Privacy News | Daily Dashboard


Top Privacy News

PRIVACY LAW—U.S.

Boucher: Bill Will Move Forward (September 30, 2010)

At an event on Capitol Hill yesterday, Rep. Rick Boucher (D-VA) said that his online privacy legislation will be introduced early in the next congress, Tech Daily Dose reports. Boucher drafted the legislation with Reps. Cliff Stearns (R-FL) and Bobby Rush (D-IL). "We want to make sure that electronic commerce is enhanced by giving to consumers privacy protections that they don't have today," Boucher said. The legislation aims to give users more control over how their personal information is collected and used. Among other requirements, it would let users opt out of information collection.

ONLINE PRIVACY—U.S.

Leibowitz: FTC Privacy Report Coming (September 30, 2010)

Federal Trade Commission (FTC) Chairman Jon Leibowitz has confirmed that the commission will publish an online privacy report in the coming months. At an event on Wednesday, Leibowitz said the report, which will include recommended privacy guidelines, will be released in late October or early November, the report states. The report will include guidance based on the findings of the commission's three privacy roundtables in 2009 and early 2010. Leibowitz said the report is in the hands of the commissioners. FTC Consumer Protection Bureau Director David Vladeck discussed the report in his keynote address this morning at the IAPP Privacy Academy.

PRIVACY LAW—UK

ICO To Fine Companies in Breach of DPA (September 30, 2010)

The Information Commissioner's Office says it is in the process of imposing fines against two organizations found to be in breach of the Data Protection Act, reports V3.co.uk. "This will be a landmark moment in ensuring that firms take data protection seriously," said Deputy Information Commissioner David Smith, adding that his office will now actively use its fining powers. The office has been criticized in the past for not using such powers, the report states. Smith added that businesses should provide users with transparent privacy settings that at least provide a minimal layer of protection.

PRIVACY LAW—U.S.

Schwarzenegger Signs Toll Privacy into Law (September 30, 2010)

California Governor Arnold Schwarzenegger yesterday signed into law a bill designed to protect the privacy of toll users, the Sacramento Bee reports. SB1268: Electronic Toll Collection Privacy prohibits transportation agencies from selling or sharing drivers' information gleaned from automatic toll pay systems and imposes data destruction requirements. In a statement on his Web site, State Sen. Joe Simitian (D-Palo Alto), author of the legislation, said, "There's just no reason for a government agency to track the movements of Californians, let alone maintain that information in a database forever and ever." The law will take effect January 1, 2011.

PRIVACY LAW—U.S.

Judge: Facebook Posts Admissible as Evidence (September 30, 2010)

The Wall Street Journal reports that a Suffolk County, NY judge has ruled in a personal-injury lawsuit that material posted to online social networks--even when posted behind privacy settings--can be used as evidence in court. In the case, a woman sued the manufacturer of an allegedly defective office chair for injuries she claimed to have suffered when she fell out of her seat. Pictures and posts on Facebook indicated the woman wasn't as disabled as she'd claimed. The judge ruled that users consent to the sharing of their personal information when they sign up to such sites. "Indeed, that is the very nature and purpose of these social networking sites, or they would cease to exist." (Registration may be required to access this story.)

CONSUMER PRIVACY

Document-Sharing Service Changes Privacy Defaults (September 30, 2010)

Media Post reports on changes that document-sharing service Scribd made to its privacy defaults this week. Earlier this year, the company deployed its Readcast feature, which broadcasts the documents individuals download to other Scribd users, the report states. The feature used an opt-out default until this week, when Scribd changed its default setting to opt in. Santa Clara University law Prof. Eric Goldman discussed the former opt-out setting in a recent blog, saying he didn't feel he received adequate notice and that "People don't want to automatically publicly announce the documents they are reading."

ONLINE PRIVACY

Apps That Overshare (September 30, 2010)

According to a study conducted by Duke University, Penn State and Intel Labs, of 30 applications for the Android smartphone studied, two-thirds exhibited "suspicious handling of sensitive data." InfoWorld reports that 15 of the applications sent users' geographic location to remote advertisement servers, even if users had specified that the app only access that data to unlock location-based features. According to the study, the loophole exists because apps have only "coarse-grain controls" for accessing personal information, but few regulations over how the data can be used.

BEHAVIORAL TARGETING

Web Analytics Code of Ethics (September 30, 2010)

The Wall Street Journal interviewed Eric Peterson and John Lovett of consulting firm Web Analytics Demystified about their efforts to create a code of ethics for Web analysts to clarify "what this stuff can be used for, and more importantly, can't be used for." The consultants credit a recent WSJ series, "What They Know," for opening their eyes to the fact that there was no "consistent platform" for the field. The pair has proposed the creation of a certification program which could grow to become a trustmark. (Registration may be required to access this story.)

ONLINE PRIVACY

Advocacy Group Continues Campaign (September 30, 2010)

The advocacy group Consumer Watchdog is continuing its attempt to engage Google executives in a debate over privacy using a Times Square Jumbotron. The group is displaying a 30-second video this week while AdWeek is underway in New York, reports USA Today. Consumer Watchdog previously sent a letter to Google executives offering to coordinate a privacy debate and has asked the company to implement options for users to control whether they are tracked online.

IDENTITY THEFT

Study: Fewer Headlines Means Fewer Fears (September 30, 2010)

Forbes reports on a study released this week showing that about 25 percent of consumers now subscribe to identity theft protection services, down 42 percent since 2008. The reasons for the drop are tight budgets and a lack of major data breach headlines over the past year, according to analyst Robert Vamosi. Though the number of breaches this year is still expected to rise, the number of individual records breached has fallen more than 90 percent compared with last year due to the lack of a major breach exposing thousands or millions of records at one time. "Without those massive attacks and the headlines that follow, concerns about identity fraud are lessened," Vamosi said.

PRIVACY LAW—U.S.

Do Corporations Have the Same Privacy Rights as People? (September 29, 2010)
The Supreme Court has agreed to hear a case involving AT&T Corp. to determine whether corporations are eligible for the same protection as individuals in Freedom of Information Act (FOIA) requests, The Wall Street Journal reports.

PRIVACY LAW—U.S.

Government to Request Online Communications Data (September 29, 2010)

The Obama administration intends to ask congress next year for new regulations to make wiretapping the Internet easier, which, advocates say, poses a threat to online privacy. The proposal would require Internet companies to create easy ways for the government to monitor Internet communications, The New York Times reports, though the government would still need legal approval to intercept and decode encrypted messages. Major Internet companies have yet to comment on the plan. Lee Tien, an attorney at the Electronic Frontier Foundation, said there are "obvious civil liberty and privacy issues." (Registration may be required to access this story.)

PRIVACY LAW—SOUTH KOREA

App Developer, Smartphone Company Charged for Data Storage (September 29, 2010)

Seoul prosecutors have charged a South Korean company with illegally collecting customers' personal information via a smartphone application, AFP reports. The Seoul District Prosecutors' Office has accused financial television station TomatoTV of illegally storing 83,000 users' mobile ID codes on its server without disclosing to users that the information was being stored, which is a violation of telecommunications and privacy laws. The developer of the app--which allows users to check live stock market prices--has also been charged. "This case will offer guidelines on what information should be protected as privacy and highlight that app developers should pay more attention to collection and management of private information when developing new programs," the prosecution said.

PRIVACY LAW—U.S.

Maine Won’t Collect Student SSNs, for Now (September 29, 2010)

The Maine Department of Education has announced it will delay the submission of student Social Security numbers (SSNs) to the state after a flaw was discovered within the system, the Sun Journal reports. A technology director for one of the state's school systems discovered that it was possible to view restricted information, such as SSNs of staff in various districts, through the state database. The department was to implement a new law this fall to require schools to solicit children's SSNs, though it did not require parents to provide them. The Maine Civil Liberties Union said last week that the law could be repealed after 14 school committees voted to recommend parents not provide the numbers.

HEALTHCARE PRIVACY—CANADA

OPC To Audit Veterans Affairs (September 29, 2010)

Privacy Commissioner Jennifer Stoddart will audit the department of veterans affairs, the Toronto Sun reports. Allegations emerged last week that government officials had inappropriately accessed and shared the healthcare records of Canadian Forces veteran Sean Bruyea, and since then another vet--Veterans Ombudsman Col. Pat Stogran--has come forward with similar allegations. Commissioner Stoddart has been investigating the Bruyea allegations for several months. A statement released by her office on Tuesday said that the preliminary findings of that investigation "raised concerns about the possibility of systemic privacy issues," prompting plans for an OPC audit. The audit "will examine the department's policies and practices against federal privacy requirements," according to the statement.

DATA LOSS—UK

Law Firm Alleged To Have Exposed Data (September 29, 2010)

The Information Commissioner's Office (ICO) is investigating a breach involving the personal data of 10,000 people, reports eWeek. The firm ACS:Law is at the center of the investigation due to allegations that the firm exposed the data on its Web site. ACS:Law has been tracking Internet users suspected of illegal file sharing, according to the report. On Monday, Privacy International announced that it is planning legal action against the firm for the breach. The ICO said it will be contacting the firm "to establish further facts of the case and to identify what action, if any, needs to be taken."

STUDENT PRIVACY—U.S.

States Need Guidance on Data Collection (September 29, 2010)

The Government Accountability Office (GAO) released a report saying that states need better guidance on acceptable use and collection practices under the Family Educational Rights and Privacy Act (FERPA) for postsecondary education and employment data. According to the GAO study, 26 states collect some employment-related data on postsecondary graduates to use for various purposes, but "many states are unsure about how to collect and share the information while still protecting student privacy under FERPA." The GAO outlines potential approaches for collection and recommends that education officials clarify the appropriate means of collection and sharing of graduates' employment information under FERPA.

DATA LOSS—U.S.

Hospital Exposes Patient Data “Snippets” (September 29, 2010)

New York-Presbyterian Hospital/Columbia University Medical Center announced Monday that pieces of 6,800 patients' data were mistakenly exposed on the Internet, reports The New York Times. The data included names, ages, surgical status and vitals, but not diagnoses, according to the report. A hospital spokeswoman attributed the breach to human error and said there is no evidence that the information has been inappropriately accessed. The hospital has apologized and is in the process of notifying affected patients. (Registration may be required to access this story.)

ONLINE PRIVACY

Rosen Discusses Challenges, Solutions (September 29, 2010)

In an interview with Bank Info Security, Jeffrey Rosen, author of The Naked Crowd and past IAPP keynote speaker, outlines privacy challenges for individuals and corporations, the evolution of privacy as a worldwide concern and what the future may hold. According to Rosen, the biggest threat to privacy is "the fact that the Internet never forgets." What people want, he says, "is the ability to control their entire reputation, which in the end is an unrealistic hope but an understandable one." Rosen says expiration dates for online information are the best approach. "Inevitably we are going to make mistakes and say things we shouldn't and reveal things we shouldn't. The question is, how do we escape from these errors?"

PRIVACY

Opinion: The Right To Be Left Alone Disappearing (September 29, 2010)

A Providence Phoenix editorial ponders the concept of privacy from the beginnings of civilization to present day, noting its definitional refinements as contexts have changed. The modern definition of privacy in the U.S. formed in dissent to a 1928 Supreme Court case on wiretapping, Olmstead v. the United States, the report states, when Justice Louis Brandeis wrote that "The makers of our Constitution...conferred as against the government the right to be left alone." That right may be what Americans risk losing with the advent of technologies such as social networking sites. "There are no precedents," the report states. "That is why this is all so frightening to some and exciting to others."

SOCIAL NETWORKING

Patient Data Sharing Spurs Concerns (September 29, 2010)

Even as medical identity theft becomes more prevalent, some patients are voluntarily posting their personal medical details on healthcare-related social networks, DarkReading reports. And while some divulge the information (diagnoses, medications, locations) readily, some experts worry that other patients are participating under the mistaken assumption that their posts are anonymous, thereby making themselves vulnerable to social engineering and other attacks. Nitesh Dhanjani of Ernst & Young says a patient's identity could be ascertained by linking it to data posted on other social networks. "We know...that with one handle and any one piece of data you have in Facebook, you can easily connect the dots and link everything up," Dhanjani said. (For more on patient data sharing, see the article "Health Information-Sharing Environment" from the September 2009 issue of Inside 1to1: Privacy.)

PRIVACY LAW—CANADA

FISA Tweaked, Reintroduced (September 28, 2010)
The government has reintroduced its anti-spam legislation, Bill C-28, the Fighting Internet and Wireless Spam Act (FISA), after addressing concerns raised during the review of a similar bill that died in parliament last year, reports The Lawyers Weekly.

FINANCIAL PRIVACY—U.S.

U.S. Asks Banks for International Transfer Data (September 28, 2010)

U.S. authorities yesterday signaled their intention to monitor almost all bank transactions to and from the U.S., a move that is eliciting privacy concerns, the Associated Press reports. The Treasury Department's Financial Crimes Enforcement Network has asked banks to report international transactions of $1,000 or more to help detect international crimes, the report states, to take effect in 2012 if passed. Currently, only transactions of $10,000 or more are reported. Marc Rotenberg, director of the Electronic Privacy Information Center, said the plan is likely to renew a long-running battle between U.S. and European governments over the disclosure of financial transactions, as evidenced by recent SWIFT negotiations. "It is a tremendous overreach by the U.S. government," Rotenberg said.

ONLINE PRIVACY—U.S.

