Privacy News | Daily Dashboard


Top Privacy News

PRIVACY LAW—U.S.

Vladeck: Users Carry Too Much of Privacy Burden (October 29, 2010)

The director of the Bureau of Consumer Protection of the Federal Trade Commission yesterday provided a high-level outline of the commission's forthcoming report on the future of privacy, the Hunton & Williams Privacy & Information Security Law Blog reports. At the 32nd International Conference of Data Protection and Privacy Commissioners, David Vladeck said the report concluded both that current privacy law puts too much burden on consumers to read and understand privacy notices and make privacy choices and that there is a significant need to reexamine the concept of "harm" in U.S. law. The report, which offers recommendations to improve consumer privacy based on its findings, is due in November.

ONLINE PRIVACY

As Other Nations Continue Asking Questions, FTC Criticized for Street View Decision (October 29, 2010)

The U.S. Federal Trade Commission's decision to suspend its inquiry into the collection of personal data from unsecured WiFi networks by Google Street View vehicles has privacy advocates speaking out, E-Commerce Times reports. "We're not sure exactly why the FTC failed to act, but we intend to find out," said Electronic Privacy Information Center President Marc Rotenberg. A Consumer Watchdog spokesman has said it is joining those asking the Association of State Attorneys General to investigate whether Google's actions broke any state laws. Meanwhile, Canada's Office of the Privacy Commissioner has stated the issue remains unresolved in that country, and legislators in Australia are questioning the company's approach to privacy.

PRIVACY LAW—ITALY

Prosecutors Open WiFi Collection Investigation (October 29, 2010)

Computerworld reports that Italian prosecutors have opened an investigation into Google Street View vehicles' inadvertent collection of personal information over unsecured wireless networks. Prosecutors allege the company violated the country's privacy laws, the report states. The investigation was opened at the request of Italy's data protection authority, the Garante. "The problem does not so much concern the images taken by the cars as the fact that Google has also captured signals transmitted by wireless networks, including fragments of communications," said DPA President Francesco Pizzetti, noting it is illegal to intercept data transmissions without authorization. Google has apologized for the breach.

PRIVACY LAW—U.S.

California Online Privacy Bill Faces Uphill Battle (October 29, 2010)

The Los Angeles Times reports on Facebook's quiet lobbying of California lawmakers to fight a bill that would prevent social networking sites from displaying the addresses and phone numbers of minors. The bill was introduced by state Sen. Ellen Corbett (D-San Leandro) in February and passed the Senate 25 to 4, but floundered in the state assembly, the report states. "By the time it got to the assembly, the opposition lobbying had begun," Corbett said. The average child has a digital footprint by six months of age and seven percent of babies have Facebook pages set up for them by parents and guardians, according to the report.

PRIVACY LAW—CANADA & ISRAEL

Commissioners Approve PbD Resolution (October 29, 2010)

At their annual conference in Jerusalem, international data protection and privacy commissioners today approved a landmark resolution recognizing privacy by design (PbD), a concept coined by Ontario Privacy Commissioner Ann Cavoukian, Science 2.0 reports. The resolution, co-sponsored by Canadian Privacy Commissioner Jennifer Stoddart and commissioners from Berlin, New Zealand, the Czech Republic and Estonia, encourages privacy as the default and invites commissioners to promote building privacy into companies as the default mode. It also encourages commissioners to incorporate PbD's foundational principles into privacy policies and to push for legislation and research on PbD in their jurisdictions, the report states. At the event, Cavoukian called the current moment a tipping point for privacy.

PRIVACY LAW—UK

MP: Data Protection Act Limited ICO Powers (October 29, 2010)

The Information Commissioner's Office (ICO) was prevented from taking stronger action during its review of data collected by Google Street View cars due to limitations within the Data Protection Act, the Guardian reports. Meanwhile, Metropolitan police have announced it would not be appropriate to launch a criminal investigation into the issue. The ICO has since been given extra powers, including the ability to fine organizations up to £500,000 for "serious breaches of the Data Protection Act," but a spokesman confirmed that because the breach occurred before that change, "even if it was appropriate, we would be unable to use this enforcement power on this occasion." Culture Minister Ed Vaizey is scheduled to meet with Information Commissioner Christopher Graham on the issue next week.

DATA BREACH—U.S.

UH’s Third Breach This Year Exposes Info on 40,000 (October 29, 2010)

The University of Hawaii (UH) this week removed the names, grades, disabilities and other sensitive information of 40,101 of its former students after the information sat on an unprotected server for almost a year, reports the Associated Press. A professor uploaded the data to the server, which he mistakenly thought was secure. There is no evidence that the information has been inappropriately accessed, and the university has apologized and is notifying those affected. This breach, the third since last year at UH, has some questioning whether the school is adequately protecting information. "There is absolutely no way that we can say this will never happen again, but we are taking every step that's possible to make sure it doesn't happen," said a UH spokeswoman.

ONLINE PRIVACY

Google Names New Privacy Director (October 29, 2010)

Google has announced the selection of Alma Whitten as its new director of privacy, CNET reports. Whitten, who has been a Google engineer for seven years and has a background in privacy and security, will lead a team focused on privacy issues with more resources in an effort to prevent breaches, the report states. In its announcement on Whitten's appointment, the company said it would be increasing employee training on privacy issues and reviewing its products based on privacy-related criteria. As Whitten put it, "my responsibility is to drive privacy from within product and engineering and that encompasses whatever it needs to encompass."

DATA RETENTION—AUSTRALIA

Pilgrim Speaks Out on Gov’t Plan (October 29, 2010)

Australian Privacy Commissioner Timothy Pilgrim said in Senate Estimates today that his office does not support a government plan to require companies providing Internet access to store customers' Web browsing activities for authorities to access when needed, reports ZDNet. "We need to understand what is the exact problem being responded to [that] response is proportionate to the risk," said Pilgrim, warning that when holding data for a long time, "there is great risk that something could happen to it." Pilgrim said that in preliminary talks with the Attorney-General's Department, he called for a privacy assessment should the proposal become law.

FINANCIAL PRIVACY—U.S.

PCI-DSS Standards Version 2.0 Released Yesterday (October 29, 2010)

The Payment Card Industry data-security standard (PCI DSS) 2.0 was released Thursday. Some of the notable revisions include more responsibility on merchants to find cardholder data in their computer systems ahead of their PCI audits and steps taken by the council to help small merchants meet PCI duties, Digital Transactions reports, but overall, the standard is largely unchanged from its previous version. The PCI Council's European regional director called the changes "steady as she goes." However, the new standard does include additional guidance on the scope of PCI compliance, best practice on risk ranking and guidance on potential "rogue access points" in computer systems that could allow for data hacking.

PRIVACY LAW—GERMANY

DPA Calls for Internet Legislation (October 29, 2010)

Thilo Weichert, director of the Independent Center for Data Protection of Schleswig Holstein, presented a proposal before the German Lawyers Association on Wednesday for legislation that would regulate data protection on the Internet. Central to the proposal is a provision that requires the question of digital publication of personal data to be dependent upon a balancing between freedom of expression and data protection laws. In describing the proposal, Weichert stated in part, "Our draft should free the current discussion from a fixation on geo data and direct attention to significant and mutual problems of data protection." (Article in German.)

DATA PROTECTION—U.S.

Balancing Information Sharing and Privacy (October 29, 2010)

The U.S. Office of Personnel Management has announced plans for a database to track cost and quality of service under the Federal Employees Health Benefits Program, Federal News Radio reports. The system would collect Social Security numbers and employment details. Information sharing aims to improve mission delivery and boost transparency but can also threaten privacy, the report states. A Federal News Radio discussion aimed to explore the balance between privacy and security, featuring the assistant general counsel at the National Archives and Records Administration and the deputy director for information services at the Centers for Medicare and Medicaid Services.

PRIVACY LAW—U.S.

FTC Drops Google Street View Inquiry (October 28, 2010)

The FTC has ended its inquiry into Google's Street View, citing the company's pledge not to gather personal information from unsecured WiFi networks, The Washington Post reports. Some privacy advocates have spoken out against the FTC's decision, which the report notes is quite different from actions being taken in the EU. "Part of it is cultural, and part of it is that the U.S. and Europe have radically different privacy regimes," said Chris Calabrese of the ACLU. "The European model is extensive data protection in private information, and the U.S. model is piecemeal." Google has stated that "we did not want and have never used the payload data in any of our products or services." (Registration may be required to access this story.)

TRAVELERS’ PRIVACY—EU & U.S.

EU, U.S. Tussle Over Passenger Data Sharing (October 28, 2010)

The U.S. is facing resistance to its requests for broad sharing of European airline passenger data from the EU and European airline officials alike. The EU executive has demanded a renegotiation of the Lisbon Treaty, which lays out the conditions under which European airlines can supply passenger data. According to The Washington Post report, this move serves as recognition that the European Parliament would not approve the treaty as is. Meanwhile, officials from British Airways and Virgin Atlantic and others are accusing the U.S. of imposing overly intrusive and redundant security measures. These objections worry U.S. counterterrorism officials because computer scrutiny of passenger lists has become an important anti-terrorism tool, the report states. (Registration may be required to access this story.)

PRIVACY—UK

ICO To Recruit Tech Advisor (October 28, 2010)

The Information Commissioner's Office (ICO) plans to recruit a technology advisor to improve its knowledge of the industry, V3.co.uk reports. The advisor, who will focus on policy development, investigations and complaints, will help ensure the ICO "stays one step ahead of the game," said Deputy Commissioner David Smith. Private-sector and advocate reactions to the plan are positive. "UK privacy legislation dates from the mid to late 1990s, and technology has moved on an enormous amount since then," said Alex Brown of Simmons & Simmons. "It's difficult for companies that want to use cutting edge technologies to know how to comply with the legislation." Florian Mueller of the Open Rights Group said, "This step has been overdue." Editor's Note: The 2010 IAPP Data Protection Authorities Global Benchmarking Survey, which examines federal-level privacy offices and data protection authorities (DPAs) in 38 countries and territories, is now available in the IAPP Knowledge Center.

HEALTHCARE PRIVACY—U.S.

FTC/HHS to Hold December Roundtable on PHR (October 28, 2010)

The Department of Health and Human Services and the Federal Trade Commission (FTC) will hold a daylong roundtable discussion on December 3 in Washington, DC, to solicit industry input on privacy and security requirements for personal health records and related service providers, Health Data Management reports. The event, to be held at FTC headquarters, will include four panel discussions between researchers, legal scholars and industry stakeholders, the report states. The discussion aims to address the "current state and evolving nature of PHRs...consumer and industry expectations and attitudes toward privacy and security practices," among other topics. A public comment period will begin in November.

SOCIAL NETWORKING—U.S.

Congress Extends Breach Info Deadline (October 28, 2010)

The U.S. Congress has given Facebook an extension to respond to an inquiry from House Bi-Partisan Privacy Caucus Chairs Joe Barton (R-TX) and Edward Markey (D-MA) on recent privacy breach allegations, ClickZ reports. A House Energy and Commerce Committee spokesman said that the extension for the response has been granted, with answers to the privacy questions expected within a week or so, the report states. Facebook has indicated it plans to work with browsers on the glitch it believes caused user IDs to be shared with third-party firms. Meanwhile, U.S. Senate Commerce Committee Chairman Jay Rockefeller (D-WV) has also asked Facebook and MySpace for information on the alleged breach.

STUDENT PRIVACY—U.S.

City Launches Student Data Cards (October 28, 2010)

Civil liberties advocates are voicing concern about a pilot program that will assign Massachusetts public school students a single card to be used for access to multiple city services, The Boston Globe reports. The BostONEcard, launched today, will be used to take school attendance and for access to public transportation, library books, school meals and after school programs, among other applications. The program aims to raise school attendance and give children access to city services, but the executive director of the American Civil Liberties Union questions whether the card data could be subpoenaed by law enforcement agencies or given to marketing companies. "This may not be Big Brother, but it certainly feels like Little Brother," she said.

