Privacy News | Daily Dashboard

Top Privacy News

PRIVACY LAW—MEXICO

Mexico Passes Data Protection Act (April 30, 2010)

Mexico's Senate on Tuesday unanimously approved the Federal Data Protection Act. The law establishes the rights and principles of data protection in the private sector. The act is nine years in the making, according to Lina Ornelas of Mexico's Federal Institute of Access to Public Information, the organization that will oversee the protection of private individuals' personal information under the new law. The act "protects third-generation rights and takes into account the development of the internationally recognized principles of data protection," Ornelas says. Furthermore, she says, it incorporates elements from the OECD and APEC privacy frameworks.
Full Story

PRIVACY LAW—U.S.

Rockefeller: Congress Should Take “Hard Look” at COPPA (April 30, 2010)

During a subcommittee hearing yesterday, the Senate Commerce Chairman added his voice to those weighing in on whether the Children's Online Privacy Protection Act (COPPA) should be reformed, Tech Daily Dose reports. Noting that "the whole world has changed" since COPPA passed in 1998, Sen. John (Jay) Rockefeller (D-WV) said, "I really think Congress has to take a hard look at whether COPPA should be updated if the FTC is not going to do it." In its requisite five-year review of its COPPA rule, the Federal Trade Commission is currently considering whether COPPA reforms are necessary.
Full Story

DATA PROTECTION—U.S.

Markey Calls for FTC Investigation (April 30, 2010)

Adding one more to the mounting pile of privacy-related investigation requests the Federal Trade Commission has received in recent days, U.S. Rep. Edward Markey (D-MA) yesterday requested the commission look into the retention of documents on the hard drives of digital copy machines, The Washington Post reports. The request comes on the heels of a CBS News investigation revealing that sensitive data is readily accessible on many used copy machines intended for resale. "I am very concerned that these copy machines can be a treasure trove for identity thieves, allowing criminals to easily access highly sensitive personal information," Markey said in a press release. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—SOUTH AFRICA

Data Protection Bill Delayed (April 30, 2010)

ITWeb reports on the progress of South Africa's Protection of Personal Information Bill. "We are at the end stages of the bill, but there's still a lot of work to be done," said Ananda Louw, principal state law advisor for the high court of South Africa. A technical subcommittee has been elected to work through the bill and review public comments, the report states, but Louw doesn't expect major changes at this point. The bill was submitted to Parliament in October and was expected to be enacted in May; however, the Parliamentary Portfolio Committee is now not expected to enact the bill before this summer's FIFA World Cup.
Full Story

PRIVACY LAW—CANADA

Alberta’s Breach Notification Requirement Begins Tomorrow (April 30, 2010)

Starting tomorrow when Alberta's Personal Information Protection Amendment Act takes effect, organizations covered by PIPA will have to notify the privacy commissioner when they experience a loss of personal information. Debbie Dresen of Davis LLP notes that "businesses that are not government bodies or public bodies will be subject to the new breach notification requirements." The legislation requires breaches to be reported where it has been determined that "a real risk of significant harm" is present. The commissioner may then require additional notifications. "It will be interesting to see how organizations view and respond to the new requirements," Dresen writes. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Vermont Senate Passes Amendment Barring Employee Monitoring Software (April 30, 2010)

The topic of employee privacy is commanding attention from the Supreme Court to the Green Mountains. The State of Vermont has embarked on an initiative to deter state employees from inappropriate Web surfing on state equipment, outfitting state agencies with software to monitor employees' Web usage, the Associated Press reports. The effort prompted a state senator to introduce a budget bill amendment that would bar agency managers from using such software, the report states. The bill passed the Senate unanimously in a voice vote and now moves to the House. However, experts say that such monitoring is common and "the key thing is that employees have informed consent."
Full Story

DATA LOSS—U.S.

Psychiatric Hospital Notifies 25,000 about Breach (April 30, 2010)

A psychiatric hospital in Kentucky is urging 24,600 affected patients to place fraud alerts on their credit reports after a flash drive containing their personal information went missing, The Courier Journal reports. The drive contained patient names, admission and discharge dates and dates of birth. Our Lady of Peace officials notified the hospital's privacy officer when the drive went missing around March 31. "We have taken this breach very seriously...Patient confidentiality is sacred to us and our patients," an official said in a statement. Meanwhile, St. Jude Heritage Healthcare has notified 22,000 patients about a breach after discovering that five hospital computers were stolen.
Full Story

PRIVACY LAW—EU

Hustinx Calls for Ambitious Approach to Framework (April 30, 2010)

Speaking at the European Privacy and Data Protection Commissioners' Conference in Prague yesterday, European Data Protection Supervisor Peter Hustinx called on the European Commission to be proactive on the legal framework for data protection. He said key elements of an effective framework would include integration of privacy by design into communications technologies, increased accountability for data controllers and stronger enforcement powers for data protection authorities. "It is essential that the commission comes up with proposals that take into account what is really needed and does not settle for less ambitious results," Hustinx said.
Full Story

Mexico Passes Federal Data Protection Act (April 30, 2010)

After nine years of intense efforts and constant lobbying, the Federal Data Protection Act has finally been approved in Mexico. On Tuesday, the Senate unanimously approved the Federal Data Protection Act, fulfilling the duty of the Mexican Constitution and international standards on the matter.

ONLINE PRIVACY—U.S.

Facebook: Participation in FTC Privacy Guidelines Should Be Voluntary (April 29, 2010)

In the wake of calls for the Federal Trade Commission (FTC) to create new online privacy rules and the FTC's announcement that it is developing guidelines on Internet privacy, the world's largest social networking service has indicated support for a framework based on voluntary participation, The Washington Post reports. "We are in an environment where innovation is constant," said Facebook Vice President of Communications Elliot Schrage of the company's support for privacy guidelines with a voluntary structure, "and we think it's a bad idea to have a framework that retards innovation." Privacy advocates, meanwhile, are pushing for stronger FTC guidelines for how such sites handle customer data and share personal information with third-party advertisers. (Registration may be required to access this story.)
Full Story

TRAVELERS’ PRIVACY—EU & U.S.

EU Air Travel Privacy and Other Concerns Persist (April 29, 2010)

The New York Times reports that while airline passenger records may be the most prominent, other privacy issues--ranging from Internet mapping services to U.S. access to banking records to data breaches--have also "accentuated concerns among Europeans that governments and companies cannot be trusted to keep potentially sensitive information under lock and key." Meanwhile, some Americans want the U.S. to follow the EU's lead on privacy. "In many respects today, the United States has fallen behind Europe in its ability to develop appropriate safeguards for the use of technology," said Marc Rotenberg of the Electronic Privacy Information Center. "If the Europeans are successful in establishing a standard, there will be benefits to American citizens as well." (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

Google Opens up on Wi-Fi Data Collection (April 29, 2010)

Google is opening up about the data its Street View cars collect, reports The Wall Street Journal. A fresh wave of scrutiny surfaced last week after Germany's data protection commissioner learned that the camera-clad cars capturing photos for Google maps are also collecting Wi-Fi data. In a blog post on Tuesday, Google's global privacy counsel, Peter Fleischer, explained that the cars gather photos, Wi-Fi network information and 3-D building imagery. He said that other companies, including German companies, also collect the Wi-Fi data. Fleischer said "it's clear with hindsight that greater transparency would have been better." (Registration may be required to access this story.)
Full Story

DATA LOSS—UK

Health Plan at Top of Data Breach List (April 29, 2010)

The UK's national health plan has reported 287 data breaches since the end of 2007, 113 of which were due to data theft, BBC News reports. That's the greatest number of serious data breaches reported by UK organizations, said Deputy Information Commissioner David Smith at an event this week. He noted that the public sector's tendency to report breaches may have skewed the numbers. A spokesman for the British Medical Association thinks the number of breaches reflects in part the size and complexity of the NHS, the report states. "So many people have access to data and often human error is to blame," he said.
Full Story

DATA LOSS—U.S.

Federal Grand Jury Indicts Man Involved in UMC Breach (April 29, 2010)

An FBI probe into a privacy breach involving hospital patients' records has resulted in a federal grand jury indicting a man who is alleged to have paid a hospital employee for the information, the Las Vegas Sun reports. Richard W. Charette was indicted on one count of conspiracy to illegally disclose personal health information in violation of the Health Insurance Portability and Accountability Act, the report states. He is accused of purchasing hospital "face sheets" on traffic accident victims from a University Medical Center employee with the intent to solicit potential personal injury clients.
Full Story

HEALTHCARE PRIVACY—U.S.

Work Group Explores Patient Consent (April 29, 2010)

At its meeting on Monday, the Health IT Policy Committee worked to determine at what point in a health information exchange it becomes necessary for providers to obtain consumer consent, Government Health IT reports. The committee's co-chairperson said the group is grappling with the line "where the comfort level of a one-to-one exchange breaks down and leads us to have more stringent privacy and security requirements, such as consumer choice of opt in or opt out." The committee will reconvene on May 7.
Full Story

ONLINE PRIVACY—U.S.

FTC To Create Internet Privacy Framework (April 28, 2010)

Amid growing concerns from privacy advocates and legislators alike, the Federal Trade Commission (FTC) said Tuesday that it plans to create guidelines on Internet privacy to protect consumers from abuse of their personal data by social networking, Internet search and location tracking companies. The Washington Post reports the announcement came after a call by four senators seeking improved FTC enforcement and rules. "The FTC is examining how social networks collect and share data as part of a project to develop a comprehensive framework governing privacy going forward," said FTC spokeswoman Cecelia Prewett. "Our plan is to develop a framework that social networks and others will use to guide their data collection, use and sharing practices." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—EU

UK ICO Says Breach Notification Law Coming (April 28, 2010)

The requirement for companies to notify national regulators about serious data breaches will expand beyond the telecommunications sector, according to UK Deputy Information Commissioner David Smith. At an event on Tuesday, Smith said that the European Commission has breach notification "on its agenda" and that its current review of data laws will likely require notifications from a wider range of businesses, ZDNet reports. There is "no logical reason" to confine the requirement to telcos, Smith said. Responding to his comments, one analyst said, "Notification promotes efficient publication of breaches, which encourages data protection." Smith, himself, described breach notification as a "double-edged sword" for regulators.
Full Story

PRIVACY LAW—ITALY

Legal Expert Says Google Conviction Based on Misinterpretation (April 28, 2010)

An Italian legal expert says that a legal error formed the basis of the conviction of three Google executives earlier this year, and the company would likely win an appeal to the conviction, OUT-LAW.COM reports. A Court of Milan judge sentenced the executives to a suspended jail term in February after finding them guilty of violating the nation's privacy laws. But Elvira Berlingieri, a legal consultant and academic who has studied the reasoning behind the verdict, says a judicial error in interpreting Italy's laws prompted the conviction. Berlingieri says the error involves confusion over Sections 13 and 167 of the Privacy Code.
Full Story

HEALTHCARE PRIVACY—U.S.

Prison Sentence Handed Down for HIPAA Violations (April 28, 2010)

NBC News is reporting that a former UCLA School of Medicine researcher was sentenced to four months in prison yesterday for illegally viewing the medical files of celebrities and others while employed there. According to the report, Huping Zhou is the first person ever sentenced to prison for violating the Health Insurance Portability and Accountability Act (HIPAA). Zhou pleaded guilty to accessing patient records more than 300 times in a one-week period in 2003. "Healthcare companies have to be very aware of these risks of inappropriate insider access to health information," Wiley Rein partner Kirk Nahra, CIPP, told the Daily Dashboard. "We are seeing problems across a wide range of entities, involving celebrities, personal relationships and more sinister motives, such as identity theft and healthcare fraud."  
Full Story

SOCIAL NETWORKING—U.S.

Senators, Others Call for Changes (April 28, 2010)

Four U.S. Senators yesterday called on Facebook to give its users more control over their personal information, the Los Angeles Times reports. Sens. Charles Schumer (D-NY), Mark Begich (D-AK), Al Franken (D-MN) and Michael Bennet (D-CO) sent a letter to CEO Mark Zuckerberg saying that "users need to have the ability to control their private information and fully understand how it's being used." The lawmakers and others have criticized recent changes the company has made, including one that will allow third parties to retain users' data indefinitely. Facebook asserts that its "highest priority is to keep and build the trust of [users]." To do that, the company must "address privacy on a global scale," says Forrester analyst Augie Ray. "It's part of the burden it carries to achieve what it wants to achieve." Meanwhile, the Electronic Privacy Information Center is readying a complaint for the Federal Trade Commission, and Facebook executives have scheduled a meeting with Schumer.
Full Story

ONLINE PRIVACY

Company Apologizes for Glitch that Exposed Customers’ Credit Cards Online (April 28, 2010)

Social networking site Blippy has apologized for its recent privacy glitch that accidentally exposed members' credit card information and is promising to hire a chief security officer and invest in more security, PC Magazine reports. The company will also have regular third-party audits, invest in its systems to filter out sensitive information, control caching of information in search engines and create a security and privacy center that includes information about how Blippy is protecting its customers, the report states. Blippy has reached out to eight customers whose information might have been compromised, the report states, and will assist in resolving any issues prompted by the data breach.
Full Story

PRIVACY LAW—U.S.

Dept. of Ed to Enhance FERPA Rules (April 28, 2010)

The U.S. Department of Education will soon propose new regulations governing student privacy rights, Inside Higher Ed reports. The department wants to strengthen enforcement provisions of the Family Educational Rights and Privacy Act of 1974 (FERPA) to cover additional recipients of students' information and to clarify how states can develop and use data in statewide longitudinal data systems (SLDS) "while ensuring protection of individual privacy under FERPA," according to the Federal Register notice. The latter topic was the subject of debate at a recent House committee hearing where one academic warned that many state data systems lack the privacy safeguards necessary for protecting students' data.
Full Story

HEALTHCARE PRIVACY—U.S.

