Privacy News | Daily Dashboard

Top Privacy News

ONLINE PRIVACY—U.S.

Cookie Ban Lifted (June 30, 2010)

The Office of Management and Budget (OMB) has updated a policy that restricted the use of persistent cookies on federal Web sites, InformationWeek reports. The OMB released new guidance last week that allows for the use of cookies, with some restrictions. "We think (this guidance) will allow the U.S. government to continue to improve its ability to be transparent and open...while fully protecting people's privacy rights," said the OMB's Michael Fitzpatrick. Previously, federal entities were required to seek approval from senior leadership before placing cookies onto their Web sites. Under the new policy, they need not gain such approval but must seek user consent under certain circumstances, among other requirements.

DATA LOSS—U.S.

470,000 Receive Breach Notice (June 30, 2010)

WellPoint has notified 470,000 health insurance applicants that a security glitch may have exposed their Social Security numbers and other personal information. The Tech Herald reports that a faulty Web site update is being blamed for the breach, which the company fixed once it was made aware of the issue in March. Of the 470,000 letters the company has sent out, 230,000 went to Anthem customers in California, where reports indicate attorneys for a class action suit against the insurer accessed applicants' personal information. "We have requested both by letter and in court filings that the attorneys return all information improperly obtained from the individual application system," WellPoint said in a statement, noting the information has been delivered to a court-approved custodian.

ONLINE PRIVACY—SWITZERLAND

Thür Outlines Privacy Needs (June 30, 2010)

At his yearly news conference, Hanspeter Thür, the Swiss data protection commissioner, warned that people need to be aware that their data is a currency traded for online services. "The business system is always the same. Companies provide clients with a new and interesting online service. And clients pay by giving their personal data," said Thür. Swissinfo.ch reports the commissioner's office is backing legal amendments to require that service providers offer better privacy protection as the default. "Opt in rather than opt out should apply," said Thür. He also pointed out the need to increase privacy awareness in teens given the risks involved with social networking and the need to increase international cooperation.

HEALTHCARE PRIVACY—U.S.

ACLU Sues RI Dept. of Health over Regulations (June 30, 2010)

The Rhode Island chapter of the American Civil Liberties Union (ACLU) has filed a lawsuit against the state's Department of Health, alleging that newly adopted regulations fail to adequately protect patient privacy, The Providence Journal reports. The organization says the regulations, developed by the Department of Health as the state transitions to the electronic exchange of health information, do not provide sufficient detail on how the system will work. The department has therefore violated the Administrative Procedure Act, the suit alleges. An ACLU statement said the regulations provide "virtually no details as to how the system would actually work and how it would protect the privacy, confidentiality and informed consent interests of patients."

DATA PROTECTION—MALAYSIA

Commission To Be Established by January (June 30, 2010)

The Star reports that a personal data commission will be created by January of next year. The commission's establishment follows the passage of The Personal Data Protection Bill in April, which will also establish a code of practice to regulate dealings with personal information and require credit agencies to apply to the commissioner's office to store personal data. The Information, Communication and Culture minister says his department is now in talks with the Public Service Department on manpower needs and other requirements for the commission. "The commissioner is not just anybody. He has to be trained in interrogations, cross-examinations in court proceedings and others," said the minister.

STUDENT PRIVACY—U.S.

School Board Opposes Student Tracking Plan (June 30, 2010)

Concerns about the privacy implications of using Social Security numbers to track student performance have prompted a Maine school board to ask the legislature to rescind the law authorizing collection of the data. The Bethel Citizen reports on the resolution by the School Administrative District (SAD) 44 School Board, which follows a similar statement from the Maine Civil Liberties Union earlier this month advising that while the Department of Education can require districts to collect the information, parents may refuse to supply it. "As a board, we must ask parents to refrain from handing over children's Social Security numbers," said SAD 44 School Board Chairman Sid Pew. "Attaching a child's Social Security number to their achievements and other information is a violation of their privacy."

DATA LOSS—U.S.

UMaine Breach Affects 5,000 Students (June 30, 2010)

The University of Maine Police Department is investigating a data breach that exposed nearly 5,000 students' personal and medical information. Starting in 2002 and spanning eight years, hackers accessed the UMaine counseling center database, the Sun Journal reports. The database stored information including names, Social Security numbers and clinical information. The university has hired a company to monitor the credit of those potentially affected, though there is no indication the hacked data has been viewed or used. "This is a serious breach and we are profoundly sorry that this has happened," said a university spokesman.

HEALTHCARE PRIVACY—U.S.

Tiger Team Approves Recommendations (June 30, 2010)

The team of experts working on e-health privacy and security issues last week approved recommendations to help ensure the protection of data in the online exchange environment, iHealthBeat reports. The Privacy and Security Tiger Team, developed by the Office of the National Coordinator for Health IT, approved proposals to establish verification and credentialing methods. The team also recommended the creation of data retention and use policies.

PRIVACY LAW—U.S.

Readers Support Supreme Court’s Quon Ruling (June 30, 2010)

Federal Computer Week readers believe the Supreme Court made the right decision when it ruled, in the case of a California police officer who was using his department-issued pager to send personal text messages, that employers have the right to access employee messages in such instances. The court ruling means that any communication sent via employer-issued devices is subject to review, regardless of the nature or content of the material. There seems to be support for such a move, the report states, highlighting one reader's suggestion that "there should be no expectation of privacy while communicating on any employer-owned equipment...Employee communications on company equipment and services should be considered as if you were putting it on a billboard on Main Street."

SOCIAL NETWORKING

Getting Divorced? Watch What You Post Online (June 29, 2010)

All those details social network users share online can add up to an abundance of evidence in divorce cases, the Associated Press reports. According to the American Academy of Matrimonial Lawyers, 81 percent of its members have used or faced evidence found on Facebook, MySpace, Twitter and other social networking sites in the past five years alone. "You're finding information that you just never get in the normal discovery process--ever," said one divorce attorney. "People are just blabbing things all over Facebook. People don't yet quite connect what they're saying in their divorce cases is completely different from what they're saying on Facebook. It doesn't even occur to them that they'd be found out."

ONLINE PRIVACY—EU

Regulators Push Google To Deliver WiFi Data (June 29, 2010)

After preliminary inspections of information gathered through unsecured wireless networks, privacy regulators in France, Germany and Spain are reiterating their requests that Google give them the original data collected in their countries, The New York Times reports. Google is keeping the data on hard drives at its U.S. headquarters and has offered the regulators remote access to review the information by computer, the report states, but regulators are saying that is not enough. As Agencia Española de Protección de Datos Director Artemi Rallo put it, "for a matter this important, we really need to see all of the data, including the original hard drive." The data protection agencies have said their investigations remain open with civil and criminal penalties possible. (Registration may be required to access this story.)

FINANCIAL PRIVACY—EU & U.S.

MEPs To Vote on SWIFT Agreement Next Week (June 29, 2010)

The five-year agreement signed by the European Council to allow the EU to share banking data with the U.S. could be approved by the European Parliament as early as next week, The Washington Post reports. The agreement was signed following the addition of stronger privacy guarantees requested by MEPs. "Currently, U.S. authorities submit a request for a needle, and we send them the whole haystack," said Sophie in 't Veld. "In the future...we will find the needle and send it to the U.S. authorities." The European Parliament is expected to approve the plan when it votes next week, the report states, with the data-sharing deal to go into effect on August 1. (Registration may be required to access this story.)

DATA PROTECTION—EU & U.S.

Differing Rules Pose Challenges to International Data Protection (June 29, 2010)

As the SWIFT agreement moves forward, EUobserver reports on the differing philosophies and laws governing the U.S. and EU when it comes to data protection. The differences pose challenges to U.S. companies doing business in the EU, the report states. Whereas in Europe data protection is viewed as a fundamental human right, in the U.S. "it's a consumer protection interest," said Lisa Sotto, a privacy lawyer at U.S.-based Hunton & Williams. Sotto discusses Safe Harbour agreements, which aim to bridge the gap between EU and U.S. philosophies and have helped some 2,200 U.S. companies to comply with EU laws.

ONLINE PRIVACY—U.S.

National Strategy for Identity Ecosystem (June 29, 2010)

The Obama administration has outlined its plan for a system of trusted digital identities that aims to improve the security of online transactions. The strategy lays the groundwork for a national federated identity infrastructure that could ultimately eliminate the need for the username-and-password model, reports Dark Reading. "Through the strategy, we seek to enable a future where individuals can voluntarily choose to obtain a secure, interoperable and privacy-enhancing credential...from a variety of service providers--both public and private--to authenticate themselves online for different types of transactions," said Howard Schmidt, cybersecurity coordinator and special assistant to the president, in a blog post. The National Strategy for Trusted Identities in Cyberspace draft paper is open for public comment until July 19.

PRIVACY LAW—GERMANY

Regulators Propose Extending Law To Online Images (June 29, 2010)

German privacy regulators met Friday to discuss extending privacy laws to give citizens control over the use of their images and those of their homes in online street-mapping services, IT World reports. The proposal demonstrates "the urgent need for a comprehensive modernization of data protection," said Hamburg Data Protection Commissioner Johannes Caspar. The draft law, which was submitted to parliament in April, would amend the Data Protection Act to make it illegal to publish databases of street images linked to their geographic coordinates without blurring faces and license plates. If adopted, the law would include other provisions as well, including making it illegal to store raw data for more than one month after initial publication.

BEHAVIORAL TARGETING—U.S.

Customers Tracked Through Mobile Coupons (June 29, 2010)

"Many companies have the technology--and customers' permission, thanks to the privacy policies that users accept routinely without reading--to track minute details of people's movements," The Washington Post reports, "but have held off from revealing how much they know with marketing offers that might come off as invasive." Digital coupons contain information about where they were obtained and redeemed and even the search terms used to find them, the report states. That data can then be matched with consumer information found both online and offline, including users' age, sex, income, purchases and Web browsing history, which has advocates asking users to consider whether the deals offered are worth potentially compromising their privacy. (Registration may be required to access this story.)

ONLINE PRIVACY

It’s Virtually Impossible To Hide (June 29, 2010)

In light of Web databases and services for "finding" people, privacy advocates are issuing warnings that a lack of online regulation allows companies to have too much control over personal information. That's according to a San Francisco Chronicle report on the dangers to both reputation and physical safety that can be posed by various online services that gather data and share information ranging from addresses to home values to "dateability." Pam Dixon of the World Privacy Forum said individuals have little control over their online information, while Paul Stephens of the Privacy Rights Clearinghouse points out that "a nosy neighbor" or marketer who is not likely to access files housed in archives can easily view digital records available at the click of a mouse.

FINANCIAL PRIVACY—EU & U.S.

SWIFT Agreement Signed (June 28, 2010)

The EU and U.S. signed a revised agreement today, moving closer to a deal that would allow the sharing of banking data in investigations of suspected terrorist financing, Deutsche Welle reports. "At the eleventh hour, we have obtained satisfaction on most outstanding issues," MEP Guy Verhofstadt said last week, describing provisions that would allow the filtering of EU citizens' personal information before it is transferred. Under the revised agreement, an EU official would be posted in the U.S. to scrutinize the transfer of European banking data to investigators, and requests would be "tailored as narrowly as possible" and checked by the EU's police coordination agency, the report states. MEPs are expected to vote on the agreement in July.

BEHAVIORAL TARGETING—EU

Browser Settings Don’t Imply “Cookie Consent” (June 28, 2010)

Web sites cannot comply with the new EU law governing Internet cookies by relying on users' browser settings, according to the Article 29 Working Party's interpretation of the revised Privacy and Electronic Communications Directive. OUT-LAW.COM reports that while online companies have claimed that advertising behavior will not need to change, experts believe Web sites will have to receive visitors' permission before using cookies. According to the Working Party's interpretation, "Informed consent can only be obtained if prior information about the sending and purposes of the cookie has been given to the user." Prior consent can, however, be given to advertising networks covering thousands of Web sites and need not be given to every individual site, the report states.

PRIVACY LAW—EU & UK

Commission Gives UK Two Months To Ramp Up ICO Powers (June 28, 2010)

The European Commission has notified the UK government that it has two months to increase the powers of the Information Commissioner's Office (ICO) before the commission will pursue legal action through the European Court of Justice, reports OUT-LAW.com. To comply with the Data Protection Directive, the commission says the ICO must have the power to conduct random checks on organizations and, where appropriate, take action. The commission has also stated the UK must change its law on people's rights to have their information deleted by organizations, the report states, and the ICO must be given the ability to assess the data protection laws of other countries before transferring information.

ONLINE PRIVACY—GERMANY

Justice Minister Questions Data Collection Practices (June 28, 2010)

German Justice Minister Sabine Leutheusser-Schnarrenberger has told Apple that it must immediately release information on what personal data it's collecting through GPS-enabled iPads and iPhones, how long the data is stored and how it's being used, reports Der Spiegel (article in German). Germany's personal data laws are very specific on collection, retention and consumer notification, reports PadGadget. Users must be aware of the company's practices, Leutheusser-Schnarrenberger said, adding, it would be "unthinkable" if Apple was tracking identifiable profile and location data. Meanwhile, Apple CEO Steve Jobs outlined the company's position on privacy at a recent conference, saying, "Ask them. Ask them every time. Make them tell you to stop asking if they get tired of your asking them. Let them know precisely what you're going to do with their data."

DATA LOSS—CANADA

Newsroom Again Receives Patient Information (June 28, 2010)

The CBC reports that it accidentally received healthcare information from Northwest Territories (NWT) health authorities one month after a similar breach raised concerns about patient confidentiality. "Two separate sets of patient files were mistakenly faxed to the CBC's Yellowknife newsroom on June 18," the report states, including a patient prescription record from the Yellowknife Health and Social Services Authority and documentation of a meeting with a wellness counselor from the Fort Smith Health and Social Services Authority. In each case, human error has been cited as the reason for the breaches. When similar fax errors occurred last month, NWT Privacy Commissioner Elaine Keenan Bengts described such breaches as an "eye-opener" for healthcare facilities across the region, the report states.