SOCIAL NETWORKING

Study Shows Most Proactive Countries for Privacy Settings (October 28, 2010)

The Unisys Security Index surveyed 10,575 consumers in 11 countries and found that 80 percent of social networking users in the U.S.--more than in any other country studied--said they regularly limit the personal information they post and restrict others' access to it, reports InformationWeek. Brazil and Germany were the next in line, with Brazil the most concerned with overall security, the report states. Patricia Titus, global chief information security officer at Unisys, says that the U.S. may be more proactive because it has "better reporting on social media issues here because Facebook is a U.S.-based company."

DATA LOSS—U.S.

Expert: Medicaid Data Breach Illustrates Need for Encryption (October 28, 2010)

The recent security breach of 280,000 individuals' personal health information highlights the need for data encryption, says one security expert. The breach, reported last month by Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan, was the result of a lost USB flash drive. Ed Goodman, CIPP, chief privacy officer at Identity Theft 911, says encryption is an uncomplicated and fairly cheap way to protect health information and notes that the reason this breach has been so highly publicized is because it happened due to the loss of a single thumb drive. He says encryption is essential because, "You can put systems in place, but there are always going to be breakdowns in processes."

PRIVACY LAW—EU & U.S.

Personal Data Transfer Negotiations To Begin (October 27, 2010)

The EU and U.S. are set to renegotiate rules governing the privacy of personal data when it is transferred between the two, computing.co.uk reports. The European Commission is recommending citizens on both sides of the Atlantic be able to take legal action against abuses in Europe or the U.S., the report states. Speaking before the European Parliament's Committee on Civil Liberties, Justice and Home Affairs on Tuesday, Françoise Le Bail, the commission's director-general for justice, said with the current "patchwork" of data transfer regulations, "the overall result is not very satisfactory," and the commission's proposal would "guarantee a certain number of basic rights for those whose data is gathered."

ONLINE PRIVACY

Google’s Fleischer Discusses Privacy Perspectives (October 27, 2010)

Only a small fraction of users of the world's largest search engine are taking advantage of privacy controls that allow them to choose which ads are steered their way, the Associated Press reports. Peter Fleischer, Google's global privacy counsel, said he is "puzzled about why more people don't use more of the privacy controls." Google targets ads based on cookies left behind on users' Web browsers, but with its "ads preference manager," a user can wipe out cookies or alter the subject areas identified, the report states. Fleischer also spoke of the challenges of global Internet products with different nations having different privacy views, noting he expects more efforts to reach agreement on common privacy policies around the world.

DATA BREACH—AUSTRALIA

Telco Sends Wrong Info to 220,000 (October 27, 2010)

Australian telco Telstra discovered last Friday that it has sent 220,000 letters containing customers' personal details to incorrect recipients. The letters included names, phone numbers, telephone plan details and, if applicable, references to pensioner discounts, reports the AAP. Telecommunications watchdogs are looking into the breach. Teresa Corbin of the Australian Communications Consumer Action Network said that Telstra must ensure "every customer affected has the problem resolved to their complete satisfaction," while Australian Communications and Media Authority Chairman Chris Chapman said the "incident appears to be a mistake on Telstra's part," adding, "criminal provisions are very unlikely to apply." Privacy Commissioner Timothy Pilgrim has also launched an investigation.

SOCIAL NETWORKING—U.S.

Senator Wants Details About Breach (October 27, 2010)

In light of recent media investigations into social networks sharing user information with advertisers, U.S. Senate Commerce Committee Chairman Jay Rockefeller (D-WV) is asking executives of Facebook and MySpace for information about the breaches. Bloomberg reports that Rockefeller has vowed to write legislation protecting privacy, stating he is concerned about reports that the sites shared users' personal information with third parties without their knowledge. "I intend to find out whether today's social networking sites are adequately protecting their users' personal information," he said, noting he intends "to conduct oversight and formulate strong public policy that protects the privacy of American consumers."

DATA PROTECTION—CANADA

Auditor Warns State Entities To Improve Practices (October 27, 2010)

Alberta's auditor general says the provincial government and the University of Calgary must do a better job of protecting data. The two entities came under fire in the auditor general's report, released Tuesday, for not demonstrating they've implemented adequate security policies, despite previous warnings, The Calgary Herald reports. The University of Calgary has been advised to improve its weak security controls regarding who has access to student information after it was admonished four times previously by the auditor general's office. The provincial government stores a vast amount of information--including personal health records--on servers across the province, the report states, which lack adequate protection to prevent unauthorized access.

STUDENT PRIVACY—U.S.

Private E-mail Reaches 2,400 Students (October 27, 2010)

A Delaware college has apologized to 18 students for distributing an e-mail outlining their academic failures to the student population, The News Journal reports. The e-mail named students at risk of failing and was sent by a high-level administrator at Wesley College who had intended to send the e-mail to a dozen fellow academic advisers but inadvertently used a listserv that sent it to Wesley's 2,400 students, the report states. A Wesley spokesman said the college will now require those with access to sending campus-wide e-mail to gain approval from a second administrator before sending.

HEALTHCARE PRIVACY—U.S.

Medical Identity Theft a “Significant Problem” (October 27, 2010)

The Philadelphia Inquirer reports on the prevalence of medical identity theft in the U.S. Joanna Saenz, for example, recently opened a bill for services rendered during the birth of her daughter at a Nebraska hospital, but she'd never had a daughter; her Social Security card had been stolen 10 years prior. The Federal Trade Commission spoke to a group of consumer advocates on the topic at Temple University recently, a day before two nearby health insurers reported losing the medical records of more than 280,000 people. An FTC lawyer said, "It's certainly a significant problem. It can turn people's worlds upside down." Meanwhile, an Ohio hospital has informed one patient that four employees inappropriately accessed his medical records.

ONLINE PRIVACY

CEO: Street View “Not a Monitoring Situation” (October 27, 2010)

Computerworld reports on comments by Google CEO Eric Schmidt in a CNN interview on issues related to recent privacy concerns around Google's Street View mapping service. With Street View, Schmidt said, photographs of buildings are only taken once. "This is not a monitoring situation," he said. In response to criticism over one of his comments on privacy during the interview, Schmidt has said that the unedited interview shows the context of the back-and-forth on privacy issues, noting, "I clearly misspoke. If you are worried about Street View and want your house removed, please contact Google, and we will remove it."

ONLINE PRIVACY

How Safe Is Your Login? (October 26, 2010)

Social networks are becoming the focus of new privacy questions about how their logins can be accessed through WiFi networks. The Wall Street Journal reports that Firesheep, a new add-on for the Web browser Firefox, "is designed to make it easy to intercept browser 'cookies' used by popular Web sites like Facebook, Twitter and others to identify their users, thereby allowing Firesheep users to log in to those Web sites posing as others." Eric Butler, a U.S. programmer who developed Firesheep, said he introduced the program as a way of bringing attention to a common weakness in Web site security. "On an open wireless network," he said, "cookies are basically shouted through the air, making these attacks extremely easy." (Registration may be required to access this story.)

HEALTHCARE PRIVACY—U.S.

Tuberculosis Privacy Suit Revived (October 26, 2010)

A federal appeals court has revived a tuberculosis patient's lawsuit claiming that health officials publicized his condition to make an example of him, The Augusta Chronicle reports. Andrew Speaker's lawsuit claimed that doctors released his personal information after he flew to Greece despite his recent TB diagnosis. The 11th U.S. Circuit Court of Appeals ruled that it was a "plausible claim that the Centers for Disease Control and Prevention (CDC) was the source of the disclosures at issue," reversing a lower court's decision to dismiss the lawsuit on grounds that Speaker didn't show enough evidence that the CDC was to blame for the breach in Speaker's privacy, the report states.

PRIVACY LAW—CANADA

Minister Apologizes for Breach of Veterans’ Data (October 26, 2010)

Former intelligence officer Sean Bruyea, whose medical information was found to have been accessed 400 times by Veterans Affairs bureaucrats without permission, has said Veterans Affairs Minister Jean-Pierre Blackburn's formal apology is not enough, The Globe and Mail reports. The apology, which also acknowledged for the first time that other veterans may have suffered similar privacy invasions, was expressed Monday in a press release but should be delivered in person by Blackburn himself, Bruyea said. "The formal apology is not just for me," Bruyea said, but to "anyone who may have gone through the same situation." Privacy Commissioner Jennifer Stoddart has launched an investigation of the breach, which thus far has found systemic problems at Veterans Affairs involving the handling of personal information, the report states.

DATA PROTECTION—U.S.

Gov’t Appoints Internet Privacy Subcommittee (October 26, 2010)

A panel appointed by the Obama Administration will focus on Internet privacy, The Washington Post reports. The subcommittee will include various parts of the federal government, including the Commerce, Justice, Homeland Security and State departments, and will advise the White House on regulatory and legislative issues for the Web, the report states. It will be headed by the general counsel at the Commerce Department and the assistant attorney general at the Justice Department. The subcommittee follows recent high-profile data breaches and increasing criticism by consumer advocacy groups about social media and advertisers collecting personal information online. (Registration may be required to access this story.)

PRIVACY LAW—CANADA

OPC Seeks Input on Draft Report (October 26, 2010)

The Office of the Privacy Commissioner of Canada (OPC) draft report summarizing its 2010 Consumer Privacy Consultations on online tracking, profiling and targeting and cloud computing is now available on the OPC's Web site. The office received 32 written submissions and held three public events in Toronto, Montreal and Calgary that were attended by representatives of industry and government, academics, advocates and members of the public. The report proposes specific actions the office plans to take in the future and identifies areas where more input is needed. The OPC is seeking public input on the draft by November 26.

SOCIAL NETWORKING

More Sites Tagged With Info-Sharing Concerns (October 26, 2010)

Following an investigation into a privacy breach involving popular applications on Facebook, social network MySpace and some of its apps have been found to be transmitting user information to outside advertising companies, The Wall Street Journal reports. Rapleaf, a company which compiles profiles of Internet users and was cited in the investigation as providing such information to advertisers, has stated it no longer passes such user information on to advertising networks due to privacy concerns. "The MySpace leaks appear to be more limited than those at Facebook, which has far more users and requires them to make public their name, gender and country," the report states. (Registration may be required to access this story.)

BEHAVIORAL TARGETING

Researchers: Ads Can Expose Personal Info (October 26, 2010)

Two recent academic papers focusing on targeted advertising found that ads can expose "sensitive profile information, like a person's sexual orientation or religion, even if the person is sharing that information only with a small circle of friends," The New York Times reports. Researchers in India and Germany, who focused on ads targeted to Facebook users, noted that by clicking on ads, users could reveal such personal information along with a unique identifier. In a separate study, a U.S. researcher said she was able to determine Facebook users' ages and sexual orientation by tailoring ads to their profiles. (Registration may be required to access this story.)

ONLINE PRIVACY

As WiFi Data Collection Revealed, New Investigation Begins (October 25, 2010)

Google has revealed that the data its Street View cars collected from unsecured WiFi networks included passwords and e-mails, Forbes reports, and now faces being the first company to incur fines of up to £500,000 under the UK's privacy laws. While UK Information Commissioner Christopher Graham has announced he is launching a new investigation into Street View's collection of private data, the Garante, Italy's DPA, has announced it will now require the company to clearly mark its Street View cars and provide detailed information on their routes to enable citizens to "freely decide what to do and possibly prevent the 'capturing' of their images" by the mapping service.

BEHAVIORAL TARGETING—U.S.