Patient Data Loss on the Rise (April 28, 2010)

Even with the addition of procedures to better protect patient data, InformationWeek reports that the number of medical record breaches continues to increase--up six percent since 2008. Highlighting recent cases from New York, Tennessee and Florida where patient data--including medical records and Social Security numbers--was dumped outside medical centers or at recycling facilities where anyone could access it, the report criticizes healthcare providers for not doing more to protect their patients' personal information. Referencing a study by the Healthcare Information and Management Systems Society, the report points out that more than 110 healthcare organizations have reported the loss of sensitive patient information on 5,306,000 individuals in the past two years.
Full Story

HEALTHCARE PRIVACY—U.S.

Privacy, Choice and the Future of Health IT (April 28, 2010)

When the Health Information Technology Policy Committee met last week, health IT implementation issues including privacy, informed consent and patient control were a significant part of the discussion, Modern Healthcare reports, but leaders are not ready "to recommend that patients be put in full control over the flow of their own healthcare information." Deven McGraw of the Health Privacy Project said the consensus is that a comprehensive set of privacy and security protections building on current laws is critical to moving forward with the meaningful use of electronic health records. However, Deborah Peel of the Patient Privacy Rights Foundation suggests the best way to protect patient privacy is by giving patients full control over what information is or is not used, shared or exchanged. (Registration may be required to access this story.)
Full Story

DATA PROTECTION

Study: Data Breaches Most Expensive in U.S. (April 28, 2010)

The average cost of a data breach in the United States is higher than breach costs in Australia, France, Germany and the UK, NetworkWorld reports. The Ponemon Institute's "2009 Annual Study: Global Cost of a Data Breach," published today, found that the average cost of a U.S. data breach was $204 per compromised record, compared with $177 in Germany, $119 in France, $114 in Australia and $98 in the UK, the report states. Senior Ponemon Institute privacy analyst Mike Spinney, CIPP, said the difference is due to the United States' tough data-breach notification laws, which result in higher legal fees and loss of business, among other costs.
Full Story

BEHAVIORAL TARGETING

Your Life, As Collected By Marketers (April 28, 2010)

Another advertising industry trade publication is examining the consumer privacy implications of marketing efforts, asking readers to imagine if personal information ranging from their dates of birth to their mortgage balances to their favorite sports teams could be compiled by marketers into personal profiles for targeted advertising. Following an experiment conducted by Advertising Age, reporter Michael Bush describes how everything from how long he has lived in his house to his personal view that health is "a core value" was gathered by a database marketing company. Acknowledging the privacy debates around behavioral targeting, Bush writes that such information is "a necessity to deliver consumers highly targeted and relevant ad messages." The key, the report states, is meeting customer expectations about privacy and keeping their data secure. (Registration may be required to access this story.)
Full Story

SOCIAL NETWORKING—U.S.

Senators Call on FTC, Facebook to Take Action (April 27, 2010)

The Washington Post reports on calls for the Federal Trade Commission (FTC) to create guidelines on how social networking sites can use and share members' information. Senator Charles Schumer (D-NY) wrote to the commission on Sunday, saying that recent changes to Facebook's policies "can adversely affect users and, currently, there is little guidance on what social networking sites can and cannot do..." Schumer and Sens. Michael Bennet (D-CO) and Al Franken (D-MN) will send a letter to Facebook today, calling on the company to change its privacy policies. A Facebook spokesman said that none of the company's recent changes "removed or reduced people's control over their information..." (Registration may be required to access this story.)
Full Story

HEALTHCARE PRIVACY—U.S.

HHS Privacy Rule Changes Coming in May (April 27, 2010)

The Department of Health and Human Services (HHS) is expected to release a proposal next month to strengthen HIPAA privacy and security rules mandated under the HITECH Act. Government Health IT reports the proposed rule will strengthen "privacy, security and enforcement requirements for organizations that handle patients' health information." The focus will be on the liability of business associates, limitations on the sale of protected health information and strengthening individual rights to access electronic medical records and restrict disclosure, the report states. The department's semi-annual regulatory agenda, released Monday, identifies actions the department plans to take during the year ahead.
Full Story

DATA PROTECTION—U.S.

Report: Copy Machines Are a Pot of Gold (April 27, 2010)

A CBS News special investigation reveals that sensitive data is readily accessible on many used copy machines. The investigation follows the purchase of four used photocopiers awaiting resale at a New Jersey warehouse. After investigators ran a freely available forensic software program on the machines, the copiers' hard drives produced tens of thousands of previously scanned or copied documents. They included targets of drug raids from a police department's narcotics unit and wanted sex offenders from its sex crimes division, as well as 300 pages of individual medical records--including drug prescriptions, blood test results and a cancer diagnosis--from a New York insurance company.
Full Story

SOCIAL NETWORKING—EU

EC Says Buzz in Line with Data Laws (April 27, 2010)

While members of the U.S. Congress call for an investigation into Google's Buzz social networking platform and privacy regulators from 10 nations criticize the company's methods in rolling out the product, the European Commission (EC) has deemed it to be in line with the bloc's data protection guidelines as long as users' data was not used without prior and tacit consent, Euractiv reports. An EC spokesperson said it "is up to the member states to verify whether the amended privacy settings by Google...regarding their Buzz service comply with this prior informed consent principle." The spokesperson said the EC will cooperate with national data protection authorities to ensure the rules are respected.
Full Story

BEHAVIORAL TARGETING

Marketers Navigating Trust and Privacy Issues (April 27, 2010)

"Trust is the currency of effective advertising, and yet it's so curiously evasive and increasingly murky," Pete Blackshaw writes in an Advertising Age feature that suggests addressing privacy is among the key components to establishing and maintaining credibility. "At the heart of the privacy debate is apprehension that marketers will abuse personally identifiable data or the targeting opportunities of behavioral advertising," he writes. However, Blackshaw points out that many consumers volunteer personal information via social networks that would not have been shared publicly in the past, suggesting such changes require "a new dialogue and a new wave of thinking about how we nurture trust and the credibility of our conversations, platforms and models."
Full Story

ONLINE PRIVACY—U.S.

Blippy Snafu Reveals Need for Data Protection Focus (April 27, 2010)

Last week's announcement that an error at purchase-based social networking service Blippy exposed users' credit card information to Internet searches should serve as a warning to advertisers, MediaPost News reports. E.J. Hilbert of Epic Advertising's Online Intelligence Division says the breach demonstrates how easy it is for valuable and damaging data about companies and their clients to be exposed. When it comes to online advertising, he says, "Any company that collects data about clients, customers or employees needs to make sure they secure and protect that data as if the data was about the company CEO, president or other high-level executive prior to going live with their product."
Full Story

ONLINE PRIVACY—UK

ICO to Investigate Wi-Fi Data Uses (April 27, 2010)

The Information Commissioner's Office (ICO) will look into the details surrounding Google's practice of collecting data about Wi-Fi networks, The Register reports. The investigation follows the German data protection commissioner's discovery that Google's camera-equipped cars, which have been canvassing countries to capture photographs for its Street View feature, have been scanning private WLAN networks and recording users' unique Media Access Control addresses. An ICO spokeswoman said British regulators are interested in how the data is being processed and used by the company. "If it's just to tell you there's a café nearby--fine," the spokeswoman said.
Full Story

GENETIC PRIVACY—U.S.

Scientists Debating “Informed Consent” in DNA Research (April 26, 2010)

Recent lawsuits involving biomedical research subjects, including last week's settlement in favor of the Havasupai Indians in a case against Arizona State University, have scientists and bioethicists talking about the need to improve "informed consent" when it comes to large-scale genetic research. The New York Times reports that under federal guidelines, research subjects have a right to know how the genetic material they donate will be used. Studies have estimated that 90 percent of individuals are willing to share their data for biomedical research; however, issues around how to fully inform subjects of the many ways their data might be used, and questions about the inability to fully guarantee privacy, are raising concerns. (Registration may be required to access this story.)
Full Story

SOCIAL NETWORKING

Online Sharing: Is There Such a Thing as TMI? (April 26, 2010)

The desire of some Internet users to share everything from what plastic surgery they've had to where they are eating and how much they've spent on the newest tech gadgets could have long-reaching ramifications. The New York Times reports that there seems to be no such thing as "too much information" on the Web. Privacy experts caution there are dangers, however. Purchase-based social networking service Blippy, for example, has inadvertently shared some users' credit card information online. "Ten years ago, people were afraid to buy stuff online. Now they're sharing everything they buy," said Barry Borsboom, creator of Please Rob Me. "Times are changing, and most people might not know where the dangers lie." (Registration may be required to access this story.)
Full Story

PRIVACY—CANADA

National Focus, Global Influence (April 26, 2010)

What began as a sole focus on the information access and privacy rights of the citizens of Quebec has evolved into a role of global influence for Canada's federal privacy commissioner. The Financial Post spoke with Commissioner Jennifer Stoddart recently about her decade-long engagement in the privacy sphere. Stoddart is in the last year of her seven-year term as the nation's top privacy regulator. She said she realized early on that "this job couldn't be done just in Canada." The article points to the global influence of her office's activities, such as its seminal investigation into Facebook's privacy practices and, more recently, the 10-nation accord calling to task Google, Inc., and other Internet companies to better respect the privacy of users.
Full Story

SOCIAL NETWORKING

Site Changes Concern Commissioner (April 26, 2010)

Canada's federal privacy commissioner has expressed concern about changes Facebook made last week that will allow third-party developers to retain users' data indefinitely, the Globe and Mail reports. "I'm very concerned about these changes," said Commissioner Jennifer Stoddart. "More than half a million developers will have access to this data." Stoddart indicated that the company seems to "be moving in the opposite direction" from that which it committed to move toward last summer when the company agreed to certain privacy reforms following an OPC investigation. Stoddart also reiterated concerns she and her global counterparts set forth last week in relation to online companies' actions impacting user privacy.
Full Story

DATA LOSS

Error Exposes Credit Card Numbers to Internet Searches (April 26, 2010)

Four users of a social networking service based on sharing information about purchases with other users have had their credit card information exposed via Internet searches. "A series of gaffes...exposed the credit card numbers of four individuals within Google search results for more than two months," CNET News reports. The discovery was first published via an Internet news source on Friday. The problem began when Blippy made changes to its Web site in February and inadvertently exposed raw bank data, including the credit card numbers, according to CNET News, which were then picked up by Google's Web crawling technology.
Full Story

SOCIAL NETWORKING—U.S.

Senator: FTC Should Create Social Networking Privacy Guidelines (April 26, 2010)

A New York senator wants the Federal Trade Commission (FTC) to craft guidelines for how social networking Web sites can use and share their users' personal information, the Associated Press reports. Sen. Charles Schumer (D-NY) has written a letter to the FTC in response to new features launched on Facebook last week. Schumer says the Web site's new privacy policies limit users' abilities to control the amount of personal information shared with third-party sites, the report states, but a Facebook spokesman says the company has introduced tools that restrict what information is shared.
Full Story

BEHAVIORAL TARGETING—U.S.

Leibowitz Thinks IP Addresses are Personal (April 26, 2010)

As Congress considers expanded rulemaking authority for the nation's consumer protection agency, Federal Trade Commission Chairman Jon Leibowitz discusses behavioral targeting and other issues with Bob Garfield, the host of National Public Radio's "On the Media" program. Leibowitz says that while targeted advertising is good for consumers in some ways, in others it can be disturbing. He says that to an extent, what is happening with behavioral targeting on the Internet is akin to having someone follow you through a shopping mall and then sell information on your shopping activities to interested parties. While Internet behavioral targeting generally involves anonymized consumer data, he says, the information could be tracked back to a user's IP address and there is an ongoing debate about whether an IP address should be considered personal information. "I kinda think it is," the chairman said.  
Full Story

DATA LOSS—UK

NHS Computers Hit with Malware Infection (April 26, 2010)

A number of National Health Service (NHS) computers have been hit with data-stealing malware, NetworkWorld reports. The computers were infected by Qakbot, malicious software capable of stealing credit card information, passwords, Internet search histories and other data, the report states. However, according to the security company that discovered the breach, it does not appear patient information has been stolen. In an e-mailed statement, an NHS spokesman said, "This hasn't been raised with us as an issue within the NHS. The NHS requires its organizations to reach high standards of virus protection. We will investigate any incidents brought to our attention."
Full Story

HEALTHCARE PRIVACY—U.S.

HHS Advisory Panel Considers Patient Consent (April 26, 2010)

An advisory group to the Health and Human Services (HHS) Department has begun considering a draft framework describing how health organizations should incorporate patients' consents and consent policies, Federal Computer Week reports. The Basic Patient Privacy Consent framework addresses collecting and sharing patient healthcare data in electronic health record systems, the report states. The framework would see the development of privacy and consent policies and would implement access control within the electronic health record system, which would allow patients to select which policies apply to their records, including implicit and explicit opt-in and opt-out options, according to the report.
Full Story

FINANCIAL PRIVACY—EU & U.S.