DATA LOSS—CHINA

Hacker Charged After Accessing E-mail (June 28, 2010)

ShanghaiDaily.com reports that a Shanghai man has been charged with breaching the e-mail rights of others after it was discovered he had improperly accessed a colleague's e-mail for more than one year. The accused used his co-worker's e-mail password to log in, read and then store e-mails on his own computer. Allegedly, he hacked the worker's computer to gain business knowledge, which he later sold. Between 2003 and 2009, the accused accessed more than 1,000 e-mails, marking them as "unread" afterwards.

SOCIAL NETWORKING

Privacy vs. Oversharing in a TMI World (June 28, 2010)

Many "social networking companies with business models hungry for personal data" are encouraging users to "overshare" without comprehending the consequences, the Mercury News reports. With the dangers of sharing too much information ranging from embarrassment to loss of employment to abuse by stalkers or scammers, consumer advocates and legislators are turning their attention to requiring companies to protect their users, the report states. At issue, according to some scholars, is the gap between what people say and what they do. "People report in studies that they care deeply about privacy," said Ryan Calo of Stanford Law School's Center for Internet and Society, "but then people don't seem to act in a way that protects their privacy."

PRIVACY LAW—U.S.

Social Network Settles FTC Charges (June 25, 2010)

In the first Federal Trade Commission (FTC) case of its kind against a social networking service, Twitter has agreed to settle charges it "deceived consumers and put their privacy at risk by failing to safeguard their personal information" during breaches that occurred in 2009, according to an FTC release on the case. The Washington Post reports that Twitter will set up a new security program to be assessed by and will be prohibited from what the FTC described as "misleading consumers about the extent to which it maintains and protects the security, privacy and confidentiality of nonpublic consumer information." In a statement, Twitter General Counsel Alexander Macgillivray noted, "Even before the agreement, we'd implemented many of the FTC's suggestions and the agreement formalizes our commitment to those security practices." (Registration may be required to access this story.)

BEHAVIORAL TARGETING—EU

Working Party Clarifies Online Ad Rules (June 25, 2010)

The Article 29 Working Party has released its opinion clarifying the way EU rules apply to online behavioral advertising. According to the European Data Protection Authorities' opinion, when online behavioral advertising providers use cookies, they are bound by the new EU ePrivacy Directive, which "introduces the obligation for informed consent of users before tracking devices such as cookies are installed on users' computers." The opinion calls for "simple and effective mechanisms for users to affirmatively give their consent for online behavioral advertising." Future of Privacy Forum Director Jules Polonetsky, CIPP, told the Daily Dashboard that in some ways the opinion was not a surprise as the Article 29 Working Party has previously indicated that behavioral profiles "are personal information and, therefore, require a specific opt in." However, he said, the opinion does "leave the window open...for companies to develop innovative ways" to inform users and obtain consent. Polonetsky added, "It is also interesting to note that they focused on behavioral ads across multiple Web sites, reserving judgment on first-party behavioral ads."

PRIVACY LAW—NEW ZEALAND

Shroff to Law Commission: Federal CPO Needed (June 25, 2010)

Privacy Commissioner Marie Shroff has called for the creation of a federal chief privacy officer position. In a hundred-page submission to the Law Commission, Shroff said a federal CPO would provide "leadership, expertise and help create a culture of respect for privacy across government." The submission was in response to the Law Commission's proposed changes to the Privacy Act. In it, Shroff largely backed the commission's proposed changes, saying that while the act is fundamentally sound, there are areas where it is ineffective. Shroff also called for the creation of "anonymity," "openness" and "accountability" principles in accordance with international data protection statutes.  

HEALTHCARE PRIVACY—AUSTRALIA

Health ID Legislation Passes (June 25, 2010)

Australia Health Minister Nicola Roxon has announced the passage of legislation authorizing Medicare Australia to start issuing patients with individual 16-digit identifier numbers beginning July 1. ZDNet reports the identifiers will contain "just enough information to identify a person, although each patient can determine whether or not they use it to create a personal e-health record." The legislation had been amended due to concerns raised about privacy implications. "Healthcare identifiers are a key building block of the government's plans to invest $466.7 million over the next two years to revolutionize healthcare delivery through the introduction of personally controlled electronic health records," Roxon said in a statement released Thursday evening. The Australian Privacy Foundation is among those who have raised concerns over the introduction of the identifiers, the report states.

DATA LOSS—U.S.

200,000-Plus Customers Receive Breach Notice (June 25, 2010)

Approximately 230,000 Anthem Blue Cross customers received notification this week that personal information--including Social Security and credit card numbers--may have been accessed, the OC Register reports. The breach involved customers with pending insurance applications that could be viewed through a Web site tool that allows users to track their status online, the report states. An Anthem spokeswoman said the confidential information was accessed primarily by attorneys seeking information for a class action lawsuit against the insurer. While she said it is not known how many customers' information was viewed, letters were sent to 230,000 Californians out of an "abundance of caution." The company said it has made security changes to prevent such a breach from happening again.

PRIVACY LAW—U.S.

House Subcommittee Hears Call for ECPA Updates (June 25, 2010)

At a hearing yesterday, the House Subcommittee on Constitution, Civil Rights and Civil Liberties heard arguments for updating the Electronic Communications Privacy Act (ECPA), The Hill reports. Witnesses at the hearing stressed that the law is out of date and fails to protect the privacy of citizens' digital communications. "The time is ripe for Congress to set forth clear and sustainable ground rules that balance user expectations and law enforcement needs," said attorney Marc Zwillinger. Zwillinger said that in terms of location data, "ECPA's statutory framework is profoundly unsatisfying."

GENETIC PRIVACY—ARGENTINA

DNA Database Defended (June 25, 2010)

A leading human rights activist in Argentina is speaking out in support of the National Genetics Bank as a tool in the efforts of the Grandmothers of the Plaza de Mayo to find children stolen from prisoners of the dictatorship between 1976 and 1983. The Associated Press reports on unsuccessful efforts by attorneys to block the DNA tests by arguing the genetics bank lacks "appropriate safeguards" and suggesting results could be manipulated. "In questioning the bank, they are trying to plant doubts about all the restitutions and the hundred children we have found," said Grandmothers of the Plaza de Mayo President Estela de Carlotto. "Are they suggesting that we want to find just anyone? I want my grandchild, not just any child."

ONLINE PRIVACY

Survey Rates Consumers’ Willingness To Share Data (June 25, 2010)

Privacy remains a burning issue for online marketers, Marketing Week reports, but a recent study sponsored by Equifax indicates that consumers are more willing to share their information than expected, provided they trust the companies seeking their data. "Three-quarters of consumers are happy to share their personal information for marketing purposes with companies that they have a relationship with," the report states, noting that consumers "believe the brands they know well will treat their personal data with respect." However, the study found that the overwhelming majority of respondents would not share their details with companies they did not have a prior relationship with and that social networking sites made consumers "feel the most wary about providing information."

ONLINE PRIVACY—AUSTRALIA

Senate Probe Into Online Privacy, Gov’t Plans (June 25, 2010)

The Senate Standing Committee on Environment, Communications and the Arts yesterday began an inquiry into online privacy following increasing concern about how companies are handling personal data online, reports IT News. "It is time the parliament took a proper look at the degree to which the privacy of Australians online is being eroded by governments and corporations alike," said Green Sen. Scott Ludlam, who proposed the inquiry to parliament. The inquiry will also look into government plans to adopt European style data protection laws, including, says Ludlam, "plans to compel ISPs to collect the Web browsing history of all Australians, for purposes which are not at all clear." The committee is currently accepting comments from the public and is expected to give a report by October 20.

DATA LOSS—U.S.

Hackers Steal Hotel Credit Card Data (June 25, 2010)

Hackers broke into the computer system of a luxury hotel chain and, over a three-month period, stole the credit card information of hundreds of guests, ABC News reports. More than 700 guests of Colorado-based Destination Hotels and Resorts were affected, according to the report. "The losses right now are probably in the hundreds of thousands," said Austin, TX, Police Department Sgt. Matt Greer. "I think each loss is averaging about two or three thousand dollars." Austin police began investigating after receiving complaints from residents about erroneous credit card charges.

ONLINE PRIVACY—UK

Utility: Smart Grid Regulations Needed (June 25, 2010)

Reuters reports on increasing concerns about privacy in the ongoing rollout of the smart grid. The grid will communicate with household smart meters capable of measuring energy use down to the appliance level. But some are concerned that the meters' data-gathering abilities may be compared to having "spies" within the household. At the Smart Grids and Cleanpower conference in Cambridge, a Siemens Energy spokesman warned that regulations are needed to specify that the data smart meters collect belong to the consumer alone, or consumers will resist adopting the technology. Now, his company has the technology to record "masses of private data" on household activity, he said. (Registration may be required to access this story.)

PRIVACY LAW—U.S.

Missouri Passes Privacy Bill (June 25, 2010)

Missouri Governor Jay Nixon has signed a bill aimed at protecting citizens' Social Security and taxpayer identification numbers, reports InfoZine. House Bill 2056 requires that child support and garnishment documents contain only the last four digits of such identifiers, whereas previously they may have contained the entire number. "The people of Missouri deserve a state government that operates with maximum efficiency and protects the vital interest that citizens have in the privacy of their personal information," Nixon said. The bill will take effect August 28.

PRIVACY LAW—EU

Commissioner To Launch Consultation on Data Laws (June 24, 2010)

European Commissioner for Justice and Fundamental Rights Viviane Reding plans to launch a public consultation on whether to introduce a European contract law on the use of personal data, Research Magazine reports. In a speech at the American Chamber of Commerce to the European Union, Reding outlined a three-point plan to ensure the safety of data protection and privacy amongst all EU countries, though she noted industry self-regulation should remain at the core of any new legislation. "I am very much aware that this sector needs clarity, not red tape," Reding said. "I am considering this approach as a way to have codes of conduct" and "the incorporation of 'privacy by design' principles."

PRIVACY LAW—U.S.

ACLU: PII Request Unconstitutional (June 24, 2010)

A request by the North Carolina Department of Revenue for personally identifiable information (PII) on customers from an online retailer violates privacy rights, according to the American Civil Liberties Union (ACLU). CNET reports that the ACLU has intervened on behalf of Amazon customers in a lawsuit the company filed in April over the request for purchase records for customers with North Carolina shipping addresses. The company did provide such information as product codes and shipping areas, but its decision to withhold specific user information prompted the state agency to threaten legal action, the report states. According to Katy Parker, legal director of the ACLU of North Carolina Legal Foundation, "There is no legitimate reason why government officials need to know which North Carolina residents are reading which books."
Full Story

BEHAVIORAL TARGETING—U.S.

Advertisers To Launch Self-Regulatory System (June 24, 2010)

Stricter self-regulation for companies that track users' Internet habits for ad targeting is set to be launched in the months ahead, The Wall Street Journal reports. The system is aimed at protecting online privacy while warding off federal regulations, the report states. Legislators are preparing measures to regulate the industry, and the Federal Trade Commission has cautioned it will support such a move if online businesses do not improve self-regulation. The new system would focus on "trying to make the interactive advertising supply chain much more visible, more transparent to consumers, so that they have a much better ability to understand what is going on and act on it," said Randall Rothenberg of the Interactive Advertising Bureau. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY—AUSTRALIA

Senate Inquiry Into Privacy Laws (June 24, 2010)

The Senate will soon begin an inquiry into the adequacy of privacy laws at the request of Green Sen. Scott Ludlam. Sparked by recent online privacy controversies, the inquiry will examine privacy protections and data collection on social networking sites and the data collection activities of private companies and government agencies, reports The Age. Ludlam says that because of advances in technology and a change in the way people use the Internet, "it is time for the parliament to update itself on what's actually occurring and whether privacy is being adequately defended." A report will be delivered by October 20.
Full Story

GENETIC PRIVACY—U.S.

Proposed NY Law Would Expand DNA Collection (June 24, 2010)

New York Gov. David Paterson has proposed expanding the state's DNA database to include samples from "low-level offenders" convicted of misdemeanors, the Associated Press reports. This would make New York the first state in the nation to collect DNA in such a broad fashion. New York's database began in 1996 with DNA from convicted murderers and sexual predators, the report states, and has been expanded three times to now include samples from some 356,000 people convicted of felonies and certain misdemeanors. While some are praising the plan as a way to solve crime and exonerate those who have been wrongly convicted, the New York Civil Liberties Union is cautioning that the proposed expansion raises questions about privacy rights and requires independent study.
Full Story

PRIVACY LAW—MALAYSIA

Commission Clarifies Data Protection Rules (June 24, 2010)

The Malaysia Communications and Multimedia Commission (MCMC) has clarified its consumer code governing the sharing of personal information, The Star reports. The General Consumer Code governs all communication service providers and requires that they not disclose customers' personal information to third parties without consent and that they meet Fair Information Principles on data collection and retention. The report also states that a personal data commissioner and an advisory committee will be appointed to enforce the Personal Data Protection Bill 2009, passed by parliament last April.
Full Story

EMPLOYEE PRIVACY—CANADA

Adjudicator: Company Must Offer Privacy Education (June 24, 2010)

An Edmonton-based business has been ordered to educate its employees about privacy laws after two managers sent out a memo about the departure of a "difficult" staffer, the Edmonton Journal reports. Keri Ridley, information and privacy adjudicator, has ruled that managers at Insight Psychological violated the former employee's privacy rights by releasing personal information without her consent, the report states. While the company said it released the information to dispel rumors, Ridley wrote in an 18-page decision released Wednesday that the company's opinions "were not innocuous information, nor was it distributed to those who needed to know it." An Information and Privacy Commission spokesman said organizations need to be cognizant of Alberta's privacy laws "when they develop their own privacy policies."
Full Story

DATA LOSS—U.S.

University Alerts Nearly 20,000 of Data Breach (June 24, 2010)

A Florida university is notifying 19,407 students and 88 faculty members that their personal data may have been exposed, Infosecurity reports. The possible breach occurred via a database's external search function at Florida International University in May. It was discovered during an internal review of a previous and unrelated hacking incident at the university. The potentially exposed data includes grade point averages and Social Security numbers for both students and faculty, though the university says it does not appear that the data has been used. A university letter to those affected said that the school "took immediate steps to remove the database from any external search capability" and to prevent another breach.
Full Story

SOCIAL NETWORKING

Facebook Creating Location-Based Service (June 24, 2010)

The world's largest social networking site is "pretty close" to providing location-based services, CEO Mark Zuckerberg said Wednesday at an event in Cannes, France. The service would allow marketers to deliver personalized ads to Facebook users based on their locations, Bloomberg reports. Attendees at last week's Computers, Freedom and Privacy conference, meanwhile, have released a 14-point Social Networking Users' Bill of Rights focused on privacy enhancements and user control. For his part, Zuckerberg spoke of recent privacy complaints against the site at the Cannes event, noting, "With almost a half-billion users, we're making a transition. Our challenge is to make a safe, secure environment for users to share."
Full Story

HEALTHCARE PRIVACY—U.S.

