Privacy News | Daily Dashboard

Top Privacy News

PRIVACY LAW—U.S.

Lawmakers to Hold Hearings on ECPA Reform (March 31, 2010)

The House Judiciary Committee has announced it will hold hearings this spring in consideration of reforms to the Electronic Communications Privacy Act of 1986 (ECPA). The Washington Post reports that House Judiciary Committee Chairman John Conyers (D-MI) and Reps. Jerrold Nadler (D-NY) and Robert Scott (D-VA) have called for hearings on privacy reforms in the wake of a request by a coalition of industry leaders including Google, Microsoft and AT&T and privacy advocates. The group, which calls itself the Digital Due Process coalition, has asked Congress to strengthen online privacy laws to protect digital personal information from government access. "As technology moves forward," Conyers said, "it is clearly necessary for industry, as well as all Americans, to adjust and clarify the law." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Court Upholds Employee E-mail Privacy (March 31, 2010)

The New Jersey Supreme Court has ruled that a company should not have read e-mails a former employee sent to her lawyer from a private Web account through her employer's computer, the Star-Ledger reports. The court, which determined the company's policy regarding e-mail use was vague, upheld the sanctity of attorney-client privilege in electronic communications, the report states. Marvin Goldstein, who represented the Employers Association of New Jersey, said he expects companies will use the decision to rewrite policy manuals on e-mail usage. "The court has recognized the very legitimate and real concerns with regards to privacy," he said. "This gives some guidance to employers in terms of how explicit policies need to be."
Full Story

ONLINE PRIVACY—U.S.

Administration Asked to Address “Digital Age” Privacy Challenges (March 31, 2010)

During President Barack Obama's campaign in 2008, he pledged to "strengthen privacy protections for the digital age," Declan McCullagh reports in a CNET News article questioning whether proposals from the business and advocacy group known as the Digital Due Process coalition will bring that effort to the administration's forefront. The coalition is calling for a federal law requiring law enforcement officials to obtain search warrants before tracking cell phone locations or accessing e-mail and documents stored in the cloud. "All of the agencies know that this is an important balance," said Cathy Sloan of the Computer and Communications Industry Association, adding that Justice Department officials "...know they need to engage so we can strike the right balance."
Full Story

HEALTHCARE PRIVACY

I Read in Your Blog You’ve Been Feeling Depressed… (March 31, 2010)

The Washington Post delves into the ethical and professional questions arising over the online presence of mental health practitioners and their consumption of patients' online data in the course of treatment. The proliferation of publicly available patient data on social networks, blogs and elsewhere is raising new questions about the provider-patient relationship. "We are just beginning to understand what ethical issues the Internet is raising," says Stephen Behnke, ethics director for the American Psychological Association. Some therapists consider the Internet a valuable treatment tool, saying, "You could almost make the argument that it's negligent not to search online...," while others are skeptical. "To write rules that allow our field to grow and develop and yet prevent [patient] harm at the same time: That's the challenge," Behnke says. (Registration may be required to access this story.)
Full Story

RFID—CHINA

“Octopus” Card’s Reach into China Raises Concerns (March 31, 2010)

Stored-value cards widely used by Hong Kong residents to pay for everything from subway rides to fast food may soon reach mainland China, Reuters reports. The Hong Kong-based company Octopus is reportedly hoping Chinese citizens will use its cards for other services as well, as many Chinese municipalities want them to include medical records and benefits status that can be recalled upon swiping the cards. There are privacy concerns around the plan as well, the report states, as the cards would also store social security and birth registration data that could help officials enforce China's one-child policy and control citizens' movements.
Full Story

DATA LOSS—U.S.

AG Investigating Second HIPAA Breach (March 31, 2010)

Connecticut Attorney General Richard Blumenthal is investigating his second case involving HIPAA violations in three months, HealthLeaders Media reports. In a statement issued on Monday, Blumenthal's office confirmed it is investigating allegations that a radiologist formerly affiliated with a Connecticut hospital improperly accessed 957 of the hospital's patient records in February and March. "Patients rightly expect and demand that their medical information remain secure and confidential, viewed only by authorized individuals," Blumenthal said. "Unauthorized accessing of patient information is a violation of the federal HIPAA law that my office is empowered to enforce. I will seek strong and significant sanctions, if warranted by the facts."
Full Story

BIOMETRICS—U.S.

DEA Approves Interim Electronic Prescription Rule (March 31, 2010)

The Drug Enforcement Agency (DEA) has unveiled an interim final rule that would make it easier for physicians to e-prescribe controlled substances, Government IT Health reports. The rule requires two-factor authentication as a replacement for doctors' signatures and allows for biometric identifiers--such as fingerprints, iris scans or handprints--to be used as acceptable forms. That change aims to alleviate concerns raised by providers about in-person authorization requirements included in a 2008 notice of proposed rulemaking.
Full Story

PRIVACY LAW—U.S.

Coalition to Push for ECPA Rewrite (March 30, 2010)

A coalition of companies and advocacy groups wants federal privacy laws updated to protect mobile and cloud computing users, reports CNET News. The coalition will announce a major push to that end today. The group, which includes Google, Microsoft, the Progress and Freedom Foundation and Center for Democracy and Technology, among others, says the Electronic Communications Privacy Act (ECPA) needs to be simplified. "The main thing that's broken about ECPA is that it penalizes you for using cloud computing," says Marc Zwillinger of Zwillinger Genetski in Washington, DC.
Full Story

BEHAVIORAL TARGETING—U.S.

Industry Icon Set to Debut (March 30, 2010)

Online ad agencies plan to debut a new behavioral targeting icon within weeks, MediaPost reports. The icon is the industry's answer to the Federal Trade Commission's assertion that companies need to better inform consumers about online tracking and opting out, the report states. The icon features an 'i' within a blue circle. It will appear as an overlay on Internet advertisements. Better Advertising, the start-up that will oversee the initiative, is reportedly designing a landing page that will educate users about behavioral targeting and how to opt out.
Full Story

EMPLOYEE PRIVACY—GERMANY

Commission Finds Employee Blood Tests Illegal (March 30, 2010)

Stuttgart's state privacy office has warned automotive company Daimler that it is breaking the law by testing the blood and urine of all job applicants, Deutsche Presse-Agentur reports. The privacy commission said that taking the blood of applicants broke the law because it could reveal private matters of no relevance to a future employer and would only be legal if used to avoid potential health dangers in the workplace. The commission has not imposed a fine on the company for the practice. Daimler, which had already agreed to restrict the tests to applicants for jobs where there is a health risk, has said it may challenge portions of the ruling.
Full Story

PRIVACY LAW—U.S.

Senator Inspired to Expand Wiretapping Laws (March 30, 2010)

After a Senate subcommittee hearing on privacy and technology yesterday, Sen. Arlen Specter (D-PA) says he will introduce legislation to expand wiretapping laws to cover photo and video surveillance, the Philadelphia Inquirer reports. At the hearing, Specter questioned technology and law experts on the implications of a Lower Merion School District incident where administrators admittedly viewed students in their homes by remotely activating the Web cams on school-issued laptops. The district said it only activated the Web cams to locate stolen laptops. "The incident raises a question as to whether the law has kept up with technology," Specter said at the hearing.
Full Story

DATA LOSS—CANADA

Security Shortcomings Caused Toronto Hydro Breach (March 30, 2010)

The Information and Privacy Commissioner of Ontario has said Toronto Hydro Corporation must fix the "security shortcomings" that led to a breach of its e-billing system last year, the Toronto Star reports. The breach involved a third party's unauthorized access to account numbers for all of Toronto Hydro's 640,000 customers and the use of 179,000 of those numbers to create online billing accounts for customers without their consent, the report states. The commissioner is recommending Toronto Hydro include complex passwords, e-mail address verification and activation codes to improve e-billing security. "The fortunate thing in this case, we haven't seen any evidence it was used improperly," said Assistant Commissioner Brian Beamish.
Full Story

HEALTHCARE PRIVACY—UK

Scottish Gov’t Launches Paperless Records (March 30, 2010)

In spite of privacy concerns and delays with a similar project in England, The Times reports that a £44 million electronic data system intended to make the NHS paper-free has been launched by the Scottish government. The British Medical Association in Scotland has said that while there are advantages to the electronic system, there is serious concern across the UK about confidentiality and access to online records, the report states. According to the privacy advocate group Big Brother Watch, as many as 140,000 non-medical staff can access patient files in England, and those files will become even easier to access through the new NHS database.
Full Story

DATA THEFT—U.S.

More Company Names Disclosed in Gonzalez Data Breach Case (March 30, 2010)

JC Penney and The Wet Seal have been named among the retailers targeted in a 2008 data breach that resulted in the theft of 130 million credit card numbers, Computerworld reports. Albert Gonzalez, the man who orchestrated the thefts, was sentenced on Friday to 20 years in prison for what is being called the largest breach of credit card data on record. According to documents unsealed on Monday, JC Penney sought to keep its name out of the court proceedings because disclosure would cause "confusion and alarm." U.S. prosecutors disagreed, stating, "Most people want to know when their credit or debit card numbers have been put at risk, not simply if, and after, they have clearly been stolen."  
Full Story

ONLINE PRIVACY

It Now Takes More Clicks to Escape E-Mail Lists (March 29, 2010)

A study of 100 large online retailers has shown that five times more are requiring at least three clicks to escape from e-mail marketing lists than in 2008, the New York Times reports. The Responsys survey also indicates that the number requiring just one click to be removed from an e-mail list has dropped to three percent, down six percent in that same time period. The report states that while retailers may not want to let their subscribers get away too easily, Chad White of Responsys recommends they let customers leave with two clicks or fewer as the time it takes to opt out is "being measured against that one click on their report spam button." (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

Browser Fingerprinting Gains Attention (March 29, 2010)

A tracking technique that creates sophisticated digital fingerprints of Web users has emerged from the banking sector and seems poised to enter the wider Web. PCWorld reports on the browser fingerprinting method, which was developed originally to help banks detect online fraud but is now being sold as a Web service. The method involves the collection of identifying data on one's browser in addition to biometric identifiers such as typing speed and patterns, the report states. It has the attention of the Electronic Frontier Foundation, which describes the legality of the method as fuzzy.
Full Story

ONLINE PRIVACY

Global Data Protection Law Needed for Cloud (March 29, 2010)

European leaders are calling for a worldwide agreement on data protection to address data security weaknesses related to cloud computing, ComputerWeekly reports. Speaking before an international audience of 300 cyber law experts at the Council of Europe, Francesco Pizetti, president of Italy's data protection authority, said when it comes to the cloud, "It is not possible to continue to guarantee the protection of citizens' data without very strong international rules accepted by all countries around the world." Meanwhile, Udo Helmbrecht, executive director of the European Network and Information Security Agency (ENISA), said the agency is seeking European regulation to require cloud providers to notify customers about security breaches.
Full Story

SOCIAL NETWORKING

Facebook Privacy Changes, “Places” Feature Raise Concerns (March 29, 2010)

Facebook's announcement of changes to its privacy policy, including amendments permitting the site to share data with "pre-approved" third-party Web sites, and its plans to add a new "places" feature that would allow users to add their locations to their pages are raising privacy concerns. The Financial Times reports that the privacy policy changes would allow sites to receive Facebook user information, including "names, profile pictures, gender, user IDs, connections and any content shared using the Everyone privacy setting," and potentially retain that information "to the extent permitted" under the third-party sites' policies. Marc Rotenberg of the Electronic Privacy Information Center (EPIC) said Facebook is "pushing the envelope," and EPIC is considering bringing a new complaint before the Federal Trade Commission. (Registration may be required to access this story.)
Full Story

BEHAVIORAL TARGETING—BRAZIL

Phorm Launches Commercial Operations (March 29, 2010)

Behavioral advertising company Phorm has partnered with five Internet service providers (ISPs) in Brazil and has secured millions in pre-booked ad revenue, reports ClickZ. Phorm's technology harvests ISP data, allowing advertisers to tailor promotions based on Web users' browsing activities. The company announced the deals in a notice to investors on Friday. The launch follows less successful attempts in other markets such as the U.S. and UK, where authorities have scrutinized the legality of the technology. The company has also partnered with a major Korean ISP, and CEO Kent Ertugrul said Phorm is "active in almost every other major Internet market worldwide."  
Full Story

DATA THEFT—U.S.

Personal Information of 3.3 Million Stolen (March 29, 2010)

A student loan firm is providing credit monitoring and protection services to some 3.3 million people affected by a data breach, the Washington Post reports. A spokesman for Educational Credit Management (ECMC), a nonprofit student loan guaranty agency headquartered in Minnesota, said portable media containing personally identifiable information was stolen in an "old-fashioned theft" from company headquarters. The stolen information included names, addresses, birth dates and Social Security numbers, but no banking information, an ECMC press release said. (Registration may be required to access this story.)
Full Story

BIOMETRICS—CANADA

ID Cards for Alberta’s Homeless? (March 29, 2010)

Housing Minister Jonathan Denis told the Calgary Herald that his department is discussing with Service Alberta the creation of an Alberta ID card for the homeless. The cards would allow the homeless to use a shelter as a proxy address and would likely include a photo and possibly a fingerprint or facial scan, the report states. "Identification does have value on the street and we have to make sure we have those adequate controls in place," said Denis. Some are raising concerns about, among other things, the creation and management of a database to store the information. A spokesperson from the provincial privacy commissioner's office said the card would have to work within the guidelines of the provincial privacy legislation.
Full Story

SOCIAL NETWORKING—U.S.

Members of Congress Call for Inquiry (March 29, 2010)

U.S. lawmakers are calling on the Federal Trade Commission (FTC) to investigate whether Google's social networking service, Buzz, has compromised users' privacy, Bloomberg reports. Ten members of Congress and the Virgin Islands delegate sent a letter to FTC Chairman Jon Leibowitz asking for an investigation, the report states. Reps. Joe Barton (R-TX) and John Barrow (D-GA) were among the letter's signers. They said the service could "disclose information about a consumer's medical history, political views and whereabouts..." Google received criticism about Buzz upon its introduction last month. A company spokesman said the company "moved quickly" to modify the service to quell the concerns.
Full Story

DATA LOSS—U.S.

FTC Busts Dave & Buster’s (March 29, 2010)

The entertainment operation Dave & Buster's, Inc., has agreed to settle Federal Trade Commission charges that the company failed to protect consumers' information, according to an FTC press release. The commission alleged that the company failed to detect and prevent unauthorized network access and failed to "use readily available security measures to limit access to its computer networks through wireless access points," among other failures, which enabled hackers to access 130,000 credit and debit cards. To settle the charges, the company will establish a program to protect customers' data and subject itself to biennial audits for the next decade.
Full Story

DATA PROTECTION—IRELAND

Survey Calls for Breach Notification Requirements (March 26, 2010)

Almost half of Irish Computer Society members taking part in a recent survey said they were not confident they would be contacted should their personal information be compromised in a data breach, SiliconRepublic.com reports. Unveiled at the Annual Data Protection Conference yesterday, the March 2010 survey also found that 81 percent of respondents said legislation should be enacted requiring organisations to notify the Data Protection Commission after a breach. Customers should be notified as well, 80 percent of respondents said. "Companies need to realize the importance of data protection in their companies and give it the time and training it deserves," said the Irish Computer Society's CEO.
Full Story

DATA LOSS—U.S.

