, Center for Democracy and Technology Vice President and COO Ari Schwartz says he believes consumer protection agencies need standardized language in order to clarify consumer complaints. Schwartz's opinion follows an essay published by IAB president Randall Rothenberg, which claimed that a lack of consumer privacy complaints gives clear evidence that self-regulation online is working. Schwartz counters that thousands of complaints related to spyware, identity theft and Internet fraud have clear privacy implications. "Consumer concerns on privacy will continue to grow until we can be sure that we are addressing the basic complaints," Schwartz writes. "If agencies cannot even tell each other what these complaints are, progress will not be possible."
Full Story

Online Privacy - U.S.

FCC Wants Comments on Privacy (January 14, 2010)
The Federal Communications Commission (FCC) is seeking public comments about online privacy, reports MediaPost News. The move follows a Center for Democracy & Technology request for the commission to include an exploration of privacy issues as it creates a national broadband plan. The Federal Trade Commission made a similar urging in September. The FCC asks for comments about "the use of personal information and privacy in an online, broadband world," according to the report. The commission is also seeking comments about online privacy as it relates to cloud computing.
Full Story

Healthcare Privacy - U.S.

Connecticut AG Sues Health Net (January 14, 2010)
Connecticut Attorney General Richard Blumenthal filed a suit against health insurer Health Net of Connecticut alleging negligence in a data breach that affected nearly 450,000 residents, TheDay.com reports. In addition to the security failure, Blumenthal charges the company with a failure to provide prompt notice to breach victims following the discovery of a missing computer disk from Health Net's Shelton offices. Blumenthal said the suit is the first by a state AG under the Health Insurance Portability and Accountability Act (HIPAA). A spokesperson for Health Net said the company has not yet seen the details of the lawsuit, but pledged to "continue to work cooperatively with the attorney general."
Full Story

SURVEILLANCE—U.S.

Mass. Police Arresting Call Recorders (January 13, 2010)

Police in Massachusetts have begun arresting individuals who have recorded their phone conversations with on-duty police officers without the officer's consent, Reason Magazine reports. Individuals arrested have been charged with violating the state's wiretapping laws which require two-party consent, in keeping with a 2001 state supreme court ruling that said, "Secret tape recording by private individuals has been unequivocally banned, and, unless and until the Legislature changes the statute, what was done here cannot be done lawfully." Boston police argue in support of the arrests by stating that the recordings violate their privacy rights, and interfere with their ability to do their jobs.
Full Story

Philippines RFID

Philippines Courts to Transportation Office: No RFID (January 13, 2010)
The Philippines Supreme Court has ordered the country's Land Transportation Office (LTO) to halt its plan to require motor vehicles to be equipped with radio frequency identification (RFID) systems, The Inquirer reports. The order came in response to petitions filed against the LTO by political and transportation trade organizations opposed to the plan on privacy grounds. The order will remain in effect until a decision is made in the case. Court spokesman Jose Midas Marquez said, "[The status quo ante order] means that the prevailing situation prior to the implementation of the RFID would be implemented in the meantime until further orders from the court."
Full Story

CONSUMER PRIVACY—U.S.

Opinion: U.S. Consumer Protection Could Stymie Internet (January 13, 2010)

In an opinion essay published in The Hill, Randall Rothenberg, president and CEO of the Interactive Advertising Bureau, says proposed legislation aimed at protecting consumer privacy online will have a detrimental effect on the Internet as a commercial conduit by placing the burden of privacy protection on individual Web sites through a strict opt-in model. Rothenberg's opinion is directed at Rep. Rick Boucher (D-VA), whose proposed legislation Rothenberg has called the "Spam Preservation Act of 2010." Rothenberg argues that industry self-regulation is working and that, of the thousands of Internet-abuse consumer complaints received by the FTC during 2006-07, only one was related to privacy.
Full Story

PERSONAL PRIVACY—INDIA

India High Court to Telecoms: Respect Consumer Privacy (January 13, 2010)

Cellular telecommunications companies in India this week received a sharp reprimand from a Bombay court, which ruled Vodafone violated consumer privacy rights by sharing database information with call centers and other organizations, DNA India reports. In his ruling, Justice S.D. Dharmadhikari made a distinction between the type of information formerly made publicly available through telephone directories and the kind of information being sold by the cellular telephone company: "Subscribers' numbers are made available to call centers and other agencies. It appears that unlike telephone directories, which were maintained in earlier days, all the details of subscribers are put up [for sale] by service providers."
Full Story

TRAVELERS’ PRIVACY

Anti-Scanner Sentiment Builds Overseas (January 13, 2010)

The planned deployment of whole-body scanners in airports around the world faces a challenge as officials from Europe and the Middle East voice their concerns with the program, reports the New York Times. EU Justice Commissioner-designee Viviane Reding recently told the European Parliament, "Our citizens are not objects. They are human beings." Meanwhile, officials from the Mid East are concerned about discriminatory treatment. Tarek Mitri, Lebanon's Information Minister, said, "citizens of different countries are singled out in a discriminatory fashion." (Registration may be required to access article.)
Full Story