Patient Sues Hospital Over Breach (June 24, 2010)

WAVE reports on a patient suing a psychiatric hospital after a flash drive containing 24,600 patient files went missing in April. The Our Lady of Peace Hospital files included patient names, names of insurers and hospital stay details. The lawsuit accuses the hospital of negligence, invasion of privacy and emotional distress. A hospital spokeswoman said the hospital took the appropriate actions after the breach, including notifying affected patients and the Office for Civil Rights. "Patient confidentiality is sacred to us and our patients. We have taken this breach seriously," she said.
Full Story

PRIVACY

Despite Policy Updates, Legislators Concerned (June 24, 2010)

Apple has updated its iTunes privacy policy to let users opt out of its iAd platform, eWeek reports. The updated privacy section includes options to let users choose not to receive targeted advertising, according to the policy, which notes that those who choose to opt out of the tailored advertising campaigns "will continue to receive the same number of mobile ads, but they may be less relevant because they will not be based on your interests." While Apple has also announced changes to its privacy policy related to location-based services, members of the U.S. House Bi-Partisan Privacy Caucus sent a letter to Apple CEO Steve Jobs on Thursday asking about the updated privacy policies and raising concerns about the use and collection of geographic location information.
Full Story

DATA PROTECTION—EU

Reding: Data Laws Should Put Individuals First (June 23, 2010)

Europe needs to put individuals at the heart of its data protection laws to ensure the safety of personal data, according to Viviane Reding, European Commissioner for Justice and Fundamental Rights. In a speech at an American Chamber of Commerce to the European Union event Tuesday, Reding said, "We need to find new ways to empower Web surfers. Internet users must have effective control of what they put online and be able to correct, withdraw or delete it at will." Reding added the EU needs to have unified consumer rights, despite the interference of national contract laws. She plans to launch a public consultation on various long-term possibilities this summer, The Wall Street Journal reports. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—EU & U.S.

EDPS Lists Concerns about New SWIFT Draft (June 23, 2010)

European Data Protection Supervisor Peter Hustinx has issued his opinion on the European Commission's draft agreement to allow U.S. authorities access to European financial data for anti-terrorism investigations, and while he cites improvements over an interim agreement rejected by the European Parliament, Hustinx is raising concerns. Eurasia Review reports on Hustinx's announcement Tuesday that while the fight against terrorism "may require restrictions to the right to the protection of personal data," such provisions as the transfer of banking data in bulk to the U.S., data retention periods, enforceability of data protection rights and independent supervision need improvement "in order to meet the conditions of the EU legal framework for data protection."
Full Story

PRIVACY LAW—U.S.

FTC Rep: Privacy Laws Aren’t Working (June 23, 2010)

Current privacy laws place too much of a burden on American consumers and don't offer enough in the way of protection. That was the message from Kathryn Ratte, a senior attorney in the consumer protection bureau of the Federal Trade Commission (FTC), CNET News reports. Speaking at an event in Alberta convened by Canadian Privacy Commissioner Jennifer Stoddart, Ratte said U.S. privacy law, which relies on disclosure of data collection and use practices and informed consumer choice, "in some very basic sense isn't working." Ratte spoke of the importance of transparency when it comes to notice as well as minimizing data collection and limiting retention. Ratte's comments came as many are anticipating the FTC will release recommendations to Congress on new privacy laws this year, the report states.
Full Story

ONLINE PRIVACY—U.S.

Study: Tech Firms More Trusted than Social Networks (June 23, 2010)

According to a Zogby Interactive survey, Americans trust big tech firms such as Apple, Google and Microsoft more than social networking sites. Nearly half of the 2,100 respondents said they trust the big tech firms, reports The Washington Post. Adults aged 18 to 29 showed somewhat higher levels of trust in social sites--seven percent higher than adults of all ages. John Zogby, president and CEO of Zogby International, said, "I think to a great degree, it's all about privacy," noting that the tech firms have a longer history and have built brand equity. However, both big tech and social networking scored higher among respondents than traditional media. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY—U.S.

Privacy Protection Firm Raises $15M (June 23, 2010)

ReputationDefender, a California-based company aimed at helping its customers take control of their online information, announced it has secured $15 million in venture capital. The San Francisco Chronicle reports the company plans to use the funds to expand its management team, develop new products and improve sales efforts. Users pay the company a monthly fee of $9.95 or more to "take charge of their online identity and privacy," the report states, and in return, ReputationDefender pledges to remove online content--including clearing user information from marketing databases--as well as altering browser settings and optimizing search results. In the past year, the company has raised $24 million from investors.
Full Story

PRIVACY LAW—U.S.

House Subcommittee To Examine ECPA Update (June 23, 2010)

A House Judiciary subcommittee will examine on Thursday how location-based services are being used by law enforcement agencies to compile data on cellphone users, The Washington Post reports. The Subcommittee on the Constitution, Civil Rights and Civil Liberties will take its second look at the Electronic Communications Privacy Act of 1986. The subcommittee wants to determine whether the law should be updated in order to account for new technologies. Some Internet and software companies argue that law enforcement authorities routinely request information on users, increasing the possibility of privacy-rights violations, the report states. (Registration may be required to access this story.)
Full Story

CHILDREN’S PRIVACY

Survey: Teens Engage in Risky Behaviors Online (June 23, 2010)

USA Today reports on survey results that indicate teenagers often participate in risky behaviors online. Released this week, the Harris Interactive survey, commissioned by McAfee and titled "The Secret Online Lives of Teens," polled 955 teens ages 13-17. Of those polled, 69 percent said they divulged their physical location while online and 28 percent said they chatted with strangers. Girls often were more willing to divulge information than boys, with 32 percent saying that they chat with strangers online compared with 24 percent of male respondents. "This is a wake-up call to the real dangers our teens face when they make themselves vulnerable online," said McAfee's chief cyber security mom.
Full Story

HEALTHCARE PRIVACY—U.S.

HHS To Investigate Clinic (June 23, 2010)

The U.S. Department of Health and Human Services (HHS) has opened an investigation of the Adult Industry Medical Healthcare Foundation in response to a formal written complaint, reports the Los Angeles Times. The investigation will focus on whether adult film performers' privacy was breached when the clinic required them to sign broad disclosure agreements. The AHF said in a February complaint that patients were required to sign "overbroad, irrevocable" consent to disclose test results to whomever the clinic deemed appropriate "in perpetuity." An AHF lawyer said for the disclosures to be lawful, the performers should be provided with information on patient data use and retention.
Full Story

DATA PROTECTION—U.S.

Outsourcing Data, Not Accountability (June 23, 2010)

Computer data centers are becoming more common--as is outsourcing data storage--and some privacy experts are cautioning companies to make sure the data is adequately protected. "When a company is hiring one of these data centers, they need to remember they can outsource responsibility for the data but they cannot outsource accountability," said Marilyn Prosch, an expert in privacy at Arizona State University. The Arizona Republic reports that centers protect the equipment by removing exterior doorknobs and installing video cameras, but transferring and protecting data is the responsibility of center customers. Prosch advises that companies check into certifications, policies and employee training programs and make sure that contracts clearly outline data handling and protection.
Full Story

DATA PROTECTION—U.S.

Study Finds Company Leaders Lack Privacy Involvement (June 22, 2010)

A survey of 66 board members and senior executives at Fortune 100 companies by Carnegie Mellon University's CyLab exposed inadequate involvement in their organizations' privacy and security decisions, SC Magazine reports. While organizations are encouraging more cross-company communication about privacy, none of the respondents to the second "Governance of Enterprise Security" report listed improving computer and data security as a top board priority, the report states. The survey also found that 61 percent of respondents have not reviewed or approved annual privacy and security risk management budgets--an increase from 40 percent when the survey was conducted in 2008--and that they are receiving fewer security and privacy reports. The study also indicated that many organizations lack key privacy and security positions such as CISOs and CPOs.
Full Story

GEO PRIVACY

Apple Updates Location-Based Services Policy (June 22, 2010)

Apple has updated its privacy policy to make sure users know that when they use location-based services, they will be sharing their location information with that service provider. CNET News reports that the update, which was released on Monday, specifies that in order to provide location-based services, "Apple and our partners and licensees may collect, use and share precise location data, including the real-time geographic location of your Apple computer or device." The policy points out that the information is collected anonymously "to provide and improve location-based products and services." The announcement comes on the heels of comments by Apple CEO Steve Jobs at this month's All Things Digital conference, where he said customers should always be asked whether they want to share their information.
Full Story

ONLINE PRIVACY—AUSTRALIA & U.S.

Preliminary Review: Google WiFi Collection Not So Bad (June 22, 2010)

Australian Privacy Commissioner Karen Curtis shared preliminary comments with The Sydney Morning Herald on Google's collection of data from unsecured wireless networks, rejecting the idea that banking transactions could have been captured because financial institutions use secure Internet connections. "At this stage, it appears payload data that has been collected comprises only fragments--0.2-second snatches," she said, adding that her office has not examined the data and has told Google not to review it. Curtis said her office is working with its international counterparts as the investigation continues. In the U.S., meanwhile, as many as 30 states are considering taking part in a joint investigation led by Connecticut Attorney General Richard Blumenthal to determine whether any laws were broken when the data was collected.
Full Story

PRIVACY LAW—U.S.

Boucher: Bill’s Aim Is Clear Federal Privacy Rights (June 22, 2010)

Discussions continue around the Boucher-Stearns draft privacy legislation, NPR reports, with "mom and pop shop" Web businesses lobbying Congress that the bill will be their death knell. Web companies suggest that warnings about the information they collect from users will scare people away from their sites. House Subcommittee on Communications, Technology and the Internet Chairman Rick Boucher (D-VA), who proposed the legislation with Rep. Cliff Stearns (R-FL), said the goal is actually to give customers more confidence online by allaying the concerns caused by an absence of clear federal privacy rights. "There's a lot of uncertainty on people's part about what information is collected from them when they visit Web sites and how that information is used and with whom it's shared," he said.
Full Story

DATA LOSS—CANADA

Tax Employees Viewed Documents (June 22, 2010)

The Toronto Star reports that dozens of employees at Canada's tax agency have accessed taxpayers' personal information inappropriately. In one breach last October, an employee accessed 37,500 e-mails and 776 documents and downloaded them for her personal use with the aid of agency technicians, the report states. Other incidents involved employees accessing the tax documents of ex-spouses, family members and friends. In 2008-2009, there were 29 cases in which employees accessed documents without authorization and 12 cases in which records were disclosed to third parties. "The agency consistently continues to review its activities to enhance prevention, detection and deterrence," said a spokesman.
Full Story

PRIVACY LAW—INDIA

Panel Established, Privacy Law Coming (June 22, 2010)

The United Progressive Alliance government has established a panel of senior officials to create a blueprint for the country's first privacy and data protection law, reports Live Mint. The move comes amidst concerns about government plans to issue national identity cards to all citizens, which will provide 11 law enforcement and intelligence agencies with access to the phone records, credit card transactions and drivers license information of all citizens, among other data. The law would recognize privacy as a fundamental right, and would include safeguards to protect against violations. "There's a need for legislation to decide what is private and what is not," said a senior government official.
Full Story

PRIVACY LAW—ISRAEL

ILITA Fines on the Rise (June 22, 2010)

This week the Israeli Law, Information and Technology Authority (ILITA) imposed a $70,000 (NIS 258,000) fine on a company for providing its customers with illicitly obtained personal data on debtors. Legal consultant Omer Tene writes for the Hunton & Williams Privacy and Information Security Law Blog that ILITA has used its increased levying powers, which were handed down recently by the Israeli parliament, to fine several controllers from both public and private sectors. A pending government-sponsored bill would increase ILITA's fining powers even more--up to $1 million--and give it broader powers of search, seizure and interrogation, if passed.
Full Story

ONLINE PRIVACY

Certifier: Business Model Switch Levels Playing Field (June 22, 2010)

BEHAVIORAL TARGETING—U.S.