ID Thief Gets 20 Years (March 26, 2010)

The man who orchestrated the theft of millions of credit and debit card numbers from major companies was sentenced to 20 years in prison yesterday, reports the Boston Globe. The sentence is one of the longest ever imposed for computer crime or identity theft, the report states. Albert Gonzalez hacked major retailers such as TJX Cos., BJ's Wholesale Club and Dave & Buster's. (See related story below.) A data security lawyer said, "The long sentence corresponds to the magnitude of Mr. Gonzalez's crimes and will likely be a frequently cited indicator of the growing intolerance for cyber crime."
Full Story

HEALTHCARE PRIVACY—UK

Survey: Health Records Lack Proper Security (March 26, 2010)

More than 100,000 non-medical staff in NHS Trusts have access to confidential patient records, according to a recent Big Brother Watch Survey, BBC News reports. "The number of non-medical personnel with access to confidential medical records leaves the system wide open for abuse," said Big Brother Watch's director. But a government spokesman said the NHS's use of smartcards means that "when managed properly, it is not possible for an unauthorized member of staff to see clinical information." The Information Commissioner's Office (ICO) said it is vital that medical records remain private and secure.
Full Story

DATA PROTECTION

Condom e-Store Exposes Customer Data (March 26, 2010)

An Indian Web site that sold Durex condoms has threatened legal action against the person who exposed a data breach on the site. Earlier this month, a user of the site noticed that he could view customers' names, addresses, contact numbers and order details, The Register reports. Kohinoorpassion.com fixed the problem after the whistleblower notified all involved parties of the breach. Meanwhile, Durex says in a notice to customers on its India e-Store Web site that it has put modifications in place to "ensure that unauthorized access cannot happen again." Durex's parent company and a local marketing agency have jointly accused the whistleblower of downloading customer details, which he disputes.
Full Story

DATA PROTECTION—U.S.

CIO Council Creates Privacy Guidance (March 26, 2010)

The Federal Chief Information Officers Council has created a guidance document calling for privacy protections to be built into new or modified systems within the federal enterprise architecture, reports Federal Computer Week. According to the report, the guidance would establish "Privacy Control Families" that would be based on Fair Information Practice Principles. The document has been approved by the CIO Council's privacy committee, but awaits approval by the full council. Roanne Shaddox, a privacy specialist at the Federal Deposit Insurance Corporation, provided an overview of the initiative at a trade show in Washington, DC, yesterday.   
Full Story

SOCIAL NETWORKING—U.S.

FINRA Releases Social Networking Guidance (March 26, 2010)

The Financial Industry Regulatory Authority (FINRA) has issued guidance for financial institutions on how to develop social media policies, reports BankInfoSecurity. Regulatory Notice 10-06 covers the use of blogs and social networks. FINRA's Social Networking Task Force collaborated on its creation. "While many firms may find that the guidance in this notice is useful when establishing their own procedures, each firm must develop policies and procedures that are best designed to ensure that the firm and its personnel comply with all applicable requirements," the notice states.   
Full Story

PRIVACY LAW

New BC Gov’t Powers Raise Privacy Concerns (March 26, 2010)

In a move that is raising concerns about privacy implications, the British Columbia government presented an 88-page submission seeking expansion of its powers to collect and share citizens' private information to a special committee reviewing the Freedom of Information and Protection of Privacy Act this week. The Tyee reports that the provincial government has not only proposed the collection of personal information without consent, but also the storage of such information outside of Canada. "It's the scope of the thing," said Vincent Gogolek of the Freedom of Information and Privacy Association. "They really are looking to change the basis of the act to remove people's control over their own information...This is stuff you don't want bouncing around all over the place."
Full Story

PRIVACY LAW—U.S.

FTC Seeks Comments on COPPA (March 25, 2010)

The Federal Trade Commission (FTC) is seeking public input about protecting children's privacy online, reports MediaPost News. The commission is engaged in its second five-year review of the Children's Online Privacy Protection Act (COPPA), which took effect in 2000. COPPA requires Web site operators to obtain parental consent before collecting or using kids' personal information. The FTC says that changes in the online environment and "children's increasing use of mobile technology to access the Internet" might necessitate an update to the regulations. In a Federal Register notice, the commission asks how regulations should be modified to address new platforms, the report states.
Full Story

SOCIAL NETWORKING

Photo Tagging, Employee Tracking Raise Privacy Concerns (March 25, 2010)

In the wake of announcements that Swiss and German privacy authorities are examining whether the world's largest social networking site is infringing upon personal privacy by allowing its users to post content such as photos and e-mail addresses of other people, the Los Angeles Times reports that a Facebook spokeswoman said regulator reviews are a fairly standard practice. "We believe that Facebook's privacy features respect and are consistent with privacy laws, regulations and policies around the world, as well as, importantly, users' expectations and needs," she said. Meanwhile, a U.S. company has announced the creation of Social Sentry, a new program companies can use to automatically monitor their employees' public activities on social networking sites.
Full Story

FINANCIAL PRIVACY—U.S. & EU

EU to Revive SWIFT Talks, Set up Tracking Program (March 25, 2010)

The European Commission (EC) has revived negotiations on sharing banking data with the U.S., reports the New York Times. Citing data privacy concerns, the EU Parliament last month rejected the so-called SWIFT deal, which would have enabled the continued transfer of transaction data from the Belgium-based Society for Worldwide Interbank Financial Transactions (SWIFT) to the U.S. for use in counter-terrorism efforts. The EC adopted a mandate yesterday to begin new negotiations with the U.S. EU justice commissioner Viviane Reding said the new deal would address parliamentarians' data privacy concerns and would require reciprocity in the sharing of data. "We would like to set up our own [terrorist financing tracking program,]" Reding said. (Registration may be required to access this story.)
Full Story

DATA PROTECTION—UK

ICO Announces Plan to Boost IT Expertise (March 25, 2010)

The Information Commissioner's Office (ICO) will be staffing its policy and strategy division with more technical experts as part of its reorganisation process, Kable reports. Speaking before the Home Affairs Select Committee, Information Commissioner Christopher Graham said this technical expertise will help the ICO be more forward-looking and "spot the next big thing before it becomes a huge problem." Graham noted that while government entities have improved data protection processes, he does not expect issues around data-sharing to go away, the report states. The challenge, he said, is for the ICO to ensure "that what is proposed is proportionate, privacy friendly and thought through and complies with the Data Protection Act."
Full Story

DATA THEFT—UK

Survey Shows 100 Percent of Organizations Targeted for Data Theft (March 25, 2010)

In a recent survey of 115 UK executives, all reported attacks targeting corporate data within the past year and 77 percent reported their organizations have experienced a data breach in the past. InformationWeek reports that the study, which was conducted by the Ponemon Institute and sponsored by IBM, reveals growing concern about data protection. The survey indicates that more than 27 percent of the respondents doubt their organizations could avoid a data breach in the next 12 months. According to the survey, data protection initiatives result in an average cost savings or revenue improvement of £11 million ($16 million), the report states.
Full Story

HEALTHCARE PRIVACY

Opinion: Do-Not-Disclose Registry Needed (March 25, 2010)

There is already a lack of health record privacy and it will get worse as more records become digitized, according to Deborah Peel. In a Wall Street Journal editorial, Peel, a psychiatrist and founder of Patient Privacy Rights, says that without proper privacy controls, electronic records will expose patients to significant privacy risks, and may erode patient-doctor trust. Patient Privacy Rights is calling for Congress to pass legislation that would build an online registry where patients can control their electronic medical records' privacy settings. "When patients realize they can't control who sees their electronic health records, they will be far less likely to tell their doctors about drinking problems, feelings of depression, sexual problems or exposure to sexually transmitted diseases," she says. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Appeals Court Hears Arguments in Freedom of Speech, Privacy Case (March 25, 2010)

A three-judge panel of the 4th U.S. Circuit Court of Appeals heard arguments Tuesday in the Virginia attorney general's appeal of a 2009 decision allowing a Hanover County woman to publish state officials' Social Security numbers on her Web site. The Richmond Times-Dispatch reports that the American Civil Liberties Union (ACLU), which is representing Betty "BJ" Ostergren, contends the numbers are used for "shock value" to raise awareness of privacy concerns, and therefore constitute free speech. Appearing for the attorney general's office, E. Duncan Getchell Jr. said Ostergren's posting of the information invites criminal conduct, while Rebecca K. Glenberg of the ACLU of Virginia said the solution is for the state government to redact the information in question from its public Web sites.
Full Story

SOCIAL NETWORKING—EU

Regulators Probe “Tagging,” Consent (March 24, 2010)

European regulators are looking into whether the practice of posting photos and other information online without the consent of those featured is a breach of privacy laws, reports the Associated Press. Swiss Data Protection Commissioner Hanspeter Thuer has launched a preliminary probe, and Thilo Weichert of the data protection commission in the German state of Schleswig-Holstein said that his office has "written to Facebook and told them they're not abiding by the law in Europe." A Columbia University law professor says, "If the European regulators get serious, it will create a significant conflict." Facebook's European policy director said the company has added a tool to facilitate nonuser data removal.
Full Story

ONLINE PRIVACY—UK

Gov’t Considers Moving Public Services to the Web (March 24, 2010)

Prime Minister Gordon Brown's move toward a paperless society calls for the creation of personalised Web sites and unique identifiers that would allow citizens to do everything from booking doctors' appointments to paying taxes to registering their cars from their home computers, The Times reports. However, data and identity protection are among the concerns being raised about the plan. Privacy experts and union leaders, including Jonathan Baume of the FDA, caution not to "underestimate a whole range of risk factors including upfront costs, data protection, identity theft...Roughly £12 billion of taxpayers' money has also just been wasted on the NHS IT project and there has been a long history of government computer problems."
Full Story

ONLINE PRIVACY—U.S.

Should Medical Professionals Examine Their Patients’ Online Lives? (March 24, 2010)

In an essay for the Harvard Review of Psychiatry, three doctors explore the potential benefits and the privacy pitfalls of a practice they call "patient-targeted Googling." The Wall Street Journal reports that authors David Brendel, Benjamin Silverman and Brian Clinton not only point out how such a practice can be beneficial, such as in emergency cases where patients are unconscious, but also caution that some are motivated by "curiosity, voyeurism and habit." In their paper, the three doctors have outlined a framework to help medical professionals decide whether to conduct such searches. Brendel points out that while some say "absolutely it should never be done; it's a breach of privacy," others suggest the data "is in the public domain, and it may be information that is clinically relevant." (Registration may be required to access this story.) (See related story on "The ethics of 'Googling' someone" from the December 2009 issue of the IAPP member newsletter, the Privacy Advisor.)
Full Story

PERSONAL PRIVACY—U.S.

Would You Give Up Privacy to Save on Your Car Insurance? (March 24, 2010)

The automobile insurance industry is trying to determine whether customers would agree to have their driving electronically monitored if it could result in lower premiums, the New York Times reports. "There is general interest and a desire on the part of a fair number of companies to move in the direction of offering pay-as-you-drive," explained Dave Snyder of the American Insurance Association. However, discussions of creating a "usage-based insurance" that would charge people based on not only how many miles they drive but on how they drive are raising privacy concerns, the report states. As one insurance company executive put it, "If you want the freedom of driving aggressively, then this program is not for you." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—EU

Hustinx: EU Laws Should Push ‘Privacy by Design’ (March 24, 2010)

EU data protection laws should change to force companies developing new information and communication technologies (ICTs) to design privacy features into them, says European Data Protection Supervisor (EDPS) Peter Hustinx. In a statement, the EDPS said that ICTs raise new concerns that are not accounted for in EU regulations thus far, making further action necessary, OUT-LAW.COM reports. In an opinion submitted to the European Commission recently, Hustinx said it's crucial to consumer trust in emerging ICTs that laws change to address social media, radio frequency identification and targeted advertising. "This need for a 'privacy by design' approach should be reflected in the EU data protection legal framework at different levels..." Hustinx said.
Full Story

HEALTHCARE PRIVACY—U.S.

Expert: Access Control Key to Protection of Online Medical Data (March 24, 2010)

The amount of personal medical information online will "increase exponentially" over the next four years, reports Computerworld, which is causing some to be concerned about the protection of that data. IDC researchers anticipate that by 2015, 60 percent of Americans will have an online health record, collectively amounting to petabytes of data. A major healthcare data breach is inevitable, according to Dr. William Braithwaite, who wrote portions of the Health Insurance Portability and Accountability Act (HIPAA). And security measures must include access controls, says another expert. "The fact that you did encryption doesn't mean you've protected medical information," said Dr. Taher Elgamal of Axway, "because access control is the real issue."
Full Story

ONLINE PRIVACY—U.S.

Legislators, Industry Leaders Disagree on Impact of Privacy Bill, New FTC Powers (March 24, 2010)

While legislators are promising online marketers that they don't need to worry about a new privacy bill expected to be introduced in the weeks ahead, advertising business leaders are raising concerns about that plan and new Federal Trade Commission (FTC) powers included in a separate bill, Mediaweek reports. Virginia Rep. Rick Boucher (D-VA), who is expected to introduce his privacy bill in the next few weeks, said the legislation will not deliver a crushing blow to the $25 billion online advertising industry. Meanwhile, a proposed financial reform bill aimed at cleaning up Wall Street has industry insiders worrying over expanded FTC powers to crack down on "shady advertisers" and "data abusers," the report states.
Full Story

BEHAVIORAL TARGETING—U.S.