EC Gets Go Ahead for New SWIFT Talks (April 23, 2010)

Reuters reports that European Union interior ministers on Friday agreed to let the European Commission negotiate a new financial data sharing deal with added privacy provisions. Fresh EU-U.S. talks on the deal will begin in May. The so-called SWIFT agreement involves the transfer of European citizens' banking transactions to U.S. officials for counter-terrorism purposes. The European Parliament rejected a proposed accord in February due to data privacy concerns, but the new negotiations are expected to include termination rights if privacy safeguards are not respected, according to the report. The EC also wants reciprocity. Members of the European Parliament this week expressed lingering concerns about data protection, but lead EU negotiator Jonathan Faull said, "We go into this determined to negotiate an agreement which provides greater protection for the personal data of Europeans."
Full story

STUDENT PRIVACY

Opinion: School Officials “Stumbled Badly” (April 23, 2010)

A Philadelphia Inquirer editorial asserts that Lower Merion School District officials "stumbled badly" by not informing students and their families that Web cams on their school-issued laptops could be activated as an anti-theft measure. "The sheer volume of Web cam photos snapped by [the district]...indicates how oblivious school officials were to students' privacy rights," the editorial states. Investigators revealed this week that the district collected 56,000 images. "The taking of these pictures without student consent in their homes was obviously wrong," said the attorney leading the school district's inquiry. The discovery that district officials had activated Web cams without students' knowledge has prompted a federal lawsuit, an FBI investigation and the introduction of the Surreptitious Video Surveillance Act.
Full Story

PRIVACY LAW—U.S.

CA Senate Passes Bill to Prohibit Posts about Minors (April 23, 2010)

The California Senate has approved a measure that would prohibit social networking sites from posting certain personal information about minors in California, the Mercury News reports. If passed, sites will be required to remove the option allowing users to publicly post their home address or phone number if users say they are under the age of 18, the report states. The Assembly will consider the bill next. Author of the bill, Senator Ellen Corbett (D-San Leandro), says it will help protect against sexual predators and identity theft.
Full Story

PRIVACY LAW—U.S.

Survey: Most Security Pros Favor Federal Breach Law (April 23, 2010)

Seventy percent of IT security professionals polled by security vendor nCircle indicated that the federal government should pass data breach/data privacy legislation that would override the current patchwork of state legislation, reports Dark Reading. The survey of 257 professionals also found that 76 percent believe the public sector is not doing an adequate job protecting personal data and 22 percent feel the level of cybersecurity investment in the U.S. private sector is sufficient given the risk environment, according to the report.
Full Story

DATA LOSS—U.S.

Army Hospital Patients’ Medical Data Exposed (April 23, 2010)

Officials have alerted patients of an Army hospital in Texas that their personal information may have been exposed, the Associated Press reports. An Army spokesman said a three-ring binder containing the names, phone numbers and health information of nearly 1,300 Brooke Army Medical Center patients was stolen from a case manager's car. The Army also notified police, the Department of Defense and the Department of Health and Human Services. The case worker received a letter of concern even though having information in a car off-post does not violate Army regulations.
Full Story

DATA PROTECTION

Survey: CIOs Restricting Use of Social Media (April 23, 2010)

Companies are increasingly limiting their employees' access to social networking sites, the Montreal Gazette reports. That's according to recruiting firm Robert Half Technology's recent survey, which found that 21 percent of chief information officers are limiting employees' personal use of social media sites like Facebook, Twitter and LinkedIn. "Social networking is becoming more and more of a business tool, so companies are re-evaluating their policies and ensuring they're in line with business objectives," a spokeswoman for the firm said. The study also found that most CIOs are becoming stricter in general when it comes to computing for personal use at work.
Full story

SOCIAL NETWORKING

“Exponential” Growth in Demand for Social Data (April 23, 2010)

VeriSign says its research arm, iDefense, has identified a data black market player called 'kirllos' who claimed to have for sale 1.5 million social networking accounts in bulk quantities, reports V3.co.uk. The two things that make this discovery interesting, according to iDefense Director of Intelligence Rik Howard, are "the volume of social network account credentials discovered, and the fact we are seeing an eastern European hacker dip into western social networks." VeriSign is warning of an "exponential" growth in demand for black market data stolen from social networking sites, the report states. Howard warns social networking sites to make security a priority and urges companies to ensure employees use social networks with due care.
Full story

ONLINE PRIVACY—US

Commerce Department Launches Inquiry (April 22, 2010)

The U.S. Commerce Department wants to know more about how the Internet economy impacts individuals' privacy. Commerce Secretary Gary Locke launched an exploration of the issue yesterday, NetworkWorld reports. A source said the department "seeks to understand whether current privacy laws serve consumer interests and fundamental democratic values." The department will host a public meeting on May 7 and is seeking comments from various sectors and citizens. It hopes to issue a report in early autumn. According to the NetworkWorld report, the Commerce Department has also formed an Internet Policy Task Force that comprises staff members from the National Telecommunications and Information Agency, the International Trade Administration and other entities.

Full Story

SOCIAL NETWORKING—CANADA

PIAC Files Complaint, Seeks Investigation (April 22, 2010)

The Ottawa-based Public Interest Advocacy Centre has filed a complaint with Canada's federal privacy commissioner about the Nexopia social networking site, StraightGoods.ca reports. The 35-page complaint alleges that six of Nexopia's privacy practices violate the Personal Information Protection and Electronic Documents Act. "PIAC would like to see the privacy commissioner investigate Nexopia's privacy practices for compliance with Canadian privacy law, with special consideration to how Nexopia handles the privacy and personal information of minors," said PIAC counsel John Lawford. The complaint states that the company's very advanced search function "does not respect youth privacy," and its default settings "are set to share information with the whole world."

Full Story

PRIVACY LAW—TAIWAN

Data Protection Act’s “Consent” Requirement Criticized (April 22, 2010)

Some media associations are speaking out against a draft personal data protection act, saying it would jeopardize freedom of the press, the Taipei Times reports. The act, which passed a second reading at the Legislative Yuan on Tuesday, would require reporters to gain a person's approval before they could publish a story on that person. A spokeswoman for the self-disciplinary committee at the Satellite Television Broadcasting Association said the act signals a "backtracking democracy." Meanwhile, the National Communications Commission said yesterday it would discuss the serious consequences of a third passage of the draft act, the report states.

Full Story

DATA LOSS—U.S.

$975K Settlement for Breach (April 22, 2010)

Certegy Check Services will pay $850,000 to the state of Florida for a 2007 data breach that impacted nearly six million personal records, SC Magazine reports. The payment will reimburse investigative and legal expenses incurred by the state attorney general's office. In addition, the company will pay $125,000 to fund a statewide crime prevention program and will be required to undergo third-party security audits for a period of five years. Certegy settled a consumer class-action lawsuit related to the breach in 2008. In 2007, a former Certegy employee admitted to stealing the records. He is serving a 57-month sentence in federal prison, according to the report.

Full Story

BEHAVIORAL TARGETING—U.S.

Ads, Laws and Opt-ins (April 22, 2010)

Here are two of a cluster of articles in this week's privacy news that seems to reflect growing anxiety about the potential for increased regulation in the online advertising arena. In Advertising Age, media and marketing consultant Bob Garfield discusses behavioral targeting--the creepy factor, the opt-in debate and the "could-be" and "what ifs" associated with impending legislation from Congressman Rick Boucher. Meanwhile, MediaPost News reports on a paper published this week by Google executives that argues against laws requiring consumer opt-in to online data collection. The authors describe opt-in as "a rhetorical straw man" that would create "a number of unintended side effects, many of which are suboptimal for individual privacy."

Full Story

ONLINE PRIVACY—CANADA

Public Consultations to Begin (April 22, 2010)

Canada's federal privacy commissioner will soon embark on a series of public consultations about Canadians' use of social media, online gaming and cloud computing tools, reports SC Magazine. A spokesperson for the OPC said the sessions may influence changes to privacy legislation. "Although we feel that the Personal Information Protection and Electronic Documents Act is working relatively well, what we learn may shape the input we make to the next parliamentary review [in 2011]," said Anne-Marie Hayden. In Toronto and Montreal, the consultations will explore online tracking, profiling and targeting. The OPC will host a consultation about cloud computing in Calgary in June.

Full Story

SOCIAL NETWORKING

Zuckerberg: Building a Web Where the Default is Social (April 22, 2010)

Facebook CEO Mark Zuckerberg this week offered insight into his company's plans to make the Web more social by letting users share personal preferences on external sites across the Internet, TIME reports. The company's new Open Graph suite of products, unveiled this week at its annual developers' conference, includes a "Like" button that Facebook wants every page on the Web to have. "We are building a Web where the default is social," Zuckerberg said. The chairman of Electronic Frontiers Australia told the Sydney Morning Herald that expanding the offering to so many third-party sites will clearly bring privacy concerns.
Full Story

PRIVACY

Peter Hustinx Receives 2010 Privacy Leadership Award (April 21, 2010)

European Data Protection Supervisor Peter J. Hustinx has received the International Association of Privacy Professionals' 2010 Privacy Leadership Award for his commitment to ensuring individual privacy rights are respected. In a video acceptance speech Hustinx said, "I feel very honored and proud to have received this prestigious award from the International Association of Privacy Professionals." The award recognizes ongoing commitment to furthering privacy policy, promoting recognition of privacy issues and advancing the growth and visibility of the privacy profession. Hustinx has been involved in shaping national and international privacy law for nearly 40 years. He has served as European Data Protection Supervisor since January, 2004.

Full Story

ONLINE PRIVACY

Global Officials Warn Companies to Respect Users’ Privacy (April 21, 2010)

At a press conference in Washington, DC yesterday, global privacy officials issued a stern warning to Google Inc. and other Internet companies about their privacy practices. The data protection commissioners of Canada, Spain, Israel, France and the Netherlands convened to emphasize their commitment to enforcing data protection regulations, saying that, among other transgressions, companies are testing new products on consumers to the detriment of their privacy. The press event followed a letter signed by the data protection authorities of 10 nations that calls upon Google's CEO, Eric Schmidt, to "incorporate fundamental privacy principles directly into the design of new online services" and to set an example "as a leader in the online world." Joining the press conference by telephone, Dutch Data Protection Commissioner Jacob Kohnstamm said the letter serves as the "last warning" to online companies who fail to comply with global privacy regulations. He added that Europe's Article 29 Working Party supports this message. "Our legislation may vary across continents," Kohnstamm said, "but our privacy values are the same." Meanwhile, Google released a tool yesterday that broadcasts the number of data requests it and other companies receive from governments.

Full Story

PRIVACY LAW—U.S.

Amazon Files Suit Against State Tax Collectors (April 21, 2010)

Amazon wants to block one state's demands for customer data, CNET reports. The online retailer has filed suit against the North Carolina Department of Revenue, saying that providing state officials with the names, addresses and purchase information of those North Carolinians who have purchased goods on Amazon between 2003 and 2010, as they have requested, would violate customers' privacy and First Amendment rights. An Amazon spokesperson said the best-case scenario for customers would be one where the state "withdraws their demand because they recognize that it violates the privacy rights of North Carolina residents." The company did provide the department with anonymized information about items shipped and zip codes, according to the report.

Full Story

ONLINE PRIVACY

Generational Differences Rooted in Awareness Levels (April 21, 2010)

The Wall Street Journal reports on research findings that suggest young people care about privacy to about the same degree as older adults but are less informed about the rules of the road. "In most cases young people think very much the same as older people when it comes to online privacy," said the co-author of one of the studies, Harvard Law School Professor John Palfrey. But University of California Berkeley and University of Pennsylvania researchers found that while the desire for privacy is similar, kids and teens believe that rules surrounding the privacy of their data are more stringent than they actually are, the report states.

Full Story

DATA LOSS—CANADA

Medical Records Faxed to Newspaper (April 21, 2010)

Alberta's Information and Privacy Commission is reviewing a breach involving the medical records of a woman, which were faxed to a provincial newspaper rather than her physician. The Calgary Sun received the 11-page fax. Privacy Commissioner Frank Work said the incident appears to have resulted from "human error, plain and simple." He said he hopes doctors learn from the mistake and would like to see more physicians move toward electronic records to help prevent such errors. Although Alberta is ahead of other provinces in electronic records adoption, federal Auditor General Sheila Fraser said this week that too few doctors nationwide are making the switch.

Full Story

SURVEILLANCE—U.S.

More Details Released in School Laptop Case (April 21, 2010)

Investigators have revealed that employees in Pennsylvania's Lower Merion School District activated Web cameras on school-issued laptops about 80 times in the past two years, capturing nearly 56,000 images and giving them a glimpse into high school students' at-home worlds and computing activities, the Philadelphia Inquirer reports. Most of the activations were the result of missing laptop reports, but in five instances the tracking software was not turned off after the laptops were located, the report states. The district's practices in this area have been under scrutiny and prompted an FBI investigation, a civil rights lawsuit and the introduction of the Surreptitious Video Surveillance Act.

Full Story

ONLINE PRIVACY

Global Data Protection Authorities Write to Google (April 20, 2010)

The data protection authorities of 10 nations are expressing disappointment with the privacy practices of Google Inc. and other international corporations. The privacy regulators of Canada, France, Germany, Ireland, Israel, Italy, the Netherlands, New Zealand, Spain and the United Kingdom made their feelings known in a letter to Google CEO Eric Schmidt on Monday. They called on the company to "incorporate fundamental privacy principles directly into the design of new online services" and to set an example "as a leader in the online world." Several of the commissioners will gather to detail their concerns at a press conference today in Washington, DC. A Google spokesperson told the Daily Dashboard that the company tries very hard to build meaningful controls into its products and that Google is eager to launch a new transparency tool. According to reports, this tool relates to subpoena requests around the world.

Full story

PRIVACY LAW—U.S.

Supreme Court Ponders Quon Case (April 20, 2010)

The U.S. Supreme Court yesterday began its review of a lower court's ruling on the privacy of employee text messages transmitted on employer-issued equipment, the Associated Press reports. In the closely watched case, City of Ontario v. Quon, municipal officials are seeking to overturn the Ninth Circuit Court of Appeals decision that they violated a police officer's privacy by reviewing his text messages without his knowledge or consent. In a Littler Mendelson blog post, human resources privacy attorney Philip L. Gordon drills down on the justices' questions and suggests the court's "ultimate ruling could be far narrower than anticipated by many." Gordon also notes the U.S. Government has "asked the court to adopt a bright-line rule that employers can defeat the reasonableness of any employee's expectation of privacy" through policies stating otherwise. (Registration may be required to access this story.)