Marketers Debut Self-Regulating Icon (June 22, 2010)

Beginning this week, dozens of major companies will "pull the veil off their Web ads," Advertising Age reports, with the first trial of a self-regulation plan aimed at staving off government regulation while giving consumers added control over targeted advertising. The new system, one of several competing to win the support of advertising industry coalitions and the Council of Better Business Bureaus, will only apply to ads that use data from third parties. The self-regulatory approach features a "power eye" icon included with ads. When consumers access the icon, they "get a view of all the data that was used to target the ad, as well as the option to opt out of future targeting by those companies," the report states. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

Privacy Startups Gain Funding Support (June 21, 2010)

Venture capitalists are seeing the value of investing in privacy-related startups--to the tune of millions of dollars, The Wall Street Journal reports. Among recently funded startups such as ReputationDefender and SafetyWeb and former nonprofit Truste, a key focus is giving consumers tools to defend their privacy, the report states. Those three companies alone have raised about $35 million in new venture funding, according to the report. "Privacy is a big issue and it's going to get bigger because people realize it can be used against you," said Ted Schlein, a venture capitalist at Kleiner Perkins and a ReputationDefender board member. "That spells market opportunity." (Registration may be required to access this story.)
Full Story

SOCIAL NETWORKING

Facebook Rebuts Privacy Advocates’ Open Letter (June 21, 2010)

Facebook has released its response to an open letter from privacy advocates asking the company to address "outstanding privacy problems," saying it has already created measures to protect user privacy. Meanwhile, a privacy law expert has said the advocates' expectations are unrealistic. PCWorld reports on Facebook's response that the information third parties receive from the site is the same that can be viewed by accessing users' public information. "We do not use (the information) for ad targeting nor do we sell it to third parties," the response states. "That information cannot be sold or shared with others or used in any way other than to improve the experience of Facebook users visiting their site."
Full Story

PRIVACY—CANADA

Commissioner Establishes Toronto Office (June 21, 2010)

Canada's Office of the Privacy Commissioner (OPC) has established a Toronto office in an effort to develop a more effective presence there, according to a press release. Privacy Commissioner Jennifer Stoddart said increasing her office's regional presence was needed "in order to build stronger ties with our provincial colleagues and other stakeholders across the country." In the last two years, more than half of respondents to PIPEDA complaints have had addresses in the greater Toronto area, the commissioner said, adding that an office will help to fill a gap there. Robin Gould-Soil, CIPP/C, former chief privacy officer at TD Bank Financial Group, will direct the Toronto office.
Full Story

DATA LOSS—UK

Police Breached Data Protection Act (June 21, 2010)

The Information Commissioner's Office has found Kent Police in breach of the Data Protection Act after personal data was stolen from the back of an officer's car, The Register reports. The data was stored in an unsecure briefcase in transit to the officer's home. Adrian Leppard, temporary chief constable of Kent Police, has signed an undertaking to improve policies, the report states. Kent Police staff transporting confidential data outside of the station will now use secure briefcases and storage facilities at home. Staff will also be trained in new procedures.
Full Story

DATA RETENTION—AUSTRALIA

Senator Questioned About Gov’t Plans (June 21, 2010)

Greens communications spokesperson Scott Ludlam questioned Senator Penny Wong today about federal government plans to require Internet service providers to retain Australians' Web browsing, e-mail and telephone activity for the purpose of fighting crime and terrorism, ZDNet reports. In response, Wong said, "I understand the Attorney-General's Department has been consulting with industry in relation to continuing availability of telecommunications data with reference to law enforcement purposes." She added that any move in this direction would need to balance privacy concerns. Wong also said that the Attorney-General's Department has been consulting with the Office of the Privacy Commissioner on the issue.
Full Story

ONLINE PRIVACY

WiFi Data Fallout Continues (June 21, 2010)

French data protection agency CNIL is deciding whether to prosecute Google after finding e-mail passwords and other sensitive data among the information collected from unsecured wireless networks. CNIL Chairman Alex Turk has said an early review of information collected in France showed the presence of "data that are normally covered by...banking and medical privacy rules," BBC News reports, and Turk hopes to decide by September what further action to take as CNIL has the power to issue warnings, levy fines or forward the case to prosecutors. Australia's privacy commissioner is also continuing to hold discussions with prosecutors and police and, in the U.S., Congress is being urged to consider basic principles to meet privacy expectations. Google has said it is continuing to work with authorities across the globe.
Full Story

PRIVACY LAW—U.S.

Ontario v. Quon Decision Provides “Useful Guidance” (June 18, 2010)

The New York Times reports on yesterday's Supreme Court ruling on a case involving the privacy of employee text messages. In a unanimous decision on City of Ontario v. Quon, the court determined that the search of a police officer's personal messages on his government-owned pager did not violate his constitutional rights. The ruling offers useful guidance for private employers, says Littler Mendelson partner Philip Gordon in the Workplace Privacy Counsel blog. Specifically, he says the court's assertion that the employer's search was reasonable and legitimate "demonstrates that private employers can substantially reduce their potential exposure on privacy-based claims by acting reasonably when searching and reviewing employees' electronic communications." Gordon also says employers should heed the court's emphasis on "the importance of a well-crafted and broadly distributed electronic resources policy."
Full Story

DATA THEFT

Clearinghouse Created for Stolen Data (June 18, 2010)

Microsoft has launched a coalition to serve as a clearinghouse for reports about caches of stolen data stored on the Internet, USA Today reports. Managed by the National Cyber-Forensics & Training Alliance, the Internet Fraud Alert Center will serve as a reporting hub for stolen payment card numbers and online account logons. Cached stolen information will be sent to the issuing banks. "This fills a big gap in the arsenal of weapons we need to fight online fraud," said Microsoft executive Nancy Anderson. The future participation of major Internet companies could be key to the clearinghouse's success, as they collect "mountains" of online traffic data, one expert said.
Full Story

DATA PROTECTION

More Harmony Needed in Int’l Data Protection (June 18, 2010)

The Economist reports on the increasing friction among data protection regulators and global Internet companies. That friction may be the result of underlying philosophical differences on privacy, exemplified by Europe's view of privacy as a fundamental human right versus America's self-regulatory approach. Some say more harmony is necessary as global data flows increase across emerging markets, with one expert suggesting that Asia could become "a new privacy battleground." German Data Protection Commissioner Peter Schaar suggests that if America was to create an independent data protection body, then other regulators may "adopt a more flexible regulatory approach."
Full Story

PRIVACY LAW

Crown Disputes Commissioner’s Jury Selection Report (June 18, 2010)

The Ontario government is disputing the findings of a report issued last fall by Ontario Privacy Commissioner Ann Cavoukian that determined approximately one-third of Crown offices in the province violated the Juries Act by using confidential police databases to vet prospective jurors, the National Post reports. The Crown has said the report was the result of "an inaccurate and incomplete understanding" of the jury selection process. The Office of the Information and Privacy Commissioner "strongly disagrees" with that interpretation, said its senior counsel, David Goodis, explaining, "Our findings were based on the source from which the Crown collected the information, such as police, not the format in which that information was held."
Full Story

DATA PROTECTION—EU & U.S.

MEPs Want Passenger Data Protected (June 18, 2010)

In a resolution passed Thursday, members of parliament called for better protection of air passengers' personal data, according to a European Parliament press release. Parliament "emphasizes that the privacy of European and U.S. citizens should be respected when personal passenger data are exchanged," MEPs said, adding they "believe that all transfers of personal data from the EU and its Member States for security purposes should be based on international agreements, with the necessary safeguards, and comply with data protection legislation at national and EU levels." MEPs also noted an urgency to arrive "at worldwide standards on data protection and privacy."
Full Story

PRIVACY LAW—U.S.

Supreme Court Rules on City of Ontario v. Quon (June 17, 2010)
The Supreme Court has ruled on a case involving the privacy of employee text messages transmitted on employer-issued equipment.

DATA RETENTION—EU

Parliament Proposals Send Mixed Messages (June 17, 2010)

A new push by the European Parliament contradicts the Article 29 Working Party's requirement that search engines reduce the time they store data to six months, Search Engine Land reports. The proposed European Data Retention Directive seeks to have search engines retain "all communications traffic data...for possible use by law enforcement" for two years, the report states. While noting that it is not guaranteed that the European Parliament will support the directive becoming law, the report suggests that "for the time being at least, it would seem to paralyze the EU's ability to make data retention demands on search engines of any sort."
Full Story

PRIVACY LAW—EU & U.S.

MEPs May Veto Bank Data Deal (June 17, 2010)

Members of the European Parliament (MEPs) who advocated the rejection of the SWIFT deal back in February are threatening to veto the new EU-U.S. bank data transfer agreement negotiated by the European Commission, EUobserver reports. "We regret that the European Commission seems to have already closed the negotiations on a draft agreement that is far from being approvable," said MEP Martin Schulz. The primary focus of concern is with the transfer of bulk data, the report states, as MEPs want information filtered in the EU before it is sent to the U.S. for processing. MEP Jan Philipp Albrecht said the plan would allow "bulk data about completely unsuspicious persons" to be sent to the U.S., violating the EU Charter of Fundamental Rights.
Full Story

CONSUMER PRIVACY—CANADA

Guiding Document Aims to Protect Smart Grid Data (June 17, 2010)

Privacy Commissioner Ann Cavoukian has launched a publication aimed at guiding utilities on how to protect consumers' personal information in the smart grid, IT World reports. The commissioner partnered with Hydro One and Toronto Hydro to publish "Privacy by Design: Achieving the Gold Standard in Data Protection for the Smart Grid," which outlines best practices. The smart grid will digitize consumer energy information, in some cases down to the appliance level. "The smart grid's impact is being compared to the advent of the Internet, which was built without privacy in mind and which now faces an extreme impediment and very high levels of scrutiny regarding privacy," the publication states. Cavoukian said the time to embed privacy into the design of the smart grid is "during its infancy." (Watch IT World's interview with Commissioner Cavoukian here.)
Full Story

DATA RETENTION—AUSTRALIA

ISP Data Storage Proposal Raises Concerns (June 17, 2010)

Australia's Attorney-General's Department is considering a plan to require ISPs to store users' Internet activity--whether or not they are suspected of crimes--and that is spurring criticism from advocates and industry experts, The Sydney Morning Herald reports. The Attorney-General's Department has said it is in the process of determining whether a plan similar to the European Directive on Data Retention would be appropriate for Australia, but such groups as the Internet Industry Association and Electronic Frontiers Australia are criticizing the plan as a "fishing expedition" for data. Privacy Commissioner Karen Curtis, meanwhile, has issued a statement in reaction to the discussions, noting her office will expect any proposed legislation to have "the appropriate privacy safeguards built in."
Full Story

PRIVACY LAW—U.S.

Proposed Settlement Reached in Missouri Class Action Suit (June 17, 2010)

A proposed settlement has been reached in a 2008 class action lawsuit involving the alleged acquisition and unlawful use of some Missouri drivers' personal information, reports the Sacramento Bee. Shadowsoft, Inc., and The Source for Public Data L.P. have agreed to return the personal data. The class alleged that the defendants violated the state's Driver's Privacy Protection Act when "highly restricted personal information" about their motor vehicle records was obtained, disclosed or used by the defendants beginning in July 2004. An October hearing will determine whether the settlement is fair. A separate suit is pending against individuals at the Missouri Department of Revenue for allegedly disclosing the data.
Full Story

STUDENT PRIVACY—U.S.

Maine Schools To Collect SSNs (June 17, 2010)

Maine schools will begin collecting student Social Security numbers this fall to track student progress after graduation, and that has the Maine Civil Liberties Union (MCLU) concerned, Kennebec Journal reports. MCLU Legal Director Zachary Heiden said the Maine Department of Education's one-sentence statement provided to schools to notify parents that they have the option of withholding their children's Social Security numbers does not clarify the risks of providing such information, including the potential for identity theft. Department of Education spokesman David Connerty-Marin said the statement was created as an advance notice to schools. He said the department shares the MCLU's concerns about protecting student privacy and believes "it is possible to protect and use data to improve outcomes."
Full Story

EMPLOYEE PRIVACY

Staff Surveillance: Part of the IT Job (June 17, 2010)

As more corporate infractions such as leaking intellectual property, sharing trade secrets and violating regulatory requirements are occurring via the Internet, Computerworld reports that organizations are increasingly monitoring what their employees are doing online--at home as well as during work hours. Often, the report states, it is the IT department that is tasked with filtering Web sites, scanning e-mails, watching what employees post on social networks, collecting mobile phone calls and messages and, in some cases, even tracking employees' physical locations using GPS features on smartphones. Some estimates indicate such monitoring uses up more than 20 percent of an average IT manager's workday.
Full Story

PRIVACY LAW—CANADA

Toronto Woman Launches Campaign for Ontario Privacy Law (June 17, 2010)

The Toronto woman suing her former phone company for allegedly invading her privacy has launched a campaign to find other frustrated customers to join her lawsuit, the Toronto Star reports. Gabriela Nagy says the company consolidated her household's invoices for services--including Nagy's mobile phone bill--without her consent, allowing her husband to discover her extramarital affair. Nagy, whose suit claims invasion of privacy and breach of contract, said federal privacy laws have no teeth and that Ontario doesn't have its own privacy laws like other Canadian provinces, adding "If we have no privacy, we are nothing." She's created a Facebook group called "Citizens Helping Individuals Reform Privacy Policies."
Full Story

SOCIAL NETWORKING

Advocates: Facebook Needs More Privacy Changes (June 17, 2010)

In an open letter to Facebook CEO Mark Zuckerberg, a group of privacy advocates acknowledges the social network has made some positive changes but calls on the company to do more to address "outstanding privacy problems." V3.co.uk reports that the group, which includes the American Civil Liberties Union, Electronic Frontier Foundation, Electronic Privacy Information Center, PrivacyActivism, Privacy Lives and the Privacy Rights Clearinghouse, has made six recommendations to Facebook, including giving users the choice of opting in to the site's "instant personalization" feature rather than opting out. The letter urges Facebook to give users "control over how and with whom they share" their information--including their names, gender, profile pictures and networks.
Full Story

PRIVACY LAW—EU & U.S.

MEPs Offer Split Views on New SWIFT Plan (June 16, 2010)

MEPs have different views on whether the European Commission's proposal to allow U.S. authorities access to SWIFT financial data on suspected terrorists does enough to protect Europeans' personal information. The New York Times reports that although European Commissioner Cecilia Malmström says the agreement will "increase the security of European citizens while at the same time fully respecting their rights to privacy and data protection," several MEPs have come out against the plan. MEP Sophie In 't Veld, for example, raised concerns about bulk transfers of information, suggesting that the U.S. "can request a needle, but Europeans still would be sending the entire haystack." MEP Timothy Kirkhope, however, said, "This agreement is, of course, not perfect, but ultimately it gets a necessary and vital job done" while addressing privacy concerns. (Registration may be required to access this story.)
Full Story

FINANCIAL PRIVACY—NEW ZEALAND

Commissioner Proposes Changes to Credit Reporting (June 16, 2010)

New Zealand's privacy commissioner has announced proposals that would change the way credit information is reported, The New Zealand Herald reports. Proposed amendments to the Credit Reporting Privacy Code of 2004 would allow credit agencies to collect more data about a consumer's history than currently permitted and would allow for the use of drivers' licenses to verify information. The proposals aim to provide a more complete picture of a consumer and may help detect identity theft and fraud, but "the collection and reporting of more personal information creates increased risks of inaccuracy and misuse," the Privacy Commission said in an information paper on the amendments. It proposes safeguards to mitigate risk. The commissioner will accept comments on the proposals through August 13.  
Full Story

PRIVACY LAW—U.S.

Report: More User Control Could Appease Lawmakers (June 16, 2010)

The research firm Concept Capital has released a report suggesting that ad network owners could give users more control over their personal information as a way to stave off increased regulatory attention to online privacy, The Washington Post reports. The researchers also note that while the Boucher-Stearns bill, which is expected to be introduced soon, is unlikely to make many waves in 2010, its passage is "quite realistic" for 2011. The report also acknowledges that it remains to be seen whether consumers would exercise greater control over their personal information if granted. (Registration may be required to access this story.)
Full Story

HEALTHCARE PRIVACY—U.S.