RapLeaf Founder Talks Privacy (October 25, 2010)

Internet tracking company RapLeaf has been getting quite a bit of attention in recent days following an investigation into social networks sharing user data with advertisers. The Wall Street Journal reports on comments by Rapleaf CEO Auren Hoffman on privacy issues, including support for federal regulation for the online advertising industry and criticism of tracking with IP addresses and Flash cookies because it limits user control. When it comes to the company's practice of using real names and e-mail addresses in its database, he wrote that the key to protecting privacy is "to make it technically impossible" to link Internet users to that information "when they are not explicitly logged in." (Registration may be required to access this story.)

ONLINE PRIVACY

Tools Enable Online Browsing Privacy (October 25, 2010)

Mercury News reports on various ways to maintain privacy on the Internet despite the pervasive tools used by search engines and marketing companies to track your movements online. Peter Eckersley of the Electronic Frontier Foundation says such ubiquitous online surveillance violates our right to "read in private," adding that "You might be reading the magazine, but it's reading you back." The report highlights a suite of tools available to increase online privacy, downloadable software to encrypt users' online searches and privacy modes within various Web browsers that allow for "private browsing," preventing the permanent storage of tracking technologies such as cookies.

ONLINE PRIVACY

How Much Does the Web Know About You? (October 25, 2010)

In a report for Fortune, Chris Dixon writes on the trend of Internet advertising targeting technologies that rely on "gathering information about users, something that inevitably raises concerns about privacy." With the rise of social networks, more personally identifiable information is available, whereas online users were previously tracked anonymously. The future of online privacy, some suggest, may be more regulation across the globe. "Social networks have provided the means to de-anonymize information," Dixon writes, suggesting "the wall has been breached" between what users share under their real identity online and what information they provide under the cover of anonymity.
Full Story

HEALTHCARE PRIVACY—U.S.

OCR: Final Rules Could Come by End of Year (October 25, 2010)

A top lawyer for the Office for Civil Rights says final rules for HIPAA and HITECH could be published by the end of this year or early next year, HealthLeaders Media reports. The final rule on breach notification, which was sent to the Office of Management and Budget for review but was later withdrawn, is also pending. It remains to be seen whether the breach notification rule will be included in the interim final rules, which supporters say works because it eliminates endless breach notification reports for harmless incidents. But opponents want it removed, saying it reduces privacy protections. A periodic audit requirement is also being considered.
Full Story

PRIVACY LAW—HONG KONG

Laws Concern Telemarketers Union (October 25, 2010)

The Standard reports on a telemarketer union's fears that tightened privacy protection laws will lead to more employees losing their jobs following the recent firing of 200 workers in the Octopus Cards personal data case. The government has released 37 proposals to strengthen privacy laws, the report states, including requiring user consent before personal information can be sold to direct marketers. A government official said industry and government have collaborated on the proposals, but a spokesman for the Hong Kong Telemarketer Association said consent should not be required for disseminating personal data. Meanwhile, Octopus' chairman has announced he will step down in December but says the decision is unrelated to the recent breach.
Full Story

DATA LOSS—CANADA

High School Hacker Blamed for Breach (October 25, 2010)

The London Free Press reports on a massive security breach at Thames Valley District schools that left 27,000 area high school students racing to change their passwords for everything from their social networks to their bank accounts. The suspect in the incident is a 16-year-old student who hacked the district's student portal, exposing student passwords, the report states. According to the school board, the breach was shut down within an hour and the school board did not believe student marks could have been altered, but the superintendent noted, "concern now is if any student used that same password for something else."
Full Story

PRIVACY

Dispatch from Israel: Privacy Pros Take to Field (October 25, 2010)

To kick off a week of privacy events, the IAPP hosted its second-annual Global Football Friendly event yesterday in sunny Jerusalem. It was high-scoring fun for everyone.
Full Story

PRIVACY LAW—U.S.

Expert: Regulation Seems Likely (October 22, 2010)

With multiple efforts to regulate online privacy in the works, a U.S. government Internet policy official believes some form of privacy regulation is likely, eCRM Guide reports. Speaking at a conference this week, Ari Schwartz of the National Institute of Standards and Technology referenced five U.S. and three international efforts to regulate data and online privacy. If anything, he said, the U.S. has "too many privacy laws," citing industry-specific and state laws. Suggesting the Federal Trade Commission (FTC) is likely to be the enforcer of any national regulations, he said that going forward, "We must move from procedural standards to performance standards... We need a lot more measurement in the privacy space."
Full Story

ONLINE PRIVACY—INDIA

New Deadline for RIM To Provide Gov’t Access (October 22, 2010)

The government of India has extended the deadline for BlackBerry maker Research in Motion (RIM) to begin providing Indian security agencies with access to its messenger and enterprise services, reports India Journal. The Indian Home Ministry granted the deadline extension this week after meeting with company officials and the Indian Ministry of Telecommunication, the report states. "We are satisfied with the solution provided for the lawful interception of BlackBerry Messenger Service," an official said. "We want to test it for some more time while discussions...are still on, hence RIM has been given a fresh deadline."
Full Story

PRIVACY—U.S.

EPIC Issues Privacy Report Card (October 22, 2010)

The Electronic Privacy Information Center (EPIC) has issued its second annual privacy report card for the Obama Administration, Computerworld reports. The report grades the administration's privacy practices in areas such as cyberspace, healthcare data, consumer protection and civil liberties. "Our bottom-line assessment is that with respect to privacy, things are getting worse," said EPIC Executive Director Marc Rotenberg. Rotenberg points to the administration's failure to establish a privacy advisory board and its approach toward consumer data protection as areas of concern. The administration received Bs for its efforts in cyberspace but garnered a D on civil liberties. In terms of healthcare privacy, an EPIC advisory board member said the administration has failed to deliver on its promises.
Full Story

STUDENT PRIVACY—U.S.

University, Student Reach Settlement (October 22, 2010)

Marshall University has reached a tentative settlement with the daughter of West Virginia's state treasurer, the plaintiff in a lawsuit claiming the school and a professor violated her privacy by releasing information about her grades. WHSV-3 reports on the proposed settlement between the university and Emily Perdue, who filed the lawsuit in July on the grounds that she suffered emotional distress and harm from the leaked information. Her attorneys and the university have agreed to an $81,250 settlement, the report states, and the agreement is expected to be finalized in the week ahead.
Full Story

BEHAVIORAL TARGETING

The Business of Selling Your Personal Info (October 22, 2010)

CNN Money reports on companies that know your name, age, hometown, e-mail address, income and social networking practices and sell that information to advertisers. One such company, Rapleaf, has been getting a lot of attention after a recent investigation revealed that it sold Facebook IDs to advertisers, the report states. While privacy experts are questioning the company's practices, a Rapleaf spokesman has said the IDs were sent to ad companies "because of technical issues with browsers today in which the referrer URLs were including them inadvertently." One privacy expert said that when it comes to data mining, "You can mash up huge data sets that were never meant to be mashed together, that are very specific."
Full Story

PRIVACY

IAPP Chair Speaks To Executive Women’s Forum (October 22, 2010)

IAPP Board Chairman Nuala O'Connor Kelly, CIPP, CIPP/G, chief privacy leader and senior counsel with General Electric, gave the keynote address at the Eighth Annual Executive Women's Forum, Network World reports. O'Connor Kelly spoke about moving from supporting roles in information security and risk management to leadership positions in a field that continues to be male-dominated, the report states. To change that, she told the audience, women need to reconsider how they approach their jobs, perhaps finding new ways to gain recognition and become leaders.
Full Story

DATA LOSS—U.S.

Missing Flash Drive Contains Info on 280,000 (October 21, 2010)

Two health plans have notified the Pennsylvania Department of Public Welfare about the loss of a flash drive containing information on 280,000 Medicaid recipients, The Philadelphia Inquirer reports. "We deeply regret this unfortunate incident," said the president of Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan. The drive, which disappeared from corporate offices in Southwest Philadelphia, contained the names, addresses and personal health information of subscribers, along with some subscribers' Social Security numbers. In a statement released yesterday, the companies said they have "actively and responsibly executed a multifaceted plan to inform those affected" and are taking steps "to ensure this does not happen again."
Full Story

ONLINE PRIVACY—SPAIN

Fine and Criminal Sanctions for Web Giant (October 21, 2010)

DLA Piper's E-Commerce and Privacy Alert reports on the announcement by Spain's Agencia Española de Protección de Datos (AEPD) that it has initiated a criminal sanction procedure and plans to impose a fine of over €2.4 million against Google, based on the outcome of its investigation into the collection of WiFi data by Google's Street View service that included user surnames, usernames and passwords. The AEPD alleges the company has committed five infringements of the Spanish Data Protection Act, the report states, and will send a special report of its conclusions to a criminal court in Madrid. Google has stated that the personal information was collected unintentionally.
Full Story

SOCIAL NETWORKING—U.S.

Facebook Breach Gets Gov’t Attention (October 21, 2010)

Reps. Edward Markey (D-MA) and Joe Barton (R-TX) have written to Facebook CEO Mark Zuckerberg following an investigation into third-party apps sharing user IDs with advertisers, MSNBC reports. "Given the number of current users, the rate at which that number grows worldwide and the age range of Facebook users, combined with the amount and the nature of information these users place in Facebook's trust, this series of breaches of consumer privacy is a cause for concern," they wrote. They have asked how many users were affected by the leak, when Facebook became aware of it and what it plans to do about it. Facebook has issued a statement that it will work with the legislators to answer their questions.
Full Story

ONLINE PRIVACY

WiFi Scanning Discontinued (October 21, 2010)

Google has no plans to resume the collection of WiFi data through its Street View vehicles, CNET News reports. According to the report issued by the Office of the Privacy Commissioner of Canada (OPC) this week, the "collection is discontinued and Google has no plans to resume it." Instead, wrote Privacy Commissioner Jennifer Stoddart, "Google intends to obtain the information needed to populate its location-based services database" from "users' handsets." Both the OPC and Spain's Agencia Española de Protección de Datos recently concluded their investigations into the company's activity in this area, finding that it contravened laws in both countries.
Full Story

GEO PRIVACY—GERMANY

Government Calls for Self-Regulatory Code (October 21, 2010)

Following its September meeting on the "Digitization of Cities and States--Opportunities and Limits of Private and Public Geo Data Services," the German government is recommending that industry propose a self-regulatory code for geo data services. Once the code is developed, it would then be agreed upon with the Federal Commissioner for Data Protection and Freedom of Information as well as state data protection authorities, the Hunton and Williams Privacy & Information Security Law Blog reports. The code would be expected to include privacy standards and rules applicable to the collection and use of geo data, the report states. A draft law to regulate the use of geo data services will be issued by December 7.
Full Story

ONLINE PRIVACY—U.S.

Opinion: “Do Not Track” Idea Is Off Track (October 21, 2010)

An op-ed featured in TechNewsWorld questions whether a "Do Not Track" list for the Internet would have unintended consequences. Referencing recent studies into the collection and use of personal information online, and comments by the FTC's chairman about the possibility of developing an Internet registry modeled on the Do Not Call list, Marc Roth writes, "the feasibility of such an initiative, while well-intentioned, may result in greater costs to businesses and a reduction of access to free online content for consumers. In addition, there are many logistical issues surrounding the idea of a registry that may make it difficult, if not impossible, to implement at this time."
Full Story

PRIVACY LAW—EU

EU Document Hints at Legislative Changes in Directive Review (October 20, 2010)

A European Commission (EC) document obtained by Bloomberg hints at what regulators may propose in the upcoming review of the EU Data Protection Directive. "It appears that the commission intends to propose changes in the law and non-legislative steps to bring about the changes that are being discussed," writes Hogan Lovells partner Christopher Wolf in a blog post. The EC document suggests that expanded criminal penalties for data protection violations may be on the way, stating that it is "essential to have effective provisions on remedies and sanctions," including "criminal sanctions in case of serious data protection violations." The document also suggests that citizens gain the right to have certain details deleted from the Web, the Bloomberg report states. Regulators are set to discuss the document in early December and a draft of the amended legislation is expected in mid-2011.
Full Story

BEHAVIORAL TARGETING—U.S.

