Privacy News | Daily Dashboard


Top Privacy News

ONLINE PRIVACY—AUSTRALIA

Could the Cloud Enhance Privacy? (November 30, 2010)

Collaboration across borders is vital to reduce cloud computing risks, Minister for Privacy and Freedom of Information Brendan O'Connor said at the annual iappANZ conference this week. Privacy Commissioner Timothy Pilgrim, meanwhile, noted at the event, "Cloud computing has the potential to be privacy enhancing," but added that new laws will require organizations to take more responsibility for the information they collect. O'Connor said privacy laws are being reviewed so that "a robust privacy framework" is developed in Australia, Computerworld reports, but he also stressed that it will be "collaborative efforts between government and organizations that will create the tools to protect us all."

PRIVACY LAW—EU

Officials Push for Right To Be Forgotten (November 30, 2010)

Senior European Union officials have begun campaigning publicly for an online "right to be forgotten," The Wall Street Journal reports. EU Commissioner Viviane Reding, who introduced the idea earlier this month, said such change is needed in a world where the Web never forgets. Meanwhile, EU Commissioner Neelie Kroes called for "cloud-friendly" rules to improve data privacy. Proposed changes to EU privacy rules will face 12 to 18 months of debate before becoming law, the report states. "We still need to work out the details, but I support the right to be forgotten," said Jacob Kohnstamm of the Article 29 Working Party. (Registration may be required to access this story.) Read more about proposed changes to the EU Data Protection Directive in the December edition of the IAPP Privacy Advisor newsletter. (Member login required.)

PRIVACY LAW—PHILIPPINES

Commission Optimistic About Data Privacy Act (November 30, 2010)

The Commission on Information and Communications Technology (CICT) chairman is optimistic that legislators will pass the Philippine Data Privacy Act before the Christmas recess, Inquirer.net reports. Chairman Ivan Uy says he hopes House Bill 3828, now pending in congress, will be submitted by the end of the year, adding that it's important the bill is passed because of increases in data processing outsourcing. "We are seeing that a lot of personal information and info that need to be secured are coming onto our shores from all over the world," Uy said. "Those countries are becoming concerned that their data in the Philippines might not be secure, that it could be stolen; it could be compromised." The act would criminalize unauthorized personal data processing, punishable with fines and jail time.

PRIVACY LAW—U.S.

New Jersey Copy Machine Law Sees Progress (November 30, 2010)

PolitickerNJ.com reports that legislation requiring data held on digital copy machines be destroyed before machines are resold or thrown out will now move on to the Senate Commerce Committee. The assembly recently approved Bill A-297 by a vote of 50-28-1. Sponsored by Linda Greenstein (D-Mercer/Middlesex), Paul Moriarty (D-Gloucester/Camden) and Herb Conaway (D-Burlington/Camden), the bill aims to protect people from identity theft by requiring that the machines' hard drives, which store each scanned document, are cleared. Greenstein said besides identity theft, scanned sensitive medical and police records make people vulnerable.

DATA LOSS—UK

Consumers: Data Breach? Disclose It (November 30, 2010)

A recent survey has found that 80 percent of UK consumers support compulsory public data loss disclosures by organizations, IDG News reports. Of the 5,000 consumers polled via the Internet, 70 percent responded in favor of more prescriptive regulations, with 62 percent supporting hefty fines for data breaches and 31 percent suggesting executives should be subject to criminal proceedings. Ross Brewer of LogRhythm, which sponsored the survey, said respondents support "wide-ranging reform of data protection laws, including the implementation of mandatory data breach notifications." The survey also found that "when people hear about the loss of confidential information, they will actively avoid the organizations involved," the report states.

PRIVACY LAW—UK

Expert: ICO Fines an Educational Opportunity (November 29, 2010)

There are lessons to be learned from the first fines handed out by the Information Commissioner's Office (ICO) for data breaches, ComputerWeekly reports, highlighting the ICO's recent fines of £100,000 for the Hertfordshire County Council and £60,000 on employment services firm A4e. A primary lesson here is that the ICO will punish "business-as-usual" failures, such as misdirected faxes and unencrypted devices, explains Stewart Room of Field Fisher Waterhouse. "This tells us the ICO considers encryption as a mandatory privacy-enhancing technology," he said, adding, "Punishment despite good behavior also demonstrates the ICO's policy of zero-tolerance for such low-level failings."

DATA LOSS—U.S.

Two Medical Data Exposures Affect Thousands (November 29, 2010)

Two healthcare providers are alerting thousands of patients that their data may have been exposed. The Puerto Rican government has issued a $100,000 fine on a managed care services provider after a breach potentially exposed the personal information of more than 400,000 customers, Dark Reading reports. The data included such personal information as names, addresses and diagnostic codes. Meanwhile, the University of Tennessee Medical Center is alerting about 8,000 patients that their personal information may be at risk after patient data was improperly discarded.

PRIVACY LAW—U.S.

California Law To Allow Windshield Cameras in 2011 (November 29, 2010)

The Sacramento Bee reports on a new law allowing video cameras to be mounted on vehicle windshields in the name of safety. Assembly Bill 1942 will go into effect January 1 and is expected to be used largely by transportation companies. Images and audio from eight seconds before and four seconds after a crash or quick movement, like a hard stop, would be stored and uploaded to the camera company's Web site to be analyzed. But an ACLU spokeswoman asks, "What is our reasonable expectation of privacy in the workplace?"

DATA LOSS—CANADA

Medical Records Found on City Street (November 29, 2010)

Two city parking enforcement officers on Friday found hundreds of medical papers littering a parking lot in St. John's. The Telegram reports that the records included patients' procedure information, doctor-to-doctor correspondence, ultrasound photos and a recording device. The officers collected the documents and called the police, who returned them to the rightful owner. According to an RNC spokeswoman, the owner of the records--a physician--reported that their vehicle was burglarized. Eastern Health was informed of the breach and began an internal investigation. "At this time, we can confirm that the majority of the documents were not the property of Eastern Health," said a spokeswoman.

HEALTHCARE PRIVACY—UK

NHS Site Questioned (November 29, 2010)

The Information Commissioner's Office (ICO) has asked the Department of Health for information about its NHS Choices Web site, V3.co.uk reports. According to privacy experts, the site is sharing visitor information with third parties through social network features. The department has stated the information is collected to "see what is most effective about our site, to help us identify ways to improve it and to make it more effective." However, as one privacy expert cautions, while the need for such statistics is valid, "users' privacy should be of utmost importance (and) there is open source analytics software which the NHS should run themselves."

PRIVACY LAW—CANADA

Courts Set High Bar for Damage Awards (November 29, 2010)

Those seeking privacy-related damages are finding that Canadian courts have set the bar high. Writing for the Toronto Star, Michael Geist highlights two recent Federal Court decisions that "arrived at the same conclusion--personal privacy is not worth much when it comes to actual compensation for privacy breaches or abuses." Although in both cases the privacy commissioner and the courts agreed that complainants' privacy rights had been violated, both refused to award damages. Geist writes, "While the desire to limit damage awards to serious privacy breaches is understandable, the evolving case law may have the unintended consequence of diminishing respect for privacy compliance."

PRIVACY

PM Nominates Stoddart for Reappointment (November 25, 2010)

Prime Minister Stephen Harper on Wednesday moved to extend the term of Privacy Commissioner Jennifer Stoddart, The Globe and Mail reports, nominating her to be reappointed for another three years. "Jennifer Stoddart is extremely well-qualified to continue in the role of privacy commissioner of Canada," the prime minister said. "She brings to the position considerable expertise in privacy protection issues and a deep understanding of the importance of open and transparent government. I am pleased that she has agreed to be nominated to continue in this important role." The House of Commons will now consider the nomination.

ONLINE PRIVACY—U.S.

Groups Bring Complaint to FTC on Health Sites (November 24, 2010)

The Center for Digital Democracy, U.S. PIRG, Consumer Watchdog and the World Privacy Forum are asking the Federal Trade Commission to investigate the marketing used by a number of health Web sites. The New York Times reports that the groups' complaint charges that some sites are not transparent enough about how they track people through online health searches, create user profiles and market to users' conditions. The main concern, said Ed Mierzwinski of U.S. PIRG, is that employers or health insurers could get hold of the profiles. "You could be searching for health information about your cat or your neighbor and it could end up harming your healthcare in terms of denial or increased cost," said Mierzwinski. (Registration may be required to access this story.)

PRIVACY LAW—UK

ICO Issues First Data Breach Fines (November 24, 2010)

The Information Commissioner's Office (ICO) has levied its first monetary penalty for a data breach, fining the Hertfordshire County Council £100,000 for accidentally faxing highly sensitive information about child abuse cases to the wrong recipients. The Independent reports that the ICO determined the incidents were serious breaches of the Data Protection Act. "It is difficult to imagine information more sensitive than that," said Information Commissioner Christopher Graham, adding, "I am concerned at this breach--not least because the local authority allowed it to happen twice within two weeks." In a separate case, a £60,000 fine was imposed on A4e, an employment services company, over the theft of a laptop containing personal information on about 24,000 people. 

ONLINE PRIVACY

Profiling Technology Making a Comeback (November 24, 2010)

Two years after an outcry by privacy advocates in the U.S. and UK appeared to squelch its use, deep packet inspection is on the verge of a comeback, The Wall Street Journal reports. Deep packet inspection is more powerful than other tracking techniques "because it can be used to monitor all online activity, not just Web browsing," the report states. Two U.S.-based companies now pitching use of such services have said they protect user privacy with such steps as user consent. The FTC has stated providers "should, at a minimum, notify consumers that the ISP was mining the information and obtain clear consumer consent." (Registration may be required to access this story.)

PRIVACY LAW—U.S.

House To Discuss Do-Not-Track Proposal (November 24, 2010)

The House Commerce, Trade and Consumer Protection Subcommittee plans to hold a hearing on December 2 to discuss whether the time has come for a law mandating the creation of an online "do-not-track" list, the National Journal reports. Subcommittee Chairman Bobby Rush (D-IL) introduced privacy legislation earlier this year, the report states, and is weighing whether to add language to that bill for a do-not-track list modeled after the national do-not-call list that allows consumers to opt out of receiving telemarketing calls. The committee will consider how such a list would function and whether it would "provide adequate relief to consumers" who want to limit online tracking, a Rush spokesman said.

FINANCIAL PRIVACY—GERMANY

DPA Issues €200K Fine for Access, Profiling (November 24, 2010)

The German Data Protection Authority (DPA) has issued a €200,000 fine to the financial institution Hamburger Sparkasse AG for allowing customer representatives access to customers' bank data and for profiling its customers, reports the Hunton & Williams Privacy and Information Security Law Blog. The bank reportedly allowed self-employed, mobile customer service representatives to access customer data, often without consent, and created character profiles on customers based on neurological research and customer data such as socio-demographic data and product usage, including direct deposit accounts and the number of transactions. The DPA said that the bank quickly amended its procedures and cooperated with its investigation.

HEALTHCARE PRIVACY—U.S.

Court Overturns Rx Marketing Law (November 24, 2010)

ModernHealthcare reports that the Second U.S. Circuit Court of Appeals in New York has overturned a Vermont law restricting the use of prescription drug data in the marketing of pharmaceuticals to physicians. The court, in a split decision, found that the 2007 law constituted "an impermissible restriction of commercial speech." This decision contradicts an August ruling by the First U.S. Circuit Court of Appeals in Boston, MA, upholding a similar law in Maine. And, the U.S. Supreme Court refused to hear a similar appeal to a New Hampshire prescription drug marketing law in June of 2009. (Registration may be required to access this story.)