Proposed Rules Coming in Two Weeks (June 16, 2010)

The HHS Office for Civil Rights (OCR) will release proposed rules on HIPAA-related provisions in HITECH later this month, HealthLeaders Media reports. The notice of proposed rulemaking, expected on or around June 26, will include clarification regarding willful neglect penalty tiers. The OCR is expected to begin HITECH-required compliance audits next year.
Full Story

GEO PRIVACY

Make Maximum Privacy Default (June 16, 2010)

The International Business Times reports that as location-based services become more common, so do privacy and security concerns. Stored locational data could be misused or used in civil lawsuits such as divorce cases, said Peter Eckersley of the Electronic Frontier Foundation. He added that unless the company providing the service specifically states how long the data is kept, chances are it is forever. "Privacy is hard to figure out. It's hard to anticipate in advance the kind of privacy you're going to need," he said, adding that the solution is to design applications to provide maximum privacy as the default. (Registration may be required to access this story.)
Full Story

SOCIAL NETWORKING—U.S.

Balancing Privacy and Profit (June 16, 2010)

With nearly 500 million members--the equivalent of the third-largest country in the world--social networking giant Facebook must walk a "tricky line" between respecting users' privacy and making advertising profits, USA Today reports. Facebook and other social networks are facing more and more scrutiny over their privacy policies, the report states, with some U.S. legislators pushing for regulation of the collection and sharing of consumer information. Internet experts contend that too many requirements for user permission to share information could mean "innovation would slow to a crawl." Privacy advocates, however, point to "an inevitable conflict between Facebook's treasure trove of user data and the temptation to sell it to advertisers."
Full Story

PRIVACY LAW—U.S.

States Discuss WiFi Data Investigation (June 16, 2010)

Attorneys general from about 30 states are considering whether to hold a joint inquiry into whether Google's collection of WiFi data violated any laws, The New York Times reports. The prosecutors took part in a conference call led by Connecticut Attorney General Richard Blumenthal, who described the discussion as "the first step in an effort to cooperate in a possible joint investigation and action. At this point, we are asking questions and frankly some of the answers we received so far have raised additional questions that we have put to the company." Google, meanwhile, has issued a statement that the data collection was a mistake, and the company is "working with the relevant authorities to answer their questions and concerns." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—EU and U.S.

EU Commissioners Approve Data Transfer Agreement (June 15, 2010)

The European Commission has finalized a draft agreement that would allow banking data to be transferred to the U.S. in cases of anti-terrorism investigations. EUobserver reports that European Commissioner Cecilia Malmström will present the agreement today, and it will then be forwarded to the Council of Ministers and the European Parliament for approval. The draft agreement requires all data sent to the U.S. to be based on anti-terrorist investigations, prohibits such practices as profiling and data mining and provides such rights as blocking inaccurate data and judicial redress, the report states. Malmström has said the plan's data protection provisions have been significantly altered from an interim deal rejected by the European Parliament in February.
Full Story

ONLINE PRIVACY—U.S.

Battle Brewing Between Congress, Companies (June 15, 2010)

While federal legislators and privacy advocates are calling for online privacy legislation, Internet industry leaders are raising concerns that the result could be stifled innovation if those regulations are too strict. The Mercury News reports, however, that even legislators who believe Internet freedoms must be protected are voicing concerns about privacy. The report references a recent study by UC Berkeley and the University of Pennsylvania that found 55 percent of adults were more concerned about online privacy than they were five years ago. "While privacy concerns have ebbed and flowed, I think it is fair to say that they are at an all-time high now," said Jim Dempsey of the Center for Democracy and Technology.
Full Story

FINANCIAL PRIVACY—SWITZERLAND & U.S.

Swiss Bank Data Deal Moves Forward (June 15, 2010)

Switzerland's parliament has approved a deal with the U.S. that would require UBS to provide data on as many as 4,450 suspected U.S. tax evaders holding accounts with the bank, Deutsche Welle reports. The specific details of the agreement are still being reviewed, including whether a public referendum will be required before it becomes law. Final approval is expected to put an end to legal action by U.S. authorities, the report states. A transfer agreement between the U.S. and Swiss governments had first been reached in 2009, but parliamentary approval was required after the Swiss Supreme Court questioned whether it was legal.
Full Story

HEALTHCARE PRIVACY—U.S.

Patient Breaches Tripled Since February (June 15, 2010)

The number of entities that have reported major patient information breaches to HHS' Office for Civil Rights (OCR) nearly tripled in four months, reports iHealthBeat. As of June 11, the OCR's Web site listed 93 breaches, up from 32 in February. Nearly 20 percent of the reported breaches involved business associates of HIPAA-covered entities, and 10 of the breaches involved entities classified as a "private practice," the report states. The OCR says it will soon post the names of private practices due to the "routine use" provision in the Privacy Act, which does not require prior consent. The economic stimulus package requires the OCR to publicize breach notifications involving 500 people or more.  
Full Story

HEALTHCARE PRIVACY—UK

ICO: Too Many NHS Breaches (June 15, 2010)

The Information Commissioner's Office has expressed concern about the prevalence of data breaches involving NHS organizations. A quarter of all data breaches reported to the ICO involve the NHS, according to an ICO press release, and two more NHS bodies have promised to increase data security after recent losses of patient data. "Everyone makes mistakes," said ICO Head of Enforcement Mick Gorrill, "but regrettably there are far too many within the NHS." Gorrill added that "Health bodies must implement the appropriate procedures when storing and transferring patients' sensitive personal information." The chief executives of NHS Stoke-on-Trent and Basingstoke and North Hampshire NHS Trust have signed formal undertakings with the ICO for recent losses.
Full Story

DATA PROTECTION—U.S.

FCC: Cybersecurity a “High Priority” (June 15, 2010)

The Federal Communications Commission is warning businesses and consumers about data security in light of two recent information breaches, ESecurity Planet reports. "Our Public Safety and Homeland Security Bureau is now addressing cybersecurity as a high priority," Joel Gurin of the FCC's Consumer and Government Affairs Bureau wrote in a blog post. The Federal Bureau of Investigation is looking into a breach involving the data of iPad owners, while governments around the world are examining the circumstances surrounding Google's collection of private data from unsecured WiFi networks.
Full Story

SOCIAL NETWORKING

Whitepaper: Five Risks CIOs Must Consider (June 15, 2010)

Companies should embrace social media while encouraging employees to make themselves aware of the risks involved. That's according to the Information Systems Audit and Control Association (ISACA), which this week released a whitepaper on social networking risks CIOs should be aware of, CIO reports. "Companies should embrace it, not block it," said ISACA Vice President Robert Stroud. "But they also need to empower their employees with knowledge to implement sound social media governance." The whitepaper cites viruses and malware, brand hijacking, lack of control over content, unrealistic consumer expectations of "Internet-speed" service and noncompliance with records management regulations as the top five risks.
Full Story

ONLINE PRIVACY—AUSTRALIA

AG: Gov’t Will Not Track Web Histories (June 14, 2010)

A spokesman for Australian Attorney-General Robert McClelland has denied that a controversial data retention policy being considered by his office could result in Web browsing histories being tracked by ISPs, ZDNet reports. When the Attorney-General's Department confirmed Friday that it was examining the European Directive on Data Retention to consider whether it would be beneficial for Australia to adopt similar rules, opponents cautioned the Australian version could extend as far as tracking the Web browsing history of all Australians, the report states. However, Adam Siddique, a media liaison for the Attorney-General's Department, said the plan "is not about Web browser history...It's purely about being able to identify and verify identities online," linking the initiative to the ability for law enforcement to track criminals.
Full Story

PRIVACY LAW

Google: WiFi Collection Was Not Illegal (June 14, 2010)

As inquiries and criminal investigations over Google's collection of data from unsecured wireless networks continue to mount across the globe, Google has filed a legal motion seeking to combine all U.S. lawsuits into one case and has written to the U.S. Congress asserting it did not break any laws. The Mercury News reports on a letter to the House Commerce Committee from Pablo Chavez, Google's director of public policy, stating that "neither Google's management nor any Google product group requested that the payload data be collected, and Google never used the payload data in any of its products or services." Rep. Joe Barton (R-TX), meanwhile, said that as the committee is contemplating privacy legislation, "this matter warrants a hearing, at minimum."
Full Story

ONLINE PRIVACY

Cloud Computing Study Portends Ubiquity, Big Breaches (June 14, 2010)

A Pew Internet survey has revealed most experts agree that cloud computing will be ubiquitous by the year 2020, Ars Technica reports. But some also caution that a massive data breach will cause a rethink on that move. "Expect a major news event involving a cloud catastrophe (security breach or lost data) to drive a reversion of these critical resources back to dedicated computing," said the Mozilla Foundation's Nathaniel James in the Pew report, which reflects widespread unease about the cloud. "Trust not the cloud for reliability, security, privacy," said University of Toronto Professor Barry Wellman.
Full Story

GEO PRIVACY—U.S.

Mobile Marketing Concerns Lawmakers, Advocates (June 14, 2010)

As mobile marketing expands on smartphones and other devices, there are concerns among U.S. lawmakers and privacy advocates over the geolocational information marketers collect and how it is used. Some fear that data could be misused or exposed through hacking, accidental breaches or subpoenas, The Wall Street Journal reports. Two recent studies found that mobile marketers often lack privacy policies or fail to communicate with consumers about how their data will be managed and shared. "Individuals, I think, would want to have the highest level of control over how companies can track their physical locations," said Rep. Rick Boucher (D-VA), who has drafted an Internet privacy bill. (Registration may be required to access this story.)
Full Story

FINANCIAL PRIVACY—U.S. & SWITZERLAND

Data From 500 Bank Accounts Sent to U.S. (June 14, 2010)

Following the decision by the lower house of Switzerland's parliament to reject an agreement to hand over banking information to the U.S., Reuters reports that Swiss authorities have already handed over 500 accounts of UBS clients "under an agreement to end a tax dispute that has threatened the bank's existence." Citing information published in Swiss newspaper Sonntag, the report states that while Swiss bank secrecy law usually prohibits the transfer of account details to foreign authorities, the 500 clients had signed waivers allowing their accounts to be handed over to the U.S. "Client dossiers were transferred to the United States in around 500 of the 2,900 cases," said Thomas Brueckner, a spokesman for the Swiss tax office. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—CANADA

Expert: Information Protection Rules “Toothless” (June 14, 2010)

The Daily News reports that current federal and provincial laws are not doing enough to protect personal data stored electronically, using as an example the recent thefts of laptops from financial institutions in Nanaimo. The report points out that under both the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and provincial law, there is no obligation for financial companies to disclose what client information was stored on the stolen computers. Technology and e-business attorney David Canton warns that changes proposed to amend PIPEDA "are rather toothless...There certainly remains a lack of power for the police to force any company to inform their clients that their personal information may have been breached."
Full Story

ONLINE PRIVACY—AUSTRALIA

AG Considers Requiring ISPs To Record Browsing Histories (June 11, 2010)

The Australia Attorney General's Department has confirmed it is looking to the European Directive on Data Retention in considering whether ISPs should be required to log and retain customers' Web browsing histories to provide for law enforcement access as needed, ZDNet reports. Internet Industry Association (IIA) CEO Peter Coroneos confirmed there have been preliminary discussions with the Attorney General's Department, but the IIA has not "seen any firm proposals yet from the government." If such a plan should come forward, he said, the IIA would "engage not only with the industry but also the community in a proper discussion." Colin Jacobs of Electronic Frontier Australia said such a move would be "a step too far" for data retention laws.
Full Story

PRIVACY LAW—U.S.

Industry Responds to Privacy Bill (June 11, 2010)

The June 4 deadline has passed, and ClickZ reports that industry and advocacy groups have submitted comments on the Boucher-Stearns privacy bill that was released last month for review. Both groups seem to believe the bill needs work, according to the report, with industry calling for fewer restrictions on the collection and sharing of data and advocates saying that it lacks effective measures to promote consumer privacy. Earlier this week, Congressman Joe Barton (R-TX) indicated that he would like to work with his colleagues on crafting legislation that would help build consensus on the issues.
Full Story

DATA LOSS—U.S.

$675K in Breach Fines Levied Against CA Hospitals (June 11, 2010)

The California Department of Public Health (CDPH) announced Thursday it has issued privacy breach fines totaling $675,000 against five hospitals after the CDPH determined the facilities did not prevent unauthorized access to confidential patient information. "Medical privacy is a fundamental right and a critical component of quality medical care in California," said CDPH Director Dr. Mark Horton. "We are very concerned with violations of patient confidentiality and their potential harm to the residents of California." The medical centers were fined between $95,000 and $325,000 each. The Mercury News reports that the facilities have 10 days to submit a plan of correction or appeal.
Full Story

PERSONAL PRIVACY

Voicemail is “The Next Frontier of Exhibitionism” (June 11, 2010)

The San Francisco Chronicle reports on two new startups with plans to make e-mail and voicemail public. Launched last month, Audioo allows people to share their voicemail messages by uploading them to the site, which then automatically transcribes and tags them. Audioo CEO Ryan Born calls voicemail "the next frontier of exhibitionism" and says that the company is working on technology that would let Google Voice automatically upload all of a user's voicemail to the site as it comes in, the report states. Meanwhile, Cc:Everybody offers free e-mail addresses which, when used, allow anyone to see both the message sent and the user's reply.
Full Story

FINANCIAL PRIVACY—EU & U.S.

Commissioner: SWIFT Negotiations Near Completion (June 11, 2010)

Negotiations between the EU and U.S. on the sharing of bank transfer data are close to being finalised, European Commissioner Cecilia Malmström told MEPs on Thursday. The talks have yielded "considerable improvements" over the interim deal rejected by MEPs in February, Malmström said in a European Voice report, with "significantly stronger" data protection guarantees. Malmström will ask her fellow commissioners to approve the agreement at their June meeting, the report states, at which point it would be forwarded to the European Parliament and the Council of Ministers for adoption. MEP Alexander Alvaro, however, said questions remain about issues including data retention and sharing, suggesting, "The draft as it is now still has room for improvement." MEP Jan Philipp Albrecht went a step further, stating it has "serious flaws" and should be renegotiated. (Registration may be required to access this story.)
Full Story

DATA LOSS—U.S.

