Privacy News | Daily Dashboard


Top Privacy News

PRIVACY LAW—U.S.

Industry Opposes FIPPs-Based Regulations (January 31, 2011)

A coalition of advertising, media and business organizations has submitted comments to the Department of Commerce arguing that while Fair Information Practice Principles (FIPPs) are a "useful tool" when analyzing online privacy, they should not be codified in new laws, MediaPost NEWS reports. The comments were submitted in response to calls for industry and advocacy groups to develop enforceable, self-regulatory privacy policies. A FIPPs-based framework for online privacy "would reduce industry's ability to respond to changes in consumer preferences and would hinder advancements in technology," according to the coalition, which includes such groups as the Interactive Advertising Bureau and Newspaper Association of America. Some privacy advocates, meanwhile, have submitted comments that government regulation is needed to protect consumers.

PRIVACY—GERMANY

Justice Minister Focuses on Privacy Leadership (January 31, 2011)
The Associated Press reports on Justice Minister Sabine Leutheusser-Schnarrenberger's comments that Germany should become a leader in international data protection standards. Urging the EU to include agreements on data protection standards with the U.S. in its revision of existing data protection laws, she spoke of the "different legal cultures" of data protection on both sides of the Atlantic, noting, "For this reason, I believe it is important that we strive to achieve basic ground rules of what constitutes data security." Leutheusser-Schnarrenberger has announced the creation of a German foundation to explore such data security issues as developing technology to protect users' privacy.

PRIVACY LAW—UK

Companies Await Changes to BT Rules (January 31, 2011)

UK businesses are preparing for changes to current law that will bar them from collecting personal information about Internet users without their knowledge, the Daily Mail reports. As the European Commission reviews the data protection act, changes are expected to include a strengthening of people's rights to opt out of having their personal data used for targeted ads and could include the right to have their data permanently deleted. Justice Minister Lord McNally said technology has come a long way, which is why "the government is working with businesses, charities, consumer groups and the public sector to look at the law and ensure it continues to protect our personal information well into the 21st century."

PERSONAL PRIVACY—U.S.

Smart Meters Face Resistance (January 31, 2011)

The New York Times reports on the growing opposition to smart meter installations at homes in Maine and California. The wireless meters report hourly home energy usage back to the utility. Some Maine residents have launched e-mail campaigns, and some municipalities in both states have adopted moratoriums on meter installation. A group of Californians has launched a "Stop Smart Meters" campaign, and four protesters have been arrested for blocking trucks delivering meters to homes. In response to privacy concerns, the vice president of Edison Electric Institute, the national association of utilities, said, "We've always gotten information about customers' usage and always kept it confidential. We're going to honor their privacy." (Registration may be required to access this story.)

PRIVACY LAW—U.S.

Agreement Reached in Wi-Fi Case (January 31, 2011)

Google has reached an agreement with Connecticut Attorney General George Jepsen over the collection of personal information through unsecured wireless networks. The Hill reports that as part of an agreement that will prevent court action, Google admitted its Street View cars collected private data. Jepsen's predecessor, Sen. Richard Blumenthal (D-CT), issued a Civil Investigative Demand requiring the company to turn over the data last year, but as part of the agreement, the company will not have to hand over the data. "The stipulation means we can proceed to negotiate a settlement of the critical privacy issues implicated here without the need for a protracted and costly fight in the courts," Jepsen said. Google has said it will continue cooperating with authorities.

BIOMETRICS—AUSTRALIA

Fingerprint Scanners Popular, Regulations Lacking (January 31, 2011)

Australian night clubs are increasingly requiring patrons to use fingerprint scanners for access, but a lack of regulations about the biometric data collected has some concerned about potential ramifications, The Sydney Morning Herald reports. Privacy Commissioner Timothy Pilgrim has drafted scanner guidelines but has no auditing powers. The Biometrics Institute of Australia has called for changes to the Privacy Act, including mandatory privacy impact assessments and audits with no exemption for any group and a unified national privacy system, the report states. Pilgrim said anyone using the scanners should be aware that the Privacy Act requires that they provide notice for data uses and that it "cannot be automatically shared with other venues."

DATA LOSS—IRELAND

Credit Card Scam Still Active (January 31, 2011)

Data Protection Commissioner Billy Hawkes and Microsoft Ireland are warning the public about a cold-calling scam from people claiming to represent Microsoft, Silicon Republic reports. Scammers posing as Microsoft employees have been calling individuals claiming there was a problem with their computers and that they could fix it by downloading a file that would be available once a credit card was provided. The file contained a virus, allowing the hackers access to the individuals' personal information. The still-active scam is under investigation by the Garda, ComReg and the National Consumer Agency. Individuals are warned to hang up if they receive such a call and to call their credit card provider if any account details were provided.

SOCIAL NETWORKING

Advocates Not “Liking” Ad Plan (January 31, 2011)

While a new feature on the world's largest social network is being seen as potential gold for advertising, privacy advocates and some users are raising concerns, USA TODAY reports. The new advertising format uses Facebook members' "likes" and other online actions to create promotional content in the form of "Sponsored Stories," which "became available for large brands to buy last week and is being rolled out over the next few weeks to Facebook's more than 500 million members." The Electronic Frontier Foundation is calling for an opt-out option for users. "Any time they make a change, people react, especially if there is a commercial element," says Future of Privacy Forum Director Jules Polonetsky, CIPP.

DATA PROTECTION

Data Protection Day Brings Celebration, Call for International Treaty (January 28, 2011)
Across the globe today, institutions and individuals are recognizing Data Privacy and Protection Day. Officials from the U.S. to Canada and the UK to Belgrade are recognizing the anniversary with special events and announcements. In Europe, the day falls on the thirtieth anniversary of the signing of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, the first comprehensive international document on data storage, use and sharing, Deutsche Welle reports. European Data Protection Supervisor and EU Justice Commissioner Viviane Reding hailed the occasion in video addresses, while in a speech earlier today, Council of Europe Secretary General Thorbjorn Jagland said, "30 years of experience with data protection allows us to make one clear conclusion: the only way to strike the balance between freedom of expression and the right to privacy in data collection is having an international, legally binding treaty."

PRIVACY LAW—EU

Reding: Rules Must Reflect Modern Times (January 28, 2011)

European Commission Vice President Viviane Reding was scheduled to speak in Davos today in honor of Data Protection Day, discussing 2011 data protection reform. Reding was attending a session on cloud computing and was to meet with leading European and U.S. technology companies, according to a European Commission media release. Reding said the commission's review of the 1995 Data Protection Directive "will have a profound impact on the ICT industry. My goal is to ensure that the modernized rules reflect changes in technology--especially the emergence of cloud computing, social network sites and behavioral advertising." Clarifying legal certainties for cross-border services will have a profound impact on the ICT industry and strengthen users' data protection rights, the report states.

ONLINE PRIVACY—U.S.

Analysts Support Code of Ethics (January 28, 2011)

Amid increasing scrutiny of the Internet data industry, the Web Analytics Association is supporting an online code of ethics intended to allow consumers to opt out of online tracking and to offer clear privacy policies explaining data collection and usage, The Wall Street Journal reports. However, questions remain about how such a self-regulatory approach would be enforced, the report states. "We have to trust that this is a community of professionals and that putting your name and city--and behind the scenes your e-mail address--means you're actually committed to following through," said one of the Web analytics experts behind the effort, adding, "it's about the long-term health of our sector." (Registration may be required to access this story.)

ONLINE PRIVACY—EU

Commissioner: EU Should Guide Cloud Deployment (January 28, 2011)

The European Union is set to introduce a set of cloud computing guidelines that will address data protection, privacy regulations and common approaches to cloud deployment, Computerworld reports. At the World Economic Forum in Davos yesterday, European Digital Agenda Commissioner Neelie Kroes said the EU can help the transition to the cloud run "smoother and faster," and should take care that data protection achievements do not clash with the cloud. The three areas the EU should get involved in are the cloud's legal framework around data protection and privacy, technical and commercial fundamentals and supporting pilot projects towards cloud deployment, the report states. A document containing plans for such action should be released by 2012, Kroes said.

PRIVACY LAW—CZECH REPUBLIC & EU

Senators Consider PNR Plan (January 28, 2011)

The Czech Senate is recommending creating a system of guarantees to prevent the transfer of data on air passengers to countries outside of the EU without the member state's consent, the Prague Daily Monitor reports. During a debate of the European Commission's statement on global transfer of passenger name records (PNR), Czech senators demanded that "all possible EU agreements with other countries on the transfer of these data be approved by national parliaments," the report states. As PNR include trip dates, contact data, payment, luggage and other information, the senate's commission for privacy protection believes the extent of the collected data is excessive.

CHILDREN’S PRIVACY—U.S.

Advocates: Potential COPPA Revisions Fall Short (January 28, 2011)

The recently released Department of Commerce green paper on commercial data privacy does not sufficiently protect adolescents. That's according to a coalition of children's online privacy advocates who submitted comments about the paper recommending that forthcoming Children's Online Privacy Protection Act (COPPA) revisions include teenagers in online privacy protections, Broadcasting & Cable reports. The groups--which include the Center for Digital Democracy, World Privacy Forum and pediatric doctors associations--also want behavioral targeting data to be considered protected personal information and a broadened definition of online services that would include games and mobile applications. COPPA is under review by Commerce and the FTC. It currently covers children ages 12 and under.

DATA PROTECTION—UK

ICO Releases Guidelines for Online Safety (January 28, 2011)

Information Commissioner Christopher Graham has released guidelines to help consumers protect their personal information on social networking sites and understand what steps to take if a data breach occurs, The Telegraph reports. The "Personal Information Toolkit" also aims to alert consumers about their right to access and correct information held about them, the report states. Graham said, "It's never been more important to protect your personal information." A recent Information Commissioner's Office survey found that 92 percent of people believe that organizations are failing to keep customers' personal details safe online and that three out of five people think they have lost control of the way their personal information is collected and processed.

PRIVACY LAW—LATVIA

New Data Protection Law Takes Effect Next Week (January 28, 2011)

Latvia's new data protection law will take effect on February 1, Deutsche Welle reports. The law requires the appointment of a new IT security official to oversee all state institutions. It also establishes the nation's new Cyber-Security Response Agency, which will be comprised of eight IT experts who will oversee IT security and promote data protection awareness among public-sector employees. The Latvian Parliament passed the law last October following a February 2010 data breach at the State Revenue Service. One of the drafters of the legislation said, "We will establish the minimal standards for every state and every local government institution in IT security."

ONLINE PRIVACY—KOSOVO

SIM Registration Deadline Nears, But Still No Privacy Regulator (January 28, 2011)

Per a new directive from Kosovo's telecom regulator, mobile phone owners must register their SIM cards by February 28 or face disconnection, Deutsche Welle reports. And this could lead to trouble, according to some who say the country's data protection regulator should be put into place before such data collection and potential sharing occurs. Kosovo's data protection law was adopted in 2010, but political opposition has prevented the establishment of the agency that will enforce it. Although the Kosovo Police Service has asserted that officers will need a warrant in order to obtain registered SIM data, a European Commission official says that Kosovars should be wary.

PRIVACY LAW—U.S.

Senator to Propose Location-Based Data Bill (January 27, 2011)
A U.S. Senator says he'll soon introduce a bill that would require law enforcement agencies to obtain a warrant before accessing location-based data from mobile devices, PC World reports. Sen. Ron Wyden (D-OR) says the law has not kept up with the times when it comes to geotagging and that most Americans would tell you that surreptitious monitoring of their every movement using their cell phone is a "pretty serious intrusion into their privacy...comparable to searching their house or tapping their phone calls." Meanwhile, Microsoft has provided safety tips for location privacy, including not "checking in" to location-based social networking sites from home or including GPS coordinates in blogs or tweets.