NAI Study Shows Value of Targeted Ads (March 24, 2010)

The Network Advertising Initiative (NAI) has released study results that show targeted ads are more valuable than run-of-network ads, reports MediaPost News. The study surveyed 12 ad networks about their 2009 ad revenues, the report states, finding that marketers paid more than twice as much for ads targeted to Web users' behaviors than for run-of-network ads. "It's clear that behavioral targeting has the potential to significantly elevate the value of the inventory--to the advertiser, to the publisher and to the network," said report author Howard Beales, former head of consumer protection at the Federal Trade Commission (FTC). The NAI plans to submit the study to the FTC, which is exploring the privacy implications of behavioral targeting.
Full Story

PRIVACY LAW—CANADA

Law Group Examines Breach Notification Requirements (March 24, 2010)

When it comes to notification requirements for security breaches involving Canadian data, federal and provincial privacy commissioners have established guidelines for companies to follow in the event of data loss or theft. W. Scott Blackener of Information Law Group points out that while Canada does not have the legally enforceable breach notice statutes in place in the U.S., "courts are likely to defer to the expert commissions and consult the guidelines in deciding whether an organization suffering a security breach has violated PIPEDA or a provincial PIPA, or whether the organization has met contractual expectations or a duty of reasonable care under tort law." Blackener also points out that Special Commissions at the federal level and in the provinces of Alberta and British Columbia have recommended amending privacy legislation to mandate notification of material security breaches.
Full Story

DATA PROTECTION—FRANCE

CNIL Unveils 2010 Inspections Report (March 23, 2010)

The French Data Protection Authority (CNIL) plans to conduct at least 300 on-site inspections in 2010, with a special focus on compliance issues, the Hunton and Williams Privacy and Information Security Law Blog reports. In 2009, the CNIL conducted 270 on-site inspections, with 22 percent leading to warnings or sanctions. In its recently adopted 2010 inspections report, the CNIL lists its areas of focus as including ensuring data controller compliance and assessing the effectiveness of data protection officers within organizations. The CNIL also intends to focus on certain business sectors and concerns, the report states, including the airline and real estate industries, the protection of minors and the use of closed-circuit television (CCTV) for video surveillance.
Full Story

DATA PROTECTION—ASIA

$1M to Build Asian Privacy Watchdog (March 23, 2010)

The Canadian International Development Research Centre has awarded a $1 million contract to civil rights group Privacy International for the establishment of an Asian privacy monitoring and awareness regime, reports ComputerWeekly. The effort will monitor threats to citizen privacy and raise awareness about the need for privacy in the digital world, the report states. Asian countries to be involved include Bangladesh, India, Malaysia, Pakistan, the Philippines and Thailand. A 2009 Privacy International report on the region found "a mounting level of concern about telemarketing, the abuse of databases and financial information, identity fraud and other privacy-related issues."
Full Story

DATA LOSS—UK

Report Recommends Personal Compensation for Data Breaches (March 23, 2010)

A study commissioned by the Information Commissioner's Office (ICO) and Consumer Focus recommends putting a price on privacy breaches to deter organisations from losing or misusing personal information, The Telegraph reports. The study also recommends giving consumers more control over how their data is used, requiring regulators to name organisations that mishandle data and providing the ICO with new powers to administer fines when information is misused. "The study points the way for the ICO to meet its commitment to respond to the real concerns of real people," said Information Commissioner Christopher Graham. "Consumers want to be in effective control of their personal information and privacy and there is support for tougher penalties for misuse of information by rogue individuals within organisations."
Full Story

PRIVACY LAW—U.S.

Privacy v. Free Speech Case Heads to Court (March 23, 2010)

The Virginia attorney general's appeal of a ruling allowing a privacy advocate to republish state officials' Social Security numbers on her Web site is now before the 4th U.S. Circuit Court of Appeals, the Richmond Times-Dispatch reports. The appeal came after U.S. District Judge Robert E. Payne ordered the state to stop enforcing a law that prohibited Betty "BJ" Ostergren from republishing the numbers of Virginia officials in records that are already accessible to the public, ruling the law violated her right to free speech. Ostergren has said her goal is to show that such information should not be accessible through government Web sites, the report states. The state's appeal, meanwhile, contends, "Criminals have, in fact, turned to Ostergren's Web site to obtain SSNs for criminal purposes."
Full Story

ONLINE PRIVACY—U.S.

CPUC Focuses on Smart Grid (March 23, 2010)

The California Public Utilities Commission (PUC) held a three-day hearing last week to explore smart grid policies, Earth2Tech reports. Among other topics, participants discussed ways to mitigate privacy risks. Jim Dempsey of the Center for Democracy and Technology said one solution is to minimize the amount of consumer data collected and allow consumers control over how that data is used. But others noted that the push to minimize data could become problematic, given recent innovations by companies like Microsoft and Google to create home energy management systems open to third-party developers. Meanwhile, U.S. Rep. Edward Markey (D-MA) introduced a bill this week that would mandate giving Americans "free, timely and secure data about their electricity prices and usage patterns."
Full Story

PERSONAL PRIVACY

I Always Feel Like Somebody’s Watching Me (March 23, 2010)

The use of video surveillance in retail stores is growing and so is concern about loss of privacy, reports the New York Times. Stores are tracking customers' browsing habits and then studying them to identify potential changes that might improve the shopping experience and increase sales. But some question the ethics of these methods, especially as facial recognition software is added to the mix. "I think it is absolutely inevitable that this stuff is going to be linked to individuals," says Katherine Albrecht, founder of Consumers Against Supermarket Privacy Invasion and Numbering. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Opinion: Prescription Drug Database an Infringement on Privacy (March 23, 2010)

A Georgia bill that would see the creation of a statewide database to monitor prescription pain medications raises serious privacy concerns. That's according to Atlanta Journal-Constitution columnist and former Libertarian party presidential candidate Bob Barr, who says that the bill is "defective and unnecessary legislation." Barr says that monitoring prescription drug abuse can be done in a far less intrusive way than collecting and analyzing Georgians' private medical records. He adds that the database, promoted by the Drug Enforcement Administration and the Georgia Drugs and Narcotic Agency, among others, aims to "monitor everybody in order to catch the [relatively] few abusers."
Full Story

ONLINE PRIVACY

Privacy in the Video Everywhere World (March 22, 2010)

The emerging online video revolution begs a new definition of the word privacy, The Guardian reports. New sites are making online video more immediate and communal, says author Victor Keegan, giving us a "taste of the future when everyone will have instantaneous access to almost anyone else." Archiving video in the cloud would be an "amazing tool...if anyone ever has the time to go through it," but could also come at the expense of our privacy. "Indeed..." writes Keegan, "Whatever our fears about governments collecting data about ourselves, we seem to be two steps ahead of them in revealing it all ourselves voluntarily."
Full Story

ONLINE PRIVACY

Privacy Eroding? Look Within. (March 22, 2010)

The Atlantic responds to recent articles about the loss of privacy in the online environment, saying "Don't blame Facebook" for its erosion. Derek Thompson writes that our privacy is vanishing online because we want it to. "Occasionally Facebook screws up," he writes. "But mostly, we sacrifice our privacy online for the human instinct to share and feel connected. If you want somebody to blame, look in the mirror." Thompson says Cornell University Professor Jon Kleinberg offers words to live by in saying, "When you're doing stuff online, you should behave as if you're doing it in public--because increasingly it is."  
Full Story

STUDENT PRIVACY—U.S.

Senate Subcommittee Sets Hearing on School Webcam Case (March 22, 2010)

The Senate Judiciary Subcommittee on Crime and Drugs will hold a hearing on Monday, March 29, on a Pennsylvania school district's alleged use of school-issued laptops to spy on students in their homes, Computerworld reports. A spokeswoman for Sen. Arlen Specter (D-PA) has said the goal is to consider whether federal laws have kept up with technological changes such as those allowing school officials to remotely activate webcams in student laptops, as is alleged in the Lower Merion School District case. Meanwhile, some of the district's parents have expressed outrage at a lawsuit by the family of the student involved in the case seeking monetary damages. Six parents have filed a motion in federal court seeking a resolution "that does not involve the class-action lawsuit," the report states.
Full Story

DATA PROTECTION

Copy Machines a ‘Gold Mine’ for Data Thieves (March 22, 2010)

The Toronto Star reports on the potential privacy implications of photocopiers in the work place. Multi-purpose copy machines store a wealth of information on their hard drives and it can be easily hacked, the report states. One security expert who reconfigures used copy machines says businesses are unaware of the privacy breach risks when a copier is replaced. "In almost all the machines I have seen, the files, phone numbers, fax numbers and e-mail addresses are left there as if it was still in the office," he says, adding that he often comes across files from insurance companies and medical facilities. Another expert says if linked to an unsecured network, copier data can be found and tracked online.
Full Story

HEALTHCARE PRIVACY—AUSTRALIA

Concerns over Privacy May Further Delay E-Health System (March 22, 2010)

The electronic patient identifier system may be delayed until after the election due to concerns over security and privacy, the Sydney Morning Herald reports. Victorian Privacy Commissioner Helen Versey and University of NSW Prof. Graham Greenleaf are among those calling for amendments to the legislation. E-health advocates, meanwhile, point to privacy breaches and healthcare mistakes with the current paper-based system in supporting the new plan. Chief clinical adviser Dr. Mukesh Haikerwal contends it is being derailed by those who "are out defending the privacy of the agenda to the exclusion of all thought of benefits to the individual brought about by better healthcare."
Full Story

ONLINE PRIVACY

Bills Worry Marketeers (March 22, 2010)

The imminence of two bills has online publishers and advertisers concerned, reports Mediaweek. One bill, expected to be introduced by Virginia Rep. Rick Boucher in the coming weeks, could place restrictions on the practices of online advertisers. Another, the financial reform bill, includes language that would give the Federal Trade Commission (FTC) greater Administrative Procedure Act rule-making authority and fining potential. However, FTC chairman Jon Leibowitz told Mediaweek that the commission would "not be looking at rule making" in the behavioral targeting area. "It doesn't make sense to initiate rule making where business practices and consumer attitudes are still evolving..." the chairman said.
Full Story

PRIVACY—CANADA

Opinion: Show Dickson the Money (March 22, 2010)

A StarPhoenix editorial calls the Saskatchewan government's denial of more funding for the privacy commissioner's office "short-sighted." Despite a 113 percent increase in demand for services in the past year and a 12 to 18 month wait time for case resolution, Commissioner Gary Dickson's request for an additional investigator has been denied for a third time. Instead, Justice Minister Don Morgan has suggested "internal shuffling" of resources to alleviate the backlog. But "It's absurd to expect that even adding one more investigator to the current complement of three can keep abreast of the workload involved in serving the privacy-related consultation and advisory needs" of so many, the report states.
Full Story

CHILDREN’S PRIVACY—GERMANY

Nutrition Game Asks Kids for Data (March 19, 2010)

The German educational foundation Stiftung Lesen is facing criticism for its collaboration with food company Nestlé on a Web-based nutrition game that is being distributed to schools across the nation, The Local reports. Opponents say although the game does not collect data from children when they play during school hours, when they play at home the program asks for their names, e-mail addresses and birth dates, among other data. The head of Berlin's state parents' committee said, "this data does not belong on the Internet." A Nestlé spokesperson said the company has since changed the game's registration requirements. Data protection officials in Darmstadt are looking into the matter.
Full Story

CHILDREN’S PRIVACY—UK

New Code of Practice Restricts Data Collection (March 19, 2010)

Advertising industry groups have released a new code of practice that outlaws the collection of personal data from children under the age of 12 without parental consent, reports OUT-LAW.COM. The rules, which will be enforced by the Advertising Standards Authority, will take effect on September 1. The rule also prohibits marketers from collecting personal information about other people from children under the age of 16, the report states. The Direct Marketing Code of Practice requires parental consent before the online collection of data from children under the age of 16.
Full Story

FINANCIAL PRIVACY—EU

Reding Assures Parliament on Bank Transfer Conditions (March 19, 2010)

EU justice commissioner Viviane Reding has assured members of the European Parliament that their demands for data protection concerning European bank transfers "will be guaranteed," reports theParliament.com. Parliament recently rejected an agreement to share bank transfer data with the U.S. on the grounds that the accord failed to adequately consider the privacy of EU citizens. At a European Policy Centre debate in Brussels yesterday, Reding said, "I can tell you that, following discussions with the American authorities, the guarantees regarding privacy which were required by parliament will be met." German MEP Martin Schulz said, "The EU and U.S. Obama administration have accepted MEP concerns."
Full Story

DATA PROTECTION—EU

Art. 29 Working Party Defines Terms (March 19, 2010)

The Article 29 Working Party has created guidance on two terms in the EU Data Protection Directive in order to help organizations apply the directive in practice, reports OUT-LAW.COM. The guidance provides detailed definitions of "data processor" and "data controller," terms on which the application of the directive hinges. The group said a potential lack of clarity around the terms has led to inconsistencies.
Full Story

BIOMETRICS—SOUTH AFRICA

Bank Biometric System Raising Security Concerns (March 19, 2010)

A biometrics deal between the South African Banking Risk Information Centre and the Department of Home Affairs aimed at reducing identity theft is raising some security concerns, ITWeb reports. The deal allows banks to conduct online fingerprint verification of clients and gives the banks access to the Home Affairs National Identification System to verify their identity, the report states. "The information is very sensitive, so we have to see that the proper security measures are in place," explains Frank Rizzo of KPMG, adding, "The advantages are huge. It's a very strong method for the proof of authentication. I think the initiative is great, but I'd like to see the proper security measures in place."
Full Story

SOCIAL NETWORKING—UK

Study Raises Questions About Teens and Privacy (March 19, 2010)

When it comes to privacy issues and social networking, a Fast Company report suggests the real question is whether the next generation is concerned at all about online security. A recent UK survey of 1,150 teenagers showed that 25 percent had attempted to hack into their friends' social networking accounts, the report states. Tufin Technologies, the firm that commissioned the study, suggests the results demonstrate the need for education about what is and is not acceptable when it comes to online privacy. "There's a fine line at which point it becomes something bad," a Tufin spokesperson said. "Children don't always understand where that line is."
Full Story

ONLINE PRIVACY—U.S.