EMPLOYEE PRIVACY—CANADA

Stoddart Investigates Proposed Search Law (November 24, 2010)

Canadian Privacy Commissioner Jennifer Stoddart is investigating a government plan to give Canada Border Service Agency (CBSA) officers expanded powers to search airport and port employees in new customs-controlled areas, reports iPolitics.ca. The plan aims to curtail drug trafficking by cutting down on airport employees' involvement in the trade. Currently, CBSA officers can search employees as they are leaving a customs-controlled area; under the proposal, the officers would be able to search any employee within the newly defined areas with "reasonable grounds" to suspect they are involved in illegal activity. The commissioner's spokeswoman said, "there are clearly privacy implications for workers, and we would expect these new powers to be used very judiciously."

DATA PROTECTION—UK

Researchers: Study Your Cloud Computing Contracts (November 24, 2010)

Computerworld reports on a recent study by UK academics which found that cloud computing contracts may contain clauses posing risks to users. The Cloud Legal Project at Queen Mary University of London studied 31 cloud computing contracts from 27 providers and found that the contracts sometimes can be terminated for lack of use or sometimes for no reason, contain disclaimers denying responsibility for keeping user data secure and can be revoked for violations of the provider's "acceptable use" policy. Claims against a provider for data loss or a privacy breach may be difficult in cases where the provider seems local but, in fact, is hosted on another continent, the report warns.

PRIVACY LAW—EU

Cookies and Consent (November 24, 2010)

ComputerWeekly reports on the European Commission Citizens Rights Directive's rules for data security and breach disclosure. "These new rules focus in particular on the dropping of cookies onto our equipment," the report states. "This will only be lawful if the service provider has the subscriber or user's consent." The report points out that the benchmark for consent to be considered valid is that it "must be freely given, specific and informed." The EU's Article 29 Working Party issued an opinion earlier this year on the issue of cookies and consent, noting that default browser settings, bulk consents, Web user inactivity or the use of opt-outs will not meet the consent requirement.

TRAVELERS’ PRIVACY—U.S.

Expert to Senators: TSA Scanner Policies Are Flawed (November 23, 2010)

CBS News reports that the head of the Transportation Security Administration (TSA), John Pistole, has asked passengers not to boycott body scans at airports this holiday season as organizers move forward with plans for a "National Opt-Out Day." Fred H. Cate of the Center for Applied Cybersecurity Research at Indiana University wrote to Sen. John (Jay) Rockefeller (D-WV) and Sen. Kay Hutchison (R-TX) supporting their close scrutiny of the screening methods and noting flaws in TSA policies, including that the TSA scanners, which were reportedly unable to store images, "leaked 35,000 stored images from one of the machines used by another federal agency." These flawed policies are "handing the terrorists a victory they could not win on their own," he writes.

HEALTHCARE PRIVACY—U.S.

For Teens, Privacy Comes Before Health (November 23, 2010)

A recent study indicates that for teenagers, healthcare privacy is essential. Researchers at Cincinnati Children's Hospital Medical Center have found that if teens do not believe their privacy is being respected, their care could be compromised, as they will be "cautious about revealing sensitive information to healthcare providers for fear of being judged and are reluctant to talk to unfamiliar or multiple medical staff," HealthDay reports. According to the study, keeping healthcare information private was the most important issue to teens, and they would not discuss sensitive health issues with providers if they felt they would be judged.

DATA PROTECTION—UK

Survey: 70 Percent of Employees Would Take Data (November 23, 2010)

When leaving a job, 70 percent of employees indicated they would take corporate data with them. That's according to a report in OUT-LAW News on a recent survey of 1,000 London employees by data security company Imperva. "The increasingly common use of personal devices such as phones for business purposes and the ease with which digital data can be copied have led to growing concern among businesses that employees will take information belonging to a company when they leave it," the report states. The fears may be well founded, as the survey indicated 72 percent of respondents admitted to taking corporate data out of a company in the past.

CHILDREN’S PRIVACY—U.S.

Surveillance at School: Privacy vs. Security? (November 23, 2010)

The Dallas Morning News reports on the increasing use of security cameras at local schools and the consequential conflict between privacy and security priorities. "There's no expectation of privacy in a public school," said a spokesman for the Richardson, TX, police. "The inside of their backpack is personal, but the inside of the school itself--no." School policies on who has access to surveillance footage vary. The American Civil Liberties Union (ACLU) supports a request process for law enforcement access. One school requires police to request access to view footage alongside a school administrator, the report states. "It should be a targeted search. It shouldn't be just digging through," said an ACLU spokesman.

DATA PROTECTION

Smartphones in the Workplace: A Problem? (November 23, 2010)

A recent survey found that eight out of 10 CIOs rank data breaches as their top security concern and think that using smartphones in the workplace increases their vulnerability to attack, InformationWeek reports. Market researcher Ovum and the European Association for e-identity and Security released the survey's report this week, which also found that half of organizations fail to authenticate employees' mobile devices but that 48 percent of employees are allowed to use personal mobile devices to connect to corporate systems. "Employees will want to use their devices, no matter who owns them, for both their work and personal lives," said an Ovum spokesman, adding that it's unrealistic to delineate between those uses.

PRIVACY LAW—U.S.

FTC Report Expected This Month (November 23, 2010)

Venable LLP discusses the forthcoming Federal Trade Commission (FTC) report recommending new privacy principles for the collection and use of data for marketing and advertising purposes. The report, which is due out this month, "is expected to build upon the themes explored during the series of privacy roundtables," according to Venable's analysis. Topics that are expected to be addressed in the report include privacy by design, privacy notices, consumer choice and consumer and business education. "The report may also address the notion of a 'Do Not Track' registry," the Venable analysis states, referencing FTC Chairman Jon Leibowitz's comments earlier this year that the commission is evaluating such an opt-out provision. (Registration may be required to access this story.)

DATA THEFT—U.S.

Laptop Theft Puts 35,000 Individuals at Risk (November 23, 2010)

The decision by a county employee from the state of Virginia to take his work computer on vacation with him may have put 35,000 residents at risk for identity theft. Credit Protection Pro reports that the laptop was stolen during a vacation in Las Vegas, NV. "The files on the laptop are believed to include names, addresses and Social Security numbers of Accomack County residents," the report states, and residents are being encouraged to have fraud alerts placed on their credit reports if they are concerned that their information may be at risk for identity theft.

DATA PROTECTION—EU

Working Party Calls for “Strict” General Agreement (November 22, 2010)

European data protection authorities have called for a "strict and far-reaching" general privacy agreement with the United States. In a letter addressed to European Commission Vice President Viviane Reding, the Article 29 Working Party "welcomes the initiative for a general agreement with the United States, since this could ensure a high level of protection for all individuals' personal data." The authorities would like this to be an "umbrella agreement" that could cover existing and future agreements between the EU and U.S., and the party stresses "the need for the future agreement to comply with the European Union's data protection framework, including the EU Charter of Fundamental Rights."

ONLINE PRIVACY—EU

Curbing Tracking Poses Challenges (November 22, 2010)

An EU effort to regulate the use of cookies for Internet tracking "is crumbling," The Wall Street Journal reports. The EU's law requiring companies to obtain consent from Web users when tracking files are placed on their computers awaits enactment by member countries, but "Internet companies, advertisers, lawmakers, privacy advocates and EU member nations can't agree on the law's meaning," the report states. And just how to move forward is a source of contention, with regulators, officials, privacy advocates and individual nations interpreting the law in different ways. EU Commissioner Neelie Kroes, who is in charge of overseeing the law's implementation, suggests, "We need a user-friendly solution." (Registration may be required to access this story.)

PRIVACY LAW—UK

ICO, Google Sign Data Handling Commitment (November 22, 2010)

The Information Commissioner's Office (ICO) has announced that Google has signed a commitment with the office, agreeing to improve data handling practices globally and not just in the UK, Computerworld reports. The commitment, which stems from the collection of personal information over unsecured wireless networks, does not include a fine, but had Google not agreed to sign it, an enforcement notice could have been issued, the report states. The agreement requires the company to enact improved data protection training measures for all employees, and the company has said each new project it launches will include a privacy design document. The company will also delete all data collected in the UK.

DATA LOSS—U.S.

Healthcare Facilities Fined for Breaches (November 22, 2010)

State officials have fined six California hospitals and a nursing home for failing to prevent unauthorized access to confidential patient medical information, The Los Angeles Times reports. By order of California health officials, the facilities have 10 days to submit plans to correct the problems that led to the breach. They may also appeal the fines. The state fined Pacific Hospital of Long Beach $225,000 after an unauthorized technician accessed nine patients' records and used the information to open telephone accounts, the report states. Kern Medical Center in Bakersfield received two fines totaling $310,000 after 596 patients' medical information was stolen from an unlocked storage locker. Five other facilities face fines ranging from $5,000 to $125,000.

PRIVACY LAW—U.S.

House Seeks To Limit Red Flags Rule (November 22, 2010)

Rep. John Adler (D-NJ) has introduced a bill to limit the scope of the FTC's Identity Theft Red Flags Rule, the Hunton & Williams Privacy and Information Security Law Blog reports. The Red Flag Program Clarification Act seeks to "amend the Fair Credit Reporting Act with respect to the applicability of identity theft guidelines to creditors" by adding a more narrow definition of "creditor" to exclude those "that advance funds on behalf of a person for expenses incidental to a service provided by the creditor to that person." The FTC had delayed enforcement of the Red Flags Rule until December 31, the report states, in order to give congress time to address the issue.

PRIVACY LAW—U.S.

Opinion: Federal Privacy Official Needed (November 22, 2010)

In The Wall Street Journal, Christopher Wolf and Jules Polonetsky, CIPP, of the Future of Privacy Forum, discuss the necessity of a U.S. privacy official. Referencing a recent editorial on the EU proposal for a right to be forgotten on the Internet, they write, "It is precisely because of international proposals that may impact U.S. principles that the U.S. needs a senior governmental official to participate in the global debates over the regulation of personal information." Wolf and Polonetsky note that baseline privacy protections are needed as "consumers often are left in the dark about who is collecting their information, how it is being used, with whom it is being shared and how it is being protected." (Registration may be required to access this story.)

DATA PROTECTION—U.S.

World Privacy Forum Knocks Commerce Dept. (November 22, 2010)

While the Commerce Department prepares to release recommendations about online privacy, the World Privacy Forum has released a report questioning the department's record with the safe harbor program, among others, reports MediaPost News. The report asserts that the department has not been effective in the privacy sphere and that there is a "lack of rigor regarding enforcement and compliance in the privacy programs it administers." World Privacy Forum Executive Director Pam Dixon also commented that the recently-created subcommittee to advise the White House on regulatory and legislative issues for the Web should be headed by a representative from the FTC, not commerce, stating, "The mission of the Department of Commerce is commerce, not consumers."

DATA LOSS—U.S.

Half of State’s Breaches at University (November 19, 2010)

Since 2005, one in every three residents of Hawaii has had their personal records breached, and more than half of those breaches have come in the form of online security incidents involving the University of Hawaii, the Honolulu Star-Advertiser reports. The Liberty Coalition's report on the state's 479,000 breaches criticizes the University of Hawaii for incidents exposing Social Security numbers and other sensitive data in nearly 260,000 records. One alumnus whose information was among those breached has now filed a class-action suit against the university after applying for a job and learning that four other names are associated with his Social Security number.