ONLINE PRIVACY—U.S.

What Happens to Our Digital Lives After Death? (January 27, 2011)

Corporate Counsel reports on the amount of our lives spent online, suggesting that "one of the neglected ensigns of Internet citizenship is advanced planning." Lawmakers are just beginning to explore the realm of the disposition of digital assets when online users pass away, the report states, noting that "the most important long-term consideration is who can access a person's online life after they have gone or become incapacitated?" Most states have no provisions in law for information assets stored in the cloud, leaving open the question of "what happens to Flickr photo albums, Facebook profiles, YouTube videos and Twitter accounts residing in cyberspace and locked behind passwords and security settings?"

PRIVACY LAW—U.S.

Legislators Seek Details on ISP Tracking Plan (January 27, 2011)

The U.S. Department of Justice is seeking a new law to require ISPs to keep records of user activity, but legislators are calling for more information, CNET News reports. A DoJ official told House Judiciary Committee members at a hearing on Tuesday that "the government doesn't have a specific proposal" at this time, prompting questions from members as to just when such a proposal will be brought forward, while other members suggested "more robust data retention will certainly assist law enforcement" in tracking down criminals. The scope of any proposed mandatory data retention law remains unclear, the report states.

DATA RETENTION

Report Questions Effectiveness of Data Retention (January 27, 2011)

U.S. law enforcement officials this week called for mandatory data retention periods for Internet service providers in order to better fight online crime, just as a European NGO released a report critical of data retention as a crime-fighting method. The report, published by the German NGO AK Vorrat, states that data retention is ineffective because criminals switch to "Internet cafes, wireless Internet access points, anonymization services, public telephones, unregistered mobile telephone cards" and other means to get around scrutiny, The Wall Street Journal reports. The European Commission continues its review of the controversial data retention directive. (Registration may be required to access this story.)

PERSONAL PRIVACY—U.S.

Customers Want Smart Meter Opt-Out Option (January 27, 2011)

The Maine Public Utility Commission (PUC) will determine whether or not Central Maine Power Company (CMP) customers should be allowed to opt out of the company's smart meter implementation in homes across the state, WCSH6 reports. CMP has begun plans to install 600,000 wireless smart meters, which report hourly electricity usage back to the utility via the Internet. But some customers want to opt out of the installation based on concerns that smart meters may put security and privacy at risk if hackers gain access to the system. The PUC decision will also address whether or not there would be a cost associated with opting out. 

ONLINE PRIVACY

Privacy as Competitive Edge (January 27, 2011)

The Wall Street Journal examines whether startup search engine DuckDuckGo's pledge to honor user privacy by not storing personal data or sending search information to other sites will provide a competitive edge against online search giants. The report poses the question, "Would you switch search engines for privacy reasons, or are other aspects of search more important to you?" DuckDuckGo's founder has said the company's goal is to appeal "to a non-negligible part of the population," adding he expects the site to see about 4 million searches this month, up from a typical 2.5 million per month before he publicized its privacy features. (Registration may be required to access this story.)

DATA LOSS—U.S.

NC DHHS Trashed Disks By Accident (January 27, 2011)

The North Carolina Department of Health and Human Services (DHHS) has announced that it may have thrown out computer disks containing personal information during an office renovation, reports WNCT. The disks contained the personal information of people who had applied for services through the Division of Services for the Deaf and the Hard of Hearing between 2005 and 2008. DHHS is sending letters to all those affected, alerting them to the incident and offering guidance on how to protect themselves from identity theft, the report states. The department has also notified the State Bureau of Investigation and the attorney general's office, and it is revisiting its policies and procedures to better protect records.

SURVEILLANCE

Coming Soon: Cameras Everywhere (January 27, 2011)

USA TODAY reports on the ubiquity of digital sensors and the resulting "explosion of sensor data collection and storage." One chief technical officer predicts that sensors, already status quo in airports, subways, banks, ID cards and laptops, "will touch nearly every aspect of our lives." Privacy concerns need to be addressed before then, says privacy expert Christopher Wolf. "What's new is the capacity for databases to share data and therefore to put together the pieces of a puzzle that can identify us in surprising ways--ways that really could be an invasion of privacy," Wolf said. The article also discusses the potentially "chilling effect" of photo tagging.

PRIVACY LAW—U.S.

Law Enforcement Asks for ISP Retention Law (January 26, 2011)
The U.S. Department of Justice and law enforcement officials from around the country have renewed calls for legislation mandating that Internet service providers (ISPs) retain certain customer usage data for up to two years, Computerworld reports. Those calls came at a House Judiciary Committee hearing Tuesday, where members indicated self-regulation would be their preferred path. From a privacy perspective, John Morris of the Center for Democracy and Technology cautioned that law enforcement would have a "massive amount of information" on presumably innocent Internet users. While privacy advocates are sounding an alarm over what one expert described as "dragnet surveillance by the government," a justice official said, "any privacy concerns about data retention should be balanced against the needs of law enforcement to keep the public safe."

SURVEILLANCE

Tracking Technology Raises Concerns (January 26, 2011)

New tracking units are raising concerns among privacy advocates. Garmin's new personal tracking device, GTU 10, was introduced last month and is small enough to be stored without a person knowing, reports The Kansas City Star. The Electronic Frontier Foundation's Lee Tien says he is concerned about "protecting the privacy of individuals with respect to location and movement." Meanwhile, a "Find Your Car" system introduced in California allows mall shoppers to punch in their license plate number for a network of cameras to detect the car's location, prompting an ACLU attorney to caution that "the unintended consequences can be huge."

PRIVACY—CANADA

Stoddart Looks to Privacy Enforcement (January 26, 2011)

The Ottawa Citizen reports on Privacy Commissioner Jennifer Stoddart's first public lecture of 2011, where she "put the Canadian privacy and business communities on notice that she intends to use her new mandate to reshape the enforcement side of Canadian privacy law." During her talk at the University of Ottawa, Stoddart spoke of strategies to move organizations into better privacy compliance practices. Stoddart said enforcement reform is likely to focus on such factors as penalties for violations and empowering the Office of the Privacy Commissioner to "name organizations that violate the law," the report states.

ONLINE PRIVACY—U.S.

New Tracking Proposals All Face Challenges (January 26, 2011)

New proposals to address online privacy concerns about behavioral tracking each come with their own set of challenges, USA Today reports. While each addresses similar technical issues, experts have found they all have potential shortcomings as well, prompting some to argue tracking should be abolished entirely. Whether it's Google's proposal for its Chrome browser or plans for Mozilla's Firefox or Microsoft's IE9 to give users the opportunity to opt out of being tracked online, technology and privacy experts have suggested "it would likely still take a new federal law to compel the ad networks to honor such requests," the report states.

DATA LOSS—CANADA

Medicine Centre Breach Could Affect 60,000 (January 26, 2011)

Ottawa's Bruyere Family Medicine Centre is alerting patients that some of their personal information may have been compromised after the theft of two computers, CBC reports. Though neither computer contained medical information, data on as many as 60,000 of the clinic's patients between 1971 and July 2006 may be stored on them, including names, dates of birth, street addresses and health card numbers. There is no evidence to suggest the information has been accessed or used inappropriately, and the incident has been reported to police and the privacy commissioner, the report states.

ONLINE PRIVACY—U.S.

Students Debate Online Privacy, Safety (January 26, 2011)

Bay County, Florida's WMBB reports on a recent Florida State University student debate on Internet privacy and access to personal information. Students discussed potential Internet regulation and protection from cybercriminals and terrorists. Participants disagreed on whether or not the Internet should be regulated, while several were concerned about how to educate children on Internet safety. One student commented that a person's age seems to influence their opinion on the topics.

PRIVACY LAW—U.S.

House Panel To Consider Retaining IP Addresses (January 25, 2011)
CNET reports that Republicans in the U.S. House of Representatives are expected to unveil their first technology initiative of the new term in the form of "a push to force Internet companies to keep track of what their users are doing." At a hearing scheduled for this morning, a House panel is expected to discuss "reviving a dormant proposal for data retention that would require companies to store Internet Protocol (IP) addresses for two years," the report states. According to a spokesman for Rep. F. James Sensenbrenner (R-WI), the panel's chairman, the hearing will look at retaining IP information to facilitate law enforcement investigations of Internet crimes.

ONLINE PRIVACY

Search Engines Offer Opt-Out Plans (January 25, 2011)

Major media outlets are reporting on plans by Google and Mozilla to offer do-not-track options for their users. Google has announced its new "Keep My Opt-Outs" tool, which enables users of its Chrome Web browser to permanently opt out of online tracking, while Mozilla's new opt-out tool for its Firefox browser provides users with more understanding and control of how their personal information is being used by advertisers. A Federal Trade Commission spokeswoman discussed efforts by Mozilla, Microsoft and Google to provide do-not-track options. Meanwhile, MediaPost News reports that while the FTC is cheering such plans, "whether ad networks and online marketers will follow those preferences is far from clear."

ONLINE PRIVACY

Opinion: Is There a Dark Lining in the Cloud? (January 25, 2011)

There are many benefits to cloud computing, but European Commissioner Viviane Reding questions, "is there a dark lining to the cloud?" In an opinion piece for The Wall Street Journal, Reding cautions, "Consumers who store data in the cloud risk losing control over their photos, contacts and e-mails. Data is whirling around the world: A UK resident who creates an online personal agenda could use software hosted in Germany that is then processed in India, stored in Poland and accessed in Spain." Describing the European Commission's commitment to privacy, she writes that the EU's data protection rules "have stood the test of time, but now they need to be modernized to reflect the new technological landscape." (Registration may be required to access this story.)

ONLINE PRIVACY—GERMANY

Rhineland-Palatinate DPA Finds Legal Infractions (January 25, 2011)

The data protection authority (DPA) of Rhineland-Palatinate has concluded its investigation into the legality of Web site analysis tools, finding that many companies are breaching data protection law in using them. The DPA found that the companies are failing to notify individuals about the use of analytics and are failing to obtain the required consent to transfer personal data to the United States, reports the Hunton & Williams Privacy and Information Security Law Blog. The DPA also found that companies' data processor agreements "do not meet the statutory requirements for such agreements pursuant to the Federal Data Protection Act."

DATA LOSS—U.S.

Two Higher Ed Breaches Compromise PII (January 25, 2011)

Two educational institutions are informing those potentially affected by data breaches. Hundreds of University of Missouri System employees received the personal healthcare information of others earlier this month, reports The Columbia Daily Tribune, including benefit statements, health services letters and new identification cards. A computer glitch aligned names with the wrong addresses, according to Coventry Health Care, which manages the university's medical benefits plan.  Meanwhile, Wentworth Institute of Technology is notifying 1,300 current and former students that their personal information, including Social Security numbers and medical conditions, may have been compromised after the information was inadvertently posted on the school's Web site.

PRIVACY LAW—EU

Hustinx: Directive Changes Should Be Stronger (January 25, 2011)

European Data Protection Supervisor (EDPS) Peter Hustinx has published an opinion urging the European Commission (EC) to extend mandatory data breach notifications beyond current limits, OUT-LAW.COM reports. Hustinx says planned changes to EU privacy law do not go far enough and supports the extension of notification obligations to "fully apply to data controllers other than providers of electronic communication services." In his analysis of the EC's plans to amend data protection law, Hustinx says his office supports more ambitious solutions and calls for a strengthening of EDPS powers, a user's right to be forgotten and greater consistency in the way the directive is implemented amongst EU member states.

PRIVACY LAW—IRELAND

Hawkes Warns Candidates: Consent Before Contact (January 25, 2011)

As the general election approaches, Data Protection Commissioner Billy Hawkes has warned political parties to only communicate with individuals over text, e-mail or phone if they have consented to share contact information, Silicon Republic reports. Though candidates may send letters to anyone on the Register of Electors per the Data Protection Act, they may not obtain contact information through third parties, Hawkes warns. In the past, Hawkes has received complaints from people who received unsolicited calls, texts and e-mails, which investigations revealed were possible due to third-party information sharing without consent.