AT&T Discloses iPad Breach (June 10, 2010)

AT&T acknowledged Wednesday that a small group of computer experts known as Goatse Security accessed 114,000 e-mail addresses of iPad users through a security hole in AT&T's Web site. Ed Amoroso, chief security officer at AT&T, said the hole grew out of an effort by the carrier to simplify its customers' subscription renewal process by having their e-mail addresses pre-entered on the Web site. The Wall Street Journal reports that AT&T has fixed the security problem and will inform all customers whose e-mail addresses and iPad IDs may have been obtained. According to a company statement, "At this point, there is no evidence that any other customer information was shared." (Registration may be required to access this story.)
Full Story

SOCIAL NETWORKING—U.S.

Zuckerberg’s Ethos of a Single, Transparent Identity (June 10, 2010)

Author David Kirkpatrick got up close and personal with Facebook founder Mark Zuckerberg while researching his newly published book, The Facebook Effect. On National Public Radio's "Morning Edition" earlier today, Kirkpatrick told host Deborah Amos that Zuckerberg believes it will be better for the world if people dispense with the belief that they can have different identities. "To him, the idea that someone is different at work than at home, than at a rock concert, is dishonest," Kirkpatrick said, adding that Zuckerberg "sees the world as moving very rapidly toward transparency and very rapid sharing of data between individuals in all sorts of ways."
Full Story

PRIVACY LAW—U.S.

Senate Panel Targets Online Marketing (June 10, 2010)

The Senate Commerce Committee approved a bill Wednesday aimed at curbing misleading online marketing tactics. Tech Daily Dose reports that the legislation proposed by Commerce Chairman John (Jay) Rockefeller (D-WV) emerged out of the committee's investigation into a practice known as "data-pass marketing," where firms convince consumers to sign up for services such as discount memberships where financial information is provided to other firms. The bill would bar companies from automatically passing consumer credit or debit card information to third-party online partners and would also require such merchants to disclose the terms of their offers to consumers. "Web sites will no longer be able to trick consumers into signing up for unwanted services and membership clubs," Rockefeller said during the panel's markup session.
Full Story

PRIVACY LAW—U.S.

Barton Wants To Help with Privacy Bill (June 10, 2010)

A ranking member of the House Energy and Commerce Committee says privacy legislation drafted by his colleagues does not go far enough, reports Tech Daily Dose. Congressman Joe Barton (R-TX) told Energy and Commerce Chairman Henry Waxman (D-CA) that he can work with Democrats on crafting legislation that would help build consensus on the issues. Barton said that Reps. Cliff Stearns (R-FL) and Rick Boucher (D-VA) "put together a good draft to get people's attention," but the bill released last month doesn't go far enough, the report states.
Full Story

PRIVACY LAW—IRELAND

Draft Code To Require Breach Reports (June 10, 2010)

OUT-LAW.COM reports on Ireland's draft code of practice published recently by Data Protection Commissioner Billy Hawkes. The code would require Irish organizations to report data breaches involving the personal information of more than 100 people. Organizations can avoid reporting an incident, however, if the data is encrypted and password protected. In cases involving fewer than 100 people, breaches still must be reported if the information involves sensitive personal data or financial information. The code follows a government-appointed review group's recommendation that guidelines be established regarding when organizations must report data breach incidents.
Full Story

DATA LOSS—U.S.

University Says Additional 25,000 May Be Affected by Breach (June 10, 2010)

More people than originally estimated may have been affected by a data breach at Penn State University, the Associated Press reports. Last week, officials announced that the personal information, including Social Security numbers, of 25,572 alumni had been exposed. But now they say an additional 25,000 may be at risk. Those potentially affected have been cautioned to watch for identity theft, the report states. Universities across the country are increasingly becoming the targets of more sophisticated malware attacks, said a Penn State spokesman, adding that the university has stepped up its security efforts as a result.
Full Story

ONLINE PRIVACY

Cyber Safety vs. Internet Freedom (June 10, 2010)

Concerns about the potential for nations to use the Internet to secretly declare "cyberwar" on each other are bringing to light the challenge of balancing online privacy with public safety. NPR reports that while security experts focus on the "attribution problem" of identifying and tracking down the source of cyberattacks, privacy advocates fear the loss of anonymity for Internet users. Security experts suggest that deterrence in the form of knowing where an attack comes from is needed to prevent countries from secretly using the Internet to disable their rivals' power grids, telecommunications, transportation and banking systems. Privacy advocates, meanwhile, question whether the security benefits will justify the cost to privacy, especially in countries where dissidents depend on anonymity to raise awareness of human rights issues.
Full Story

PRIVACY LAW—NEW ZEALAND

New Criminal Investigation Launched Into WiFi Data Collection (June 10, 2010)

Police in New Zealand are investigating allegations that Google illegally gathered personal data from unsecured wireless networks through its Street View vehicles, The New Zealand Herald reports. The announcement Wednesday evening marks the latest such investigation, with others underway in Hong Kong, Australia and the U.S. "At the moment we are just confirming that we have received a complaint from the privacy commissioner," said Gary Ogilvie of the New Zealand Police, explaining, "The first step will be to assess the complaint before we make any decisions on whether to proceed from there...We can't speculate on what they might be charged with until we look at what they are doing." A Google New Zealand spokesman has said the company is "profoundly sorry" for the mistake.
Full Story

PERSONAL PRIVACY—U.S.

Opinion: Outlawing Anonymity? (June 10, 2010)

A bill in the U.S. Senate aimed at prohibiting pre-paid cell phone sales could mean the end to what "represents perhaps the last opportunity for a person to communicate anonymously," Bob Barr writes in his column for The Atlanta Journal-Constitution. Barr takes aim at the 111th U.S. Congress as curbing "the rights and privacy of all Americans." While the pre-paid cell phone question has come up due to concerns about terrorism and crime, Barr points out that other "law-abiding citizens use such devices regularly." Barr also questions plans to require "black box" computers in American automobiles and expand the government's collection of DNA samples from those arrested for criminal activities.
Full Story

PRIVACY LAW—U.S.

FTC Says No to COPPA Safe Harbor Proposal (June 10, 2010)

The Federal Trade Commission (FTC) has rejected a proposal by an Internet safety education group to operate a self-regulatory program that would allow firms that enroll to comply with the Children's Online Privacy Protection Act (COPPA), reports Tech Daily Dose. In a letter to iSAFE's chief operations officer, the FTC said it rejected the group's application because it failed to meet the FTC's requirements for a safe harbor program and that iSAFE's safe harbor guidelines "would result in lesser protections for children than provided by COPPA itself." According to the commission's requirements, a safe harbor program must provide "substantially similar" requirements to those included in the COPPA rule, among other provisions.
Full Story

ONLINE PRIVACY—U.S.

CDT Responds to Draft Boucher Bill (June 9, 2010)

The Center for Democracy and Technology (CDT) has submitted written comments on the Boucher-Stearns privacy bill, recommending it be revised to include fair information practices, reports MediaPost. The CDT wrote in its comments that while it "generally agrees with the draft's basic framework for notice and choice, including its opt-in and opt-out structure, we are concerned that the strong reliance on consent places the entire burden for privacy protection on consumers." The Interactive Advertising Bureau (IAB), meanwhile, says the bill could put a damper on online advertising, while a group of consumer advocates says it doesn't go far enough to protect consumers' privacy.
Full Story

PRIVACY LAW—U.S.

Ninth Circuit: No Harm, No Foul in Suit Against Gap (June 9, 2010)

The Ninth Circuit Court of Appeals has backed a lower court's rejection of a lawsuit against Gap, Inc., involving the loss of job applicants' private data. In the suit Ruiz v. Gap, Inc., the plaintiff alleged negligence, breach of contract, unfair competition and violations of the California constitution and civil code for the loss of two laptop computers at a third-party contractor for the company, the Technology & Marketing Law Blog reports. The computers contained the personal information of Gap job applicants. The Ninth Circuit court decided that "increased risk of future harm was not sufficient to state a negligence claim under California law," the report states. (Privacy Tracker subscribers, what would you like to know about this case? Send your questions to the Privacy Tracker to be answered on the next monthly call.)
Full Story

PRIVACY LAW—CANADA

Commissioner Releases 2009 PIPEDA Report (June 9, 2010)

For the Office of the Privacy Commissioner (OPC), "2009 was a watershed year," Commissioner Jennifer Stoddart writes in her report to parliament on the Personal Information Protection and Electronic Documents Act (PIPEDA). "The dominant theme of our work in 2009 was the protection of privacy in an increasingly online, borderless world," she notes. The report, which was submitted to parliament Tuesday, highlights such key issues as the "exponential growth" in technology-based investigations. Stoddart notes that while the OPC has been able to apply PIPEDA to tools and business models that did not exist when it came into force, it is essential to review privacy laws and administrative structures to ensure they keep pace with technology. "It is increasingly clear that if data protection authorities want to remain relevant," she writes, "the online world is where they need to be."
Full Story

FINANCIAL PRIVACY—U.S. & SWITZERLAND

Bank Data Deal Coming Undone (June 9, 2010)

A deal negotiated by the U.S. with Switzerland to gather information on Americans with holdings in Swiss bank UBS is on the verge of collapsing, The Washington Post reports. The lower house of Switzerland's parliament voted to prevent the country from turning over the names and financial information of as many as 4,450 Americans with undeclared accounts at UBS, following a ruling by a Swiss court that the deal was illegal. Lawmakers have voted to hold a public referendum on the question. In the U.S., Sen. Carl M. Levin (D-MI), who led a senate probe of UBS, said the U.S. should move forward with legal action and "force UBS to provide the names and account information..." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—UK

ICO’s Fining Power Unused So Far (June 9, 2010)

Although the Information Commissioner's Office (ICO) has had new fining powers for more than two months, it has yet to hand out any fines. "It could be argued that while no fines have been issued, awareness has been raised within business," writes Dan Raywood in SCMagazine. However, a recent Proofpoint survey revealed that more than half of organizations are still not encrypting data. At a recent conference, ICO Deputy Commissioner David Smith said the ICO was "waiting with bated breath for the first of its £500,000 fines to be handed out."
Full Story

DATA PROTECTION—CANADA

Audit: Increased Data Protection Still Needed in Mortgage Brokering (June 9, 2010)

Though mortgage brokers have made strides in protecting personal data, an Office of the Privacy Commissioner (OPC) audit has revealed that more should be done. The OPC conducted the audit after 14 data breaches involving impersonated mortgage brokers downloading credit reports for false applicants. Since then, brokerages have improved data protection, but "we have ongoing concerns about the controls and safeguards in the way in which credit reports are obtained," said Assistant Privacy Commissioner Elizabeth Denham. The OPC details the audit findings in its annual report to parliament, tabled yesterday.
Full Story

HEALTHCARE PRIVACY—U.S.

Hospital to Fire Five for Potential HIPAA Breach (June 9, 2010)

A California hospital will fire five employees and discipline another after it was discovered they posted personal discussions about patients to a social networking site, Gov Info Security reports. An ongoing investigation at Tri-City Medical Center "yielded sufficient information to warrant disciplinary action," said CEO Larry Anderson. The California Department of Public Health confirmed it has also launched an investigation. Anderson said the hospital is working to prevent similar incidents by "re-emphasizing, through employee training and education, the hospital and the employees' ongoing commitment and obligation to protect our patients' privacy."
Full Story

ONLINE PRIVACY

Parnes Weighs in on the Issues (June 9, 2010)

In a Daily Dashboard exclusive interview, Lydia Parnes, a partner at Wilson Sonsini Goodrich & Rosati and former head of consumer protection at the Federal Trade Commission (FTC), discusses the online privacy landscape--self-regulation, online advertising, social networking and disengagement. Parnes notes that the FTC and Congress have made privacy a focus, especially in terms of online advertising. "We will certainly have to address tough issues in the privacy arena," says Parnes, "but we've done so before, and I'm confident that we can do so here as well."
Full Story

PRIVACY—CANADA

Saskatchewan Gov’t Considering Breach Disclosures (June 9, 2010)

The Saskatchewan government is considering the mandatory disclosure of privacy breaches, reports The StarPhoenix. The announcement follows recent high-profile incidents involving data breaches at government entities. Justice Minister Don Morgan said disclosure is optimal for "any kind of significant breach," adding, "I think it would be beneficial for the government to try and develop a practice as to what kind of information would be released when there is a breach." Saskatchewan Privacy Commissioner Gary Dickson has also supported the idea. Without a disclosure system for privacy breaches, he said, "there's really a lack of data showing how often it happens."
Full Story

DATA LOSS—U.S.

FTC Approves Dave & Buster’s Settlement (June 9, 2010)

The Federal Trade Commission (FTC) has approved a final settlement order with entertainment operation Dave & Buster's, settling charges that the company failed to protect consumers' information. According to an FTC press release, the company's inadequacies led to the theft of 130,000 debit and credit cardholders' data, resulting in several hundred thousand dollars of fraudulent charges. To settle the charges, the company will establish a program to protect customers' data and subject itself to biennial audits for the next decade. The FTC vote approving the final order was 4-0, with Commissioner Edith Ramirez not participating.
Full Story

Q&A with Practical Privacy Series: Online Privacy Program Chair Lydia Parnes (June 9, 2010)
Social networking continues to gain popularity and behavioral targeting is increasingly appealing to advertisers and online operators, yet the privacy debate rages on and regulatory threats loom. In this interview, Lydia Parnes, a partner at Wilson Sonsini Goodrich & Rosati and former head of consumer protection at the Federal Trade Commission, discusses the online privacy landscape—self regulation, online advertising, social networking and disengagement.