PRIVACY LAW—U.S.

Nearly One Million Customers To Receive Refunds (November 19, 2010)

The Federal Trade Commission (FTC) has announced that it has begun mailing refund checks to 957,928 people who were victims of allegedly false claims made by an ID theft protection company. LifeLock had claimed it could provide absolute protection from identity theft, an FTC press release notes, but in a settlement reached in March, the company agreed to pay $11 million to the FTC and $1 million to a group of 35 state attorneys general to settle charges it "used false claims" to promote its services. Consumers will receive checks for $10.87. The distribution represents all eligible consumers, according to the release, and no further claims for refunds will be accepted.

DATA RETENTION—GERMANY

Personal Data Plan Debate Flares (November 19, 2010)

A number of federal and state officials believe it is essential to restore Germany's 2007 data retention law, given new threats and a raised terror alert, Deutsche Welle reports. Interior Minister Thomas de Maizière, who has raised the terror alert level, has announced that there are concrete indications of a possible terrorist attack occurring soon in Germany. Justice Minister Sabine Leutheusser-Schnarrenberger, however, has said her office is against resuming data retention and instead favors "event-related use of any data," the report states, which would allow data to be temporarily captured and handed over to authorities, as is the case in the U.S.

DATA LOSS—U.S.

VA Breaches Described (November 19, 2010)

Department of Veterans Affairs CIO Roger Baker described two recent data breach incidents during a monthly briefing for congress, Federal News Radio reports, noting that the incidents indicate that some department employees are not following policies and procedures to safeguard information. In one incident, an employee lost a personal, unencrypted thumb drive that was being used to store veterans' records, and in the second, a worker printed out records containing veterans' personal data and then took those records home. The good news, Baker said, is that most employees are following data protection rules.

GEO PRIVACY—U.S.

Loose Lips Sink Ships 2.0 (November 19, 2010)

The U.S. Air Force issued a message recently to its airmen warning them that location-based applications could have "devastating operations security and privacy implications," reports the AFP. After a major policy review last February, the Pentagon announced that it would allow troops to use social networking sites, but it has long held a belief that there are dangers to the careless use of these sites, the report says. "All Airmen must understand the implications of using location-based services," said the message, which was posted to the internal Air Force network and sent to communications officers. The Pentagon has said it is unclear if other military services plan to issue similar warnings.

ONLINE PRIVACY

Study: Trust and Privacy Policies Matter (November 19, 2010)

A study conducted recently by fast.MAP shows that online consumers are more likely to shop on sites that are easy to use, have obvious security features and a name they trust. MarketingWeek reports that while nearly a quarter of consumers experienced a data breach within the past six months, 25 percent are "highly confident" their personal details will be safe with companies fitting those criteria. "Trust, a clear privacy policy and necessity prompt about 40 percent of consumers to divulge their personal details," says David Cole of fast.MAP. DMA Director Chris Combemale adds, "Consumers are now fully aware of the value and vulnerability of their data, a fact that all too many brands have ignored at their cost."

PRIVACY LAW

Commissioner Concerned About Secure Flight (November 19, 2010)

The privacy commissioner has called on the government to mitigate the impact of the U.S. Secure Flight program. Beginning in December, the program will allow U.S. authorities to prevent suspicious passengers from boarding flights that cross U.S. airspace and will allow U.S. authorities to retain data on suspicious passengers for up to 99 years. Commissioner Jennifer Stoddart told a House of Commons committee yesterday that the government should fight for concessions to shorten the amount of time passenger data is kept on file. She added concerns that "information collected can be disclosed and used for purposes other than aviation security." Meanwhile, during a visit to Toronto this week, U.S. Department of Homeland Security Chief Privacy Officer Mary Ellen Callahan discussed the intersection of security and privacy.

TRAVELERS’ PRIVACY—U.S.

TSA Director: Scanners and Pat-Downs Are Necessary (November 18, 2010)

The head of the Transportation Security Administration (TSA) told a senate committee yesterday that full body scans and pat-downs are necessary to protect the nation's fliers, The Los Angeles Times reports. The screening methods have incited complaints from privacy advocates, pilots' unions and passengers, who say they are invasive and allow images to be routinely stored and recorded. But TSA Director John Pistole told the Senate Commerce Committee that "the threats are real, the stakes are high and we must prevail." Editor's note: A robust conversation about the privacy concerns associated with full body scanners is taking place on the IAPP Privacy List. Members can sign up or view the archives here.

PERSONAL PRIVACY—U.S.

Body Scanner Images Published Online (November 18, 2010)

The tech Web site Gizmodo has published 100 of about 35,000 images saved last year by the U.S. Marshals Service using an Orlando, FL, courthouse body scanner, reports USA TODAY. The images, which have had identifying features eliminated, were obtained through a Freedom of Information Act request. Gizmodo says the leak "demonstrates the security limitations of not just this particular machine, but millimeter wave and x-ray backscatter body scanners operated by federal employees in our courthouses and by TSA officers in airports across the country." The Transportation Security Administration maintains that the scanners used in airports "cannot store, print, transmit or save the image."

PRIVACY LAW—U.S.

Class Actions Abound After Breaches (November 18, 2010)

A financial firm has reached a settlement in a class-action lawsuit spurred by a 2007 data breach, Top Class Actions newsletter reports. D.A. Davidson & Co. has established a $1 million fund "to reimburse class members for any actual and unreimbursed out-of-pocket damages they may have incurred as a direct result of the Davidson data breach during the time period from December 20, 2007, through and including June 1, 2011," the report states. In a separate incident, a class action has been filed against Florida insurer AvMed over the theft of two unencrypted laptops that has placed personal data on 1.22 million members at risk. 

PRIVACY LAW—CANADA

Disclosure Changes Concern OPC (November 18, 2010)

The Office of the Privacy Commissioner (OPC) has raised concerns about its ability to properly assess potential privacy breaches due to changes in the way government departments report potential risks, CBC News reports. "It is not an improvement; we feel that, unfortunately, the new directive will be less of a guarantee," said Assistant Privacy Commissioner Chantal Bernier. The OPC is taking steps to change the directive, the report states, including sending a letter of expectations directly to departments outlining what is required to properly assess new initiatives and when that information would be needed for the OPC's assessment.

PRIVACY LAW—U.S.

Supreme Court Overturns Criminal Impersonation Conviction (November 18, 2010)

A recent Colorado Supreme Court decision to overturn one man's conviction for using a stolen Social Security number (SSN) to apply for a car loan isn't sitting well with privacy advocates, Network World reports. In a 4-3 decision, the court ruled that the man's action did not constitute criminal impersonation because the man provided his actual name, address and place of employment in addition to the stolen SSN and therefore "did not hold himself out to be another person when he used another person's Social Security number." Adam Levin, co-founder of Credit.com and Identity Theft 911, says the decision means that while the defendant walks away a free man, Colorado consumers wind up feeling less free.

DATA PROTECTION—CANADA

Guarding Against or Recovering From a Breach (November 18, 2010)

The Globe and Mail reports on one company's recovery from a privacy breach, highlighting steps taken to guard against future breaches and tips from experts on protecting personal information. The report quotes Paul Battista of Ernst & Young Canada on the difficulties businesses face in rebuilding confidence after a privacy breach, even with effective, timely responses to such incidents. In a policy document on privacy issues, the Canadian Institute of Chartered Accountants points to the vulnerabilities inherent in storing personal information online as raising "concerns for organizations, governments and the public in general...The organization cannot outsource its ultimate responsibility for privacy for its business processes."

PRIVACY LAW—U.S.

New Data Theft Settlement Proposed (November 17, 2010)

The Associated Press reports that 6.2 million TD Ameritrade customers whose contact information may have been stolen in a breach more than three years ago could be eligible to receive as much as $2,500 each under a proposed settlement agreement. However, the report states, it is unclear how many will be able to collect funds under the proposed settlement "because the payments will only be offered to identity theft victims." The settlement follows an earlier one rejected by a federal judge. If approved, it could cost the company up to $6.5 million. An Ameritrade spokeswoman said the company believes the settlement is fair and hopes it will be approved.

PRIVACY LAW—THE NETHERLANDS

Bill Addresses Data Breaches, Cookies (November 17, 2010)

The minister of economic affairs has submitted a bill to the Dutch Parliament in a move toward implementation of the EU's e-Privacy Directive, the Hunton and Williams Privacy and Information Security Law Blog reports. The proposed legislation would amend the Dutch Telecommunications Act to require telecoms and ISPs to provide notification of data security breaches and would require consent for the use of cookies, the report states. The bill would require notification of both the Dutch Telecom Authority and affected individuals "without delay" of breaches that could affect personal data. It would also require data subjects' prior consent to place cookies on their computers.

PRIVACY LAW—HONG KONG

Chiang Calls for Do-Not-Call List (November 17, 2010)

Hong Kong Privacy Commissioner for Personal Data Allan Chiang Yam-wang has recommended the creation of a do-not-call register and a law requiring telemarketers to make known to recipients the source of their personal information, reports the South China Morning Post. While citizens have the ability to opt out of electronically generated calls and faxes through an Office of the Telecommunications Authority (OFTA) registry, the report states, there is currently no opting out of telemarketer calls. Chiang suggests that the OFTA regulate the do-not-call list, which he says would give the public a "one-stop service." Meanwhile, Chiang continues to push for the right to carry out criminal investigations and impose fines for severe breaches.

DATA LOSS

Verizon Launches Breach Info-Sharing Platform (November 17, 2010)

Verizon Business has launched an information-sharing service that it hopes will help improve companies' approaches to risk management, V3.co.uk reports. The Veris service lets companies post the details of hacking incidents anonymously so that others can learn from their experiences, the report states. "We are sharing the aggregate data and encouraging other companies to anonymously share their security event data to promote more dialogue and understanding of security incidents," said Peter Tippett, vice president of technology and innovation at Verizon Business. "The collective sharing of in-the-trenches security events offers the opportunity to fundamentally change how we all manage risk."

DATA PROTECTION

Organizations Seeing New Kinds of Threats (November 17, 2010)

InformationWeek reports on a recent survey showing that a majority of organizations are ill-prepared for a data breach. The Solera Networks survey, conducted by Trusted Strategies, polled more than 200 security professionals and found that two-thirds of their organizations lack the appropriate tools to understand a breach, and 35 percent lack a response plan, the report states. One-quarter of respondents said they were not prepared to deal with a security incident, and 28 percent said they were somewhat prepared. A spokesman for Solera Networks said organizations are facing new threats as, "Opportunistic theft and vandalism on networks is being replaced with targeted, multi-component, persistent attacks focused on specific systems and assets."

ONLINE PRIVACY

Analysts, Others React to New Messaging System (November 17, 2010)

Analysts and others are reacting to news that Facebook has launched a messaging system, Computerworld reports. Company founder Mark Zuckerberg introduced Facebook Messages at a press conference earlier this week. The system will enable e-mail, instant messaging, SMS and Facebook messages, and the company will archive conversation histories, according to a Deutsche Welle report. "The more Facebook puts itself in a position to receive, store and safeguard the most private communications we have, the more Facebook will need to be vigilant to protect privacy and guard against hacking and theft," said Forrester Research analyst Augie Ray. 

ONLINE PRIVACY—U.S.