PRIVACY LAW—U.S.

Insurer Reaches Settlement with Vermont AG (January 25, 2011)

A Connecticut health insurance company will pay $55,000 to settle claims that it failed to inform customers about a data loss incident, the Connecticut Law Tribune reports. In a settlement reached with the Vermont Attorney General's Office, Health Net and Health Net of the Northeast agreed to the sum and to a requirement to file audit reports with the state for the next two years, the report states. In 2009, the company discovered that an unencrypted portable hard drive containing customers' sensitive information was missing. The company waited six months before informing customers.

ONLINE PRIVACY

Google To Debut Do-Not-Track Tool (January 24, 2011)
Web giant Google is expected to unveil its own do-not-track tool for its Chrome Web browser as early as today, POLITICO reports. The tool, called "Keep My Opt-Outs," marks the latest in corporate responses to the Federal Trade Commission's calls for companies to create browser-based do-not-track mechanisms to protect consumers' online privacy. "We're always looking into new tools to give people more transparency and control over their online privacy, and we think it's great when other companies do too," said Google VP and Deputy General Counsel Nicole Wong. The new tool builds off of work by the Network Advertising Initiative (NAI), the report states, and focuses on allowing Web users to opt out of targeted ads based on their online browsing habits. NAI's opt-out tool communicates those preferences via cookie, POLITICO reports, but those preferences "can be deleted whenever you erase your saved history," while Google's "Keep My Opt-Outs" is permanent.

ONLINE PRIVACY—U.S.

FTC Extends Comment Deadline (January 24, 2011)

MediaPost News reports that the Federal Trade Commission (FTC) has extended the deadline for comments on its privacy report until Feb. 18 at the request of a coalition of industry groups. "Additional time will allow business to evaluate the potential impact on the proposals to important business operations and critical services to consumers," Stuart Ingis, counsel to Digital Advertising Alliance, wrote to the FTC, and "provide the commission with more meaningful input from a broad spectrum of affected industries." To date, the FTC has received more than 200 comments on its report. The Senate Commerce, Science and Transportation Committee is also preparing to hold hearings on online privacy issues as early as next month.
Full Story

ONLINE PRIVACY

Mozilla’s Do-Not-Track Plan Moves Forward (January 24, 2011)

The Wall Street Journal reports on Mozilla's plans to give users a do-not-track option for its Firefox Web browser. "The announcement makes Firefox the first Web browser to heed the Federal Trade Commission's call for the development of a do-not-track system," the report states, noting other companies, including Google and Microsoft, are also exploring privacy tools. However, the report points out, for such tools to work, tracking companies must agree not to monitor those who enable them. "Mozilla recognizes the chicken and egg problem," notes Alexander Fowler, Mozilla's global privacy leader, so Mozilla is asking advertisers to join efforts to "honor people's privacy choices." (Registration may be required to access this story.)
Full Story

SOCIAL NETWORKING—GERMANY

Privacy Deal Reached (January 24, 2011)

German data protection officials and the world's largest social network have reached a deal in a dispute over a feature that allows the company to send e-mail invitations to potential users through current members' address books, the Associated Press reports. The Hamburg Data Protection Authority announced Monday that it had reached an agreement with Facebook to give its members more control over their e-mail address books, the report states, including allowing Facebook users to choose who should receive an invitation to join the site and adding an additional warning message before it can be sent. Facebook issued a statement that it looks forward to continuing "our constructive discussions and dialogue in the future."
Full Story

PRIVACY—U.S.

Experts: This Year, Privacy Gains Momentum (January 24, 2011)

The year 2011 will likely be a very busy one for privacy, according to experts in an Inc. report. Noting a recent Supreme Court ruling allowing warrantless cell phone searches, the FTC's recently released do-not-track proposal and the fact that the EU does not deem the U.S. adequate for data transfers, experts say that this year may see the passage of U.S. privacy legislation, such as the Boucher-Stearns bill. Additionally, privacy now brings a competitive edge in business, according to TRUSTe CEO Chris Babel, who says businesses that show they care about privacy "are rewarded," while those with bad practices are "penalized" when it comes to their bottom line.
Full Story

PRIVACY LAW—AUSTRALIA

Bill Would Increase Police Access to Phone Data (January 24, 2011)

The Sydney Morning Herald reports privacy advocates are concerned about a plan to change surveillance laws. Currently, police can look at call, SMS and data use up until the date of disappearance in missing persons cases. But NSW Police support a federal bill that would allow police to access all records beyond that date, saying they need access to real-time information to do their job. Privacy advocates fear such a change would allow police to monitor people without their knowledge and could lead to "gross invasions of privacy." They are calling for stricter access regulations. A senate committee on legal and constitutional affairs has recommended the Attorney General's Department review the bill for privacy issues.
Full Story

DATA LOSS

Smartphone User Data Potentially Exposed (January 24, 2011)

A mobile application developer has warned of a data breach that could affect up to 10 million users, SC Magazine reports. Trapster.com says a hacker may have accessed user e-mail addresses and passwords and advises that users change their passwords. The company believes this was a single event and has rewritten the software code to prevent future attacks, it says. It is now notifying those potentially affected, though there is no evidence that the data has been used.
Full Story

ONLINE PRIVACY—U.S.

“No-Track” Search Engine Gains Popularity (January 21, 2011)

Wired reports on DuckDuckGo, "a one-man-band search engine" that is taking aim at Internet giants' privacy practices with a prominent billboard proclaiming, "Google Tracks You. We Don't." Google has responded that the claims are inaccurate, stating, "we recognize our responsibility to protect the data that users entrust to us, and we give them meaningful choices to protect their privacy." DuckDuckGo founder Gabriel Weinberg has been focused on a do-not-track strategy, including the creation of the Web site donttrack.us earlier this month. This privacy message seems to be one that users agree with, the report states, noting that DuckDuckGo's search traffic doubled after the site got attention.

DATA PROTECTION—CANADA

Stoddart: Fining Powers May Be Necessary (January 21, 2011)

Privacy Commissioner Jennifer Stoddart says her office may need fine-levying authority in order to more effectively protect the privacy of Canadians, according to an article in The Wire Report. In a speech at the University of Ottawa's Centre for Law, Technology and Society on Wednesday, Stoddart said, "I am increasingly of the view that we may need stronger powers to be an effective privacy guardian for Canadians. Canada has become one of the few major countries where the data protection regulator lacks the ability to issue orders and impose fines." Editor's note: To learn more about the fine-issuing capabilities of privacy regulators worldwide, see the IAPP's 2010 Data Protection Authorities Global Benchmarking Survey. (IAPP member login required.)
Full Story

PRIVACY LAW—U.S.

Will “Do-Not-Track” Become the Law of the Web? (January 21, 2011)

While the online industry is opposing the Federal Trade Commission's call for a voluntary do-not-track mechanism, MediaPost reports that some privacy experts believe the initiative will move forward. A Future of Privacy Forum poll, for example, found that 86 percent of respondents "believe that do-not-track will be enshrined in law by the end of the year," the report states. Examining do-not-track, the report suggests that if it does become law, "there's no reason to think it would lead to the end of either free content or online advertising. On the contrary, do-not-track is just another name for the notice-and-choice principles the industry has endorsed since at least 2000" with one important change--the industry would be regulated.
Full Story

PRIVACY LAW—U.S.

Future of Internet Legislation Unknown (January 21, 2011)

The potential for partisan gridlock in the U.S. Congress may have implications for forthcoming privacy legislation, ADWEEK reports. Online privacy continues to be an issue for the government, with both the Federal Trade Commission and the Commerce Department making recommendations to address Internet activity and personal information. Senate Commerce, Science and Transportation Committee Chairman Jay Rockefeller (D-WV) has outlined his committee's priorities to include online privacy and consumer protection. "That's in contrast to the Republican-controlled House Energy and Commerce Committee, which listed Internet privacy, cybersecurity and content protection as 'possible' topics," the report states. One privacy expert suggests, "It's unlikely we'll see any big privacy legislation come out of Congress."
Full Story

PRIVACY LAW—U.S.

Simitian Introduces Bill to Update Notification Rules (January 21, 2011)

California State Sen. Joe Simitian (D-Palo Alto) has introduced a bill to strengthen data breach notification requirements, Central Valley Business Times reports. The California legislature passed the bill last year, but then-Gov. Arnold Schwarzenegger vetoed it. "I'm hoping a new administration will give this issue a fresh look," Simitian said. For companies and government entities, the bill specifies what information must be included in breach notices. It also includes a requirement for breached entities to notify the state attorney general if the data loss affects 500 or more Californians. "This new measure makes modest but helpful changes for consumers," Simitian said.
Full Story

DATA LOSS—UK

Lush Confirms Breach (January 21, 2011)

ZDNet reports that Lush Cosmetics has suffered a data breach. The company issued a statement yesterday advising customers that credit card information was compromised when hackers entered the UK version of its Web site. ZDNet reports that Lush customers are reporting fraudulent transactions in their bank accounts. The company has shuttered the compromised site due in part to re-entry attempts by the perpetrators. In its statement, Lush said, "For complete ease of mind, we would like all customers that placed ONLINE orders with us between 4th Oct 2010 and today, 20th Jan 2011, to contact their banks for advice as their card details may have been compromised."
Full Story

DATA PROTECTION—U.S.

Expert, Courts: Web Privacy Only Goes So Far (January 21, 2011)

The Atlanta Journal-Constitution explores the question of whether it is possible to have privacy on the Web. "People believe that they're acting anonymously on the Internet, and to a certain extent that may be true," said media attorney Peter Canfield, "but people have virtually no privacy on the Internet. When you go online, you leave tracks that can be followed and traced." Others point to the potential for defamation on the Internet by anonymous posters. Experts point to Internet privacy issues as generating litigation across the nation, with courts indicating that Web users' identities "should only be available if it's for a court case and not just to seek retribution," the report states.
Full Story

BEHAVIORAL TARGETING—U.S.

Controversy Brewing Over BT Bank Ads (January 20, 2011)

MediaPost News reports on a controversy brewing over behavioral ads for big-name companies showing up in online bank statements as coming with "less-than-ideal timing for the advertising industry, to put it mildly." While indications are the ads are working, the report states, consumer privacy protection groups contend that most consumers are unaware of opt outs, and media reports on the practice are "generating negative viral attention for both banks and participating marketers." Meanwhile, advertising industry groups are urging marketer and agency members to implement a self-regulatory online behavioral advertising program to avoid government intervention, the report states, while the FTC is collecting comments on a possible do-not-track mechanism through the end of this month.
Full Story

PRIVACY LAW—U.S.

Court “Skeptical” that Corporations Have Personal Privacy Rights (January 20, 2011)

The Washington Post reports that it "might be an understatement to say the Supreme Court on Wednesday seemed skeptical" as it began reviewing a case asking whether corporations have personal privacy rights. The case came after AT&T convinced the U.S. Court of Appeals that an exception in the federal Freedom of Information Act for "personal privacy" extended to the corporation itself, the report states, pointing to a provision in the law where the U.S. Congress defined "person" to include "an individual, partnership, corporation, association or public or private organization." Chief Justice John G. Roberts Jr., however, said he disagrees with the argument that because "person" includes corporation in one part of the statute, "personal" must include corporations in another part, while Justice Ruth Bader Ginsburg pointed out that the law contains many exceptions, including for medical records, trade secrets and financial records. (Registration may be required to access this story.)

PRIVACY LAW—U.S.