DATA LOSS

Customers Receive Wrong DNA Results (June 8, 2010)

23andMe, a company that provides genome testing by mail to its customers, has announced that "up to 96" customer samples were incorrectly processed by the company's contracted laboratory. As a result, customers received DNA results that were not their own. In a TechCrunch report, Jason Kincaid says the mix-up "led to some very confused customers and will doubtless help bolster the push to increase regulation for direct-to-consumer genetic testing." 23andMe has notified those customers affected by the mistake and said it is in the process of adding "an extra layer of safeguards to help assure that similar incidents do not occur in the future."
Full Story

ONLINE PRIVACY—UK

Advocates: Businesses “Spying” for Online Complaints (June 8, 2010)

Privacy advocates are concerned about UK companies tracking conversations on social networking sites to monitor customer comments and then contact complainants with solutions, the Daily Mail reports. Critics are saying those unsolicited calls could breach data protection laws, while business executives maintain that the information being gathered is not private. "These are all discussions that can be seen by anyone on the Web," said Warren Buckley of BT. "I would liken it to someone having a conversation in a pub--it's just a very big pub." Simon Davies of Privacy International offered a different perspective, calling the practice "nothing short of outright spying...It may not be illegal but it is morally wrong. And it is unlikely to stop there."
Full Story

ONLINE PRIVACY—U.S.

TRUSTe Receives $12 Million (June 8, 2010)

Online privacy trustmark company TRUSTe announced today that it is receiving $12 million in funding from investors, aimed in part at several initiatives, including new certification programs in social networking, mobile and advertising, according to a company release. Jeb Miller of Jafco Ventures, one of TRUSTe's new investors, described "trust and privacy as the next big wave of online security." According to TRUSTe CEO Chris Babel, "Recent events have shown that consumer privacy remains a hot button for usage of any online service--whether it is social tools or the purchasing of business goods." He said the company plans to "raise the bar and broaden the scope" of its online privacy services.
Full Story

GENETIC PRIVACY—ARGENTINA

Adoptees Balk at DNA Testing (June 8, 2010)

Argentina's National Genetics Bank was set to begin extracting DNA yesterday from the clothing of two citizens who are alleged to have been adopted illegally during the country's Dirty War from 1976 to 1983, the Toronto Star reports. Their DNA will be compared to that of military prisoners from that period whose babies were kidnapped by the military junta. The group The Grandmothers of the Plaza de Mayo, which has been pushing to reunite the kidnapped with their families, wants to prove the parents of Marcela and Felipe Noble Herrera adopted them illegally under these conditions. But the Noble Herreras, now in their thirties, say the grandmothers group and Argentine authorities are violating their privacy.
Full Story

ONLINE PRIVACY—U.S.

Groups Want More from Boucher Bill (June 8, 2010)

A coalition of 10 privacy and consumer groups is calling for stronger privacy protections in the Boucher-Stearns privacy bill, reports MediaProNews. The groups want an expanded definition of sensitive information, strict opt-in procedures for the collection of covered data and the inclusion of Fair Information Practice Principles. The Center for Democracy and Technology (CDT) has also commented on the bill, stating, "While CDT generally agrees with the draft's basic framework for notice and choice, including its opt-in and opt-out structure, we are concerned that the strong reliance on consent places the entire burden for privacy protection on consumers."
Full Story

PRIVACY LAW—EU

Declaration Would Store Web Inquiries for Two Years (June 8, 2010)

Civil liberty groups and some MEPs are calling an EU plan to store Web search inquiries for up to two years an intrusion into citizens' privacy, the Daily Mail reports. Written Declaration 29 aims to serve as an early warning system to stop paedophiles. It would extend the Data Retention Directive--which allows EU member states to monitor and store personal e-mails and other Web activity for up to two years--to all Web search engines. "MEPs should have a serious re-think before supporting this declaration which would open up even more of citizens' personal data to monitoring and abuse," Open Europe spokeswoman Sarah Gaskell said.
Full Story

FINANCIAL PRIVACY—U.S.

Closed Loan Data Lives On (June 8, 2010)

Loan data may be retained for decades after loans are paid off, and according to California-based Privacy Rights Clearinghouse, breaches of more than 354 million records of personal data have occurred in the past five years alone. Advocates believe it is "nearly impossible to trace just how much naked loan data is out there and who may have access to it," The Wall Street Journal reports, cautioning, "it should never be assumed that data is deleted." Even when the Federal Trade Commission's Red Flags Rule goes into effect, the problems will remain, the report states, as the digital footprints we leave travel beyond financial institutions to include everything from automotive dealers to medical offices. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY—AUSTRALIA

National Cyber Security Awareness Week Continues (June 8, 2010)

As National Cyber Security Awareness Week continues, Australia Privacy Commissioner Karen Curtis is hailing the government initiative as an opportunity for government organizations, industry and community groups to work together to promote smart online practices. "The number of ways that people can connect, shop and do business online is increasing all the time," Curtis said in a statement issued on Monday. "However, with this convenience also comes risk, and so people need to make sure that their online security is protected." The week focuses on simple ways to improve online security, including updating security software and being careful about sharing personal information across the Internet.
Full Story

BEHAVIORAL TARGETING

Firefox Has New Plans for Third-Party Cookies (June 8, 2010)

Mozilla, creator of Web browser Firefox, is updating its browser code to "dramatically change the handling of third-party cookies," writes Jules Polonetsky, CIPP, of the U.S.-based Future of Privacy Forum. Comments from Dan Wittes of Mozilla on the company's message board explained that third-party cookies will now only be persistent for a given session, while those who opt out of the default to accept cookies would completely disable them. "So if a user keeps their computer on and browser open, tracking across sites will continue," Polonetsky writes, "but if a user closes their browser, tracking cookies will be deleted."
Full Story

BIOMETRICS—UK

Expert: Brain Scanning Could Invade Privacy (June 8, 2010)

Experts and researchers from around the world will gather in Glasgow today to discuss the use of brain imaging and its potential for exploitation, reports The Telegraph. At the Institute for Advanced Studies event, researcher Burkhard Schafer of the University of Edinburgh will say that, if unregulated, scanners could threaten people's privacy. Scanning could be used to test the validity of candidates' résumés or to analyze the subconscious preferences of consumers, the report states. "After data mining and online profiling, brain imaging could well become the next frontier in the privacy wars," Schafer said.
Full Story

PRIVACY LAW—U.S.

Insurer Says It’s Not Responsible for Breach Costs (June 7, 2010)

A Colorado insurance company has filed a federal lawsuit claiming it is not responsible for reimbursing the University of Utah for costs related to a 2008 data breach, Computerworld reports. Colorado Casualty Insurance Co. was providing breach insurance to the university when sensitive data on 1.7 million patients at the university's hospitals and clinics was potentially exposed, costing the university $3.3 million in breach notification and credit monitoring fees, among other costs. The breach occurred when burglars stole data tapes from an employee of Perpetual Storage, the university's storage provider. Perpetual has filed a motion to dismiss the complaint. A spokesman said, "We obviously think there is coverage."
Full Story

PRIVACY—CANADA

$500K for Privacy Research, Awareness (June 7, 2010)

Privacy Commissioner Jennifer Stoddart has announced the 2010-11 Contributions Program recipients. Thirteen organizations across Canada will receive a combined $500,000 for research and projects to advance privacy awareness and rights. The projects focus on four key priority areas: targeted online advertising, data sharing through national border security programs, video surveillance and online health records. Among this year's recipients are the University of Victoria, which will receive $46,250 to explore tools and licensing programs for online health records, and the University of Toronto, which plans to create a privacy-protective "mobile wallet." Other recipients include Ryerson University, Option Consommateurs and the Public Interest Advocacy Centre.
Full Story

DATA PROTECTION

Hengesbaugh Discusses Challenges, Solutions (June 7, 2010)

BankInfoSecurity spoke with attorney Brian Hengesbaugh, CIPP, about the top privacy and security issues for organizations today. Hengesbaugh is a partner in the Chicago offices of the global law firm Baker & McKenzie, where he sits on the firm's global privacy steering committee. He says U.S. breach notification rules and a proliferation of new privacy laws worldwide are posing some of the day's top challenges. Hengesbaugh says that "A lot of U.S. companies haven't yet realized how strict these privacy laws are," and discusses what businesses should do to comply.

Editor's note: Read Brian Hengesbaugh's Privacy Advisor article about the U.S.-EU Safe Harbor privacy framework here
Full Story

SOCIAL NETWORKING

Opinion: Consider Privacy First (June 7, 2010)

While recent lawsuits against Facebook may pose little in the way of a legal threat, the site should be thinking about privacy any time that it plans changes to its user settings, Wendy Davis writes in MediaPost. Lawsuits related to a glitch that exposed user information to advertisers pose a public relations problem, she writes, but not necessarily a legal one, citing a prior appeals court ruling that consumers need to show harm occurred for a case to proceed. "Litigation aside, Facebook still has to deal with Congress, the Federal Trade Commission, and authorities abroad--where privacy laws are broader than in the U.S.," she writes, adding, "in the future, the company should consider privacy advocates' arguments before making changes to the site, rather than afterwards."
Full Story

PRIVACY LAW—AUSTRALIA

Criminal Investigation Launched Over Data Collection (June 7, 2010)

Australian authorities are launching a criminal investigation into Google's collection of data from wireless networks, The New York Times reports. The focus will be on whether the company violated the telecommunications interceptions act, explained Attorney General Robert McClelland, noting, "my department thought there were issues of substance that were raised that require police investigation." News of the investigation spurred allegations that Australia is targeting Google over its opposition to Internet filter plans, but Communications Minister Stephen Conroy countered that the issue is with "giant companies...who don't seem to believe the Australian laws should apply to them." Google, meanwhile, has responded that the incident was a mistake, and the company is "talking to the appropriate authorities to answer any questions they have." (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY—U.S.

Report: Education Needed to Protect Kids Online (June 7, 2010)

As Congress and the Federal Trade Commission reexamine the Children's Online Privacy Protection Act, a government-appointed review group says parents and educators need to place a greater emphasis on safe Internet practices for children. The Online Safety and Technology Working Group, appointed by the National Telecommunication and Information Administration, delivered recommendations to Congress last week. The Washington Post reports the group recommends that educators coordinate with law enforcement to create a consistent message about online safety and calls for the establishment of a Web-based clearinghouse that would compile frequently updated research. (Registration may be required to access this story.)
Full Story

SOCIAL NETWORKING

Facebook CEO: Site Gives Users Control (June 4, 2010)

Facebook is doing a "reasonable job" of giving its users control when it comes to sharing their personal information on the Web, Facebook CEO Mark Zuckerberg said in an interview with The Wall Street Journal. Based on Zuckerberg's interview, indications are that Facebook will continue to require users to opt out of sharing personal information. "It's never been by default just your friends...It's always been the community around you," Zuckerberg said, adding, "The big feedback we got that really resonated with me is that over time the privacy settings have just become too complex." Zuckerberg suggested that privacy concerns currently centering on the social networking site will eventually pass. (Registration may be required to access this story.)
Full Story

HEALTHCARE PRIVACY—U.S.

State Now Involved in Potential HIPAA Breach (June 4, 2010)

NBC News reports that California state officials are now investigating Tri-City Medical Center for a possible breach of HIPAA laws involving Facebook. Hospital officials have been looking into alleged incidents where employees may have posted patient information onto the social networking site. Hospital spokeswoman Courtney Berlin, however, has refuted the rumor that 26 employees had been fired or suspended. The California Department of Public Health declined to comment on the investigation Wednesday but confirmed that a probe is ongoing.
Full Story

ONLINE PRIVACY

Google To Begin Data Handover, Lawsuit Amended (June 4, 2010)

Google's CEO told the Financial Times the company will begin handing over data intercepted from private WiFi connections to European regulators within the next day or so. Eric Schmidt said the company will release the data to German, French and Spanish data protection authorities first. Google will also publish the results of an external audit into the data collection, in which company vehicles lifted snippets of personal information from unsecured wireless networks while traversing cities and towns to collect photographs for its Street View mapping feature. Google has asserted the collection was inadvertent, but lawyers representing an Oregon plaintiff modified a lawsuit against the company on Wednesday, claiming that a patent application filed in 2008 indicates it was deliberate. (Registration may be required to access this story.)  
Full Story

DATA LOSS—U.S.

Missing Laptops, Unsecure Web Site Create Breaches (June 4, 2010)

Two more medical-related breaches have come to light. AvMed Health Plan officials said yesterday a December data breach involving missing laptops may have affected three times as many customers as previously estimated, bringing the number to more than one million. Meanwhile, University of Louisville Hospital is notifying 708 patients that their medical information was exposed when a physician posted it to an unsecured Web page. Esecurityplanet.com reports that the site, which included names and Social Security numbers, was shuttered less than an hour after its discovery. "We do have a strict university policy when it comes to meeting HIPAA standards," said a university spokesman. "This was just a simple mistake."
Full Story

PRIVACY LAW—EU

MEPs: Declaration 29 Extends Directive to Search Engines (June 4, 2010)

The European Parliament is urging members to sign Declaration 29 in order to combat pedophilia and child pornography, Ars Technica reports. But some say the EU is misleading members into signing the declaration, which would ultimately extend the Data Retention Directive to cover search engines. In a letter to fellow MEPs, Cecilia Wikström wrote, "The Written Declaration is supposed to be about an early-warning system for the protection of children. Long-term storage of citizens' data has clearly nothing to do with 'early warning' for any purpose." Wikström urged those MEPs who may have signed the declaration mistakenly to withdraw their support.
Full Story

DATA LOSS—U.S.

Penn State Alumni Data Exposed (June 3, 2010)

During routine security procedures, Penn State information-technology staff discovered that two campus computers were infected with malicious software, potentially exposing as many as 25,572 alumni Social Security numbers (SSNs), reports StateCollege.com. There is no evidence that the SSNs were inappropriately accessed, and some of the data may have been deleted from the computers prior to the attack, says a Penn State spokesman. The university is notifying all affected alumni and encouraging them to monitor their personal data. According to the report, the university stopped using SSNs as student identifiers in 2005 and the IT department has been removing them from its computer systems.
Full Story

Close-up on COPPA at FTC Roundtable (June 3, 2010)
COPPA continues to generate great debate as evidenced at an FTC roundtable discussion yesterday, where panelists dissected the finer points of the Children’s Online Privacy Protection Act (COPPA).

PRIVACY LAW—U.S.