Experts: Data Is Currency (September 28, 2010)

Web users' data is a commodity. That is the consensus reached by a privacy advocate and a digital marketer, Tech Daily Dose reports. Jeff Chester of the Center for Digital Democracy and Linda Woolley of the Digital Marketing Association have very different views on what the government's role should be in protecting online privacy, the report states, but both share a similar view on personal data. "Consumers have to understand personal data is a commodity," said Woolley, and Chester noted that what people do online is "the new currency...Data is power." However, while marketers contend that too much federal regulation will jeopardize the ad model on the Web, Chester suggests, "The idea that the Internet is going to go bankrupt if we protect privacy is absurd."

HEALTHCARE PRIVACY—U.S.

Privacy Concerns Hinder Electronic Health Record Adoption (September 28, 2010)

Though electronic health records (EHRs) could reduce costs in the U.S. by $80 to $100 billion each year, a lack of public support due to privacy concerns has hindered their progress. That's according to a forthcoming report from researchers at North Carolina State University, which outlines steps to be taken to boost privacy and promote the use of EHRs, such as creating civil penalties for those who violate use of the records, Science Blog reports. One of the report's authors says concerns about privacy in the use of EHRs are not unfounded. "We are moving in the right direction in regard to putting better privacy protections in place, but we have a long way to go," he said.

BIOMETRICS—INDIA

Cabinet Passes Unique ID Project, Privacy Concerns Persist (September 28, 2010)

Last week, the Union Cabinet approved the bill that will assign each citizen a unique identifying number, but sidestepped provisions on personal privacy related to profiling and function creep, the Indian Express reports. The drafted National Identification Authority of India Bill includes provisions on abuse of the number and the national database, but does not address concerns outlined in a cabinet committee's previous draft note, according to a senior United Progressive Alliance functionary. Civil liberties advocates have said the legislation does not adequately protect citizens' privacy and leaves room for abuse, particularly provisions which allow for government access to the data in certain situations. One advocate said the bill doesn't prevent minority profiling or protect biometric data.

DATA LOSS—U.S.

Hospital Notifies 1,200 of Breach (September 28, 2010)

St. Vincent Hospital of Indianapolis has notified 1,200 patients that their personal information may have been compromised following the theft of a laptop from an employee's home, TheIndyChannel reports. The computer contained Social Security numbers and personal health information, though there is no indication the information has been accessed. St. Vincent's privacy officer said the hospital is taking steps to avoid future incidents and will install security software on its laptops. "We are committed to protecting the confidentiality and privacy of our patients and will continue to implement administrative, technical and physical safeguards against unauthorized disclosures of protected health information," he said.

ONLINE PRIVACY

TRUSTe To Grant Stamps of Approval for Apps (September 28, 2010)

The New York Times reports that TRUSTe will begin granting worthy mobile sites and apps a privacy stamp of approval next week. The company will certify those sites and apps--as it does for Web sites--that adhere to certain privacy requirements. Those that pass can display the TRUSTe seal of approval on their site, to indicate to consumers that their personally identifiable information (PII) will be appropriately handled. The privacy guidelines were established after consulting with Web companies, the Interactive Advertising Bureau and others, according to TRUSTe's chief executive, who said the company tests each app on different platforms and carriers to see how it treats PII. (Registration may be required to access this story.)

PRIVACY—CANADA

Daycare Livestreams Kids and Workers (September 28, 2010)

Webcams installed in a Calgary daycare years ago offer parents an opportunity to check in on their kids throughout the day and have been a big hit, reports CBC News, but Alberta's Office of the Privacy Commissioner (OPC) is taking note. Parents sign up for the service and receive a password, which changes monthly for security reasons, and according to the daycare's director, there's only been one case where a parent didn't want their child recorded. Jill Clayton of the OPC said that the office hasn't received any complaints but that parental consent is key, and there may be "some concerns about having employees on camera all day long and then monitoring that activity."

ONLINE PRIVACY—U.S.

FTC’s Vladeck: Web Awareness Needed (September 27, 2010)
David Vladeck, director of the Federal Trade Commission (FTC) Bureau of Consumer Protection, spoke with AdvertisingAge recently on emerging online privacy and behavioral targeting issues. While Vladeck said he does not believe most people have a problem with companies gathering information specifically to deliver targeted ads if they are informed, he noted that "one of our principal concerns here at the FTC is that consumers generally don't realize they're being tracked."

ONLINE PRIVACY—U.S.

Consumer Control at Heart of Forthcoming FTC Report (September 27, 2010)

The Wall Street Journal reports on the forthcoming U.S. Federal Trade Commission (FTC) report about online privacy. As reported by Christopher Wolf of Hogan Lovells, the FTC is expected to release the report in the coming months. It will focus on three major aspects--privacy by design, improved consumer choice and the need for improved transparency. "Our whole report is about consumer control," FTC Associate Director Maneesha Mithal told a forum in Washington, DC, on Friday. According to Wolf, the report will build on the findings of the commission's three online privacy roundtables in 2009 and 2010. Editor's note: For those of you attending this week's Privacy Academy in Baltimore, FTC Bureau of Consumer Protection Director David Vladeck will deliver a keynote address. (Registration may be required to access this story.)

PRIVACY LAW—U.S.

Companies Call for ECPA Overhaul (September 27, 2010)

Bloomberg reports on the call for an overhaul of the Electronic Communications Privacy Act (ECPA) to improve privacy while benefitting such services as cloud computing. When it comes to cloud computing, "the law needs to catch up," Brad Smith, Microsoft's general counsel, said after a congressional hearing on ECPA last week. Technology companies and law enforcement officials shared differing perspectives on the next step for the law, which was first enacted in 1986. As Michael Hintze of Microsoft Corporation put it, the principal force driving the need for online privacy reform is a "mismatch between these new computing technologies" and the provisions for privacy protection in ECPA.

STUDENT PRIVACY—U.S.

Teacher Resigns after FERPA Violation (September 27, 2010)

A Texas elementary school teacher has resigned after posting photos and personal information of her students online, the Austin American Statesman reports. The first-grade teacher, who had previously won the school's "Teacher of the Year" award, allegedly violated the Family Educational Rights and Privacy Act (FERPA) by posting photographs of her students along with information about them in her public blog, the report states. The posts were "a clear violation of the federal student privacy right statute and a matter that the district takes very seriously," district officials said in a statement, noting, "As soon as the district became aware of the blog, the teacher voluntarily removed the content and tendered her resignation."

PRIVACY LAW—U.S.

Social Networking Sites Fair Game for Evidence (September 27, 2010)

The Boston Herald reports on a New York Bar Association opinion that lawyers can ethically use social networking sites to gather information on opposing parties in lawsuits. The explosion in the use of networks like Facebook and MySpace raises new legal questions about privacy rights, the report states, but an opinion released last week by the bar's Committee on Professional Ethics says the sites can be used to gather such information as long as it is publicly accessible. Attorneys cannot ask someone with private access to a person's page to gather information for them, nor deceptively "friend someone," for example.

DATA LOSS—U.S.

Checks Mailed To Compensate Victims (September 27, 2010)

The Federal Trade Commission (FTC) began sending checks for $18.17 last week to 14,023 victims of the 2008 ChoicePoint breach, eSecurity Planet reports. The checks are part of ChoicePoint's settlement with the FTC and are intended to compensate its customers for the cost of monitoring their credit after the 2008 breach. That breach followed an earlier breach, for which the company was ordered to conduct independent assessments of its data security program through 2026 and agreed to pay $10 million in civil penalties and $5 million in consumer redress to the FTC. The 2008 breach settlement expanded that security program and required checks be sent directly to victims.

FINANCIAL PRIVACY—GERMANY

Data Collection Practice Blasted (September 24, 2010)
Germany's largest cashless payment network gathered and shared customer spending information, prompting data protection experts and government officials to lambast the practice of surreptitiously collecting customer data, according to The Local.

PRIVACY LAW—U.S.

ECPA Reform Needed Now (September 24, 2010)

Those speaking at the House Subcommittee on the Constitution, Civil Rights and Civil Liberties for the "ECPA Reform and the Revolution in Cloud Computing" hearing on Thursday seem to agree that the time has come to reform the Electronic Communications Privacy Act (ECPA). Committee Chairman Jerrold Nadler (D-NY) suggested the focus should be on protecting market, consumer and law enforcement interests, noting, for example, that the same data stored in the cloud has less legal protection than if stored on a home computer. Michael D. Hintze of Microsoft Corporation, who was one of the panelists at the event, said the key will be to create appropriate standards that strike a balance between legitimate law enforcement needs and user privacy.

PRIVACY LAW—U.S.

Privacy on the Agenda Regardless of Election Outcomes (September 24, 2010)

Tech Daily Dose reports that privacy is likely to be on the agenda of the House Energy and Commerce Communications Subcommittee no matter which party controls the house in the next congress. That's because both subcommittee chairman Rick Boucher (D-VA) and subcommittee member Cliff Stearns (R-FL) say they will push forward on comprehensive legislation, including a possible overhaul of the 1996 telecommunications act to improve its functionality and update it to reflect new services offered by telecom companies. Boucher and Stearns drafted privacy legislation in May, which has elicited much input from stakeholders.

PRIVACY LAW—U.S.

Maine SSN Law Could Face Repeal (September 24, 2010)

The Sun Journal reports that in response to a Maine law requiring schools to ask for students' Social Security numbers (SSNs) but not requiring parents to provide them, school committees in 14 cities and towns have recommended parents not give their children's SSNs to schools. A Maine Civil Liberties Union spokeswoman said, "School leaders are taking a stand for privacy." She added that several legislators are looking at sponsoring bills to repeal the law, which aims to gauge the success of school districts by tracking students into adult life. Its sponsor, Sen. Peter Mills (R-Skowhegan), said that long-term tracking is the "key to evaluation and performance" and that schools already deal with sensitive information.

FINANCIAL PRIVACY—U.S.

Do Mortgage Applications Require Too Much Info? (September 24, 2010)

"How easy is it for someone to learn all about you from your mortgage loan application?" the Chicago Tribune asks in a report on privacy questions about the annual reporting of such data to regulators. There are 26 types of data reported under U.S. law, and that includes such information as a property's general location and loan amount as well as the race, ethnicity, sex and annual income of the applicant, the report states, with additional data such as a borrower's age and credit score soon to be collected as part of the Wall Street Reform and Consumer Protection Act. Some community organizations would also like to see data on debt-to-income ratios, loan performance and loan servicers to track abusive lending patterns and foreclosures, the report states. When it comes to such requests, Bob Belair of Oldaker, Belair & Wittie LLP told the Daily Dashboard, "The principle here is that for community groups' purposes, to evaluate the way lending is occurring they don't need any personally identifiable information." Under existing law, he said, such data is confidential, and aggregate, statistical data will provide what is needed for such groups' research purposes.

DATA THEFT—U.S.

Files Stolen, Suspect Arrested (September 24, 2010)

A suspect has been arrested for stealing more than 33,000 medical records from the Martin Luther King, Jr. Multi-Service Ambulatory Care Center (MLK-MACC) in California. MLK-MACC discovered the breach on July 29 and began an investigation, during which an employee admitted to stealing the files for their paper value, reports CMIO. According to the report, the files contained names, addresses, dates of birth, medical record numbers, finance batch numbers and genders of patients who received outpatient care at MLK-MACC between January and October of 2008. The facility will send letters to affected patients this week.

PRIVACY LAW—U.S.

Will the Third Time Be a Charm? (September 24, 2010)

At a Senate Consumer Protection, Product Safety and Insurance Subcommittee hearing on Wednesday, Sen. John Rockefeller (D-WV) said he intends to report the 2010 Data Security and Breach Notification Act out of committee in next week's markup. "It is my sincere hope that this time--the third time--is the charm," he said. Nextgov reports that the bill would require businesses to implement data security measures to protect consumers' personal data and notify them in the event of a security breach. The Federal Trade Commission spoke in support of the bill this week, but also recommended broadening the notification requirement to include data held in forms other than electronic, among other additions.
Full Story

ONLINE PRIVACY

Cookie Legality Questioned (September 24, 2010)

From the U.S. to the EU, concerns about the use of Flash cookies for online ad targeting purposes abound, ClickZ reports. And it's not just privacy advocates who are worried, the report states, with concerns also being expressed by regulators, consumers and even the advertising industry. From lawsuits in the U.S. against behavioral targeting companies to the recent statement by European Commissioner Neelie Kroes that such practices violate EU law, the questions about cookies are not going away. "If a consumer removes or blocks a cookie from their system, then a company has to respect that," said Alexander Hanff of the UK-based Privacy International, adding, "if they then go and use surreptitious methods to reinstall that cookie against the consumer's will, they are committing an offense."
Full Story

PRIVACY LAW—U.S.

FTC Reaches Settlement with Data Broker (September 23, 2010)

The Federal Trade Commission (FTC) has reached a settlement with the online data broker US Search after finding that the company failed to live up to its privacy promises. The company will reimburse 5,000 customers for fees they paid to "lock" their personal information, PCWorld reports.

PRIVACY LAW—CANADA

Commissioner Launching New Investigation (September 23, 2010)

The Ottawa Citizen reports on the announcement yesterday by Canada's privacy commissioner that though Facebook has resolved privacy concerns raised in a 2008 complaint, she will launch fresh investigations into new features on the site. Commissioner Stoddart will explore concerns about Facebook's "like" and invitation features, which didn't exist at the time of her yearlong investigation in 2008. Stoddart says the pace of change has created these new privacy concerns. The like button allows users to vote on products and media stories and allows Facebook to collect information about the users' viewing habits and IP addresses, the report states.
Full Story

DATA LOSS—U.S.