Harbour: Consumer Privacy Cannot Be Run in Beta (March 18, 2010)

In her opening address for yesterday's Federal Trade Commission (FTC) roundtable on Internet privacy, FTC Commissioner Pamela Jones Harbour said technology companies are setting a dangerous precedent of publicly exposing consumer data during new product rollout, the Wall Street Journal reports. She said the throw-it-up-against-the-wall-and-see-if-it-sticks approach to product launches comes at the expense of consumers' privacy and that "Unlike a lot of tech products, consumer privacy cannot be run in beta." It was the third and final FTC roundtable dedicated to online privacy. Among other topics, participants discussed the privacy of health information, the notice-and-choice framework and privacy policies, which one panelist described as "an unmitigated disaster." In the months to come, the commission will synthesize its findings and gather comments from the public. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Settlement Approved, Foundation to be Established (March 18, 2010)

A federal judge has approved Facebook Inc.'s settlement of a lawsuit related to its Beacon service, Bloomberg reports. Yesterday, U.S. District Court Judge Richard Seeborg in San Jose ruled that the settlement, which will see Facebook establish a privacy foundation, is a better use of the funds than distributing them among the 3.7 million people represented in the class action. Some had objected to the proposed settlement, questioning the fact a charity, rather than class members, would benefit, and suggesting that because Facebook would establish the foundation, it would be "paying itself." But in yesterday's ruling, Judge Seeborg said, "there is no persuasive showing that the foundation will be a mere publicity tool for Facebook."
Full Story

DATA LOSS

Hotels a Hot Target for Hackers (March 18, 2010)

Hotels are attractive targets for hackers seeking customer credit card data, the Wall Street Journal reports. According to a recent SpiderLabs study, 38 percent of its 2009 data breach investigations occurred at hotels, more than in any other industry. Verizon Business manager Dave Ostertag says his company has also noticed an increase in hotel breaches. Once a hacker finds a flaw or weakness, Ostertag says, "they want to replicate it as many times as they can." Experts recommend that hotels become compliant with the Payment Card Industry Data Security Standard (PCI DSS) in order to help prevent breaches. "Complying with the PCI DSS standard is one of the most effective ways to minimize risk as it relates to data security around credit card information," Navigate LLC founder Chris Zoladz, CIPP, tells the Daily Dashboard. A former privacy executive in the hotel industry, Zoladz says that while the PCI DSS is not perfect, "at the end of the day...hotels and other companies that follow the standard will have less risk than if they didn't follow it." (Registration may be required to access this story.)
Full Story

DATA LOSS—CANADA

Bank Mails Customers the Wrong Data (March 18, 2010)

An Ottawa man says he will leave his bank after it mailed him another customer's personal information. The statement included someone else's name, mailing address and deposit date as well as their RRSP and social insurance numbers. Scotiabank acknowledges that a small number of customers received the wrong tax receipts, the Ottawa Citizen reports. The bank notified the Office of the Privacy Commissioner (OPC). An OPC spokesperson says that although institutions aren't legally required to report data breaches, "the banking sector is one of the industries that is proactively doing so."
Full Story

ONLINE PRIVACY

Developers Discuss Concerns of “Real-Time Web” (March 18, 2010)

Before the Web can begin providing information to users in real time, Internet professionals need to figure out how to protect personal privacy, CNN reports. "A lot of this data that people would like to make available, they wouldn't necessarily want to make available to everyone," Jack Moffitt of Collecta explained during the South by Southwest Interactive Festival. "I think we'll be wrestling with privacy issues around real-time data for a long time." Brett Slatkin of Google suggested one option would be for developers to create a way for users to set their online privacy settings in one place and then have those settings apply across the Internet. "We're going to see a definition, at the technical level, of what sharing means," he said.
Full Story

PRIVACY LAW—GHANA

Data Protection Law Coming (March 18, 2010)

The government of Ghana will establish a data protection law this year, reports myjoyonline.com. Speaking at a mobile telephony event in Accra this week, Communications Minister Haruna Iddrisu announced the Data Protection Bill would help secure personal data. The event was to celebrate the launch of Zain Zap, a service to enable mobile banking via cell phones. Minister Iddrisu called on Zain Ghana managers to "inspire customer confidence in the service" by protecting the information consumers divulge when registering their SIM cards. He said the "government will continue to uphold and respect the privacy of the communication of every Ghanaian."
Full Story

SOCIAL NETWORKING—U.S.

Your New “Friend” Could Be a Federal Agent (March 18, 2010)

U.S. law enforcement officials are regular visitors to social networking sites, the Associated Press reports, so that new "friend request" you received might just be from an undercover agent. A Justice Department document obtained in a Freedom of Information Act suit "makes clear that U.S. agents are already logging on surreptitiously to exchange messages with suspects, identify a target's friends or relatives and browse private information such as postings, personal photographs and video clips," the report states. The document also includes recommendations for government attorneys, including advising trial lawyers to look up defense witnesses on social networking sites while telling their own witnesses to "think carefully about what they post."
Full Story

PRIVACY

The Future of the Privacy Profession (March 17, 2010)

At the IAPP's tenth anniversary celebration yesterday, experts offered insight on the future of the data protection field and those who work in it. The privacy professional of the future must be agile, multicultural and engaged in the technologies that are stirring privacy debates, said a panel of seasoned privacy pros. In a moderated forum at the National Press Club in Washington, DC, panelists discussed the growth and evolution of the privacy field over the past decade and offered a sneak peek at what it will look like in the year 2020. Picture this: acrobatic regulators, data protection in the mainstream and, potentially, an ethical code for privacy professionals.
Watch online

SOCIAL NETWORKING—U.S.

Internet Can Be Treasure Trove for Data Miners (March 17, 2010)

Even if you decide not to share your personal information online, your friends and colleagues may be doing it for you, the New York Times reports. While social network users can adopt strict privacy controls, that is often not enough to protect their personal information "in the interconnected world of the Internet," the report states. Researchers like Ralph Gross and Alessandro Acquisti, who will be a featured presenter at the IAPP Global Privacy Summit in April, have shown just how much information can be gathered by "data mining" the Internet. The two Carnegie Mellon researchers were able to accurately predict Social Security numbers for 8.5 percent of those born in the United States between 1989 and 2003. The FTC is exploring these and other online privacy issues at its third and final roundtable today. (Registration may be required to access this story.)
Full Story

PRIVACY

Commissioner: Creativity is Essential in Facing New Privacy Challenges (March 17, 2010)

When it comes to addressing the new challenges arising from rapidly developing technologies, Canadian Privacy Commissioner Jennifer Stoddart is urging privacy professionals to be more creative and strategic than ever before. "Increasingly, those responsible for privacy within organizations need to think outside the box," said Stoddart, who was participating in a panel discussion as part of the International Association of Privacy Professionals (IAPP) 10th Anniversary Celebration in Washington, DC. "My message to privacy professionals is that they need to go beyond the strict requirements of the law," she said, urging them to ask the question, "What do we need to do to respect people's privacy and minimize the intrusion on that privacy?"
Full Story

PRIVACY LAW

What is Social Networking’s Place in the Courtroom? (March 17, 2010)

Law Times reports that evidence gathered from social networking sites has been used increasingly in areas such as criminal justice, family law and jury selection in the U.S., while many Canadian employers monitor staff members' online profiles for derogatory statements about their work. "Social networking sites can provide a wealth of information for lawyers," writes author and attorney John Browning. "From educational background and work history to intimate revelations and incriminating video, this digital treasure trove is yours for the taking when access is unlimited." When it comes to use of such material, the report states, some argue that "privacy is becoming an anachronism" while, on the other side, "there's the reality that people are willingly offering up intimate details of their lives by posting blogs and photographs."
Full Story

DATA LOSS—CANADA

Breach Affects 697 Former Parliament Staffers (March 17, 2010)

The House of Commons has launched an internal probe after an administrative error resulted in 647 personal income tax forms being mailed to the wrong addresses, the Ottawa Citizen reports. The forms, sent to Parliament members' former staffers, contained personal information including social insurance numbers, employee earnings and other identifying information. A House spokesman said the unintended recipients have been instructed to return the sensitive information, though some reported already having destroyed it. The spokesman also said steps were being taken to prevent future breaches. Meanwhile, the House has set up a hotline and consulted credit agencies to monitor the affected employees for identity theft.
Full Story

PRIVACY—U.S.

Officials Question Why President Has Yet to Appoint Privacy Board Members (March 17, 2010)

Privacy advocates and members of Congress are asking why President Barack Obama has not yet appointed nominees to the Privacy and Civil Liberties Oversight Board, NPR reports. The board, which was created in 2004 at the recommendation of the 9/11 Commission, has been defunct for more than two years, the report states. "I wish they'd hurry up and get the nominations up here," said Senate Judiciary Committee Chairman Patrick Leahy (D-VT). "I've written to President Obama and told him that this shouldn't lag any longer." A White House spokesman has said the positions will be filled soon, and that the president is committed to reviving the board. Despite some issues with the board's structure, former member Lanny Davis said it was "extremely effective" during its existence.
Full Story

PRIVACY LAW—IRELAND

High Court to Rule on Privacy Rights (March 17, 2010)

A number of major record companies have asked the High Court to rule on data protection issues based on agreements to disclose the Internet protocol (IP) addresses of people involved in music piracy, the Irish Times reports. In a settlement last year, broadband provider Eircom agreed to implement several measures aimed at stopping illegal downloading, including disclosing the implicated IP addresses. But the issue has come before the High Court again after the data protection commissioner said that disclosing the IP addresses violates the Data Protection Act. The record companies claim, however, that privacy rights are overruled when a person commits copyright infringement. A judge is expected to rule on the issue next week.
Full Story

HEALTHCARE PRIVACY—AUSTRALIA

Health ID Bill Consideration Set for May 11 (March 17, 2010)

Following a week of testimony and a report recommending its adoption by the Senate Community Affairs Committee, the full Senate's consideration of the government's proposed Healthcare Identifiers Bill is not scheduled to take place until budget day on May 11, The Australian reports. Medical software specialists and privacy advocates are among those who have been raising questions about the service, which is to be overseen initially by Medicare Australia. "I'm really pleased the government is not going to try and steamroller this one," said Prof. Graham Greenleaf, co-director of the Cyberspace Law and Policy Centre at the University of NSW, adding the bill should not move forward "until the whole package for electronic health records legislation is put before Parliament."
Full Story

DATA LOSS—CANADA

Prescription Records Litter Street (March 17, 2010)

The Ontario Information and Privacy Commissioner is investigating a data breach after thousands of old prescription records ended up on an Ottawa road last week, the Ottawa Citizen reports. Several garbage bags containing the records fell out of a dump-bound truck after a pharmacist found the records in his store's basement and asked a friend to dispose of them. The records apparently belonged to pharmacies that occupied the building previously. A spokesman for the commissioner said the incident is being investigated to make sure it doesn't happen again.
Full Story

BEHAVIORAL TARGETING

Industry under “Fairly Significant Assault” (March 17, 2010)

While some in the advertising industry are warning peers to be mindful of their practices as the threat of increased regulation looms, others are experimenting with methods that would be considered privacy invasive by some, reports MediaPost News. At the Collaborative Alliance meeting this week, advertising industry thought leaders heard from Interactive Advertising Bureau (IAB) CEO Randall Rothenberg, who warned "If there's something that's going to freak out your consumers, don't do it." Following his presentation, attendees heard from the managing director of an out-of-home ad agency about a recent digital billboard campaign that involved a company's employees watching passersby and directing targeted messages to them in order to "drive engagement."
Full Story

ONLINE PRIVACY—U.S.

FCC National Broadband Plan to Include Privacy Provisions (March 16, 2010)

The Federal Communications Commission (FCC) released the executive summary of its national broadband plan yesterday, and privacy is part of it, MediaPost News reports. In the summary the FCC signals its intent to call for measures that would increase transparency about firms' data collection practices and give consumers the right to control the disclosure of their personal information to third parties, among other measures. "Now that the FCC is issuing privacy recommendations...early indications are that the commission might have incorporated standards that are fast becoming outdated," the report states, citing an emphasis on notice-and-choice, a regime that some consider passé.
Full Story

PRIVACY—CANADA

Stoddart: Global Data Flow Complicates Privacy Regulations (March 16, 2010)

Real-time globalization and the instantaneous worldwide flow of data are changing the terrain of privacy regulation. That's according to Jennifer Stoddart, Canada's privacy commissioner, speaking at last month's Privacy and Security Conference in Victoria. Stoddart said the changes in international data flow, among others, have resulted in significant challenges for administering protective privacy regulations for Canadians' personal information. The Spanish Initiative, a draft international privacy standard recently endorsed in Madrid, is a "valuable first step towards a harmonized approach to data protection," she said, adding that Canada is working more closely with other countries to create uniform rules and standards, the London Free Press reports. However, Stoddart acknowledged that "a single, enforceable global standard for privacy won't materialize overnight--if ever."
Full Story

ONLINE PRIVACY—U.S.

Internet Privacy Isn’t Dead, It’s Just More Complex (March 16, 2010)

Internet users may love to share their stories via social media, but they also care about their privacy, the Washington Post reports. According to researchers, there is a delicate balance of "privacy and publicity in the social networking age," the report states. "Fundamentally, privacy is about having control over how information flows," says Danah Boyd of Microsoft Research New England. "When they feel as though control has been taken away from them or when they lack the control they need to do the right thing, they scream privacy foul." Mary Madden of the Pew Center's Internet & American Life Project says "there is going to be more outrage or stronger reaction simply as more people get engaged with social media and they have more invested in it. There is more to lose." (Registration may be required to access this story.)
Full Story

HEALTHCARE PRIVACY—AUSTRALIA

Senate Committee Supports Health ID Bill, But Privacy Concerns Persist (March 16, 2010)

Despite lingering concerns over its privacy implications, the Senate Community Affairs Committee has recommended passage of the Healthcare Identifiers Bill, The Australian reports. The committee members opposed to the bill issued a report stating, "Amendments are required to ensure the privacy of health consumers is maintained, and that individual identifiers cannot become de facto Australia Cards." The Australian Privacy Foundation, the Public Interest Advocacy Centre and the Cyberspace Law and Policy Centre were among those who raised concerns about the plan during recent hearings on Health ID. Going forward, the committee recommends developing a plan to introduce the service over the next two years, the report states, and including a period for public comment before it goes into effect.
Full Story

PRIVACY LAW—U.S.

Proposed HITECH Rules Forthcoming (March 16, 2010)

The Office of Civil Rights (OCR) has announced it expects to release proposed rules regarding the privacy and security provisions of HITECH, but HealthLeaders Media reports that just when that will happen remains to be seen. Attorneys have been discussing enforcement delays in HITECH provisions that went into effect on February 17 until the OCR formally publishes rules on such issues as business associate liability, individual rights to access electronic medical records and limitations on the sale of personal health information, the report states. Adam H. Greene of the Office of the General Counsel for OCR told HealthLeaders that the OCR's rulemaking will elaborate on the expected date of compliance.
Full Story

ONLINE PRIVACY—SWEDEN

New Company Manages Your Online Life After Death (March 16, 2010)

For those who have ever wondered what will become of their social networking pages and photos or their online games, posts and blogs after they pass away, a Swedish online company may have the answer. Lisa Granberg and Elin Tybring's new company, Webwill, solves the problem of what happens to that content when family or friends are unable to access or delete social networking profiles after the loss of a loved one, Deutsche Welle reports. "You create an account and tell us which online services you use, and what changes we should make after your death," Granberg says. "...Once we're informed of your death, we execute your digital will, so to speak."
Full Story

PRIVACY LAW—U.S.

Insurance Company Sued over Disclosing Medical Records (March 16, 2010)

Minnesota's largest health insurer is facing a lawsuit after accidentally publishing a customer's medical records in a handbook, the Star Tribune reports. According to the suit, Blue Cross and Blue Shield violated the Minnesota Health Records Act and breached the unnamed plaintiff's privacy by disclosing her name and confidential information, including dates and locations of her medical treatment and the costs of her care. According to Minnesota law, insurers cannot disclose such "personal or privileged information" without their clients' written authorization, the report states. A Blue Cross spokeswoman said that when the company discovered the mistake last year, it immediately discontinued the material in question.
Full Story

GENETIC PRIVACY—U.S.