Commerce Department Policy Draft Calls for Legislation, Self-Regulation (November 16, 2010)

The Washington Post reports on a Commerce Department draft of 10 online privacy oversight recommendations, including strengthening FTC rulemaking powers and enacting new data breach legislation. The Commerce Department's "green paper" recommends establishing a "baseline privacy framework" for fair data collection practices on the Web, the report states, and calls for a review of the Electronic Communications Privacy Act. Recommendations for voluntary codes of conduct for Web firms, however, are being criticized by privacy advocates. The Commerce Department will seek input on its recommendations "with the goal of advancing both the domestic and global dialogue and contributing to an eventual administration-wide position on information privacy policy," a spokeswoman said. (Registration may be required to access this story.)

ONLINE PRIVACY

Studies Point to Benefits of Privacy Icons (November 16, 2010)

Two recent studies indicate that privacy icons are effective, The New York Times reports. The first study, conducted by TRUSTe and Publishers Clearing House over six months, allowed users to click on an icon to learn about interest-based ads, provide feedback and opt out. Only 1.1 percent chose to opt out of all advertising networks. A study by Better Advertising and Dynamic Logic analyzed reactions to the Digital Advertising Alliance's icon, finding that 67 percent preferred brands that gave them more control, including opt-out provisions. "The level of transparency and control accrues really positive benefits to the brands that take this extra step," said Scott Meyer of Better Advertising. (Registration may be required to access this story.)

TRAVELERS’ PRIVACY—EU

WP Article 29 Issues Opinion on PNR (November 16, 2010)

The Article 29 Working Party has issued an opinion on European Commission (EC) plans to exchange passengers' personal data with countries outside the European Union, according to a press release. The working party "questions the necessity of large-scale profiling for law enforcement purposes" and says that the EC has not presented objective proof or statistics that passenger name record data are valuable in combating terrorism. The opinion reacts to the EC's September communication on the matter. Article 29 Working Party Chairman Jacob Kohnstamm raised the concerns last week during a meeting with EU Commissioner for Home Affairs Cecilia Malmström.

DATA LOSS—U.S.

Healthcare Facilities Report Exposures (November 16, 2010)

Two healthcare facilities have announced data breaches this week involving the exposure of patient records and personal information. At the Holy Cross Hospital in Fort Lauderdale, FL, the names, addresses, Social Security numbers and other details of at least 1,500 emergency room patients were stolen by an ER worker, who then sold the data to others who used the information to steal money, reports Infosecurity. And the Detroit Free Press reports that the Henry Ford Health System has notified patients of its urology office that their personal information was compromised when an unsecured laptop was stolen from an unlocked office. Both facilities have offered free credit monitoring to those affected.

PRIVACY LAW—U.S.

House Subcommittee To Hold Hearing (November 16, 2010)

A House subcommittee will hold a hearing early next month to discuss Internet privacy, The Washington Post reports. Specifically, members of the Commerce, Trade and Consumer Protection Subcommittee will hear more about the concept of a do-not-track registry for the Internet and other aspects of a bill presented by Rep. Bobby Rush (D-IL) earlier this year. The bill will be reintroduced during the lame duck session, according to the report. The tentative date for the hearing is December 2. (Registration may be required to access this story.)

ONLINE PRIVACY—U.S.

When Is a Breach Not a Breach? (November 16, 2010)

With high-profile incidents raising concerns and the U.S. Congress considering privacy legislation, Rob Pegoraro writes in The Washington Post that not every case reported in the media actually meets the definition of a privacy breach. Referencing recent incidents involving a social network and Web company, he writes, "The information at stake in each case was already public by any meaningful definition." A breach, he suggests, does not involve "data that's already out there for anybody to see" but, instead, "exposes private information you tried to keep confidential in ways that risk the loss of money or security or otherwise fairly earn the adjective Orwellian." (Registration may be required to access this story.)

PRIVACY LAW—EU

Hustinx Supports Proposed Data Protection Reforms (November 16, 2010)

European Data Protection Supervisor Peter Hustinx says he welcomes the proposed changes to Europe's Data Protection Directive, The Register reports. The proposed changes, which Hustinx says are needed to keep pace with advances in technology and increased data collection, include revision of the rules in the areas of law enforcement, cross-border data protection, mandatory breach notifications and more effective enforcement of the rules. "Data protection is not an abstract thing. It relates to everybody's life," Hustinx said. "There is no room for mistakes here. The challenges are enormous."

HEALTHCARE PRIVACY—U.S.

OPM Delays Data Warehouse Launch (November 16, 2010)

The Office of Personnel Management (OPM) has delayed the launch of its health claims database by one month, Computerworld reports. The delay will allow the OPM to accommodate more comments from the public, the report states. The Center for Democracy and Technology and 15 other organizations recently wrote to the OPM asking for more details about the Health Claims Data Warehouse data protection and access controls; the OPM has said it would share data with third-party researchers and law enforcement. The warehouse, originally slated to be launched this week, would include detailed health information, individuals' names, addresses, Social Security numbers and dates of birth.

DATA LOSS—UK

ICO Addresses Two Breach Cases (November 16, 2010)

The Independent Parliamentary Standards Authority has signed a formal undertaking with the Information Commissioner's Office (ICO) following an incident where MPs' personal details were exposed for 21 hours on a parliamentary expense database. "This case highlights how any work carried out on a database must be subject to rigorous security testing before being re-launched," ICO Head of Enforcement Mike Gorrill noted in a press release. In a second incident, the ICO has determined the New Forest District Council breached the Data Protection Act by publishing planning applicants' personal information online. "We will be monitoring other local authorities to scope compliance in this area on a national level," said ICO Enforcement Group Manager Sally-Anne Poole. 

PRIVACY LAW—U.S.

Proposed Privacy Laws, Coordinator Raise Questions (November 15, 2010)

Recent reports on the push for U.S. privacy laws and the Obama Administration's plans to appoint a new privacy coordinator are receiving mixed reactions. While some are cheering the focus on privacy, IDG reports, others are questioning whether new rules are necessary. Critics have suggested there is an "absence of real data" on the need for privacy regulations, the report states, and there could be conflict between the Federal Trade Commission and Department of Commerce over enforcement. Rep. Joe Barton (R-TX), however, said, "I am glad more and more folks--in the government and otherwise--are beginning to realize that there is a war against privacy."

FINANCIAL PRIVACY—U.S.

300,000 Students’ Financial Data Posted Online (November 15, 2010)

Approximately 300,000 University of Nebraska students' financial data is now available on a state Web site for all to see. The Associated Press reports that what began as an effort to provide transparency about spending through the state treasurer's Web site has ended up with the inclusion of student data on refunds, loans, scholarships and financial aid, complete with student names. While the university has asked for the information to be removed, the report states that the treasurer replied that his staffing is too limited to make the changes, and the university "was given several chances to scrub the data" before it was posted.

ONLINE PRIVACY—U.S.

Forthcoming Reports Prompt Speculation, Commentary (November 15, 2010)

The Federal Trade Commission and the Department of Commerce both are expected to publish reports about online privacy in the coming weeks. Some expect the FTC report will recommend the creation of a do-not-track list for the Internet but will not propose new legislation, MediaPost reports, whereas the Commerce report is expected to propose a strategy that includes the creation of new laws and a federal privacy overseer. While some privacy advocates welcome Commerce's activity in the privacy sphere, others say it is the FTC's domain.

HEALTHCARE PRIVACY—U.S.

Survey: Patients Want Control (November 15, 2010)

A survey of 2,000 adults has revealed that most individuals want conditions on the sharing and sale of their personal health data, iHealthBeat reports. Ninety-seven percent of respondents to the Zogby poll said that healthcare providers should not sell or share individuals' data without consent, and 98 percent indicated that insurance companies should not be able to sell patient data without consent, the report states. Another 91 percent backed the idea of a Web site where patients could register their preferences for the sharing and sale of personal health information, which is something that the group Patient Privacy Rights, which commissioned the survey, has proposed.

ONLINE PRIVACY

Opinion: Forget Being Forgotten (November 15, 2010)

On both sides of the Atlantic, privacy is front and center on the regulatory stage. The Wall Street Journal reports on discussions in the U.S. on new laws and an EU proposal that, "People should have the 'right to be forgotten' when their data is no longer needed or they want their data to be deleted." However, Adam Thierer, president of the Progress and Freedom Foundation, contends, "A privacy right should only concern information that is actually private. What a 'right to be forgotten' does is try to take information that is, by default, public information, and pretend that it's private." (Registration may be required to access this story.)

TRAVELERS’ PRIVACY—U.S.

Homeland Security Asks for Travelers’ Patience (November 15, 2010)

Homeland Security Secretary Janet Napolitano is asking air travelers for their cooperation and patience this holiday season, USA TODAY reports, amid a public backlash over full body scanners at airports. Travel group flyersrights.org plans to call on its 30,000 members today to boycott the scanners and insist on alternative security methods. The scanners' planned implementation has incited debate from a wide range of advocates regarding the potential recording and storage of the images, including a call from the Electronic Privacy Information Center that a federal judge grant an injunction on the Transportation Security Administration plans to implement the scanners at U.S. airports. But Napolitano says they serve an "important goal."

PRIVACY—U.S.

Privacy Watchdog, Policy Coming (November 12, 2010)

The Obama Administration is planning a greater focus on Internet privacy that will involve new laws and the creation of a new position to guide efforts in this area, The Wall Street Journal reports. More details will be unveiled in a Department of Commerce report expected to be released in the coming weeks. While previous administrations have avoided regulation of the Internet, "the increasingly central role of personal information in the Internet economy has sparked government action," the WSJ report states. Some are welcoming the plans, but others are less enthusiastic; an online ad industry group executive said that in terms of potential new legislation, "We believe we are living up to consumer-privacy expectations..." But Commerce's draft report says that self-regulation is lacking, according to the WSJ.  (Registration may be required to access this story.)

ONLINE PRIVACY

Google Accuses Facebook of Data Protectionism (November 12, 2010)

Google has taken a shot at Facebook in what VentureBeat describes as a "battle of sass" between the two companies. This week, Google blocked Facebook from importing Gmail contacts, saying that "data should be free" and that Facebook does not allow for easy export of contact information. When Facebook gave users a workaround, Google created a warning page entitled "Trap My Data," where users are prompted to think twice about uploading their contacts to the social networking site. The page also invites Gmail users to "register a complaint over data protectionism."

ONLINE PRIVACY

Ad Exec: Public Debate Needed (November 12, 2010)

Online privacy is on the minds of executives gathered at the Monaco Media Forum this week. ADWEEK reports that consensus is building around the idea that marketers and publishers should give consumers more information about data-collection practices. "My aim is to have a public debate on the issue, which is not happening," said Alain Levy, CEO of digital ad network Weborama. But consumer education is expected to be difficult in today's everyone-wants-to-sell-data environment, and the success of industry's early efforts in this direction remains to be determined, says a Berkman Center for Internet and Society co-director.

SSN PRIVACY

Most Identity Theft Cases Close to Home (November 12, 2010)

Social Security numbers (SSNs) are used more than they should be and need to be better protected. That's according to Kirk Nahra, CIPP, who says most cases of identity theft can be traced back to an employee, family member or friend, BankInfoSecurity reports. To avoid the risk of insider threats, companies shouldn't store SSNs, and individuals shouldn't carry their Social Security cards, so as to protect them from those who may be willing to take advantage. Though laws and society, in general, are getting better at protecting SSNs, more needs to be done, he says. "There aren't many situations when you absolutely have to rely on a Social Security number."