Full Story

PRIVACY LAW—IRELAND

High Court Says “Three Strikes” Doesn’t Violate Law (April 20, 2010)

Ireland's High Court has ruled that a settlement reached between the Internet service provider Eircom and four major record labels does not breach data protection laws, reports OUT-LAW.COM. Under the settlement, Eircom agreed to disconnect Internet users suspected of copyright infringement if, after two written warnings, the suspected infringements persisted. Data Protection Commissioner Billy Hawkes had raised questions about whether the monitoring of users' activities and use of users' Internet protocol (IP) addresses broke privacy laws. The High Court determined the deal does not violate data protection laws because the information processed in such instances does not count as "personal data."

Full Story

PRIVACY LAW—U.S.

Specter Introduces Patch for Wiretap Act (April 20, 2010)

Senator Arlen Specter (D-PA) and colleagues introduced legislation on Friday to update the decades-old federal Wiretap Act, The Hill reports. The Surreptitious Video Surveillance Act comes three weeks after a Senate subcommittee hearing on a Pennsylvania school district's use of a laptop camera to view a student in his home. If the legislation passes, the practice of capturing and storing video without the taped user's consent would be outlawed, according to the report. "Many Americans would be surprised to learn that there is no federal statute to protect them from being secretly videotaped in their homes," said Sen. Russ Feingold (D-WI), who cosponsored the legislation along with Sen. Ted Kaufman (D-DE).

Full Story

ONLINE PRIVACY

Site Grades Privacy of Internet Apps (April 20, 2010)

A Stanford University project has ushered in a Web forum where Internet users can review and compare the privacy and security of Internet and mobile applications, the San Francisco Chronicle reports. The WhatApp.org site, released in beta last month, grades applications based on reviewers' answers to questions about data collection and openness, for example. One news outlet described it as a mix of Consumer Reports, Yelp and Wikipedia, but with a privacy and security focus. Its creators hope the site will bring more attention to the issues. "We've been saying this for a while," said McAfee Labs director David Marcus. "If developers use security and privacy correctly, they can be used as a competitive advantage."

Full Story

PRIVACY LAW—U.S.

Opinion: Empty Oversight Board an “Embarrassment” (April 20, 2010)

A Los Angeles Times editorial describes the fallow Privacy and Civil Liberties Oversight Board as "an embarrassment" to the Obama administration. The board was created in 2004 to provide oversight on potentially privacy invasive government initiatives but has since languished. Over the past several months, lawmakers and others have urged the administration to reconstitute the five-member board. The newspaper echoes those calls and adds that the president "should choose individuals of sufficient experience and stature to act as watchdogs over the intelligence community and the Justice Department." Earlier this month an Obama administration official said the White House was vetting candidates for the board.

Full Story

PRIVACY LAW—U.S.

FTC Sets Date for COPPA Roundtable (April 20, 2010)

The Federal Trade Commission has set the date for a public roundtable on the Children's Online Privacy Protection Act (COPPA), Tech Daily Dose reports. The commission will host a workshop on June 2 to examine whether it should amend its COPPA rule. The FTC is required to review the law every five years. In this year's review, the commission is considering updates to address such new issues as geo-location and behavioral targeting technologies. The commission is seeking public comments through June 30.

Full Story

DATA LOSS—U.S.

Student Loan Data Recovered (April 20, 2010)

A student loan firm that reported the theft of data pertaining to 3.3 million borrowers late last month says all of the data has been recovered, the Virginian-Pilot reports. Educational Credit Management Corp. (ECMC) says it will continue to honor the yearlong free credit monitoring services it offered those impacted upon discovering the breach. According to the report, investigators located the stolen discs and the data appears uncompromised.

Full Story

PRIVACY LAW—EU

Hustinx: Waste Directive Needs Data Protection Provisions (April 19, 2010)

European Data Protection Supervisor Peter Hustinx says European Union law should force digital equipment makers to include free and easy data-wiping capabilities within their products, reports OUT-LAW.COM. In an opinion published last week on planned changes to the Waste Electrical and Electronic Equipment (WEEE) Directive, Hustinx said there should also be a ban on the sale of used devices that have not been wiped of their data. Hustinx also recommended that makers of digital equipment build privacy and data protection into their products. "Respect for security measures and a 'privacy by design' approach should be seen as essential pre-conditions in order to effectively guarantee the right to the protection of personal data," he said.

Full Story

PRIVACY LAW—U.S.

Feds Withdraw Demands for E-mails (April 19, 2010)

In a Colorado court on Friday, federal authorities withdrew demands to obtain from Yahoo e-mail related to a pending and sealed criminal case, saying it would not be useful to their investigation, Wired reports. The authorities had been seeking user-accessed e-mail that was less than six months old. In December, a Colorado magistrate ordered Yahoo to release the e-mail, but the company refused, citing the 1986 Stored Communications Act that requires the government to show probable cause, the report states. Had Friday's decision been different, "the vast majority of Americans' e-mail would be accessible to the government without probable cause," according to the report.

Full Story

DATA LOSS—UK

Police Security Breach Prompts Investigation (April 19, 2010)

A Gwent Police data management employee is facing a gross misconduct investigation and possible dismissal after accidentally sending the results of more than 10,000 Criminal Records Bureau checks to a newspaper. The Register reports it received a file containing the full names and dates of birth of 10,006 people with the results of background checks dating back as far as 2001. The newspaper has deleted the file, which was not encrypted or password protected, and is assuring those affected that it will not publish their personal information. Investigators have indicated human error was to blame as the e-mail's author used the "auto complete" function for addresses and accidentally included the journalist's contact information with that of police officials, the report states.

Full Story

PRIVACY LAW—U.S.

California Senate Approves Notification Law Update (April 19, 2010)

The California Senate has approved a bill to update the state's data breach notification law, reports SC Magazine. The bill is a reintroduction of a measure vetoed by Governor Schwarzenegger last year. SB 1186 would require the inclusion of certain information in breach notification letters and would require data controllers to notify the state AG of breaches involving more than 500 residents. The bill's sponsor, state Senator Joe Simitian (D-Palo Alto), said, "This new measure makes modest but helpful changes to the law. It will also give law enforcement the ability to see the big picture and better understand the patterns and practices developing in connection with identity theft."

Full Story

HEALTHCARE PRIVACY—U.S.

Large-Scale Breaches Double, OCR May Take Away Consent Option (April 19, 2010)

The number of entities reporting large-scale breaches of patient information has doubled since February, reports HealthLeaders Media. The Office for Civil Rights (OCR) Web site now lists 64 entities as having reported breaches of unsecured personal health information affecting 500 or more individuals, the report states. The HITECH Act requires the OCR to make public such breaches. Eight of the 64 breaches involve unnamed sole practitioners. The OCR cannot release the names of those practitioners without their consent, but the agency filed a notice in the Federal Register last week indicating its intent to take away the "consent" option.

Full Story

RFID

Student Hopes New Technology Will Provide RFID Privacy (April 19, 2010)

A University of Calgary researcher is working on technology that could help protect private information included in RFID tags, PCWorld reports. With the "always-on" RFID technology being embedded into everything from passports to credit cards, security becomes a concern, the report states. "We are building our own RFID cards and adding features to them to make it visible and noticeable when someone is accessing the information," Nicolai Marquardt, a Ph.D. student at the University of Calgary, explained at the U.S.-based Computer Human Interaction conference last week. Marquardt is working with Microsoft Research in the UK on the project, which he says could also make it possible for users to control when the information on the card is being accessed.

Full Story

PRIVACY LAW—U.S.

MA 201: Skimping on Education Could Cost You (April 19, 2010)

An InformationWeek report says the Massachusetts data protection law that took effect March 1 is "a prime example of the increasingly aggressive role states are taking to protect their citizens" and "could spur similar legislation in other states." The law is unique in that it requires any business that holds the personal information of Massachusetts residents to attest that it has a working information security program in place and to encrypt data in motion and at rest. The report suggests a three-pronged approach toward compliance, advising, among other things, that "End-user training is critical...skimping on education could cost you."

Full Story

DATA PROTECTION—NORTH AMERICA

Report on Cross-Border Data Flow Impediments Released (April 16, 2010)

The North American Trilateral Committee on Transborder Data Flows has released a report detailing the leading impediments to cross-border information sharing. "I am encouraged by the collaborative work that has been done to identify these impediments to free flow of information and international trade," said Under Secretary for International Trade Francisco Sanchez. "I am confident that we can work together with the North American business community to overcome these barriers." The Trilateral Committee, established in 2008, comprises representatives from the governments of Mexico, Canada and the United States.
Full Story

BEHAVIORAL TARGETING—U.S.

What We Share Via Social Networking is a Gold Mine for Advertisers (April 16, 2010)

Digital platforms make it easy to track users based on what they are reading, where they are shopping or even whether they are divorced, married or expecting a baby, Amy Manus writes in an article for ClickZ. All those online interactions provide a wealth of public information for companies to use in targeted advertising. "Behavioral targeting is often scrutinized by consumers and government legislation for the tracking of personally unidentifiable information," she writes, pointing out that, "these same consumers are also offering up their own personal information all around the Web for marketers to create their digital footprint...If there is such a concern over privacy, then consumers need to be their own personal advocates."
Full Story

STUDENT PRIVACY—U.S.

House Committee Hears about Student Privacy (April 16, 2010)

The topic of student privacy came up this week at a House Education and Labor Committee hearing about the longitudinal data systems used to track the academic progress of schoolchildren. Joel Reidenberg of the Fordham University School of Law warned that many state data systems lack the privacy safeguards necessary for protecting students' data and lack "clear legal limitations on the purpose for which data could be accessed and used." After the hearing, committee member Rep. John Kline (R-MN) said, "Efforts to expand data collection and standardize student tracking systems should not even be considered when weaknesses in the security of current data systems remain in question."
Full Story

PRIVACY LAW—U.S.

Agencies Release Tool for Model Consumer Privacy Notices (April 16, 2010)

Federal agencies released a tool yesterday to help financial institutions create customized versions of model consumer privacy notices. According to a joint press release, the Online Form Builder is based on the model form regulation published in the Federal Register last December under the Gramm-Leach-Bliley Act, and includes several options and instructions. "To obtain a legal 'safe harbor' and so satisfy the law's disclosure requirements, institutions must follow the instructions in the model form regulation when using the Online Form Builder," the release states. Eight agencies collaborated on the form.
Full Story

PRIVACY LAW—U.S.

Two States, Two New Laws (April 16, 2010)

Two states enacted data breach-related laws recently. Late last month Washington Governor Christine Gregoire signed a law that lets banks recover certain costs and damages from retailers and credit card processors that suffer data breaches after failing to comply with Payment Card Industry standards. It takes effect July 1, 2010. Last week the state of Mississippi became the forty-sixth in the nation to enact a data breach notification law. According to a Kelley Drye & Warren report, the law "tracks the general language of data breach notification laws already enacted." It takes effect July 1, 2011. (Editor's note: Privacy Tracker subscribers can hear more about both laws on the archived March call, available here.)
Full Story

ONLINE PRIVACY

Courts Raising Questions About Internet Anonymity (April 16, 2010)

A panel of Ottawa judges is considering whether Web sites named in libel actions must identify people who post anonymous defamatory comments, and that is raising concerns among some privacy and civil liberties organizations. The Ottawa Citizen reports on privacy advocates' view that, "if the judges support unmasking anonymous posters, that could erode their privacy by allowing others to piece together vast amounts of personal information." Meanwhile, a Nova Scotia Supreme Court judge has ordered that newspapers provide the identities of anonymous commentators in legal cases such as defamation suits, stating, "They, like other people, have to be accountable for their actions."
Full Story

ONLINE PRIVACY

Study: Young People Care about Online Privacy (April 16, 2010)

Young adults in the U.S. care about online privacy to a similar degree as older adults, according to survey findings released this week. The San Francisco Chronicle reports that researchers at two universities polled 1,000 Americans age 18 and older, finding that "older adults are more alike on many privacy topics than they are different." For example, 84 percent of 18- to 24-year-old respondents said a person should seek their consent before posting a photo or video of them to the Internet, while 90 percent of those ages 45 to 54 felt the same way. The researchers conclude that, "Public policy agendas should therefore not start with the proposition that young adults do not care about privacy..."
Full Story

PRIVACY LAW—IRELAND

Call for Data Breach Notification Law (April 16, 2010)

On the heels of the Data Protection Commissioner's annual report, which revealed a 50 percent increase in the number of data breaches, an Irish Times article says it is time for Ireland to legislate mandatory data breach disclosure. Without a notification law, "citizens cannot even take the most basic steps to protect themselves from becoming a victim of identity theft," writes Karlin Lillington. "We cannot sit about and wait for years for the subject to come back onto Europe's agenda." Lillington notes that although the government is working on legislation to allow for the retention of "huge amounts of sensitive data...little has been done to protect such data--as the Data Protection Commissioner's report makes all too clear."
Full Story

DATA PROTECTION—EU

E-Waste Can Be Treasure Trove for Criminals (April 16, 2010)

The wealth of sensitive personal data that often remains on old computers and mobile phones has prompted European Data Protection Supervisor Peter Hustinx to raise concerns about the European Commission's proposal to recast its old directive for waste electrical and electronic equipment, the EUobserver reports. With the focus "solely on the environmental risks related to the disposal of e-waste," Hustinx said, the proposal "does not take into account other additional risks to individuals or organisations that may arise from the operations of disposal, reuse or recycling of e-waste, in particular those related to the likelihood of improper acquisition, disclosure or dissemination of personal data." Hustinx said appropriate security measures must be adopted at every stage of the processing of personal data.
Full Story

PRIVACY LAW—U.S.