Thousands Have HIV Status Disclosed (September 23, 2010)

Advocacy groups are criticizing the California Department of Healthcare Services for releasing the names of about 5,000 residents with HIV to a healthcare contractor, while Alaska officials fear a breach at the Alaska AIDS Assistance Association may have compromised the information of 2,000 individuals. According to Bay Area Reporter, Lambda Legal Defense and Education Fund, the American Civil Liberties Union of Northern California and the HIV and AIDS Legal Services Alliance sent a letter to the department stating they are "shocked and dismayed by the department's blatant disregard of both California law and the privacy of HIV-positive Californians," while a spokesman for the department has said it abided by all confidentiality provisions required by law.
Full Story

PRIVACY LAW—EUROPE

Commissioner: Self-Regulate or Face Intervention (September 23, 2010)

Online advertisers and technology companies must act quickly if they want to avoid regulation, European Digital Commissioner Neelie Kroes said recently. At the European Roundtable on the Benefits of Online Advertising for Consumers in Brussels last week, Kroes said the industry should adopt four key principles of self regulation to enhance users' trust in the online economy, The Financial Times reports, including notice of personalized ads and opt-in affirmation for cookies. "The alternative is a more interventionist approach. If you don't want to see that, then you need to act quickly and responsibly," Kroes said, adding that "What is helpful to one citizen is an invasion of privacy to another." (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY—U.S.

Senate Committee Discussing ECPA Today (September 23, 2010)

Changes to the Electronic Communications Privacy Act (ECPA) will be a priority for the Senate Judiciary Committee, PCWorld reports, with a hearing scheduled for today. The 24-year-old law on how law enforcement agencies can obtain electronic records needs to be updated to address modern technology and privacy expectations, said Sen. Patrick Leahy (D-VT), noting, "The content of a single e-mail could be subject to as many as four different levels of privacy protections under ECPA...There are also no clear standards under that law for how and under what circumstances the government can access cell phone or other mobile location information when investigating crime or national security matters."
Full Story

DATA PROTECTION—U.S.

In Testimony, FTC Supports Security, Notification Measures (September 23, 2010)

In testimony before a senate subcommittee yesterday, the Federal Trade Commission's (FTC) associate director for privacy and identity protection said the commission supports proposed legislation that would require companies to use reasonable data security policies and to notify consumers when there is a security breach. According to an FTC press release, Maneesha Mithal told the Consumer Protection, Product Safety and Insurance Subcommittee that "The commission believes that notification in appropriate circumstances can be beneficial." The testimony also suggests three measures to be included in the proposed legislation, including one to grant the agency rulemaking authority to "determine circumstances under which providing free credit reports or credit monitoring may not be warranted."
Full Story

ONLINE PRIVACY—CZECH REPUBLIC

Gov’t: No Street View, Cites Privacy Concerns (September 23, 2010)

Igor Nemec, head of the Czech Office for Personal Data Protection, said Wednesday that privacy concerns led to the decision to reject Google's request to expand its Street View online mapping service. Nemec said the Street View cameras were positioned too high and could see over fences and into people's homes and that, while gathering the data, Google uses technology that "disproportionately invades citizens' privacy," reports the Associated Press. Google said it takes people's privacy into consideration when positioning cameras and that it will remove any disputed images. The company will not collect more data in the region until the problem is resolved.
Full Story

PERSONAL PRIVACY

Contributing to the Digital Universe (September 23, 2010)

"In your daily life, there are dozens of ways you transmit personal information--without ever logging on to a computer," writes Jason Magder for The Montreal Gazette. Madger notes that the information acquired daily by digital television boxes, RFID chips, vehicle GPS systems, loyalty cards, credit card companies and others, amasses "digital shadows." These digital shadows make up about 70 percent of the "digital universe," according to technology consulting firm IDC's annual study measuring the size of that universe. "It's startling now how much information people can collect about you if they know how to use the right online databases and search engines," said Colin McKay of the Office of the Privacy Commissioner of Canada.
Full Story

HEALTHCARE PRIVACY—CANADA

Vet’s Records Accessed by Government Officials (September 23, 2010)

Sean Bruyea, a Canadian Forces veteran and long-time veterans' rights activist, discovered that at least 614 people have accessed his personal records a total of 4,131 times, reports the Toronto Sun. Records Bruyea made public this week show that government officials discussed his medical records in several e-mails, and a 13-page briefing to former Veterans Affairs Minister Greg Thompson outlined Bruyea's psychiatric conditions. According to the report, Privacy Commissioner Jennifer Stoddart has been investigating the breach for more than a year and has expressed concern over the allegations. Prime Minister Stephen Harper has pledged to cooperate with Commissioner Stoddart's investigation, calling the breach "unacceptable."
Full Story

PRIVACY

Survival of the Fittest 2.0 (September 23, 2010)

Bob Garfield says that our culture is defining privacy down. "Exhibitionism is no longer considered a peccadillo," says Garfield, former Advertising Age columnist and co-host of NPR's "On the Media" program. "On the contrary, it is an industry." Garfield discusses the commoditization of privacy and the concept of Listenomics in this interview from the September issue of the IAPP's Inside 1to1: Privacy newsletter. Garfield will deliver a keynote address at next week's Privacy Academy. (Registration for the Privacy Academy closes at 8 p.m. EDT today. Onsite registration will be available.)
Full Story

PRIVACY

Privacy Prime Time (September 23, 2010)

The New York Times reports on Google CEO Eric Schmidt's appearance on "The Colbert Report" Tuesday night to answer host Stephen Colbert's questions about privacy and a comment Schmidt once made about user anonymity. Schmidt told Colbert that Google does see users' online searches but forgets them "after a little while," and said his recent statement that users should change their names to achieve online anonymity was a joke, which Colbert said was "too hip for the room." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—CANADA

Stoddart: Facebook Changes Are Satisfactory (September 22, 2010)

Privacy Commissioner Jennifer Stoddart today announced that the issues prompting her yearlong investigation of Facebook have been resolved to her satisfaction. "Overall, Facebook has implemented the changes it promised following our investigation," Stoddart said.

TRAVELERS’ PRIVACY

EU: Limit Passenger Data Shared With Other Countries (September 22, 2010)

The European Commission is focused on strengthening privacy rules for the sharing of air travelers' personal information with the U.S., Australia and Canada, EUobserver reports, and to limit the use of such data "exclusively to fight terrorism and serious transnational crime." New agreements are set to be negotiated with the three countries to replace those that have been deemed to lack appropriate privacy safeguards by the European Parliament. "PNR transfers have been going on for 60 years," said European Commissioner Cecilia Malmström, noting, "carriers are obliged to do it, otherwise they can't land. But we want legal clarity for passengers and to embed it with as many data protection provisions as possible."
Full Story

ONLINE PRIVACY—U.S.

Flash Cookie Lawsuits Could Spur Courts’ Rethink (September 22, 2010)

Media Post reports on the recently filed lawsuits against companies alleged to have used Flash cookies to recreate HTTP cookies deleted by users. "Whether the litigation will pose a legal risk...remains to be seen," the report states, suggesting that courts' decisions on cookie lawsuits back in 2001 and 2003 may not portend similar outcomes now--seven years and many technological developments later. "Given the fast-evolving landscape," writes Wendy Davis, "judges today won't necessarily agree with the conclusions that seemed reasonable to courts in 2001." Perhaps more important, adds Davis, are recent allegations that companies are circumventing users' privacy settings by "recreating cookies even when people have opted out of tracking." Editor's note: Hear more from Wendy Davis during the "Online Behavioral Advertising: Business Models, Technology and Legal Issues in Q3 2010 and Beyond" preconference session at the Privacy Academy.
Full Story

ONLINE PRIVACY—GERMANY

New Privacy Rules To Be Introduced (September 22, 2010)

Germany plans to introduce a new privacy code this December to balance privacy concerns with online services, The Wall Street Journal reports, and has asked Internet firms to submit suggestions for self-regulation. "I expect the services to commit to strong privacy rules," said Interior Minister Thomas de Maizière. The announcement follows recent controversy around the introduction of street-level mapping applications such as Google's Street View, the report states. A Google spokeswoman has said the company is looking forward to taking part in "constructive conversations" about the issues, and that, "Any future legislation must make sure that in addition to the requirements of data protection, the development of innovative business opportunities and modern technology are allowed to flourish." (Registration may be required to access this story.)
Full Story

PRIVACY—CANADA

Canada Joins Global Enforcement Arrangement (September 22, 2010)

Canada today announced it has joined the Global Privacy Enforcement Network (GPEN), a group established to facilitate cooperation across national borders. The GPEN aims to provide cross-border points of contact, bilateral investigations and enforcement cooperation among privacy authorities. Canada joins 12 other entities, including the U.S. Federal Trade Commission, that are involved in the network, which was launched in March. "I am very pleased to be a part of this initiative," Privacy Commissioner Jennifer Stoddart said. "My office has seen dramatic growth in issues and investigations dealing with the online world and multinational companies, and we recognize that increased cooperation with our international colleagues is critical to our future success."
Full Story

PRIVACY LAW—U.S.

Maine Court Issues Opinion on Hannaford Suit (September 22, 2010)

The Sun Journal reports that the Maine Supreme Judicial Court may have put an end to a lawsuit customers filed against Hannaford Bros. seeking damages related to its 2007-2008 data breach. In response to a request for review by the U.S. District Court in Portland, Justice Joseph Jabar said that spending time and effort "alone does not represent a cognizable injury recoverable in implied contract." Twenty-one customers of the supermarket chain filed the suit in 2008. Should the federal judge dismiss the case, the plaintiffs could appeal to the U.S. Court of Appeals for the First Circuit in Boston.
Full Story

PRIVACY LAW

Abrams: The Answer is Accountability on the Ground (September 22, 2010)

Accountability-based privacy governance is the next generation of privacy law. That's according to Martin Abrams, senior policy advisor at Hunton & Williams LLP. In this Daily Dashboard exclusive, Abrams discusses the likelihood that both regulators and organizations will move towards accountability-based privacy programs.
Full Story

ONLINE PRIVACY—U.S.

Cookie Concerns Spark Class-Action Suits (September 21, 2010)

About a half dozen lawsuits have been filed in U.S. District Court over the past two months against companies that create advertising technology, alleging they violated federal law by creating tools that "essentially hack into users' machines without their knowledge," The Wall Street Journal reports.

GEO PRIVACY—GERMANY

Gov’t: Create New Guidelines or Face Regulation (September 21, 2010)

Germany's government has informed the companies behind online mapping services that they must come up with their own guidelines on data protection by December or face new regulations, AFP reports. "We need a charter guarding private geographical data and we need it drafted...by December 7," Interior Minister Thomas de Maiziere said after a five-hour meeting between German officials and Internet executives, adding, "A charter could, and I mean could, make regulation superfluous." The meeting between de Maiziere, federal justice and consumer protection ministers, data protection authorities and managers from firms specializing in online mapping was called following a recent outcry over Google's plans to launch its Street View mapping service in 20 German cities.
Full Story

DATA PROTECTION

How Will Privacy Apply to Apps? (September 21, 2010)

End-user software for mobile phones, or "apps," are on their way to becoming more popular than the Internet itself, some predict. Developed by teenage amateurs and billion-dollar companies alike, apps are capable of performing limitless tasks, from computing billing services to monitoring health information to forecasting the weather. But privacy advocates say apps come with risks to consumer privacy, as the data they solicit for use is managed by those who may or may not have experience in data protection or knowledge of privacy law. Some are calling for industry to get ahead of those risks, while others say the app developers themselves must take responsibility.
Full Story

DATA THEFT—U.S.

Prison Sentence for Buyer of Breach Data (September 21, 2010)

A man who purchased on the black market data stolen in the Hannaford Bros. 2007-2008 breach has been sentenced to prison. The Orange County Register reports that the man pleaded guilty last week to conspiracy to commit access card fraud and trafficking and possessing access card materials. He received a sentence of seven years and eight months in jail and was ordered to pay $33,475 in restitution to Discover Card Financial Services. According to prosecutors, the man purchased the data online and encoded it onto magnetic strips which he then affixed to fake Discover cards. A co-defendant also pleaded guilty to similar but lesser charges and was sentenced to three years formal probation and one year in jail.
Full Story

HEALTHCARE PRIVACY

Adler: Follow the Data (September 21, 2010)

In a Daily Dashboard exclusive interview, UnitedHealth Group's Chief Privacy Officer M. Peter Adler, CIPP, talks about the complexities of managing protected health data in today's digital world. Discussing how to choose the best model of data governance, Adler says data stewards need to "follow the data and see where it comes from, where it's created, how it flows in your organization, how it's used and how it leaves your organization...You need to look at your specific needs and mix and match the tools to fit your organization."
Full Story

DATA LOSS—U.S.

Rice University Notifying 7,000 (September 21, 2010)

Joining a growing list of universities that have experienced a data breach, Rice University is notifying more than 7,000 students and employees that their personal information was exposed when a portable storage device containing student and employee names, addresses, birth dates, salaries, emergency contact information and, in some cases, Social Security numbers was stolen in August. eSecurity Planet reports that university officials and local police are investigating the theft. The university has apologized and offered free credit monitoring services to those affected. Officials are reviewing the school's security procedures, according to the report.  
Full Story

SSN PRIVACY—U.S.