Analysis: Privacy Legal Risks at a Crossroad (January 20, 2011)

In an analysis piece for InformationLawGroup, David Navetta, CIPP, reflects on privacy as one of the key issues of 2010 and predicts the privacy-related lawsuits filed last year "have the potential to change the privacy and security game in ways that are difficult to anticipate." The resolution of these cases, he suggests, might be the "tipping point" that leads to new state or federal privacy laws. Reviewing an array of online tracking lawsuits related to "zombie" cookies, HTML 5, history sniffing and deep packet inspection and privacy lawsuits on such topics as data aggregation and social media uses, "it appears that privacy-related legal risk and liability potential...will likely increase going forward," Navetta writes.
Full Story

PRIVACY LAW—EU

Hustinx Calls for Incentives, Stronger Regulatory Powers (January 20, 2011)

V3.co.uk reports that European Data Protection Supervisor Peter Hustinx has backed the European Commission's (EC) plans to reform EU data protection laws but wants stronger accountability for public and private companies controlling data. As the EC reviews data protection laws, Hustinx says mandatory data breach notification laws are necessary in all relevant industries and has called for data controller incentives that would encourage controllers to revise their business processes in the name of compliance. Data protection authorities also need stronger powers, he says, adding, "If we want to strengthen citizens' rights over their personal data, we need to ensure that individuals remain in control..."
Full Story

DATA PROTECTION—CANADA

Commissioner Orders Retailer: Protect PII (January 20, 2011)

Alberta's privacy commissioner has ordered Staples Canada to better protect personal information, The Edmonton Journal reports. The retailer must now ask customers that bring a computer in for repair if the machine contains a hard drive and if they authorize any personal information to be destroyed or preserved if the company buys back the computer, the report states. The commissioner's order follows an investigation after the store bought back a computer but could not locate its hard drive when the customer requested it be wiped of PII. A spokesman for the commissioner said though the order is Staples-specific, "the message would be that we would like all companies that deal with computers to have similar policies and procedures in place."
Full Story

PRIVACY LAW—U.S.

SCOTUS Rules on Worker Privacy Case (January 19, 2011)

The U.S. Supreme Court overturned a lower court's ruling on worker privacy today, Bloomberg reports. In a unanimous decision, the justices ruled that background checks conducted on independent contractors at a National Aeronautics and Space Administration facility were reasonable, the report states. A San Francisco appeals court had previously ruled that the questions asked of workers at a California jet propulsion lab were too privacy invasive. But the high court found otherwise. "The challenged portions of the forms consist of reasonable inquiries in an employment background check," Justice Samuel Alito wrote for the court.

PRIVACY LAW—SPAIN

In Madrid Court, Google Challenges AEPD (January 19, 2011)

In a Madrid court today, Google challenged five rulings by Spain's data protection authority, Bloomberg reports. The Agencia Española de Protección de Datos (AEPD) had ordered the company to remove certain articles from its search listing due to the privacy concerns of those featured in search results. But in an e-mailed statement read in court today, Google spokesman Peter Barron said, "We are disappointed by the actions of the Spanish privacy regulator. Requiring intermediaries...to censor material published by others would have a profound chilling effect on free expression..." The government, however, contends that Google has "never addressed the underlying question, the right of citizens to protect their information."
Full Story

ONLINE PRIVACY—U.S.

ANA Pushes Self-Regulation, Toolkit (January 19, 2011)

The Association of National Advertisers (ANA) is urging its 400 member companies to get behind the self-regulatory online behavioral advertising (OBA) program developed in line with the FTC's 2009 call for such an initiative. MediaPost News reports that the ANA has released a toolkit containing details about how to implement the OBA program, guidelines about who should use it and how to recognize if an advertiser is covered by it. ANA CEO and President Bob Liodice said the program "protects consumers' privacy and gives them the ability to exercise choice and control over the data used by marketers to create online behavioral advertising," adding he strongly urges all ANA members to comply.
Full Story

PRIVACY LAW—U.S.

Case Seeks Privacy Rights for Corporations (January 19, 2011)

Bloomberg reports on a business privacy case coming before the U.S. Supreme Court today that may rekindle debate over whether corporations can invoke a Freedom of Information Act (FOIA) provision protecting personal privacy. "In siding with AT&T, a lower court said companies can be embarrassed and stigmatized just like human beings," the report states, but government officials disagree. Prof. Stefan J. Padfield of the University of Akron School of Law has written about the case, suggesting the Supreme Court could rule for AT&T without necessarily affording companies the same protections as individuals, the report states, "leaving it to the agency handling the FOIA request to consider exactly how much privacy a company should have."
Full Story

HEALTHCARE PRIVACY—CANADA

Hospital Ordered To Examine PHI Protection After Breach (January 19, 2011)

Ontario Information and Privacy Commissioner Ann Cavoukian has ordered Ottawa Hospital to examine its rules and practices relating to personal health information following another electronic breach of a patient's medical records, the Ottawa Citizen reports. Cavoukian has found that the hospital "failed to comply with certain elements of a revised policy," the report states, after asking the hospital to consider changes following a breach in 2005 that was "strikingly similar" to one recently investigated. Cavoukian has concluded, "the actions taken to prevent the unauthorized use and disclosure by employees in this hospital have not been effective" and fail to comply with a section of the Personal Health Information Protection Act.
Full Story

DATA LOSS—U.S.

Charges Filed in Breach Case (January 19, 2011)

Federal prosecutors have charged two men with fraud and conspiracy in obtaining and distributing the e-mail addresses of 114,000 iPad 3G owners, The New York Times reports. Each count carries a maximum penalty of five years in prison and a $250,000 fine. Daniel Spitler, 26, and Andrew Auernheimer, 25, of Goatse Security discovered a security loophole on AT&T's Web site that allowed them to gain access to the addresses and corresponding iPad identification numbers, the report states, including those belonging to military personnel, members of the U.S. Senate and House of Representatives and employees of NASA and the Department of Homeland Security. The Goatse Security group originally stated it exposed the security vulnerability to alert the company to the problem. (Registration may be required to access this story.)
Full Story

DATA LOSS—U.S.

AGs Investigate, Settle Breaches (January 19, 2011)

Connecticut Attorney General George Jepsen is investigating a breach at the University of Connecticut Co-op. The Co-op has until Thursday to provide the office with detailed information on the breach, reports Patch. The Co-op has since shut down the Web site and notified customers, encouraging them to cancel any payment cards used on the site, but the AG says it should offer free credit protection as well. "In this era of increasing reliance on technology, it is vitally important that all entities entrusted with nonpublic personal information employ the highest levels of data security," Jepsen said. Meanwhile, NECN reports that Vermont's AG has announced that a Connecticut-based insurance agency is ready to settle a breach complaint involving the loss of a portable hard drive.
Full Story

DATA LOSS—U.S.

State Insurance Program Hacked (January 19, 2011)

South Carolina officials have notified those covered by the state's insurance program that their personal information may have been breached, the Associated Press reports. The state Budget and Control Board mailed letters last week after a computer virus attack potentially exposed names, addresses, Social Security numbers and birth dates of as many as 5,600 enrollees. An additional 800 records belonging to deceased people were potentially exposed, as well. Director Stephen Van Camp said the program aims to determine what was accessed and who was involved in the breach.
Full Story

ONLINE PRIVACY—EU

Report: No Bite in Cookie Directive (January 18, 2011)

The Wall Street Journal reports that Internet companies' concerns about a European Union directive to require them to obtain permission before placing cookies on users' computers are unnecessary. John W. Miller writes that a European Commission document written to offer formal guidance to member states implementing the directive sheds light on "how EU regulators see the directive, and that's firmly on the side of business." The document does not endorse an opt-in clause, and instead states, "It is not necessary to obtain consent for each individual operation of gaining access to or storing of information on a user's terminal if the initial information and consent covered such further use." (Registration may be required to access this story.)

PRIVACY LAW—SPAIN

Google in Spanish Court Tomorrow (January 18, 2011)

The Guardian reports on Google's challenge of the Spanish data protection commission's orders for it to remove almost 100 articles from its search listing. Company representatives will appear in a Madrid court tomorrow to challenge the order, which the Agencia Española de Protección de Datos (AEPD) says stems from increasing public complaints. The AEPD wants Google to remove from search results links to Web sites that contain certain information about citizens' pasts, but Google's Peter Barron says, "Requiring intermediaries like search engines to censor material published by others would have a profound, chilling effect on free expression without protecting people's privacy."
Full Story

PRIVACY LAW—FRANCE

DPA Amendments Move Forward (January 18, 2011)

A bill containing several key amendments to the French Data Protection Act was preliminarily adopted by the French National Assembly last week, reports the Hunton & Williams Privacy and Information Security Law Blog. The bill would amend the powers of the French data protection authority (CNIL) by requiring it to obtain a judge's approval before conducting an onsite inspection without proper warning and would authorize CNIL to publish its sanctions against violators of the Data Protection Act. It would also amend the role of CNIL's chairman, who would no longer belong to the decision-making committee on sanctions but would be required to notify parties ahead of an imposed penalty.
Full Story

BEHAVIORAL TARGETING—U.S.

Online Ads Continue To Raise Concerns (January 18, 2011)

BtoB reports on questions of how online marketing will be affected if federal regulations come into place for behavioral targeting. In the same week as reports surfaced about financial institutions' behavioral targeting ads, the report examines the FTC's calls for a do-not-track mechanism and moves by online companies to create their own opt-out features for users. Linda Woolley of the Direct Marketing Association said it is essential to make sure legislators know that "the phrase 'do not track' sounds catchy and analogous to 'do not call,' but it's not at all similar for a zillion reasons." However, the report states, "most Americans appear deeply concerned about Internet privacy."
Full Story

DATA LOSS—U.S.

Hackers Expose Military Personnel Banking Info (January 18, 2011)

The Washington Post reports that hackers breached a Pentagon Federal Credit Union (PenFed) laptop, exposing the personal and banking information of an undisclosed number of active-duty military personnel and others connected to the Pentagon. The breach was discovered on December 12, and PenFed sent notification letters earlier this month, saying there is no indication the data has been misused and no PINs or passwords were accessed. The credit union is offering two years of free credit-protection software and has reissued payment cards to all affected customers. PenFed serves almost one million active-duty military personnel as well as the Department of Defense, Coast Guard, Department of Homeland Security and other agencies, the report states. (Registration may be required to access this story.)
Full Story

SOCIAL NETWORKING

Facebook Suspends Third-Party Plans (January 18, 2011)

Facebook has decided to suspend its latest privacy policy modification, which would have enabled third-party applications to access users' addresses and cell phone numbers, reports the Inquirer. The company said it would protect users' personal information by only sharing it with third parties if the user explicitly granted permission to do so, but a Facebook spokesman this week said the company would "temporarily disable the feature" based on feedback that it could make people more clearly aware of the changes. Some have questioned how the third parties would use the additional data.
Full Story

PRIVACY LAW—SPAIN

Google Goes to Spanish Court This Week (January 17, 2011)

A Spanish court will hear a case this week involving Google and Spanish citizens' requests for privacy in search results, The Wall Street Journal reports. The case stems from the requests of private citizens for Google to remove from search results links to Web sites that contain certain information about their pasts, the report states. Spain's data protection authority has claimed that, under Spanish law, the company must honor such requests. But Google says that news providers are not subject to such obligations and questions why it should not receive the same protection. The case will be heard on Wednesday. (Registration may be required to access this story.)

DATA LOSS—NEW ZEALAND

Telecom Customer Details Exposed (January 17, 2011)

Privacy Commissioner Marie Shroff has announced that she will investigate a reported breach involving the information of millions of Telecom customers, The New Zealand Herald reports. The breach reportedly was perpetrated by associates of Telecom's rival Slingshot and exposed the names, addresses and billing plan data of every Telecom customer. Telecom retail chief executive Alan Gourdie said, "We're just outraged. This is our customer data--potentially fraudulently used. We will pursue this to all remedies that are available." Gourdie added that the Commerce Commission is also looking into the matter.
Full Story

BEHAVIORAL TARGETING—U.S.