SCOTUS To Hear Text Privacy Case Next Week (April 15, 2010)

Next week the U.S. Supreme Court will begin its review of a Ninth Circuit decision that has implications for employee privacy, reports National Public Radio. In City of Ontario v. Quon, the justices will determine whether a municipal police officer had a reasonable expectation of privacy in text messages transmitted on a department-issued pager. "The eventual decision could have huge repercussions," the report states, and public and private sector groups are watching. The National School Boards Association filed an amicus brief in February, saying that the outcome could impact "the ability of school districts to access employees' work-related communications."
Full Story

PRIVACY LAW—U.S.

CCIA: Supreme Court Needs Tech-Savvy Justice (April 15, 2010)

The Computer and Communications Industry Association (CCIA) has written to President Barack Obama urging him to appoint a Supreme Court justice with a background in technology to help the court as it faces more issues related to the Internet and privacy. PCWorld reports that the letter from CCIA President and CEO Ed Black discusses the possibility that the nation's highest court may face a number of tech-related issues in the coming years, including cases involving privacy. The letter goes on to recommend a nominee such as Rep. Zoe Lofgren (D-CA) who "has acted as a watchdog when the government or others infringed on the privacy of Internet users--or broke the law when collecting information on Americans."
Full Story

FINANCIAL PRIVACY—EU & U.S.

EU-U.S. to Resume Bank Data-Sharing Talks (April 15, 2010)

European Union interior ministers are expected to meet on April 22 to discuss and endorse the start of new negotiations between the European Commission and the U.S. on sharing bank transfer data that the U.S. contends is essential to the fight against terrorism. The European Voice reports the EU is considering new arrangements to replace those thrown out by the European Parliament in February due to data privacy concerns. According to the draft mandate, transfer requests from the U.S. will have to be approved by a designated judicial authority in the EU to ensure that EU citizens have the same administrative and judicial redress as U.S. citizens against any misuse of their data, the report states.
Full Story

PRIVACY LAW—U.S.

House Passes Act to Eliminate Notice Confusion (April 15, 2010)

The House of Representatives passed a bill yesterday that would nullify the need for some financial institutions to send annual privacy notices, the Star Tribune reports. The Eliminate Privacy Notice Confusion Act will cut "red tape and bureaucracy, while also protecting consumers from confusion over their privacy policies when nothing has changed," according to the office of Rep. Erik Paulsen (R-MN), who cosponsored the bill with Rep. Dennis Moore (D-KS). Debt buyers in particular are expected to benefit from the reform, according to PaymentsSource. The legislation now moves to the Senate.
Full Story

HEALTHCARE PRIVACY—CANADA

More Controls Needed for Healthcare Workers’ Access to Personal Information (April 15, 2010)

Information and Privacy Commissioner Gary Dickson says there needs to be a review of how Saskatchewan trains, approves and monitors healthcare workers and their use of personal health information. Dickson's report came after an investigation into a 2009 incident where a pharmacist was caught improperly accessing drug information about a former patient. CBC reports that the pharmacist looked up information about a patient and two family members a total of nine times for personal reasons. Dickson's report also recommends tighter restrictions on when and where pharmacists and other healthcare workers should be allowed to access computers to look up such information.
Full Story

TRAVELERS’ PRIVACY—EU

Report: Assess Privacy Risks before Deploying Passenger RFID Tags (April 15, 2010)

An EU cybersecurity agency has developed recommendations ahead of the implementation of RFID technology in air travel, The Register reports. The European Network and Information Security Agency (ENISA) report focuses on RFID luggage tags and biometric chips in electronic passports. The technologies are expected to streamline the air travel experience for both passengers and airport staff. But the report recommends further research in the areas of data protection and privacy, citing possible privacy and security risks, among others. ENISA also advises European Commission policymakers to mandate security and privacy impact assessments before the new technologies are deployed, the report states.
Full Story

BEHAVIORAL TARGETING

Marketers Are Following You To Build Better Ads (April 15, 2010)

In the age of the Internet, marketers are watching what their customers do online in an effort to better aim ads at potential consumers. The Wall Street Journal reports that major companies are turning to smaller start-ups to help them use social networking data to target their advertising, and the trend is raising concerns among privacy advocates. One company, for example, reports that it tracks five billion online connections to weigh the data included in friend-acquaintance connections. Such ad targeting practices are raising concerns about privacy at the federal level, the report states, with some lawmakers preparing to introduce legislation in the coming weeks to make Web site tactics for collecting information on their users more transparent. (Registration may be required to access this story.)
Full Story

BEHAVIORAL TARGETING

Tech Specs Released for Icon Use (April 15, 2010)

The Interactive Advertising Bureau and Network Advertising Initiative have released technical standards to accompany a new icon designed to inform Internet users about targeted ads, MediaPost News reports. The CLEAR (Control Links for Education and Advertising Responsibly) Ad Notice Technical Specifications intend to guide ad networks and media companies on how to provide consumers with notice when serving ads that are the result of tracking. The icon is part of an industry effort to better inform consumers about the methods behind the ads they receive in order to stave off regulation. In the next few weeks, advertisers will begin testing the icon.
Full Story

ONLINE PRIVACY—U.S.

“Leave No Trace?” Not So Easy in a Digital World (April 15, 2010)

While many of us may love the simplicity of being able to tap our smartphones or click a computer mouse to find directions, order theatre tickets or make a quick bank transaction, all that convenience comes with a price, the loss of privacy. CNN reports that in this digital age, such information as personal interests and the locations of the places where you shop, eat or go out on the town is valuable data for companies and advertisers. "Almost anything you do in today's society involves leaving a track," said Doug Klunder, director of the American Civil Liberties Union of Washington's Privacy Project.
Full Story

HEALTHCARE PRIVACY—U.S.

Survey Shows Increased Use of Digital Medical Records, But Privacy Concerns Persist (April 14, 2010)

A survey of 1,850 Americans shows the number who are using digitized personal health records (PHRs) has doubled since 2008, the Wall Street Journal reports. However, that number remains at just seven percent of all patients, with respondents pointing to fears about privacy as the primary reason they are not making the move to digital records. Respondents also indicated they would be more likely to lie to their doctors if there was any chance their information could be shared with outside organizations. The survey indicates that two out of three Americans are concerned about the privacy of their health information, and that those who use the system are divided along socioeconomic lines. Mike Perry, a partner at Lake Research Partners, which conducted the survey, said, "The point is while privacy concerns remain high, most consumers want to move in the direction of adoption." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Coalition: Warrant Should Be Required for Gov’t Access to E-mail (April 14, 2010)

Privacy groups and Internet giant Google are supporting Yahoo's efforts to fend off a request from the U.S. Department of Justice to access e-mail messages, CNET reports. "This case is about protecting the privacy rights of all Internet users," a Google representative said. "E-mail stored in the cloud should have the same level of protection as the same information stored by a person at home." In a brief filed Tuesday afternoon, the coalition, which is also behind Digital Due Process, contends that a search warrant is necessary before the FBI or other police agencies can read the contents of e-mail messages. "Society expects and relies on the privacy of e-mail messages just as it relies on the privacy of the telephone system," the brief states.
Full Story

ONLINE PRIVACY

Privacy Changes Will Keep Flash Cookies Off Computers (April 14, 2010)

Adobe Flash Player 10.1 will honor each user's browser privacy setting, which means Flash cookies will no longer be "dropped on computers to track Web activity," NetworkWorld reports. Adobe officials noted in a statement that the enhancements will help users better control their personal information "so that when someone activates private browsing in their browser, it is also activated in Flash Player--meaning there is no local storage of information from that Flash Player session." The changes, which are intended to improve user privacy, could mean difficulties for online merchants and banks that use Flash cookies to identify returning customers, the report states.
Full Story

SOCIAL NETWORKING—GERMANY

Aigner Writes, Facebook Writes Back (April 14, 2010)

TIME reports on the open letter Germany's consumer protection minister sent to Facebook CEO Mark Zuckerberg last week in which she expressed dismay over the company's plans to begin sharing users' personal details with certain third-party Web sites. "Private information must remain private," wrote Ilse Aigner. The letter added to concerns already voiced by German data protection officials. In response to Aigner's letter, the company stated that the proposed changes do "not relate to the wholesale sharing of user data for commercial purposes as the minister fears." Aigner also established a Facebook group for discussing data protection.
Full Story

DATA PROTECTION—U.S.

NIST Releases Guidelines to Protect Personal Data (April 14, 2010)

The National Institute of Standards and Technology (NIST) has released guidelines aimed at helping agencies safeguard personal information, Government Computer News reports. Among other recommendations, the report suggests agencies take inventory of stored personally identifiable information (PII), and develop a risk-based approach to protecting it, placing emphasis on protecting the most critical information. The report states, "All PII is not created equal," and quotes a former presidential advisor who once told Congress, "If we guard our toothbrushes and diamonds with equal zeal, we will lose fewer toothbrushes and more diamonds."
Full Story

HEALTHCARE PRIVACY—U.S.

DHHS Notice Explains Breach Data Uses (April 14, 2010)

The Office for Civil Rights (OCR) in the Department of Health and Human Services has published a notice detailing how it will use information from organizations reporting health data breaches, Health Data Management reports. According to the report, the notice explains new routine uses of the Program Information Management System, allowing the office to collect and list large breaches, collect and disseminate data necessary in breach investigations and reports to Congress, among others. The notice will become effective after a 40-day comment period that began yesterday.
Full Story

PRIVACY LAW—IRELAND

Doctor: Data Protection Legislation Needs Review (April 14, 2010)

The Irish Medical Office (IMO) is calling for a review of current data protection legislation and its impact on effective patient care, Irish Medical News reports. At the IMO's Annual General Meeting last week, Dr. Matt Sadlier proposed there be standard guidelines--renewed periodically to keep pace with technology--and encryption requirements for laptops storing healthcare data. "If you are traveling with medical notes in your car, 'here is how you hold them safely i.e., do you have them in a locked briefcase in a locked car' like you would with a drug," he said. Sadlier also proposed amending legislation to ensure doctors' home addresses are no longer published on the Medical Council Web site.
Full Story

PRIVACY LAW—U.S.

Opinion: Business Practices Must Be Considered in ECPA Changes (April 14, 2010)

When it comes to updating the 24-year-old Electronic Communications Privacy Act (ECPA), Congress needs to look not only at new technology but also at the way business practices have changed. That is the message Electronic Privacy Information Center (EPIC) Director Marc Rotenberg shares in response to a recent editorial on the need for updates to the federal law. While the need is there to address changes in technology, he writes in a letter to the New York Times, "Equally important are the dramatic changes in business practices. Companies now gather and use personal information in ways that the Congress that drafted the 1986 law could not have imagined." (Registration may be required to access this story.)
Full Story

IDENTITY THEFT

Fake Tax Returns Net $4 Million, Charges Filed (April 14, 2010)

Wired reports that two men are being charged with 35 counts of wire fraud, 35 counts of identity theft, one count of unauthorized computer access and two counts of mail fraud for the theft of about $4 million in tax returns. According to the report, the IRS processes electronically-filed tax returns without verifying the taxpayer's information--including whether they are alive--and will then direct deposit any requisite refund into a specified bank account. The thieves used this system between 2005 and 2008 to file more than 1,900 fake returns, duping the IRS into depositing about $4 million into more than 170 bank accounts they had opened with fake names and Social Security numbers.  
Full Story

DATA PROTECTION

Tips to Avoid Identity Theft (April 14, 2010)

A New York Times report offers advice on avoiding data theft such as frequently checking financial statements and credit reports, maintaining updated firewall and spyware on computers and changing security passwords often. In addition, it's wise to limit debit transactions and instead use credit cards, the report states. "If a thief steals a debit card, he's getting your money out of your bank account. It's more difficult to get your money back once it's gone. For credit cards, federal law establishes your maximum liability for unauthorized charges at $50 per card." According to the Identity Theft Resource Center, more than 220 million consumer records were leaked last year in nearly 500 separate breaches. (Registration may be required to access this story.)
Full Story

DATA PROTECTION

Your Conscience, in a Pop-Up Box (April 14, 2010)

A security company has created a way for users to think twice about the data they access. Techworld reports on a data leak prevention system developed by Check Point that can detect when sensitive data is being accessed and potentially misused. If the system senses a user is accessing data subject to certain corporate data policies, it will deploy an e-mail or pop-up box to remind him or her about the policies. A Check Point spokesperson told the Daily Dashboard the user will be given three options: discard, send or review. Regardless of what the user selects, the system logs the fact that a pop-up or e-mail was issued.
Full Story

PRIVACY LAW—ITALY

Milan Court Files Reasoning behind Google Convictions (April 13, 2010)

Yesterday, the Milan Court filed the judicial reasoning behind the February conviction of three Google executives for violating Italian privacy code, the New York Times reports. In the 111-page document, Judge Oscar Magi said the employees were convicted and sentenced based on Italian law that prohibits the use of someone's personal information with the intent of making a profit. "In simple terms," Magi wrote, "it is not the writing on the wall that constitutes a crime for the owner of the wall, but its commercial exploitation can." Italian lawyer Rocco Panetta told the Daily Dashboard the reasoning confirms "Google had no obligation to filter and/or prior remove the eventual illegal content," nor was this "a case around freedom of speech." Rather, "it was a matter of compliance with laws and regulations dealing with personal data processing currently in force," Panetta said. (Registration may be required to access this story.)
Full Story

DATA LOSS—U.S.