IRS Still Using SSNs (September 21, 2010)

The Internal Revenue Service (IRS) has not eliminated using Social Security numbers (SSNs) from the majority of its computer systems and documents because they still associate correspondence and documents with taxpayer accounts, NextGov reports. The IRS submitted a plan to eliminate and reduce its SSN use in 2008, but the Treasury Department's inspector general for tax administration says it has only done so in a "small number of systems, notices and forms." Meanwhile, the agency recently received funding for a new initiative to replace SSNs on notices with 2-D bar codes, allowing taxpayer data to be encoded, the report states.
Full Story

BIOMETRICS—INDIA

Unique ID Project Draws Criticism (September 21, 2010)

The government of India is undertaking a project to create a citizen database and give a unique identification number to each citizen, Top News Singapore reports. The project will be rolled out within the next four weeks, according to the chairman of the Unique Identification Authority of India, and will be based on biometrics and usable anywhere in the country. But critics say the project violates privacy, doesn't have the proper oversight or legal framework and could expose citizens to data theft and abuse.
Full Story

BIOMETRICS

Biometrics Industry Hampered by Privacy Concerns (September 21, 2010)

The Wall Street Journal reports on the biometrics industry and the privacy concerns that may be slowing its growth. Sales of technologies for fingerprinting and iris and body scanning were expected to increase significantly after September 11, 2001 in the name of security, but those expectations have since been tempered. The industry's potential will partly depend on winning over people who worry about invasions of privacy, the report states. A spokesman from the American Civil Liberties Union said criminals could access fingerprint databases and misuse that personal data, for example. (Registration may be required to access this story.)
Full Story

HEALTHCARE PRIVACY—U.S.

Health Breaches Must Be Reported in Five Days (September 21, 2010)

HealthLeaders Media reports on the new Connecticut requirement that insurers and their agents inform the state insurance commissioner within five calendar days of discovering a breach. The requirement is stricter than California's five-working-days policy, which is considered the toughest in the nation, the report states. A spokesperson for the Connecticut Insurance Department said the notification requirement is in response to "some recent data breaches which were not reported in what we believe to be a timely manner."
Full Story

ONLINE PRIVACY

Cookies Slip Through Loophole (September 20, 2010)

The New York Times reports on the results of a Carnegie Mellon University (CMU) study that reveal that "large numbers of Web sites...appear to be using a loophole that circumvents Internet Explorer's ability to block cookies."

CHILDREN’S PRIVACY—U.S.

Investigation: Kids Are Prime Targets of Web Tracking (September 20, 2010)

The Wall Street Journal reports that in its recent investigation into online privacy, it found that children are targeted for tracking on the Web more than adults. According to the report, "popular children's Web sites install more tracking technologies on personal computers than do the top Web sites aimed at adults," with 50 popular sites aimed at children and teens installing well over 4,000 pieces of tracking technology on the newspaper's test computer. Although the companies say the information they collect is anonymous and used to deliver targeted ads, the report notes that their privacy practices vary widely and regulations are limited. "We need clearer explanations of what's happening to their data online, that they can understand--not the kind of legalese in a privacy policy that basically obscures what's really going on," said American University Prof. Kathryn C. Montgomery. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

Commissioner: Middle Ground Needed (September 20, 2010)

European Commissioner Neelie Kroes, who is overseeing the drafting of new Internet rules to be proposed this fall, was among those taking part in a debate sponsored by the Interactive Advertising Bureau, The Wall Street Journal reports. When it comes to the practice of online firms collecting user data to better target advertising, she suggested, "We need a user-friendly solution, possibly based on browser settings...Obviously we want to avoid solutions which would have a negative impact on the user experience." She also spoke of the importance of the industry adopting key principles of self-regulation to improve trust among users. Industry leaders in the audience promised rigorous self-regulation, the report states. (Registration may be required to access this story.)
Full Story

PRIVACY

Wolf Examines the Politics of Privacy (September 20, 2010)

Christopher Wolf of the Future of Privacy Forum begins his feature for Israel's Haaretz Newspaper discussing the past harms that have come from personal information landing in the wrong hands, writing of the tragedy of the Holocaust and its influence on EU data protection and the EU's view that the U.S., despite laws and regulations intended to protect privacy, still lacks "adequate protection" for personal data. By contrast, he writes, Israel has earned the recognition of the EU's Article 29 Working Party, continuing on to question the recent block of EU data transfers to Israel by Ireland. "International cooperation to promote privacy, which is essential in our information society, used to be fairly immune to politics," he writes, suggesting, "In the end, privacy is too important to be politicized."
Full Story

ONLINE PRIVACY—EUROPE

Businesses Attempt To Address EU Cloud Concerns (September 20, 2010)

The move to cloud computing is facing obstacles in Europe, where the definition of personal data is much broader than in other parts of the world, The New York Times reports. "European governments fear that personal information could fall prey to aggressive marketers and cybercriminals once it leaves the jurisdictions of individual members," the report states, noting that the EU's strict privacy laws place "rigid limits on the movement of information" outside of its 27 member countries. Some U.S. businesses, however, are developing new methods to make cloud computing work within Europe's complicated legal landscape, including new forms of encryption and ways to let individuals choose the degree of privacy on each part of their personal information in the cloud. (Registration may be required to access this story.)
Full Story

BEHAVIORAL TARGETING

OBA: A Look Forward (September 20, 2010)

D. Reed Freeman, CIPP, of Morrison & Foerster LLP, shares some insights on the future of online behavioral advertising in this Daily Dashboard Q&A. Freeman will moderate the upcoming Privacy Academy preconference session "Online Behavioral Advertising: Business Models, Technology and Legal Issues in Q3 2010 and Beyond" with panelists Gil Beyda of Genacast Ventures, Wendy Davis of Online Media Daily, Stuart Ingis of Venable LLP, Karin Retzer of Morrison & Foerster LLP and Joe Wilson of Turner Broadcasting System, Inc. Freeman said this session will offer "a 360-degree view of tracking technologies from regulations to practical applications."
Full Story

DATA PROTECTION—GERMANY

Politicians Call for Data Protection Laws (September 20, 2010)

German politicians today called for data protection regulations ahead of a summit in Berlin on issues such as geotagging and online mapping services, The Local reports. One justice minister said the government must conduct talks with Internet service providers to determine how they gather user data "to define exactly what personal data is and which details should not be used." Justice Minister Sabine Leutheusser-Schnarrenberger added she hopes to see laws created to protect user anonymity. Germany's consumer affairs minister agreed that new data protection laws are needed, and German Data Protection Commissioner Peter Schaar said it's important that the summit yields results and not just discussion. "There must also be conclusions," he said.
Full Story

PRIVACY

TPP Seeking Research Grant Proposals (September 20, 2010)

The Privacy Projects (TPP) has announced that its Winter 2010 Research Grants competition proposals are due October 29, with awards ranging from $25,000 to $100,000 per project. According to TPP, the goal of the grant program is to "advance practical and effective research relating to information and privacy governance to inform the transition we believe is underway from traditional regulatory models to emerging frameworks of demonstrated accountability and responsibility." The TPP Board of Directors is encouraging grant applicants to submit proposals addressing such areas of emphasis as legislative reforms, organizational data governance programs and consumer privacy compliance. Questions on the program may be e-mailed to TPP.
Full Story

DATA PROTECTION—U.S.

FDIC: Protect Copy and Fax Machine Data (September 20, 2010)

Bank Info Security reports on the risks office machines pose due to the data they store on their hard drives. The Federal Deposit Insurance Corporation has issued guidance on how to mitigate the risk of the machines' data falling into the wrong hands, including changing default passwords and adding security by encrypting information, which some manufacturers offer as an addition. Organizations would also be wise to create written policies on the handling and disposal of copies, faxes, printed material and stored data, the report states. The penalty for a breach could cost organizations up to $100,000 and individuals up to $10,000.  
Full Story

HEALTHCARE PRIVACY—U.S.

Lawsuit Filed for Security Breach (September 20, 2010)

An applicant for Anthem Blue Cross health insurance has filed a lawsuit claiming the company failed to protect his personal information when it was hacked earlier this year, reports the Los Angeles Times. The breach occurred when lawyers involved in another lawsuit against Anthem allegedly accessed Patrick Magorien and other applicants' protected information. Magorien's suit claims his Social Security number, address and credit card numbers were accessed and seeks class action status, says the report. Anthem has not commented on the case, but in a statement, it said it "is committed to protecting the privacy and security of our members' and applicants' personal information, in accordance with all applicable laws and regulations."
Full Story

PRIVACY—GERMANY & U.S.

A Private-Public Balancing Act (September 17, 2010)

Jeff Jarvis writes in The Faster Times on comments at a recent event in Berlin, Germany, where Schleswig-Holstein Data Protection and Privacy Commissioner Thilo Weichert continued a trend that began earlier this summer of calling out nations and industry on privacy concerns. Weichert, who previously called for the European Commission to walk away from the U.S. safe harbor principles, is quoted as saying that those who are "stupid enough" to use Google "don't deserve any better." Jarvis writes that while Weichert suggests privacy should be the default, there is merit to "publicness" and a "balancing discussion" is what is needed "so people know they have a choice and protect that choice."
Full Story

PRIVACY LAW—U.S.

Software Company To Pay $100,000 for Breach (September 17, 2010)

New York's Attorney General has reached a settlement with the manufacturer of software that allows parents to monitor their children's activity on the Web, following a complaint to the Federal Trade Commission last year that the company was collecting and selling data about the children being monitored, MediaPost reports.

PRIVACY LAW—U.S.

IAB Expected To Launch Certification Program on Monday (September 17, 2010)

The Interactive Advertising Bureau (IAB) is expected to launch a program on Monday that will certify that online companies comply with self-regulatory guidelines, MediaPost News reports. It is expected that the start-up Better Advertising will be tapped to assist in monitoring compliance, the report states. In addition, the icon designed last year to help Web users identify when ads are being served to them based on their browsing history is expected to undergo modifications before the online ad industry begins using it. The original "power i" icon was deemed too similar to other images.
Full Story

ONLINE PRIVACY—U.S.

Lawsuit: Advertiser Evaded Cookie Controls (September 17, 2010)

A class-action lawsuit has been filed against Ringleader Digital, alleging the company tracks Internet users even after they delete cookies, OUT-LAW.COM reports. The suit claims that the company uses an HTML5 feature to place a "Media Stamp" on mobile devices to allow the tracking of users' Web activities without their knowledge or consent. "When a mobile Web site that uses Media Stamp is accessed, Ringleader's own databases collect information from the mobile device," the lawsuit states, assigning each device a unique number that is then stored by the company. The suit claims the company has violated both the U.S. Computer Fraud and Abuse Act and California's Computer Crime law. A Ringleader spokesman has said the company will "defend its practices vigorously."
Full Story

PRIVACY LAW—UK

Opinion: Gov’t Needs To Clarify Cookie Law (September 17, 2010)

The government has "let businesses down" by failing to clarify an EU directive on cookies that has privacy regulators and advertisers at an impasse and Web publishers "languishing in the middle, unsure whether their advertising is lawful or not," according to an opinion piece in OUT-LAW.COM. The report states that UK officials failed to provide much-needed clarity by writing the "confusion into UK law, word for word." The article suggests that the EU law is bad for business and consumers since it adds "confusion without improving privacy in any meaningful way...Regurgitating the directive's wording, without any further guidance, is not helpful."
Full Story

HEALTHCARE PRIVACY—U.S.

Privacy Rights of the Deceased Could Change (September 17, 2010)

The Center for Democracy & Technology (CDT) reports on a Department of Health and Human Services proposal to remove health information privacy protections for people who have been dead for 50 years. Currently, the law requires companies to contact the deceased's relatives before using their medical data, but the proposed rule argues that it's difficult to locate relatives for authorization and that waiting 50 years would protect the privacy of the deceased and their families. The CDT, however, disagrees. It argues that patients already withhold embarrassing conditions from doctors and will likely withhold information they believe may be detrimental to their legacies and could affect the privacy of their offspring. Meanwhile, some researchers are arguing that medical research on mummies invades their privacy because it does not allow for patient consent.
Full Story

STUDENT PRIVACY—U.S.

Tracking Systems in Almost Every State (September 17, 2010)

The U.S. State Higher Education Executive Officers (SHEEO) have found that 44 states and the District of Columbia have student record systems in place collecting demographic and postsecondary enrollment data, AACRAO reports, with 39 states linking, sharing or exchanging data with other entities. Meanwhile, educators are opposing the collection of student Social Security numbers required by the Maine Department of Education. While schools are required to collect the information, some school officials are urging parents to exercise their option of not providing the data. When it comes to databases of student information, many advocates are concerned about the privacy implications and potential future uses of such repositories of personal information, the report states.
Full Story

HEALTHCARE PRIVACY—U.S.

HHS Receives Thousands of Pages of Comments (September 17, 2010)

The comment period for proposed changes to the HIPAA privacy, security and enforcement rules ended on Monday and, according to a GovInfoSecurity report, the Department of Health and Human Services (HHS) received thousands of pages of comments from hundreds of organizations. Those who commented highlighted concerns about the cost associated with allowing patients to restrict who sees their medical information and the provision requiring covered entities to modify their business associate agreements to reflect the latest modifications, the report states. Some requested more guidance on the risk assessment requirement and many asked for the 180-day compliance deadline to be extended.
Full Story

PRIVACY

Anderson: “Profound Benefits” Spur Interest in PbD (September 17, 2010)

The concept of privacy by design is gaining traction. Last week, the Information and Privacy Commissioner of Ontario announced a lineup of Privacy by Design Ambassadors that includes the likes of European Data Protection Supervisor Peter Hustinx, New Zealand Privacy Commissioner Marie Shroff and many other leading minds from industry, academia and government. Privacy by design expert Ken Anderson attributes the traction to the fact that "the benefits of privacy by design are so profound." In this Q&A, the Daily Dashboard speaks with Anderson, of the Information and Privacy Commissioner's Office of Ontario. He discusses who should be paying attention to the principles of privacy by design and why.
Full Story

DATA PROTECTION—UK

Expert: Keep IT Close By (September 17, 2010)

The challenge of a data breach could lead to decisions having to be made in only 30 minutes in order to keep an audit committee at bay. That's according to Jonathan Armstrong, a partner at Duane Morris, who said at a security conference in London that it's important to keep IT and compliance people on a tight lead, SC Magazine reports. Armstrong predicts the future of data breaches will see more private actions, a greater degree of trust, more globalization and more use of a "moral compass" for third parties involved in breaches, the report states.
Full Story

DATA PROTECTION—UK

Data Loss Insurance Policies on the Rise (September 16, 2010)

Organizations are increasingly looking at insurance to augment their data security systems, according to a new survey, though UK companies do not plan to increase spending on such systems as quickly as other countries.