DATA PROTECTION—EU

Reding: Privacy High on My Agenda (January 13, 2010)
Speaking to members of the European Parliament (MEPs) in Brussels yesterday, commissioner-designate Viviane Reding outlined her top priority areas should she be confirmed to the post of Commissioner of Justice, Fundamental Rights and Citizenship, Europolitics reports. Data protection, she said, "will be high on my agenda." Reding said that privacy protections need to be strengthened in the areas of law enforcement, crime prevention and international relations. "The fight against terrorism is important, there can be no doubt," she said. "But I am not convinced that we really need so many new laws and new restrictions on our citizens' privacy to achieve this purpose." Reding also cautioned MEPs on the hasty introduction of airport security scanners. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—CHINA

China Passes Privacy Protections Law (January 13, 2010)
A Hunton and Williams Client Alert reports that the Chinese government has enacted a sweeping tort liability law--the PRC Tort Liability Law--that includes provisions specific to the protection of personal privacy. The law, passed on December 26 and expected to take effect on July 1, covers not only privacy, but also environmental damage and animal bites while establishing parameters for liability in cases where organizations are found to have mishandled personal information. For the first time, PRC Tort Liability Law creates specific private rights of action for citizens in cases where they believe their privacy has been violated.
Full Story

PERSONAL PRIVACY—AUSTRALIA

Charity Accused of Abusing Trust (January 12, 2010)
The Australia Privacy Foundation has accused the St. Vincent de Paul Society of betraying donor trust by allowing a data broker to help develop a survey mailed to donors over the Christmas season, and then sharing the information with the company, The Age reports. The charity defended its actions--which may have violated aspects of the Privacy Act--by saying that it opened its donor list in order to build a mailing list which was then used to distribute the four-page questionnaire to 20,000 people. The survey was conducted under the data broker's privacy policy, not the charity's. For its part, the broker says it complied with privacy legislation.
Full Story

TRAVELERS’ PRIVACY

Advocates Rally Against Scanners (January 12, 2010)
In the United States and around the world, political figures, privacy advocates and civil libertarians are speaking out against the use of whole body scanners, reports the Chicago Tribune. "We don't need to look at naked eight-year-olds and grandmothers to secure airplanes," said Congressman Jason Chaffetz (R-Utah) in a statement that reflects the popular view of those opposed to the devices, which generate a revealing image of the human body. Chaffetz, who introduced a legislative amendment against the scanners last year, is joined by the ACLU. Meanwhile in Germany, members of the Pirate Party protested the scanners by demonstrating in a number of German airports.
Full Story

National Archives Discuss Breaches (January 12, 2010)

Gary Stern, general counsel for the National Archives and Records Administration (NARA), spoke with Federal News Radio about recent data breaches at the agency, including what happened, how the agency is responding and lessons learned from the experience. An investigation is ongoing at NARA, and thus far the agency has extended free credit monitoring to as many as 150,000 people affected by the breach. "These are computer files from the 1990s, and in the world of IT that's like centuries old," Stern said. "Having to be able to go back and read some of this old data through old systems is complex and slow, and that's why we're still doing it even though we discovered this breach last spring."
Full Story

TRAVELERS’ PRIVACY

Privacy Group Refutes TSA Claims on Scanners (January 12, 2010)
The Electronic Privacy Information Center (EPIC) has taken issue with the Transportation Safety Administration's (TSA) claims that the controversial whole body scanners being deployed to airports around the world cannot be used to store and transmit near-naked images of the human body, Computerworld reports. Using information gained following a Freedom of Information Act lawsuit, Marc Rotenberg, EPIC's executive director, asserts that the scanners include hard disk storage, USB interfaces, and Ethernet connectivity and are fully capable of storing and transmitting images.
Full Story

PERSONAL PRIVACY

Saskatchewan Not Gambling with Gamer Privacy (January 12, 2010)
Government-owned casinos in Saskatchewan have announced a change in policy that means patrons purchasing event tickets with cash will no longer be required to provide personal information, CBC reports. Saskatchewan Information and Privacy Commissioner Gary Dickson announced the change this week after reviewing the ticket purchasing policies at Casino Regina and Casino Moose Jaw. Dickson believes businesses should only collect the information needed to transact business and told the CBC: "We started investigating and we had a number of discussions with Saskatchewan Gaming and have worked with them over the last year to redo their policy. They now have signage at the casinos in Moose Jaw and Regina indicating that if people are paying cash for a ticket, they don't have to provide personal information."
Full Story

SOCIAL NETWORKING

Zuckerberg: Privacy No Longer the ‘Social Norm’ (January 12, 2010)
Facebook founder Mark Zuckerberg recently told TechCrunch that a desire for privacy is no longer the "social norm," PCWorld reports. Despite protests from Facebook's critics, the success of that social networking platform may be all the evidence needed to support his assertion. "People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people," Zuckerberg said. "That social norm is just something that's evolved over time." The challenge today, says the report, is in striking a balance between allowing people to share information about themselves online and in providing tools to help them make better decisions about how to share.
Full Story

Leibowitz Feels that FTC May Lean Towards Online Opt-In (January 12, 2010)

In a meeting with the New York Times yesterday, top Federal Trade Commission (FTC) officials suggested that the Internet has evolved past privacy policies and that when it comes to online privacy, we might be moving to a post-disclosure era. "I have a sense, and it's still amorphous, that we might head toward opt-in," Federal Trade Commission Chairman Jon Leibowitz said during the meeting with editors and reporters. FTC Bureau of Consumer Protection chief David Vladeck reiterated the commission's viewpoint that industry groups' efforts to improve notice are "helpful," but incomplete. The views represent a shift in the harm-based focus of previous commissions. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY—U.S.