DATA PROTECTION—U.S.

Mass. Regs Proving Difficult for Small Firms (November 12, 2010)

Many Massachusetts firms are still working to come into compliance with the state's tough new data privacy regulations, eight months after their implementation, Mass High Tech reports. The regulations require institutions that hold personal data on state citizens to encrypt that information and implement written data protection policies. The changes have been most cumbersome for smaller businesses complying with privacy regulations for the first time and with limited in-house technology expertise, according to the vice president of a New York software firm. Many of those firms are "running around with their hair on fire, trying to figure out what to do first," he said.

TRAVELLERS’ PRIVACY—EU & U.S.

Passenger Data Debate Persists (November 12, 2010)

Members of the European Parliament (MEPs) continue to express concerns about the collection and use of air passengers' data, as talks on sharing it between the European Union and U.S. are set to continue, PCWorld reports. At a 20 November EU-U.S. summit, parliamentarians will debate the issues associated with sharing such data as names, phone numbers, e-mail addresses, travel itineraries and billing information of passengers entering and leaving the EU. While the European Commission says the information would be used for counter-terrorism purposes only, MEPs have called for "factual evidence that the collection, storage and processing of PNR data is necessary."

PRIVACY LAW—U.S.

FCC Now Investigating WiFi Collection (November 11, 2010)

The Federal Communications Commission (FCC) confirmed yesterday that it is investigating Google's collection of personal data from unencrypted WiFi networks, The Washington Post reports. "The Enforcement Bureau is looking into whether these actions violate the Communications Act," said FCC Enforcement Bureau chief Michele Ellison. The Federal Trade Commission recently closed its own investigation into the matter, concluding that the company's promise to amend its practices and delete the information collected was sufficient. Regulators in Canada, the United Kingdom, Spain and beyond recently concluded their own investigations into the activity. (Registration may be required to access this story.)

PRIVACY LAW—U.S.

GINA Final Rule Published (November 11, 2010)

The U.S. Equal Employment Opportunity Commission (EEOC) has issued a final rule to implement Title II of the Genetic Information Nondiscrimination Act of 2008 (GINA), Gov Info Security reports. Issued on November 9, the rule outlines privacy protections of the act, which prohibits employers and health insurers from discriminating based on genetic predispositions. The EEOC enforces the portions of GINA dealing with genetic discrimination in employment. The final rule takes effect on January 10, 2011. The Department of Health and Human Services is preparing a rule to implement other portions of GINA.

DATA PROTECTION—UK

ICO Responds to Critics of WiFi Investigation (November 11, 2010)

In The Telegraph, Information Commissioner Christopher Graham responds to criticism about his agency's investigation into Google's collection of personal details through unencrypted WiFi networks. Privacy advocates and members of parliament have condemned Graham for sending non-technical staff to investigate the matter, initially, and for failing to levy a harsher punishment on the company for contravening the UK Data Protection Act. But Graham points out that the amends--deletion of the data and a future audit--fit the offense, saying that what Google collected "certainly didn't amount to a significant cache of personally identifiable information." 

HEALTHCARE PRIVACY—U.S.

One-Third of Medical Organizations Report ID Thefts (November 11, 2010)

A Healthcare Information and Management Systems Society (HIMSS) survey has found that 33 percent of healthcare organizations have had at least one known case of medical identity theft, but some may never be reported. InformationWeek reports that the 2010 HIMSS Security Survey also found that more than twice as many hospital employees--38 percent--responded that they would report a medical identity theft instance, as opposed to 17 percent of those working for other medical practices. Among the study's other key findings, encryption and single sign-on were most frequently identified as technologies not currently used at their organizations but planned for future implementation.

PRIVACY LAW—SWEDEN

Sweden Proposes Six-Month Data Retention (November 11, 2010)

The Local reports on a bill presented by the Swedish government Thursday that aims to bring Sweden in line with the EU Data Retention Directive. Telephone and broadband providers would be required to retain electronic data for six months under the bill--the shortest period allowed under the directive--which would come into force in July 2011. In presenting the bill, Justice Minister Beatrice Ask said it considers privacy in that "the information can only be disclosed for crime-fighting purposes." Sweden was reprimanded in February by the EU Court of Justice for not having implemented the directive on time.

ONLINE PRIVACY—CANADA

Are IP Addresses Private? (November 11, 2010)

The Montreal Gazette reports on a potentially groundbreaking case for Canada as the Saskatchewan Court of Appeal grapples with the privacy of Internet protocol (IP) addresses. The case involves a man who was convicted last year on child pornography charges. Using a Freedom of Information and Protection of Privacy Act request, Saskatoon law enforcement officers sought his IP address from his Internet service provider, which provided his name, home address, phone number and e-mail address. The defense has argued it was too easy for police to find the user of the IP address, the report states, but the prosecution says IP addresses are not private because anyone on the Internet can find them.

PRIVACY LAW—AUSTRALIA

Commissioner: Telco Bill Requires Guidelines (November 11, 2010)

The Office of the Australian Information Commissioner has warned that privacy gaps exist in the government's proposed Telecommunications Interception and Intelligence Services Legislation Amendment Bill 2010, Computerworld reports. Privacy Commissioner Timothy Pilgrim has called for the creation of guidelines and binding rules to balance the country's security and privacy needs. Pilgrim has specifically suggested guidelines on law enforcement agencies' handling of personal information, rules for telecommunications organizations on disclosing data in cases of missing persons and for a framework to support privacy in the sharing of data between intelligence agencies. Pilgrim's recommendations follow those of the Australian Privacy Foundation, which said in October it had "most serious concerns" about the bill.
Full Story

STUDENT PRIVACY—U.S.

Students Form Committee To Study Privacy Policies (November 11, 2010)

The recent death of a Rutgers University student has prompted the creation of a committee to examine the school's privacy policies and educate students, The Star-Ledger reports. The committee will be formed via the Rutgers University Student Assembly, the report states, and the school's administration has not yet been made aware of the plans. The Daily Targum reports that the student ad-hoc committee will work with the administration upon completion of its findings. "We will also be looking at the general pulse of the students--how they feel about their privacy or do they have any privacy," one student said.
Full Story

SURVEILLANCE—UK

ICO Report: Legislation Should Have Privacy Review (November 11, 2010)

In an update submitted to parliament today on the state of surveillance, Information Commissioner Christopher Graham recommends there be a post-legislative review of laws affecting privacy concerns to ensure they are being used as intended. In a press release, the commissioner said this would give the government "a key way of ensuring the successful delivery of the new transparency and privacy agenda." The report also recommends widespread adoption of privacy enhancing technologies for the private sector and says organizations should consider the privacy implications of new technologies prior to launching them. The Home Affairs Committee requested the report as part of its inquiry into the surveillance society.
Full Story

ONLINE PRIVACY—U.S.

Showdown Looming on New Rules? (November 10, 2010)

A confrontation is brewing between Internet companies, federal regulators and legislators over online privacy rules, The New York Times reports. Referencing such proposals as a "do not track" feature online to "let Internet users tell Web sites to stop surreptitiously tracking their online habits" and forthcoming reports by the Federal Trade Commission and Commerce Department on online privacy, the article points to concerns from consumer and privacy advocates that the interests of those most affected by privacy policies will be forgotten. "Which agency or group leads the debate could go a long way toward determining the result," the report states. (Registration may be required to access this story.) Editor's note: Consumer privacy and the FTC will be a focus of next month's Practical Privacy Series in Washington, DC.
Full Story

BEHAVIORAL TARGETING—EU

Parliament Looks at Warning Labels for OBA (November 10, 2010)

The EU Parliament has demonstrated concerns that behavioral advertising may breach consumer privacy rights, PCWorld reports. Parliament's Internal Market Committee approved a report calling for warning labels to accompany targeted advertisements. The report, by French member Philippe Juvin, highlights behavioral targeting techniques and calls for online forum moderators who are savvy about these methods. Members noted that the Unfair Commercial Practices Directive of 2005 is not equipped to cover these new technologies, the report states. The report is scheduled for a plenary vote in December.
Full Story

PRIVACY LAW—U.S.

Labor Board Fights Employee Termination for Facebook Post (November 10, 2010)

The National Labor Relations Board has accused a company of illegally firing an employee after she criticized her supervisor on her Facebook page, The New York Times reports. The case is considered groundbreaking in that it is the first time the labor board has stepped in to argue that workers' criticisms of their bosses or companies on a social networking site are protected activities, the report states. The company, American Medical Response of Connecticut, says the employee's activity was not protected under federal law. Philip Gordon of Littler Mendelson's Privacy & Data Protection Practice Group says the case should warn employers to "tread cautiously before taking adverse action against an employee for posting negative comments about the employer on social media sites." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—THAILAND

Law or Commission Needed To Protect Citizens (November 10, 2010)

While Thailand's lower house considers a Data Protection Act draft, Surankana Wayuparb of the Electronic Transaction Commission suggests that an independent commission is needed to protect citizens' privacy rights, reports the Bangkok Post. Wayuparb said of utmost concern is the growing use of technology such as the Internet and wireless networks. She stressed that the commission be made up of experts from private organizations and human rights bodies who are fully versed in these technologies, the report states. Meanwhile, the deputy commander at the Technology Crime Suppression Division said the problem lies with people using this technology inappropriately.
Full Story

ONLINE PRIVACY—U.S.

Execs: Internet Firms Must Be Accountable (November 10, 2010)

When it comes to handling the personal data they collect from users, Internet companies must hold themselves to high standards and be more accountable. That's the message being shared by Internet executives themselves, Reuters reports. "People have very high expectations when it comes to companies in terms of how they collect, use, store and most importantly protect their information," said Peter Cullen, CIPP, chief privacy strategist for Microsoft, noting companies must invest more in privacy protection. Michael Fertik of ReputationDefender went a step further, calling for federal regulations and opt-in as the default to give consumers control of their online information.
Full Story

RFID—FRANCE

Is Tagging a Solution or a Problem? (November 10, 2010)

Though a French company with plans to electronically tag nursery-aged children in Paris has halted implementation due to privacy concerns, the international trend is different, The Guardian reports. Worldwide, 150 maternity wards in 17 countries already use RFID tags that are capable of remotely tracking a subject's location, with some countries creating laws to mandate such devices. Alex Türk, the head of France's Commission for Information Technology and Freedom (CNIL), says the tags will become smaller and more difficult to legislate. "Sometimes we need to say 'no' to the temptations of technology," Türk said, calling for the French Parliament to address the issue and for debates on the topic to begin around the globe.
Full Story

PRIVACY LAW—U.S.