PRIVACY LAW—U.S.

Expert: Privacy Bills Unlikely To Pass This Year (September 16, 2010)

Christopher Wolf, co-chair of the Future of Privacy Forum, is among those who suspect that online privacy bills currently pending in the U.S. Congress are unlikely to pass before the year is out, Forbes reports. However, Wolf believes businesses know that legislators are paying close attention and are reforming their practices, the report states. "Privacy isn't just a legal compliance obligation," he said. "It's good business...It's becoming less defensive than it is a feature that consumers will find attractive if they're dealing with a company that highlights their privacy practices." Wolf said that it "may be too early to give up on innovation and self-regulation," but he also stressed that, "It doesn't matter where your data is. It ought to be protected."
Full Story

ONLINE PRIVACY

Web’s Creator: Mobile Devices Require Privacy Rethink (September 16, 2010)

The Internet's creator believes that mobile devices will continue to evolve and pose new privacy challenges, Sarah Perez notes in a report for ReadWriteWeb. Speaking at a conference on Wednesday, Sir Tim Berners-Lee shared concerns around the development of mobile technologies, noting that geolocation features are the "tip of the iceberg," and such devices may eventually be able to monitor everything from where users are to how they feel. "The problem that has not been worked out yet is how to allow a user to share their location while still making it easy for them to understand when they're sharing critical information, how much control they have over that information and who can access that data," Perez writes.
Full Story

HEALTHCARE PRIVACY—U.S.

Surgical Tech Indicted for Selling Data (September 16, 2010)

A former hospital worker has been indicted on charges that he sold patient data, reports the Pittsburgh Tribune-Review. A federal grand jury indicted Paul C. Pepala yesterday. He is accused of selling the names, dates of birth and Social Security numbers of UPMC Shadyside patients in violation of federal health privacy laws and the Social Security Act, the report states.
Full Story

PRIVACY LAW—U.S.

Paper Argues IP Addresses Are PII (September 16, 2010)

In a paper published in the DePaul Law Review, Joshua J. McIntyre writes about the potential to use IP addresses to "expose the individuals behind the computers." His paper, entitled "The Number is Me: Why Internet Protocol (IP) Addresses Should Be Protected as Personally Identifiable Information," explores various definitions of PII, concluding that IP addresses are "functionally similar" to other types of PII and should be similarly protected by law. According to the paper's abstract, "While various federal statutes protect similar data, such as telephone numbers and mailing addresses, as Personally Identifiable Information, federal privacy law does not sufficiently protect IP addresses."
Full Story

HEALTHCARE PRIVACY—UK

NHS Employee Pleads Guilty to Viewing Files (September 16, 2010)

An NHS IT manager has admitted to illegally accessing the medical records of patients, including his friends and family, This is Hull and East Riding reports. The 22-year-old male pleaded guilty to seven counts of breaching the Computer Misuse Act 1990 for accessing the files 431 times without authority, the report states. He will be sentenced next month. A spokesman for NHS Hull called the defendant's actions a serious breach of trust. "We welcome the fact a successful criminal prosecution has been brought and that a custodial sentence is being considered. It sends out a powerful message to NHS staff and the healthcare community about the importance of data protection."
Full Story

DATA PROTECTION—U.S.

GAO: Gov’t Contractors Have Inappropriate Access (September 16, 2010)

A report released last week by the Government Accountability Office (GAO) says that some government agencies have given contractors inappropriate access to and have not appropriately safeguarded sensitive materials, reports Security Director News. The report "Contractor Integrity: Stronger Safeguards Needed for Contractor Access to Sensitive Information" focused on the Departments of Defense, Homeland Security and Health and Human Services between May 2009 and September 2010 and found that nearly half the contracts the GAO reviewed did not protect "all relevant types of sensitive information that contractors may have had access to through the program offices they support." According to a NextGov report, the GAO recommends that the White House instruct agencies to require vendors to sign nondisclosure agreements.
Full Story

ONLINE PRIVACY

Site Engineer Fired for Accessing Accounts (September 15, 2010)

A Google site reliability engineer has been fired for violating the company's privacy rules for allegedly improperly accessing accounts belonging to several teenagers, PCWorld reports. Site reliability engineers have access to databases that contain e-mails, chat logs and other files that belong to Google users, the report states. "We dismissed David Barksdale for breaking Google's strict internal privacy policies," Google Senior Vice President Bill Coughran said in a statement, noting, "We carefully control the number of employees who have access to our systems, and we regularly upgrade our security controls...That said, a limited number of people will always need to access these systems if we are to operate them properly--which is why we take any breach so seriously."
Full Story

DATA PROTECTION—U.S.

Survey: Data Security Spending To “Skyrocket” (September 15, 2010)

A recent global poll shows that corporate spending on data security will increase sharply, ComputerWeekly reports. That's because the number of companies reporting losses due to data breaches is up six percent from last year, the highest proportion to forecast an increase in the last five years, according to the PricewaterhouseCoopers (PwC) survey. More than half of respondents said their companies plan to increase spending on security technologies. But a PwC spokesman said technology isn't always the problem. "Technical solutions are too frequently being prescribed for people problems," he said.
Full Story

ONLINE PRIVACY

What Should Be Forgotten, Protected? (September 15, 2010)

Privacy was one of the key policy issues discussed at the UN-sponsored Internet Governance Forum held in Lithuania this week. Larry Magid writes in The Mercury News on the event's panel on the future of privacy, the "right to be forgotten" and the discussion of whether personal information should have an expiration date. The report also looks at what Magid describes as the dichotomy in U.S. law that assigns a higher level of privacy protection to data stored on a home or office computer than to data stored on any type of Internet-based system such as Web mail. "The 'cloud' is, for all practical purposes, an extension of your desktop computer," he writes, "so providing the government with easier access to cloud data than data stored on personal hard drives makes no sense."
Full Story

PRIVACY LAW—U.S.

Judge: No Privacy for ISP Subscribers (September 15, 2010)

In a case aimed at those who download movies from peer-to-peer networks, U.S. District Court Judge Rosemary Collyer has ruled that ISP subscribers have no "cognizable claim of privacy in their subscriber information," MediaPost reports. In making that determination, Collyer noted that users "already have conveyed such information to their Internet service providers." Some legal scholars, meanwhile, maintain that IP addresses should be protected as PII. Collyer's rationale also contradicts another court's ruling, the report states, referencing a two-year-old decision by the New Jersey Supreme Court "that citizens have a reasonable expectation of privacy...in the subscriber information they provide to Internet service providers--just as New Jersey citizens have a privacy interest in their bank records stored by banks and telephone billing records kept by companies."
Full Story

ONLINE PRIVACY—CZECH REPUBLIC

Authorities Reject Street View Request (September 15, 2010)

For a second time, the Czech Office for Personal Data Protection (UOOU) has rejected Google's request to collect information necessary to complete the photo imaging for its Street View mapping service. Reuters reports that UOOU spokeswoman Hana Stepankova said the ruling doesn't ban Google from using photos it has already taken, and that if the company can ensure that the process can be done legally, the office may consider reversing its decision. While Google can publish only blurred images of individuals in the Czech Republic, the parties have not resolved whether it can include non-blurred images of car license tags and building facades, reports The Wall Street Journal. According to the report, Czech authorities are scheduled to release more information at a press conference on September 22.
Full Story

PRIVACY

Protecting Customer, Employer and Supplier Privacy (September 15, 2010)

Speaking before the CSO Security Standard, GE Chief Privacy Leader and Senior Counsel Nuala O'Connor Kelly, CIPP, began with the question of what privacy is. The answer, NetworkWorld reports, is the right and ability to control how your personal information is used. With issues ranging from the privacy implications of social networking posts by employees to the use of mobile devices for both work and personal activities, companies face significant privacy challenges. "The trick for GE is the same as it is for most organizations--how to achieve security without setting off animosity someone might feel about being violated," the report states, noting O'Connor Kelly believes GE's move to create a partnership between its legal and IT security divisions has made a significant difference.
Full Story

DATA LOSS—U.S.

College Alerts 7,000 of Data Breach (September 15, 2010)

School officials at City College of New York are alerting more than 7,000 students that their personal information may have been compromised after a school laptop was stolen last month, eSecurity Planet reports. The laptop was password-protected but not encrypted, and it included Social Security numbers. There has been no evidence to suggest the information has been used improperly, according to school officials, who added that the school is reviewing its security procedures and has established a hotline for students to ask questions about protecting their information. The breach follows similar breaches at universities across the U.S., including one this summer at Iowa's Buena Vista University, which affected 93,000 students and one at the University of Connecticut, which affected 10,000.
Full Story

PRIVACY

Researchers to Create a Privacy Dictionary (September 15, 2010)

Researchers at four universities in the UK are working to create an automated privacy dictionary to assist researchers studying privacy. Disputes on what criteria belong to the concept of "privacy" have hampered research thus far, according to the paper's abstract. "The lack of a clear definition or consensus on privacy, along with the need to avoid priming questions, suggests that without methodological tools that help capture a nuanced and broad perspective on privacy, privacy-related content may end up being ignored in favor of more easily coded themes," the report states.
Full Story

ONLINE PRIVACY

Researchers: Promises Fall Short in Compact Policies (September 14, 2010)

The longtime tenets of know-say-do have been incorporated into the development of many privacy policies. According to the findings of a recent Carnegie Mellon University study, when it comes to the compact policies (CPs) created for the Platform for Privacy Preferences (P3P) protocol, industry may be falling short of doing what it says it is doing.

PERSONAL PRIVACY

Do Egyptian Mummies Have Privacy Rights? (September 14, 2010)

The assumption that ancient corpses are fair game for science is beginning to be challenged, NewScientist reports. The strict ethical guidelines that apply to human research don't extend to Egyptian mummies, which disturbs anatomist Frank Rühli and ethicist Ina Kaufmann of the University of Zurich, who say such research produces personal information including family history and medical conditions and doesn't allow for patient consent, the report states. The rights of the deceased individual must be considered and weighed against the knowledge attained by the research, Rühli says. Some regions classify such information as personal. In New Zealand, information about how someone died is considered personal data, and in the European Union, information about the deceased is considered personal if it can reveal something about living descendants.
Full Story

PRIVACY LAW—U.S.

EPIC Sues for NSA-Google Info (September 14, 2010)

The Electronic Privacy Information Center (EPIC) has filed a lawsuit to require the National Security Agency (NSA) to divulge information about its agreement to help defend Google against foreign cyber attacks, the Los Angeles Times reports. EPIC filed its case on Monday, stating, "As of 2009, Gmail had roughly 146 million monthly users, all of whom would be affected by any relationship between the NSA and Google. In order for the public to make meaningful decisions regarding their personal data and e-mail, it must be aware of the details of that relationship." According to national security expert Richard Clarke, there is probably not a significant privacy concern, "But the easy way for Google and NSA to prove that is by letting an outside group come in and find out."
Full Story

HEALTHCARE PRIVACY—U.S.

AG: Hospital Taking Wrong Approach (September 14, 2010)

Massachusetts Attorney General Martha Coakley is objecting to a hospital's decision not to send notifications to 800,000 individuals who may have been affected by a recent breach, GovInfoSecurity reports. However, the report states, the office has not taken any formal action against South Shore Hospital. The hospital has cited a state law as the basis for its new notification strategy, but the HITECH interim final breach notification rule requires breaches affecting 500 or more to be reported to federal authorities and those affected within 60 days, the report states. Coakley has said the hospital should mail notices about the incident to the patients that were potentially affected, and the office has stated it will "continue to monitor and investigate South Shore Hospital's actions with regards to the data breach and its response."
Full Story

CHILDREN’S PRIVACY—U.S.

Opinion: Location-Based Microchips Put Kids at Risk (September 14, 2010)

A San Francisco Chronicle editorial says a child tracking initiative that uses microchips to take attendance has created "very real privacy and safety concerns." One county's Head Start program is complying with federal requirements that it take attendance every hour using the Child Location, Observation and Utilization Data System (CLOUDS), which outfits the children in jerseys embedded with electronic locator chips. But school officials aren't the only ones capable of picking up the chips' signals; research has shown that informed criminals, for example, can trace the signals, too. "This isn't the right solution," the report states. "The privacy and safety of these very young children must outweigh the inconvenience of their teachers."
Full Story

HEALTHCARE PRIVACY—U.S.

Police Want Prescription Database Access (September 14, 2010)

The North Carolina Sheriffs' Association has asked for access to a state prescription drug database, and the Greensboro News & Record reports that has people worried about "local law enforcement looking over who is prescribed what, without warning or a warrant." Since 2007, the report states, NC pharmacists have been required to report the filling of prescriptions for controlled substances scheduled by the Drug Enforcement Agency to a Department of Health and Human Services database. "If law enforcement wants access to that kind of private information, they should have to go get a warrant," said Sarah Preston of the NC ACLU. The State Bureau of Investigation can already access the database in drug investigations, the report states, and privacy advocates are concerned about any expansion.
Full Story

PRIVACY LAW—SWITZERLAND

Court: Illegal File Sharers’ IP Addresses Private (September 13, 2010)

The Register reports on a Swiss Federal Court ruling that the collection of illegal file sharers' IP addresses is a violation of the law. The ruling backs Switzerland's data protection commissioner's assertion that Logistep's collection of sharers' IP addresses violates the country's data protection act.