Is Your Bank Targeting You? (January 17, 2011)

A report in The Washington Post explores online banking as the "latest frontier" for behavioral targeting, exploring a new practice by financial institutions to match ads to their customers' most recent debit card purchases. "The one thing these debit programs have is a significant amount of transaction and behavioral data," says Mark Johnson of marketing trade group Loyalty 360. "You're going to see a big push to make that insight more sellable." National chains have begun testing the checking account ads, but when it comes to consumer trust, the report states, "As the amount of personal data online grows, businesses have had to walk a fine line between using the information for profit and creeping customers out." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Is Your Online Identity Property or a Person? (January 17, 2011)

Bloomberg reports on fundamental issues for U.S. regulator and legislator efforts to address online data privacy concerns, suggesting, "Central among them is the question of whether online privacy is a matter of personal property or of human rights." Rep. Marsha Blackburn (R-TX) said that as Congress looks at regulating consumer privacy online, it must first determine what data privacy means, what should be regulated and how to balance consumer and commerce needs. "The crux of the issue is whether or not an online persona is an extension of a human being," the report notes, "or a mere collection of bits that can be bartered away for access to free e-mail or a social network."
Full Story

PRIVACY LAW—U.S.

Stearns Revising Privacy Bill (January 17, 2011)

Rep. Cliff Stearns (R-FL) is reworking a draft online privacy bill he crafted with former Rep. Rick Boucher in the last Congress, the National Journal reports. A spokesperson for Stearns said the congressman is reviewing comments on the measure he and Boucher released last year and is "working with stakeholders on developing legislation that he plans to offer soon."
Full Story

ONLINE PRIVACY—U.S.

Trusted Identities Plan “A Long Way Off” (January 17, 2011)

NetworkWorld reports on the government's strategy for better securing the Internet by improving authentication. Department of Commerce (DoC) Secretary Gary Locke unveiled the National Strategy for Trusted Identities in Cyberspace last week. It calls for the creation of a National Program Office within the DoC to support the strategy. The administration has stressed that the plan does not include the creation of a national ID card or government-controlled authentication system, the report states, but questions remain about how the strategy would play out, and analysts say that concrete implementation is a long way away.
Full Story

ONLINE PRIVACY—U.S.

Advertisers Move Towards Self-Regulation (January 17, 2011)

In an effort to help ward off government regulation, digital ad buyers are aligning themselves with an online advertising industry self-regulatory program. VivaKi has announced it has joined GroupM in choosing Evidon--formerly known as the Better Advertising Project--to provide compliance services, ADWEEK reports. The news follows the FTC's report about online privacy, which stated that the online advertising industry wasn't moving fast enough on self-regulation. "We need to get ahead of the government, and we need to make sure it gets done the right way as data-driven marketing has become more and more important," said a VivaKi official.
Full Story

DATA LOSS—CANADA

NS Officer Ponders Potential Review (January 17, 2011)

Nova Scotia's privacy review officer will decide this week whether to launch an investigation into an alleged breach of confidentiality at the Workers' Compensation Board (WCB), The Chronicle Herald reports. The board allegedly mailed the personal information of one person--including social insurance number, birth date, address, phone number and medical record--to someone else. Privacy officer Dulcie McCallum said, "This is an important issue...This is people's personal health information." The WCB says that the information was not disclosed to anyone, according to the report, and a spokeswoman for the board welcomed a possible inquiry, saying, "We'll work with them to give them whatever they need."
Full Story

TRAVELERS’ PRIVACY—U.S.

TSA: New Scanners Less Invasive (January 14, 2011)

A model of full body scanners considered to be less privacy invasive may be deployed at U.S. airports for tests this year, Bloomberg reports. That's according to the chief of the Transportation Security Administration (TSA), John Pistole, who said he reviewed testing of the upgraded machines this week. Instead of displaying individuals' body images, the new machines would display a standard avatar and a box indicating the risk area. Pistole said the machines would "completely address the privacy" issue. Meanwhile, a federal judge has rejected the Electronic Privacy Information Center's attempt to obtain some 2,000 body scan images from the TSA, which would not release the requested images because the photos are used to train employees to recognize threats and could threaten security practices.

HEALTHCARE PRIVACY—FRANCE

CNIL Approves Hosting for Electronic Records (January 14, 2011)

The Commission Nationale Informatique et Libertés (CNIL) last month authorized the computer applications necessary to implement the first phase of a national and voluntary online personal health file system, reports eGov Monitor. Dossier Médical Personnels (DMPs) are patient-controlled online health records that stay with a person throughout their life; the patient first gives consent to create the profile, then controls the content of and access to their records from their computer and can close the account at any time. The first phase is expected to last three years, and CNIL says it will use feedback and lessons learned to develop the legal framework and content and access conditions for the DMP system.
Full Story

ONLINE PRIVACY

Flash Fix Is Important First Step (January 14, 2011)

The Wall Street Journal reports on efforts to improve privacy controls in Adobe's Flash video player after privacy advocates and regulators raised concerns that companies could use such technology to track Internet users. "So-called 'Flash cookies,' which are small files stored on a user's computer through the Flash program, have raised privacy questions because they are more difficult for users to detect and delete than regular cookies associated with Web browsers," the report states, noting that although Adobe's effort to simplify the program's settings is an important step, it "doesn't solve all the issues associated with this type of tracking," and other video programs can also track users. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY—U.S.

Zombie Profiles Elicit FTC Complaint (January 14, 2011)

Forbes reports on the Web site Spokeo, which aggregates data to offer profiles of people. The site has come under scrutiny by privacy advocates and tech bloggers, and this week, one blogger filed a complaint with the U.S. Federal Trade Commission alleging that the company fails to live up to its opt-out promises. "Multiple users say that they have asked to have their profiles removed and that they have come back," the report states. Spokeo asserts that it tries very hard to preserve privacy preferences, "However, a computer cannot know the difference between 'John Smith at 1234 Nowhere Street' and 'John Smith at 5678 Somewhere Avenue,' though you may know that you moved."
Full Story

DATA LOSS—EU

ENISA Issues Breach Report (January 14, 2011)

The European Network and Information Security Agency (ENISA) has issued a report on data breach notifications as required for the electronic communications sector in the ePrivacy Directive. The requirement, according to an ENISA release, is vital to increase long-term data security in Europe. The report highlights key concerns for both telecom operators and DPAs and notes that recent high-profile incidents have prompted discussion about the security of personal information shared, processed, stored and transmitted electronically. "Gaining and maintaining the trust of citizens that their data is secure and protected is an important factor in the future development and take-up of innovative technologies and online services across Europe," said ENISA Executive Director Udo Helmbrecht.
Full Story

DATA PROTECTION

Survey: PCI DSS Standards Necessary (January 14, 2011)

A new survey has found that the majority of IT security practitioners believe that the Payment Card Industry Data Security Standard (PCI DSS) is necessary for protecting cardholder information, SC Magazine reports. The Cisco survey polled 500 IT security decision makers in healthcare, finance, retail and education, a majority of whom said they were "very confident" they could pass an assessment today. The greatest challenge for PCI DSS compliance is educating employees about the proper handling of cardholder data, the report states. Respondents also indicated they expect "significantly increased spending" on PCI compliance this year. Meanwhile, a recent Verizon survey found that organizations that had suffered data breaches performed "dismally" with PCI requirements.
Full Story

PRIVACY LAW—U.S.

Social Network: PII Leaks Do Not Violate Law (January 14, 2011)

MediaPost News reports on Facebook's motion to dismiss a class-action lawsuit that alleges the social network violated its users' privacy by referring their names to advertisers. The motion calls for dismissal "on the grounds that none of the users who are suing allege that they suffered any kind of tangible loss," the report states. Facebook also contends it did not violate federal wiretap laws as the statute applies to contents of communications, such as e-mail messages, and not to the referrer headers that transmitted user data to advertisers, the report states. Facebook goes on to argue that referring user names does not reveal PII because the social network considers names to be public information.
Full Story

HEALTHCARE PRIVACY—U.S.

Opinion: Hospital Deserves Credit for Response (January 14, 2011)

Tucson's University Medical Center deserves accolades for calling attention to an important privacy issue, opines Howard Anderson in Gov Info Security. Anderson says the hospital's treatment of its recent data breach involving victims of last weekend's shooting rampage informs the whole world "that this hospital takes its privacy policy seriously" and "provides an excellent example for other hospitals to follow when dealing with records snoops on their staff." The hospital announced this week that it had terminated three employees and a contracted nurse for violating patient privacy, and it posted details about the breach on its Web site. "Zero tolerance is appropriate," Anderson says.
Full Story

DATA LOSS—AUSTRALIA & U.S.

Company, Hospital Terminate Employees Following Breaches (January 13, 2011)
An Australian company and an Arizona hospital have both announced employee terminations based on privacy breaches. Australia's Vodafone says it has let several employees go after a breach that exposed customer details including names, addresses, dates of birth and credit card numbers, The Herald Sun reports. A Vodafone spokeswoman said the company has "contacted the NSW Police while its investigation continues." Meanwhile, Tucson's University Medical Center (UMC) has terminated three employees and a contracted nurse for violating patient privacy following last weekend's shooting rampage. The breaches will be investigated and addressed, said a UMC spokeswoman, adding, "With advances in technology, ensuring patient privacy has become the focus of hospitals nationwide."

ONLINE PRIVACY—U.S.

Company Addresses Potential Privacy Loopholes (January 13, 2011)

Adobe has announced it is taking steps to address concerns raised by privacy advocates and the FTC about its Flash Player program, paidContent reports, referencing recent class-action lawsuits over local storage objects, commonly referred to as "Flash Cookies," that can be used to track user behavior for unauthorized purposes. In a blog post, Flash Product Manager Emmy Huang noted the company will "dramatically simplify how users access privacy settings for the video-watching program." The report highlights plans by three major browser companies to create a standard for user data held by such browser plug-ins and references Adobe's efforts to create a system allowing users to control Flash from their computers.
Full Story 

PRIVACY LAW—U.S.

Supreme Court Case May Influence Privacy Debate (January 13, 2011)

The Supreme Court announced this week that it will hear the case of Sorrell v. IMS Health, which paidContent reports is "likely to have some influence on the growing debate over online privacy." The case involved pharmaceutical and data-mining companies that are contesting a Vermont law prohibiting the sale of prescription information, such as which doctors prescribe what drugs to patients. "So far, the battle against these new 'prescription privacy' laws, which have passed in Vermont, Maine and New Hampshire, has produced mixed results," the report states, "so what the Supreme Court has to say will likely be decisive."
Full Story

PRIVACY LAW—HONG KONG

Lawmakers Oppose Another Octopus Inquiry (January 13, 2011)

Hong Kong legislators have rejected one lawmaker's call for the creation of a committee to probe the Octopus data scandal, The Standard reports. In calling for the committee, democrat James To Kun-sun said, "We have to find out the truth behind the incident so as to give the public an account of the data leaks." But his colleagues say that a public consultation has already taken place and there is no need to begin an inquiry. Secretary for Transport and Housing Eva Cheng Yu-wah said the government will make proposals to strengthen personal data protection, according to the report.
Full Story 

SOCIAL NETWORKING—U.S.

Facebook Lobbying Has Privacy Focus (January 13, 2011)

"The world's largest social networking site is increasing its Washington office, spending more on lobbying and meeting with lawmakers, congressional staff and privacy experts who question whether the company is adequately protecting the personal information of its 500 million users." That's according to a report in USA Today on efforts by Facebook in the midst of conversations by lawmakers and regulators considering changing online privacy law. "We have not had to come out strongly for or against anything," Facebook's Tim Sparapani noted, explaining that plans for a do-not-track mechanism "aren't ripe yet. We're here to share our views for those long-term critical questions and educate."
Full Story

DATA LOSS—U.S.