Consortium Outlines Cloud Definition, Components, Guidelines (January 11, 2010)

In an effort to help establish clarity, the Cloud Security Alliance (CSA) has issued a paper that it hopes will help to create greater standardization around what cloud computing is, Industry Week reports. The CSA warns that security presents a number of challenges for companies moving operations to the cloud. "Integrating security into these solutions is often perceived as making them more rigid," the paper states. "This rigidity often manifests in the inability to gain parity in security control deployment in cloud environments compared to traditional IT."
Full Story

GENETIC PRIVACY—UK

Online DNA Matchmaking (January 11, 2010)
Today's progressive dating services may seek to go beyond a picture and a paragraph, but tomorrow's online matchmakers may ask for a DNA sample to find your soulmate. In fact, more and more people are eschewing personal chemistry in favor of genetic science in their search for a mate, reports the Daily Mail. Services such as ScientificMatch and GenePartner.com are gaining in popularity, but Eric Holzel of ScientificMatch says he sees a difference in the age groups signing onto his service. "Generally we find that those under 45 love the idea because they realize that it's going to make things a lot easier for them," Holzel said. "Those over 45 are less keen and generally far more likely to have privacy concerns."
Full Story

DATA LOSS

Visa to Receive $60M for Heartland Costs (January 11, 2010)

In the latest settlement related to the 2008 Heartland Payment Systems data breach, PCWorld reports that U.S. and international Visa debit and credit card issuers will receive payments totaling as much as $60 million to pay for costs incurred as a result of the security gaffe that affected more than 130 million card holders. Heartland agreed to a $3.6 million settlement with American Express last month. Heartland CEO Bob Carr called the settlement "fair" and said the company was committed to helping card issuers reduce the risks of a data breach.
Full Story

TRAVELERS’ PRIVACY

Differing Views Complicate Int’l Travel Security (January 11, 2010)
As the U.S. amends its air travel security policy in the wake of the failed Christmas Day terror attempt, it will likely find that differences in the ways other nations approach personal privacy issues will complicate security negotiations, the Washington Post reports. The article states that, while the U.S. has authority over a flight that is headed there, in practice any changes to security will be influenced by the laws and social norms of the host country. Approaches to data collection and security screening depend on the relationship with the nation in question. "We have very little control in the United States over the way people apply standards overseas," said former Homeland Security secretary Michael Chertoff. "It only works with the cooperation of foreign governments." (Registration may be required to access this story.)
Full Story

SOCIAL NETWORKING—UK & U.S.

CIOs Wary of Social Network Use (January 11, 2010)
With an increasing number of employees and companies engaging professionally on social networking utilities such as Facebook and Twitter, CIOs remain wary of the potential impact on information security, reports NetworkWorld. Two recent polls show that more than half of U.S. CIOs have restricted access to social nets, and more than three quarters of UK companies do not use Twitter. But the reluctance of CIOs to embrace social nets does not reflect a changing business reality, according to IDC analyst Caroline Dangson. "This concept of trying to control or block [social media usage], it is not going to work," Dangson told NetworkWorld. "There's going to be a divide, with some companies that shun public social networks and are fearful of using them, and some who embrace it and take the risk."
Full Story

HEALTHCARE PRIVACY—U.S.

UCLA Employee Pleads Guilty to Health Record Snooping (January 11, 2010)

Federal authorities announced on Friday that former UCLA Healthcare System employee Huping Zhou admitted to accessing the hospital's system to snoop through the medical records of celebrity patients at the facility, the LA Weekly reports. Zhou's act constitutes a violation of the Health Insurance Portability and Accountability Act (HIPAA). Zhou is alleged to have improperly accessed the network 323 times. The Zhou case is not the first time a UCLA Health System employee improperly accessed celebrity medical records. In 2008, UCLA employee Lawanda Jackson pleaded guilty to selling celebrity medical records.
Full Story

PRIVACY—SINGAPORE

New Law OKs Research Access to Public Data (January 11, 2010)
Following a change to its Statistics Act earlier this month, Singapore's Department of Statistics will allow researchers to access data collected by public agencies, provided the information contains no personal identifiers, reports ChannelNewsAsia.com. Parliament made the change despite lingering privacy and ethics concerns. West Coast GRC MP Ho Geok Choo says, "There is a concern of accidentally revealing the identity or sensitive information. It is imperative that Singapore safeguards the data obtained and ensures that it does not fall into unauthorised hands."
Full Story

Privacy Tracker Experts Recap 2009, Forecast 2010 (January 8, 2010)

Dial in to the next Privacy Tracker monthly call on Thursday, January 14 to hear experts share their 2010 privacy forecasts and recap the 2009 developments that affect your business now. Privacy Tracker keeps you up-to-date on all federal and state privacy legislation with monthly interactive audio conferences where you can request specific coverage, weekly e-mails and a Web dashboard of timely articles and reports. Privacy is the hot issue for 2010--subscribe today to keep up with the latest privacy developments affecting your business.
Subscribe NOW!