ONLINE PRIVACY

Cookie Questions Persist (September 13, 2010)

The Wall Street Journal recently asked for questions from readers on technology and privacy, and a key question on many readers' minds, the report states, is, "Does deleting cookies force trackers to start over, or do they just pick up where they left off, combining the new with the old?" Jules Polonetsky, CIPP, of the Future of Privacy Forum explained that when consumers delete all cookies and later enable them, tracking companies generally can't associate the data from the newly enabled ones with the old ones. "You deleted that number that the advertising company or Web site recognizes you by," he said, explaining that when users return, "they will assign you a new number and generally are not going to have a link between the new and the old." (Registration may be required to access this story.)
Full Story

SOCIAL NETWORKING—U.S.

Postings Lead to Thefts (September 13, 2010)

WMUR reports that three men have been charged with burglary for allegedly breaking into homes that they knew were vacant because of the home owners' social networking posts. About 50 Nashua, NH, homes were robbed in August. Police believe that at least 18 of these cases are now solved and that the suspects are likely linked to more. Capt. Ron Dickerson of the Nashua, NH, police department warns, "Be careful of what you post on these social networking sites. We know for a fact that some of these players, some of these criminals, were looking on these sites and identifying their targets through these social networking sites."
Full Story

PRIVACY—GERMANY

Germans Gather to Protest Government Database (September 13, 2010)

Some 7,500 Germans gathered in Berlin this weekend to express concerns about personal data privacy, AFP reports. The protestors, comprising civic organizations and political parties gathered under the name "Liberty Instead of Fear," denounced a government database that will collect information on wages, taxes and social payments, the report states, as the government and companies increasingly accumulate personal information in large databases. The protest follows strong opposition to Google's Street View mapping service. The company has since given German citizens the opportunity to have images of their homes and businesses pixelated prior to the service's launch online.
Full Story

HEALTHCARE PRIVACY—U.S.

CA Hospital Appeals Breach Fine (September 13, 2010)

A California hospital has appealed a $250,000 fine by the state for a data breach that exposed more than 500 patients' personal information, eSecurityPlanet reports. Stanford University's Lucile Packard Children's Hospital is appealing the $250,000 fine, which was issued by state health officials for an alleged delay in reporting the breach, the report states. The appeal follows last week's announcement that the California Department of Public Health fined the hospital the maximum amount allowed under state law for failing to report a breach of 532 patient medical records due to the theft of a hospital computer.
Full Story

SOCIAL NETWORKING

Facebook Founder Talks Privacy (September 13, 2010)

In a feature published in The New Yorker, Jose Antonio Vargas shares a conversation with Facebook founder Mark Zuckerberg that touched on issues related to privacy. Referencing recent privacy controversies involving the company and its privacy settings, Vargas writes that Zuckerberg told him privacy is the "third-rail issue" online. "A lot of people who are worried about privacy and those kinds of issues will take any minor misstep that we make and turn it into as big a deal as possible," Zuckerberg reportedly said, adding, "We realize that people will probably criticize us for this for a long time, but we just believe that this is the right thing to do."
Full Story

PRIVACY LAW—HONG KONG

Government, Industry Discuss Pending Legislation (September 13, 2010)

The government has expressed its commitment to protecting citizens' personal privacy while not hampering industry at a meeting with representatives from the direct marketing industry, according to a press release. Industry representatives expressed concern about the impact that pending legislative proposals could have and asked the privacy commissioner for personal data to consult stakeholders before issuing new guidelines. They also asked that any guidelines be clearly stated in order to promote compliance. The commissioner's office said it is preparing new guidance on the collection and use of personal data and expects to replace existing guidelines this fall. The government signaled it would increase privacy protections for citizens after a scandal involving the sale of two million payment card customers' personal data.
Full Story

PRIVACY LAW—TURKEY

Privacy Rights Voted In (September 13, 2010)

Turkish voters on Sunday approved 26 amended articles to their constitution, including one that expands privacy rights, Reuters reports. According to the report, 58 percent voted to approve the amendments. Article 20 of the referendum makes individuals' personal information accessible only with the individual's permission or in certain legal circumstances. The changes are being called a step towards full democracy by the government, while the opposition has concerns that the changes take power away from the courts.
Full Story

HEALTHCARE PRIVACY—U.S.

University Hospital Fined $250,000 for Breach (September 10, 2010)

HealthLeaders Media reports that California Department of Public Health (CDPH) officials have fined Lucile Salter Packard Children's Hospital at Stanford University $250,000--the maximum amount allowed under state law--for failing to report a breach of 532 patient medical records due to the theft of a hospital computer.

PRIVACY LAW—U.S.

Internet Industry: Legislation is “i-AWFUL” (September 10, 2010)

Internet industry group NetChoice's latest list of "i-AWFUL" laws is naming online privacy legislation pending before Congress at the top of the legislative proposals that it says could "hamper the growth of e-commerce and the Internet," Tech Daily Dose reports. Legislative proposals by Rep. Rick Boucher (D-VA) and Rep. Bobby Rush (D-IL) are among 10 included on the list. Speaking about the proposals in terms of the businesses of online advertising, NetChoice Executive Director Steve DelBianco said the measures would "constrain one of the few growth industries." The provisions in the proposed legislation cited by NetChoice as of particular concern include providing users with a private right of action, requiring consumer consent before a company can send follow-up e-mails and giving the FTC rulemaking authority.
Full Story

DATA LOSS—U.S.

Hospital: Tapes Gone, No Letters To Be Sent (September 10, 2010)

A Massachusetts hospital has concluded its investigation into the disappearance of backup computer tapes containing the personal information of approximately 800,000 individuals, The Boston Globe reports. "All available evidence indicates that the files are unrecoverable and that there is little to no risk that information on the files has been or could be acquired," the South Shore Hospital said in a statement. Investigators concluded that the tapes were probably sent to a commercial landfill, according to the report. Hospital officials have determined that they will not send notification letters to those potentially affected. That decision has drawn the ire of Mass. Attorney General Martha Coakley.
Full Story

PRIVACY LAW—UK

ICO Warns Estate Agents To Notify (September 10, 2010)

The UK Information Commissioner's Office (ICO) is warning lettings and estate agents of their legal obligation to notify the ICO that they are handling people's personal information. According to an ICO press release, only a small percentage of industry members are registered, despite the Data Protection Act requirement for all organizations handling personal information to register with the watchdog. The ICO has written to professional bodies, urging them to encourage their members to notify. ICO Head of Enforcement Mick Gorrill said, "We want to work with the industry to ensure all property agents meet the legal requirement to notify us." If the encouragement is ignored, said Gorrill, "we will take action against those who flout the law."
Full Story

DATA LOSS

Hotel Systems Hacked (September 10, 2010)

Computerworld reports that HEI Hospitality, the owner of Marriott, Sheraton, Westin and other hotel brands, is the latest in a growing number of operators to announce a breach of its point-of-sale system. HEI sent letters to 3,400 customers informing them that their credit card data may have been compromised when hackers intruded on several of its hotels' payment systems between March and April of this year. According to the report, an HEI spokesman said there is no evidence that any of the exposed data has been misused, and the company is offering affected customers one year of free credit monitoring.
Full Story

PRIVACY

SIA Releases Privacy Framework (September 10, 2010)

The Security Industry Association (SIA) has released its 12-point Privacy Framework to address privacy concerns related to the recording of video, the collection of personally identifiable information and the use of biometrics, RFID and other security technologies. "While security without privacy is possible, privacy without security is impossible," Kathleen Carroll, the chair of the SIA Government Relations Department's State & Local Policy Working Group, said in a press release. The guidelines, she explained, show practical ways to apply responsible privacy protection throughout the security industry. The guidelines include such recommendations as conducting privacy impact assessments, implementing privacy by design principles, adopting a breach notification plan and establishing a retention policy and limiting access to personally identifiable information to those who "need to know."
Full Story

HEALTHCARE PRIVACY—U.S.

Opinion: EHR Privacy Issues Must Be Addressed (September 10, 2010)

Latanya Sweeney of Carnegie Mellon University cautions that for the Nationwide Health Information Network (NHIN) to be successful, privacy concerns cannot be overlooked. In a Modern Healthcare report, Sweeney writes, "A significant loss of privacy in the NHIN will render it useless and can cause serious personal harm as patients opt out and doctors find unforeseen ways to hide sensitive patient information." She notes, however, that the list of meaningful uses for 2011 does not include privacy incentives. Without privacy, she writes, "It doesn't take a doctorate in computer science to know the prognosis for the NHIN is not good, and it doesn't require political sensitivity to know what public reaction will be." (Registration may be required to access this story.)
Full Story

PRIVACY LAW

BC OIPC Rules on Agency Breach (September 10, 2010)

The Office of the Information and Privacy Commissioner of British Columbia has upheld the complaint of a man who claimed he was wronged by a government agency. According to an OIPC press release, the BC Ministry of Children and Family Development "breached its duty under section 28 of the Freedom of Information and Protection of Privacy Act." The act requires public and private-sector bodies to take all reasonable steps to ensure the accuracy of individuals' personal information. BC Privacy Commissioner Elizabeth Denham said the decision "drives home...the significance of ensuring personal information is accurate before it is used in a decision that affects someone."
Full Story

PRIVACY LAW—SWITZERLAND

Court: File Sharers’ Privacy Infringed Upon (September 10, 2010)

The Swiss supreme court has ordered a company to stop collecting information on suspected illegal file sharers, saying the practice breaches sharers' privacy rights, The Associated Press reports. Logistep AG's distribution of file-sharers' information to film and music companies seeking to protect their copyrights is a significant infringement of privacy rights, a Lausanne-based Federal Tribunal said in a Wednesday ruling. The information distributed included IP addresses, which the court said are protected by Switzerland's strict data protection laws.
Full Story

ONLINE PRIVACY—U.S.

FTC May Seek New Restrictions (September 9, 2010)

A Federal Trade Commission (FTC) official has hinted that the agency may "prod online advertisers and Web companies to adopt new education tools and data-collection restrictions in an effort to protect consumer privacy," ecommerce-guide.com reports. FTC Senior Attorney Loretta Garrison said the agency's roundtable sessions this year made it clear that "there's no such thing really as anonymity on the Web," noting the lack of consumer understanding about "the wealth of information that's being collected and the many different parties that are involved" must be addressed. Referencing recent comments by FTC Chairman Jon Leibowitz, she suggested a basic level of privacy protection should be made available to consumers, noting, "There ought to be an element where if they don't want to be tracked they ought to be able to say no."
Full Story

ONLINE PRIVACY

Expert: Privacy is Worth Paying For (September 9, 2010)

Following up its report on startup companies focused on privacy protection, The Wall Street Journal has published a Q&A with Eugene Kuznetsov, a former IBM executive and cofounder of the online privacy company Abine. Kuznetsov notes that one of the key opportunities for privacy protection companies is to "alleviate some of the confusion around privacy." A key component of getting people to use such services is trust, he said, which is built in businesses where the consumer is the paying customer. Looking to future issues in privacy protection, Kuznetsov points to the use of e-mail addresses to log into Web sites, noting, "if every one of the hundred sites online that you log into has your one unique e-mail address as the login, they can track you now across sites. They don't need a cookie." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Courts Increasingly Hear Cases on GPS Surveillance (September 9, 2010)

The Washington Times reports on recent court cases demonstrating tension between centuries-old rules on search and seizure and the advent of surveillance technology such as GPS. Law enforcement increasingly uses such technology to track suspected criminals' movements, often without warrants, which has incited an onslaught of court cases challenging the practice. An Oregon man was recently convicted on charges of marijuana cultivation after police tagged his car with a GPS device, for example. He lost his appeal to the 9th U.S. Circuit Court of Appeals, but a dissenting judge wrote that there was "something creepy and un-American about the clandestine and underhanded behavior" of the police in the case.
Full Story

DATA RETENTION—AUSTRALIA

Senator: Online Privacy Report Needs More Time (September 9, 2010)

Greens Sen. Scott Ludlam will propose that a senate inquiry report into data retention and online privacy be delayed when parliament next sits, CIO reports. Ludlam, who proposed the inquiry in June and aimed to have a report prepared by October 20, now says the study on the adequacy of Australians' online protection will require more time. The study will look at topics including privacy and data protection on social networking sites and companies' and government agencies' data collection practices. "It is time the parliament took a proper look at the degree to which the privacy of Australians online is being eroded by governments and corporations alike," Ludlam said. Meanwhile, the Australian Federal Police this week backed a proposal for a controversial data retention scheme.
Full Story

PERSONAL PRIVACY—U.S.