FTC Commissioner: Report Won’t Recommend Laws (October 20, 2010)

At an event in Washington, DC, yesterday, Federal Trade Commission (FTC) member Julie Brill confirmed that the FTC's soon-to-be-released report about behavioral advertising will not recommend the enactment of new laws, MediaPost News reports. Instead, Brill said, "We're talking about a new self-regulatory framework." Companies should improve the ways they provide notice to consumers, Brill said, adding that so-called Schumer boxes and nutritional labels are methods of notice that the commission would support. Brill also indicated that she would support the development of a do-not-track mechanism, the report states.
Full Story

PRIVACY

Looking to the Future: Essential Skills for CPOs (October 20, 2010)

In a feature for GovInfoSecurity, Upasana Gupta quotes a scenario written by IAPP Board Chairman Nuala O'Connor Kelly, CIPP, CIPP/G, of GE and Michelle Dennedy of Oracle on the future of privacy in a fully networked world where between waking and 9 a.m. each morning, "you've already generated a terabyte of data in your personal account in the cloud." With ever-changing technology, Gupta writes, the top four skills privacy leaders will need in the decade ahead are the understanding of IT security and risk, encryption technologies, international privacy laws and the implications of cloud computing. The privacy profession, she writes, "is moving from regulatory compliance and breach notifications to being identified by development in various applications."
Full Story

TRAVELERS’ PRIVACY—EU & U.S.

EDPS: Justification, Safeguards Needed for PNR Use (October 20, 2010)

European Data Protection Supervisor Peter Hustinx is speaking out against the use of passenger name records (PNR) to profile the potential risk of international travelers to their destination country, ComputerWeekly reports. In an opinion issued Tuesday, Hustinx said, "The proactive use of PNR data of all passengers for risk assessment purposes requires more explicit justification and safeguards," calling for strict conditions on the processing, transfer and retention of sensitive data. He is also recommending that conditions for collection and use of PNR data "be considerably restricted" and EU-U.S. talks focus on "a consistent and harmonized approach on data protection."
Full Story

CHILDREN’S PRIVACY

Parents Monitor Children’s Social Network Use (October 20, 2010)

A recent TRUSTe survey found that nearly 72 percent of parents monitor their children's social networking accounts and even more know how much time their teens spend online and the types of photos they share, NetworkWorld reports. "The data clearly shows that parents place the utmost importance on their teens' online privacy and control of their personal information," said Fran Maier of TRUSTe. Meanwhile, 80 percent of teens responding to "The Kids Are Alright," as the study is called, said they use their privacy settings to hide content from parents or friends, the report states.
Full Story

SOCIAL NETWORKING—FRANCE

CNIL Voices Concerns Over “Places” Feature (October 20, 2010)

French data protection agency CNIL wants Facebook and consumers to carefully consider the privacy implications of the "Places" location feature. Telecompaper reports that CNIL has asked Facebook to improve the confidentiality and personal data settings of the service, which uses GPS on smartphones to allow users to place themselves at a certain location and allows them to tag others as being at a location. CNIL also voiced concerns about the use of data collected and the notice given to users who have been tagged through Places. CNIL said users need to be mindful of their settings and how they use it. (Registration may be required to access this story.)
Full Story

SOCIAL NETWORKING—U.S.

Lawsuits Filed Against Facebook, Zynga (October 20, 2010)

Federal lawsuits have been filed in California and Rhode Island in light of reports that the world's largest social network and the company behind some of its most popular games violated federal law by sharing users' information with advertisers and tracking companies. The Wall Street Journal reports that the suits against Facebook and Zynga were filed following an investigation into apps sharing Facebook IDs with outside firms. The California suit targets Zynga, the report states, while the Rhode Island case focuses on Facebook. Both companies have issued statements that the complaints are without merit and that they will fight the lawsuits. (Registration may be required to access this story.)
Full Story

DATA PROTECTION—U.S.

VA Tracking Computer Security (October 20, 2010)

As part of its ongoing initiative to ensure the security of its data, the Department of Veterans Affairs (VA) has implemented the Visibility to Desktop Initiation, reports the Federal Times. The program gives the department the "ability to, at any given time, look at the status of all 333,000 machines in the network from a central location. This includes the hardware, software, patch level, level of security compliance and membership of the administrative group," said Jerry Davis of the VA Office of Information and Technology. In addition, the VA has installed automatic encryption software on tens of thousands of computers, among other improvements.
Full Story

SOCIAL NETWORKING

As Officials Raise Concerns, Facebook Promises To Fix Glitch (October 19, 2010)

A report that some of Facebook's most popular applications have been transmitting user information to Web tracking companies has privacy advocates and legislators sounding an alarm. While Facebook issued a statement that there is "no evidence that any personal information was misused or even collected," The New York Times reports that the company plans to introduce "new technical systems that will dramatically limit the sharing of user IDs." Meanwhile, Canadian Privacy Commissioner Jennifer Stoddart is considering launching a new investigation into Facebook's privacy policies, and U.S. House Bipartisan Privacy Caucus Chairmen Edward Markey and Joe Barton have sent a letter to the company seeking more information on the way "third-party applications gathered and transmitted personally identifiable information about Facebook users and those users' friends." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—SPAIN & CANADA

DPAs Find Privacy Law Infractions (October 19, 2010)

The privacy authorities of Canada and Spain have concluded investigations into Google's collection of personal information from unencrypted WiFi networks via its Street View vehicles. Spain's Agencia Española de Protección de Datos (AEPD) is bringing sanctions against the company for five infractions of Spanish law, the Latin American Herald Tribune reports, including the gathering and storing of personal data without the consent of individuals involved. In addition, the AEPD is charging Google Spain with transferring data to the United States "without the guarantees required by Spain's Information Protection Law," the report states. Canada's Office of the Privacy Commissioner has concluded that the company's activities contravened that country's Personal Information Protection and Electronic Documents Act and has given Google until February 1, 2011, to implement recommendations for rectification.
Full Story

HEALTHCARE PRIVACY—U.S.

Gov’t Agencies Discussing HIPAA Requirements (October 19, 2010)

A Department of Health and Human Services (HHS) advisory panel is recommending that healthcare providers supply patients with easy-to-understand notices of how their information will be used and protected when it is exchanged, while the Substance Abuse and Mental Health Services Administration continues to study whether HIPAA privacy protections for mental health information should include test data. Government Health IT reports that HHS is recommending physicians discuss face-to-face information sharing practices with their patients and include a description of how their information will be used in their HIPAA-required privacy practices notice that is "written so that 90 percent of patients can understand it."
Full Story

PRIVACY LAW—U.S.

NJ: Copy Machine Law Moves Forward (October 19, 2010)

A New Jersey Assembly panel released legislation on Monday requiring data held on digital copy machines be destroyed before the machines are re-sold or thrown out, reports TMCnet. The bill, sponsored by Linda Greenstein (D-Mercer/Middlesex), aims to protect people from identity theft. "Consider all of the highly sensitive information stored on copiers used by both the public and private sector," said Greenstein. "In today's global economy, a copier used in a doctor's office in Trenton could be re-sold to someone in South America, sending thousands of sensitive documents into the realm of the unknown..." Earlier this year, the FTC announced that it was working with manufacturers to make consumers more aware of these privacy risks.
Full Story

ONLINE PRIVACY

CEA: Personal Data Should Be Paid For (October 19, 2010)

BBC News reports on the U.S. Consumer Electronics Association (CEA) statement that companies seeking to make use of the personal information people share online should pay for it. "The mining of personal data is here to stay," said Sean Murphy of the CEA, noting, "Privacy is only going to continue to get increased attention in the years and months to come." With privacy topping the CEA's list of technology trends to watch for in the year ahead, advocates suggest the key is for consumers to be "fully informed, have control of their data and choose to opt in to some sort of scheme that offers payments" for sharing their personal information. Editor's note: For more on the view of personal data as a commodity, read "Valuing, protecting and commoditizing your personal information: Is 'data banking' the answer?" from the June issue of Inside 1to1: Privacy.
Full Story

DATA LOSS—U.S.

Breaches Result in Prison Time, Demotions (October 19, 2010)

Recent healthcare privacy breach cases have resulted in significant sanctions. As the result of an incident involving the University of Texas Medical Branch, a 34-year-old Texas woman has been sentenced to 15 years in federal prison and ordered to pay $163,185.19 restitution for unlawful possession of fraudulent identification documents and conspiracy to commit identity theft. In a separate case, The Herald-Sun reports on a University of North Carolina cancer researcher's fight against the demotion and $85,000 pay cut she received following a 2007 security breach in the study she directed. The researcher's attorney is arguing the university knew the program's computer system had security deficiencies and did not notify his client.
Full Story

EMPLOYEE PRIVACY—U.S.

Tax Company Employee Info Found in Dumpster (October 19, 2010)

News4Jax.com reports that the owner of a recently closed tax company franchise admitted to disposing of former employees' records in a dumpster behind the tax service building in Jacksonville, FL. The boxes of records included employees' W-2 forms, copies of their driver's licenses, Social Security cards and other personal information, the report states. The franchise owner said he dumped the records but thought that the personal information had been shredded. The records have now been shredded. In a statement, the company said they take privacy very seriously and are "satisfied that the old documents have been secured and that our customers are not at risk."
Full Story

SOCIAL NETWORKING

Site Faces Privacy Breach Allegations, Lawsuit (October 18, 2010)

The most popular Facebook applications have been providing advertisers and tracking companies with users' identifiable information, The Wall Street Journal reports. "The issue affects tens of millions of Facebook app users, including people who set their profiles to Facebook's strictest privacy settings," the report states. Meanwhile, German ministers are criticizing the social network for a glitch that potentially allowed access to users' "Friends" lists, and a lawsuit filed in U.S. District Court in California alleges Facebook violated state and federal law by sending user data to advertisers when users clicked on their ads. The company has discontinued the practice, the report states. "Privacy, I would say, is the number one most important thing for our company, and we're always listening to feedback," said Facebook's Randi Zuckerberg. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—URUGUAY & EU

Working Party Deems Uruguay “Adequate” (October 18, 2010)

After a two-year review process, Europe's Article 29 Working Party has deemed Uruguay's data protection regime to be "adequate" by the standards of the European Data Protection Directive. In an opinion published last week, the group of European data protection authorities said that "Uruguay provides an adequate level of protection with regard to transfers of personal data from the EU/EEA, pursuant to Article 25(6) of Directive 95/46/EC on the protection of personal data." In making the determination, the group compared Uruguay's Law No. 18,331 on the Protection of Personal Data and "Habeas Data" to the main provisions of the directive. The Article 31 committee and the European Commission will consider the opinion before issuing a final decision on Uruguay's adequacy status.
Full Story

DATA PROTECTION

Mexico To Lead Data Protection Consortium (October 18, 2010)

The Ibero-American Data Protection Network unanimously chose Mexico to lead the consortium, which includes the governments of Spain, Portugal, Andorra and 19 Latin American countries and focuses on exchanging knowledge of data protection issues through dialogue and collaboration, reports the Hunton & Williams Privacy & Information Security Law Blog. The election comes on the heels of Mexico's recent enactment of its Federal Data Protection Law. According to the report, Jacqueline Peschard, head of Mexico's Federal Institute for Access to Information and Data Protection, will represent Mexico during its two-year term.
Full Story

FINANCIAL PRIVACY—HONG KONG

After Octopus, Commissioner Wants Stronger Law (October 18, 2010)

Hong Kong Privacy Commissioner for Personal Data Allan Chiang has found that the city's leading e-payment operator, Octopus Holdings, violated data protection principles when it sold about two million customers' personal data to business partners, People's Daily reports. Chiang is now seeking stricter laws and more power to protect privacy, the report states. In light of recent cases, the Hong Kong Legislative Council has announced it will meet this Wednesday to debate a motion on improving personal data privacy protection. The measures being considered include a move to make the unlawful transfer of personal data a criminal offense.
Full Story

ONLINE PRIVACY—GERMANY

Thousands Opt Out of Street View (October 18, 2010)

The New York Times reports on Google's announcement on its plans for Street View in Germany despite the fact that thousands of residents have asked the company to delete their properties from the service. "The number of requests will not have an effect on our plans to launch Street View this year," said Kay Oberbeck, a Google spokesman in Hamburg. The option to request properties to be removed from Street View was offered to address privacy concerns, the report states. "We realize that privacy is a very sensitive issue in Germany and are doing what needs to be done to address everyone's concerns," Oberbeck said. (Registration may be required to access this story.)
Full Story

DATA LOSS—U.S.