IAPP CERTIFICATION TESTING DATES


Washington, DC: January 27
Victoria, BC: February 24
St. Paul, MN: February 26
Washington, DC: April 21

ONLINE PRIVACY

Opinion: Technology Changed, is Changing Everything (January 8, 2010)

Writing for Forbes, Quentin Hardy opines that the evolution of technology was a primary influencing factor in the decade just concluded, and that in the future the impact of technology will bring about radical change in everything from the global economy to national identities to privacy. Of the latter, Hardy writes: "By 2020, you will have to go to a museum to understand what [privacy] meant. Privacy eroded, due to cameras everywhere and increasing sophistication of data analysis. Most people, considering themselves good at heart, traded it away for the sake of better search results."
Full Story

TRAVELERS’ PRIVACY—CANADA

Cavoukian: Scanners Don’t Have to Violate Privacy (January 8, 2010)

A paper published last year by Ontario Information and Privacy Commissioner Ann Cavoukian on the subject of airport full-body imaging scanners is receiving new attention following the foiled Christmas Day terror attack of a jetliner in Detroit, according to OUT-LAW.COM. In the paper, Cavoukian said that the use of the controversial scanners, which generate a near-naked image of an individual's body beneath their clothing, "need not come at the expense of privacy -- both may be achieved together." The key to protecting passenger privacy lies in strict use policies, Cavoukian says, including rendering body images as a "chalk outline" and only showing details of materials that are not made of skin, and prohibiting the capture and storage of images.
Full Story

CHILDREN’S PRIVACY—U.S.

FTC Soliciting Public Comment on New COPPA Guidelines (January 8, 2010)

The Federal Trade Commission (FTC) this week issued a call for public comment on a set of proposed guidelines to help businesses comply with the Children's Online Privacy Protection Act (COPPA). The proposed guidelines were submitted by iSafe, a nonprofit organization dedicated to promoting a safe online experience for children. If adopted by the FTC, the guidelines--designed to encourage better self regulation among Web sites targeting children under the age of 13, or sites that knowingly collect information from children under the age of 13--would constitute a safe harbor program under COPPA. The public comment period will last 45 days from January 6.
Full Story

PERSONAL PRIVACY—UK

National ID Registry Includes National Insurance Data (January 8, 2010)

Home Secretary Alan Johnson confirmed for Parliament this week that among the data included in the country's National Identification Registry are National Insurance numbers as well as challenge questions used to speed the customer service process, ZDNet reports. The revelation is likely to reinvigorate critics of the program who maintain a mandatory national identification card is a threat to personal privacy. Currently the program is voluntary for UK residents and mandatory for non-resident skilled workers. Biometric data is also collected for the registry.
Full Story

HEALTHCARE PRIVACY—U.S.

Trash Pickers Target Pharmacy Refuse (January 8, 2010)

Police in Delaware have issued a warning to citizens to be careful about what they throw away after leaving the pharmacy, reports the Delaware News-Journal. They describe an organized effort to comb the trash for information that may help thieves target patients receiving prescriptions for Oxycontin and Vicodin. The thieves collect discarded pill bottles or paperwork and use the information to fraudulently obtain refills under the victim's insurance. Agent Bruce DiVincenzo said the thieves come from within Delaware as well as from neighboring Pennsylvania and Maryland. "They're making their own scripts by ordering paper from the Internet," he said. "It's the patient's name that they want, because that person is actively listed as a customer of the pharmacy and will not raise suspicion."
Full Story

TRAVELERS’ PRIVACY

Opinion: Airport Security Merely “Theater” (January 8, 2010)

George Washington University law professor Jeffrey Rosen told National Public Radio's Michel Martin that beefed-up security in response to the failed Christmas Day terror attack amounts to little more than "security theater." In the interview, archived on NPR's "Two-Way" blog, Rosen asserts that the changes, including increased use of "naked scanners," provide little in the way of additional safety, but do succeed in violating the privacy rights and religious beliefs of many passengers. Rosen, author of the 2004 book The Naked Crowd, offers policy advice for using the controversial scanning machines as well as other surveillance techniques.
Full Story

ONLINE PRIVACY—U.S.