California Approves Insurance Reg Amendments (November 9, 2010)

The California Office of Administrative Law has approved Department of Insurance plans to repeal portions of its privacy regulations, Insurance Journal reports. Effective immediately, agents and brokers will no longer be required to mail privacy policies to customers annually nor must they provide customers with an opt-out form to prevent broker-agents from shopping on renewal, the report states. "The department had no legal authority to enforce opt-out notification, but so long as the requirement was on the books, many broker-agents incurred very substantial expense attempting to meet those requirements," said Steve Young, general counsel of the Insurance Brokers and Agents of the West, the group that requested the change.
Full Story

DATA PROTECTION—UK

ICO Releases Study Findings (November 9, 2010)

A survey commissioned by the UK Information Commissioner's Office (ICO) has revealed that private sector organizations lag behind public sector bodies in their knowledge of data protection principles, eWeek reports. While 60 percent of public sector organizations surveyed indicated awareness about securely storing personal information, 48 percent of private sector entities indicated the same. Only 14 percent of all organizations polled for the study could identify all eight data protection principles, the report states. On releasing the findings, Information Commissioner Christopher Graham said, "A strong awareness of data protection obligations is of fundamental importance to any organization. Businesses need to show they are taking data protection seriously."
Full Story

SOCIAL NETWORKING

Web Company: Put Privacy Before Ads (November 9, 2010)

Founders of a new browser aimed at social network users are not planning on selling ads, The Wall Street Journal reports, because they believe it will be a conflict of interest with user privacy. RockMelt made its public debut in a test version Monday, the report states, and while it has some big-name investors, the company has said that when it comes to making money, an ad network is not part of the plan. The focus, said co-founder Tim Howes, is on improved Web browsing, and "you can't have a good user experience if somebody is (taking) your data and using it to sell ads." (Registration may be required to access this story.)
Full Story

HEALTHCARE PRIVACY—U.S.

Study: Data Loss Costs Hospitals Billions Annually (November 9, 2010)

The average per-hospital cost of a data breach is $1 million per year--$6 billion annually for the industry--but the majority of hospitals report they do not have adequate resources to protect against patient data loss. That's according to the Ponemon Institute's Benchmark Study on Patient Privacy and Data Security, sponsored by ID Experts. Forbes reports that for medical data breaches, customer losses and brand damage end up costing more than double the average for breaches in other industries. "In a trusted industry like healthcare, there's a high expectation of good stewardship of personal information," said Larry Ponemon, CIPP, "and when that confidence is lost, it leads to customer churn."
Full Story

HEALTHCARE PRIVACY—U.S.

Data Warehouse May Be Delayed (November 9, 2010)

In response to privacy concerns, the launch of the Office of Personnel Management's (OPM) planned database may be delayed, according to the Center for Democracy and Technology (CDT). The database, slated to be launched November 15, will contain millions of Americans' names, addresses, Social Security numbers and dates of birth. But the CDT and 15 other organizations wrote a letter to the OPM asking for more details about the Health Claims Data Warehouse and the possibility, as indicated by OPM, that the database could be shared with law enforcement or third-party researchers. A spokeswoman for the OPM did not provide further detail on the launch date or whether more information will be provided, reports Computerworld.
Full Story

PRIVACY LAW—U.S.

CT HealthNet Suit Reaches Agreement (November 9, 2010)

Connecticut's insurance commissioner announced yesterday that HealthNet of Connecticut agreed to provide affected members two years of credit monitoring and pay $375,000 in penalties for failures to protect their personal information, reports StamfordPlus. The penalties stem from the 2009 loss of a disk drive containing the personal health information of about 500,000 members. According to the Department of Insurance, the company did not inform its members of the breach in a timely manner. The report states that HealthNet has made significant improvements to security and fully cooperated with the review.
Full Story

STUDENT PRIVACY—U.S.

DOE Sets Up Privacy Assistance Center (November 9, 2010)

The U.S. Department of Education (DOE) has launched a campaign aimed at helping school officials manage data on student progress. The Privacy Technical Assistance Center, launched two weeks ago, will help officials to use and share student statistical data safely, Education Week reports. Its program officer said it will release six guidance briefs within the next six months on privacy, electronic student records and a profile of privacy protections in each U.S. state, according to the report. A DOE spokeswoman said it will propose amendments to the Family Education Rights and Privacy Act this winter to address student progress databases.
Full Story

PRIVACY LAW—U.S.

User Sues Search Engine (November 9, 2010)

A complaint filed in federal court last week alleges the world's most popular search engine has violated users' privacy rights by allegedly transmitting their Internet activity to the company. Bloomberg reports on the complaint, which is seeking class-action status, as alleging, "With products such as Toolbar, Google acquires a great deal of information about users' Internet activities, adding to the already substantial information it acquires by providing a search engine, network advertising and more." Toolbar features can be used without sharing personal information, according to information on the company's Web site, except for features designed to work with a Google account.
Full Story

DATA RETENTION—AUSTRALIA

Opinion: Data Retention Plan Wide Open to Abuse (November 9, 2010)

The Australian Federal Police (AFP) says the government's proposal for a new data retention plan aims to maintain the status quo, which AFP assistant commissioner Neil Gaughan says is problematic, as illustrated by the Office of the Commonwealth Ombudsman's recent report findings. The report, released last week, found continued disagreement on data storage requirements between government agencies and telecommunications carriers, "compounded by a lack of record keeping." In a ZDNet editorial, Josh Taylor writes that the system would be wide open to abuse and that the possibility exists that the plan would give police "unprecedented and undocumented access to every move we make online." Privacy Commissioner Timothy Pilgrim has also expressed concern.
Full Story

PRIVACY LAW—U.S.

Barton “Very, Very Willing To Legislate” (November 8, 2010)

On C-SPAN's "The Communicators" program on Friday, Rep. Joe Barton (R-TX), who is looking to become the Energy and Commerce chairman, restated his intention to work with colleagues on moving privacy legislation, Nextgov reports. "Privacy is one of those issues gaining in importance," Barton said. "It's something that could be addressed if we could get the right coalition. As chairman, I would be very, very willing to legislate in that area." Barton also indicated that the committee would look into Google's collection of data from unsecured WiFi networks, a matter that the Federal Trade Commission investigated and closed without action last month. Editor's note: Privacy Tracker subscribers, on last week's call, Jim Halpert of DLA Piper discussed the impacts of Tuesday's election on privacy legislation. A recording of the call is available here.
Full Story

GEO PRIVACY

Location-Based Services See Success Ahead (November 8, 2010)

The location-based services industry has had no problem finding investors. That's because of how valuable the currency that is personal data is to marketing, The New York Times reports. Advertisers plan to spend $1.8 billion on location-based marketing in 2015, according to ABI Research. And users are happy to give up their personal data for a service they find useful, the report states, even despite concerns about their privacy. "Many people are in a more 'transactional' frame of mind" when it comes to their personal information, said the director of the Internet and American Life Project. "They will share information if they think they can get something of value for it." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

New Congress Expected To Scrutinize HITECH (November 8, 2010)

A Gov Info Security report explores the potential impact of last Tuesday's election on the HITECH Act. "Privacy and security are key issues that both political parties are interested in," said Dave Roberts of the Healthcare Information Management Systems Society, adding that "congress will scrutinize the emerging HITECH regulations and consider introducing legislation to fix any rules that don't meet their expectations..." The CEO of a health IT security provider speculates that the new congress might move to nix the harm provision of the final breach notification rule and says that healthcare groups are keen to know whether the proposed Data Security and Breach Notification Act of 2010 will apply to healthcare. Wiley Rein partner Kirk Nahra, CIPP, told the Daily Dashboard, "While there is interest in some members of congress in changing the healthcare privacy rules, it is much more likely that congress will give the current legislation (which is still being implemented) a chance to work before new changes are made. Congress has had a very hard time agreeing to healthcare privacy principles, with HITECH being a sort of 'perfect storm' because of the economic incentives in the legislation."
Full Story

ONLINE PRIVACY

Somebody’s Camera Is Watching You (November 8, 2010)

They are tiny, lightweight and can even be worn tucked into your hair accessory or just above your ear as they record everything that's going on around you. The New York Times reports on these "wearable" cameras that have the ability to "record life's memorable moments as they unfold" and the privacy questions they raise. Harvard Prof. Jonathan Zittrain suggests that with proper procedures in place, the cameras could help future historians, noting, "We have painstakingly reconstructed ancient civilizations based on pottery and a few tablets... I would love to leave this legacy instead." However, he also acknowledges that as photos and video of unsuspecting individuals show up on the Internet, the devices are likely to raise privacy concerns. (Registration may be required to access this story.) Editor's note: Read more about the practice of recording every moment in the feature, "Valuing, protecting and commoditizing your personal information: Is 'data banking' the answer?" from the June edition of Inside 1to1: Privacy.
Full Story

DATA LOSS—U.S.

Federal Employee Breach Affects 12,000 (November 8, 2010)

The General Services Administration is taking steps to protect its employees' identities after a data breach exposed the personal information of 12,000, reports The New York Times. The breach occurred after an employee e-mailed a list of names and Social Security numbers to a personal address. The agency is paying for one year of credit monitoring and identity theft insurance coverage for each employee but says the e-mail involved was deleted from the recipient's e-mail account and laptop, which was also "scrubbed clean," and had not been forwarded on. A spokeswoman for the agency said protecting employee data at large organizations is "no small challenge" but that the agency will continue to evolve protocols. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY—UK

Graham: Anti-Terrorist Database Plans Flawed (November 8, 2010)

Information Commissioner Christopher Graham said that after finding Google responsible for a "significant breach" of data protection rules, the company cannot be trusted to store data in accordance with the new anti-terrorism plan proposed by the UK government, reports The Australian. The plan requires companies and Internet service providers to store details of customers' Internet and telephone communications, states the report. Earlier, the government dismissed proposals for a central government database, but Graham still has concerns. "Anyone who thinks that storing the information with the communication service providers, rather than in a big database, solves the problem hasn't been paying attention with what's been going on with Google," he said.
Full Story

SOCIAL NETWORKING—U.S.

No Online Closet for Political Hopefuls’ Skeletons (November 8, 2010)

With the prevalence of social networking sites, The New York Times reports that "it was a given that a generation of politicians would someday find themselves confronted with digital evidence of their more immodest and imprudent moments." That someday is now, the report states, pointing to recent U.S. political hopefuls who have had to explain compromising photos, videos and comments posted online or on their own social networking pages. When it comes to transgressions recorded for posterity online, one expert suggests, "We're in kind of a cultural transformation right now... It's a relatively slow process in political terms, but culturally, we're going to get used to this." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—EU

Commission Calls for New Privacy Rights (November 5, 2010)

The European Commission has unveiled its proposed online privacy code, The Wall Street Journal reports, calling for new privacy rights for citizens who share personal data with Web sites. The proposed rules have been called "a comprehensive approach on personal data protection in the European Union" and include the recommendation for a "right to be forgotten" online, the report states. Describing the protection of personal information as a "fundamental right," Justice Commissioner Viviane Reding said that "to guarantee this right, we need clear and consistent data protection rules. We also need to bring our laws up to date with the challenges raised by new technologies and globalization." (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY—U.S.