Eight Fired or Disciplined for Accessing Data (April 13, 2010)

Eight Virginia Beach human services employees have been fired or disciplined in the past year for wrongfully accessing personal information contained in state databases, reports the Virginian-Pilot. City officials are now expanding the probe that revealed the breaches. "We need to look at the magnitude of the problem," said city auditor Lyndon Remias. Human Services Director Robert Morin said that most of the breaches involved city workers accessing information about people they knew. The 330 department employees have varying degrees of access to up to 13 state and federal databases, according to the report.
Full Story

ONLINE PRIVACY—CANADA & U.S.

Commissioner OKs University’s Move to Gmail (April 13, 2010)

Alberta Information and Privacy Commissioner Frank Work has given the University of Alberta the approval to convert its e-mail accounts to Google's Gmail service--as long as university officials warn users about the possibility that their e-mails could be examined by U.S. authorities. The Edmonton Journal reports the commissioner's decision came after the university supplied him with a privacy assessment of the Gmail plan. In his decision, Work said the university has done what it reasonably can to ensure the protection of personal information, but because the e-mails are stored on American servers, they could fall under the U.S. Patriot Act. Under that law, e-mails could be secretly viewed by American authorities, the report states.
Full Story

PRIVACY LAW—U.S.

Virginia Passes Medical Breach Notification Law (April 13, 2010)

The state of Virginia has passed a law requiring notice of security breaches involving medical information, according to an Information Law Group report. It requires that breached entities notify affected Virginia residents and the state's Office of Attorney General. "The Attorney General can bring an action for violations of the law and impose civil penalties of up to $150,000 per breach," writes Info Law Group's David Navetta, CIPP. "The law does not apply to persons or entities that must report the breach under the HITECH Act." The new rules become effective in January.
Full Story

BIOMETRICS—NEW ZEALAND

Commissioner: Build Privacy into Biometrics (April 13, 2010)

Privacy Commissioner Marie Shroff believes that when it comes to biometrics, privacy should be built in from the beginning of the design, Computerworld reports. Speaking at a recent Biometrics Institute conference, Shroff noted that while biometrics do not currently have specific regulation under New Zealand's Privacy Act, regulation is "never off the table." Shroff said that may not be necessary, however, if biometrics developers and vendors focus on privacy principles when creating systems and managing data. Aaron Baker of the Department of Labour's immigration unit, which is participating in a five-country collaborative development of biometrics-aided immigration procedures with Australia, the UK, Canada and the U.S., said privacy will be built into any such system.
Full Story

DATA PROTECTION—U.S.

Advice for Advisors (April 13, 2010)

In an Investment News report, Brendon Tavelli, of the law firm Proskauer Rose, provides an overview of the laws financial advisors should be aware of and steps they can take to protect their clients' privacy and prevent legal problems. Suggested steps include publishing a privacy policy, encrypting personal information and carefully selecting outsourced service providers. "Vendors that will be given access to personal information should be vetted to ensure that they can protect it," Tavelli writes. "They should be contractually required to maintain appropriate safeguards for the life of the engagement." Additionally, Tavelli says advisors should be allowed to audit vendors' compliance periodically.
Full Story

PRIVACY LAW—U.S.

Opinion: Online Privacy Law Needs to Enter the 21st Century (April 13, 2010)

"The Internet has given the government powerful 21st-century tools for invading people's privacy and monitoring their activities, but the main federal law governing online privacy is a 20th-century relic," a New York Times editorial suggests. Supporting the recent efforts by Digital Due Process, a coalition of technology companies and privacy advocates, to see the 1986 Electronic Communications and Privacy Act (ECPA) updated, the editorial describes the law as not comprehensive enough to cover the many technological advances of the past 24 years. "In the absence of strong federal law," the report states, "the courts have been adrift on many important Internet privacy issues." The Senate and House Judiciary Committees plan to hold hearings on changes to the law this spring. (Registration may be required to access this story.)
Full Story

DATA PROTECTION—CANADA

Audits Reveal Many Deficiencies (April 12, 2010)

Recent audits of BC Ferries have revealed deficiencies in the company's data protection safeguards, reports the Globe and Mail. The company's president assured the problems will be addressed by fall and said, "We are confident that our system is safe and won't be compromised." An audit conducted last fall revealed up to 45 security deficiencies, including insufficient password protocols and a failure to audit database access. The audit also revealed that the company is storing several years' worth of unnecessary credit card data across multiple databases and that "the encryption routine is not fully secure or monitored/audited."
Full Story

PERSONAL PRIVACY—ISRAEL

Ministries Taking Second Look at Medication Benefit (April 12, 2010)

The Finance Ministry is considering creating a special commission to look into privacy issues associated with its plan to reduce medication costs for Holocaust survivors, Haaretz.com reports. Since announcing plans for the program, the ministry has received dozens of letters from individuals concerned about the personal data they would be required to provide in order to benefit from the program. Some requested to be kept off the list of those eligible for the benefit, while others called for laws to prohibit the disclosure of their survivor status. The Social Affairs Ministry is also examining the issue.  
Full Story

PRIVACY LAW—NEW ZEALAND

Law Would Give Banks Access to Validation System (April 12, 2010)

New Zealand's government will introduce legislation this year to allow private sector access to its data validation service, reports the New Zealand Herald. The law would let financial institutions validate individuals' identities by cross-checking them with information on the Interior Ministry's site, which includes citizens' personal details but not those of a sensitive nature, according to Internal Affairs Minister Nathan Guy. Giving banks access to the system is expected to help them comply with certain laws and track terrorism financing, the report states. Privacy Commissioner Marie Shroff said, "So far we are satisfied that it appears to be on the right track, and we will be keeping closely involved with its development."
Full Story

FINANCIAL PRIVACY—EU & U.S.

Negotiations Underway for New Data-Sharing Deal (April 12, 2010)

While the EU remains focused on assuring privacy is protected, EU and U.S. officials are hopeful they will be able to agree on a new data-sharing deal aimed at anti-terrorism investigations, AFP reports. "The right to privacy for European Union citizens cannot be held 'hostage' by the fight against terrorism," said Viviane Reding, the EU's justice commissioner. She stressed that in their efforts to fight terrorism, officials "cannot overstep the mark." Following meetings on Thursday and Friday in Spain, U.S. Homeland Security Secretary Janet Napolitano said, "I believe we can reach an agreement with the full appreciation of the privacy issues involved, which are issues that are important to the United States as well as to the European Union."
Full Story

GEO PRIVACY

Apple “Taking Privacy Further” (April 12, 2010)

Apple introduced its iAd mobile advertising platform last week and previewed the next version of the iPhone operating system, which will include features to help users control their geo privacy, reports the New York Times. "We're taking privacy several steps further," with iPhone OS 4, Apple's senior vice president of iPhone software said at a preview event on Thursday. Among them, OS 4 will include a status bar arrow that indicates when a user's location is being tracked as well as other "fine-grained settings" to improve users' awareness and control. Jules Polonetsky, CIPP, of the Future of Privacy Forum, said the move shows "how treating data use as a feature is a better way to communicate to users than legal policies" about privacy. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

Sites Rethinking the Anonymity Model (April 12, 2010)

News sites are rethinking the anonymity option for readers who post comments in response to articles. The New York Times reports that journalists and the organizations they work for may be losing patience with those who use anonymity to make inappropriate comments. "As the rules of the road are changing and the Internet is growing up, the trend is away from anonymity," says Huffington Post founder Arianna Huffington, whose site will soon implement a ranking system for commenters. Other sites, such as the Washington Post, are considering similar changes to their comments policies. (Registration may be required to access this story.)
Full Story

DATA LOSS—U.S.

Nearly One Million Now Said to Be Impacted (April 12, 2010)

The number of those affected by the BlueCross BlueShield of Tennessee data theft last October has increased to 998,422 since the last count in March, Health Data Management reports. The insurer began notifying those potentially affected in January. To date, the tab for investigating the incident, notifying customers, extending credit monitoring to individuals affected and working with attorneys general in 32 states has reached $7 million. The insurer plans to release a final report when the process is complete, the report states.
Full Story

TRAVELERS’ PRIVACY—U.S. & AFRICA

Officials Discuss Airline Security, Privacy Concerns (April 12, 2010)

Privacy concerns and cultural sensitivities to body-scanning technology should not keep nations from working together toward improved air travel security, U.S. Homeland Security Secretary Janet Napolitano told African ministers in advance of a regional conference set to begin today. AFP reports that Napolitano told ministers from 37 African countries and other international experts that while nations "have unique legal traditions, cultural differences and political realities" that should not "keep us from working towards a common goal and even stronger partnership with respect to security and privacy." The three-day meeting in Nigeria comes in the wake of concerns that the use of new security technology such as airport body scanners violates privacy laws in some countries.
Full Story

FINANCIAL PRIVACY

Keeping Credit Scores Private Can Mean Increased Insurance Costs (April 9, 2010)

Insurance companies across Canada are increasingly using credit scores to determine the cost of premiums, CBC-TV reports, and for those who choose privacy over sharing their scores, the costs can be significant. While companies report they do not force customers to reveal their credit scores, those who choose to keep the information private can face rate hikes. Some consumers, however, say they are willing to pay that price. "My exact words were I'll eat the discount... to keep my privacy private," said Paul Renny of Ontario. Credit scoring has been banned in Ontario and Alberta for auto insurance, the report states, while New Brunswick has become the first province to ban the practice outright for any type of insurance.
Full Story

FINANCIAL PRIVACY—EU & U.S.

Holder Says “Extensive Privacy Safeguards” in Place (April 9, 2010)

Speaking at a news conference in Madrid yesterday, U.S. Attorney General Eric Holder acknowledged European concerns about an accord that would enable the sharing of EU citizens' bank transaction data with U.S. officials for counterterrorism efforts, the New York Times reports. "We recognize that there have been questions raised in Europe, and one of our goals is to highlight the extensive privacy safeguards that have been put in place," Mr. Holder said. American and European justice and interior ministers are meeting today to discuss financial data sharing and other matters. The European Commission recently announced intentions to create its own terror financing tracking system. A senior U.S. Treasury official said yesterday that Washington is committed to working with it "under the basis of reciprocity," but stopped short of saying whether the U.S. would grant the EC access to American citizens' banking data, an arrangement EC officials will push for in today's meeting.
Full Story

ONLINE PRIVACY

Location, Location, Location (April 9, 2010)

When it comes to data, location matters. That's according to an E-Commerce Times report on the growing popularity of cloud computing and Software as a Service (SaaS). Customers are bringing the "location of data" question "back to the table," said one executive. Gartner VP Jay Heiser added that such models are increasing risk factors. "If you don't know where your data is, you have very little basis for understanding the risks associated with it, including availability," Heiser said. In addition, a "sticking point" for a growing number of organizations is the USA Patriot Act, according to the report, which asserts "There is increasing concern that the practice may be in direct conflict with national privacy laws outside the U.S."
Full Story

PRIVACY—U.S.

White House: “Wheels Are Turning” on Privacy Board (April 9, 2010)

The Obama Administration is facing mounting pressure to fill the five vacant seats on the Privacy and Civil Liberties Board, the Washington Post reports. A member of the House Homeland Security Committee said this week that "It's important, especially as we ramp up on domestic intelligence issues, that we have an independent watchdog" for privacy and civil liberties. An administration official said "the wheels are turning." He said the White House is vetting someone for one of the three Democratic seats on the board, and Republicans on the Hill "will have names to us in two weeks," according to the report.
Full Story

PERSONAL PRIVACY

TMI and the Workplace (April 9, 2010)

"It's official: The TMI phenomenon--as in 'too much information'--has invaded the workplace," Elizabeth Bernstein writes in a Wall Street Journal report. She suggests that reality TV and social networking have created "a culture where people are encouraged to share every sordid--or boring--detail of their lives," and the result is that "they have desensitized us to the idea that some things are meant to be private." She also suggests that use of e-mail has blurred the privacy lines. Highlighting the most uncomfortable instances of office TMI, Bernstein shares tips on how to stop "privacy-challenged" coworkers from over-sharing without ruining work relationships.
Full Story

BEHAVIORAL TARGETING—U.S.

Groups File FTC Complaint on Real-Time Ad Auctions (April 9, 2010)

Three privacy groups filed a complaint with the Federal Trade Commission (FTC) Thursday morning seeking a review of the practice of "real-time auctions" for online advertising slots, the New York Times reports. In their 32-page filing, the World Privacy Forum, U.S. Public Interest Research Group (PIRG) and the Center for Digital Democracy are calling the technology a "privacy threat" that enables "the real-time profiling, targeting and auctioning of consumers..." The complaint cautions that the data sources available for sale online provide detailed information on consumers. "Consumers will be most shocked to learn that companies are instantaneously combining the details of their online lives with information from previously unconnected offline databases without their knowledge, let alone consent," says Ed Mierzwinski of U.S. PIRG.
Full Story

SOCIAL NETWORKING—FRANCE

Rumors About Leaders’ Private Lives Spark Judicial Inquiry (April 9, 2010)

Social networking site postings and online blogs focused on the personal lives of President Nicolas Sarkozy and his wife, Carla Bruni, are testing the limits of privacy, The Economist reports. Denouncing the stories as "totally unfounded," Sarkozy's attorney has said a judicial inquiry is looking into the origins of the rumors, the report states. Noting that France's strict privacy laws allow public figures to sue even when stories are true, the report points out that many media organizations have adopted the practice of "publish first and pay the penalty later." Social networking users, meanwhile, who are not required to provide proof or check for accuracy, "make enforcement of the privacy laws harder."
Full Story

SOCIAL NETWORKING—U.S.