Marketers Mining Social Networking Data (January 8, 2010)

According to Wired, the recent changes to Facebook's privacy settings may have opened a door allowing "rogue marketers" to harvest e-mail addresses and profile data from subscribers. The hack was publicized by blogger Max Klein. All that is needed to exploit the vulnerability is a subscriber's e-mail address, the report states, giving hackers access to profiles for everyone in the subscriber's network. News of the vulnerability has raised the hackles of privacy advocates such as the Electronic Frontier Foundation's Kevin Bankston who said: "Just because Facebook users want to share personal info with their friends does not mean they want to share it with any nefarious parties on the Internet..."
Full Story

SOCIAL NETWORKING

Your Posts Diminish Everyone’s Privacy (January 8, 2010)

The Intimacy 2.0 era has dawned and it's not just those who post intimate details about their lives online whose privacy is diminished. A university fellow says that such sharing undermines everyone else's right to privacy, reports BBC News. "As more private lives are exported online, reasonable expectations are diminishing," says Kieron O'Hara of the University of Southampton. "When our reasonable expectations diminish, as they have, by necessity our legal protection diminishes."
Full Story

GENETIC PRIVACY—IRELAND

DPC Investigates Blood Sample Bank (January 8, 2010)

The Data Protection Commissioner has expressed shock about a Dublin hospital's database of infants' DNA, reports the Times Online. Commissioner Billy Hawkes is investigating the database, which contains the blood samples of almost every person born in Ireland since 1984, according to the report. The Children's University hospital stores the samples indefinitely, and has the genetic information of a million and a half in the database so far. The samples come from infant 'heel prick tests.' Parental consent is not sought before the tests are conducted. The hospital has, on four occasions, shared anonymized DNA data with university and hospital researchers.  
Full Story

DATA PROTECTION

USB Sticks Recalled (January 8, 2010)

At least three vendors have recalled hardware-encrypted USB memory sticks after penetration testers discovered a vulnerability that could allow hackers access to the data contained on the devices, reports CSO. According to one of the USB vendors affected by the flaw, "a skilled person with the proper tools and physical access to the drives may be able to gain unauthorized access to data..." The flaw pertains to the drives' access-control mechanisms.

Full Story

DATA PROTECTION—U.S.

Twelve Months Later, Heartland Debate Rages (January 7, 2010)

Nearly a year following the disclosure of a Heartland Payment Systems data breach affecting 130 million credit and debit card holders, the debate over the effectiveness of basic compliance continues to rage, reports Computerworld. Critics point out that mere compliance with the Payment Card Industry (PCI) Data Security Standard is never enough, and that the routine method hackers used to access Heartland's system underscores the futility of relying on baseline standards. Gartner privacy and security analyst Avivah Litan told the magazine that the breach served to offer "stark realization that passing a PCI security audit does not make a company secure. This was known well before the breach, but Heartland served as a big pail of ice water thrown on the face of companies complying with PCI."
Full Story

TRAVELERS’ PRIVACY—GERMANY

Schaar: Don’t be Hasty With Airport Scanners (January 7, 2010)

The German government is exploring the possibility of testing full-body scanners at airports, but the country's data protection commissioner has warned against their hasty introduction, reports The Mercury. Peter Schaar raised concerns about personal rights, adding that although the scanners can be calibrated to produce a less revealing image, "the mere development that the monitors no longer show naked images is not enough."  
Full Story

FINANCIAL PRIVACY—INDIA

Information Law Could Expose Personal Tax Info in India (January 7, 2010)

DNA India reports that a recent Right to Information Act ruling could result in making individual tax returns available to any citizen who asks for a copy. The information commissioner's decision on a request filed by Rakesh Kumar Gupta against executives of Escorts Heart Research Institute stated that, "information provided by an assessee to the department for purposes of income tax assessment is information disclosed in relation to a public activity and, therefore... section 8(1)(j) is inapplicable in the present case." The ruling, certain to be appealed, could have broad implications for private citizens.
Full Story

RFID—PHILIPPINES

Government Assures Motorists of RFID Safety in Philippines (January 7, 2010)

In response to privacy concerns voiced by the Commission on Human Rights (CHR), the Philippines Land Transportation Office (LTO) has moved to assure motorists in that country that a new RFID motor vehicle tagging technology does not have the capability to allow tracking of vehicles, and that its staff will be properly trained in using the new system, reports the Manila Bulletin. LTO Chief Arturo Lomibao told the CHR that the tags do not function as a global positioning system and cannot be tracked, nor will the tags contain a driver's personally identifiable information. Further, Lomibao said the tags can only be read from a distance of 10 - 12 meters.
Full Story

PERSONAL PRIVACY—U.S.

Abandoned Building Stuffed with PII (January 7, 2010)

Years after Hurricane Katrina devastated the U.S. Gulf Coast, a Housing Authority of New Orleans (HANO) building in Algiers, Louisiana, abandoned because of storm damage and containing reams of documents with personally identifiable information, remains unsecured. WWL TV reports that the HANO building is open to anyone, and a community organizer showed reporters documents, including Section 8 housing paperwork, payroll records, photocopies of driver's licenses and other documents rich with personally identifiable information. "Here's a person's drivers license. His Social Security number," said community organizer Malik Rahim. "I mean everything that's pertinent to that person's history is just left and abandoned." Confronted with the information, a HANO representative said it was the first they'd heard of the situation.
Full Story

RFID—U.S.