Hackers Expose Data (January 13, 2011)

The University of Connecticut has notified customers of its Husky-branded online sports store that their billing and payment information may have been exposed when its database was hacked. NetworkWorld reports the hacker compromised an administrative password to gain access to the database and then decrypted the data, which included names, addresses, Social Security numbers, credit card numbers, expiration dates and security codes, among other information. Meanwhile, a New Hampshire radiology office has sent letters to about 231,400 patients to let them know its server was hacked, potentially exposing their personal and medical data.
Full Story

ONLINE PRIVACY—GERMANY

Regulators: Using Analytics May Mean Legal Action (January 12, 2011)
German data protection authorities have ended talks with Google over its free metrics tool, warning that German companies using Google Analytics could face fines and legal action, The Wall Street Journal reports. The tool gathers data about how visitors use Web sites by tracking IP addresses, which regulators have argued could violate individuals' privacy. Google has said its service "complies with European data protection laws and is used by other European data protection authorities on their own Web sites." Meanwhile, IAB Europe Vice President Kimon Zorbas told the Daily Dashboard, "Web analytics tools were indispensable for the transformation of Web 1.0 to Web 2.0. If you restrict a Web site's capacity to analyze which parts are successful and which are not, you risk catapulting the Internet back to the 'Digital Stone Age.' Companies would have to guess what's going on on their properties instead of focusing on how to improve any shortcomings. Cookies-based Web analytics like Google and many other companies offer are neither intrusive nor do they process personal data."

PRIVACY LAW—U.S.

Leahy Outlines Judiciary Agenda (January 12, 2011)

The chairman of the Senate Judiciary Committee yesterday outlined the work its members will undertake in the coming session, nextgov reports. Sen. Patrick Leahy (D-VT) said the committee will continue revising the 1986 Electronic Communications Privacy Act and will begin looking at the 1994 Communications Assistance to Law Enforcement Act, which was written before "the technological leaps and bounds" of the last two decades. Leahy said that the committee will also examine the use of full body security scanners at airports and online tracking by marketers and data aggregators. "The last decade has encroached on Americans' privacy as has no other decade in our history," Leahy said.
Full Story

PRIVACY LAW—EU & U.S.

U.S. Commerce Official Discusses EU Data Protection (January 12, 2011)

U.S. Department of Commerce Deputy Under Secretary for International Trade Michelle O'Neill held a briefing on her recent meetings in Brussels with European DPAs, discussing "the right to be forgotten" as a current key topic in Europe, the Hunton & Williams Privacy and Information Security Law Blog reports. O'Neill has said that European Data Protection Supervisor Peter Hustinx has been encouraged by such ongoing U.S. efforts as the Commerce Department's recent green paper on data protection, the report states. O'Neill also met with Françoise Le Bail of the European Commission's Directorate-General for Enterprise and Industry to discuss the Safe Harbor framework, noting the commission and Commerce Department will take part in a Safe Harbor conference in November.
Full Story

DATA LOSS—CANADA

Breaches Not Reported Publicly (January 12, 2011)

Infosecurity reports that Statistics Canada has experienced a number of recent data breaches that have exposed sensitive information and, while the cases were investigated, Statistics Canada failed to report the breaches publicly. "There have been a number of data breach cases of employees having their laptops containing confidential information stolen," the report states, noting at least two incidents where "employees left sticky notes with the passwords on their computers." The Office of the Privacy Commissioner has labeled a separate incident where employment records of 66 census takers and managers were left in surplus filing cabinets and sold at auction as "a serious matter."
Full Story

PRIVACY LAW—CANADA

Government Refuses to Release Contract (January 12, 2011)

Despite an order to do so by the provincial privacy commissioner, the BC government has refused to hand over the full, unedited copy of its $300 million contract with IBM to the Freedom of Information and Privacy Association (FIPA), the Times Colonist reports. An adjudicator had decided last November that the government must turn over the contract, as well. A spokeswoman for the Citizens' Services Ministry said it has turned over almost all of the 535-page contract, withholding only server names and network addresses to protect against hackers. "They are out there and they are smart," Citizens' Services Minister Mary MacNeil said. "In the end, security is paramount."
Full Story

DATA LOSS—U.S.

Universities Increase Security, Breaches (January 12, 2011)

The University of Maine System (UMS) and the University of Hawaii (UH) are taking steps to secure data after breaches affected thousands at their campuses last year. UMS expects to spend more than $860,000 per year over three years, while UH expects to spend $1.9 million on data security. A recent Identity Theft Resource Center report found that educational institutions account for nearly 10 percent of the 662 data breaches reported in 2010.
Full Story

ONLINE PRIVACY—U.S.

Potential Online Identity System Concerns Advocates (January 11, 2011)
International Business Times reports on concerns surrounding a proposed Department of Commerce system aimed at identifying people on the Internet. The National Strategy for Trusted Identities in Cyberspace intends to authenticate user identity in order to protect against identity theft and business fraud. But privacy advocates are concerned that if an identity were hacked, the hacker would have access to a wide range of the user's affiliations. Implementation will be key, advocates say, and will require more robust privacy laws than now exist.

PRIVACY LAW—CANADA

Contract Disclosure Expected Today (January 11, 2011)

The BC government must hand over an unedited copy of its $300-million contract with IBM to the BC Freedom of Information and Privacy Association (FIPA) today, the Times Colonist reports. The FIPA requested a copy of the contract four years ago and has thus far received more than half of it. Though the government has argued that releasing the contract would threaten certain aspects of its governance and the company's business interests, adjudicator Michael McEvoy decided last November that it must release it. BC's Information and Privacy Commissioner ordered the Citizens' Services Ministry to release its full IBM workplace services agreement last month as well.
Full Story

PRIVACY LAW—U.S. & EU

Social Network Subpoena Fuels Debate (January 11, 2011)

EUobserver reports on the implications of a U.S. court order that may give law enforcement officials access to all 637,000 followers of the WikiLeaks account on Twitter. The move, the report states, "has added fuel to the fire of an EU debate on data retention." Members of the European Parliament said on Monday that this move illustrates the need for governments to have checks and balances on access to private data, the report states. "We need to show the U.S. that they can't impose their rules on the whole world and that there is a real possibility for redress and appeal when such orders are issued," said German MEP Jan Philipp Albrecht.
Full Story

ONLINE PRIVACY—GERMANY

Use of Analytics Could Result in Fines (January 11, 2011)

German Web companies could face fines for using Google Analytics, a free online metrics service, The Local reports, citing the end of talks between German data protection officials and the company and threats of legal action. "Unfortunately we have come to the conclusion that Google has not complied with our data protection demands," said Johannes Caspar, Hamburg's commissioner for data protection. Google Analytics gathers information about Web site visits through users' IP addresses, the report states, and sends that data back to the U.S. for processing--a practice that German DPAs believe should be illegal. According to Google Germany's data protection official, however, the service has met EU privacy standards and the demands of German customers.
Full Story

PRIVACY LAW—U.S.

Will Congress Tackle Online Privacy in 2011? (January 11, 2011)

IDG News Service reports that technology issues--including online privacy--will be a focus for the U.S. Congress in 2011. Tech-related bills that could move include a revamp of the 25-year-old Electronic Communications Privacy Act (ECPA), the report states. Online companies and advocacy groups have been pushing for ECPA reform for the past year because it does not give the same protection to e-mail and cloud-stored documents as it does to hardcopy files or those stored on PC hard drives. Web tracking is also expected to be a focus, though the report suggests that given past debate over allowing consumers to opt out, "chances of similar legislation passing in 2011 are small."
Full Story

ONLINE PRIVACY

Are Privacy Policies Dead? (January 11, 2011)

ReadWriteWeb reports on comments by Fran Maier of TRUSTe advocating moving away from privacy policies to focus on notifications for the collection of new data and the use of data in new ways. At a time when online data is not only growing but also has the potential to drive innovation and monetization, "Maier says we'll soon start to see a system called a Forward Eye in advertisements online, which will tell us what information about us is being captured and how it will be used," the report states. "Privacy policy is dead. What we've got to move into is just-in-time notices that give us choices and lead fundamentally to accountability," Maier said.
Full Story

HEALTHCARE PRIVACY—U.S.

Copy Machines Could Risk HIPAA Violations (January 11, 2011)

American Medical News reports on the privacy concerns related to replacing office printers and photocopiers at medical facilities. Many are unaware that the devices contain hard drives storing caches of personal information. Experts suggest looking for an "overwrite" or "wiping" feature on a machine before discarding or selling and to be sure, if a machine is recycled, that the recycling plant has a plan in place for handling hard drives. A New York health plan recently had to report a HIPAA violation after discarding more than 6,000 used copiers without destroying PII stored on them. Meanwhile, a pending New Jersey law aims to protect against identity theft by requiring copy machine hard drives' destruction.
Full Story

PRIVACY LAW—U.S.

Supreme Court To Review Prescription Law (January 10, 2011)
The Supreme Court will review a Vermont law to limit using prescription information for one-on-one marketing of pharmaceuticals, Bloomberg reports. Vermont's law, which is one of three in New England that restrict the use of prescription information for marketing purposes, has been challenged by the Pharmaceutical Research and Manufacturers of America and several data-mining companies and, the report states, the case could "shape the burgeoning debate over the extent of privacy rights in the digital age." The pharmaceutical and data-mining companies have argued the law violates the right of free speech, while the state of Vermont argues, "Restrictions on the dissemination of nonpublic information held by private persons have long coexisted with the First Amendment."

PRIVACY—U.S.

New Office to Secure Online Transactions (January 10, 2011)

Commerce Department Secretary Gary Locke has announced the creation of a national office to secure online transactions, The Hill reports. The office will coordinate the government implementation of the National Strategy for Trusted Identities in Cyberspace (NSTIC), the report states. NSTIC aims to improve consumer confidence in e-commerce. "A coordinated national strategy to significantly improve online trust will put e-commerce on stronger footing," Locke said from a Stanford University event on Friday. Speaking with the Daily Dashboard this morning, Ari Schwartz of the National Institute of Standards and Technology cited the four guiding principles set forth by White House Cybersecurity Coordinator Howard Schmidt and said the move is "about building innovation for trust." And it has to be led by the private sector, Schwartz said. "It has to be voluntary as well."
Full Story

DATA LOSS—AUSTRALIA

Vodafone Breach Incites Investigation, Potential Suit (January 10, 2011)

iTnews reports that Privacy Commissioner Timothy Pilgrim has launched an investigation into an alleged privacy breach at Vodafone putting customer details at risk. Vodafone allegedly allowed its partners to access its database of customer names, dates of birth, PIN numbers, driver's license numbers, addresses, credit card numbers and call records. Despite Pilgrim's investigation, the office doesn't have the authority to impose penalties, though Pilgrim said he supports ongoing privacy reforms that would provide his office that power. The alleged breach, which Vodafone says it is taking "very seriously," has prompted law firm Piper Alderman to investigate whether it can include the breach in its pending class-action lawsuit against Vodafone. Meanwhile, Vodafone is reassuring its New Zealand customers that their data is safe.
Full Story

PRIVACY LAW—U.S.