Opinion: Want to Stop Crime? Share your DNA (March 16, 2010)

In a recent interview with "America's Most Wanted" host John Walsh, President Barack Obama spoke of the value of collecting DNA from anyone who is arrested to "continue to tighten the grip around folks who have perpetrated these crimes." Others question the plan, citing the bias against members of certain racial or ethnic groups as reflected in their arrest rates. In a New York Times opinion piece, Michael Seringhaus suggests that a better solution would be "to keep every American's DNA profile on file." He contends that "the genetic privacy risk from such profiling is virtually nil, because these records include none of the health and biological data present in one's genome as a whole...Provided our privacy remains secure, there is no excuse not to use every bit of science we can in the fight against crime." (Registration may be required to access this story.)
Full Story

STUDENT PRIVACY—U.S.

Principal’s List of Failing Students May Have Violated FERPA (March 16, 2010)

A principal at a Wisconsin middle school may have violated the Family Educational Rights and Privacy Act (FERPA) when he posted the names of about 100 students in "a misguided attempt to address failing grades," the Wausau Daily Herald reports. Marshfield Middle School Principal Dave Schoepke posted the list outside his office in an effort to notify students to turn in assignments so that they could raise their grades prior to a school dance, the report states, because school policy bars those with failing grades from such extracurricular activities. Schoepke, who took the list down after receiving complaints, has said he made a poor choice. "Is there something that is legally wrong? I would have to say 'yes,'" he said.
Full Story

PERSONAL PRIVACY—U.S.

Man Protests Smart Meter Installation (March 16, 2010)

A California man is refusing to allow Pacific Gas and Electric (PG&E) to install a smart meter at his home, citing an unconstitutional invasion of his privacy. Smart meters report household electricity consumption back to utility companies, sometimes down to the appliance level. "It permits PG&E to actually come into your home at any time during the day," the man says. "This is corporate intrusion on your life." He has locked up his current meter and claims it will take a court order and a "whole bunch of police officers," before PG&E can replace it, CBS 5 reports. Meanwhile, in a joint filing to the California Public Utilities Commission last week, privacy advocates called for new rules on the collection and use of smart meter data.
Full Story

ONLINE PRIVACY—U.S.

Netflix Cancels Plans for Second Contest (March 15, 2010)

Netflix has canceled plans to carry out the sequel of a contest that has elicited a lawsuit and attention from the Federal Trade Commission, the Wall Street Journal reports. The contest opened up anonymized Netflix user data to researchers who were competing to find better ways to predict customers' movie preferences. But other researchers questioned the anonymity of users, and an in-the-closet lesbian mother filed suit against the company, saying its release of insufficiently anonymized datasets violated her privacy. Netflix has since settled the suit. On the company blog, Chief Product Officer Neil Hunt announced the cancelation of the contest's sequel. (Registration may be required to access this story.)
Full Story

BEHAVIORAL TARGETING—U.S.

Firms Merging Offline, Online Data to Improve Ad Targeting (March 15, 2010)

Consumer research firm Nielsen and Web data collection company eXelate Media are forming a new alliance aimed at creating more detailed consumer profiles, the Wall Street Journal reports. Advertisers will be able to purchase data from eXelate's research on more than 150 million Internet users and Nielsen's database on 115 million American households, the report states. "We can build profiles from any building blocks," says Meir Zohar, chief executive of eXelate, which has offices in New York and Israel. "Age, gender, purchase intent, interests, parents, bargain shoppers--you can assemble anything." Lawmakers, regulators and privacy advocates, however, are warning such a move could be too intrusive. "If consumers learn that information about them has been compiled from multiple different sources, it certainly could cause them to be concerned," says Christopher Olsen of the Federal Trade Commission. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—NEW ZEALAND

Law Commission Weighs in on Do-Not-Call Registry, Breach Notification (March 15, 2010)

The Law Commission is accepting public comments until April 30 on its 500-page report detailing the results of its examination into how the nation's privacy laws could be tightened. The commission looked at privacy concerns associated with direct marketing, data breaches, cloud computing, Web 2.0, social networking, radio frequency identification and biometrics, according to Stuff.co.nz. The commission views the creation of a do-not-call registry as "an efficient, user-friendly remedy" for citizens who do not want to be solicited by phone, but offers a less "firm view" on the possibility of a data breach notification requirement, another subject discussed in the report.
Full Story

PRIVACY LAW—UK

ICO Pushes for Jail Terms (March 15, 2010)

The information commissioner wants dormant legislation brought to life and is urging Tories to act, reports The Register. The legislation imposes jail sentences of up to two years on data thieves. Speaking at a conference in London last week, Christopher Graham urged Conservatives to activate the sentences if they win the May 7 election, saying that the failure to impose custodial sentences is stopping him from doing his job. "It's there to be taken off the shelf," Graham said. "But there has been remarkable reluctance by ministers to take it."
Full Story

FINANCIAL PRIVACY—SWITZERLAND

Swiss People Want Secrecy Laws Upheld (March 15, 2010)

A Swiss Bankers Association survey of more than 1,000 Swiss citizens has found that the majority oppose ending banking secrecy laws in the state. Seventy-three percent of respondents want the laws maintained, down five percent from last year's poll. In addition to wanting confidentiality laws upheld, 40 percent of respondents indicate that their government should do more to protect the tradition and 70 percent say they object to the automatic exchange of banking information with other governments. The Swiss government has been facing international pressure to relax the rules in order to assist international tax evasion investigations.
Full Story

ONLINE PRIVACY—U.S.

Opinion: Why No One Cares about Privacy Anymore (March 15, 2010)

In an analysis that contradicts much of the current debate about data privacy, CNET's Declan McCullagh offers a lengthy argument on how changing norms have led to reduced outrage about moves that advocates would typically consider privacy violations. "Norms are changing," McCullagh writes, "with confidentiality giving way to openness." He cites the widespread embracing of Google's social networking feature, Buzz, which activists jumped on but "relatively few Google Buzz users seem to mind." McCullagh says that "Internet users have grown accustomed to informational exhibitionism" and cites a psychology professor's theory that "If one can choose how much or little to divulge about oneself to another voluntarily, privacy is maintained."
Full Story

BEHAVIORAL TARGETING—U.S.

Speed, Precision and Online Ads (March 15, 2010)

The New York Times reports on Web publishers' use of real-time bidding, a sales method that lets advertisers "examine site visitors one by one and bid to serve them ads almost instantly," the report states. Some hope the method will revive the online ad market. Publishers and advertisers like it for its revenue and return-on-investment potential, among other benefits. But not everyone is excited. "The fact that you can be auctioned off in 12 milliseconds or less just illustrates how privacy in this country has rapidly eroded," says one consumer advocate. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY—CANADA

Opinion: While Technology Continues to Evolve, Privacy is Still the Social Norm (March 15, 2010)

Privacy has not ceased to be the norm, Ontario Information and Privacy Commissioner Ann Cavoukian writes in an opinion piece for the Globe and Mail. Instead, she writes, privacy "is a dynamic that is a complex function based on an individual's needs and choices--choices that must be respected and strongly protected if we are to maintain freedom and liberty in our society." Pointing out that modern technology has transformed the way personal information can be disseminated, she stresses that it should still be up to individuals what they share. "The human condition requires connection: We are social animals who seek contact with each other," she writes. "We also seek privacy: moments of solitude, intimacy, quiet, reserve and control--personal control."
Full Story

DATA THEFT—SWITZERLAND

Data Theft Involves 24,000 Swiss Bank Clients (March 12, 2010)

A security breach at a private bank in Switzerland is much more serious than was first believed, with personal information on about 24,000 clients compromised during the theft in 2006, the Financial Times reports. HSBC has confirmed that the theft, which was uncovered last year, affects 15 percent of the bank's total private client base, the report states. The data was stolen by a former IT specialist who then provided it to French tax officials. Although the authorities had used the stolen data to launch a crackdown on tax evaders, the report states that they have since returned those files to the Swiss federal prosecutor, which is leading a criminal investigation.
Full Story

PRIVACY LAW—U.S.

Maine Committee Votes to Repeal Marketing Law (March 12, 2010)

A Maine legislative committee voted Thursday to repeal the state's Act to Prevent Predatory Marketing Practices Against Minors, citing challenges that the law is unconstitutional, MediaPost News reports. A proposal for a narrower measure to ban only the collection of data for the purpose of marketing prescriptions was also withdrawn due to constitutional concerns. The 2009 law prohibits companies from gathering personal information from anyone under the age of 18 without parental consent and bans the sale or transfer of health information that identifies minors. NetChoice, a coalition of Web companies, is praising the decision, with the coalition's legal counsel contending that legislation restricting marketing to minors "could cause grief for the state--legally and financially." The full Maine legislature is expected to vote on the repeal within a few weeks, the report states.
Full Story

PERSONAL PRIVACY—U.S.

Groups Urge PUC to Protect Smart Meter Data (March 12, 2010)

As smart meters are deployed in California, advocates are urging the state's Public Utilities Commission (PUC) to adopt rules and regulations to protect the privacy of consumers' energy data. Smart meters will record household electricity consumption down to the appliance level. In a joint filing, the Center for Democracy and Technology and the Electronic Frontier Foundation (EFF) urged the PUC to adopt "comprehensive privacy standards for the collection, retention, use and disclosure" of the data, infoZine reports. The recommendations call for transparency on how data is used and restrictions on data disclosure. "We must have meaningful rules to protect this extremely sensitive information," says EFF lawyer Lee Tien.
Full Story

HEALTHCARE PRIVACY—U.S.

HIT Workgroup Discusses Privacy Concerns (March 12, 2010)

The Health IT Policy Committee's Strategic Planning Workgroup is debating how to balance privacy concerns with improved healthcare, InformationWeek reports. Patricia Brennan of the University of Wisconsin described the group's work so far as "very restrictive" in terms of data exchange. Don Detmer, retired president and CEO of the American Medical Informatics Association, said the workgroup "should not force privacy to be more important than health." Dr. Steve Stack of the American Medical Association Board of Trustees, however, said a presentation by Dan Ariely gave him the perspective that for the initiative to work, "preserving our rights, liberties and freedoms is essential." Ariely will be a keynote speaker at the IAPP Global Privacy Summit in April.
Full Story

HEALTHCARE PRIVACY—U.S.

Five Hospital Employees Reinstated (March 12, 2010)

Five of the 16 hospital employees fired last fall for violating patient privacy have been reinstated, reports the Houston Chronicle. Harris County Hospital District CEO David Lopez said that "extenuating circumstances" led to the reinstatement. The employees were fired for the inappropriate viewing of the medical records of a first-year resident at Ben Taub General Hospital who was being treated at the facility. Lopez said that although the reinstated five technically violated the Health Insurance Portability and Accountability Act by looking at the patient's data, "they may have been inadvertent as opposed to intentional, so that's a little bit different ball game."  
Full Story

PERSONAL PRIVACY

Mobile Phone for Employers? (March 12, 2010)

A Japanese company has created a mobile phone capable of tracking its users' physical movements, BBC News reports. KDDI Corporation has developed phone technology capable of deciphering precise movements such as scrubbing, sweeping and walking, for example. KDDI plans to sell the phone to managers, foremen and employment agencies, the report states. Some say it introduces an increased opportunity for abuse. "...There will surely be negative consequences when applied to employee tracking or salesforce optimization," said the director of the International University of Japan's mobile consumer lab.  
Full Story

PERSONAL PRIVACY

Billboards That Read You (March 12, 2010)

The Telegraph reports on a new facial recognition technology being developed by Japanese electronics company NEC. Similar to that seen in futuristic films, the digital billboard technology comprises small cameras and flat-panel monitors that analyze the age and gender of individuals that pass by in order to tailor advertisements. The longer a person lingers, the more accurate the data. NEC's vice president of strategic alliances acknowledges that privacy concerns exist but assures, "NEC's Ad Measurement technology was developed to be totally anonymous." Currently being tested in Japan, the billboards are slated to be trialed in the U.S. later this year.
Full Story

ONLINE PRIVACY—U.S.

Ratté Discusses FTC’s Cloud Computing Inquiry (March 12, 2010)

Federal News Radio talks to Federal Trade Commission (FTC) attorney Kathryn Ratté about the commission's examination of cloud computing. Ratté says that although cloud computing has been around for a while, more businesses are storing consumers' information on the cloud, which is "increasing the amount of consumer data that may be out there." The FTC wants to know "how widespread the practice is and whether there's anything quantitatively new here." The commission is still in the exploratory phase, according to Ratté. She says it's too soon to know the outcome of the inquiry.  
Full Story

BIOMETRICS

School District Mulls Facial Recognition on Buses (March 12, 2010)

A Seekonk, Massachusetts company wants to pilot its GPS and facial recognition technology on the district's school buses, reports EastBayRI.com. School committee members are reportedly weighing a proposal from Volpe Industries Inc. (VPI), which is developing a system that combines monitoring and biometric technologies, the report states. "The concept is to mount two small cameras, a mini computer and GPS tracking in each bus," VPI's president wrote in a proposal to district officials. He says the system could give school administrators real-time bus location information as well as a glimpse of the interiors of all buses on which the technology is deployed.
Full Story

PERSONAL PRIVACY—U.S.

Loyalty Card Data Used to Find Salmonella Source (March 11, 2010)

Customer loyalty card data helps supermarkets and other retailers promote products. Recently such data was used for a different gain. The U.S. Centers for Disease Control and Prevention (CDC) recently used the information to successfully pinpoint the source of a salmonella outbreak, reports the Associated Press. It is the first time the CDC has used loyalty card data to aid an investigation. The centers sought patient permission before mining the data. "It was a break in the investigation for sure," said CDC epidemiologist Casey Barton Behravesh. Some have expressed concern, however, that the breakthrough could lead to mandatory involvement in customer loyalty programs.  
Full Story

HEALTHCARE PRIVACY—CANADA

Commissioner Issues Warning on Health Storage Services (March 11, 2010)

Saskatchewan's Information and Privacy Commissioner is warning physicians and citizens about health record storage services being offered by an Ontario company, the Winnipeg Free Press reports. Commissioner Gary Dickson says that although DOCUdavit Services Inc. claims to provide safe and secure storage for medical information, the company does not appear to follow provincial health privacy laws. Dickson has shared his concerns with Saskatchewan Health and the Saskatchewan Medical Association, among others.
Full Story

PRIVACY LAW—U.S.