FTC Appoints First Chief Technologist (November 5, 2010)

The Federal Trade Commission (FTC) has appointed Princeton University Prof. Edward Felten as its first chief technologist and U.S. Small Business Administration Chief Operating Officer Eileen Harrington as the agency's executive director. The Washington Post reports that Felten's expertise in computer security is essential at a time when the FTC has taken on high-profile technology cases and is expected to soon announce recommendations for how lawmakers and the Internet industry should protect privacy online. Felten will "provide invaluable input into the recommendations we'll be making soon for online privacy, as well as the enforcement actions we'll soon bring to protect consumer privacy," said FTC Chairman Jon Leibowitz. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—EU

Cookie Confusion Continues (November 5, 2010)

ClickZ reports that lawmakers are facing continued confusion over the EU's recently revised e-Privacy Directive and whether it requires Internet users' prior consent before advertisers can place cookies on their computers. According to the directive, national governments of EU member states must ensure that access to and storing of information on users' devices only occurs when users have been informed and given their consent. "Businesses, legal experts, analysts, industry bodies, consumer groups and politicians remain divided in their interpretations of the directive, specifically around whether or not it will require prior and explicit user consent or whether consent can instead be inferred through the use of browser settings," the report states.
Full Story

SURVEILLANCE

Smile! I’m Recording You, Neighbor (November 5, 2010)

The New York Times reports on the increasing popularity of do-it-yourself surveillance as the cost of recording technologies decreases. A Texas resident last year used an at-home surveillance camera to catch his neighbor scratching the back of his car. He posted the footage online and sent it to police, resulting in more than 3,000 views on YouTube and the offender paying $3,000 in damages. The director of the Citizen Media Law Project at Harvard said on the legality of such a trend, "generally it's true that you can film your own property as well as anything that is in public view." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—EU

Microsoft CEO to Gov’t: We Need Rules (November 5, 2010)

Microsoft CEO Steve Ballmer has called on Europe for clearer rules on privacy and data retention, PC World reports. At a London event on technology issues facing government, Ballmer said there needs to be a regulatory regime that outlines the responsibilities of companies when providing those services, the report states. "There needs to be a single framework. We need to know what the responsibilities and obligations are," Ballmer said. "We need some help from government." He mentioned a Swedish company that has data centers in Finland but provides services to UK users. Companies such as this need to know the rules, he said.
Full Story

HEALTHCARE PRIVACY—U.S.

New Rule a “Wake-up Call for Compliance” (November 5, 2010)

The proposed Health Insurance Portability and Accountability Act (HIPAA) modification rule is a wake-up call for compliance. That's according to Kirk Nahra, CIPP, a partner at Wiley Rein, who said during an October 29 Health Care Info Security podcast that the modifications "would toughen enforcement and set penalties of up to $1.5 million for violations of the HIPAA privacy and security rules." He said, "this is a good opportunity to revisit your HIPAA compliance efforts to help ensure your organization doesn't get hit with the tougher penalties." The Office for Civil Rights has said the final rules for HIPAA and HITECH could be published by the end of this year or early next year.
Full Story

PRIVACY LAW—U.S.

Lawmaker: Privacy Key Legislative Priority (November 4, 2010)

With data breaches making headlines and getting more and more attention from federal regulators, Internet privacy will be a legislative priority for the next U.S. Congress. That's according to a statement by Rep. Joe L. Barton (R-TX), who wrote, "I want the Internet economy to prosper, but it can't unless the people's right to privacy means more than a right to hear excuses after the damage is done." The Washington Post reports that while questions have arisen about the future of privacy legislation following Tuesday's national election, government regulators in the U.S. and across the globe "are preparing to take a more aggressive role in enforcing privacy rules." (Registration may be required to access this story.) Editor's note: Jim Halpert of DLA Piper discussed the election's potential impact on privacy legislation during today's Privacy Tracker call. Recorded audio of the call is available to subscribers here.
Full Story

PRIVACY LAW—EU

Commission Seeks New Online Rules (November 4, 2010)

New EU rules on data protection and privacy to be announced today will include consumer control of data, a push for the "right to be forgotten" and provisions concerning information shared beyond EU borders, AFP reports. "The protection of personal data is a fundamental right," said Justice Commissioner Viviane Reding. "People should be able to give their informed consent to the processing of their personal data, for example when surfing online, and should have the 'right to be forgotten' when their data is no longer needed or they want their data to be deleted." Formal legislative proposals are expected to come forward following a two-month public consultation.
Full Story

ONLINE PRIVACY—U.S.

White House Issues Cloud Computing Document (November 4, 2010)

The White House has issued a draft document that is designed to help government agencies adopt cloud computing, reports GovInfoSecurity. The Proposed Security Assessment and Authorization for U.S. Government Cloud Computing document, released through the Federal Chief Information Officers Council, is the "product of 18 months of collaboration with state and local governments, private sector, NGOs and academia," says U.S. Chief Information Officer Vivek Kundra, and "marks an early step toward our goal of deploying secure cloud computing services to improve performance and lower the cost of government operations." The council will accept comments on the draft through December 2.
Full Story

DATA PROTECTION—UK

Minister Proposes New Code of Conduct (November 4, 2010)

Culture Minister Ed Vaizey has proposed a refreshed code of Internet conduct that "more well-known and legitimate Web sites" should be made to sign, the Guardian reports. He proposes an updated version of the code the Information Commissioner's Office (ICO) currently uses. Vaizey was set to meet with the ICO yesterday to discuss the proposition and plans to write to Internet service providers about the idea. The code would allow for citizen redress in the event of privacy breaches, Vaizey said during a parliamentary debate last week. He also proposed the creation of a mediation service that citizens could use to seek data dispute resolution.
Full Story

HEALTHCARE PRIVACY—U.S.

Data Warehouse Concerns Advocates (November 4, 2010)

The U.S. Office of Personnel Management's (OPM) planned database to store personal health information on millions of Americans is troubling some privacy advocates, Computerworld reports. To be launched November 15, the Health Claims Data Warehouse aims to help the OPM manage three health claims programs. In addition to detailed health information, the database would include individuals' names, addresses, Social Security numbers and dates of birth. John Berry from the Center for Democracy and Technology (CDT) and 15 other organizations wrote a letter to the OPM asking for more details, because, according to another CDT spokesman, the lack of information on how the OPM will protect data and the fact that it will share it with third-party researchers is troubling.
Full Story

PRIVACY LAW—U.S.

ICO: First Fines Imposed Later This Month (November 4, 2010)

Information Commissioner Christopher Graham says his office will announce the first organizations to be fined later this month, Kable reports. The office's ability to impose fines has given it the teeth it has lacked, said Graham at an event in London yesterday. He also provided data on organizations leading in data breaches, which included the NHS with 377 breaches--30 percent of all 1,254 breaches reported to date--followed by the private sector (360), local government (184), central government (97) and other public sector bodies (149). Graham said decisions on how steep a fine will be imposed will depend on the size of the offending organization.
Full Story

SOCIAL NETWORKING—U.S.

Lawmaker Reacts to Company’s Response (November 4, 2010)

At least one lawmaker has expressed dissatisfaction with Facebook's response to congressional concerns about recent breach allegations, ClickZ reports. In a statement, Congressman Joe Barton (R-TX) lauded the company for responding quickly to questions he and Congressman Ed Markey (D-MA) posed in an October letter to the company, but said, "the fact remains that some third-party applications were knowingly transferring personal information in direct violation of Facebook's privacy promises to users." In its response to the lawmakers, Facebook said that the company's reported privacy breach was false and misunderstood, according to a CNET News report.
Full Story

CHILDREN’S PRIVACY

Eye-Spy Barbie? (November 4, 2010)

The Sydney Morning Herald reports that Barbie may be getting older, but she is certainly keeping up with new technology--with her most recent iteration, complete with a built-in camera, raising privacy concerns. The Barbie Video Girl doll comes equipped with the ability to record up to 30 minutes of video and a color LCD screen in her back. The doll is being criticized for enabling children to film themselves and others using the hidden camera in the doll's necklace, creating videos that can then be transferred to a computer. Some experts suggest better privacy laws are needed to protect children against the potential inappropriate use of technology.
Full Story

PRIVACY LAW—U.S.

Buzz Suit Settlement Announced (November 3, 2010)

Google has notified its Gmail users that it has reached a settlement in a class-action suit over its Buzz social networking feature, The Washington Post reports. As part of the settlement, the company has agreed to create an $8.5 million fund for privacy education; however, payments will not be made to the network's users. The company has also pledged to better educate users about Buzz, which came under fire after it was launched back in February because, in some cases, it exposed Gmail users' data. The U.S. District Court for the Northern District of California is scheduled to hold a fairness hearing on the settlement in January. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY—UK

ICO: WiFi Collection Breached DPA (November 3, 2010)

Information Commissioner Christopher Graham has determined Google's inadvertent collection of personal data through its Street View vehicles was a "significant breach" of the Data Protection Act, BBC reports. Google must now sign an undertaking to ensure data protection breaches do not happen again and delete the data it collected. "We are profoundly sorry for mistakenly collecting payload data in the UK from unencrypted wireless networks," said Peter Fleischer, Google's global privacy counsel, noting, "We are in the process of confirming that there are no outstanding legal obligations upon us to retain the data and will then ensure that it is quickly and safely deleted." Meanwhile, the Australian Privacy Foundation is criticizing that country's former privacy commissioner for her handling of the Street View incident.
Full Story

PRIVACY LAW—U.S.

Election Implications for Privacy Legislation (November 3, 2010)

Privacy itself may not have been on the ballot for yesterday's national election, but "the results may affect the prospects for privacy legislation," Christopher Wolf writes in a piece for the Hogan Lovells Chronicle of Data Protection. Among the changes, Wolf notes, is the end of the 19-year term of Rep. Rick Boucher (D-VA), who worked with Rep. Rick Stearns (R-FL) to create draft privacy legislation earlier this year. Stearns, however, has pledged to keep working on privacy legislation but would reportedly like to see a bill that "allows innovation to continue to flourish." Another change is the election of Connecticut Attorney General Richard Blumenthal, described by Wolf as "well-known for his aggressive investigations and settlements related to privacy issues," to the U.S. Senate.
Full Story

HEALTHCARE PRIVACY—U.S.

ONC Seeking Public Comment (November 3, 2010)

The Office of the National Coordinator (ONC) has opened its public comment period on privacy and security concerns associated with the move to electronic personal health records (PHR), Government Health IT reports. The ONC is seeking the input for a roundtable on new technologies, including PHRs, to be held on December 3 to explore different approaches to privacy and security requirements for third-party PHR vendors. While some PHRs are available through healthcare providers and plans covered by HIPAA privacy and security rules, the report notes that HIPAA does not govern PHR technology developers. 
Full Story

RFID

RFID Guidelines in Development (November 3, 2010)

Trade associations and technology companies have come together to develop guidelines and standards to support the push for RFID technology across the apparel supply chain, RFID News reports. The "Item Level RFID Initiative" group includes the National Retail Federation, Retail Industry Leaders Association, Voluntary Interindustry Commerce Solutions and standards organization GS1, among others. The group intends to support the need to protect consumer privacy when using RFID technology, the report states, and to list guidelines for RFID use. Macy's and Walmart are among the retailers that have switched to RFID technology.
Full Story

PERSONAL PRIVACY—GERMANY

Electronic ID Cards Incite Concerns (November 3, 2010)

Fears about privacy and identity theft are accompanying the government's rollout of electronic identity cards, Reuters reports. The cards store personal data--including the owner's date and place of birth, address, biometric photo and voluntary fingerprints--and aim to facilitate e-commerce by allowing users to sign documents electronically. But around 44 percent of Germans are skeptical about the cards, according to an industry body's survey. Johannes Caspar, head of Hamburg's data protection agency, said some of the fears are based on a "Big Brother" scenario about the state's collection and storage of personal information.
Full Story

PRIVACY LAW—U.S.