University Breach Exposes 107,000 (October 18, 2010)

Computerworld reports that intruders accessed a University of Northern Florida server last month, exposing the data of 107,000 current and prospective students, adding to the list of four dozen similar breaches at universities this year. The breach was discovered during a routine system review. Investigators say that the intruders may have been based outside the U.S., and they are unsure whether they actually stole any information. Of those affected, about 53,000 had their names and Social Security numbers exposed, while the rest had their names and dates of birth exposed. The university has notified all those affected, decommissioned the compromised server and increased security to better protect data.
Full Story

PERSONAL PRIVACY—U.S.

Smart Grid Concerns Persist, CDT Proposes Policies (October 18, 2010)

From coast to coast, consumers and advocates are expressing concern about the health and privacy implications of smart meters, reports the San Francisco Chronicle. In Maine, where the state's largest utility is beginning a smart meter rollout, residents and advocates have voiced concern, and in California, some municipalities have moved to delay the installation of smart meters due to uncertainties. In comments to the California Public Utilities Commission last week, the Center for Democracy and Technology (CDT) proposed a set of privacy policies for the smart grid, a CDT press release states. The Department of Energy last week issued a report on the smart grid's privacy concerns.
Full Story

ONLINE PRIVACY—U.S.

DOE Reports on Smart Grid Privacy (October 15, 2010)

The Department of Energy (DOE) has published a report on the rollout of smart grid technologies and their impact on privacy, Computerworld reports. The smart grid will collect and measure energy consumption data from residences, disclosing "fairly detailed information about the behavior and activities of a particular household," the DOE report states. The DOE says lawmakers need to recognize and address the concerns. In particular, the DOE says that consumers should have control over whether third-parties may access or receive their energy data and calls for the creation of policies to ensure that utilities refrain from sharing customers' energy usage data with third-parties without their authorization. Editor's note: For more on the smart grid and privacy, read "Smart grids are the future of power, but what does that mean for the future of privacy?" from the July issue of the Privacy Advisor. (Member login required.)
Full Story

ONLINE PRIVACY—FRANCE

Social Networks, Others Sign Data Protection Charter (October 15, 2010)

French social networks, blogs, search engines and consumer protection associations are among those who have signed a charter on the right to personal data destruction, Telecompaper reports. The charter is part of an initiative launched a year ago by French Secretary of State Nathalie Kosciusko-Morizet, the report states, and companies including Microsoft France have signed on, stating their commitment to put into practice principles of consent and not to hold data that is subject to requests for withdrawal or is found in "personal spaces." A "virtual complaints office" is being established, the report states, along with measures to facilitate account closings.
Full Story

RFID—U.S.

Schools Use Badges To Track Students (October 15, 2010)

Two Texas school districts are now using RFID-enabled identification badges to allow administrators to keep tabs on students' whereabouts on campus, The Houston Chronicle reports. School leaders are pointing to the devices as a way to improve security and attendance rates, the report states, but parents and privacy advocates are warning of the potential for unintended consequences. Dotty Griffith of the ACLU of Texas suggested there are "real questions about the security risks involved with these gadgets," adding, "To the best of my knowledge, these things are not foolproof. We constantly see cases where people are skimming, hacking and stealing identities from sophisticated systems."
Full Story

DATA LOSS—U.S.

VA Posts Latest Breaches, Improvements (October 15, 2010)

The Department of Veterans Affairs (VA) is offering about 4,000 vets free credit monitoring services because in August their Social Security numbers were mailed to the wrong person, says a Gov Info Security report. The VA blames the breach on a mail merge error. The incident has been posted to the VA's Web site in accordance with its new policy aimed at increasing transparency. The VA also announced that, due to increased technology funding, it is now able to identify all computers and other devices on its network and determine whether they are encrypted, says the report.
Full Story

DATA PROTECTION

Securing Your Laptop Before It Gets Stolen (October 15, 2010)

Protecting sensitive data on your laptop before it gets stolen is easier than securing it after the fact. The New York Times reports on the software programs that can help protect such data in the event of laptop theft. The best method is to "simply not keep any sensitive information on your laptop in the first place," the report states. But since that is not always possible, experts point to encryption, tracking and data removal software options as ways to ensure the integrity of your data in the event it lands in the hands of someone else.
Full Story

ONLINE PRIVACY—GERMANY

Street View Deadline Today (October 15, 2010)

Google's extended period for German residents to opt out of having their properties featured in Street View when it is launched this year ends today, Deutsche Welle reports. In the wake of concerns from German privacy advocates, the company allowed residents to request their residences to be made unrecognizable before the service's launch. Approximately 200,000 people have taken Google up on the offer and have had their homes or apartment buildings blurred, the report states. "We take privacy very seriously," a Google Germany spokesperson said, noting the company respects that individuals "may not want certain types of images featured on the service."
Full Story

HEALTHCARE PRIVACY—SPAIN

Hospitals Lack Data Breach Protection (October 14, 2010)

The Reader reports that one in three Spanish hospitals are in breach of data protection requirements, with no measures in place to prevent data loss or unauthorized access. The report also states that another 40 percent of state hospitals and 15 percent of private ones do not record access to clinical files, and 45 percent do not include legal explanations on their forms explaining how and why patient data is stored. "Only a third of state hospitals carry out any kind of security audit on their files," the report states. Those found in breach have been issued warnings and could face substantial fines.
Full Story

PRIVACY LAW

Data Protection Laws Expanding Worldwide (October 14, 2010)

Dark Reading reports on the expansion of data protection laws across the globe as detailed in the report "A New Era of Compliance: Raising the Bar for Organizations Worldwide" from the RSA and the Security for Business Innovation Council (SBIC). The report analyzes how new legislation and strengthened regulations are forcing businesses to change their approaches to compliance. In the report, which includes recommendations from SBIC for enterprise security teams, Art Coviello of the RSA notes, "Regulators are making it clear that you're on the hook for ensuring the protection of your data at all times, even when it's being processed by a service provider."
Full Story

PRIVACY LAW—U.S.

ACLU, Amazon Fight NC Over Citizens’ Info (October 14, 2010)

The ACLU and Amazon.com took on North Carolina yesterday in a Seattle, WA, federal court to stop the state from collecting personal information about Amazon's customers, reports The Seattle Times. North Carolina is looking to collect sales taxes for online purchases and sued Amazon last April for what it claims to be $50 million in uncollected sales taxes. Amazon, in turn, sued NC with the support of the American Civil Liberties Union (ACLU). The ACLU and Amazon say turning over names and addresses would violate citizens' rights to free speech. The judge is expected to make a decision within two weeks, says the report.
Full Story

SOCIAL NETWORKING

Common Sense and Trust Key To Preserving Patient Privacy (October 14, 2010)

The key to protecting patient data in an age of social media is hiring good employees. Good employees know better than to breach patient confidence, says a HealthLeaders Media report. "The problem is," says Arthur Derse, director of the Center for Bioethics and Medical Humanities at the Medical College of Wisconsin, "students and employees and younger folks coming into work think of Facebook and Twitter as something you do." He says patient information is like radioactive material. "It must be contained." Pamela Paulk of Johns Hopkins Hospital says it's a matter of trust. "We really do believe that our employees are going to do the right thing," Paulk said.
Full Story

DATA PROTECTION—FRANCE

CNIL Issues Data Security Guidance (October 14, 2010)

The French Data Protection Authority (CNIL) has released a comprehensive handbook on securing personal data, reports the Hunton & Williams Privacy & Information Security Law Blog. The guidance follows the CNIL's "10 tips for the security of your information system," the report states. It reminds data controllers of their legal obligation to secure data and the penalties for failing to do so. The 17-chapter document addresses such topics as authentication, education, privacy by design and anonymization.
Full Story

ONLINE PRIVACY

HTML 5 Concerns Persist (October 14, 2010)

HTML 5 is already being used to create new ways of experiencing online content and is raising privacy concerns as it is expected to provide improved opportunities for tracking consumers' online activities. The New York Times "Tech Talk" podcast features a discussion of the implications of the new technology, including the ability to collect personal data. The report notes that such information as browsing histories, blog text, photos and messages can be collected and stored, and deleting HTML 5 storage "can be tricky." (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY—U.S.

Candidate’s Photos Raise Privacy Issues (October 13, 2010)

When embarrassing photos of a Virginia congressional candidate were posted online by an opposing party's blogger, she turned the focus to "double standards and the inevitable perils of the digital age," NPR reports. Krystal Ball contends that the six-year-old Christmas party photos of "fully clothed adults of legal age...acting silly and doing stupid things in front of a camera" are an example of what others of her generation--who have lived much of their lives online--can expect to face if they seek public office. "I realized it was important for me to stand up to these tactics, to call them out."
Full Story

HEALTHCARE PRIVACY—U.S.

Doctor’s Files Found in Dumpster (October 13, 2010)

A KMTV Action 3 News viewer found medical files in an Omaha, NE dumpster and delivered them to the station. Upon investigation, the news station discovered hundreds more files containing patients' Social Security numbers, addresses and personal health issues in the dumpster. The files date back to 2002 and were linked to one doctor who, when approached by KMTV Action 3 News, refused to comment. The station is holding the files and working with the federal Civil Rights Office as well as Nebraska's Attorney General to find out what should be done with them.
Full Story

ONLINE PRIVACY—U.S.

Opinion: Poll Results Highlight Concerns, Need for Education (October 13, 2010)

The results of recent Zogby research indicate that 92 percent of parents polled are concerned that their kids share too much information online. The nonprofit Common Sense Media commissioned the survey and has launched a campaign designed to raise awareness about children's online privacy. But, writes Larry Magid in the San Jose Mercury News, the poll does not necessarily reflect parents' knowledge about the tools to protect their children's privacy. "It's important that we look at how children use social media to better understand how--and if--their privacy is being violated." Magid says that more education and transparency are needed.
Full Story

ONLINE PRIVACY—GERMANY

Controversial Service Opened Dialogue about Privacy (October 13, 2010)

In a Deutsche Welle Q&A, the editor of the blog Netzpolitik, Markus Beckedahl, discusses the recent hype about Google Street View's launch in Germany. Beckedahl says that while the debate over the controversial service brought the concept of privacy to the forefront, fears about the service itself were somewhat unfounded. But the controversy, which had some politicians claiming they'd put an end to it while others supported it, allowed for privacy to become more tangible a concept to generations young and old. "It's something where my parents have an opinion about it, and maybe your parents do too," Beckedahl said. "This is a new level in that debate."
Full Story

DATA PROTECTION—U.S.