Judge Dismisses Security Breach Lawsuit (March 11, 2010)

A federal judge has dismissed a class action suit against Aetna Inc. after finding that a security breach resulted in "a mere possibility of an increased risk of identity theft" and not a "credible threat of identity theft," Law.com reports. "At best, plaintiff has alleged a mere possibility of an increased risk of identity theft, which is insufficient for purposes of standing, and he certainly has not asserted a credible threat of identity theft," U.S. District Judge Legrome D. Davis wrote in his 14-page opinion. The case came after it was reported that personal data belonging to as many as 450,000 job applicants could have been compromised when the company's job application site was hacked in 2009.
Full Story

ONLINE PRIVACY—U.S.

EFF Questions Focus on “Sensitive” Data (March 11, 2010)

The Electronic Frontier Foundation (EFF) casts doubt on the sensibility of crafting different privacy rules for sensitive information, reports MediaPost. In an FTC filing, the EFF says it sees "considerable problems with attempting to regulate sensitive information more tightly than other consumer data in the general online environment..." The comments were in response to questions the commission posed to help shape the conversation at its privacy roundtable next week in Washington, DC. The EFF authors suggest "The online consumer privacy problem is sufficiently grave that the focus should be on consumer data in general."
Full Story

GEO PRIVACY

Location-Based Services Raise Privacy Concerns (March 11, 2010)

A proliferation of services that let social networkers share their locations has some concerned about the privacy ramifications. Facebook and Twitter will soon offer location-based features, and dozens of similar services already exist, the Wall Street Journal reports. "There are a lot of concerns about the government being able to subpoena this information," says Carnegie Mellon University researcher Lorrie Cranor, citing other potential and possibly unwelcome uses of such information. Cranor was involved in a recent Carnegie Mellon study of 80 location services that found the majority either don't have a privacy policy or collect and save all data for an indefinite amount of time, according to the WSJ report. (Registration may be required to access story.)
Full Story

DATA LOSS—U.S.

Data on 35,000 Guardsmen Exposed (March 11, 2010)

Members of the Arkansas National Guard are learning this week that their personal information may have been exposed. ESecurity Planet reports that 35,000 guardsmen are impacted by the breach, which involves a misplaced external hard drive at Camp Joseph T. Robinson base in North Little Rock. The unencrypted drive contains information--including names and Social Security numbers--on guard personnel dating back to 1991, the report states. "This inappropriate handling of our soldiers' personal information is an isolated incident, which is now under investigation to help ensure steps are taken to help prevent such an incident from occurring in the future," the National Guard said in a statement.
Full Story

ONLINE PRIVACY

Want Online Privacy? Be Ready to Fight for It (March 11, 2010)

Security expert Bruce Schneier believes that when it comes to the future of online privacy, the public needs to fight for better laws protecting personal information. NetworkWorld reports on Schneier's contention that the longer privacy policies are left up in the air, the more likely it will become that they never will be set. A key issue is balancing control over data to maximize individuals' liberty, the report states, pointing out that because digital information is easier and less expensive to store than to delete, it effectively never dies. "If you give an individual privacy, he gets more power," Schneier says, "...We can accept the new balance or set the balance."
Full Story

PRIVACY LAW—U.S.

Supreme Court to Hear Another Info Privacy Case (March 10, 2010)

The U.S. Supreme Court (USSC) has agreed to hear another case related to information privacy. Wired reports on the justices' decision to review a lower court's ruling on background checks of prospective federal employees. The Ninth Circuit Court of Appeals ruled last year that pre-employment background checks on nearly three dozen National Aeronautics and Space Administration contractors were invasive and unconstitutional. The USSC will likely hear the case this fall, the report states. The justices will review another Ninth Circuit decision next month. The oral argument in City of Ontario v. Quon is set for April 19. The decision is expected to impact employee-monitoring policies.  
Full Story

PRIVACY LAW—EU

MEPs Want More Time on Passenger Data Vote (March 10, 2010)

The European Parliament Civil Liberties Committee has asked that a vote on the sharing of passenger name records with the U.S. be postponed, reports ZDNet. The committee says that a "no" vote would hamper carriers, which are required to provide passenger name records (PNRs) under U.S. law. The European Court of Justice ruled in 2004 that a temporary agreement to share air passengers' names, itineraries, payment details and other information was illegal. Committee rapporteur Sophie In 't Veld said the EU needs "to systematically harmonise the set of principles [around PNR]," and that she would push for the PNR data provision to comply with EU data protection law, the report states.
Full Story

TRAVELERS’ PRIVACY

UN Expert Says Airport Scanners Violate Human Rights (March 10, 2010)

Is the use of full-body scanners in airport security a breach of individual rights? Yes, according to Martin Scheinin, the UN special rapporteur on the protection of human rights. The Montreal Gazette reports that Scheinin believes the scanners are not only an excessive intrusion into individual privacy but also ineffective in preventing terrorist attacks. "The use of a full-body scanner which reveals graphic details of the human body, including the most private parts of it, very easily is a violation of human rights," Scheinin says. He has told the UN Human Rights Council that different technology would better protect personal privacy, the report states.
Full Story

PRIVACY—U.S.

Senator Calls for Renewal of Oversight Board (March 10, 2010)

Senator Patrick Leahy (D-VT) is the latest lawmaker to urge President Obama to reinstitute the Privacy and Civil Liberties Oversight Board, reports Gov Info Security. The board was created in 2004 on the recommendation of the 9/11 Commission, but has since languished. In a letter this week, Leahy wrote, "Having a fully functional Privacy and Civil Liberties Oversight Board is a key step in protecting the privacy and civil liberties of all Americans...the vital board has remained vacant for far too long." Two members of Congress sent a similar urging to the president last month.
Full Story

SOCIAL NETWORKING

What’s on Your Mind? Where Are You? (March 10, 2010)

The world's largest social networking site will soon make it easier for users to share their location data with friends, reports the New York Times. Facebook will launch a location feature next month. The feature, which has been in the works for about a year, will be made available to users on an opt-in basis, according to the company's privacy policy. The company will also release software tools for outside developers so they can offer their own location-based services to users of the site, the report states. (Registration may be required to access this story.)
Full Story

DATA LOSS—U.S.

VA Inspector General Investigating Incident (March 10, 2010)

The Veterans Affairs (VA) Department's inspector general has launched an investigation into a potential breach incident, reports NextGov. A physician's assistant at the VA's Atlanta medical center allegedly downloaded veterans' clinical data onto a personal laptop for research purposes, the report states. VA spokesperson Katie Roberts confirmed that an investigation is underway, saying that the VA is "trying to gather more details about the circumstances, including the number of veterans whose information was involved and the nature of the information affected." Roberts said, "The results of the investigation and analysis will help determine whether to send notifications...to the affected veterans."
Full Story

PERSONAL PRIVACY—U.S.

Copy Machines Pose Privacy Risks (March 10, 2010)

Boston's WBZ-TV reports on a privacy threat looming in homes and offices: copy machines. Security expert John Juntunen demonstrated how easily accessible a copy machine's stored data can be, connecting his laptop to a copier and downloading a child support document and one woman's IRA application containing her address, Social Security number and date of birth. Another hard drive produced contact information for Caroline Kennedy. Though companies are supposed to wipe used hard drives clean before selling a machine, that isn't always executed, the report states. "I think it's an issue that's going to have major ramifications," says security expert Sean O'Leary.
Full Story

IDENTITY THEFT—U.S.

FTC Announces $12 Million Settlement in LifeLock Case (March 9, 2010)

Federal Trade Commission Chairman Jon Leibowitz and Illinois Attorney General Lisa Madigan announced a settlement today that requires LifeLock, Inc., to pay a total of $12 million to settle charges that its claims of providing comprehensive identity theft protection were false. According to the FTC, LifeLock did offer some protection against specific types of ID theft, but the company's practice had no effect on the most common form: the misuse of existing credit card and bank accounts. "While LifeLock promised consumers complete protection against all types of identity theft, in truth, the protection it actually provided left enough holes that you could drive a truck through it," Leibowitz said.
Full Story

PRIVACY LAW—U.S.

HHS Works on HIPAA Privacy Rule Proposals (March 9, 2010)

The Department of Health and Human Services (HHS) is developing guidance and a notice of proposed rulemaking on the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, Thompson.com reports. The HHS Office for Civil Rights (OCR) held a two-day workshop recently to collect comments and recommendations on methods for de-identification of protected health information, mandated by Congress under last year's Health Information Technology for Economic and Clinical Health Act. Speaking at the workshop, Susan McAndrew, deputy director of health information privacy at the OCR, said that there would be a need for changes over time to keep up with technology. "The future is now and it only took 10 years," she said. The OCR will accept written comments on proposed changes through March 12.
Full Story

SOCIAL NETWORKING—U.S.

Classmates.com Sued Over Privacy Settings Change (March 9, 2010)

Two members of Classmates.com have filed suit in federal court alleging the social networking site violated their privacy by revising its default settings to make members' information more accessible on the Internet, MediaPost News reports. The complaint alleges that the changes, which were announced via e-mail in January, could expose members to identity theft, harassment and stalking. The violations of the federal Electronic Communications Privacy Act alleged in the suit may be difficult to prove, Seattle lawyer Venkat Balasubramani says, as the act only applies to certain types of stored data. However, he says, "At a basic level, if you're going to change your privacy practices, the change has to be clear."
Full Story

HEALTHCARE PRIVACY—U.S. & EU

Proposed Info Sharing Agreement in Focus (March 9, 2010)

U.S. Department of Health and Human Services Secretary Kathleen Sebelius and her Spanish counterpart, Minister of Health and Social Policy Trinidad Jimenez, met to discuss a proposed digital healthcare data sharing program last week, reports ZDNet. "The aim is to create a scenario for clinical information exchange and technical interoperability..." said the EU presidency in a statement. The European Data Protection Supervisor's office (EDPS) has "taken note of the initiative," the report states. "This legal framework [for information exchange] will require special safeguards for the protection of sensitive personal data and...under the Lisbon Treaty, be subject to approval by the European Parliament," the EDPS said.
Full Story

ONLINE PRIVACY—U.S.

Big BT Focus Next Week (March 9, 2010)

BtoB reports on two upcoming events that could impact the behavioral advertising industry. Next Monday, several advertisers will begin using an icon designed to better inform Web users about targeted advertisements. "Self-regulation is key here," said Mike Zaneis of the Interactive Advertising Bureau, whose members are among those who will begin using the new icon. Also next week, the Federal Trade Commission will hold its third online privacy roundtable in Washington, DC. It will be the final roundtable in the commission's series dedicated to the issue. Participants will explore the collection of consumers' data for behavioral advertising purposes.
Full Story

PRIVACY LAW—U.S.

Boucher Discusses Bill (March 9, 2010)

Rep. Rick Boucher (D-VA) discusses the year ahead with The Hill's Kim Hart. Boucher says the House Energy and Commerce Subcommittee on Communications, Technology and the Internet will see a bill later this year that would require companies to notify Internet users about what information is collected about them, and would allow them to opt out of having that information collected and used. "By bestowing that set of rights, I think we instill a confidence in Internet users that their Web experience is more secure," and will encourage increased Internet use, Boucher said. "Our goal is to enhance electronic commerce, and not in any way to retard it."
Full Story

HEALTHCARE PRIVACY—U.S.

HHS: Certain Photos Will Not Bring HIPAA Violations (March 9, 2010)

In the wake of a recent case where several hospital employees were disciplined for sharing cell phone photographs of a shark attack victim, medical professionals are questioning whether patient photos by friends and family could trigger HIPAA violations, HealthLeaders Media reports. One issue the report raises is whether visitors with camera phones in emergency rooms or hospitals are putting those facilities at risk. The report points out that while healthcare plans and providers are responsible for their employees' actions, the Department of Health and Human Services' Office of Civil Rights states that in general under HIPAA, they "would not be responsible for the actions by a patient's friends or family."
Full Story

TRAVELERS’ PRIVACY—U.S.

Complaints Filed about Body Scanners (March 9, 2010)

More than two dozen complaints were filed by travelers subjected to whole body scans at U.S. airports within the last year, according to documents obtained by the Electronic Privacy Information Center (EPIC). The complaints included travelers' objections to not being informed of the scanning process or of alternatives to the scans. Travelers also complained about a lack of signage, Bloomberg reports. An EPIC spokesman says the complaints refute the Transportation Security Administration's (TSA) claims that travelers "will be made aware of what these machines are and of the alternatives that are available." The TSA plans to install nearly 900 body scanners at U.S. airports by 2014.
Full Story

PRIVACY LAW—U.S.

Buzz Faces New Lawsuit as FTC Shows Interest in Prior Complaint (March 9, 2010)

Google is facing a new lawsuit over its Buzz social networking service, InformationWeek reports. The complaint, filed last week in Rhode Island, alleges "Google intentionally exceeded its authorization to access and control confidential and private information," violating the Stored Communications Act and Electronic Communications Act. Meanwhile, the Federal Trade Commission (FTC) has expressed interest in a recent Electronic Privacy Information Center (EPIC) complaint about Google Buzz. The complaint raises issues "that relate to consumer expectations about the collection and use of their data," FTC Bureau of Consumer Protection Director David Vladeck wrote in a letter to EPIC, noting, "it is critical that consumers understand how their data will be used and have the opportunity to exercise meaningful control over such uses."
Full Story

FTC: LifeLock Will Pay $12 Million in Settlement over False Identity Theft Prevention Claims (March 9, 2010)
In a press conference held Tuesday, March 9, Federal Trade Commission (FTC) Chairman Jon Leibowitz and Illinois Attorney General Lisa Madigan announced that LifeLock, Inc., has agreed to pay $11 million to the FTC and $1 million to a group of 35 state attorneys general to settle charges that the company’s claims of providing 100-percent protection against identity theft were false.