Healthcare Providers Need Social Media Policies (April 9, 2010)

When it comes to employees' social networking use, healthcare providers can be in the precarious position of trying to protect not only their image but also patient privacy, ADVANCE reports. Attorney Teresa Tracy urges employers to make it clear that postings of patient information violate HIPAA, noting, "Some employees, strange as it may seem, really are not aware these things are not allowed." Experts also caution that privacy breaches are not always so clear, and even posts about unnamed patients can lead to violations. "It's a rapidly evolving medium," says Paul Matsen of the Cleveland Clinic, "so you need to stay attuned to how it's growing and adapt your policies as you need to going forward."
Full Story

BEHAVIORAL TARGETING—U.S.

FTC Complaint Focuses on Tracking, Profiling Consumers (April 8, 2010)

The Center for Digital Democracy, U.S. PIRG and World Privacy Forum plan to file a complaint today with the Federal Trade Commission (FTC) questioning the tracking and profiling practices Internet companies use to target consumer advertising, the Mercury News reports. The privacy advocates contend that newer methods of targeted advertising are especially problematic because of the detailed user profiles that result from integrating online and offline information. The groups allege this "massive and stealth data collection apparatus threatens user privacy," the report states, and are asking the FTC to compel companies to obtain express consent from consumers before targeting them with ads based on their online activities.
Full Story

DATA PROTECTION—EU & U.S.

EU-U.S. Data-Sharing Agreements Back in Discussion (April 8, 2010)

U.S. and EU officials are meeting today in Spain on data-sharing issues that the U.S. contends are essential to fighting terrorism but that the EU views as violating privacy and civil liberties. The Associated Press reports that the EU plans to add new data protection guarantees to a bank data-sharing deal with the U.S., including a ban on transferring bulk data and requirements that data be held no longer than five years. EU justice commissioner Viviane Reding will also soon decide changes to a second counterterrorism cooperation deal allowing Europe and the U.S. to swap details on airplane passengers, the report states. The EU will discuss that deal on April 23.
Full Story

PRIVACY LAW—U.S.

Adzilla Suit Settled, Questions Remain (April 8, 2010)

MediaPost News reports that a privacy lawsuit launched against behavioral targeting company Adzilla and its partners last year has been settled, but the settlement "leaves unresolved whether it's legal to target Web users based on data purchased from Internet service providers." Under the settlement terms, Adzilla must "require opt-in consent of consumers" should it resume ISP-based ad targeting in the U.S. The company halted operations in 2008, the report states. A Richmond, Virginia, resident brought the suit forward after realizing that Adzilla had been tracking her online activity via her ISP.
Full Story

DATA PROTECTION—IRELAND

Report: Tighter Control of Data Needed (April 8, 2010)

Data Protection Commissioner Billy Hawkes released his annual report for 2009 today. The commission investigated 914 complaints last year, which is slightly fewer than in the two previous years, the Belfast Telegraph reports. The commission issued several calls for increased data protection in 2009. Among them, it ordered the Health Service Executive (HSE) to increase controls around patient data. "The HSE holds the most sensitive detail about people--patient data," Hawkes said. "It's very important that is minded carefully so that we can all trust the health service when we use it."
Full Story

SURVEILLANCE—UK

Film Explores Escaping the “Surveillance State” (April 8, 2010)

The advocacy group Privacy International has ranked the UK just behind such nations as Russia and China in terms of its use of surveillance, TIME reports. In an interview with filmmaker David Bond, the magazine explores Bond's experiment spending a month escaping detection, which was prompted by the government's loss of his newborn daughter's personal information in 2007. Bond's experiences resulted in the creation of a documentary entitled "Erasing David." Going "off the grid," Bond says he learned that, "We're normalized to living an utterly exposed life. But there's value in privacy--it's a tremendously uplifting and strengthening feeling, to feel like you can withdraw. Not because you've got anything to hide, just because you want to."
Full Story

GENETIC PRIVACY—UK

DNA Bill Moving Forward (April 8, 2010)

The government's crime and security bill, which includes provisions allowing police to retain DNA profiles of anyone charged with a crime for up to six years, is moving forward, The Guardian reports. However, opponents have pledged to bring in early legislation to ensure the DNA profiles of innocent people arrested for minor offences would not be retained on the national database, the report states. The DNA register has been criticized on the basis of privacy concerns, and the government is now required to limit the time that DNA samples are stored following a European Court of Human Rights ruling that indefinite retention was illegal.
Full Story

HEALTHCARE PRIVACY—U.S.

Lost Media Top Reason for Data Exposures (April 8, 2010)

Since January 2008, more than 110 healthcare organizations have reported the loss of sensitive patient data affecting more than five million people, InformationWeek reports. That's according to a 2010 Healthcare Information and Management Systems Society study on the security of patient data. The study found that 40 percent of respondents said data losses were due to laptop and other media thefts. The study also found that although organizations are training staff on data protection practices, a lack of consensus on who should be responsible for data security persists.
Full Story

BEHAVIORAL TARGETING

Criteo Says Privacy Advantage Coming to U.S. Market (April 8, 2010)

The CEO of a Paris-based retargeting company says its experience in Europe has given it a privacy advantage that it will now introduce to the U.S. market. Criteo has moved its headquarters to Palo Alto, California, according to a MediaPost News report. JB Rudelle, chief executive of Criteo, says, "We have been working in countries like Germany, which is probably the most demanding country in the world when it comes to privacy. We put a direct opt-out link on all retargeting display banners in Europe and hope to bring this feature into the U.S. market."
Full Story

ONLINE PRIVACY

Companies Leverage Privacy as Competitive Advantage (April 8, 2010)

The Register explores how companies are using privacy practices as a competitive advantage. Namely, the report outlines how recent Microsoft communications seem to be leveraging privacy to differentiate the company from its competitors. The Register cites a recent company pledge to refrain from indexing Hotmail users' information for the purpose of serving targeted advertisements.
Full Story

DATA PROTECTION—EU

At Madrid Meeting, EC Will Seek Privacy, Reciprocity (April 7, 2010)

During a meeting with U.S. officials in Madrid this week, the European Commission (EC) will seek the right for its citizens to sue in American courts if they believe airline passenger data transmitted to the U.S. has been misused, the New York Times reports. The commission will also ask U.S. Attorney General Eric Holder and Homeland Security Secretary Janet Napolitano to share information about U.S. travelers, the report states. "We need a balance between security and justice and a relationship based on real reciprocity," EU justice commissioner Viviane Reding said. At the Thursday-Friday meeting, officials will also discuss EU-U.S. sharing of bank transfer data and airport body scanners. (Registration may be required to access this story.)
Full Story

HEALTHCARE PRIVACY—CANADA

Info Sharing Irks Privacy Commissioner (April 7, 2010)

While hospital foundations are lauding a decision by the Saskatchewan government to give them access to the names and addresses of those who have used hospital services in order to aid fundraising efforts, others are less enthused, reports CBC News. Provincial privacy commissioner Gary Dickson says, "Information that's provided so we can be diagnosed and treated shouldn't be shared with any third party without the consent of the patient. This obviously violates that." However, Provincial Health Privacy Officer Jacqueline Messer-Lepage says patients will be allowed to opt out of having their information shared with fundraisers and that "certain health regions may choose to go with an opt-in process."
Full Story

CONSUMER PRIVACY—U.S.

New FTC Commissioners Take Oaths (April 7, 2010)

Julie Brill and Edith Ramirez took their oaths of office this week, bringing the Federal Trade Commission's roster up to five and facilitating its new tougher stance on privacy, according to the Hunton and Williams Privacy and Information Security Law Blog. During her tenure with the Vermont Attorney General's Office, Brill received an award from Privacy International for her efforts to require state banks to obtain consumers' written opt-in consent before sharing information with third parties. "These individuals bring a depth of experience to their respective roles, and I am confident they will serve my administration and the American people well," said President Barack Obama in a statement earlier this year.
Full Story

DATA LOSS—U.S.

Class Action Seeks $20 Million in Damages (April 7, 2010)

Sixteen named plaintiffs have filed a class action suit against Countrywide Financial, Countrywide Home Loans and Bank of America, which bought Countrywide, alleging Countrywide Financial employees stole and sold customers' personal financial information. Courthouse News Service reports that the class action suit, which seeks more than $20 million in damages, claims customers' privacy was invaded, exposing them to identity theft. "Countrywide delayed several months before informing their customers," the complaint states. "Finally, Countrywide informed only certain of their customers by letter and offered in settlement to refer the customers/borrowers to counseling, when it was Countrywide that needed to review and repair its internal procedures..."
Full Story

SOCIAL NETWORKING—U.S.

Suit Claims Google Buzz Violated Privacy (April 7, 2010)

A class action suit filed Monday in federal court alleges Google's Buzz social networking service violated the privacy rights of users of the company's e-mail service when it automatically displayed their contacts to other users, BusinessWeek reports. Following customer complaints, Google modified the service, but the lawsuit contends the changes "do not go far enough" and the error "already caused damage because the Buzz program disclosed private user information the moment Google launched the service." This week's lawsuit follows a letter last month to federal antitrust authorities from 10 members of Congress requesting an investigation into whether Buzz compromised users' privacy, the report states.
Full Story

DATA PROTECTION

Survey: Compliance Focus Leaves Secrets Vulnerable (April 7, 2010)

Many companies' IT departments are making significant investments in data protection compliance, possibly to the detriment of company trade secrets. That's according to a recent survey of 305 companies worldwide. The Forrester Consulting study, funded by Microsoft and RSA, found that 39 percent of enterprise budgets are devoted to compliance-related security programs aimed at protecting custodial data, even though "trade secrets" comprise more than half of data stored, esecurityplanet.com reports. "This strongly suggests that investments are overweighed by compliance," the report states. The authors recommend remedies for correcting the imbalance, such as determining data value and creating a "risk register."
Full Story

SOCIAL NETWORKING—U.S.

Entrepreneur Deletes Social Networking Data to Avoid Lawsuit (April 7, 2010)

A Colorado entrepreneur has destroyed a database reflecting regional patterns among 210 million Facebook users after the company threatened to sue him for allegedly misusing the social networking site. Pete Warden says he gathered the data to share with researchers, while Facebook contends he did so without the company's permission, violating the rules of the site, the Associated Press reports. Warden started compiling the data while developing a search engine, the report states, and while he was not convinced his actions were against the law, he deleted the database because "he couldn't afford to fight a lawsuit."
Full Story

PRIVACY LAW—MALAYSIA

House Passes Data Protection Bill (April 6, 2010)

Malaysia's Lower House of Parliament yesterday passed The Personal Data Protection Bill, Bernama.com reports. The bill seeks to prevent data theft and misuse of personal data. It will bring the appointment of a personal data protection commissioner, and will require credit agencies to apply to the commissioner's office before they can store individuals' personal data in databases. It will also establish a code of practice to regulate dealings with personal information. The bill will now move to Parliament's Upper House. If passed into law, offenders could face two-year jail terms, fines of up to RM200,000, or both.
Full Story

ONLINE PRIVACY

Professional Reference Hub in Beta (April 6, 2010)

A new Web site designed to help employers find out more about job candidates has some concerned about its potential for damaging professional reputations, reports San Diego Entertainer. Currently in beta and only accessible through Facebook, the Unvarnished site lets individuals create profiles of themselves or someone else. Other users can then build upon the profiles anonymously, adding feedback on professional performance. Once created, the profiles cannot be removed, the report states. Critics say the site could damage the professional patinas of "unsuspecting individuals."  
Full Story

BIOMETRICS—INDIA

2010 Census Will Help Build National Database (April 6, 2010)

India's 2010 national census is now underway as the government attempts to count the nation's one billion people and gather data on everything from fertility, literacy and mortality to the number of mobile phones and Internet connections in households, The Times reports. Ultimately, the census will help build India's National Population Register, a biometric database that includes photographs and fingerprints of every "usual resident" over the age of 15, the report states. The goal is to create a national identity card for everyone over 18, and the plan is raising concerns about the privacy implications. Usha Ramanathan writes in an op-ed for The Hindu that the ID database "will act as a bridge between silos of information that will help profile the individual."
Full Story

PRIVACY LAW—U.S.

Employee E-mail Decision Spurs More Questions (April 6, 2010)

Last week's New Jersey Supreme Court decision that employees should have an expectation of privacy when they use personal e-mail accounts on corporate computers is raising new questions, NetworkWorld reports. The court's decision specified that when it comes to monitoring employees' actions online, "employers have no need or basis to read the specific contents of personal, privileged, attorney-client communications in order to enforce corporate policy." Jen Rubin, attorney at Mintz Levin in New York, says the decision brings up new questions about employer ownership of e-mail created on company-issued computers and is likely to have businesses taking much closer looks at their e-mail policies.
Full Story

CHILDREN’S PRIVACY—U.S.

FTC Considering COPPA Revision (April 6, 2010)

The Federal Trade Commission (FTC) is considering changes to its rules requiring Web sites to seek parental consent to collect information from children under the age of 13. By law, the FTC is required to review the Children's Online Privacy Protection Act (COPPA) every five years, The Hill reports, and has announced that "changes to the online environment over the past five years, including but not limited to children's increasing use of mobile technology to access the Internet, warrant reexamining the rule at this time." The FTC is seeking comment on proposed changes to address such issues as geolocation and behavioral targeting technologies, with all submissions due by June 30.  
Full Story

PRIVACY LAW—CANADA

Pending Case Could “Radically” Change Privacy Law (April 6, 2010)

Later this month, Canada's Federal Court will hear a case that has the potential to radically change the nation's privacy protections, reports the Toronto Star. Law Professor and regular Star columnist Michael Geist says State Farm Mutual Automobile Insurance Co. will argue that Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), enacted in 2000, oversteps the federal government's jurisdictional power. The case stems from a 2005 State Farm customer's request to know which third parties had access to his personal information, which State Farm refused to provide. Geist writes that "if successful, PIPEDA would no longer apply to thousands of Canadian businesses and new legislation such as the Electronic Commerce Protection Act (ECPA) would be imperilled."
Full Story

SOCIAL NETWORKING

Google Buzz Gets New Privacy Controls (April 6, 2010)

Google has created new privacy controls for its Buzz social networking service, MediaPost News reports. The new privacy setting, which went into effect on Monday, includes a confirmation screen requiring users to confirm their privacy settings when they log onto Buzz, the report states. The new privacy controls include approving a list of subscribers to users' Buzz feeds. Admitting the company "didn't get everything right" when Buzz was launched in February, Google Product Manager Todd Jackson notes that Google has moved "as fast as possible" to improve it and protect the privacy of its users.
Full Story

DATA LOSS—U.S.