Data Removal Options Detailed (October 13, 2010)

The Wall Street Journal reports on the array of people-search sites and data brokers that compile public records and social networking profiles. The sites harvest personal data using information that is publicly available, such as property records and telephone listings, as well as data on Web sites where users have posted information about themselves. A number of these data aggregators offer users options to remove information stored about them. The Wall Street Journal has compiled a list of most-visited people-search sites and information on how to seek data removal. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—CANADA

Gov’t Data Sharing “A General Concern” (October 13, 2010)

The findings of the federal privacy commissioner's investigation into Veterans Affairs Canada's data handling have prompted concerns that other federal departments may be disseminating personal information about government critics, The Hill Times reports. Commissioner Jennifer Stoddart last week released investigation results indicating that Veterans Affairs contravened the Privacy Act in sharing a veteran's sensitive records with certain government officials. Stoddart told The Hill Times that the potential that other departments may be engaging in similar activities is "a general concern" but added, "At the present time, I have no indication that this is happening in other departments."
Full Story

DATA LOSS—U.S.

Guard Members’ Details Exposed (October 12, 2010)

Officials are looking into the exposure of data on nearly 3,000 active members of the Mississippi National Guard, Army Times reports. A National Guard spokesman told the Associated Press that information management personnel are "working feverishly" to determine how the breach occurred. Guard members' Social Security numbers, pay grades and telephone numbers, among other details, were posted to the Web and remained there for several weeks. Guard spokesman Tim Powell said, "We take this very seriously and are incorporating numerous layers of Internet security on our Web site."
Full Story

PRIVACY LAW—UK

ICO Yet To Fine for a Data Breach (October 12, 2010)

It's been six months since the Information Commissioner's Office (ICO) has had the power to issue fines of up to £500,000, but it has yet to collect such a fine, SC Magazine reports. One company's CEO said he believes that the ICO raised awareness about data losses by introducing the new fine but that people are starting to wonder if they'll ever make use of it and, as a result, aren't taking data loss as a serious threat. "Personal customer data should be of utmost importance to any company, so if it's not the fear of losing their reputation that makes them invest in encryption, it has to be the threat of a significant fine."
Full Story

PRIVACY LAW—U.S.

No Big PHR Breaches Reported to FTC Yet (October 12, 2010)

No major breaches affecting 500 or more individuals have been reported since the Federal Trade Commission's (FTC) breach notification rule for personal health records took effect, reports Gov Info Security. The rule, required under the HITECH Act, took effect last September. It requires that entities experiencing a personal health records breach notify the FTC within 10 business days and that smaller breaches are reported annually. The FTC has posted a list of smaller incidents to its Web site.
Full Story

SOCIAL NETWORKING

Advocates Pleased with Facebook Changes (October 12, 2010)

Privacy advocates are voicing approval of Facebook's new privacy features, which will allow users greater control over their personal data, OUT-LAW.com reports. The changes include a "dashboard," which will display to users which applications are active and the data they collect. The Electronic Frontier Foundation welcomed the change, the report states. "We think that this is an important step forward in terms of providing more transparency to users about where their Facebook data is going and who is using it." Additional features will allow users to export all of their uploaded data from the site and create private groups for communications.
Full Story

STUDENT PRIVACY—U.S.

School District To Pay $610,000 (October 12, 2010)

The Lower Merion School District in Pennsylvania has agreed to pay $610,000 to settle two lawsuits filed over its use of a laptop tracking system, The Washington Post reports. The district issues laptops to all of its 2,300 high school students. Earlier this year, school officials admitted that Web cams on some of the computers had been left activated. An investigation revealed that the cameras captured about 56,000 images over a two-year period. A student who was photographed 400 times in a two-week period will receive $175,000 under the settlement. Another student will receive $10,000. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—CANADA

Veterans Affairs Minister Responds to Findings (October 12, 2010)

The Minister of Veterans Affairs Canada has responded to the federal privacy commissioner's conclusions following an investigation into the department's handling of a veteran's personal information. In a report released last week, Privacy Commissioner Jennifer Stoddart described her office's findings as "alarming," stating that the department contravened the Privacy Act in sharing veteran Sean Bruyea's sensitive records, according to a Toronto Star report. The Honourable Jean-Pierre Blackburn said in a statement that he is taking the report "very seriously" and that a senior government expert will assist his department in implementing Stoddart's recommendations. Meanwhile, Bruyea is suing the federal government for $200,000.
Full Story

BEHAVIORAL TARGETING—U.S.

Congressmen React to Companies’ Responses (October 12, 2010)

Two members of the Congressional Privacy Caucus have reiterated concerns that companies might not be adequately informing consumers about their information practices, MediaPost News reports. Rep. Ed Markey (D-MA) said in a statement on Friday that "Consumers may be unaware that the sites they visit...may be tracking their activities around the Internet." Rep. Joe Barton (R-TX) said he worries that "not only are many Americans unaware of these practices, but those who seek out information in privacy policies often come up against complicated legalese." The congressmen also released companies' responses to their questions about behavioral targeting and use of Flash cookies.
Full Story

ONLINE PRIVACY

HTML 5 Coming, Worries Surface (October 12, 2010)

The New York Times reports on HTML 5, the new Web language that will be rolled out over the next few years. It is expected to bring Web users many benefits. It is also expected to enhance opportunities for marketers, advertisers and others to track Web users' activities. The new language would allow for the collection of large amounts of data and storage of that data on the computer user's hard drive. Experts say that could give companies a look at weeks' or months' worth of personal information including location data, photographs, shopping cart contents and more. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

TRUSTe CEO Explains Service and Growth Plan (October 8, 2010)

In an interview with ZDNet, Chris Babel, CEO of online privacy trustmark company TRUSTe, discusses the challenges the company faces and the benefits of the TRUSTe seal for online businesses. Babel says safeguarding consumer privacy is very complex because one page can have as many as 30 different ad networks collecting users' information. The company verifies that all networks collecting data from sites with its seal keep it secure. Recently, TRUSTe announced that it will expand its certification to mobile applications and the company has been working with the advertising industry on best practices in efforts to stave off government regulation.
Full Story

CHILDREN’S PRIVACY

Study: Lots of Little Ones Have Online Presence (October 8, 2010)

The security firm AVG has released study results that show 82 percent of kids under the age of two in 10 nations have an online presence, CNN reports. Newborns and toddlers in the U.S., New Zealand, Canada and Australia are the most likely to appear online in photographs, the report states. The study found that often it is friends or other family members--not the child's parents--who post the photos. "Obviously there's a privacy issue," said an AVG spokeswoman, "if they're applying for credit (later on) and having that information readily available for people who want to compromise their identities."
Full Story

DATA PROTECTION

PCI Supports Encryption (October 8, 2010)

The Payment Card Industry (PCI) Security Standards Council has released new guidance on card security standards, including the use of point-to-point encryption, InformationWeek reports. Troy Leach of the PCI Security Standards Council said the goal is to help organizations "understand how they can better secure their payment card data and how specific technologies may assist them in meeting the requirements of the PCI Data Security Standard." The guidance also discusses EMV card security, which requires consumers to enter a personal identification number when paying with a credit or debit card in person. Jeremy King, European regional director for PCI, said "the devil is in the details" when it comes to introducing PCI changes.
Full Story

ONLINE PRIVACY—U.S.

Poll: Younger Internet Users Want Privacy (October 8, 2010)

Fast Company reports on a new Zogby poll that suggests teens are looking for more control over their personal information. The poll found that 88 percent of teens understood that search engines tracked their browsing habits, and 79 percent knew they were being tracked by social networks. The report, which is scheduled to be released today, found that 92 percent of teens believe they should be able to request the deletion of all their personal information held by a search engine, social network or marketing company. FCC Chairman Julius Genachowski and FTC Chair Jon Leibowitz, who will be present for the report's release, will also outline a children's online safety outreach kit.
Full Story

PRIVACY LAW—CANADA

FISA To Regulate Commercial Messages, Carry Steep Penalties (October 8, 2010)

On yesterday's Privacy Tracker call, experts discussed Canada's Fighting Internet and Wireless Spam Act (FISA), which has been reintroduced to the legislature and is expected to pass either by the end of this year or by summer 2011. The bill, also known as C-28, aims to deter spammers by requiring expressed opt-in consent before any commercial electronic message could be sent from or received on a computer located within Canada. It also includes provisions on malware, the alteration of transmission data through "phishing," and would grant the Canadian Radio-television and Telecommunications Commission new enforcement powers. But the scope of the law and its steep penalties, $1 million per violation for an individual and $10 million per violation for an organization, have some concerned. Privacy Tracker subscribers: Learn more about the bill in this post-call analysis on the Privacy Tracker Web site. Archived audio is also available. (Full story available to Privacy Tracker subscribers only.)
Full Story

PRIVACY LAW—UK

ICO Seeks Comment on Data Sharing Code (October 8, 2010)

Computerworld UK reports on plans by the Information Commissioner's Office (ICO) for a first-ever code of practice on data sharing, which is available for review and comment through January 5. The draft code covers "best practice for public, private and third-sector organizations," the report states. Information Commissioner Christopher Graham said the goal is to facilitate data sharing that maintains individuals' privacy rights. "We want citizens and consumers to be able to benefit from the responsible sharing of information, confident that their personal data is being handled responsibly and securely," he said, urging all organizations that handle personal data to review and comment on the proposed code.
Full Story

ONLINE PRIVACY—U.S.

Former FTC Employee Files Search Engine Complaint (October 8, 2010)

A former employee has filed a complaint with the FTC alleging an Internet company did not adequately protect the privacy of its users' search queries, The Wall Street Journal reports. The complaint, which was filed in September, asks the FTC to investigate allegations that Google shared its users' search queries with third parties and to "compel Google to take proactive steps to protect the privacy of individual users' search terms." In a statement, Google responded that it "is a standard practice across all search engines" to share search data with third parties, but "Google does not pass any personal information about the source of the query to the destination Web site." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—CANADA

Stoddart: Veterans Affairs Mishandled Personal Information (October 8, 2010)

Privacy Commissioner Jennifer Stoddart has concluded an investigation into Veterans Affairs Canada's handling of vets' personal information and has described the findings as "alarming." The investigation followed a complaint by veteran Sean Bruyea, who discovered that his sensitive records had been shared among government officials. Stoddart confirmed this, saying Bruyea's "sensitive medical and personal information was shared--seemingly with no controls--among departmental officials who had no legitimate need to see it." Stoddart said the department's actions contravened the Privacy Act, the Toronto Star reports. She recommended specific steps for the department to take immediately. The commissioner will also launch an audit of the department.
Full Story

SOCIAL NETWORKING

Facebook Unveils Privacy Changes (October 7, 2010)

Facebook has released new privacy options, it announced at a press conference yesterday, allowing users more control over their data and communications, NPR reports. Users will now be able to create "closed" groups in order to communicate with Facebook friends privately and can also use a "dashboard," allowing them to view what personal information has been collected by games and third-party applications on the site and letting them disable some of those features. An analyst at Forrester Research called the changes a smart move for Facebook, adding the announcement "helps move the ball forward in terms of greater control and greater transparency."
Full Story

PRIVACY LAW—U.S.