DATA LOSS—CANADA

CIBC to Compensate Customers for Breach (March 8, 2010)

The Canadian Imperial Bank of Commerce will compensate customers whose personal information was mistakenly sent to businesses in the U.S. and Quebec, Bloomberg reports. A Toronto judge approved the deal last week, settling a class-action lawsuit filed by customers whose names, social insurance numbers, account numbers and balances, addresses and signatures were exposed in faxes the bank sent to a Maryland auto accessory manufacturer and a Quebec business. In his decision, Ontario Superior Court Judge George Strathy said that class members' claims are likely to be "fairly modest." CIBC will offer settlements to each individual affected and will pay $100,000 to the Public Interest Advocacy Centre, the report states.
Full Story

HEALTHCARE PRIVACY—CANADA

When Doctors Pass Away, What Happens to Patient Health Records? (March 8, 2010)

Saskatchewan Privacy Commissioner Gary Dickson believes more needs to be done to protect sensitive, personal health information left behind when doctors retire or pass away, the Canadian Press reports. At issue, he says, is the lack of appropriate arrangements to ensure such records are either turned over to another medical professional or secured in an appropriate archive. Currently, those records could end up anywhere from a spouse's basement to an empty office. Acknowledging that some believe electronic health records will be the best solution, Dickson points out that the move to digitization will take time, adding, "If we do a crummy job protecting the privacy of patients now with paper records, is that not going to impair trust when it comes to electronic records?"
Full Story

HEALTHCARE PRIVACY—UK

Privacy in Question with Health Database (March 8, 2010)

Privacy advocates, human rights activists and doctors are voicing concerns about patients' privacy rights in the creation of individual summary care records (SCR), reports The Guardian. SCRs are intended to ease information sharing among healthcare providers and potentially improve patient care; the NHS has created 1.24 million so far and plans to create SCRs for more than 50 million people overall. Concerns abound regarding the security of the records and NHS's "implied consent" method for gaining patient permission to create the SCRs, a method one advocate describes as "inaccessible and virtually meaningless." A Cambridge University security expert worries about accessibility. "You just can't keep a secret if 300,000 people have access to it."
Full Story

HEALTHCARE PRIVACY—CANADA

BC Health Authority Again Criticized for Privacy Lapse (March 8, 2010)

Privacy Commissioner Paul Fraser believes Vancouver Coastal Health Authority did not consider privacy concerns when it launched a database of personal health information that was accessible to about 4,000 users, including nonprofit agencies and other public entities, CBC News reports. Fraser's report supports the findings of BC's auditor general regarding the health authority's handling of its Primary Access Regional Information System (PARIS) database, which contains such information as patient finances, social insurance numbers and diagnoses. Fraser stressed that other health authorities need to "learn from the mistakes identified in this investigation by ensuring that privacy is not added on at the end, but baked into the entire functional design."
Full Story

DATA LOSS—U.S.

Hotel Reports Potential Breach (March 8, 2010)

The Westin Bonaventure Hotel and Suites in Los Angeles is offering free credit monitoring services for customers whose payment card information may have been exposed. A letter on the Westin's Web site alerts customers that hackers may have accessed the point-of-sale systems for the hotel's four restaurants and its valet parking operation. Hotel officials contacted law enforcement after discovering that customer payment card information--including names, card numbers and expiration dates--may have been exposed between April and December, Computerworld reports. Concerned guests are "encouraged to review their statements from that time period," hotel officials said. They are also encouraged to place a fraud alert on their credit files.
Full Story

PRIVACY LAW—AUSTRALIA

Bill Would Allow Greater Government Access to Tax Data (March 8, 2010)

New legislation would allow government agencies, including police and prosecutors, access to Australians' tax returns to "prevent or lessen" a serious threat to public health or safety. Under the Tax Laws Amendment Bill, the Australian Taxation Office would also be allowed to distribute tax information to the Fair Work Ombudsman and state and territory workers' compensation boards. Current secrecy laws allow police access to tax information for investigation of serious offences, but do not generally allow the information to be used in court, The Australian reports. "Taxpayer information has proved to be a valuable source of intelligence information for the investigation of activities such as money laundering and social security fraud," states the legislation's explanatory memorandum. The bill has been referred to the Senate economics committee for review.
Full Story

BEHAVIORAL TARGETING

Self-Service Ads: Serving Some Better than Others? (March 5, 2010)

The New York Times reports on reactions to Facebook's self-service ad system, which lets advertisers target promotions to users based on information they post to their profiles. Major advertisers have begun using the program, which was previously the domain of small businesses. "When it works, it's amazingly impactful," says Chicago consultant Tim Hanlon. When it doesn't work, "it's not only creepy but off-putting," Hanlon adds. Facebook members report that some targeted ads seem presumptuous and nonsensical. "What a marketer might think is endearing, by knowing a little bit about you, actually crosses the line pretty easily," Hanlon says. A Facebook spokesperson says the platform has come a long way in the past year and will continue to improve. (Registration may be required to access this story.)
Full Story

DATA PROTECTION—UK

Making the Business Case for Data Protection (March 5, 2010)

The Information Commissioner's Office (ICO) wants businesses to put a value on personal information and invest in systems to protect it, reports eWeek. The ICO released a report this week to help organizations make a business case for data protection. The Privacy Dividend report includes tools and calculation sheets to help companies assess the value of the information they hold. "No organisation can neglect to protect people's privacy," said Information Commissioner Christopher Graham. "This report provides organisations with the tools to produce a financial business case for data protection, ensuring privacy protection is hardwired into organisational culture and governance."
Full Story

BEHAVIORAL TARGETING—U.S.

Confirmations in Line with FTC’s Privacy Focus (March 5, 2010)

The Senate this week confirmed two new Federal Trade commissioners, and one is known for her support of privacy laws, reports MediaPost. Edith Ramirez and Julie Brill received the nod of approval on Wednesday. During her tenure with the Vermont Attorney General's Office, Brill received an award from Privacy International for her efforts to require state banks to obtain consumers' written opt-in consent before sharing information with third parties, the report states. The confirmations come at a time when the commission has expressed a growing interest in online privacy issues and a growing impatience with online advertisers' self-regulatory efforts. In a statement, Vermont Senator Patrick Leahy lauded the confirmation, saying "I am especially encouraged by [Brill's] expertise on antitrust and privacy issues."
Full Story

ONLINE PRIVACY—U.S.

Talks of Expanding Federal Internet Monitoring Raise Concerns (March 5, 2010)

Department of Homeland Security discussions about extending use of its Einstein technology for detecting and preventing electronic attacks on federal networks into the private sector are raising privacy concerns, CNET reports. While few details are known about Einstein, the report states that the White House has confirmed the technology shares information with the National Security Agency to thwart attacks. "It's one thing for the government to monitor its own systems for malicious code and intrusions," says Greg Nojeim of the Center for Democracy and Technology. "It's quite another for the government to monitor private networks for those intrusions." Greg Schaffer, assistant secretary for cybersecurity and communications, suggests, however, that it can be done in a privacy-sensitive manner.
Full Story

TRAVELERS’ PRIVACY—CANADA & U.S.

Baird Wants Review of Secure Flight (March 5, 2010)

The U.S. Secure Flight program is set to take effect in December, and Canada's Federal Transport Minister wants the Office of the Federal Privacy Commissioner (OPC) involved, reports the Ottawa Citizen. Secure Flight will require Canadian airlines flying through U.S. airspace to provide the American government with personal information on all passengers, the report states. Passengers who raise suspicions can be prevented from boarding. Transport Minister John Baird said he will consult with the OPC. "There has to be consent for the information to be shared," Baird said yesterday. In January, Canada's major airlines said that sharing passenger data with the U.S. would force carriers to breach the Personal Information Protection and Electronic Documents Act.  
Full Story

SOCIAL NETWORKING—U.S.

Professor on Leave for Facebook Posts (March 5, 2010)

A college professor has been placed on administrative leave for statements she posted to her Facebook profile, reports USA Today. The East Stroudsburg University sociology professor expressed surprise that a student could see her status updates, in which she mused about wanting to kill students. A change in Facebook's privacy settings in December nulled the privacy preferences she had set so that only certain people could see her posts. "I don't invite students into that part of my life," Professor Gloria Gadsden said. Although East Stroudsburg does not have a social media policy, some universities have begun enacting such policies, the report states. "Privacy does not exist in the world of social media," states Ball State's policy.
Full Story

DATA LOSS—UK

Lawyers Allege Breach of DPA (March 5, 2010)

Lawyers for the former leader of the Glasgow City Council have asked the Information Commissioner's Office (ICO) to investigate an alleged breach of medical information, reports the Herald Scotland. They say that the council violated the Data Protection Act in reporting the councilor had a chemical dependency. The council denies that it released such information. "The council believes it has complied with the terms of the Data Protection Act and will deal with any complaint on that basis," said a spokesperson. The ICO confirmed that it had received a complaint and said, "We are looking into the complaint to establish the full facts."
Full Story

IDENTITY THEFT—U.S.

The High Costs of Medical ID Theft (March 5, 2010)

A new survey from the Ponemon Institute shows that nearly six percent of American adults have been victims of medical identity theft, with an average cost per victim of $20,160. The cost comes from the efforts victims face to sort out what happened with concerned parties such as doctors, hospitals, insurance companies and credit agencies, the San Francisco Chronicle reports. "The National Study on Medical Identity Theft" is based on findings from 156,000 people who agreed to discuss the general topic of identity theft, with 5.8 percent confirming they had been the targets of medical ID theft. Based on those statistics, the study estimates that 1.42 million adults in the U.S. may have experienced the theft of their medical identification information.
Full Story

BEHAVIORAL TARGETING

Neuromarketing: Can You Read My Mind? (March 5, 2010)

Neuromarketing, which uses advanced scientific tools such as the functional MRI in an effort to determine what consumers like and dislike, has some wondering if this product-testing science will literally allow marketers to read people's minds, Duke News reports. Dan Ariely of Duke University and Gregory S. Berns of Emory University analyze the science in "Neuromarketing: the hope and hype of neuroimaging in business," published in the journal Nature Reviews Neuroscience. In their article, Berns and Ariely, who will also be a keynote speaker at the IAPP Global Privacy Summit 2010 in April, explore such issues as the potential ethical considerations of neuromarketing.
Full Story

PRIVACY LAW—GERMANY

Court Decision Pleases Some, Rattles Others (March 4, 2010)

Germany's Federal Constitutional Court this week overturned a law requiring the retention of certain communications data and ordered the immediate destruction of stored e-mail, telephone and text message data. Police and security experts are reacting with "shock and alarm," while civil libertarians are celebrating, reports the Financial Times. Other EU states are reacting to the decision as well. The law required six-month retention of phone and e-mail data for use in counterterrorism efforts. It was unpopular with Germans; 35,000 had appealed for it to be overturned and Data Protection Commissioner Peter Schaar had also spoken out against it. The court said that such retention violated Germans' constitutional rights and failed to balance privacy rights against the need to provide security.
Full Story

DATA THEFT—U.S.

Communication with Law Enforcement is Key to Stopping Cybercrime (March 4, 2010)

When it comes to battling cybercriminals, the key is to share data breach information with law enforcement officials, SearchSecurity.com reports. "The only way we can fight this is to get good support," explained Kimberly Kiefer Peretti, senior counsel with the Department of Justice's Computer Crime Section. Experts speaking at the RSA conference point out that cybercriminals are becoming increasingly skilled at compromising valuable data. John Woods of Hunton & Williams LLP noted that giving information to law enforcement can not only help catch criminals, but has also helped to reduce his clients' exposure in the wake of data breaches. "If we do better information sharing," said David Burg of PricewaterhouseCoopers, "we can do a better job of understanding the threat."
Full Story

ONLINE PRIVACY

Security Fears Keeping Cloud Computing from Getting off the Ground (March 4, 2010)

When it comes to cloud computing, security and data protection are the key concerns for many organizations, says IBM Chief Privacy Officer Harriet Pearson, CIPP. Pearson, who is a member of the IAPP Board of Directors, is quoted in a recent CBR Security report as stating that in IBM's recent study of chief information officers and potential users of cloud computing "about 80 percent said that the top issue on their mind that would affect their willingness to use it was data security." Pearson and Charles Palmer, chief technologist of cybersecurity and privacy for IBM Research, stress the importance of forethought and planning when it comes to moving data to the cloud.  
Full Story

Gov’t to Open Privacy Commissioner Search Soon (March 4, 2010)

The government announced Thursday that it will soon conduct an open recruitment exercise for the next privacy commissioner. Current commissioner Roderick Woo this week announced that he will not seek another term when his comes to a close on July 31. "A selection board will consider the candidates and recommend the most suitable candidate to the chief executive," according to the government's statement. The selection board comprises academics, government officials and others. The Hong Kong privacy commissioner serves a five-year term.
Full Story

PRIVACY LAW—EU

Google May Not Renew Street View in Europe (March 3, 2010)

Google may not map the continent again if European Union data-protection regulators decide to cut the image storage time for the company's Street View service from one year to six months, BusinessWeek reports. "I think we would consider whether we want to drive through Europe again, because it would make the expense so draining," said Michael Jones, founder of Google Earth, noting the need for longer storage time due to software constraints. "I think that privacy is more important than technology but for privacy people it is only about privacy," Jones said, while, "for us it is also about technology. We have to be actually able to do what they want us to do. What we want is to have enough time."
Full Story

PRIVACY LAW—U.S.

Court Reviews Charitable Aspect of Proposed Facebook Settlement (March 3, 2010)

A proposed class-action settlement by Facebook that would see 70 percent of $9.5 million going to a privacy rights charity has rekindled criticisms about using charitable contributions to reach settlements in large cases, the Wall Street Journal reports. A San Francisco federal judge has heard an objection by consumer rights organization Public Citizen alleging that by helping to set up the charity, "In essence, Facebook is paying itself money to gain a broad release of its users' legal claims." Meanwhile, some legal experts are questioning whether judges should ever be the ones to choose which charities should benefit from such cases, the report states. However, in Facebook's case, Scott Kamber, the plaintiffs' counsel, said the charitable donation will provide more benefit to the 3.5 million class members than would a nominal settlement check. (Registration may be required to access this story.)
Full Story

DATA PROTECTION

Compliance Costly and No Guarantee, Study Finds (March 3, 2010)

A recent study found that more than half of qualified security assessors (QSA) say merchants are not proactively managing data privacy and security in their environments, NetworkWorld reports. The Ponemon Institute study surveyed 155 QSAs certified by the Payment Card Industry Data Security Standards (PCI DSS). Those surveyed also said that despite merchants' significant financial investments in compliance audits--on average costing $225,000 each year--two percent of merchants fail. "That's a large chunk of change to be doing each and every year," said the institute's founder, Larry Ponemon, CIPP, adding that sometimes the annual audit "leads to better security posture, but not always." The survey also found that more than half of merchants investing in audits feel PCI DSS is too costly.
Full Story

HEALTHCARE PRIVACY—U.S.

Proposed Rule Coming Soon (March 3, 2010)

A proposed rule regarding business associate (BA) provisions in the HITECH Act will be released soon, reports HealthLeaders Media. A lawyer at the Health and Human Services Office for Civil Rights conveyed that the rule will come "shortly" and will provide more details on the anticipated compliance date, the report states. HITECH required that BAs come into compliance with the HIPAA Security Rule and certain provisions of the privacy rule by February 17.
Full Story

GEO PRIVACY

Some Sites Share Users’ Location Data (March 3, 2010)

Some users of social media are now more tentative about posting personal location details after learning about some of the privacy implications. One user tells of his surprise after he logged on to social networking site Foursquare, which flagged his physical location online. That information made its way onto pleaserobme.com, a site that aggregates social media data to create a clearinghouse of who's home and who's not. The Globe and Mail reports on the dangers users face in posting their whereabouts to social networking sites. One expert suggests "the normalization of online over-sharing means most don't give a second thought to what they post since 'everyone else is doing it.'"  
Full Story

PRIVACY—HONG KONG

Privacy Commissioner Will Not Seek Another Term (March 3, 2010)

In the wake of his announcement that he will not seek another term, the Hong Kong Government is offering praise for the work of Privacy Commissioner Roderick Woo, 7thSpace.com reports. "During his tenure, Mr. Woo has made a very important contribution to the protection of personal data privacy in Hong Kong," a government spokesman said. The government praised Woo's efforts to strengthen the Personal Data Privacy Ordinance (PDPO). "We respect the decision of Mr. Woo for not seeking re-appointment," the spokesman said. "As for matters relating to the appointment of the next privacy commissioner, we will announce the details shortly." Woo's term will come to an end on July 31.
Full Story

BEHAVIORAL TARGETING—U.S.