Advocates: ECPA Was Not Made for the Internet Age (January 10, 2011)

Internet companies and consumer advocates are warning that the Electronic Communications Privacy Act (ECPA) is outdated, "affording more protection to letters in a file cabinet than e-mail on a server," The New York Times reports. With Internet services providing storage for e-mails, photographs, financial documents and a range of other private information, while law enforcement agencies may be sending out requests "for legitimate criminal investigations," some companies are calling for a requirement for search warrants approved by courts rather than subpoenas from prosecutors. Given that ECPA was drafted in 1986, before such widespread use of cell phones and e-mail, one expert notes, "The law can't be expected to keep up without amendments." (Registration may be required to access this story.)
Full Story

SURVEILLANCE—CANADA

Bus Cameras Delayed Due to Privacy Concerns (January 10, 2011)

The Record reports on concerns about transit service plans to install surveillance cameras on Waterloo buses later this year. Grand River Transit has delayed installing the cameras due to complaints that the regional council hadn't consulted the public on the plans and that no surveillance policy existed, the report states. The council has since launched a public consultation and the transit service is reportedly developing policies on data retention and use. A spokesperson for the Office of the Information and Privacy Commissioner of Ontario said, "I think it's critical to have those policies in place before the cameras go live."
Full Story

FINANCIAL PRIVACY—AUSTRALIA

Minister Proposes Credit Reporting Code of Conduct (January 10, 2011)

Minister for Privacy Brendan O'Connor is calling for the development of a new Credit Reporting Code of Conduct designed to provide better privacy protection, TechWorld reports. In a statement, O'Connor said, "A binding Code of Conduct will be an integral part of the new credit reporting regime, helping to provide better protection for consumers and better guidance for business." The plan will be discussed at a roundtable on February 10, the report states, and O'Connor noted, "The roundtable will contribute to the development of the industry-led code and will provide an open forum for interested parties to discuss any outstanding issues of concern."
Full Story

DATA LOSS—U.S.

Military and Gov’t Breaches Total 104 in 2010 (January 10, 2011)

Nextgov reports on an Identity Theft Resource Center study that showed 15.7 percent of the 662 data breaches reported last year involved military and government agencies. This represents an increase from 90 incidents the year before, yet the 104 breaches resulted in fewer exposed records. More than 79 million records were exposed in 2009, and in 2010, that number decreased to 1.2 million. According to the report, the actual number of data breaches may be greater because of a lack of a centralized reporting system and no mandatory reporting requirement.
Full Story

PRIVACY LAW

Experts Discuss Legislation Implications (January 10, 2011)

This month's Privacy Tracker audio conference featured a discussion of key legislative issues that have the potential to affect businesses in the U.S., Canada and beyond. Panelists shared insight on the HITECH final rules as well as reports presented by the Federal Trade Commission and Commerce Department on online privacy. Adam Kardash of Heenan Blaikie updated listeners on Canada's newly passed Bill C-28 anti-spam legislation, which focuses on e-mail marketing and provides a more robust regulatory framework and broader scope than the U.S. CAN-SPAM Act, he explained. D. Reed Freeman, CIPP, of Morrison & Foerster, commented that C-28 is "a very significant development for companies that do business internationally." (Privacy Tracker subscribers may access recorded audio here. Login is required.)
Full Story

PRIVACY—UK

ICO To Gain Independence (January 7, 2011)
The Information Commissioner's Office (ICO) may soon gain more independence from the Ministry of Justice (MoJ), OUT-LAW.COM reports. In its Freedom of Information Package, the MoJ calls for "enhanced independence for the ICO." The commissioner "will be given more freedom to make day-to-day corporate and operational decisions," according to an MoJ news release. The ICO will no longer be required to seek the Secretary of State's consent regarding staffing matters and will be allowed to set charges and issue statutory guidance independently, among other changes. "I welcome the proposals that the government has set out today...a more independent ICO is essential to make sure information rights continue to be upheld," said Information Commissioner Christopher Graham.

PRIVACY LAW—U.S.

Mass. Officials Discuss Data Security Regs (January 7, 2011)

In the Workplace Privacy Counsel blog, Ellen Giblin of Littler Mendelson's Privacy & Data Protection Practice Group shares insight from a recent IAPP KnowledgeNet event at which officials from the Massachusetts Attorney General's Office and Office of Consumer Affairs and Business Regulation (OCABR) discussed their investigations into and enforcement of the almost one-year-old Massachusetts Data Security Regulations (201 CMR 17). The AG and OCABR share enforcement responsibilities for the regs, which took effect last March. Scott Shafer, the AG's chief of consumer protection, said the AG receives three to four data breach notifications daily and the office reviews each report closely to identify warning signs that may indicate noncompliance with the regulations, according to the report.
Full Story

HEALTHCARE PRIVACY—AUSTRALIA

Public Discussion to Begin on E-Health System Plans (January 7, 2011)

Federal Health Minister Nicola Roxon says a draft framework of the nation's electronic health record system will be issued for public consultation soon, The Australian reports. The National E-Health Transition Authority developed the framework but the government has faced criticism from those who have concerns about privacy and say the development process has not been transparent. Roxon says she is committed to working with stakeholders "to make sure we develop the right e-health system" and that "The next step will be a public discussion paper on the operating concepts for the personally controlled e-health record."
Full Story

DATA LOSS—U.S.

Malware Attack Exposes Personal, Credit Card Details (January 7, 2011)

The Pentagon Federal Credit Union (PenFed) on Tuesday began notifying customers that a malware attack penetrated a database which contains current and former members' names, addresses, Social Security numbers, payment card numbers and more, reports Softpedia. In a letter to the New Hampshire Attorney General, PenFed says 514 residents of that state were affected. The total number of customers affected has not been disclosed. PenFed is offering a two-year subscription to an identity theft service and is recommending its customers routinely review their account statements and credit reports.
Full Story

PRIVACY LAW—U.S.

Kamber Discusses Internet Suits (January 7, 2011)

In an interview with paidContent, Scott Kamber of KamberLaw discusses recent class-action lawsuits alleging Internet companies' privacy violations. In response to a question about the increase in Internet privacy suits being filed in recent months, Kamber replied, "People are more aware of online privacy issues. You now probably have two or three dozen researchers nationally that do nothing but Internet privacy...The Internet is where we shop, bank and get our news--so everyone is rightfully concerned about whether we have privacy safeguards online." When asked whether class-action suits are the right approach, he replied, "We are the consumer voice for self-regulation... We're not trying to harm the company; we're trying to redress the harms done to the consumer."
Full Story

PRIVACY LAW—U.S.

TX Officials Unsure About Cell Phone Ruling (January 7, 2011)

Though California's Supreme Court on Monday ruled that police can search arrestees' cell phones without a warrant, some Texas judges and a deputy chief at the Dallas Police Department (DPD) disagree, Dallas Morning News reports. "If you've ever been the detective on the stand in a trial and they say they think you've obtained evidence illegally, it's always better to err on the side of caution," said DPD Deputy Chief Craig Miller. State District Judge Don Adams said he would advise police to get a warrant "until the Texas Court of Appeals rules or the U.S. Supreme Court rules."
Full Story

PRIVACY LAW—EU

Working Party Suggests Directive Improvements (January 6, 2011)
The Hunton & Williams Privacy and Information Security Law Blog reports on the Article 29 Working Party's opinion on practical implications of the EU Data Protection Directive. The opinion "intends to clarify the current scope of EU data protection law with regard to the processing of personal data within and outside the European Economic Area," the report states. The Working Party's goals include providing a clearer framework and avoiding legal loopholes and potential conflicts between overlapping national data protection laws. "Furthermore, in light of the general revision of the EU data protection framework," the report states, the opinion includes "suggestions to improve the existing applicable law provisions in the EU Data Protection Directive."

HEALTHCARE PRIVACY—CANADA

Commissioner: Insurer Collects Too Much PHI (January 6, 2011)

The Regina Leader-Post reports on Saskatchewan Information and Privacy Commissioner Gary Dickson's announcement that SGI, the government auto insurer, "has rejected his authority to investigate the complaints of three individuals injured in accidents over SGI's use of their personal health information." Although the decision has put limits on his investigation, Dickson has said there is clear evidence the insurer is "over collecting" personal health information, the report states, citing one case where a complainant said the company collected information on her daughter and the child's birth father. Dickson wants SGI to revise its procedures and is asking the legislature to amend the province's privacy laws related to the use of health information.
Full Story

SOCIAL NETWORKING—U.S.

Facebook To Modify Privacy Settings for States (January 6, 2011)

Facebook will modify its terms and conditions in order to facilitate state agencies' use of the site, The Associated Press reports. The move is expected to satisfy the legal concerns of officials in 14 states who had objected to certain portions of the terms. The company will strike an indemnity clause related to harm and loss and remove a provision requiring that legal suits against the company be resolved in California courts, among other changes. Colorado Attorney General John Suthers said, "We look forward to continuing to work with Facebook and starting a new dialogue with the people of Colorado through the company's Web site."
Full Story

HEALTHCARE PRIVACY—U.S.

Study: Hard-To-Use Software Means Data Losses (January 6, 2011)

Difficult-to-use software is a key factor when it comes to leaked data from confidential medical records. That's according to a study by researchers at Dartmouth's Tuck Center for Digital Strategies, TMC reports. Researchers monitored peer-to-peer networks that are used to share various types of files, the report states, and in just a two-week period, they were able to find 200 files containing such confidential information as names, addresses, dates of birth, Social Security numbers and insurance numbers. The study also found that healthcare consumers are increasingly concerned about privacy, while government mandates to guard privacy are raising concerns due to their "lack of clarity."
Full Story

DATA LOSS—U.S.

Personal Information Found Outside Library (January 6, 2011)

WFAA.com reports that medical records, Social Security numbers and other personal information were found in a box outside a Plano, Texas library. An individual discovered the information while sifting through the library's recycling container. The data belonged to former employees of a company called White Rock Networks, the report states. "No one should have the right to just dump personal information. I don't see how people can get away with this," said an individual whose data was among that in the dumpster.
Full Story

PRIVACY LAW—SOUTH KOREA

Police: Data Collected Illegally (January 6, 2011)

South Korea's police authority says Google broke the country's privacy law when it collected WiFi data with its Street View cars, The Guardian reports. The authority says it will conclude its investigation by the end of January. It is not yet known whether Seoul--where Google's Korean headquarters are located--will prosecute the company. Google's Korean arm said, "As soon as we realized what had happened, we stopped collecting all WiFi data from our Street View cars and immediately informed the authorities. We have been cooperating with the Korean communications commission and the police and will continue to do so." The company is facing similar investigations in more than 20 countries.
Full Story

ONLINE PRIVACY—U.S.

Point, Counterpoint: Do-Not-Track (January 5, 2011)
U.S. News & World Report features a point-counterpoint on the FTC's calls for a do-not-track mechanism. FTC Chairman Jon Leibowitz writes, "Once you enter cyberspace, your private information--often without your consent or even knowledge--becomes a commodity out of your control." Do-not-track would let users "specify what information you want to share about your browsing behavior and have those preferences travel with you to every Web site you visit." IAB Senior Vice President and General Counsel Michael Zaneis, however, cautions, "You cannot simply turn off the data exchanges between parties that allow you to, for example, navigate from one Web site to another. Stop that sharing and you put a stop to the Internet as we know it."

HEALTHCARE PRIVACY—U.S.

Groups Ask FTC To Investigate Pharmaceutical Marketing Practices (January 5, 2011)

Four privacy groups have filed a complaint asking the Federal Trade Commission to investigate the online marketing practices of pharmaceutical companies, American Medical News reports. The 144-page complaint, filed by the Center for Digital Democracy, Consumer Watchdog, U.S. Public Interest Research Groups and World Privacy Forum, alleges that certain Web sites allow pharmaceutical companies to collect patient and prescription information to market health-related services and medications, the report states. The complaint, which targets many well-known Web sites, alleges that pharmaceutical marketers collect consumers' personal information without their knowledge. None of the companies involved had formally responded to the complaint, the report states.
Full Story

SOCIAL NETWORKING—CANADA

Experts: “Design for Privacy” (January 5, 2011)

"Every business needs to listen to Ontario's Privacy Commissioner Ann Cavoukian and design privacy principles and practices into their operations," Don Tapscott and Anthony D. Williams write in a CTV News report, noting that is especially true for social networks. The report considers the importance of privacy in the world of social media, suggesting, "In the past we only worried about Big Brother governments assembling detailed dossiers about us. Then came what privacy advocates called Little Brother--corporations that collect data from their customers." The authors advocate Privacy by Design for all companies and urge individuals to be vigilant about what they do online.
Full Story

DATA LOSS—U.S.