Customers Resist Smart Meter Deployment (September 9, 2010)

The Wall Street Journal reports on a California utility company's efforts to transition customers from traditional utility meters to digital, or "smart" meters, which some customers have resisted on cost and privacy grounds. Pacific Gas & Electric Corp. has established "answer centers" to assuage concerns after complaints from various customers, followed by city councils in the state asking the company and the California Public Utilities Commission to suspend smart meter deployment until concerns had been addressed. Meanwhile, the National Institute of Standards and Technology released a report last week making recommendations for privacy within the smart grid, including that privacy be protected "by law or other means." (Registration may be required to access this story.) Editor's note: Read more about privacy and the smart grid in an article from last month's Privacy Advisor.
Full Story

ONLINE PRIVACY

How Much Would You Pay for Web Privacy? (September 8, 2010)

New companies aimed at helping people protect their online anonymity are facing a challenge, The Wall Street Journal reports, as many are reluctant to pay for Web privacy. With the majority of Internet users unaware of how their Web searches, posts and visits can be used by marketers and others, privacy company executives say many are uncertain about trusting their information to an unfamiliar company. As the founder of Web privacy company VaporStream put it, "Individuals don't understand the risk of privacy online." When it comes to protecting privacy online, the report states, "Overall, the Web-privacy industry remains fractured, with many free and for-purchase products tackling a range of risks." (Registration may be required to access this story.)
Full Story

BEHAVIORAL TARGETING—UK

Ad Regulator Latest To Monitor Online Marketing (September 8, 2010)

The Advertising Standards Authority of Britain, an industry-financed body that operates independently of the government to monitor advertising in the UK, has announced it is extending its oversight to social networks, company sites and other nontraditional digital marketing activities, The New York Times reports. The announcement follows similar moves in more than a dozen European countries, the report states, as well as the release of guidelines by the U.S. Federal Trade Commission for marketing via social media and blogs in that country. The Advertising Standards Authority will include particularly tough sanctions, the report states, as "marketers, ad agencies and Internet companies are eager to demonstrate that 'self-regulation' can protect consumers at a time when the future of marketing is under scrutiny." (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY—U.S.

Law Students to Study Smart Grid (September 8, 2010)

Vermont Law School has launched a project to study the smart grid, The National Law Journal reports. The school has hired two energy experts to assist students in studying regulatory and privacy issues associated with the smart grid, which will digitize consumer energy information, in some cases down to the appliance level. The two-year project is funded in part by a U.S. Department of Energy grant. Energy expert Kevin Jones said the project will research how utility companies have balanced smart grid technology and privacy concerns, the report states. "There will be a lot more information about customers and energy usage with these smart meters, and privacy has been a big question thus far," Jones said. Editor's note: Read more about privacy and the smart grid in an article from last month's Privacy Advisor newsletter.
Full Story

PRIVACY LAW—NEW ZEALAND

Commissioner Outlines Plans for New Powers (September 8, 2010)

Changes to New Zealand's privacy act will allow the privacy commissioner to ensure that personal information sent overseas to New Zealand for processing has effective protections, Voxy reports. The Privacy (Cross-border Information) Amendment Act, enacted yesterday, aims to bring the country closer to the European Union's "adequate" status when it comes to cross-border data transfers. Privacy Commissioner Marie Shroff released guidelines today outlining her business approach to the new enforcement powers, the report states. "Ensuring that European business and regulators see New Zealand as a safe place for information processing is important for New Zealand's reputation. I intend to exercise the new powers in a careful and proportionate way," she said.
Full Story

ONLINE PRIVACY

Q&A with Microsoft’s CPO (September 8, 2010)

The Inquirer discusses online trust with Microsoft Chief Privacy Officer Brendon Lynch, CIPP. Lynch has been part of Microsoft's privacy team since 2004. In the interview, he discusses the company's move to offer tokenized authentication. He hopes the company's U-Prove technology, which he says brought to life the bridging of offline and online identities, will be built widely into identity technologies. "There's a need for rethinking and thinking deeply about how identity is dealt with online," Lynch said. "In certain situations, you want high assurance and strong authentication--for example, healthcare, when it moves online." Lynch is on the IAPP board of directors.
Full Story

PRIVACY LAW—U.S.

Groups Sue Government over Laptop Searches (September 8, 2010)

The American Civil Liberties Union, criminal defense lawyers, photographers and a university student have filed a lawsuit challenging the policy permitting officers at U.S. borders to detain travelers' laptop computers to search their contents without suspicion of wrongdoing, The Washington Post reports. The suit, filed Tuesday in U.S. District Court for the Eastern District of New York, alleges the searches violate privacy and freedom of speech and asks that they require a warrant. The Bush-era search policies were updated with Department of Homeland Security revisions under the Obama administration last year to increase information available to travelers about the searches and set time limits. Some say those changes didn't go far enough. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY—UK

ICO Disappointed about TalkTalk Trials (September 7, 2010)

The Register reports that Information Commissioner Christopher Graham has rebuked TalkTalk for tracking customers' movements across the Web without notifying them. The ICO sent a letter to the company in July, expressing dismay that during a trial of its anti-malware system, it not only tracked customers' movements but also failed to mention the activity to ICO officials during meetings with them.

ONLINE PRIVACY

Google Updates Privacy Policy, Settles Buzz Suit (September 7, 2010)

Google has reached an $8.5 million settlement in a class-action suit regarding its Buzz social-networking feature, PC Magazine reports. The agreement includes an acknowledgment that the company has addressed the privacy issues and the creation of a fund for "existing organizations focused on Internet privacy policy or privacy education," the report states. The settlement was released on the same day that the company announced it will simplify its privacy policies--cutting the length of the policies by 22 percent. "To be clear, we aren't changing any of our privacy practices," Google officials wrote in the company's official blog, noting "we want to make our policies more transparent and understandable." However, Marc Rotenberg of the Electronic Privacy Information Center is questioning whether the changes will be good for Google users. The revisions go into effect October 3.
Full Story

PRIVACY LAW—NEW ZEALAND

Parliament Passes Cross-Border Data Bill (September 7, 2010)

New Zealand lawmakers have passed a bill that could bring them closer to the European Union's coveted "adequate" status when it comes to cross-border data transfers. Scoop.co.nz reports that the New Zealand Parliament passed The Privacy (Cross-border Information) Amendment Act on August 26. "The government recognizes that in today's difficult economic environment, we need to do everything possible to improve the international competitiveness of our businesses," said Justice Minister Simon Power, who added that the new law allows businesses "to assure their international business partners that their customers' personal information will be protected by the full force of the law."
Full Story

DATA THEFT

FIFA Fans’ Personal Information Stolen, Sold (September 7, 2010)

A criminal investigation has been launched into the theft and sale of personal details of as many as 250,000 individuals from the U.S., UK, Switzerland, Portugal, the Netherlands, Poland, Italy, Germany, France, Spain and Croatia who purchased tickets to the 2006 World Cup from official FIFA outlets, the Daily Mail reports. The information, which includes passport details and dates of birth, was sold for as much as £500,000 (USD$765,132). "The unlawful trade in people's personal information is a criminal offense under the Data Protection Act," Mick Gorrill of the UK's Information Commissioner's Office said over the weekend, noting the office will be working with FIFA and international data protection authorities in the investigation.
Full Story

RFID—U.S.

Tags Gaining Popularity and Raising Concerns (September 7, 2010)

The San Francisco Chronicle reports on the increasing use of RFID tags for a wide range of purposes including tracking preschoolers' whereabouts, authenticating ID badges and retail inventory. While their popularity grows, privacy experts have concerns that the chips could be used to reveal subjects' personal information, including habits and identities. A spokeswoman from the American Civil Liberties Union of Northern California said someone sitting across the street from a preschool could scan children's RFID tag information without ever being detected, for example.
Full Story

DATA RETENTION—AUSTRALIA

Police Back Data Retention Proposal (September 7, 2010)

The Australian Federal Police (AFP) has backed a proposal for a controversial data retention scheme that aims to catch cybercriminals, ZDNet reports. Like the EU Data Retention Directive, the plan would require telecommunications providers to retain information about customers' phone calls and e-mails and may also include a requirement that they retain a record of Web sites visited. A spokesman from the AFP said police currently have the ability to lawfully obtain the information they seek, but the practice is dependent on how long service providers retain the data. "The government will ultimately make a decision in where they stand in relation to privacy and where they stand in relation to what they want," he said.
Full Story

ONLINE PRIVACY—EU & U.S.

Regulators Raise Cloud Concerns (September 7, 2010)

Concerns about the Safe Harbor Framework voiced recently by Schleswig-Holstein Data Protection Commissioner Thilo Weichert illustrate the importance of developing transparency and standardized policies in the cloud computing market, ReadWriteWeb reports. Referencing a report from the Information Law Group that, despite the German regulator's concerns, there is no "imminent danger of a European crackdown," the report points to questions that still remain about protecting personal information in the cloud. "European authorities have a reputation for strict data protection requirements. That's not going to change," the report states. "It's just a question what effect the law will have on the technology itself as privacy takes center stage."
Full Story

PRIVACY LAW—U.S.

Senators Push for Cell Phone Law (September 7, 2010)

Senators Ron Wyden (D-OR) and James Risch (R-ID) are drafting legislation to set regulations for government collection and use of cell phone geolocation data, reports The Oregonian. Cell phone service providers track the location of phones in order to provide services, and increasingly, police and courts are requesting this information to assist in investigations. "I was struck by the fact there was no legal framework to make clear how this information is protected. It's become a huge legal quagmire," said Wyden. The senator says the bill is to be modeled on regulations for wiretapping, with a requirement that authorities "show cause and a real basis in evidence" to access the information and penalties for surreptitiously tracking someone.
Full Story

INFORMATION ACCESS

IPCs Call for “Open Government” (September 3, 2010)

The information and privacy commissioners of Canada are calling on the government to be more transparent, the Montreal Gazette reports. In a joint resolution, the federal, provincial and territorial commissioners call for proactive sharing of information. "The norm should really be proactive disclosure," said Information Commissioner Susanne Legault from a gathering in Whitehorse. "We feel that all Canadian governments at all levels should really embrace this approach and this cultural shift." In the resolution, the commissioners call on the federal government to commit to stronger open government standards and to change the system so that Canadians get information without having to formally file access requests, among other changes.
Full Story

DATA LOSS—U.S.

Retiree Files Class-Action Suit (September 3, 2010)

A Delaware woman has filed a class-action lawsuit after her personal information was exposed on a state Web site, reports The News Journal. The state confirmed this week that its benefits consultant, Aon Consulting, inadvertently included the Social Security numbers, birth dates and genders of about 22,000 state retirees in a document posted to the state's procurement site. "She's always going to have to live with the fear that her identity could be stolen," said the attorney for the plaintiff. Ryan Calo of Stanford University Law School told the Daily Dashboard that even were none of the victims of the breach to suffer identity theft, "the law ought to recognize the subjective apprehension they'll experience, never quite knowing whether their finances or credit will one day be compromised. One way to mitigate this form of harm is to provide free credit monitoring," said Calo, who has written a paper on the "Boundaries of Privacy Harm," which will be published next year.
Full Story

ONLINE PRIVACY—U.S.

Advocacy Group Uses Ad To Slam Google (September 3, 2010)

A consumer group that has long been critical of how online companies address privacy has taken aim at Google in a very public way, The New York Times reports. On Thursday, Consumer Watchdog "took its objections to a new level with a 540-square-foot video advertisement in Times Square in New York," the report states. Consumer Watchdog leaders have said the goal with their videos and the accompanying Web site, InsideGoogle.com, is to push for the creation of a national Do Not Track Me list, similar to the Do Not Call list that was developed to limit telemarketing calls. "Consumers have a right to privacy. They should control how their information is gathered and what it is used for," Consumer Watchdog President Jamie Court wrote in his blog. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—EU

Commission Suspends Data Transfers to Israel (September 3, 2010)

The European Commission has suspended its plans to allow the storage of personal data on European citizens in Israel. Justice commissioner Viviane Reding yesterday moved to halt the immediate adoption of an EU declaration that Israeli data protection systems are in line with European Standards, The Irish Times reports. The plan had elicited criticism from Irish Minister for Justice Dermot Ahern, who expressed concern about the nation's data protection standards. The move to allow such transfers was expected to pass, as Ireland has been the only EU state to express resistance. A spokesman for Reding indicated the proposal would see more discussion, stating, "A decision has been delayed."
Full Story

DATA PROTECTION—U.S.

NIST Releases Report on Privacy and the Smart Grid (September 3, 2010)

The National Institute of Standards and Technology's smart grid privacy subgroup has published the second in its three-volume report on privacy within the smart grid. Released today, "Guidelines for Smart Grid Cyber Security" explores privacy concerns and makes recommendations that personal information, personal privacy, behavioral privacy and personal communications privacy should all be equally considered when incorporating privacy into the grid. "The innovative technologies of the smart grid pose new issues for protecting consumers' privacy that will have to be tackled by law or by other means," the report states, as the types of data collected in the grid present risks to privacy that have not existed before. Editor's note: Read more about the privacy implications of the smart grid in an article from last month's Privacy Advisor.
Full Story

PRIVACY LAW—NEW ZEALAND

WiFi Investigation Continues (September 3, 2010)

Privacy Commissioner Marie Shroff is continuing her investigation into Google's collection of WiFi data, despite New Zealand police's determination that the company did not commit a criminal offense, 3 News reports. The police yesterday called the incident a timely reminder about WiFi security and the importance of having security measures in place. "People should not underestimate the risk that information they broadcast might be accessed by others, either inadvertently or for more sinister purposes," said a spokesman for the department's national cyber crime centre. Assistant Privacy Commissioner Katrine Evans said the investigation continues.
Full Story

BIOMETRICS—JAPAN

New Ad Displays Actually Watch Consumers (September 3, 2010)

Billboards in Japan are being replaced with flat-screen monitors with cameras and sensors to glean more information about who is looking at them, The Wall Street Journal reports. To target consumers more directly, the public displays use facial-recognition technology to determine not only how many people looked at the visual but also their gender and level of attentiveness. The technology is raising privacy concerns as Japan does not have any laws that require notification that signs are equipped with cameras or rules for handling the information captured as people pass by or stop to look, the report states. According to Yasuhiko Tajima of Sophia University and the Campaign Against Surveillance Society, privacy protection depends too much on the consciences of individual companies. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—HONG KONG

Chiang Considers Increased Penalties (September 3, 2010)

Privacy Commissioner for Personal Data Allan Chiang has met with representatives of the political group New Forum to hear concerns and recommendations on the collection and use of personal data for direct marketing by organizations, according to a commission press release. New Forum recommends legislation to regulate the transfer of personal data and raising the penalty for offenses of the ordinance on Personal Data Privacy. The commissioner has written to Hong Kong's monetary authority, among other government officials, to draw attention to the ordinance on marketing practices and agrees with New Forum's suggestion that the penalty for offenses should be raised, the report states.
Full Story

PRIVACY LAW—U.S.