New Hampshire Moves to Ban RFID Implants (January 7, 2010)

The New Hampshire House of Representatives has voted to prohibit the implantation of tracking devices in humans without their written consent, WBZ News reports. The bill, approved by a 186-170 vote yesterday, also includes a provision banning the use of radio frequency identification (RFID) tags to track consumers, and would require consumer notice for any goods implanted with an RFID tag. Furthermore, the bill would prohibit cloning of RFID-enabled debit and credit cards. The bill must now be considered by the Senate before being signed into law.
Full Story

ONLINE PRIVACY—FRANCE

Privacy Agency Holds Up “Three Strikes” Copyright Law (January 7, 2010)

France's Commission nationale de l'informatique et des libertés (CNIL), established in the 1970s to review national legislation for potential privacy impacts, is holding up enactment of a pending "three strikes" law for online copyright infringers, Ars Technica reports. The delay, says the report, is due to privacy concerns with the new authority, HADOPI, created to compile and manage the database used to track offenders. Before CNIL will provide the necessary endorsement, the agency wants to know more about how the information will be collected and archived.
Full Story

PRIVACY LAW—U.S.

Maine Legislature Presents New Marketing-to-Minors Law (January 7, 2010)

The Maine legislative session opened this week with the introduction of a new predatory marketing bill--LD 1677. According to a NetChoice summary, the bill would repeal the beleaguered LD 1883, which was signed to law last year, but faced major opposition from industry groups, leading Maine's attorney general to promise not to enforce the law. The new bill applies to online information only and is limited to pharmaceutical marketing. It gives the attorney general the power to adopt rules to determine its scope. Violation of the law would be considered an unfair trade practice.
Full Story

PRIVACY—MARIANAS

Marianas Call For Alien Registry (January 6, 2010)

The Fitial Administration of the Commonwealth of the Northern Mariana Islands (CNMI) has called for a mandatory national registry for any aliens who remain in the islands for more than 90 days, reports the Saipan Tribune. The registry has been proposed in response to a change in U.S. law that places CNMI immigration under the direct control of the U.S. federal government and was drafted in cooperation with the U.S. Department of Homeland Security. Registration would likely include biometric data, such as fingerprints, photographs and other personal information. The public comment period for the policy ends on January 8.
Full Story

PERSONAL PRIVACY—U.S.

U.S. Navy’s InfoSec Chief Suffers Sixth Breach (January 6, 2010)

The Navy's Chief Information Officer Robert Carey recently received notification of a compromise of his personally identifiable information (PII), reports govinfosecurity.com. For Carey, it was the sixth such notification, and came from the Army--where he hasn't worked in 24 years. Carey used the event to describe his philosophy on data protection and enumerate a seven-point summary of his department's efforts to reduce the risk of a breach within the Department of the Navy. "In today's Information Age, PII must be treated with extreme care because unauthorized access to someone's digital identity can and does cause grave consequences," Carey wrote.
Full Story

TRAVELERS’ PRIVACY—CANADA & UK

Arrivals: Full Body Scanners (January 6, 2010)

Airports in both Canada and the UK will soon deploy controversial full body scanning x-ray machines to enhance security, reports the Toronto Star. The devices, which provide a near-naked view of the human body to reveal weapons and other security threats, will be installed at 44 Canadian airports with the first eight machines in place by March. In the UK officials hope to have the first scanners in use at London's Heathrow Airport by the end of January, but the initiative may be slowed by fears that the devices may be considered sexually exploitative of children. The group Action on Rights for Children believes it may be a criminal offense if the machines generate an image of a person under the age of 18.
Full Story

GENETIC PRIVACY—U.S.

Texas To Destroy Infant Blood Samples (January 6, 2010)

In order to settle a lawsuit, the State of Texas has been ordered to destroy millions of infant blood samples taken without parental consent, states a report in Modern Healthcare. Texas began collecting infants' dried blood spot samples in the 1960s to screen for health disorders, but the suit against the Texas Department of State Health Services was sparked when the samples were transferred to the Texas A&M Health Science Center--representing a change in purpose from the original law and done without parental consent. As a result, the state passed a new law giving parents the option to have the sample destroyed, and all samples collected before that date must be destroyed. (Registration may be required to access story.)
Full Story

EMPLOYEE PRIVACY—GERMANY

Massive Employee Database Begins Operation (January 6, 2010)

In what has been described as Germany's "largest ever data acquisition program," ELENA--a new employment database--began operation on January 1. Employers are required to submit employee income data monthly to the country's ELENA system to track eligibility for social payment programs. Deutsche Welle reports income data will be aggregated beginning in 2012 whether or not individuals qualify for social welfare benefits. Peter Schaar of Germany's Data Protection and Freedom of Information Commission has sharply criticized the project, saying "I've got a big problem with this. Until now, such information on salary declarations has not appeared, and their general storage in a central file is not legally nor constitutionally allowed."
Full Story

DATA BREACH—U.S.

Three Breaches Compromise 30,000 at Penn State (January 6, 2010)

The Pittsburgh Post-Gazette reports that Penn State has begun the process of notifying nearly 30,000 individuals that their personally identifiable information (PII), including Social Security numbers, may have been compromised as a result of three separate malware infections discovered in late December. The school said it has no evidence that the individual or organization behind the malware gained access to the PII, but has decided to notify as a precautionary measure. "We do not have any indication that it was accessed by unauthorized parties. We prefer to err on the side of caution," said spokesperson Annemarie Mountz. The event was the second known breach at Penn State in 2009.
Full Story

HEALTHCARE PRIVACY—U.S.