ITRC: Report Shows Need for Mandatory Reporting (January 5, 2011)

The Identity Theft Resource Center (ITRC) has revealed that 662 data breaches were reported in the U.S. in 2010, up about 33 percent from 2009. Infosecurity reports that the number of actual breaches is likely higher since not all breaches are required to be reported. The ITRC says that 62 percent of the breaches involved Social Security numbers and 26 percent involved payment card information. In a press release, ITRC notes a lack of transparency in reporting. "Other than breaches reported by the media and a few progressive state Web sites, there is little or no information available on many data breach events. It is clear that without a mandatory national reporting requirement that many data breaches will continue to be unreported or underreported."
Full Story

SSN PRIVACY—U.S.

Defense Department Decreases Use of SSNs (January 5, 2011)

Though full implementation of an alternative system of ID numbers won't happen until 2012, the Defense Department is continuing its efforts to decrease the use of Social Security numbers (SSNs), Federal News Radio reports. The Navy will no longer post announcements of promotions and other personnel messages that include the last four digits of individuals' SSNs on its public Web site. The Office of the Secretary of Defense ordered, in a November 23 memorandum, that no part of any SSN be posted on any public Web site, the report states. Last month, a former West Point professor wrote in a journal article that the U.S. needs to do a better job protecting the identities of its military personnel.
Full Story

FINANCIAL PRIVACY—HONG KONG

Government Considers Expanding Mortgage Database (January 5, 2011)

Hong Kong's government is seeking public feedback until February 8 on a proposed expansion of a data-sharing system to include positive and negative credit history for homes and properties, Privacy Commissioner for Personal Data Allan Chiang has announced. Bloomberg reports that under Hong Kong's current system, banks can share only negative data on housing mortgages while both positive and negative data is available for unsecured debt such as credit card borrowings. One financial services expert suggests that if the expansion is approved, it will allow banks to better assess home buyers' credit status.
Full Story

STUDENT PRIVACY—U.S.

Opinion: UCLA Database Puts Students at Risk (January 5, 2011)

In an opinion piece for the Daily Bruin, Avni Nijhawan says UCLA's online campus directory provides a false sense of security about its privacy settings. The publicly accessible directory, created through the school's privacy policies, allocates some of the information deemed public by federal law, including an "unprecedented amount of 'personally identifiable information,'" Nijhawan writes, such as phone numbers and home and e-mail addresses of 33,000 students. "The potential for misuse seems to outweigh the necessity of public access to such information," said Nijhawan, proposing that students be removed from the database altogether.
Full Story

ONLINE PRIVACY—U.S.

Opinion: If Feds Fail, State Should Enact Do-Not-Track (January 5, 2011)

In an op-ed for the Los Angeles Times, Consumer Watchdog President Jamie Court discusses privacy as an inalienable right, according to California's state constitution, urging California to create its own do-not-track mechanism if the federal government does not do so. "Advertisers may be able to target us better if they know everything about us," Court suggests, but argues the government should be expected "to protect us from being targeted for such invasive data collection without our knowledge and consent." A do-not-track move is important, Court writes, "because it sets the principle and precedent of the first real governmental limits on the Wild West of Internet data mining."
Full Story

PRIVACY LAW—CANADA

Manitoba Man Files Buzz Lawsuit (January 5, 2011)

A Manitoba man has filed a class-action suit over alleged problems with the launch of Google's Buzz program earlier this year, The Vancouver Sun reports. Norman Rosenbaum, the plaintiff's attorney, alleges that even though Google told users they could choose whether or not to use the company's Buzz service, it automatically activated on users' Gmail accounts, the report states. "It's a breach of privacy," Rosenbaum said. "It automatically affected all of your followers. Even if you said you didn't want to have your e-mail list forwarded, it did it anyway." The suit is seeking unspecified damages, the report states.
Full Story

PRIVACY LAW—U.S.

Company Will Fight Allegations (January 4, 2011)
Interclick, the company facing a class-action lawsuit for allegedly violating Internet users' privacy, said this week it will fight the charges, ABC News reports. A New York resident filed suit against Interclick recently, claiming that it used the "history sniffing" technique to help its customers discern more about Web users' online activities. The company admitted to using the technique for eight months, the report states, but said it stopped in October and it "continually endeavors to be sensitive to the privacy concerns of our customers and the general public." The same plaintiff has filed suit against four companies alleged to have worked with Interclick.

ONLINE PRIVACY—U.S.

Two Gov’t Agencies Focus on Privacy (January 4, 2011)

In its fiscal 2011 work plan, the Office of the Inspector General revealed that it plans to inspect the privacy and security policies of the Department of Health and Human Services (HHS) as well as the details of the HITECH Act electronic health record incentive program, reports Gov Info Security. The review will include the HHS Offices of the National Coordinator for Health IT, Civil Rights and the Centers for Medicare and Medicaid. Meanwhile, on January 1, the Internal Revenue Service (IRS) began enforcing new security, privacy and business standards, reports the Boston Globe. The standards, which went into effect with a one-year enforcement grace period last January, aim to protect taxpayer information held by online providers of individual tax returns.
Full Story

ONLINE PRIVACY—U.S.

What Will 2011 Mean for Privacy? (January 4, 2011)

ClickZ looks back at what 2010 meant for privacy and how that may change in 2011 as government and industry each work to resolve concerns surrounding online advertising. Some have questioned the feasibility of the Federal Trade Commission's do-not-track proposal. A final report on the proposal and other guidance is expected sometime this year. Also expected is legislative action on privacy bills, including that of Rep. Bobby Rush (D-IL), and the introduction of bills by Sen. John Kerry (D-MA) and Rep. Ed Markey (D-MA). On the industry side, 2011 could see the evolution of the industry's ad-choice program to allow users to opt out of third-party tracking completely.
Full Story

DATA PROTECTION

Most Info Sec Budgets Unchanged for 2011 (January 4, 2011)

The Great Recession may have lingering effects on information security plans in 2011, SC Magazine reports. That's according to a recent survey that found 36 percent of respondents expect their budgets for IT security projects and data leakage prevention efforts to increase in 2011, compared with 41 percent in 2010. The Guarding Against a Data Breach survey, conducted by SC Magazine, ArcSight and research firm CA Walker, polled 468 information security leaders. Sixty percent expect their budgets to remain the same. Concerns about damage to the brand and compliance demands are top drivers for security planning, the report states.
Full Story

PRIVACY LAW—U.S.

Court: No Warrant Necessary for Searching Arrestees’ Cell Phones (January 4, 2011)

In a 5-2 decision on Monday, the California Supreme Court ruled that police can search arrestees' cell phones without a warrant, the San Francisco Chronicle reports. Based on 1970s-era U.S. Supreme Court decisions, the justices deemed that defendants lose certain privacy rights when taken into custody, the report states. But dissenting justices said that decades-old rulings should not be applied to data-heavy cell phones. The ruling lets police "rummage at leisure through the wealth of personal and business information that can be carried on a mobile phone or handheld computer," Justice Kathryn Mickle Werdegar said in dissent.
Full Story

PRIVACY LAW—U.S.

Four Companies Sued for History Sniffing (January 3, 2011)
A woman who recently sued a marketing company for invading her privacy has now filed suit against McDonald's, CBS, Mazda and Microsoft. Sonal Bose filed a complaint last week with the U.S. District Court for the Southern District of New York alleging that the four companies worked in concert with Interclick, which Bose sued several weeks ago, to track Internet users for marketing purposes. The new suit seeks class-action status and claims that the companies violated the federal computer fraud law, wiretap law and other statutes, MediaPost News reports.

PRIVACY LAW—RUSSIA

Russia Extends Deadline for Database Operators (January 3, 2011)

President Dmitry Medvedev signed into law a bill to amend the country's framework personal data protection law to, for a second time, postpone the implementation of certain data protection requirements, according to a December 27 presidential press-service statement. Medvedev signed Federal Law No. 359-FZ, which amends Article 25 of the 2006 framework "On Personal Data" law (Federal Law No. 152-FZ), garant.ru reports. The amendment moves the required compliance date for database operators from January 1, 2011, to July 1, 2011. Originally, the database requirement was set to take effect January 1, 2010. (Article in Russian.)
Full Story

PRIVACY LAW—U.S.

Mobile Apps Under Fire, Likely To Continue (January 3, 2011)

The Washington Post reports on recent lawsuits filed against Apple, Backflip, Dictionary.com, Pandora and the Weather Channel, among others. The suits claim users' data was shared without their knowledge and seek to prevent the applications from sharing ages, genders and locations of users as well as iPad and iPhone device identifying numbers. According to an InformationWeek article, a lack of laws defining privacy rights means it's likely there will be more suits like these. "Consumers are engaged in a marketplace, but it's not a fully informed market," said Dave Stampley of KamberLaw. Kevin Pomfret, a lawyer with LeClairRyan, said that in order to avoid a lawsuit, companies should carefully consider why they need consumer data and how they use it, adding, "Unfortunately, there's no clear-cut answer right now because of the uncertainty." (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY—U.S.

IAB, FTC Officials Discuss Do-Not-Track (January 3, 2011)

PBS features an interview with FTC Chairman Jon Leibowitz and Interactive Advertising Bureau General Counsel Mike Zaneis on their perspectives on the FTC's proposal for a do-not-track mechanism. Leibowitz explains, "what we have called for is the ability of consumers to be able to opt out of that kind of third-party cookie tracking." Cautioning about potential implications of do-not-track for the online industry, Zaneis suggests it would not mean significant changes in terms of consumer choice. He says industry already agrees that "we need to increase consumer transparency about what data collection processes are ongoing on the Internet."
Full Story

PRIVACY—CANADA

Manitoba Hires Privacy Adjudicator (January 3, 2011)

The Manitoba government has appointed its first information and privacy adjudicator, CBC News reports. Based on input from citizens on how best to allow for information access while protecting privacy, the government appointed Ron Perozzo, Manitoba's acting conflict-of-interest commissioner, who will help resolve access and privacy complaints, the report states. Perozzo will be able to issue binding orders to the government, school divisions or regional health authorities that do not follow the ombudsman's recommendations.
Full Story

DATA LOSS—U.S.

Honda Hack Exposes Personal Information (January 3, 2011)

American Honda has alerted millions of customers that their personal information was hacked. The information includes names, e-mail addresses and Vehicle Identification Numbers of 2.2 million U.S. customers, ZDNet reports. The data was reportedly hacked from a third-party company after it e-mailed customers who'd created accounts with the firm, the report states. The e-mail addresses of an additional 2.7 million Honda customers were exposed in a separate breach.
Full Story

ONLINE PRIVACY

The Privacy Year In Review (January 3, 2011)

The BBC looks at the year that was 2010 from a privacy perspective. Exploring high-profile breaches of the past year, the report considers the implications of government and private-sector privacy decisions for the future. It suggests that "an interesting twist in 2010's privacy story" is that while private-sector organizations have been taken to task on privacy issues, "governments seem intent on increasing their snooping powers." When it comes to social networking, Ian Brown of the Oxford Internet Institute says the environment "is designed to encourage people to share. Often the default setting is privacy-unfriendly." The report also suggests that personal information "is fast becoming the most important commodity online."
Full Story