Close up on COPPA (June 3, 2010)

At the Federal Trade Commission's (FTC) public roundtable yesterday, panelists offered differing views about which aspects of the Children's Online Privacy Protection Act (COPPA) are sufficient and which should be modified to better protect children. The FTC is considering updates to its COPPA rule to address new geolocational technologies and behavioral targeting, among other advancements. Panelists were divided on topics such as the efficacy of the law's "e-mail plus" standard as well as its "actual knowledge" standard, which some say isn't enough to verify a child's age.
Full Story

PRIVACY LAW—AUSTRALIA

Gov’t Amends Health ID Bill (June 3, 2010)

The federal government has amended its Healthcare Identifiers Bill to address privacy and data security concerns, Computerworld reports. The bill would see the storage of all Australians' health records in a national database and has been controversial due to what some have described as a lack of data protection considerations. The new amendments are designed to address those concerns. The bill now includes a right-of-review provision and streamlined requirements around monitoring for unauthorized access to healthcare records, the report states. Health and ageing minister Nicola Roxon said the amendments will make the legislation safer and more secure.
Full Story

DATA PROTECTION—EU

Hustinx: Privacy Should Be Default in “Smart” Environment (June 3, 2010)

Clear rules are needed to mitigate risks posed by a world of ubiquitous smart tags, according to European Data Protection Supervisor Peter Hustinx. At the annual Internet of Things conference yesterday, Hustinx said that smart objects such as appliances equipped with metering technology and geo-enabled devices must have data protection built in. Hustinx also stressed that privacy should be the default in the "smart" environment, and he called for more accountability on the part of manufacturers and vendors. "Controllers should be more in control," Hustinx said. "This is happening in the financial sector, on environmental issues and it should also be the case in the context of data protection."
Full Story

SOCIAL NETWORKING

Yahoo Urges Users to Review Privacy Settings (June 3, 2010)

In preparation for unveiling its new social networking option to its users, Yahoo is advising its 280 million e-mail accountholders to review their privacy settings, the Associated Press reports. Yahoo has posted a privacy reminder in connection with its plans for a new service that will share e-mail users' online activities and interests with their saved contacts unless they disable the feature. Yahoo is trying to avoid a privacy backlash by providing a one-click option for opting out of its new social features.
Full Story

RFID—CANADA

Experts: “Contactless” Credit Cards Pose Security Risks (June 3, 2010)

Most new credit cards in Canada are equipped with embedded radio frequency identification (RFID) chips, which experts caution pose major fraud and privacy concerns, CBC News reports. "Contactless" credit cards need only be waved near a payment terminal in a store for the RFID chip to supply the number and expiration date, the report states, which means that anyone who purchases an RFID reader online could potentially begin accessing accounts without the cardholders' knowledge. In addition to fraud risks for these unencrypted credit cards, experts also warn of other privacy violations, such as employers using card-access doorways to scan employees' RFID credit cards for information on their finances and lifestyles.
Full Story

PRIVACY LAW—U.S.

CO Bill Peeves Privacy Interests, Other States Watchful (June 3, 2010)

Internet Evolution reports on a bill passed by the Colorado legislature that would require all online retailers to furnish the state's tax authorities with a list of residents who have purchased goods. The state wants the information in order to collect sales and use taxes. Critics of the legislation say that in addition to creating an "administrative burden" for online retailers, the requirement would violate the privacy of Coloradans. "Many customers would not be comfortable with the government having that detail of their online purchases," Jerry Cerasale of the Direct Marketing Association suggests.
Full Story

PRIVACY LAW—U.S.

Facebook Suit Alleges Breach of Contract (June 2, 2010)

A California Facebook user is suing the social networking company for an alleged breach of contract, MediaPost News reports. David Gould says the company shared his personal information with advertisers despite assurances in its privacy policy that it would not do so without user consent. Gould alleges that "Facebook advertisers are able to gain the ultimate demographic information" because the company sends "referrer headers" to advertisers, who can then use the data to gather specific users' profile information. He is seeking class-action status, according to the report. Facebook revised its code last month after a Harvard professor confirmed for The Wall Street Journal that social networking sites were sharing such data with advertising companies.  
Full Story

PRIVACY LAW—IRELAND

Draft Code of Practice Calls for Breach Notification (June 2, 2010)

Data Protection Commissioner Billy Hawkes yesterday published a draft code of practice, The Irish Times reports. The code would require data breaches affecting more than 100 individuals and any loss of sensitive personal or financial data be reported to the Data Protection Commissioner's Office. It would provide an exception where the data can be considered inaccessible due to proper security, the report states. The code comes on the heels of recommendations last week by a government-appointed Data Protection Review Group calling for the code of practice as well as for prosecution in cases where organizations or individuals fail to report breaches.
Full Story

ONLINE PRIVACY—CANADA

Commissioner Investigating Google WiFi Collection (June 2, 2010)

Canadian Privacy Commissioner Jennifer Stoddart has launched an investigation into what Internet company Google has described as accidental collection of data from unsecured wireless networks by its Street View vehicles, The Globe and Mail reports. The investigation will determine whether the company violated Canada's Personal Information Protection and Electronic Documents Act (PIPEDA). Referencing concerns about the privacy implications of the WiFi data gathered across Canada and from nations around the world, Stoddart said, "We have a number of questions about how this collection could have happened and about the impact on people's privacy. We've determined that an investigation is the best way to find the answers."
Full Story

PRIVACY LAW—U.S.

Should Doctors Be Exempt? (June 2, 2010)

The Wall Street Journal is asking readers whether doctors should be exempt from the Federal Trade Commission's Red Flags Rule. The American Medical Association thinks so. That group, along with the American Osteopathic Association and the Medical Society of the District of Columbia, sued the commission last week, claiming that physicians who allow patients to defer payment should not be considered as "creditors" subject to the rule. Other healthcare groups have challenged the FTC's application of the rule requiring that businesses have written policies in place to protect customers from identity theft. Last week, the FTC extended the Red Flags enforcement deadline to December 31, 2010. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

FTC Hosting COPPA Roundtable Today (June 2, 2010)

The Federal Trade Commission (FTC) is hosting a workshop today to determine whether the use of new technologies and mobile broadband warrants an update to its rule on the Children's Online Privacy Protection Act (COPPA), Tech Daily Dose reports. The public roundtable comes as the commission embarks on its requisite five-year review of the COPPA rule. The FTC wants to determine whether the rule can be applied to new mobile technologies, interactive television and gaming, the report states. Panelists are debating the law's "actual knowledge" standard and its definition of "personal information," among other topics. The event is being Webcast.
Full Story

DATA LOSS—U.S.

Stolen Laptop Affects 61,000 (June 2, 2010)

Officials at a Cincinnati hospital are increasing employee training after a data breach affecting more than 61,000 patients, Cincinnati.com reports. A laptop containing the patients' records, which were not encrypted, was stolen from the vehicle of a Cincinnati Children's Hospital Medical Center employee. The records contained patient names, medical records numbers and services provided, according to a hospital spokesman. "We need to and are doing a better job of strengthening our encryption practices," the spokesman said. The hospital is notifying those potentially affected.
Full Story

HEALTHCARE PRIVACY—CANADA

Telus Employees Piloting e-Health Platform (June 2, 2010)

Telus will soon launch a consumer electronic health service that chief executive Darren Entwistle says will "revolutionize" healthcare, The Vancouver Sun reports. "Canadians will have the ability to create, store and manage their personal health information across their computers and smartphones and, in the future, TVs," Entwistle said at an e-health conference in Vancouver this week. Currently, 750 Telus employees are piloting the platform, which will enable the secure transmission of health information between providers and patients and will improve the privacy and accuracy of electronic health records, Entwistle says. He expects the service will be available to consumers by year's end.
Full Story

PRIVACY LAW—U.S.

CA Senate Passes Bill to Protect Drivers’ Data (June 2, 2010)

The California Senate passed a bill on Tuesday that aims to restrict the retention, sharing and sale of information collected through automatic vehicle identification systems, reports The San Francisco Chronicle. According to Sen. Joe Simitian (D-Palo Alto), the bill's author, under current law, the state transportation department and Bay Area Toll Authority, among others, can keep and sell data they've collected on travelers. If passed by the assembly, the bill will require the destruction of any data that could be linked to a vehicle or driver within 60 days and prohibit entities from selling or sharing the data.
Full Story

SOCIAL NETWORKING—U.S.

Making the Private Public (June 2, 2010)

The San Francisco Chronicle reports on how the tangled webs of friends, family and associates in the social networking world often reveal information that many of us would rather be kept private. "As the lines between private and public blur, many social network users are actively monitoring and managing their online reputations," the report states. Some experts caution that those embarrassing posts by high school friends are the least of our worries, noting that the information we disclose creates a trail of digital footprints for advertisers, employers, landlords and law enforcement to follow. In an effort to address some of these issues, draft privacy legislation has been proposed by Rep. Rick Boucher (D-VA), with public comment being accepted through June 4.
Full Story

SOCIAL NETWORKING

Yahoo Plans E-mail Networking Service (June 2, 2010)

Yahoo will soon be entering the social networking fray with a new service that uses its 280 million e-mail subscribers' contact lists to create a base for sharing information on the Web, The Washington Post reports. Users will be able to exchange such information as comments and photographs, but their contacts will not be shared publicly, the report states. In an effort to address privacy concerns, the company has said it will give users a week's notice before launching the new features and will also provide a simple one-click function for opting out entirely. "We've been watching and trying to be thoughtful about our approach," said Anne Toth, Yahoo's head of privacy. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY—U.S.

Privacy at Heart of OMB Cookie Ban Review (June 1, 2010)

The Office of Management and Budget (OMB) is expected to complete its revision of the White House ban on federal sites' use of Web-tracking devices this month, Nextgov reports. The so-called cookie policy took effect in 2000 but has been under review due to concerns that the ban is too restrictive. At issue, should the tracking prohibition be lifted, is how to protect the privacy of those who visit federal sites. While some want visitors to be able to opt out of having their data collected by the sites, others say that simple instructions to help site visitors control tracking using their browser settings would be a better solution.
Full Story

PRIVACY LAW—AUSTRALIA

Privacy Foundation Says HI Bill Lacks Safeguards (June 1, 2010)

The Australian Privacy Foundation (APF) says the nation's Healthcare Identifiers Bill lacks the safeguards necessary to protect patient privacy, The Australian reports. APF spokeswoman Dr. Juanita Fernando says the bill would authorize health authorities to disclose and use patients' health information in ways the patient may not approve of, which could erode patient-doctor trust. "Can you imagine the damage to our health as patients start to distrust the confidentiality of their medical records and become more reluctant to be frank about their symptoms?" she asked. Far safer e-health systems already exist in some Australian states, Fernando said.
Full Story

ONLINE PRIVACY

Google To Offer WiFi Data Compromise (June 1, 2010)

Google has said it will propose a compromise solution this week on data it collected from private WiFi networks through its Street View vehicles and will also respond to separate concerns from Europe's Article 29 Working Party. Financial Times reports that the company is facing a "dilemma" between requests by data protection authorities in Germany, France and Spain asking Google to hand over hard drives containing the data and concerns from other privacy advocates, including the U.S.-based Electronic Frontier Foundation, that handing over the hard drives would be an additional invasion of privacy. According to a company statement, "We are working through it and will have some answers for the data protection authorities during the course of the week." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

FTC Extends Red Flags Enforcement Deadline (June 1, 2010)

The Federal Trade Commission (FTC) has extended the enforcement deadline of its Red Flags Rule again. According to an FTC press release, the new enforcement deadline is December 31, 2010. The commission says the extension comes at the request of several members of Congress who are considering legislation related to the scope of the rule. FTC Chairman Jon Leibowitz said, "Congress needs to fix the unintended consequences of the legislation establishing the Red Flags Rule--and to fix this problem quickly."
Full Story

DATA LOSS—CANADA

UHN Laptop Stolen; Patient Data Accessible (June 1, 2010)

University Health Network (UHN) has informed patients and the privacy commissioner that a laptop containing the personal health information of about 20,000 surgical patients was stolen from an employee's car. A UHN press release states that the laptop's encryption had failed, making accessible names, types of surgeries and, in some cases, phone numbers of surgical patients who used the hospital system between 2004 and 2010. UHN has deemed that the laptop was likely stolen for its resale value, not for the data it contains and that the risk for misuse of the data is low. The system will send letters to patients whose phone numbers are on the laptop and will review its procedures and intensify employee education.
Full Story

DATA PROTECTION—UK

ICO Sends Warning as Data Breach List Nears 1,000 (June 1, 2010)

As its list of reported data breaches nears 1,000, the Information Commissioner's Office (ICO) is urging organizations to minimize risks, Insurance Age reports. The ICO's Security Breaches Report, which lists reported data loss incidents since 1998, shows NHS at the top with 305 reported breaches, followed by a private organization with 288. Deputy Information Commissioner David Smith is urging companies to have security and disclosure procedures that staff can understand and that are properly implemented. "We all know that mistakes can happen, but the fact is that human error is behind a high proportion of security breaches that have been reported to us," Smith said.
Full Story

ONLINE PRIVACY—U.S.

Facebook, Google to Answer Lawmaker’s Questions (June 1, 2010)

Google and Facebook will respond to requests from House Judiciary Committee Chairman John Conyers Jr. (D-MI) to address recent privacy concerns related to both companies. Conyers wrote to the two companies on Friday, the Los Angeles Times reports, stating that he wants CEO Mark Zuckerberg to explain Facebook's privacy practices and Google CEO Eric Schmidt to retain records related to personal information the company collected through unsecured wireless networks. Meanwhile, a "Quit Facebook Day" organized in protest of the company's sharing of user information reportedly garnered few followers, raising questions about how widespread the concerns over Facebook's privacy policies are. The House Judiciary Committee is considering hearings and legislation related to Facebook and Google "to ensure that privacy concerns are as paramount as creativity to these and all Internet companies," Conyers said.
Full Story

ONLINE PRIVACY

New Companies Bank on Privacy (June 1, 2010)

In the wake of recent backlash against Facebook and Google over their handling of user information, The San Francisco Chronicle reports that "a slate of ambitious online startups are aiming to squeeze into the fields of social networking and search by touting a stronger focus on privacy." In such privacy-focused social networking projects as Diaspora, Appleseed and OneSocialWeb as well as search engines like Yauba, Ixquick and Duck Duck, a strong focus on privacy is included as part of the package, the report states. And while market analysts do not see privacy as the sole factor to draw users from one service to another, Ryan Calo, whose company reviews Web applications based on privacy, security and openness, believes companies have begun to use privacy as a business differentiator.
Full Story