CDD Says New Regulations Needed (March 2, 2010)

The Center for Digital Democracy is calling for new regulations on how pharmaceutical companies market their products, reports Tech Daily Dose. In a Food and Drug Administration filing, the group says the companies' use of behavioral targeting poses risks to consumers, the report states. The FDA is seeking comments through this week on "how to apply existing regulations to promotion in...newer media." In the filing, the CDD writes that "Few U.S. health consumers are aware that they are being identified, labeled, profiled and tracked on the Internet while they search for access information on specific conditions or concerns."
Full Story

PRIVACY LAW—GERMANY

Court Overturns Data Retention Law (March 2, 2010)

The Federal Constitutional Court today overturned a law requiring the retention of certain communications data, describing it as "...an especially grave intrusion," reports the Associated Press. The law required six-month retention of phone and e-mail data for use in counterterrorism efforts. It was unpopular with Germans; 35,000 had appealed for it to be overturned and Data Protection Commissioner Peter Schaar had also spoken out against it. In its decision, the court said that such retention violated Germans' constitutional rights and failed to balance privacy rights against the need to provide security, the report states.
Full Story

PRIVACY LAW—SOUTH AFRICA

Law Will Bring Big Implementation Costs (March 2, 2010)

The Protection of Personal Information Bill will require implementation expenditures in the billions, experts estimate. The bill, which aims to protect personal information held by public and private bodies, is making its way through the legislature, reports ITWeb. "The way a company interacts with its customers will need to change," once the bill is enacted, says Frank Rizzo, a managing partner at KPMG. Rizzo expects that certain companies will spend R200 million on implementation. KPMG's Ryan Ruthven points out that non-compliance could bring even greater costs. Companies will have a year to come into compliance once the bill is enacted.  
Full Story

PRIVACY LAW—U.S.

FTC to Appeal Red Flags Decision (March 2, 2010)

The Federal Trade Commission will appeal a December 2009 decision of the DC District Court related to the FTC Red Flags Rule. According to the Hunton & Williams Privacy and Information Security Law Blog, the commission filed a notice last week stating its intention to appeal the court's judgment in American Bar Association v. FTC. The court ruled in favor of the ABA's claim that the Red Flags Rule does not apply to attorneys or law firms.
Full Story

DATA THEFT—U.S.

Price to Fix Data Theft: $7 Million and Counting (March 2, 2010)

The theft of 57 unencrypted hard drives from BlueCross-BlueShield of Tennessee has given thieves access to personal data on upwards of 500,000 customers and is costing millions to fix, PCWorld reports. The drives contained recordings of more than one million customer support calls as well as 300,000 screen shots, which in some cases included names, birthdates and Social Security numbers. BlueCross is now auditing its security practices, the report states. The process of investigating the breach and notifying customers has cost more than $7 million so far. According to Michael Spinney of the Ponemon Institute, while the average data breach costs $6.75 million, the company could be paying much more due to the complexity of the breach.
Full Story

HEALTHCARE PRIVACY—AUSTRALIA

Public Given One Week to Respond to Health ID Bill (March 2, 2010)

A bill to assign unique ID numbers to all Australians was sent to the Senate Standing Committee on Community Affairs on February 26 for examination, giving members of the public wishing to offer comment until March 5 to do so, iTWire reports. According to the Rudd government, the 16-digit Individual Healthcare Identifiers that would be required under the bill are needed to identify patients and healthcare providers and "as a further step to ensure the privacy and security of an e-health system," the report states. The committee is expected to review such issues as privacy safeguards, including who will have access to the identifier numbers, and issue a report on March 15.
Full Story

PERSONAL PRIVACY—INDIA

Nilekani: Privacy Protections in Place for UID (March 2, 2010)

The Indian government has allocated Rs.19 billion for the Unique ID Number (UID) program scheduled to roll out in late 2010, and according to Nandan Nilekani, chairperson of the Unique Identification Authority, citizens' privacy concerns are being addressed, reports the Economic Times. According to the report, the program is aimed at establishing citizenship, addressing security and identity-related issues and preventing leakages in different government schemes. Some legal experts have expressed concerns about leaks and misuse of personal information inherent in a centralised database of this kind, but "We are making all efforts technically and legally to see privacy is protected," says Nilekani.
Full Story

IDENTITY THEFT—U.S.

Stealing IDs to Get Healthcare (March 2, 2010)

Medical identity theft--using stolen personal information to obtain healthcare services--is on the rise, with one Missouri hospital reporting four such cases in the past 45 days alone. NPR reports that in addition to privacy violations, serious health risks can occur when inaccurate information--such as blood types or drug allergies--is recorded in victims' medical records. Stephen Niemczak, a special agent with the U.S. Department of Health and Human Services Office of the Inspector General, says ID theft is "a large problem that affects most corners of our country." Pam Dixon, executive director of the World Privacy Forum, points out that there is currently no national standard for dealing with medical identity theft, advising patients to get copies of their medical records.
Full Story

PRIVACY LAW—U.S.

HITECH Deadline Passed, Many Non-Compliant (March 2, 2010)

Many covered entities missed a February 17 deadline to update their business associate contracts to comply with new privacy and security provisions in the HITECH Act. That's according to Mary Rita Hyland, vice president of government relations at the SSI Group Inc. Speaking at the HIMSS conference in Atlanta, Hyland said that with the government providing increasing resources for privacy and security enforcement, organizations should conduct HITECH-mandated audits and analyses before someone else audits for them, Health Data Management reports.
Full Story

ONLINE PRIVACY

Internet of Things More Reality than Fiction (March 2, 2010)

A new McKinsey consultancy report suggests that the "Internet of things" is closer than ever to becoming a reality, The Guardian reports. The system would see everyday objects like shoes and food become capable of communicating data about their position, status and location through GPS and RFID systems, the report states. "Pill-shaped micro-cameras already traverse the human digestive tract and send back thousands of images to pinpoint sources of illness," the authors write, describing the potential benefits of the Internet of things. But they acknowledge the downsides, as well, saying that companies working on such technological advances must consider privacy, security and data protection concerns.
Full Story

HEALTHCARE PRIVACY—U.S.

Hospital Employees Disciplined for Cell Phone Pictures (March 2, 2010)

Several employees at a Florida hospital have been disciplined after taking cell phone pictures of a shark attack victim who later died. Hospital officials at Martin Memorial Medical Center launched an investigation after learning that employees may have violated HIPAA laws, HealthLeaders Media reports. Officials are asking anyone with copies of the photos to destroy them. Disciplinary actions have included written warnings, suspensions and demotions, though nobody was fired. "Ultimately, we have determined that these inappropriate actions were taken by good people who exercised poor judgment," the hospital said in a statement. It has started a re-education and re-training program on patient privacy laws and cell phone usage for hospital employees, the report states.
Full Story

DATA THEFT—U.S.

Hotel Suffers Third Breach (March 2, 2010)

Wyndham Hotels and Resorts has notified the U.S. Secret Service and several state attorneys that hackers stole customer names and payment card information from its computer system, v3.co.uk reports. Wyndham has since notified credit card companies so that affected cardholders' accounts may be monitored. It also has hired a firm to investigate the breach and assist in data security improvements. "Importantly, we believe that it is unlikely that identity theft will occur because of the limited amount of information that was compromised. Birthdates, Social Security numbers, addresses or other personally identifying information were not...part of the compromise," a letter on Wyndham's Web site reads. This is the company's third data breach in one year.
Full Story

PRIVACY LAW—U.S.

Mass. Regs Effective Today (March 1, 2010)

After implementation delays and rule changes, new data protection regulations that are widely considered the most stringent in the nation take effect today. The Massachusetts data security regulations require institutions that hold personal data on Massachusetts citizens to encrypt that information and implement written data protection policies, reports the Boston Globe. While the state's undersecretary of consumer affairs and business regulation expressed confidence that most companies are ready to comply, the head of the Smaller Business Association of New England isn't convinced. "I think people are still anesthetized by [the law]," said Bob Baker. State agencies must also meet the new standards per an executive order signed by Massachusetts Governor Deval Patrick in 2008.
Full Story

ONLINE PRIVACY—U.S.

Giving Privacy a “Nudge” (March 1, 2010)

The march of technology has rendered inadequate the notice-and-choice model for protecting privacy on the Internet, reports the New York Times. But "rules and tools" could help fix it, according to the report. Rules--aka regulations--are a proceed-with-caution area, experts warn. Too many and the Internet economy could suffer. Enter tools. From "privacy nudges" to "visceral notices" to "less promiscuous" browsers, researchers across the U.S. are at work on those that could help enhance notice, choice and privacy. Lorrie Faith Cranor, a computer scientist at Carnegie Mellon and author of the IAPP's CIPP/IT textbook, says there are many ways we inadvertently give up privacy online. Her group is working on tools to help reverse that--software "nudges" that prompt users to recognize actions that have privacy implications. (Registration may be required to access this story.)
Full Story

BEHAVIOURAL TARGETING—UK

BT Facing Criminal Probe (March 1, 2010)

British Internet service provider BT is facing a criminal investigation for allegedly selling consumer data to a behavioural targeting company, MediaPost News reports. Britain's Crown Prosecution Service is said to be probing allegations that BT sold consumers' Web activity data to Phorm, which uses such data to serve relevant ads to users. "The Crown Prosecution Service is working hard to review the evidence in this legally and factually complex matter," a spokeswoman said. "We have requested and received technical and expert evidence...which is being very carefully considered." BT has taken heat from the European Commission for its secret trials of Phorm's platform in 2006.
Full Story

BEHAVIORAL TARGETING

Company to Target Ads Based on IP Addresses (March 1, 2010)

In a move that promises to push the debate on whether IP addresses should be considered personally identifiable information, a behavioral targeting company says it will soon launch an ad platform that is based on users' IP addresses. MediaPost reports that ClearSight Interactive has acquired 100 million IP addresses--along with postal and e-mail addresses--from publishers. The company says it has enough data to reliably link 65 million IP addresses to specific individuals, and it intends to begin serving ads to visitors based on their neighborhoods within four to six weeks, according to the report.
Full Story

PRIVACY LAW—FRANCE

Court: IP Address Not Enough to ID User (March 1, 2010)

EDRI-gram reports on the Paris Appeal Court's recent ruling that an IP address does not allow the identification of an Internet user and, therefore, can be collected without the prior authorization of the French data protection authority, the CNIL. The decision backs the Cassation Court's decision of January 13, 2009, which classified the IP address as "nominal data." The Appeal Court said the IP address "cannot be considered personal data because it does not identify the user," the report states. A techdirt commentary on the ruling says that while some will not like it, it's good that "courts recognize that an IP address does not identify a user, even if it means that IP addresses aren't considered private info."
Full Story

ONLINE PRIVACY—EU & U.S.

Cultures Collide on Privacy (March 1, 2010)

The New York Times explores the fundamental differences between American and European attitudes toward privacy--a topic that has become front of mind for many in the days following last week's conviction of three Google executives in an Italian court. "Americans to this day don't fully appreciate how Europeans regard privacy," says Jane Kirtley of the University of Minnesota. The European framework, describes Google lawyer Nicole Wong, sees privacy as a human-dignity right. "As enforced in the U.S., it's a consumer-protection right," Wong adds. Indiana University Professor Fred Cate explains how the origins of Europe's privacy protectiveness--the response to totalitarian regimes' myriad privacy-intrusive methods for maintaining power--differentiate it from America's, where free speech often trumps privacy. Meanwhile, a University of Michigan professor offers an alternate, less privacy-centric theory on why the Italian court was keen to convict the Google executives. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—NEW ZEALAND

Commission Recommends Law to Prohibit Tracking (March 1, 2010)

In its latest report in a series on privacy issues, the Law Commission recommends a new law that would prohibit certain types of tracking, reports the New Zealand Herald. "Surveillance is not well regulated by current law," says Law Commissioner Sir Geoffrey Palmer, SC. "Technology is developing rapidly and continually creating new ways of invading our privacy." The commission says that the installation of tracking devices on cell phones or vehicles and the use of visual surveillance devices without consent should be outlawed via a Surveillance Devices Act. "It is important to put boundaries in place to control [technology's] harmful use before it is too late," the commission says in its report.
Full Story

PERSONAL PRIVACY—CANADA

Police: Vehicle Signs Do Not Breach Privacy Laws (March 1, 2010)

Niagara Regional Police believe vehicle-mounted signs announcing drug searches are substantially different from those placed in front of homes by another department and found in breach of privacy laws last year, The Standard reports. The Office of the Information and Privacy Commissioner of Ontario determined in October that signs posted by Cornwall police in front of properties violated privacy laws by divulging addresses where police had executed search warrants. Niagara police, meanwhile, recently began posting signs on a van used during marijuana investigations. "It's not meant in any way to comment on the residents of the home," said Deputy Chief Joe Matthews, "just to provide the public with an understanding of what the police activity is."
Full Story

ONLINE PRIVACY

Dealing with the Data Deluge (March 1, 2010)

It is expected that in 2010, mankind will create 150 exabytes (billion gigabytes) of data. The Economist reports on the "data deluge," which "has great potential for good," as long as mankind makes the right choices about when to restrict versus encourage its flow. The article highlights which industries are best at gathering and making use of data ("plucking the diamond from the waste"), and discusses the risks, such as missing disks, lost laptops and unexpected changes to social networking sites' privacy policies. "The best way to deal with these drawbacks of the data deluge is," the report states, "paradoxically, to make more data available in the right way..."
Full Story

SURVEILLANCE—U.S.

Who Holds the Key to the Cache of Car Data? (March 1, 2010)

Consumer advocates are warning that controls are needed to protect motorists' data recorded by commercial outfits, reports the New York Times. "It's a huge Pandora's box," says Jack Gillis of the Consumer Federation of America, citing the potential for "tremendous violations." Database and auto-repossession companies are among those who use automatic license plate recognition technology in their daily operations. Advocates say this raises questions, including: How long are the photos stored? How secure is the data? Is the data shared? Marc Rotenberg of the Electronic Privacy Information Center offers a scenario of misuse, noting that while many companies say their data is encrypted, "you have to ask, 'who has the key?'" (Registration may be required to access this story.)
Full Story