Feds to test data anonymity (January 6, 2010)

The United States Department of Health and Human Services (HHS) plans to hire a contractor to test whether de-identified data--records stripped of information tying them to specific individuals--can truly protect the privacy of individuals, reports Washington Technology. De-identification and re-identification of healthcare records has become an important issue as the U.S. moves to create a national electronic health data network. Data de-identification is a critical component to maintaining privacy under HIPAA rules. According to the HHS notice, "The contractor shall take one or more HIPAA Privacy Rule de-identified data sets and, using methods and technologies that exclude 'brute force' matching, demonstrate the ability or inability to re-identify the data."
Full Story

DATA PROTECTION—ISRAEL, ANDORRA & EU

Israel receives adequacy status (January 6, 2010)

The Article 29 Data Protection Working Party has deemed that Israel offers an adequate level of data protection. The party released its Opinion 6/2009 yesterday. "The Working Party believes that Israel guarantees an adequate level of protection according to provision 6 of Article 25 of Directive 95/46/EC...on the protection of individuals with regard to the processing of personal data..." the document states. The principality of Andorra also has received adequacy status from the Working Party.
Full Story

Are you ready for the EU Cookie Consent Law? (January 6, 2010)

New Web conference: The New EU Cookie Consent Law: What Is Your Strategy?

Thursday, January 14, 11 a.m. - 12:30 p.m. EST
A recently passed amendment to the EU Privacy Directive will require the consent of Internet users before cookies can be placed on their computers. Join us for this upcoming Web conference to explore the legal, regulatory and financial impact of the new law, and get expert insights into how it may affect your organization's online advertising and e-commerce strategy.
Speakers:
Rosa Barcelo, Senior Lawyer, European Data Protection Supervisor's Office
Eduardo Ustaran, Partner and Head of the Privacy and Information Law Group, Field Fisher Waterhouse LLP
Justin B. Weiss, CIPP, International Privacy Officer, Yahoo Inc.

DATA LOSS—U.S.

EWU Notifying 130,000 (January 5, 2010)

Officials at Eastern Washington University (EWU) are notifying up to 130,000 current and former students that their personal information may have been exposed in a security breach, reports the Seattle Times. The data involved includes names, Social Security numbers and dates of birth for students going back to the year 1987. Information technology staff discovered the breach during a network assessment. "EWU regrets that anyone's personal information may have been subject to unauthorized disclosure," said university President Rodolfo Arevalo in a statement. "The university is taking this matter seriously and is committed to maintaining everyone's privacy."
Full Story

ONLINE PRIVACY—U.S.

FTC Looking at Cloud (January 5, 2010)

The Federal Trade Commission (FTC) is investigating the privacy and security implications of cloud computing, reports The Hill. In a filing with the Federal Communications Commission, FTC Consumer Protection Bureau chief David Vladeck wrote that while the commission recognizes the cost-savings potential of the cloud, "the storage of data on remote computers may also raise privacy and security concerns for consumers." The FTC is also examining identity management systems, according to the report.
Full Story

PRIVACY LAW—U.S.

Federal privacy bill not a foregone conclusion (January 5, 2010)

Recent Congressional activity and growing concerns about identity fraud suggest that lawmakers are taking substantive steps to overhaul the country's data privacy laws, reports Compliance Week. This article examines the legislative activity of late 2009 and outlines the "fine print" of bills currently making their way through Congress. While federal legislation has wide support in Washington, a federal privacy law isn't a foregone conclusion for the coming year, the report states. The article also looks at the state data security laws of Massachusetts and Nevada, which mandate more stringency in data protection efforts, particularly with regards to encryption.  
Full Story

PRIVACY LAW—U.S.

Privacy Law Outlook for 2010 (January 5, 2010)

In an eSecurity Planet article, Kenneth Corbin previews the privacy law landscape for the upcoming year. The FTC has taken a greater interest in the issue and advocates, Corbin writes, are looking ahead with high hopes that 2010 will bring online privacy laws and regulations. Most expect that Rep. Rick Boucher will introduce a bill in the early part of the year and binding regulations for online marketers from the FTC are likely, according to the report. But industry's ramped up efforts to police itself could prompt a wait-and-see attitude on the Hill and "without a major privacy crisis...the push to legislate will be a slow grind."
Full Story

DATA LOSS—U.S.

Hacker in Heartland, Hannaford Breaches Pleads Guilty (January 5, 2010)

A Miami hacker has pleaded guilty to charges associated with the Heartland Payment Systems and Hannaford Brothers data breaches, reports CNET News. Albert Gonzalez, a former U.S. government informant, had already pleaded guilty to charges associated with data breaches at TJ Maxx, OfficeMax and other retailers. He faces several sentences of up to 20 or 25 years, according to the report. Sentencing will take place in March.
Full Story

ONLINE PRIVACY

Profile Purgers Come Under Fire (January 5, 2010)

Services that help social networkers expunge their accounts have come under the scrutiny of Facebook, reports MediaPost. According to the report, last month the company sent a cease-and-desist letter to Les Liens Invisibles, the company behind the Seppukoo.com platform that assists users in committing "Facebook suicide." A Facebook spokesperson said the service causes users to violate Facebook terms of service and breaks anti-hacking and spam laws, among others. The Los Angeles Times reports that Facebook is also blocking the IP address of Web 2.0 Suicide Machine, another deactivation platform, and has filed a lawsuit against social networking data aggregator, Power.com.   
Full Story

DATA LOSS—U.S.