White House Privacy Group Charter Released (November 3, 2010)

The inter-agency committee on Internet privacy, established last month by the White House, has released a charter statement saying it will come up with a whitepaper and policy and legislative guidelines during its two-year term, reports The Washington Post. According to the report, the group has three main tasks--to produce a whitepaper from government agencies' policy work, come up with "general principles" for an Internet privacy framework and vet all government statements on privacy. Some privacy advocates say that the group's lack of a mission to create laws could be a detriment. (Registration may be required to access this story.)
Full Story

HEALTHCARE PRIVACY—U.S. & INDIA

Privacy Concerns Slow Outsourcing of PHRs (November 3, 2010)

When it comes to electronic health records, privacy concerns are making the U.S. healthcare industry reluctant to embrace outsourcing, TMC reports. One expert highlighted the concerns by suggesting that patient confidentiality takes a backseat when medical files leave the U.S., the report states. However, Indian companies counter that when it comes to protecting health information, they are required to adhere to the same regulations as technology companies within the U.S.
Full Story

PRIVACY LAW—U.S.

Opinion: Gov’t Should Stay Out of Consumer Info (November 3, 2010)

Last week's ruling that Amazon.com would not be required to hand over detailed information about its customers to the North Carolina Department of Revenue was an important win for privacy rights, but more remains to be done, according to a TIME editorial. Amazon claimed that turning over names and addresses would violate citizens' rights to free speech after the state demanded the information in order to collect sales tax revenue. U.S. District Judge Marsha Pechman wrote in her ruling that "The First Amendment protects a buyer from having the expressive content of her purchase of books, music and audiovisual materials disclosed to the government."
Full Story

ONLINE PRIVACY—UK

ICO: Street View Review Needs “Calm and Measured” Approach (November 2, 2010)

Following recent accusations in the House of Commons regarding Google's collection of personal information on unsecured wireless networks via its Street View vehicles, the Information Commissioner's Office (ICO) has released a statement that it will "take a calm and measured approach to the issue of data privacy." MP Robert Halfon was among those who criticized the company and the response to the incident, SC Magazine reports. The ICO statement stresses the office must ensure it does not "get caught up in the emotive arguments which will only naturally take place around sensitive issues such as the inadvertent collection of data by Google Street View."
Full Story

PRIVACY LAW—U.S.

What Will Midterms Do to Privacy? (November 2, 2010)

The Hill reports that no matter who controls Congress after the midterm elections, online privacy legislation will likely survive due to bipartisan support. The Boucher-Stearns Discussion Draft, for example, requiring Web site transparency on user data use, was championed by a Democrat and a Republican. Jeff Chester of the Center for Digital Democracy said that "Privacy is a hot-button red and blue issue" that both sides can work together on. However, if Republicans gain control of the House and Democrats control the Senate, as many predict, it could lead to gridlock on major issues, pushing privacy and cybersecurity down on the priority list.
Full Story

PERSONAL PRIVACY—CHINA

Citizens Reluctant to Reveal Personal Info (November 2, 2010)

The Chinese government is acknowledging that citizens' reluctance to offer up personal information to census takers may hamper efforts to get an accurate read on how the country has changed over the past 10 years. The Christian Science Monitor reports that a pre-census poll revealed "more refusals to cooperate with the census," according to the deputy head of the census project. In an effort to quell concern, the deputy premier went on television asking citizens to provide accurate data and warning enumerators to keep personal information confidential, the report states. Meanwhile, a long-distance running program at about 100 universities throughout the country is drawing complaints from students over its requirement that they provide fingerprints in order to participate.
Full Story

SOCIAL NETWORKING

New Feature Raises Concerns (November 2, 2010)

"Friendship Pages," a new Facebook feature that shows the relationship between friends, is raising privacy concerns, InformationWeek reports. The new feature uses public information shared between friends that would be linked under relevant wall posts, stories and profile photos and would be accessible to those who are Facebook friends with at least one of the two users, the report states. Some users, however, are voicing privacy concerns. As one user put it, "While I'm all for innovation, privacy should come first...If you introduce a new feature, notify the community when it arrives." Users are also calling for clear opt-in or opt-out choices for such features.
Full Story

ONLINE PRIVACY

Rethinking Privacy in the Cloud (November 2, 2010)

With privacy concerns abounding when it comes to Internet use and cloud computing, eSecurityPlanet explores the idea of rethinking privacy in the cloud. "To gain some clarity on the cloud privacy issue, it is helpful to break down the exposure use cases into three categories," the report states, focusing on the issues of unintentional user-driven data leaks, lack of provider protections and intentional breaches perpetrated for monetary gain. When it comes to cloud computing, the report suggests, "providers have a responsibility to let users and enterprises know when they're using our information to hop on the marketing gravy train and selling sensitive information to other vendors and advertisers." Editor's Note: The upcoming IAPP Practical Privacy Series will feature a session on cloud computing issues entitled "Cutting Through the Cloud Computing Fog: Evaluation, Adoption, Privacy and Security."
Full Story

PRIVACY LAW—U.S.

Experts: Browser Add-On May Be Illegal (November 2, 2010)

Computerworld reports that some legal experts believe using the browser add-on Firesheep to identify users on open networks visiting unsecured Web sites and access their accounts on popular social networks and other Web sites may be against the law. The tool itself is not illegal, but using it may be a violation of federal wiretapping laws and an invasion of privacy, the report states. "There are two schools of thought," said Jonathan Gordon of the law firm Alston & Bird. "The first is that there's no reasonable expectation of privacy in a public insecure WiFi connection," while the second suggests "that when people are accessing their social network, they have an expectation that whatever they're doing is governed by the privacy settings in that network."
Full Story

PRIVACY LAW—U.S.

Lawmaker Concerned with Online Sales Tax Collection (November 2, 2010)

A North Carolina court ruling could have implications for a recently passed Colorado law, The Denver Post reports. North Carolina sued Amazon last April for what it claimed to be $50 million in uncollected sales taxes. Amazon, in turn, sued North Carolina with the support of the American Civil Liberties Union (ACLU), claiming that turning over names and addresses would violate citizens' rights to free speech. The court ruled in Amazon's favor last week. Colorado Rep. Amy Stephens (R-Monument) says those concerns over privacy echo in Colorado, and "Coloradans should be free to make online purchases without government looking over their shoulder."
Full Story

ONLINE PRIVACY—GERMANY

Street View Launched (November 2, 2010)

Google's first Street View images of Germany are now online, AFP reports. Following opposition to the mapping service over privacy concerns, Google allowed people to opt out by having their properties pixelated, and about 250,000 Germans chose the option, the report states. The first images now online show the town of Oberstaufen in Bavaria, and some of the houses are blurred. Street View will be rolled out in the country's 20 largest cities later this year, the report states.
Full Story

PRIVACY LAW—CANADA

Legislation Aims To Improve Medical Practices (November 2, 2010)

Health legislation proclaimed in New Brunswick in September will provide better guidance for medical professionals about how they should record, access and use a patient's personal medical information, The Daily Gleaner reports. The Personal Health Information Privacy and Access Act will govern the collection, use, disclosure and secure destruction of personal health information by every public user, the report states. One health network's chief privacy officer says the legislation will also provide guidance on breach notification and management of electronic health records. "It gives us a consistent practice so everybody's using that same standard, whereas in the past, the different facilities may have had their own policy or practice."
Full Story

PRIVACY LAW—U.S.

Indiana Sues WellPoint for Data Breach (November 1, 2010)

The Indiana attorney general's office is suing health insurance giant WellPoint, Inc., for $300,000 for waiting months to notify customers that their medical records, credit card numbers and other sensitive information may have been exposed online, the Associated Press reports. The suit, filed last week in Marion County, IL, alleges that WellPoint violated state law requiring data breach notifications because it knew of a privacy breach that exposed up to 470,000 customers' personal information for at least 137 days between last October and March but didn't alert those customers until June, the report states. WellPoint says it notified customers after identifying those potentially affected.
Full Story

SOCIAL NETWORKING

Facebook Suspends Apps for Sharing User Data (November 1, 2010)

The Wall Street Journal reports that Facebook has announced that a data broker paid application developers for users' information, prompting the world's largest social networking site to place some of its app developers on a six-month suspension. In its announcement, Facebook wrote that it has a "zero tolerance" policy for data brokers "because they undermine the value that users have come to expect from Facebook," the report states. The company has said the apps in question were not providing data that users had set as private, but wrote that "this violation of our policy is something we take seriously." Facebook has not named the app developers or data broker involved, the report states. (Registration may be required to access this story.)
Full Story

FINANCIAL PRIVACY

PCI DSS Changes Welcomed (November 1, 2010)

Although the PCI Security Standards Council (PCI SSC) revisions to the PCI data security standard (PCI DSS) and payment application data security standard (PA DSS) have been described as minor, the response so far has been positive, SC Magazine reports. The new version, which will go into effect on Jan. 1, "does not introduce any new major requirements, and the majority of changes are modifications to the language, which clarify the meaning of the requirements and make understanding and adoption easier for merchants," the report states. The report highlights the positive responses by several organizations and data protection professionals to the changes announced last week.
Full Story

PRIVACY LAW—U.S.

Is DNA the Same as a Photograph? (November 1, 2010)

At issue in United States v. Mitchell is one of the most important privacy rights decisions facing the courts, the Pittsburgh Post-Gazette reports. The 3rd U.S. Circuit Court of Appeals will decide whether routine DNA sampling should be considered no different from fingerprinting or photographing, or whether a warrant should be required for its collection. In November 2009, U.S. District Judge David S. Cercone of the Western District of Pennsylvania ruled that DNA sampling of arrestees violates the Fourth Amendment because a genetic sample can reveal much more about a person's identity than fingerprints or photographs, the report states. The U.S. Attorney's Office has argued the ruling should be reversed.
Full Story

DATA RETENTION—AUSTRALIA

Senate Inquiry on Retention Regime (November 1, 2010)

According to the Australian Attorney General's Department, the government has proposed a new data retention plan because of fleeting data records kept by voice over Internet protocol (VoIP) communications, Computerworld reports. At a Senate inquiry into the plan, the Australian Federal Police assistant commissioner referred to the plan as maintaining the "status quo" and said only the time, cost, location and persons involved in a communication would be retained under the proposed plan. Greens Sen. Scott Ludlam criticized the department for not consulting the public about the proposal. "I would have thought in the light of this expansion of data to be retained you would be talking to civil libertarians, privacy activists, take your pick," he said.
Full Story

SOCIAL NETWORKING

Filling Privacy’s Generation Gap (November 1, 2010)

Michael Geist writes of this past week's 32nd Annual Data Protection and Privacy Commissioner Conference and the focus on the perception of "a growing privacy divide between generations, with older and younger demographics seemingly adopting sharply different views on the importance of privacy." In this Toronto Star report, he writes that "longstanding privacy norms are being increasingly challenged by the massive popularity of social networks that encourage users to share information," citing strategies to balance openness and personal privacy while ensuring companies "understand the legal limits on collecting, using and disclosing personal information and for users to know that the law stands ready to assist them if those rules are violated."
Full Story

PRIVACY LAW—AUSTRALIA

Office of Information Commissioner Launched (November 1, 2010)

The Office of the Australian Information Commissioner (OAIC) has been officially launched with the mission of championing open government, Computerworld reports. The office, headed by Information Commissioner John McMillan, will include Australian Privacy Commissioner Timothy Pilgrim and was officially launched by Minister for Privacy and Freedom of Information Brendan O'Connor. They will be joined by Australia's first freedom of information commissioner, James Popple, an adjunct lecturer in the school of computer science at Australian National University. Popple, appointed on October 29, will be responsible for freedom of information requests. The OAIC "fills a major gap in the system," McMillan said, adding it aims to promote better information management by government.
Full Story