Legislators Seek Info on Data Gathering (September 3, 2010)

With the push for privacy legislation moving forward in the U.S. House of Representatives, Manatt, Phelps & Phillips LLP reviews several legislators' responses to a recent series of articles in The Wall Street Journal focused on online data-gathering practices. Following the "What They Know" series, Congressmen Ed Markey (D-MA) and Joe Barton (R-TX) asked 15 Internet companies to explain their practice of allowing third-party advertisers to install tracking mechanisms on the computers of those who visit their sites. "This data gathering permits Web-based enterprises to develop digital dossiers on consumers for a range of purposes, including highly targeted marketing," they noted in their letters. The legislators will consider responses as they debate pending privacy legislation proposed by Reps. Rick Boucher (D-VA) and Bobby Rush (D-IL). Editor's Note: Privacy Tracker subscribers may hear Jim Halpert's analysis of The Wall Street Journal article series on this month's Privacy Tracker call, now available on the Privacy Tracker Web site.
Full Story

BIOMETRICS—U.S.

Fingerprints for Fitness (September 3, 2010)

A California-based fitness chain has begun using fingerprint scanners to identify members entering its facilities, raising privacy concerns for some, the Los Angeles Times reports. "I don't want my gym having more information on me than they already do," said one fitness publisher. A spokesperson for the chain said, "We aren't really storing fingerprints, just a number of points on a person's finger that are being captured." About three percent of members have opted out of the fingerprinting system. The Daily Dashboard asked privacy consultant Chris Zoladz, CIPP, CIPP/G, about biometrics in gyms. While implementing such technologies can help cut costs and fraud, Zoladz said, clubs must thoughtfully address the "significant" security and privacy implications in order to ensure they are not being "penny wise but pound foolish."
Full Story

PRIVACY LAW—CHINA

Critics: Cell Phone Registration Invades Privacy (September 2, 2010)

A new rule requiring cell phone users to register their phone numbers by showing personal information is raising privacy concerns from critics. The Ministry of Industry and Information Technology says residents buying numbers for mobile phones must show ID cards, and foreigners must also produce their ID cards, Reuters reports. But the rule, which came into force yesterday, is seen by critics as an invasion into users' privacy and a way for the government to pry. Some fear the numbers could be sold to third parties for nefarious purposes. A commentary in the China Economic Times calls for measures to protect citizens' privacy under the new rule.
Full Story

DATA LOSS—U.S.

Heartland To Pay Discover $5 Million (September 2, 2010)

Heartland Payment Systems, Inc., agreed on Wednesday to pay Discover Financial Services $5 million to resolve issues related to its 2008 data breach, reports the Associated Press. Heartland said this marks the last of its credit card brand payouts, which include $3.5 million to American Express, $59.3 million to Visa and banks and $41.4 million to MasterCard. The breach occurred when cyber criminals hacked Heartland's computer network, exposing as many as 100 million customer credit card numbers, expiration dates and some internal bank codes.
Full Story

ONLINE PRIVACY

Personal Data Has a Price (September 2, 2010)

NetworkWorld reports on the view of digital personal data as bankable currency. Marc Davis of Microsoft, who is a backer of rights-based privacy, suggests that "every piece of data on the Internet maps back to who created it and who they know. Where they were when they did it, where they've been and where they plan to go. What they are interested in, attend to and interact with, and is around them and when they do these things." All this, he writes, has vast implications for privacy and the economy, noting that personal data "could be bankable and tradable from your Personal Data Bank," which would be "tied to clear, immediate and concrete benefits to choices about your personal data." Editor's Note: Read more about the concept of data banking and exchange.
Full Story

SOCIAL NETWORKING

The Privacy of Ping (September 2, 2010)

Apple's Ping, a music-focused social-networking service for iTunes users, was introduced this week, and the company is promising simple and straightforward privacy controls, indicating companies are now seeing the potential for privacy as grounds on which to compete, The New York Times reports. "You can get as private or as public as you want," Apple CEO Steve Jobs said of Ping, noting the device's privacy settings are "super simple." Citing recent privacy issues for large Web and social networking companies, Marc Rotenberg of the Electronic Privacy Information Center said Jobs' remarks show "privacy is very much on the minds of companies offering social-network services," and Ryan Calo of Stanford Law School's Center for Internet and Society suggested the comments show that companies are responding to public demands for simple privacy controls. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY—INDIA

Government: Security More Important than Privacy (September 2, 2010)

Following its demand for access to encrypted Blackberry data in the country, India has said security is more important than privacy, reports News.com.ag. Research In Motion (RIM), which manufactures Blackberrys, has conceded to India's demand for lawful access to its private data to avoid a ban on the product in the country, says the report. "The government feels that security is more important than privacy," said India's home minister, adding the country will watch the progress made over the next two months. The UN said yesterday that RIM should provide India, Indonesia, Lebanon, Saudi Arabia and the United Arab Emirates access to Blackberry data due to legitimate security concerns.
Full Story

ONLINE PRIVACY

Tech Suppliers Urged To Embrace Privacy Principles (September 2, 2010)

In a feature for The Last Watchdog, Fran Maier of TRUSTe shares her personal experience underscoring the privacy risks that come with the "Internet of Things." Maier writes how her missing camera began wirelessly uploading photos to her Eye-Fi account from an unsuspecting family in Germany that did not know that the account--complete with geo-tags--was enabled. "In this new world of the Internet of Things, a family photo can be much more than that," Maier writes, noting, "It may be a sensitive piece of personal data inadvertently shared with a stranger because of insufficient privacy safeguards." As the Internet of Things grows, Maier said it will be essential for technology designers and suppliers to "incorporate transparency, accountability and choice" to protect privacy. Editor's Note: Read more about Maier's story and the unforeseen consequences of such technology.
Full Story

PRIVACY LAW—NEW ZEALAND

Street View WiFi Data Not a Crime (September 2, 2010)

New Zealand police said Google did not commit a criminal offense when it collected data from wireless networks for its Street View mapping service, AFP reports. The matter has been referred back to Privacy Commissioner Marie Shroff, who alerted the police to the potential crime after Google admitted its Street View cars had collected WiFi data. "An investigation by police has determined that there is no evidence to suggest a criminal offense has been committed," said a spokesman for the New Zealand police cyber crime centre, adding that the case underlines the need for Web users to secure their wireless networks.
Full Story

DATA LOSS—U.S.

Settlement Reached in Security Breach Case (September 1, 2010)

A federal judge has approved a settlement between Countrywide Financial Corp. and millions of customers whose information was exposed in what has been described as "the biggest reported case of data theft by a financial insider." The Associated Press reports that the company will provide free credit monitoring for up to 17 million customers who obtained a mortgage or used Countrywide to service a mortgage before July 1, 2008, and individuals could be reimbursed up to $50,000 for each instance of identity theft stemming from the breach. Countrywide has said it worked with federal investigators on the case, and it does not appear that any identities have been stolen.
Full Story

PRIVACY LAW—U.S.

Two California Bills on The Move (September 1, 2010)

Two bills designed to protect Californians' data are on the move. The California Legislature last week passed SB1166, a law that strengthens the notification requirements for data breaches, SC Magazine reports. The bill now moves to the governor's desk. And yesterday, the state assembly passed a bill designed to protect the privacy of motorists who use automated toll payment systems. SB1268 would prohibit the selling or sharing of motorists' data collected by transportation agencies, reports The Mercury News. It would also require agencies to destroy data that could be linked to specific drivers, the report states. That bill now moves to the senate.
Full Story

IDENTITY THEFT—CANADA

Commissioner Investigating Hospital Admission, Burial Under Stolen Name (September 1, 2010)

In a case that has been described as unlike anything his office has seen before, Alberta Privacy Commissioner Frank Work is launching an investigation to determine how a patient was admitted to a Calgary hospital with the stolen Alberta Health Care card of an acquaintance and was buried under that stolen name when he died in the hospital of natural causes. The Health Information Act (HIA) allows the commissioner to conduct investigations to ensure compliance with its provisions, the Calgary Herald reports. "I have decided to conduct an investigation to examine what steps are reasonable to take to ensure health information is accurate and complete before it is used by a health services provider," Work said.
Full Story

DATA LOSS—UK

Company Fined £2.27 Million for Data Breach (September 1, 2010)

The Financial Services Authority (FSA) has fined an insurance company £2.27 million, a record amount, for its loss of computer backup tapes containing the personal information of 46,000 policy holders, Citywire reports. The FSA says Zurich Insurance failed to have systems in place to prevent the loss, which occurred during the outsourcing of unencrypted information, including credit card and bank details, to the company's South African branch. "This incident was unacceptable," said Zurich's chief executive, adding that the company is doing all it can to protect customer data.
Full Story

ONLINE PRIVACY

Defining the Limits of Privacy (September 1, 2010)

The way we respond to the prevalence of online data will define the limits of privacy in the next decade. That is the message Daniel J. Solove shares in a report for The Chronicle of Higher Education. "The growth of information-analysis technology will have profound consequences, both good and bad," he writes, pointing to such positives as improved research and communication while cautioning that when it comes to privacy, "it will be harder for people to escape mistakes they made in the past. Big corporations and the government will be able to learn more about our lives and have more power as a result." Solove suggests that our responses and the "legal rules we develop over the next decade to cope with these developments will determine the limits of our freedom and privacy."
Full Story

PRIVACY LAW—U.S.

Broadband Services May Face New Regulation (September 1, 2010)

Broadband service providers may soon be subject to new and strengthened privacy and data security regulations likely to touch on a variety of topics "including the use of customer data for marketing, cloud computing and cybersecurity," The Metropolitan Corporate Counsel reports. The article, which provides an overview of developing privacy regulation and focuses on the Federal Communications Commission's (FCC) activity, notes that although "a recent court decision has cast considerable doubt over the extent to which the FCC can regulate broadband Internet access providers, the FCC has made clear that it believes it has ample authority to regulate," referencing FCC concerns that fears over privacy and data security impede consumers' adoption and use of broadband.
Full Story

FINANCIAL PRIVACY—U.S.

Candidates Use Privacy as a Platform (September 1, 2010)

Two political candidates in North Dakota are using a decade-old financial privacy bill as fodder for their congressional campaigns, Minot Daily News reports. At issue is Senate Bill 2191, introduced in response to the Gramm-Leach-Bliley Act (GLBA) of 1999. It aimed to change North Dakota's privacy law from a requirement that banks seek permission before sharing customer data with marketing partners to requiring that customers instead opt out of such practices. Voters eventually said no to the bill, which is now the subject of debate between Congressmen Earl Pomeroy and Rick Berg over who supported the idea, which another legislator called "absolutely wrong."
Full Story

PRIVACY LAW—UK

Does ICO Need More Power To Stop Breaches? (September 1, 2010)

In the wake of recent Data Protection Act breaches, ITPRO reports on expert opinions as to whether the Information Commissioner's Office (ICO) has enough power to prevent such incidents. Although the ICO can levy £500,000 fines for serious data breaches, no fines were issued in the most recent cases, the report states, prompting some experts to suggest the issue isn't with the ICO's powers but with "lack of enforcement ability, just in terms of actual manpower." Several said the ICO should issue fines more often. As Edy Almer of Safend put it, "If Europe and the UK do not start acting fast, there will be more instances of this kind and once it's out, the genie cannot be put back in the bottle."
Full Story

DATA LOSS—U.S.

Breaches in DE, FL Discovered (September 1, 2010)

Delaware Online reports that a benefits consulting company working with the state government inadvertently posted to the Internet the Social Security numbers, birth dates and gender of about 22,000 state retirees. A spokesman for the company said the information should have been randomized and the company is investigating why it was not. Meanwhile, the University of Florida announced in a press release that a laptop was stolen from an employee of P.K. Young, an affiliated kindergarten-through-grade-12 laboratory school. It contained the personal information of more than 8,300 students and employees. The university is notifying those affected and installing encryption software on laptops containing restricted data.
Full Story

DATA LOSS—U.S.

PII Found in Military Dumpster (September 1, 2010)

Heartland News reports that a viewer alerted them after finding high school diplomas, birth certificates and Social Security cards in a dumpster behind a Missouri Armed Forces Recruiting Center. The news station counted dozens of high school diplomas, eight of which contained birth certificates, Social Security cards or both. A statement released by Air Force Lt. Col. Christopher Byrom said that a new recruiter who was cleaning out old files, "separating Privacy Act information from non-controlled documents," missed a "limited amount" of documents. The statement said the office will contact all individuals affected and that "The Air Force is actively working with the disposal company involved, as well as the media outlet to which these materials were given, to recover any improperly released information."
Full Story

SOCIAL NETWORKING

The Future of Privacy and Publicness (September 1, 2010)

Using social networking posts and media reports, Fast Company reports that "the line that separates privacy and openness remains undefined" as individuals weigh the "benefits and risks of living in public." Focusing on responses to Facebook's recent privacy-related decisions and user posts from Twitter, the report looks at the media's role in fueling discussions and debate around privacy. Following an analysis of responses and reactions to the word privacy, among other things, the report states that the push-back from people and the press can help "push things forward collaboratively" as "we are the last generations to know privacy as it was."
Full Story