Preliminary Settlement Approval in Class Action (January 5, 2010)

A federal judge in Kentucky last week granted preliminary approval to settle a class-action lawsuit related to the Countrywide Financial data breach that exposed the personal data of millions, reports SC Magazine. The settlement would provide victims with free credit monitoring and up to $50,000 remuneration for incidents of identity theft. Two Californians were charged with downloading batches of Countrywide customer data over a period of two years. A final approval hearing on the settlement is pending.
Full Story

HEALTHCARE PRIVACY—U.S.

Class Actions Filed in Wisconsin Courts (January 4, 2010)

The Associated Press reports that a Wisconsin healthcare provider is being sued by patients who believe the company violated their privacy when it disclosed their personal medical information in bankruptcy court. Patients of Aurora Health Care Inc. want their medical information removed from debtors' files and are seeking $25,000 in damages for each patient whose information was disclosed, the report states.
Full Story

ONLINE PRIVACY—U.S.

A look at Leibowitz (January 4, 2010)

The Washington Post looks at Jon Leibowitz's tenure as chairman of the Federal Trade Commission. Despite his former role as Hollywood lobbyist, Leibowitz has not been soft on emerging technologies and privacy, as expected by some. One advocate described his chairmanship thus far as having "helped waken an agency that was in a deep digital slumber." The commission recently embarked on a series of "privacy roundtables" and has extended its examination of a mobile advertising-related merger. In a December Privacy in Focus report, Wiley Rein partner William Baker says a more aggressive FTC approach to consumer privacy protection is expected. "There is much afoot," Baker writes, "and businesses should pay close heed."
Full Story

HEALTHCARE PRIVACY—U.S.

CEO Fires Two for Accessing Record (January 4, 2010)

The head of the Mayo Clinic has fired two employees who violated privacy policies, reports the Post-Bulletin. Mayo's national CEO Dr. John Noseworthy said that a Mayo physician and another staff member were fired for accessing and reviewing a patient's record. In a letter to employees, Noseworthy said the actions of those terminated "violated the sacred trust each of us holds with our patients, and this cannot, and will not, be tolerated." The president of a Minnesota-based healthcare advocacy group speculates that others also may have accessed the patient's record, saying that the development of electronic medical records has enabled greater access.
Full Story

SOCIAL NETWORKING—GERMANY

Schaar Proposes Grading Agency for Social Networks (January 4, 2010)

German data protection commissioner Peter Schaar has proposed an independent ratings agency to alert users to the risks of social networking, reports Deutsche Welle. Peter Schaar says that the privacy policies of many social networks fail to protect users' data, and that an independent consumer protection agency could grade social networks on their privacy offerings. "What's important to me," Schaar said, "is that people are aware of what they're doing, what information they're putting on the Internet and the problems associated with certain activities."
Full Story

DATA LOSS—U.S.

RockYou Facing Proposed Class Action (January 4, 2010)

Third-party app provider RockYou.com is facing a proposed class-action lawsuit, reports Wired. The suit follows the December 4 breach that exposed the e-mail addresses and passwords of 32 million registered users of RockYou. The suit accuses the company of poor data security and a failure to promptly notify those affected. "RockYou failed to use hashing, salting or any other common and reasonable method of data protection and therefore drastically exacerbated the consequences of a hacker bypassing its outer layer of Web security," says the complaint, which was filed late last month in San Francisco federal court.
Full Story

BEHAVIORAL TARGETING—U.S. & EUROPE

2010 to be "Decisive" Year for Online Ads (January 4, 2010)

Regulatory scrutiny in the online ad space will continue and 2010 will be a decisive year for behavioral targeting. That's according to a ClickZ report that reviews last year's developments in the space and previews what is to come. The year ahead "could provide a few headaches for online ad firms both in the U.S. and across Europe," the report states. In the U.S., Congress is expected to put forward legislation on the issue. Across the Atlantic, EU member states will be busy interpreting and implementing the directive passed in October that requires users' consent before cookies may be dropped on their machines.
Full Story

TRAVELERS’ PRIVACY

Revived Interest in Full-Body Scanners (January 4, 2010)

The thwarted Christmas Day terrorist attack on a Detroit-bound plane has prompted a new interest in bringing full-body imaging scanners to airports worldwide, the Washington Post reports. The U.S. Transportation Security Administration (TSA) has ordered 150 scanners to add to its complement of 40 already in place at American airports, and has received funding approval for an additional 300. Leaders in Britain, Germany and elsewhere have signaled that they will install the scanners despite concerns about the revealing images produced by the scans, and Dutch officials will now require all U.S.-bound passengers to pass through the machines. U.S. lawmakers are expected to debate the issue upon reconvening this month.
Full Story

ONLINE PRIVACY—ITALY

Defense Rests in Milan (January 4, 2010)
Defense rests in Italian online privacy trial against Google.