Stolen Laptops Put 5,000 Patients’ Data at Risk (April 6, 2010)

A California hospital is providing one year of free identity theft protection to 5,450 patients whose personal and health information was potentially breached after the theft of two laptop computers, San Francisco Business Times reports. Officials at John Muir Health notified police and the U.S. Department of Health and Human Services after discovering the theft two months ago. The laptops were password protected and "contained data in a format that would not be readily accessible," said Muir's chief compliance and privacy officer, though the data was not encrypted. Muir officials say there is no evidence that the patient data has been compromised, and that encryption software has now been installed on the hospital system's laptops.
Full Story

DATA PROTECTION

UN Privacy Treaty Possible (April 5, 2010)

New Zealand Privacy Commissioner Marie Shroff says that huge increases in international data flows necessitate global privacy standards and enforcement, reports Stuff.co.nz. "We have to look at whether and how we can regulate to provide certainty for businesses and protections for individual citizens," Shroff says. A United Nations treaty might be a way to get there, according to the report. Such a treaty could address issues including search engine data collection, call centre outsourcing and payment card privacy. Shroff says she hopes it would apply to government uses of information as well, since "One of the drivers of international data flows is counterterrorism."
Full Story

SOCIAL NETWORKING—GERMANY

German Minister Pens Open Letter to Facebook (April 5, 2010)

In an open letter, German Consumer Protection Minister Ilse Aigner has urged Facebook CEO Mark Zuckerberg to revise the company's privacy policy "without delay," reports the Washington Post. Referring to more planned changes to the site's privacy settings, Aigner wrote, "I was astonished to discover that, despite the concerns of users and severe criticism from consumer activists, Facebook would like to relax data protection regulations on the network even further." According to the report, Aigner stressed that the company should not allow users' personal data to be shared with third parties for commercial purposes without users' consent. "Private information must remain private," Aigner wrote. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Former DOJ Lawyers: ECPA Outdated (April 5, 2010)

Former Department of Justice (DOJ) attorneys are among those calling for updates to the Electronic Communications Privacy Act (ECPA), stressing the 1986 law is out of date with new technologies, Main Justice reports. Several former DOJ lawyers, including Marc Zwillinger and Paul Ohm, are echoing concerns raised by Digital Due Process, a coalition of technological leaders and privacy advocates. Digital Due Process is asking Congress to revamp ECPA to address issues such as government access to e-mail and personal information stored on the Internet. Both Senate Judiciary Committee and House Judiciary Committee members have confirmed they will be holding hearings this spring to consider how to balance privacy and security concerns.
Full Story

PRIVACY LAW—U.S.

Massachusetts Data Regulations Raising Concerns (April 5, 2010)

New data security regulations adopted by the state of Massachusetts, which are considered among the most stringent rules of their kind, are creating challenges for businesses. Business Insurance reports that some legal experts believe the regulations--which went into effect in March and apply to any company that possesses personal information on Massachusetts residents, regardless of where the business is located--could lead to increased litigation against firms. "I think it's an invitation to a greater amount of lawsuits against organizations," said Tracey Vispoli, global cybersecurity manager for a New Jersey-based corporation, pointing out that the regulations set a "pretty high bar for companies to establish that they put reasonable security measures in place."
Full Story

PRIVACY LAW—UK

New Breach Fines Effective Tuesday (April 5, 2010)

The Information Commissioner's new fining powers--up to £500,000 for serious breaches--begin tomorrow, but a survey shows that many are unaware of the change, reports The Register. Parliament approved the new powers three months ago in order to deter negligent breaches, but a Cyber-Ark study has found that 65 percent of workers have not been informed. According to the survey, 64 percent of respondents carry customer data on mobile devices, and just 12 percent use encryption. Some say many organizations think they are immune to data breaches, and the fines will make little difference in corporate behaviour. Stonewood CEO Chris McIntosh says the fines do not "address the crucial issue of organisations trusting to luck."
Full Story

PRIVACY LAW—U.S.

Legislation Would Remove Birth Dates from Open Records (April 5, 2010)

Two Oklahoma senators have introduced legislation that would exempt government employees' birth dates from the state's Open Records Act, The Oklahoman reports. Senate Bill 1753 aims to protect the employees from identity theft. Within the last five years, the state has made at least $65 million from the sale of millions of motor vehicle records, according to Oklahoma Department of Public Safety records. The information, which includes birth dates of state drivers, is largely sold to insurance companies seeking driver history information, the report states. But one privacy expert claims that concealing birth dates in public records won't thwart identity theft because the information is widely available elsewhere. "Stop trying to shut the barn door after the horses are gone," he said.
Full Story

SOCIAL NETWORKING

Digital Suicide: Saying Goodbye to Online Life (April 5, 2010)

There's a new movement afoot among some social networking users to take back privacy by ending their online lives. The Globe and Mail reports on recent instances where users have decided to become "digital dropouts." Reasons behind the decision to say goodbye have ranged from concerns about online friends tracking users into their offline lives to social networking interactions becoming "someone else's entertainment." While two of the most recent online suicide sites, Web 2.0 Suicide Machine and Seppukoo, are now defunct, experts agree many issues come into play when making the decision of whether to delete or not to delete online information.
Full Story

PRIVACY LAW—U.S.

Calls for ECPA Changes Continue (April 2, 2010)

Senate Judiciary Committee Chairman Patrick Leahy (D-VT) has announced he plans to hold hearings on what he described as "much-needed updates" to the Electronic Communications Privacy Act of 1986 (ECPA), InformationWeek reports. The House Judiciary Committee has also confirmed it will hold ECPA hearings this spring. The announcements have come in the midst of requests by Digital Due Process, a coalition of technological leaders and privacy advocates, to address issues of law enforcement and privacy rights. "While the question of how best to balance privacy and security in the twenty-first century has no simple answer, what is clear is that our federal electronic privacy laws are woefully outdated," Leahy said.
Full Story

SOCIAL NETWORKING

Potential Facebook Privacy Changes in the Works (April 2, 2010)

The world's most popular social networking site is inviting its 400 million users to comment on its most recent proposed changes, which could include sharing personal information with third-party Web sites. The Washington Post reports that the new experiment would allow sites to access users' personal information if they are logged into Facebook in the same browser they are using to visit the secondary sites. One example offered by Bret Taylor, a Facebook product director, would be posting a link to a song on your wall and then visiting the record label's site, where you would be told which of your Facebook friends also liked the song. Facebook has said it will include opt-out functions for individual sites and for the program as a whole, the report states. (Registration may be required to access this story.)
Full Story

DATA LOSS—U.S.

Navy Confirms Breach (April 2, 2010)

Government employee organizations are asking the Navy for identity-theft insurance following the notification that the personal data of 244 employees was inadvertently released to a "non-government entity," the Washington Post reports. The breach occurred in June of 2008, but employees were not notified until October of 2009, the report states. According to the notification letter sent to the employees, Navy officials are "not aware of any evidence to suggest that your PII (personally identifiable information) has been misused or further distributed..." However, the National Association of Government Employees is concerned about the risk of "loss of reputation" and, potentially, "loss of their security clearance" due to the breach, the report states. (Registration may be required to access this story.)
Full Story

PRIVACY—EU

PRESCIENT Will Examine Emerging Technologies (April 2, 2010)

A three-year project funded by the European Commission will explore the privacy implications of emerging technologies ranging from identification and surveillance to biometrics and on-the-spot DNA sequencing, Security Management Today reports. PRESCIENT, which stands for Privacy and Emerging Sciences and Technologies, aims to establish a new framework for privacy and ethical considerations arising from emerging technologies. According to PRESCIENT's Web site, the project "will identify and analyse ethical issues posed by new technologies and discuss them with interested stakeholders and, in due course, provide scientifically based recommendations to policymakers on how to address privacy issues..." Michael Friedewald, the project's coordinator, says it is essential "to reconceptualise privacy in ethical, social, cultural and other dimensions, and to examine both how these different conceptualisations impact upon each other and how they can be bridged."
Full Story

PRIVACY LAW—U.S.

Washington Law Lets Banks Recover Breach Costs (April 2, 2010)

A new law in Washington will let banks recover certain costs and damages from retailers and credit card processors that suffer data breaches after failing to comply with Payment Card Industry (PCI) standards, reports esecurityplanet.com. Washington is the third state to enact such a law; Nevada and Minnesota impose similar requirements. The law will "put more pressure on companies to ratchet up their PCI compliance schedule," said Jim Halpert, a partner at DLA Piper in Washington, DC, on yesterday's Privacy Tracker monthly call. (Privacy Tracker subscribers may access the archived call here.)
Full Story

PRIVACY LAW

Fraser: FIPPA Changes Unnecessary, Gov’t Needs CPO (April 2, 2010)

BC's acting privacy commissioner says that the government's proposed changes to the provincial privacy law are unnecessary, The Tyee reports. Acting Privacy Commissioner Paul Fraser told a committee that is reviewing the Freedom of Information and Protection of Privacy Act (FIPPA) that it is already working in the ways the government wants, but a "lack of training and understanding" exists. The government told the same committee last week that it needs new powers to collect citizens' information and share it across government agencies using the forthcoming Integrated Case Management database. Fraser said that instead of rewriting the rules, the government should appoint a chief privacy officer to help interpret and communicate the existing rules.
Full Story

EMPLOYEE PRIVACY—GERMANY

Court Receives Wage Verification System Complaint (April 1, 2010)

Lawyers for the civil rights group FoeBud have filed a formal complaint with Germany's Constitutional Court to stop the storage of employment data, contending the Electronic Wage Verification System (ELENA) violates privacy laws. Deutsche-Welle reports that more than 22,000 Germans have joined the legal initiative to stop the use of ELENA to store employee data including wages, absenteeism and reasons for dismissals and disciplinary action. Privacy advocates believe the ELENA system could allow for the manipulation of personal data. "The system could become the target of computer hackers," said Rena Tangens of FoeBud, adding that the government could amend "the ELENA law, allowing intelligence services access to the system."
Full Story

DATA THEFT—UK

Theft Exposes Personal Data of 9,000 Students (April 1, 2010)

London's Barnet Council has apologized to the parents of 9,000 schoolchildren after a laptop, CD and USB sticks containing the students' personal information were stolen. The devices, which stored student names, post codes and phone numbers, among other data, were stolen during a burglary at a staff member's home. The employee had downloaded the student files from an encrypted database, decrypting the data in the process. The employee has since been suspended for breaking council rules, and the council says it has disabled external storage devices to prevent unauthorized copies of data, The Register reports.
Full Story

HEALTHCARE PRIVACY—U.S.

Public Opinion Shows Concern About ONC Data Project (April 1, 2010)

David Blumenthal of the Office of the National Coordinator (ONC) for Health Information Technology is asserting that the National Information Exchange Model (NIEM) is not a "Trojan Horse" to funnel patient data to government agencies, Modern Healthcare reports. Blumenthal referred to speculation about whether NIEM "might make it inevitable" that data is transmittable "to the Department of Justice, the Department of Homeland Security, the CIA, the NSA--I don't know where else," the report states. However, a recent survey indicates Americans do not trust the government with their medical information. According to the results of a Ponemon Institute survey of 883 adults, only 23 percent responded that they trust the federal government to protect the privacy of their health records. (Registration may be required to access this story.)
Full Story

DATA PROTECTION—U.S.

Report Calls for C-level Involvement in Cybersecurity (April 1, 2010)

"The Financial Management of Cyber Risk," a new report published by the Internet Security Alliance (ISA) and American National Standards Institute (ANSI), is recommending C-level executives implement cybersecurity risk management programs at their companies. CIO reports that part of the goal is to get executives directly involved in such efforts, citing a federal cyberpolicy review indicating U.S. businesses lost $1 trillion worth of intellectual property to cyberattacks between 2008 and 2009. "We believe if we can educate American organizations about how much they're actually losing, we can move to the next step, which is solving the problem," said Larry Clinton of the ISA, pointing out that between 80 and 90 percent of cybersecurity problems can be avoided by a combination of best practices, standards and security technology.
Full Story

PRIVACY LAW—U.S.

Legislation Planned to Keep Inmates from Data (April 1, 2010)

The U.S. Social Security Administration plans to propose legislation that would put a national ban on prisoners accessing data that could be used for identity theft, UPI reports. A 2009 audit by the administration's inspector general showed that a Kansas inmate involved in a work program tried to steal names and numbers. Kansas currently allows inmates to perform data entry for non-profit groups, the courts and state and local government, the report states. "This is like having the fox practice herding chickens," said a Kansas state representative. Most states have laws that bar inmates from seeing personal data.
Full Story

ONLINE PRIVACY—GERMANY

Street View Foes Vandalize Vehicle (April 1, 2010)

Foes of a Google mapping feature vandalized a car used to photograph German cities and towns this week, The Local reports. On Tuesday, the camera-clad vehicle of a Street View photographer was found with deflated tires and slashed camera cables, the report states. Street View offers Internet users panoramic views of cities and towns in a growing list of nations across the world. The feature has come under scrutiny in Germany, where data protection authorities have expressed privacy concerns.
Full Story