Companies Back Best Practices Act (October 7, 2010)

Three technology companies have signaled their support of the Best Practices Act in a letter to the bill's primary author, U.S. Rep. Bobby Rush (D-IL), reports The Wall Street Journal. Intel, Microsoft and eBay lauded the bill, saying it "strikes the appropriate balance." The companies urged policy makers "to enact a comprehensive framework to protect consumer privacy." The bill would require online companies to get users' permission before collecting sensitive information, among other mandates. In the letter, the companies also suggested changes to the bill, the report states. Specifically, they would like to see the removal of a provision that would allow individuals to sue for privacy breaches. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Suits Question Law Enforcement Access to Web Data (October 7, 2010)

Three lawsuits seeking class-action status are raising questions about how law enforcement agencies get information about Internet users without their knowledge, The National Law Journal reports. The suits, filed in Georgia Superior Court against three Internet companies, alleged the out-of-state companies violated federal wiretap and computer privacy laws by providing information in response to warrants or subpoenas issued by the state's judges or magistrates. "If these were federal warrants, there would be no cause of action," said one of the plaintiffs' attorneys, Joshua A. Millican, who contended that state warrants "have no force outside of the state of Georgia."
Full Story

PRIVACY LAW—U.S.

Supreme Court Case Could Have Broad Implications (October 7, 2010)

The U.S. Supreme Court's decision in a case involving NASA and background checks for low-risk employees could have significant implications for private-sector employees, Philip Gordon writes for Workplace Privacy Counsel. The court heard oral arguments in the case on Tuesday that "swirled largely around whether a constitutional right to information privacy exists and, if so, what are its contours," Gordon writes, noting that similar requests for information on employees "have become increasingly common in the private sector...The court's decision--albeit in the context of federal constitutional law--might provide guidance on how vendors should handle this difficult situation in a manner that reduces risk."
Full Story

PRIVACY LAW—UK & EU

ICO Calls for More Clarity, Custodial Sentences (October 7, 2010)

In its response to a call for evidence from the Ministry of Justice, the Information Commissioner's Office (ICO) said it needs increased powers of enforcement and that data protection principles need more clarity regarding what data is personal and when consent is needed to use that data. The ICO reiterated the need for jail sentences for the worst offenders and said not enough is being done to deter the misuse of data. Steven McCartney of the ICO told V3.co.UK that "more common sense and clarity need to be applied--if you understand the law, you can adhere to it more easily."
Full Story

HEALTHCARE PRIVACY—U.S.

Advocates: EHRs Are Not Very Private (October 7, 2010)

FORTUNE Magazine reports on widespread concerns about researchers' access to health records under the Health Insurance Portability and Accountability Act (HIPAA) as the move to all-digital health records continues. "Researchers have very broad access rights to healthcare records under HIPAA," noted Pam Dixon of the World Privacy Forum. Privacy advocates are concerned that in the push for digitized health records, not all information is being sufficiently protected. The Texas Department of State Health Services, for one, has been selling "de-identified" patient data to research groups, the report states, but experts are cautioning that there are many ways to cross-reference that information to determine patient identity.
Full Story

BEHAVIORAL TARGETING—EU

IAB Europe: Re-Spawning is Illegal (October 7, 2010)

The Interactive Advertising Bureau (IAB) Europe has condemned the practice of re-spawning because it circumvents a user's choice to allow cookies and erodes consumer trust, Silicon Republic reports. The practice involves the automatic reestablishment of a previously deleted cookie from a backup copy despite the user's preference to not accept cookies. IAB Europe considers the practice illegal under European data protection rules and has called on all businesses not to engage in such practices. "We work hard to protect lawful business practices across Europe and will not allow individual companies to jeopardize the trust and confidence that our membership has built with their European users," said a spokesman from IAB Europe.
Full Story

ONLINE PRIVACY

Self-Regulatory Program Overview Released (October 7, 2010)

Morrison & Foerster has released an overview of the self-regulatory program for online behavioral advertising announced earlier this week. The program features an "Advertising Option Icon" to alert users when data is collected for behavioral targeting. The Morrison & Foerster report, which is now available in the IAPP Knowledge Center, looks at the efforts by several leading media and marketing associations to address issues of consumer control. The report includes background on the origin of the program, its goals and frequently asked questions.
Full Story

PRIVACY—CANADA

Commissioner: Gaps Found in Gov’t Data Handling (October 6, 2010)

After conducting an audit of five governmental departments' data protection practices, Privacy Commissioner Jennifer Stoddart says not enough is being done to protect citizens' personal information, The Globe and Mail reports. In a report released Tuesday, the commissioner identified gaps in areas including government use of wireless devices, password protections, data destruction and encryption. "Our audits turned up some disturbing gaps in the privacy policies and practices of government institutions," Stoddart said, adding the government must be held to the highest standards. Stoddart last week received the 2010 IAPP Privacy Vanguard Award for her leadership, knowledge and creativity in privacy and data protection.
Full Story

PRIVACY LAW—UK & EU

ICO Responds to MoJ (October 6, 2010)

Document Management News reports on the information commissioner's response to the Ministry of Justice's (MoJ) call for evidence on the current data protection legislative framework. The response highlights key features the Information Commissioner's Office (ICO) would expect to see in any revised framework and, the report states, points out that although the current data protection principles are sound, the law needs to provide more clarity for individuals and for businesses. David Smith, deputy commissioner and director, said, "The ICO has welcomed the MoJ's call for evidence on the current framework. We have no doubt that this framework...can be improved so that the law is more effective in practice."
Full Story

PRIVACY LAW—GERMANY

DPAs: Google Analytics Illegal (October 6, 2010)

The Düsseldorfer Kreis, which is comprised of Germany's state data protection authorities (DPAs) responsible for the private sector, continues to consider the use of Google Analytics on company Web sites to be illegal, but it hopes to continue negotiations with the company, the Hunton & Williams Privacy and Information Security Law Blog reports. Berlin Commissioner for Data Protection and Freedom of Information Alexander Dix has said that although the company has undertaken efforts to improve Google Analytics, the DPAs do not consider the improvements to be sufficient. The DPAs have given Google eight weeks to improve the service, the report states.
Full Story

PRIVACY LAW

Weighing Employer, Employee Concerns (October 6, 2010)

The U.S. Supreme Court is weighing privacy questions involving NASA and whether federal employers have too much leeway when it comes to examining the private lives of employees, just as Germany is poised to review changes to its Federal Data Protection Act (BDSG). Eastman Kodak Chief Security and Privacy Officer Brian O'Connor, CIPP, shared insights into Germany's proposed law with the Daily Dashboard, pointing out that while many parts of the legislation balance employee and employer interests, some issues may need to be addressed on a case-by-case basis. In terms of the U.S. case, Dan Stormer, who is representing 28 scientists and engineers who were contractors for NASA, suggested that with "low-risk or no-risk employees, the government doesn't need to know."
Full Story

HEALTHCARE PRIVACY—U.S.

New Database Prompts Concern (October 6, 2010)

Government Executive reports on privacy advocates' concerns regarding a new Office of Personnel Management database designed to track federal employee health benefit plans. Advocates fear a new tool aimed at tracking and evaluating the quality and cost of services provided through the Federal Employees Health Benefits Program could put participants' personal information--including Social Security numbers, employment details, medical diagnoses and insurance coverage--at risk, the report states. Deven McGraw, director of the Health Privacy Project at the nonprofit Center for Democracy and Technology, suggested the database is not necessary, cautioning that it presents an opportunity for outside access to sensitive information.
Full Story

HEALTHCARE PRIVACY—U.S.

Report Delayed on Personal Health Records (October 6, 2010)

Healthcare Info Security reports that federal officials expect to present a report on privacy and security requirements for personal health records vendors not covered by HIPAA early in 2011. The Department of Health and Human Services Office of the National Coordinator (ONC) for Health Information Technology report was expected last February but has been delayed while the department worked on other projects, according to the ONC's chief privacy officer. To help in drafting the report, the ONC will hold a day of roundtable discussions Dec. 3 in Washington, DC.
Full Story

PRIVACY LAW—U.S.

New Legislation Needed (October 6, 2010)

C-SPAN's privacy series, "The Communicators," featured a special segment on pending privacy legislation by Reps. Rick Boucher (D-VA) and Cliff Stearns (R-FL), who head up the House Commerce Subcommittee on Communications. "I think the horse is out of the barn," Stearns said when asked about online privacy and tracking. Speaking about issues like opt in and opt out, he noted that if individuals saw the way their information can be compiled online to create user profiles, they would be very concerned. "I think we have to step up to the plate here in Congress...the public is unaware, and we need to get the privacy bill into play and let the people understand what's happening."
Full Story

BEHAVIORAL TARGETING

The Cookie Business is Booming (October 6, 2010)

NPR reports on the increasingly lucrative world of display ads capable of targeting specific customers by tracking their online behaviors. The online display ad market is projected to grow six percent in the next four years, the report states, but some say the tracking may go too far. "You're talking about a commercial system that's a digital dossier about your innermost secrets, concerns and personal matters," said Jeff Chester of the Center for Digital Democracy. On Monday, the online advertising industry launched a self-regulatory program aimed at better informing Web users about ad targeting.
Full Story

PRIVACY LAW—GERMANY

Employee Data Protection Law Moves Forward (October 5, 2010)

The government's draft law providing special rules for employee data protection now goes before the German Parliament for a first reading in November 2010, the Hunton & Williams Privacy and Information Security Law Blog reports, which means the law could be passed this year. The draft law would amend the German Federal Data Protection Act (BDSG) by adding provisions in nine key subject areas, including medical exams, CCTV use, employee tracking, biometrics and monitoring employees' Internet, e-mail and telephone use. In several cases, such actions are prohibited or require employee knowledge and consent, according to the draft law's provisions.
Full Story

ONLINE PRIVACY—U.S.

Ad Industry Self-Regulatory Plan Launched (October 5, 2010)

The Hill reports on efforts by the online advertising industry to "ward off tighter privacy regulations with a feature that helps Internet users spot when they are being tracked." The new self-regulatory program features an icon, placed next to advertisements that track users, that links to a disclosure statement and gives consumers the chance to opt out. Five advertising trade groups have launched the Web site AboutAds.info, which gives advertisers and networks information about the new icon. While some are hailing the plan, which comes in the midst of discussions by the U.S. Congress about privacy legislation, many privacy advocates are saying self-regulation is not enough.
Full Story

PRIVACY LAW—U.S.

Pharmacies Sue CVS Citing Privacy Rule Violations (October 5, 2010)

Six Texas pharmacies have filed suit against CVS Caremark for alleged violations of the HIPAA privacy rule, Health Data Management reports. American Pharmacies, the group representing the independent pharmacies, alleges that the company is mining data and contacting individual patients and physicians for marketing purposes, the report states. This activity violates the HIPAA privacy rule, the plaintiffs say, and flies in the face of a Federal Trade Commission mandate coming out of a 2009 settlement with the company on similar charges. A CVS spokesperson said in a statement that the company "is confident that its business practices and service offerings...are being conducted in compliance with applicable antitrust, privacy and other laws."  
Full Story

PRIVACY LAW—CANADA

Commissioner: Legislation Needed Ahead of EHRs (October 5, 2010)

CBC News reports on Nunavut's transition to electronic health records (EHRs) despite an absence of laws to protect patient information. Health officials plan to introduce EHRs in Nunavut in the next six months, the report states, but the territory's information and privacy commissioner says she doesn't have the power to investigate privacy violations involving patient records. "Unfortunately, the Access to Information and Protection of Privacy Act has privacy rules but no oversight and no way to address breaches," said Commissioner Elaine Keenan Bengts. "Legislation should precede the electronic record. That's not going to happen here." Bengts suggested amending Nunavut's privacy law to allow her to review breaches.
Full Story

CHILDREN’S PRIVACY—UK

Site Offers Children’s Ethical Communications Kit (October 5, 2010)

OUT-LAW.COM reports on the Advertising Association's launch of the Children's Ethical Communications Kit (CHECK), a site aimed at bringing together all UK laws and regulations on advertising to children. The Committee of Advertising Practice has revised its guidance on the collection of data on children this year, the report states, with the rules strengthened in recent months. "Nobody gains from irresponsible marketing where children are concerned," said Advertising Association Director of Communications Ian Barber, noting, "It's damaging for client relationships, for brands, for the industry's reputation and for the person that gets it wrong."
Full Story

HEALTHCARE PRIVACY—U.S.

Auctioned Data Concerns Former Hospital Employees (October 5, 2010)

Former employees of a shuttered Florida medical facility are questioning what will happen with their personal data now that the Gulf Pines Hospital in Port St. Joe has been auctioned to a buyer in California, WJHG reports. "They have all of our personal information," said one, adding that despite a sign on the hospital door stating otherwise, employee files and emergency room logs are still in boxes in the hospital. Former hospital worker Barbara Weeks said the files are on the floor in the middle of the hospital. "We're unable to obtain who to get in contact with...We've tried several avenues--county, city, state attorneys. No one seems to know."
Full Story

DATA PROTECTION

Study: PCI DSS Security Compliance Often Unmet (October 5, 2010)

Organizations that suffer a data breach are 50 percent less likely to have achieved or maintained compliance with the Payment Card Industry Data Security Standards (PCI DSS) than the average organization, InformationWeek reports. That's according to a study released Monday by Verizon that polled 200 PCI assessments, which also found that the top techniques used to steal payment card data were malware and hacking. The study found that the top three requirements for PCI DSS are the most difficult for organizations to meet and also the most vulnerable to breaches. Only 22 percent of organizations comply with PCI at their initial compliance assessments, the report states.
Full Story

DATA LOSS—UK

Patient, Staff Records Missing (October 5, 2010)

A total of 387 confidential patient and staff records have been reported lost or stolen from NHS West Midlands between April and June of this year, the Express & Star reports. Two other incidents also took place, the report states, but the number of records missing as a result of those cases is unknown. Since January of 2009, there have been more than 20,000 breaches, including a spreadsheet of patient details that was e-mailed to the wrong address, several stolen laptops and a CD containing 300 records that was found unencrypted and without password protection at an area bus stop, the report states.
Full Story

PRIVACY LAW—U.S.

Supreme Court To Hear Privacy Cases (October 4, 2010)

The new Supreme Court term has begun, and among the cases on the docket for Tuesday are key decisions related to privacy. The court is scheduled to hear NASA v. Nelson, the Los Angeles Times reports, which contests a privacy ruling won by 28 employees on the issue of whether the government can require background checks that include medical, financial and drug use history for low-risk employees and contractors. The court will also hear a case involving AT&T and whether corporations are eligible for the same protection as individuals when it comes to Freedom of Information Act requests.
Full Story

ONLINE PRIVACY

Advertisers Share Web Privacy Plan (October 4, 2010)

Amid the ongoing push-and-pull between user privacy and advertiser access to Web data, the Digital Advertising Alliance, which is comprised of some of the industry's largest trade organizations, has announced the details of a self-regulatory program allowing users to opt out of being tracked online. The New York Times reports on the program and its use of the "Advertising Option Icon" to alert users when data is collected for behavioral targeting. While some experts see the move as a step in the right direction, other privacy advocates maintain that self-regulation is not enough and government intervention is needed. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

Paper Raises Concerns About Smartphone Security (October 4, 2010)

The user data collected by some smartphone applications can be correlated to real-world identities, Ars Technica reports, posing privacy risks to users of such popular devices as the iPhone, iPod and iPad. According to a paper by Bucknell University Assistant Director of Information Security and Networking Eric Smith entitled "iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs)," many applications request personally identifiable information affiliated with users' accounts. Smith noted that such data, combined with "extremely long-lived" tracking cookies, could result in companies tracking users' online activities for extended periods of time and across multiple devices, the report states.
Full Story

PRIVACY LAW—U.S.

Senator Calling for Tougher Legislation (October 4, 2010)

State Sen. Shirley Turner (D-Milburn) is proposing legislation to strengthen current invasion-of-privacy laws in light of a recent tragedy at a New Jersey university, Wyckoff Patch reports. Currently, invasion of privacy offenses are third-degree crimes, carrying a maximum penalty of three to five years in prison and fines of up to $15,000, the report states. Turner's goal is to see such crimes classified as second-degree offenses with prison terms ranging from five to 10 years and fines of up to $150,000. "We need to send a loud and clear message that we are serious about this," Turner said.
Full Story

PRIVACY LAW—U.S.

Pryor To Introduce Online Tracking Bill (October 1, 2010)

Senate Commerce Consumer Protection Subcommittee Chairman Mark Pryor (D-AR) says he is working on legislation to give consumers control over whether they are tracked online, reports Tech Daily Dose. Pryor says the bill could include a "do-not-track" list, similar to the do-not-call list, where consumers can opt out of having their online behavior tracked. "I just think Americans ought to have a choice on how much their... Internet behavior is tracked," said Pryor. According to the report, the senator plans to have the bill ready to introduce in the next Congress. Privacy advocates and FTC Chairman Jon Leibowitz have voiced support for a do-not-track list, the report states.
Full Story

HEALTHCARE PRIVACY—U.S.

CDT Calls on Congress for Stronger Standards (October 1, 2010)

The Center for Democracy & Technology (CDT) is calling on Congress to further improve the privacy and security of health information, Health Data Management reports. In testimony yesterday, the center's Deven McGraw said, "The prospect of storing and moving personal health data electronically in an environment where security is a low institutional priority should give us all pause." The CDT wants Congress to deny certain incentive payments to entities that significantly violate the HIPAA privacy and security rules and mandate encryption, among other measures. "We need--through certified electronic health record requirements and enhancements to the HIPAA Security Rule--stronger requirements with respect to data security, as well as more proactive education and guidance from regulators."
Full Story

BEHAVIORAL TARGETING—U.S.

Icon Program To Debut in Coming Weeks (October 1, 2010)

The Interactive Advertising Bureau (IAB) and other advertising groups will soon launch a new icon to help Web users understand when behavioral advertising is occurring, MediaPost reports. The IAB, Better Business Bureau, Direct Marketing Association, Network Advertising Initiative and other groups have formed a trade organization to bring the icon forward. The program is part of the advertising industry's effort to more effectively notify users about the collection and use of their data. In an afternoon session at the IAPP Privacy Academy yesterday, Venable partner Stu Ingis said the groups will release guidelines for the program this month.
Full Story

DATA PROTECTION—UK

PCI DSS Compliance a Challenge (October 1, 2010)

The deadline for compliance with Payment Card Industry Data Security Standards (PCI DSS) passed yesterday for Level 1 UK merchants; however, just nine percent of this group comply, and according to a V3.co.uk report, security experts are using the deadline to warn against complacency in the industry. The current standards have been a challenge for merchants and "Version 2.0 is just around the corner," says Alan Bentley of endpoint-security firm Lumension, "meaning that merchants need to be concerned about their ability to prove compliance with v1.2, and with the steps they must take to get to the next stage of compliance."
Full Story

BEHAVIORAL TARGETING—UK

IAB Retracts 48-Hour Cookie Recommendation (October 1, 2010)

The Interactive Advertising Bureau (IAB) has withdrawn a code of practice released last week that recommended the expiration of retargeting cookies within 48 hours, OUT-LAW.COM reports. The IAB's Affiliate Marketing Council will rework the code after further industry consultation, the report states. "Following extensive feedback from IAB members, the IAB Affiliate Marketing Council (AMC) has withdrawn its code for the time being to ensure the initiative fully represents the needs and wants of the market, and that the language used is satisfactory to all corners of the industry," said IAB head of regulatory affairs Nick Stringer.
Full Story

GENETIC PRIVACY—U.S.

Colorado DNA Collection Law in Full Effect (October 1, 2010)

Beginning today, Colorado's "Katie's Law" goes into effect, meaning law enforcement in the state will collect and store DNA from anyone arrested for a felony. KWGN reports that the law, designed to help connect suspects with unsolved crimes, is drawing criticism from the Colorado American Civil Liberties Union (ACLU). "This kind of search of innocent persons to see if they might have some connection with a crime not connected to the crime for which they're arrested violates our constitution, it violates the right of privacy," said the ACLU's Mark Silverstein. Denver district attorney and sponsor of the bill, Mitch Morrissey, says the law will be valuable for catching serial offenders.
Full Story

DATA LOSS—U.S.

University Alerts Former Students of Breach (October 1, 2010)

The University of Florida has notified 239 former students that their personal information may have been compromised, University of Florida News reports. A Web site created by a faculty member containing information from a computer science class including names, addresses and Social Security numbers has been removed from a university server after it was discovered to be accessible by Web users. The university used Social Security numbers as student identifiers until 2003.
Full Story

PRIVACY

Stoddart Receives Vanguard Award (October 1, 2010)

At a reception in Baltimore, Maryland last night, Canadian Privacy Commissioner Jennifer Stoddart received the 2010 IAPP Privacy Vanguard Award for her outstanding leadership, knowledge and creativity in privacy and data protection. In presenting the award, Jeff Green, CIPP/C, of the Royal Bank of Canada, described Stoddart as "a catalyst for a global approach" to privacy protection. Winners of the eighth HP-IAPP Privacy Innovation Awards were also honored at the event, with Symcor, Inc., Minnesota Privacy Consultants and Microsoft Corporation taking this year's honors.
Full Story

PRIVACY

Sustaining a “Culture of Privacy” (October 1, 2010)

U.S. Department of Homeland Security CPO Mary Ellen Callahan, CIPP, and GE Senior Counsel, Information Governance and Chief Privacy Leader Nuala O'Connor Kelly, CIPP, CIPP/G, offered their insights on how to maintain privacy as a priority throughout organizations that must also balance competing demands and diverse regulatory requirements. Speaking at the IAPP Privacy Academy in Baltimore, MD, both shared their experiences and conclusions, suggesting that people--in the form of allies within and beyond a given organization--are invaluable assets to privacy protection. Privacy officers should focus on building a team, both agreed, as one person cannot know everything that goes on in an organization the size of the Department of Homeland Security or GE.
Full Story

PRIVACY LAW—EU & UK

Commission Taking UK to Court (October 1, 2010)

The European Commission is taking the UK to court for failing to protect citizens' privacy to the degree demanded by EU Internet privacy laws, OUT-LAW.COM reports. The action follows calls by the EU for the UK government to bring its data protection standards into accordance with EU directives. "The commission considers that UK law does not comply with EU rules on consent to interception and on enforcement by supervisory authorities," said a commission statement. "The commission considers that existing UK law governing the confidentiality of electronic communications is in breach of the UK's obligations under the ePrivacy Directive and the Data Protection Directive."
Full Story

Privacy Vanguard, HP-IAPP Privacy Innovation Awards announced (October 1, 2010)

It was a night of celebration and camaraderie at the IAPP’s 10th Anniversary Privacy Dinner, where the winners of this year’s privacy awards were announced amidst food, fun and festivities. Canadian Privacy Commissioner Jennifer Stoddart received a standing ovation toward the end of the evening when Jeff Green, CIPP/C, of the Royal Bank of Canada announced Stoddart had been selected as the winner of the 2010 IAPP Privacy Vanguard Award. The award honors the privacy professional who has best demonstrated outstanding leadership, knowledge and creativity in privacy and data protection.

Experts give tips to create and sustain a “culture of privacy” (October 1, 2010)

Privacy officers cannot go it alone. That was a key message shared when U.S. Department of Homeland Security CPO Mary Ellen Callahan, CIPP, and GE Senior Counsel, Information Governance and Chief Privacy Leader Nuala O'Connor Kelly, CIPP, CIPP/G, offered their insights to well over 100 privacy professionals on the ways they’ve found to nurture respect for privacy throughout their organizations during one of the first breakout sessions at the IAPP Privacy Academy on September 30 in Baltimore, MD.