Privacy News | Daily Dashboard

Breaking news. In-depth articles. Global coverage.

Save time searching the headlines for privacy news in the media. Get the latest breaking privacy and data protection news from around the globe all in one place—The Daily Dashboard. Our FREE daily e-newsletter summarizes the day’s top privacy stories with links to the full articles—sent directly to your desktop each weekday!


Top Privacy News

ONLINE PRIVACY

Headlines Inspire Opt-Out Technologies (February 28, 2011)

Concerns about privacy have prompted the creation of two start-ups that aim to provide online users with more choice. Following the news of a privacy breach at Facebook, a former Google engineer created a piece of software that disabled features that track browsing history, The Wall Street Journal reports. Within two weeks, 50,000 users downloaded the free application. Engineer Brian Kennish said he's since left Google so that he could create "Disconnect"--software to work with a wider array of sites' tracking devices or "widgets." The software also disables search engines from tracking users' Web movements. Meanwhile, a 19-year-old college student has started a company that allows users to opt out of tracking by 100 companies. (Registration may be required to access this story.)

PRIVACY LAW—NEW ZEALAND

Emergency Code Issued After Earthquake (February 28, 2011)

In the aftermath of the Christchurch earthquake, Privacy Commissioner Marie Shroff has issued an Information Sharing Code to allow emergency services to "share personal information as necessary to assist victims of the earthquake and their families." Voxy reports that the code will remain in effect for the next three months and will then be reviewed. "Although the Privacy Act already allows collection and disclosure of information in emergencies and for public safety, greater certainty will help everyone," Shroff said. The code is aimed at helping identify injured individuals, assisting with medical and financial needs, notifying families and making it possible for visitors to get home.

ONLINE PRIVACY

Companies Take Steps To Protect Privacy (February 28, 2011)

Internet companies are taking steps to address calls for stronger online protection for Internet users, The Wall Street Journal reports. Most recently, both Microsoft and Facebook have "moved to beef up and clarify their efforts around the thorny issue of online privacy," the report states, describing Microsoft's move to add a do-not-track tool to its services and Facebook's new draft of its privacy policy with more user-friendly information headings. "The new policy is much more of a user guide to how to manage your data," said Jules Polonetsky, CIPP, of the Future of Privacy Forum, which was consulted by Facebook. "You might actually want to read this thing." (Registration may be required to access this story.)

FINANCIAL PRIVACY—EU

MEPs Wary of SWIFT Happenings (February 28, 2011)

Members of the European Parliament are expressing concern that officials in charge of a financial data sharing agreement with the United States are withholding information about the now six-month-old arrangement, EUobserver reports. One Dutch MEP--Sophie in 't Veld--described behind-closed-doors meetings and stonewalling as "a symptom of a widespread culture of secrecy and reluctance to be held accountable." She warned that "There are more agreements coming up which need our consent. Not answering questions and dodging information requests is certainly not fostering mutual trust among EU institutions." Germany's data protection authority continues "to monitor with criticism the implementation of the agreement," according to the report.

BEHAVIORAL TARGETING—U.S.

IAB Requires Members To Comply (February 28, 2011)

In the midst of looming online tracking legislation, the Interactive Advertising Bureau (IAB) has voted to require all its members to sign a new code of conduct that includes compliance with the industry's self-regulatory principles, reports MediaPost. The IAB is giving members up to six months to follow the principles, which state that companies must provide clear notice of cookie-based behavioral advertising in at least two places and must obtain user consent--though it may be on an opt-out basis--in order to track. Companies that fail to comply face a six-month suspension and possible FTC sanctions, the report states.

HEALTHCARE PRIVACY—AUSTRALIA

APF Concerned About E-Health Implementation (February 28, 2011)

The head of the Australian Privacy Foundation says that patients' medical data is vulnerable because e-health projects are being planned absent their input, The Australian reports. "Because consumer representatives have had so little input, there's a very strong chance sensitive data will be compromised, and the system won't suit people's needs," says Roger Clarke, who adds that consumer engagement only began in January. A health department spokeswoman said that consultations with consumers and privacy groups have been "constructive," and "The government is serious about a personally controlled system in which privacy protections will be a key element."

PRIVACY LAW—INDIA

Gov’t Publishes Draft Rules (February 28, 2011)

The Ministry of Communications and Information Technology has proposed three draft rules that would implement the Information Technology Act, 2000, reports the Hunton & Williams Privacy and Information Security Law Blog. The rules include Reasonable Security Practices and Procedures and Sensitive Personal Information, which covers information processed in India no matter its origin; Due Diligence Observed by Intermediaries Guidelines, which requires intermediaries to notify computer resource users of unethical and unsafe online activities and to police these actions; and Guidelines for Cyber Cafés. The rules are open for comment through today, and according to the report, the U.S. Department of Commerce is considering submitting comments on behalf of the U.S. government.

ONLINE PRIVACY

Start-Ups Capitalize on Data as Currency (February 28, 2011)

Entrepreneur Shane Green's company allows people to personally profit from providing companies with their personal data, which he says has become "a new form of currency." His company is one of about a dozen start-ups aiming to capitalize on privacy as marketers increasingly rely on personal data for targeted ads, The Wall Street Journal reports. One London real estate developer now offers to sell people's personal information on their behalf and give them 70 percent of the sale, the report states, while others offer products to help block online tracking or charge to remove users from marketing databases. One entrepreneur said while "privacy" was a hard sell as of two years ago, investors are now quick to jump at opportunities. (Registration may be required to access this story.)

ONLINE PRIVACY—U.S.

Despite Tracking Concerns, Investments Continue (February 28, 2011)

The Wall Street Journal reports that in spite of ongoing concerns about tracking and a push for legislation to regulate online advertising, companies that specialize in this kind of tracking continue to secure venture capital investments. "Since 2007, venture firms as a group have invested $4.7 billion in 356 online ad firms," the report states, increasing at a rate of 29 percent last year alone. While a Jafco Ventures partner suggests, "Advertisers want to buy individuals. They don't want to buy (Web) pages," Chris Fralic of First Round Capital says privacy concerns can influence investment decisions. As he puts it, "What I look for are the consumers raising their hands" against having their privacy compromised. (Registration may be required to access this story.)

HEALTHCARE PRIVACY—U.S.

$1 Million HIPAA Settlement Announced (February 25, 2011)

HealthLeaders Media reports on a settlement by a Massachusetts-based hospital for alleged HIPAA violations. Massachusetts General Hospital and Department of Health and Human Services Office of Civil Rights (OCR) officials announced yesterday that the hospital has agreed to pay $1 million to settle allegations that an employee's loss of information on about 192 patients of the hospital's Infectious Disease Associates on a subway was a potential HIPAA violation. "We hope the healthcare industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement," said OCR Director Georgina Verdugo. "It is a covered entity's responsibility to protect its patients' health information." The hospital has also agreed to create comprehensive policies to protect patient privacy.

ONLINE PRIVACY

Interclick Launches Video, Fights Lawsuit (February 25, 2011)

In the midst of a lawsuit and a heightened global focus on online behavioral tracking, behavioral ad network Interclick this week launched a video ad platform. MediaPost reports that the feature is integrated into Interclick's data valuation platform, meaning marketers can "quantify the impact of video on display and vice versa," said company CEO Michael Katz. Meanwhile, the company was recently sued for violating a New York woman's privacy by using history-tracking technology. A do-not-track bill in front of Congress, if passed, would allow Internet users to choose not to be tracked, making it harder for companies like Interclick to market. Interclick has responded by appointing two media veterans to its board.

ONLINE PRIVACY

Governing Body Accepts Microsoft Tracking Proposal (February 25, 2011)

The World Wide Web Consortium (W3C), the governing body for HTML5, has accepted Microsoft's tracking opt-out proposal to protect consumer privacy, PCWorld reports. Microsoft's Tracking Protection allows users to choose not to be tracked on the Web by blocking the content that does the tracking, the report states. Internet Explorer's corporate vice president, Dean Hachamovitch, said online privacy is a high priority for consumers and governments around the world. Ashkan Soltani, a privacy and security researcher, called Microsoft's release of the program "a great move" that demonstrates the company's recognition "that for this to work, you want both technology and policy to work in tandem."

PRIVACY LAW—FRANCE

AFCDP Report Finds Lack of Compliance (February 25, 2011)

The French Association of Data Protection Officers (AFCDP) has determined that 82 percent of organizations do not abide by the French Data Protection Act. The AFCDP's annual report for 2011, published last month, found that just 18 percent of responding organizations addressed information access requests in a "legally satisfactory manner," Monique Altheim writes, adding, "This very useful survey by the AFCDP illustrates how the passing of data protection acts alone is totally useless unless these laws actually get enforced," questioning that "if legislation does not even guarantee significant compliance, what kind of compliance will 'self-regulation' achieve?" The AFCDP's Bruno Rasle told the Daily Dashboard that most individuals are not familiar with the right of access, "So it is not, until now, very often used," and "organizations are not 'trained' to handle it when it occurs." Rasle explained that the French press only began writing on this right last year, "but things change. Our results show the presence of a CIL (French version of DPO) provides better quality response. For AFCDP, it is a strong sign: Someone is needed to handle the subject/do the job, and the DPO is the right man. And since we've started this index, we see a lot of improvements--thanks also to the CNIL's onsite audits and penalties. We are confident we are going to see major improvements in the near future."

PRIVACY LAW—INDIA

Supreme Court: Technology is Diluting Privacy (February 25, 2011)

The Supreme Court said Thursday that with the march of technology, privacy is "virtually disappearing," Sify finance reports. The observation follows Tata Group Chairperson Ratan Tata's call for a law to prevent the invasion of individuals' privacy. Last year, a call between Tata and a corporate lobbyist was leaked to the media, prompting Tata to call on the Supreme Court to investigate the leak and stop the conversation's publication. Senior Counsel Harish Salve said to the court that "if the government had the right to snoop on the citizen's privacy in the national interest, then it also had a corresponding responsibility of guarding these intercepts from public gaze," the report states.

CHILDREN’S PRIVACY—U.S.

Art Contest No Longer Requires SSNs (February 25, 2011)

USA TODAY reports on Google's decision to stop asking children's parents to submit partial Social Security numbers (SSNs) for a drawing contest. "Doodle 4 Google" asked students in grades K through 12 to submit a drawing under the theme, "What I'd like to do today," and asked parents to submit information about their children, including the last four digits of their SSNs. Bob Bowdon, a documentary filmmaker, said birthdates and city of birth can be combined to "statistically guess" an SSN's first five digits. Consumer Watchdog wrote to Reps. Ed Markey (D-MA) and Joe Barton (R-TX) asking that they question Google on why it collected the SSNs and about its data storage and access policies.

PRIVACY LAW—EU

European Council Calls for Cost Assessments on Proposed Changes to Directive (February 25, 2011)

Daily Dashboard Exclusive

The European Council has shared its opinion on the review of the European Data Protection Directive. During meetings yesterday and today in Brussels, council officials expressed general support for the review, while also outlining areas of concern and further study. Patrick Van Eecke of DLA Piper in Brussels told the Daily Dashboard that while the council generally supports the review, "it seems to be concerned about costs of compliance." The council has advised the European Commission to conduct cost analyses of the proposed changes before actually making them. The council also made recommendations concerning minors, categories of "sensitive data" and the right to be forgotten, among others.

European Council Calls for Cost Assessments on Proposed Changes to Directive (February 25, 2011)

The European Council has shared its opinion on the review of the European Data Protection Directive. During meetings yesterday and today in Brussels, council officials expressed general support for the review while also outlining areas of concern and further study.

The European Council comprises the national governments’ justice and home affairs ministers. It is one of several entities that have weighed in during the consultation period on the European Commission’s proposed review of the 1995 Data Protection Directive. The Article 29 Working Party issued its opinion last month.

Patrick Van Eecke of DLA Piper in Brussels told the Daily Dashboard that the European Council agrees with the European Commission’s stance that the directive’s basic principles are still valid, but that there is a need for fine tuning in order to address technological and business developments.

Concerns about costs

While the European Council generally supports the review, Van Eecke says “it seems to be concerned about costs of compliance.”

The council has advised the European Commission to conduct cost analyses of the proposed changes before actually making them, Van Eecke says. “What the council is saying is that proposing privacy by design, for example, is good, but first find out what the costs would be for companies to do it.”

On minors, seals and sensitive data

The council has also urged the European Commission to pay special attention to minors to make sure they are receiving data protection notifications in a way that makes it easy for them to understand what is happening with their data.

“The council put a lot of thought into the proposal,” Van Eecke says. “The ministers really tried to consider things that were not taken into account by the commission.”

For example, the council proposes adding categories under the term “sensitive data.” The council wants biometric and genetic data added under this umbrella.

The council also expressed support for the use of privacy seals.

“This is important,” Van Eecke says, “because it brings us closer to a kind of certification scheme. Although seal programs would be self-regulatory, they would serve to compel companies to comply.”

The council wants such programs to be developed in conjunction with industry stakeholders.

Applicability and oblivion

The council also asked the European Commission to take a closer look at the applicability of law within the European Union. Currently, it is not clear which national law applies to a data...

DATA PROTECTION—EU

Hustinx Discusses Sanctions, Incentives (February 25, 2011)

At an event in Frankfurt this week, European Data Protection Supervisor Peter Hustinx said that stricter sanctions for violations and a collective redress mechanism could improve compliance with data protection regulations, reports mlex.com. He pointed to the types of fines levied in antitrust cases as an example of what could work for data protection, saying, "anticompetitive fines can range in the millions, and if it is a big wrongdoing, that is probably what it takes to make (enforcement) more effective." When it comes to incenting firms to comply, Hustinx suggested, "if accountability for data protection was linked to being registered on a stock exchange, and the board needs to be sure that it has to be correct, there is a stronger incentive to seek compliance." (Registration may be required to access this story.)

FINANCIAL PRIVACY—EU & U.S.

Bank Data Transfer Details Withheld (February 24, 2011)

Six months after the Terrorist Finance Tracking Agreement between the EU and the U.S. came into effect, PCWorld reports that both the European Commission and Europol are not releasing details on the number of U.S. requests for data that have been received and approved. When the agreement came into place, EU Commissioner Cecilia Malmström was quoted as pledging "complete transparency as far as access and use of data are concerned" as well as "access to appropriate tools and redress procedures to ensure that privacy is protected." While Europol has said such questions must be answered by the commission, the commission's response has been that neither it, nor Europol nor EU Member States "have the power to bindingly interpret the agreement."

PRIVACY—EU

Report Explores Privacy Pros’ Public Roles (February 24, 2011)

A Financial Times article looking at the importance of privacy officers features the work of Accenture Data Privacy Director and IAPP Board Chairman Bojana Bellamy. With new data protection legislation in the works, the report details a push by some in the EU to make the role of chief privacy officer mandatory in all large organizations. Privacy, Bellamy said, "has become unavoidable for business...Strategically, you need to be seen to care about it." Christopher Kuner of Hunton and Williams agreed, noting, "Data is the raw material for many companies...You have to have procedures when handling private information like you need to have procedures when handling chemicals." (Registration may be required to access this story.)

PRIVACY LAW—SWITZERLAND

Commissioner Wants Safeguards Ahead of Street View (February 24, 2011)

Switzerland's data protection commissioner wants Google to manually blur sensitive images stored on its Street View mapping feature, The Wall Street Journal reports. The Swiss Court heard arguments on the yearlong ban of the service today and will make a decision on whether to lift the moratorium in coming weeks. Commissioner Hanspeter Thür has asked that license plate numbers, faces, hospitals and women's shelters be blurred. "I don't want a ban of Google Street View," Thür told the Swiss Court. "But in the present form, Google Street View breaches basic principles of privacy." Google lawyers have asked that the ban be lifted. Manually blurring images is too costly, and the feature does so automatically, they said. (Registration may be required to access this story.)

PRIVACY LAW—UK

BMA Calls for Redrafting Healthcare Legislation (February 24, 2011)

The British Medical Association (BMA) is appealing to Health Minister Simon Burns to redraft legislation that it believes undermines a patient's right to confidentiality. The Telegraph reports that the legislation allows certain government bodies and local authorities to access sensitive medical data without patient consent. Vivienne Nathanson, head of science and ethics at the BMA, said, "The government has decided to place its desire for access to information over the need to respect patient confidentiality," adding that the legislation would "undermine the bond of trust between doctors and their patients and could have appalling consequences." A Department of Health spokesman said, "The bill does not change any of the existing legal safeguards, which are set out in the Data Protection Act and the common law of confidence."

PRIVACY LAW—U.S.

Rep. To Introduce Children’s Do-Not-Track Bill (February 24, 2011)

A U.S. representative who sponsored the Children's Online Privacy Protection Act of 1998 (COPPA) may soon introduce a comprehensive children's privacy bill that will include a do-not-track feature. A spokesman for Rep. Edward Markey (D-MA) says the legislation is being drafted and should be ready early this year. Markey has said new legislation is needed to address the impact of the Internet "as well as online tracking on kids," ClickZ reports, and the bill comes as the FTC reviews its COPPA rules. Markey's legislation will join other recently introduced online privacy bills, including a proposal by Rep. Jackie Speier (D-CA) and one by Rep. Bobby Rush (D-IL).

HEALTHCARE PRIVACY—U.S.

Study Examines E-Health Risks (February 24, 2011)

CNBC reports on a new study examining the potential privacy and security risks of healthcare information as the move toward electronic health records (EHRs) continues. The new report, "Privacy and Security in Health Care: A Fresh Look," which was released this week by the Deloitte Center for Health Solutions, recommends steps to reduce privacy breach threats. The report looks at the reasons behind lack of privacy preparedness in some healthcare organizations, and as Deloitte's Russ Rudish suggests, such organizations should "conduct a senior management-led, board-approved audit of privacy and security risk and plan to make enhancements in support of current policies, rules and regulations."

PRIVACY LAW—U.S.

Bill Would Require CISOs in Federal Agencies (February 24, 2011)

Gov Info Security reports that the E-Government Act, currently in front of Congress, would require federal agencies to designate a senior officer as chief information security officer (CISO) and lays out the responsibilities of that position. Sponsored by the leaders of the Senate Homeland Security and Governmental Affairs Committee, the bill states that the CISO would oversee agency security operations and report annually to the agency head. The CISO would also, with the federal CIO, "establish, maintain and update an enterprise network, system, storage and security architecture" to be accessed by a newly created National Center for Cybersecurity and Communications.

PERSONAL PRIVACY—U.S.

Employee Asked to Provide Facebook Password (February 24, 2011)

The Baltimore Sun reports on a Maryland corrections officer's complaint to the American Civil Liberties Union after he was asked to provide details about his Facebook page to employers. The man says that after taking a leave of absence and then reapplying for his job, the state Division of Corrections asked him to provide his Facebook password and then watch as his employers surveyed his personal page and postings. The Division of Corrections has suspended the practice for 45 days "so it can be studied further," a spokesman said, adding that it's in place to ensure employees aren't affiliated with gangs.

HEALTHCARE PRIVACY—U.S.

Privacy Experts: $4.3M OCR Penalty Sends Strong Message (February 23, 2011)

Privacy experts and patient rights advocates are hailing a decision by the U.S. Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) to impose a civil monetary penalty of $4.3 million against Maryland-based Cignet Health for violations of the HIPAA Privacy Rule. In a Daily Dashboard exclusive, three experts in their fields discuss this first penalty of its kind for such HIPAA privacy violations. As Kirk Nahra, CIPP, of Wiley Rein LLP put it, "This is the biggest HIPAA enforcement action that has been taken to date and may signal a new enforcement approach...HHS has shown itself to be very reasonable in addressing its HIPAA investigations so far, but it's clearly a really bad idea to ignore or not cooperate with an investigation."

ONLINE PRIVACY—ISRAEL & SWITZERLAND

Mapping Feature Expands, Authorities Concerned (February 23, 2011)

As Google moves forward with plans for its Street View mapping feature in Israel and Switzerland, authorities are voicing concerns. Bloomberg reports the company will soon photograph 218 miles of the Swiss Alps for the feature, despite a pending court challenge. A hearing is scheduled for February 24 after Switzerland's data protection officer argued in 2009 that Street View's privacy safeguards were insufficient. Google has agreed not to post new photos in Switzerland until a ruling has been made and said it has made improvements, the report states. The company has also met with Swiss data protection officials. Meanwhile, as Google plans to launch Street View in Israel, officials are concerned about potential uses of the images.

ONLINE PRIVACY—U.S.

Research: Consumers Want Transparency, Control (February 23, 2011)

MediaPost reports on recent research indicating that when it comes to online privacy, what consumers want is security and control. Ball State University's Center for Media Design found that "the notion of privacy is actually 'situational' and depends on the context of the consumer, the nature of their information being tracked and the organizations that are tracking it," the report states. With a focus on how consumers--rather than advocacy, industry or regulatory groups--react to online tracking, the first round of research found that college students surveyed are concerned about online tracking, but the focus is "not about privatizing their information. It's about keeping it secure."

HEALTHCARE PRIVACY—U.S.

HITECH Regulation Changes En Route (February 23, 2011)

Financial penalties for single privacy and security violations will be increased to $50,000 per violation with a maximum fine of $1.5 million under final HITECH privacy, security and breach notification rules, Health Data Management reports. Adam Green, senior health IT and privacy advisor at the HHS Office for Civil Rights (OCR) says changes to the current rules will be made under the OCR's authority, will arrive in 2011 and "need to be revised to reflect the more widespread use of electronic data and electronic health records." Besides steeper fines, key changes the OCR aims to implement include direct liability for business associates and subcontractors and restrictions on the use of patient data for marketing and fundraising, the report states.

PRIVACY LAW—CANADA

How Much Privacy Should We Expect at Work? (February 23, 2011)

Any electronic correspondence sent at the workplace should be considered about as private as a postcard. That's the message from the head of Quebec's Privacy Commission, Jean Chartier, who recently advised that a "computer screen is not a wall that you can hide behind." A case set to unfold this week before Montreal's city council illustrates the lingering question surrounding how much privacy an employee can expect at work, The Montreal Gazette reports. A city employee claims to have been spied upon by officials who say they investigated the employee based on allegations of misconduct. Employees must work within the employer's guidelines, Quebec's privacy commission warns.

CHILDREN’S PRIVACY—U.S.

Kids Contest Could Unlock SSNs (February 23, 2011)

New York Magazine reports on an art contest for kids that collected personally identifiable data. "Doodle 4 Google" asked students in grades K through 12 to submit a drawing under the theme, "What I'd like to do today." Along with the submission, the parental consent form asked parents to submit their child's city of birth, date of birth and last four digits of their Social Security number (SSN). Bob Bowdon, a documentary filmmaker, said information such as birthdates and city of birth can be used to "statistically guess" an SSN's first five digits, unlocking "countless troves of personal information from someone" without their knowledge. The FTC was notified of the practice. Google has since stopped collecting the SSN data.

PRIVACY LAW—U.S.

Ad Industry Slams Do-Not-Track Proposal (February 23, 2011)

The public comment period on the FTC's "Protecting consumer privacy in an era of rapid change: A proposed framework for businesses and policymakers" report has ended, and the reactions are varied. Industry groups, for example, are among those opposing calls for a do-not-track mechanism to improve consumer privacy online. InformationWeek reports on the assertion by industry groups that the FTC's proposal would "wreck the ability of Web sites to provide personalized content." The Interactive Advertising Bureau, which suggests "a do-not-track program would require reengineering the Internet's architecture," is instead recommending self-regulation for online advertising.

ONLINE PRIVACY

A Gift With a Price? (February 23, 2011)

According to Andrew McAfee, principal research scientist at MIT's Center for Digital Business, an iTunes gifting policy may violate the U.S. Video Privacy and Protection Act which bans the disclosure of rental records without customer consent. The iTunes Store allows users to give up to 100 songs to a person using only the recipient's e-mail address and then notifies the giver if that person has duplicates of any of the songs in their playlist, reports PCWorld. McAfee points out that e-mail addresses are often easy to guess, and Apple doesn't require users to log in to their account or give payment card information to use the service. "This strikes me as problematic," McAfee wrote, adding that scanning a person's playlist could take a while, but the process could be automated.

Advocates, Experts: OCR’s First Civil Monetary Penalty Sends Message (February 23, 2011)

By Jennifer L. Saunders

Privacy and patient rights experts are hailing the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announcement that it has imposed a civil monetary penalty of $4.3 million against Maryland-based Cignet Health for violations of the Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA)--the first such penalty issued for HIPAA privacy violations.

In announcing the fine, HHS Secretary Kathleen Sebelius said, “Ensuring that Americans’ health information privacy is protected is vital to our healthcare system and a priority of this administration,” noting that HHS “is serious about enforcing individual rights guaranteed by the HIPAA Privacy Rule.”

In its Notice of Final Determination, the OCR found that Cignet violated the rights of 41 patients when it denied them access to their medical records despite the HIPAA provision that covered entities provide patients with copies of their medical records no later than 60 days from receipt of a request.

The OCR's investigation of those patients' complaints resulted in a $1.3 million penalty. However, the overall penalty was increased to $4.3 million because "Cignet refused to respond to OCR's demands to produce the records. Additionally, Cignet failed to cooperate with OCR's investigations of the complaints and produce the records in response to OCR's subpoena. OCR filed a petition to enforce its subpoena in United States District Court and obtained a default judgment against Cignet on March 30, 2010. On April 7, 2010, Cignet produced the medical records to OCR, but otherwise made no efforts to resolve the complaints through informal means," according to an OCR media release.

Kirk Nahra, CIPP, of Wiley Rein LLP discussed the implications of the decision with the Daily Dashboard.

“This is the biggest HIPAA enforcement action that has been taken to date and MAY signal a new enforcement approach. The underlying violations, related to access to medical records, seem relatively minor--or at least seem to be similar to complaints that have been lodged against other companies without previous penalties being issued. What seems to be different here is both the finding of ‘willful neglect’ on the original compliance steps and the apparent stonewall that was thrown up in the face of the investigation,” Nahra explained. “HHS has shown itself to be very reasonable in addressing its HIPAA investigations so far,...

PRIVACY LAW—U.S.

Leibowitz: To Avoid Regulation, Act Now (February 22, 2011)

In a Q&A with Multichannel News, FTC Chairman Jon Leibowitz notes that while he is encouraged by companies' efforts to date to provide better online privacy protection, industry needs to do more to ensure it is doing what is right for consumers. To avoid the threat of regulation, Leibowitz recommends that ISPs and advertisers give consumers "more choice and transparency and more privacy protection." Noting that he expects the move toward privacy legislation to accelerate as privacy bills are introduced in the U.S. Congress, he recommends that industry take action quickly. "I guess I would say that the business community really has it in its hands to avoid regulation, it just has to step up to the plate," he said.

PRIVACY LAW—AUSTRALIA & U.S.

Nations Look To Retain Data for One Year (February 22, 2011)

Talks between the U.S. and Australia could result in Internet service providers (ISPs) retaining data on users for one year. The talks, slated for July, aim to align data retention periods between the two countries and Europe, ZDNet reports. Though some European nations suggest retaining data for five years--an idea being considered under the European Convention on Cybercrime--both the U.S. and Australia believe that is too long, according to Australian Attorney-General Robert McClelland. McClelland added that governments have a "strong obligation" to balance the scope of data retention against law enforcement's need for data to solve crimes.

BEHAVIORAL TARGETING—U.S.

Opinion: Privacy By Design for TV, Online Media (February 22, 2011)

MediaPost examines the possibility that federal regulators' scrutiny of online advertising could extend to the television medium. "As new technologies evolve to tell us more about who's watching what, it seems highly likely to me that one of these days some flavor of 'do not track' will be applied to the television platform," Mark Lieberman writes. Lieberman discusses the importance of incorporating privacy-by-design principles into industry transitions, noting that privacy is not "something you can easily add after the fact...and if you deal with consumer data in any form, it needs to be considered part of everything you do."

RFID—EU

Working Party Approves Self-Regulatory Proposal (February 22, 2011)

The Article 29 Working Party has approved an industry proposal for a privacy and data protection impact assessment framework for RFID self-regulation. Although it rejected a series of drafts, including a March 31, 2010, proposal that contained only "scattered references" to risk assessment, industry reworked its proposal and submitted its latest version, the Revised Framework, on January 12. The industry proposal was developed at the request of the European Commission, which issued a recommendation in 2009 on the implementation of privacy and data protection principles in applications supported by RFID. In its February 11 opinion, the Article 29 Working Party endorsed the revised framework.

SURVEILLANCE—ISRAEL

Street View To Launch (February 22, 2011)

The Israeli Justice Ministry's Law, Information and Technology Authority will hold an open hearing to receive feedback from residents on Google's Street View mapping feature, which will begin operating in Israel soon. Attorney Yoram Hacohen, head of the authority, recently discussed the privacy and security implications and how residents can protect themselves, Haaretz.com reports. The authority will give Google guidelines on privacy safeguards, Hacohen said, adding that the mapping service blurs details such as license plates and faces, and residents may request that photos of their homes be blurred. The public must be informed of filming and has the right to request removal from the Street View database, he said.

PRIVACY LAW—U.S.

States Respond to FTC Online Privacy Report (February 22, 2011)

Fifteen states have submitted comments on the FTC's December 2010 staff report, "Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers," The Gov Monitor reports. The states encourage the FTC to "adopt an approach to information security that takes into account the size, scope and resources of businesses" and have highlighted state statutes and regulations "that codify a set of reasonable safeguards," the report states. The states advocate state-level enforcement authority and stress the need to protect medical and health information, require opt-in consent for geo-tracking and implement strong safeguards to protect children's online privacy.

PRIVACY LAW—KOREA

Expert Discusses New Data Protection Draft (February 22, 2011)

Korea JoongAng Daily reports on a new version of the Data Protection Act currently before the Korean National Assembly and on experts' calls for reform. Prof. Park Whon-il describes the history of Korea's data protection legislation and the effect of current technological advances, which have extended personal information from "the data of a living person such as character, voice, sound and image...to include data such as e-mail addresses, credit card numbers and log files." With the proposed revisions to the act aimed at regulating both the public and private sectors, Park notes the importance of an independent data protection authority and of provisions for breach notification.

DATA LOSS—U.S.

FINRA Imposes $600K Fine on Lincoln National Units (February 18, 2011)

The Financial Industry Regulatory Authority (FINRA) has reached an agreement with Lincoln Financial Securities Inc. (LFS) and Lincoln Financial Advisors Corp. (LFA) over inadequate data security, the Associated Press reports. FINRA fined the broker-dealer and financial advisory firms a combined $600,000 for allowing employees to "use shared usernames and passwords to access customer records from any Web browser on any network" and other inadequacies, the report states. FINRA fined LFS $450,000 and LFA $150,000.

PRIVACY LAW—U.S.

Plaintiff Tries Again in Data Aggregator Suit (February 18, 2011)

A Virginia resident is again trying to bring a class-action lawsuit against online data aggregator Spokeo after his first complaint was dismissed last month by a federal judge, MediaPost reports. The judge ruled that Thomas Robins had not "adequately alleged" that he was harmed by incorrect information published about him--including age, marital status and field of employment--on the site. In new papers filed Wednesday, Robins says such inaccuracies have hampered his job search. Another plaintiff has filed a federal lawsuit in the Northern District of California, which is pending, while privacy advocates argue Spokeo's practices violate the federal Fair Credit Reporting Act.

PRIVACY LAW—INDIA

Chairman Calls for Privacy Legislation (February 18, 2011)

Tata Group Chairman Ratan Tata has called for a law to prevent the invasion of individuals' privacy, The India Times reports. The call follows an incident last year in which Tata's private conversation with a corporate lobbyist was leaked to the media. Tata implored the Supreme Court to look into the leak and stop its publication. Tata says wiretapping and the publishing of such taps pose grave dangers to India, the report states. "There should be a law against invading people's privacy, unless it's for an investigative purpose," Tata said.

BEHAVIORAL TARGETING—EU

Cybersecurity Agency Releases Cookie Paper (February 18, 2011)

ENISA, the EU's cybersecurity agency, has published a paper on the privacy and security concerns raised by new types of online cookies. ENISA says "both the user browser and the origin server must assist informed consent and that users should be able to easily manage their cookies," according to a press release. The agency urges privacy protections for users such as informed consent, easy-to-use and easy-to-understand cookie management, prohibition or limitation of cookie storage outside the browser's control and alternative service channels for users who do not accept cookies. ENISA's executive director said of the new generation of cookies, "Much work is needed...to safeguard the privacy and security aspects of consumers and business alike."

DATA PROTECTION

PCI Council Launches Training Program (February 18, 2011)

The PCI Council today begins its series of training programs intended to educate practitioners on the Payment Card Industry Data Security Standard (PCI DSS). Council General Manager Bob Russo told Info Security that the courses "cover all PCI basics, including how the payment system operates straight through to how PCI works and why it is important to be compliant." Offerings include in-person sessions as well as online training, and according to Russo, there will likely be supplemental guidance throughout the year. Version 2.0 of the PCI DSS went into effect last month, and merchants have one year to comply with the new standard. "We can say confidently that (PCI compliance) is the best defense you will have against a breach, but by no means is this the ceiling," said Russo.

DATA LOSS—HONG KONG

Lost Flash Drive Contains Patient Records (February 18, 2011)

An occupational therapist at Kwai Chung Hospital lost her personal USB flash drive containing the medical records and reports of 59 patients, News.gov.hk reports. The flash drive was not protected by encryption or a password. The hospital is investigating the loss and has notified the Hospital Authority and the Office of the Privacy Commissioner for Personal Data. The flash drive disappeared on February 16.

FINANCIAL PRIVACY—U.S.

Pugh: Data Disposal Strategy Needed (February 18, 2011)

In Wall Street & Technology, Harry Pugh explores the challenges the finance sector faces in satisfying privacy regulations, noting that "adhering to the letter and spirit of the Dodd-Frank Act requires financial services firms to do a far better job of knowing what information they have and where it is." While the disposal of information also creates potential concerns, he writes that it is essential "to develop a practical strategy for disposing of the mountains of information that have no legal obligation, regulatory requirement or business value," which can account for as much as 50 percent of stored data. Pugh offers tips for "achieving defensible disposal" and advocates C-suite support for information governance processes.

PRIVACY LAW—AUSTRALIA

Supreme Court: Internet Data Could Prevent Fair Trial (February 18, 2011)

The Australian Supreme Court has ordered newspapers to delete certain articles from their Web sites, saying that they could impact the fairness of an upcoming trial, The Age reports. The jurors on the trial will also be ordered to refrain from reading about or discussing the case, but "The confidence in the integrity of the jurors does not mean the court should not protect them from incidents that put their integrity to the test," said Justice Derek Price. One publishing executive described the decision as "the modern equivalent of burning books," and a civil liberties advocate said the order appears to "discriminate against the Internet because courts never ordered the removal of a microfiche from every library in the state."

PRIVACY LAW—U.S.

Suit: Sharing Device IDs Violates Privacy (February 17, 2011)

MediaPost reports on the most recent potential class-action suit against Apple and 11 outside companies for allegedly violating the privacy of iPhone and iPad users. The suit is the fourth case of its kind and was filed in U.S. District Court in California on Tuesday. It alleges the company violated federal and state laws and contends that users did not authorize Apple to share their devices' unique identifiers with application developers and other parties. However, the report states, it remains to be seen "whether courts will rule that transmitting a unique device number--as opposed to a name or street address--raises any privacy issues."

ONLINE PRIVACY—EU & U.S.

Consumer, Industry Needs Create Balancing Act (February 17, 2011)

European Voice explores the balance between online advertisers' ability to track consumers and Internet users' privacy concerns with regard to personal data, which one European commissioner has described as the "currency of the digital world." The European Commission has suggested that building consumer confidence about data use will only help the online industry. The report examines the potential for new laws and recent efforts by Internet companies to prove that self-regulation can work. As the U.S. considers new regulations--and the EU plans to update its 26-year-old data protection directive--one consumer advocate notes, "Legislation needs to be kept flexible and general because we don't know where we will be, even in six months' time."

PRIVACY LAW—FRANCE

CNIL Announces Data Processing Exemption (February 17, 2011)

The French Data Protection Authority (CNIL) has published its Deliberation No. 2011-023, which IT Law Group reports should make reporting requirements less onerous for companies that have no operations in France but use subcontractors or cloud providers there to process data. The French Data Protection Law requires companies to file with CNIL and, in some cases, obtain authorization in advance. Under the new declaration, payroll processing, workforce management and the management of databases of clients and prospects for personal data collected outside of France will be exempt from the filing requirement, provided the data is returned to the data controller, or another specified recipient, "for the benefit of the data subject," the report states.

PRIVACY LAW—U.S.

Body Scanner Legislation Gains Momentum (February 17, 2011)

Sen. Charles Schumer's (D-NY) proposed legislation on airport body scanner images was unanimously accepted as an amendment to the FAA Reauthorization Bill being considered by the Senate, The Consumerist reports, which means the legislation "is virtually guaranteed to pass." Schumer's bill, the Security Screening Confidential Data Privacy Act, would make distributing scanned body images illegal and punishable by up to one year in prison or a $100,000 fine. Schumer said his bill sends a message to the public that both safety and privacy are being considered and that, as new technologies are incorporated, "we need to do everything we can to protect the privacy rights of the air travelers."

HEALTHCARE PRIVACY—UK

Researcher: Anonymization Not Enough (February 17, 2011)

The use of medical records for research is a polarizing topic, with some believing current patient consent requirements hamper life-saving discoveries. But research associate Dr. Lindsey Brown argues in The Guardian that patient privacy is crucial within the National Health Service (NHS) and that consent is the only solution. Legally, patient records may only be accessed with special government permission, if the data has been "pseudonymized," or with explicit patient consent. However, "pseudonymized" data can still be re-identified, Brown writes, rendering it "personal data" and therefore subject to EU and UK consent requirements. "There are serious public concerns over the use of patient records without individual consent. Public trust in the NHS could be threatened unless there's a response to calls for transparency and accountability," Brown writes.

PERSONAL PRIVACY—U.S.

FERC Report Cites Smart Grid Privacy Concerns (February 17, 2011)

The Federal Energy Regulatory Commission (FERC) this month released its biannual report, which includes questions about smart meters and privacy. The report outlines concerns about consumer data privacy as companies continue to deploy new technologies and customers, unsure of the purposes and uses of such technologies, push back. "The existing business policies and practices of utilities and third-party smart grid providers may not adequately address the privacy risks created by smart meters and smart appliances," the FERC report states. Jeff St. John writes in GigaOM that this year may be the year that "smart grid privacy finally becomes a must-do, rather than an oft-talked-about, subject."

DATA LOSS—U.S.

West Virginia AG Acts on Medical Breach (February 17, 2011)

West Virginia's Attorney General's Office (AG) is assisting the Charleston Area Medical Center (CAMC) in informing patients of a vulnerability on one of its servers. According to TMCnet.com, the vulnerability exposed the names, contact details, Social Security numbers and dates of birth of about 3,655 patients, along with certain basic clinical information about some of them, to online searches. CAMC has removed all the data from the Internet, and while the information was accessed 94 times, there have been no reported instances of identity theft. CAMC is offering those affected free credit monitoring and credit bureau security freezes and has set up a toll-free number to answer questions. The AG's office will be monitoring the situation for possible instances of identity theft.

PRIVACY—CANADA

Denham to Address Privacy and Security Leaders (February 17, 2011)

BC Privacy Commissioner Elizabeth Denham was scheduled to deliver a keynote at the 12th annual Privacy and Security Conference in Victoria. The event gathers leaders in the privacy and security fields from both the public and private sectors to discuss the latest policies, programs and technology in the field, the Victoria Times Colonist reports. The two-day event, "Security and Privacy: Is There An App for That?" will feature Denham's talk on the value of privacy as well as keynotes from Brian Contos of McAfee; Chris Swecker, a retired assistant director at the FBI; and BC Chief Information Officer Dave Nikolejsin.

PRIVACY LAW—U.S.

Lawmakers to FCC: Investigate Street View Incident (February 17, 2011)

Two legislators are asking the Federal Communications Commission (FCC) to conduct a full investigation into Google's collection of Wi-Fi data, The Hill reports. Reps. Mike Rogers (R-MI) and John Barrow (D-GA) yesterday sent a letter to the FCC asking that the commission seek answers on the incident. "...Americans have a right to know the relative facts of its Wi-Fi data collection activity known to U.S. consumers, regardless of whether the FCC finds a technical violation of the law. Earlier letters and investigations have not resulted in any action, leaving American consumers with little information about Google's conduct," Rogers said.

PRIVACY LAW—U.S.

Have a Question for Senator Franken? (February 17, 2011)

On Tuesday, the Daily Dashboard reported on Sen. Al Franken's (D-MN) appointment to chair the new Senate Judiciary Subcommittee for Privacy, Technology and the Law, which will "oversee laws and policies governing the collection, protection, use and dissemination of commercial information by the private sector," according to a Washington Post report. ArsTechnica will speak with the senator today. It is seeking input from readers on what questions to ask. Click on "Full story" here to register your question.
Full Story

PRIVACY LAW

G8 May Have Privacy Focus (February 16, 2011)

Following up on its efforts in October to move toward the goal of adopting "an international binding legal instrument harmonizing the protection of privacy," France has announced its intent to bring the world's Internet leaders to the G8 Summit in May. An announcement from France's Commission nationale de l'informatique et des libertés (CNIL) suggests that including privacy on the agenda for the G8 "would mark a critical milestone in the protection of privacy against the development of digital technologies." Despite the continual exchange of data across borders and the prevalence of biometrics, geolocation and surveillance, the CNIL points out that "there is no globalized legal answer, and the levels of privacy protection are disparate."

PRIVACY LAW—AUSTRALIA

Vodafone Investigation Concludes: Act Breach (February 16, 2011)

After an investigation, Privacy Commissioner Timothy Pilgrim has found that Vodafone breached the Privacy Act by failing to take reasonable steps to protect its customers' information, but the commissioner dismissed claims that information was made public, ABC News reports. The company had been accused of allowing billing and call records to be stored on a public Web site with only a password to protect them. Pilgrim found that some staff may have breached company login and password policies, and that "Vodafone did not have the appropriate level of security measures in place to adequately protect their customers' personal information."

ONLINE PRIVACY—CANADA

Report: Lottery Site Privacy Problems Fixed (February 16, 2011)

An online lottery site did not adequately protect users' privacy when it was launched, an investigation has determined, but the issues have since been addressed, The Vancouver Sun reports. British Columbia Information and Privacy Commissioner Elizabeth Denham completed an investigation into BC Lottery Corp.'s PlayNow.com, which experienced "data crossovers" last summer that allowed users to see such personal information as credit card information from other users. Announcing the investigation's findings on Tuesday, Denham noted the security gaps were not directly responsible for the data crossovers, the report states, and concluded the corporation has "since taken steps to address the problem and the site now adequately protects users' privacy."

PRIVACY LAW—U.S.

Juror: Social Network Posts Are Private (February 16, 2011)

A juror who posted comments on Facebook during an attempted murder trial has filed a lawsuit in the wake of a judge's order to release those postings to the defense. Courthouse News Service reports that the juror has filed a federal complaint alleging the judge's order "violates his privacy and his right to avoid self-incrimination." The postings were seen by another juror he "friended" online after the trial--as well as others involved in the case--and brought to the court's attention. In addition to the judge, the juror's suit names the state of California, Facebook and all five criminal defendants, the report states, "asserting his right to the privacy of his Facebook postings."

PRIVACY LAW—U.S.

Committee Gives Online Privacy a Higher Profile (February 16, 2011)

ADWEEK reports that the new Senate Judiciary Subcommittee on Privacy, Technology and the Law is an indicator that online privacy will be a higher priority at the federal level. Sen. Al Franken (D-MN), who is known for his commitment to consumer privacy, has been selected as the subcommittee's chairman, with Sen. Tom Coburn (R-OK) as the ranking member. "The boom of new technologies over the last several years has made it easier to keep in touch with family, organize a community and start a business," Franken said, cautioning, "It has also put an unprecedented amount of personal information into the hands of large companies that are unknown and unaccountable to the American public."

PRIVACY LAW—U.S.

Financial Industry Asks To Opt Out of FTC Rules (February 16, 2011)

With the Federal Trade Commission's (FTC) deadline for public comment on its recent privacy rules recommendations just two days away, industry and individuals are weighing in on all sides of the issue. The Securities Industry and Financial Markets Association (SIFMA), which represents large banks and investment firms, has asked "to not be regulated by any FTC privacy rules at all," paidContent reports, citing sector-specific privacy regulations that already apply. SIFMA wrote, "financial services firms appreciate more than almost any sector of the economy the importance of maintaining the confidentiality of customer information." The FTC, meanwhile, has suggested that certain types of information--including financial, health and geolocation data--require "special protection."

DATA LOSS—U.S.

SSNs on Envelopes in Ohio (February 16, 2011)

A company hired by the Ohio Department of Job and Family Services mailed 8,000 letters to day care providers with member numbers--which in some cases are the providers' Social Security numbers--printed on the outside of the envelopes. The Chronicle-Telegram reports that the breach affected the at-home child care providers paid by the state; child care centers are given random six-digit numbers. A Department of Job and Family Services spokesman said the department is "extremely disappointed" by the breach, and it will be offering identity theft protection services to those affected.

DATA LOSS—U.S.

Customer Payments Breached at Maine Jewelry Store (February 16, 2011)

Investigators have determined that hackers from outside the company accessed the payment card data of Day's Jewelers customers. MPBN reports that Maine credit unions were the first to notice the breach as customers discovered fraudulent charges to their accounts. The Maine State Police Computer Crimes Unit investigation has determined that the breach did not affect the company's online customers and the hackers did not access customers' identities. Day's has apologized for the breach and is encouraging customers to review their payment card statements and report any questionable activity.

PRIVACY LAW—U.S.

Franken Named Head of New Privacy Committee (February 15, 2011)

Sen. Al Franken (D-MN) has been selected to chair the new Senate Judiciary Subcommittee for Privacy, Technology and the Law, The Washington Post reports. Franken said his goal will be to "make sure that we can reap the rewards of new technology while also protecting Americans' right to privacy." The new committee was created by Senate Judiciary Committee Chairman Patrick Leahy (D-VT) to "oversee laws and policies governing the collection, protection, use and dissemination of commercial information by the private sector," the report states. Leahy said the new committee will focus on how new technology has "unleashed new questions about how to protect Americans' privacy in the digital age." (Registration may be required to access this story.)

HEALTHCARE PRIVACY—U.S.

Study: Medical Social Networks Lack Privacy Protections (February 15, 2011)

A recent study of 10 medical condition-focused social networks revealed that privacy policies "significantly varied," InformationWeek reports. "Social but safe? Quality and safety of diabetes-related online social networks," which was conducted by researchers from Children's Hospital Boston, revealed a lack of safeguards for personal health information privacy protection, with only three sites providing member control for personal information and the vast majority using privacy policies that were difficult to read. Elissa R. Weitzman, the study's lead author, voiced concerns about the implications for patient safety and said such sites need policies to protect members' privacy.

PRIVACY LAW—U.S.

Florida Court Records Law Still Undecided (February 15, 2011)

Eight years into the development of data protection rules for Florida's court documents, few decisions have been made about how best to secure personal information as courts move to electronic files, reports The Miami Herald. The Committee on Privacy and Court Documents has proposed that personal information be excluded when it is not necessary to the case, but that proposal exempts criminal and traffic cases. One Florida Supreme Court Justice says it "shouldn't be that complicated. Let them get on the stick and get the rest done." But a Tampa lawyer argues that personal information is needed to verify defendants' identities when they get to court and points out that the volume of criminal and traffic filings makes stripping them of personal information impractical.

HEALTHCARE PRIVACY—U.S.

Hospital Breaches Require Credit Protection (February 15, 2011)

Two U.S. health systems are providing credit protection to patients and employees after data breaches potentially exposed Social Security numbers (SSNs) and other personal details. Health Data Management reports that Oklahoma's Saint Francis Health System is notifying 84,000 affected employees and patients that their personal information may have been compromised after the theft of a laptop containing names, dates of birth, mailing addresses, SSNs and diagnostic codes for patients treated prior to 2004. Meanwhile, New York City Health and Hospitals Corp. has filed a lawsuit against a data storage and transport vendor to recover breach notification costs after files on 1.7 million patients and employees were stolen.

PRIVACY LAW—U.S.

Angwin Discusses Legislative Push for Internet Protection (February 15, 2011)

NPR's "All Things Considered" features an interview with The Wall Street Journal's Julia Angwin on federal legislation aimed at improving online privacy. Angwin discusses various forms of tracking technologies and offers insight into industry initiatives to address online tracking concerns as well as current legislative proposals. A proposal by Rep. Jackie Speier (D-CA), Angwin suggests, "is basically piggybacking on the FTC's recommendation last year that the industry should develop a system called Do Not Track." Angwin describes a bill proposed by Rep. Bobby Rush (D-IL) as "addressing, actually, a bigger problem"--the lack of "baseline federal privacy laws in the U.S."

PRIVACY—U.S.

FCW Announces Federal 100 Winners (February 15, 2011)

The winners of the 22nd Annual Federal 100 Awards have been announced, and on the list are IAPP members Mary Ellen Callahan, CIPP, chief privacy officer at the Department of Homeland Security (DHS), and Carey Miller, director at Deloitte. Nominated by readers of Federal Computer Week and selected by an independent panel, the awards recognize industry, academic and government leaders who have enhanced the use of information technology in federal government. Among the winners are 23 employees from the IT industry, two from state and local government and 75 from federal government, including eight from the DHS.

PRIVACY LAW—U.S.

Speier Introduces Do-Not-Track, Financial Privacy Bills (February 14, 2011)

The former California lawmaker who sponsored some of the nation's strongest financial privacy protections during her time as a state senator has introduced new federal legislation. Now in the U.S. Congress, Rep. Jackie Speier (D-CA) on Friday introduced the Do Not Track Me Online Act of 2011, The Wall Street Journal reports. The bill has elicited support from privacy advocates and warnings from the online advertising industry, according to a MediaPost News report. It would let consumers opt out of having their online activities tracked through the creation of a do-not-track system such as the one called for in the Federal Trade Commission's recent report on Internet privacy. Also on Friday, Speier introduced the Financial Information Privacy Act of 2011. (Registration may be required to access this story.)

DATA LOSS—U.S.

Millions Affected by PHI Theft (February 14, 2011)

Confidential information on about 1.7 million New York City hospital patients and employees dating back as far as 20 years was stolen in December, The Wall Street Journal reports. The New York City Health and Hospitals Corporation (HHC) reported the breach on Friday. While a recent study indicates that well over half--61 percent--of such breaches are the result of malicious intent, HHC President Alan D. Aviles noted, "The loss of this data occurred through the negligence of a contracted firm that specializes in the secure transport and storage of sensitive data." HHC will provide credit monitoring to potentially affected individuals as the stolen data included names, addresses, Social Security numbers and medical information. (Registration may be required to access this story.)
Full Story

HEALTHCARE PRIVACY—U.S.

HHS Rule To Be Reviewed (February 14, 2011)

The Department of Health and Human Services' Office of Civil Rights (OCR) is asking the White House Office of Management and Budget to review its new privacy rule that will provide "an expanded requirement that healthcare providers track and be able to report to patients any disclosures of their medical records," Modern Healthcare reports. The rule is aimed at improving patient privacy rights by building on provisions included in HIPAA. Meanwhile, a study is making headlines with findings that protected health information (PHI) breaches affecting more than 6 million individuals have been recorded since HITECH's Breach Notification Rule was issued in August of 2009. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—UK

DNA Records To Be Deleted (February 14, 2011)

OUT-LAW.COM reports on the Protection of Freedoms Bill, which includes such provisions as requiring the deletion of DNA profiles on individuals questioned by police but not charged with crimes. Information Commissioner Christopher Graham spoke in favor of the bill's role in addressing "issues that have been longstanding concerns for us...increased privacy safeguards on biometric information such as DNA profiles and ensuring effective regulation of camera surveillance, including the increasing use of automatic number plate recognition." The bill, which comes two years after the European Court of Human Rights called for such a change, is expected to "result in a massive reduction in the number of innocent people whose DNA is held by police," the report states.
Full Story

PRIVACY LAW—PHILIPPINES

Data Privacy Law Moves On (February 14, 2011)

The Philippines House of Representatives last week passed a second reading of the proposed Data Privacy Act, which aims to set regulations for the processing of personal information. According to Newsbytes.ph, the bill recently received the endorsement of both the committee on information and communications technology and the committee on government reorganization and has the backing of the business process outsourcing sector. Chief author of the bill Roman Romulo says, "The bill is quite strong...you are expected to adopt adequate organizational, physical and technical measures to protect your electronic files." Meanwhile, a proposed cybercrime bill that seeks international cooperation in fighting cybercrime is also in congress.
Full Story

SURVEILLANCE—U.S.

Cashless Toll Booths Mean Increased Surveillance (February 14, 2011)

As the U.S. population grows, so will the number of cars on its highways, creating significant congestion problems on roads and at toll booths. As a potential solution, highway administrators have proposed controlling congestion by implementing new cashless technologies such as RFID transponders and license plate readers to charge demand-based pricing and catch those avoiding tolls. But such practices require increased surveillance. Timothy Lee opines in Ars Technica that much stronger legal and technological safeguards must be put in place ahead of cashless tolling in order to avoid the privacy concerns such surveillance creates.
Full Story

PRIVACY LAW—SWEDEN

Data Retention Implementation Faces More Delays (February 14, 2011)

As Sweden prepares to implement the European Data Retention Directive, a parliamentary committee's request for consultation may further delay such action. Sweden was to have implemented the directive in September 2007. The European Commission sued the country in 2010 for failing to do so. Now, the Parliamentary Constitutional Committee wants the government to consult parliament on details within the directive and "has sent its opinion to the Committee on Justice, which is currently hearing a report on how the directive is to be introduced in Sweden," Stockholm News reports.
Full Story

ONLINE PRIVACY

Hachamovitch Talks Browser Privacy (February 14, 2011)

IDG News features an interview with Microsoft's Dean Hachamovitch on privacy and tracking protection in IE9, one of several browsers debuting do-not-track options for users. Hachamovitch describes the interest in the announcement of IE9's "Tracking Protection" feature. "The fact is that users on the Web are tracked, often without their knowledge and without their consent," he acknowledges, describing the differences between tracking, advertising and what he calls "creepy tracking," where users receive no information about what service is tracking them or how their information is being used. "It is precisely this kind of tracking that we want to address with Tracking Protection," he notes.
Full Story

ONLINE PRIVACY—U.S.

Regulators: Will Industry Do-Not-Track Plans Be Enough? (February 11, 2011)
Reports on Mozilla's launch this week of a do-not-track feature for its Firefox browser and plans coming forward from Google and Microsoft for their online browsers are raising questions as to whether such industry-created features will be enough to assuage U.S. Federal Trade Commission (FTC) concerns about consumer privacy. The do-not-track features are being unveiled in response to calls by the FTC for companies to provide comprehensive opt-out tools to Internet users who do not want their online activities followed for advertising purposes.

PRIVACY LAW—U.S.

CA Court: ZIP Codes Are Personal Information (February 11, 2011)

The California Supreme Court has ruled that merchants may not collect ZIP Codes from credit card customers, the Los Angeles Times reports. In a unanimous decision, the justices deemed that ZIP Codes are part of a person's address and are therefore covered by the state's 1971 Credit Card Act, the report states. "The legislature intended to provide robust consumer protections by prohibiting retailers from soliciting and recording information about the cardholder that is unnecessary to the credit card transaction," Justice Carlos R. Moreno wrote.
Full Story

PRIVACY LAW—U.S.

Rush Reintroduces Bill (February 11, 2011)

Rep. Bobby Rush (D-IL) yesterday reintroduced a bill aimed at improving online consumer privacy similar to the one he presented to the last congress. Tech Daily Dose reports that the bill requires consent from consumers before Web sites can share information with third parties. It also offers safe harbor status for businesses that comply with an FTC-approved self-regulatory program. The bill does not appear to include a do-not-track mechanism like that endorsed by the FTC. Jeff Chester of the Center for Digital Democracy said the bill is a step in the right direction but doesn't go as far as he and other privacy advocates would like.
Full Story

PRIVACY LAW—ISRAEL

Court Restricts Monitoring of Employee E-mail (February 11, 2011)

Israel's National Labor Court has set out rules for employers' monitoring of workers' e-mails. Dan Or-Hof, CIPP, of Pearl Cohen Zedek Latzer, writes that "The rules impose severe restrictions...and employers should consider reforming their workplace policies accordingly." The rules state that employers must establish policies on e-mail monitoring and must inform employees of the policies. They also establish clear guidelines on when and how e-mail monitoring is permitted. "Employers should carefully study the opinion and make all necessary adjustments to comply with its requirements," Or-Hof writes. "Specific attention should be given to...harmonizing the corporate information security system and policies with a new pro-privacy workplace environment."
Full Story

DATA LOSS

Dating Site Hacked, Names and Passwords Exposed (February 11, 2011)

The online dating site eHarmony has announced that a hacker used a vulnerability to access the usernames, e-mail addresses and passwords of users of its informational site eHarmony Advice. CNET News reports that the Krebs on Security blog first reported the vulnerability and soon after found eHarmony data offered for sale on an online marketplace for hacked data. The company says it has fixed the vulnerability and is notifying affected customers and suggesting that they change their passwords. "At no point during this attack did the hacker successfully get inside our eHarmony network," the company said in a blog post. The company has not released the number of users affected, but says it represents less than .05 percent of eHarmony's 33 million users.
Full Story

DATA LOSS—U.S.

DOC Workers’ Data Compromised (February 11, 2011)

The Oregon Department of Corrections (DOC) announced that a non-employee had access to a thumb drive that may have contained the payroll information of up to 550 staffers from at least three correctional facilities. KTVZ reports that the DOC and the state police are investigating the breach. An agency spokesperson said, "We do not believe the breach was malicious in intent, nor do we have any indication at this time that the personal information has been used or misused." The DOC is offering free credit protection to those affected and is reviewing its internal security practices to prevent future breaches.
Full Story

Will do-not-track features and self-regulation initiatives be enough to stave off regulations? (February 11, 2011)

By Jennifer L. Saunders


Reports on Mozilla's launch this week of a do-not-track feature for its Firefox browser and plans coming forward from Google and Microsoft are raising questions as to whether such industry-created features will be enough to assuage Federal Trade Commission concerns about consumer privacy.

While the FTC called for do-not-track in its recent report on Internet privacy and continues to gather input on the next step, a growing list of federal legislators are slated to propose privacy bills in the weeks ahead, and do-not-track is among the issues expected to be debated on Capitol Hill as privacy concerns persist.

The California Office of Privacy Protection’s Joanne McNabb, CIPP, shared her perspective on online tracking for a PBS report on privacy, stating, "We think we're the customers when we're shopping around online. In fact, we're the product; we're the raw material that's being marketed. Trafficked.”

Mozilla’s new feature is one of several that have come in response to calls by the U.S. Federal Trade Commission for companies to provide comprehensive opt-out tools to Internet users who do not want their online activities followed for advertising purposes.

The beta version, released this week, allows users to check a box opting not to be tracked, which then transmits that message to each site the users visit.

"We believe the header-based approach has the potential to be better for the Web in the long run because it is a clearer and more universal opt-out mechanism than cookies or blacklists," Mozilla Privacy Lead Alex Fowler explained in a ClickZ feature, adding that it is less complex and more persistent than other techniques.

However, the report points out that “the mechanism will only allow users to opt out of being tracked by parties that choose to enable the technology. In order to satisfy the FTC, therefore, some form of monitoring and enforcement would likely be required.”

The Wall Street Journal reports on Microsoft’s unveiling of “an almost-finished version of its latest Internet Explorer browser,” commonly known as IE9, that “addresses growing concerns over the amount of private information that is collected each time a Web user visits a site.”

Like the Mozilla feature, and Google’s “Keep My Opt Outs,” which consumers may activate for its Chrome browser, IE9 asks users to opt in to the do-not-track service in order to opt out of being tracked online.

The IE9 version “allows users to employ lists of Web sites recommended...
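The contrast the article draws between Mozilla's header-based signal and a cookie-based opt-out such as Google's "Keep My Opt Outs", together with the ClickZ caveat that only parties who enable the technology will honor it, modelled from a site operator's side. This is an added example, not code from the article or from Mozilla, Google or Microsoft; the `DNT: 1` request header is the one Firefox sends, while the cookie names, the identifier value and the `honors_dnt` switch are constructed for illustration.

```python
# Added example (not from the article or any browser vendor): why a
# header-based do-not-track signal is more persistent than a cookie-based
# opt-out, and why it only works for parties that choose to honor it.
from dataclasses import dataclass, field

TRACKING_COOKIE = "ad_id"   # constructed: identifier a tracker would set
OPT_OUT_COOKIE = "optout"   # constructed: a "Keep My Opt Outs"-style cookie


@dataclass
class Request:
    headers: dict
    cookies: dict


@dataclass
class Response:
    tracked: bool = False
    set_cookies: dict = field(default_factory=dict)


def dnt_preference(headers: dict) -> str:
    """Interpret the DNT request header: "1" means the user opts out,
    "0" means the user consents, anything else or absent means no
    preference was expressed (so a site must not assume consent)."""
    value = headers.get("DNT")
    if value == "1":
        return "opt-out"
    if value == "0":
        return "ok"
    return "unset"


def serve_tracker(req: Request, honors_dnt: bool) -> Response:
    """A third-party ad/analytics endpoint. `honors_dnt` models whether
    this party has enabled the technology; the browser cannot force it."""
    resp = Response()
    opted_out = req.cookies.get(OPT_OUT_COOKIE) == "1"
    if honors_dnt and dnt_preference(req.headers) == "opt-out":
        opted_out = True
    if opted_out:
        return resp  # no identifier is read or set
    resp.tracked = True
    resp.set_cookies[TRACKING_COOKIE] = req.cookies.get(TRACKING_COOKIE, "id-0001")
    return resp


def browser_request(dnt_on: bool, optout_cookie: bool, cookies_cleared: bool) -> Request:
    """Build the request a browser sends under a given configuration.
    Clearing cookies wipes an opt-out cookie; the header setting survives."""
    headers = {"DNT": "1"} if dnt_on else {}
    cookies = {} if (cookies_cleared or not optout_cookie) else {OPT_OUT_COOKIE: "1"}
    return Request(headers=headers, cookies=cookies)


def scenarios() -> dict:
    """Was the user tracked? Compare both mechanisms before and after the
    user clears cookies, against a party that honors DNT and one that does not."""
    return {
        "header, honoring party": serve_tracker(browser_request(True, False, False), True).tracked,
        "header, after clearing cookies": serve_tracker(browser_request(True, False, True), True).tracked,
        "header, non-honoring party": serve_tracker(browser_request(True, False, False), False).tracked,
        "cookie, before clearing": serve_tracker(browser_request(False, True, False), True).tracked,
        "cookie, after clearing cookies": serve_tracker(browser_request(False, True, True), True).tracked,
    }


if __name__ == "__main__":
    for name, tracked in scenarios().items():
        print(f"{name:32} tracked={tracked}")
```

The "header, non-honoring party" case is the enforcement gap the report describes: the signal is sent, but nothing stops a party that has not enabled the technology from tracking anyway.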

PRIVACY LAW—U.S.

FTC: Expect Gov’t Action if Self-Regulation Doesn’t Work (February 10, 2011)
The FTC will go to the U.S. Congress if online advertisers and analytics companies do not commit to protecting consumer privacy. That was the message from FTC Commissioner Julie Brill at a California event with privacy researchers, paidContent reports. Brill's remarks came as the FTC continues to gather input on its recent online privacy report, which includes a call for a do-not-track mechanism that is getting a lot of attention. However, Brill said, that is only one piece of the plan, citing the importance of building privacy into new products instead of "retrofitting" when problems arise, as well as simplifying privacy policies and making data collection practices transparent.

PRIVACY LAW—EU

Reding: Tracking Technologies Highly Intrusive (February 10, 2011)

European Union regulators are concerned that mobile phone and computer technologies that monitor online activities threaten individual privacy rights, Bloomberg reports. "I am concerned about the use of highly privacy-intrusive tracking technologies," EU Justice Commissioner Viviane Reding said in a speech in Brussels yesterday. "Mobile phones and computers have become tracking devices." She added that tracking technologies can have serious consequences for people and can lead to criminal penalties. Reding's concerns come as the European Commission reviews the EU's data protection law with plans to update it to reflect new technologies that have emerged since the law passed nearly 16 years ago.
Full Story

PRIVACY LAW—U.S.

Legislators Introduce Breach Bills (February 10, 2011)

Hawaii legislators have introduced several bills to amend the state's data breach notice law, Covington & Burling's Inside Privacy reports. Among those, security breach bill S.B. 728 and its house companion would require more specific notification in security breach cases, would eliminate the harm trigger in state law and would apply to any disclosure of records. It also would list the plaintiffs' rights of action and would state that any person at risk for identity theft as a result of a data breach may sue for damages sustained. S.B. 796 would widen the definition of a security breach and would require three years of credit monitoring service by the responsible party to those affected. (Privacy Tracker subscribers can hear a full analysis of the bills in the recorded audio of last week's call, available now on the Privacy Tracker Web site.)
Full Story

PRIVACY LAW—U.S.

State Settles Online Privacy Dispute (February 10, 2011)

The Seattle Times reports that the American Civil Liberties Union (ACLU) and the North Carolina Department of Revenue have settled their dispute over the state's efforts to collect personal information about e-commerce customers for tax purposes. The ACLU and online retailer Amazon filed a federal privacy lawsuit against North Carolina last year. As part of the settlement, the state has agreed not to ask for information that could link consumers to the products they purchase online. The agreement "will go a long way toward protecting the privacy and free speech rights of online customers in North Carolina and hopefully elsewhere," said ACLU attorney Aden Fine.
Full Story

SURVEILLANCE—AUSTRALIA & U.S.

Vehicle Tracking Devices Could Be Used To…Track (February 10, 2011)

Plans to install vehicle tracking devices are raising concerns among advocates. A private car-for-hire company in Australia has announced it will install GPS devices in up to 30 percent of its fleet, News.com.au reports. The company said the devices will allow it to know if the cars are driven out of the contracted range or on dirt roads, which would breach the contract. But Civil Liberties Australia calls the move an "excessive invasion of privacy." Meanwhile, the U.S. National Highway Transportation Administration will consider new rulemaking that would require event data recorders to be installed in passenger vehicles, according to a press conference announcement Tuesday. The announcement has some privacy advocates concerned that the recorders could be used to track Americans' movements.
Full Story

PRIVACY LAW—EU & IRELAND

Examining the Communications Act 2011 (February 10, 2011)

Matheson Ormsby Prentice examines the Communications Act 2011, which came into effect late last month to implement "Directive 2006/24/EC on the retention of data generated or processed by or in connection with the provision of publicly available electronic communications services or of public communications networks" and repeals Ireland's prior data retention law. The new act requires service providers to retain data and make it available to Irish authorities in specific instances and includes provisions addressing those obligations as well as security measures for the data. The act now brings Ireland's law into compliance with EU directives, the report states. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Internet Privacy Bills To Hit Capitol Hill (February 9, 2011)
The Washington Post reports on privacy bills expected to come before the U.S. Congress in the weeks ahead "with a handful of lawmakers ready to introduce legislation on how best to protect consumer information on the Internet." House Energy and Commerce Chairman Fred Upton said Tuesday that he is keeping an open mind as to whether federal legislation is needed to enhance consumer privacy online. Bills being proposed include one being prepared by Rep. Jackie Speier (D-CA) to include do-not-track provisions. Representatives Bobby Rush (D-IL), Cliff Stearns (R-FL), Edward Markey (D-MA) and Joe Barton (R-TX) are also at work on privacy bills, the report states, while Sen. John Kerry (D-MA) "is also expected to introduce privacy legislation that his office has been working on for months." (Registration may be required to access this story.)

PRIVACY LAW—U.S.

Sens. Propose Body Scanner Legislation (February 9, 2011)

U.S. Senators Charles Schumer (D-NY) and Ben Nelson (D-NE) yesterday proposed legislation that would make the misuse of airport body scan images a federal crime, Computerworld reports. The Security Screening Confidential Data Privacy Act would prohibit the dissemination or photographing of scanned body images, punishable by up to one year in prison and a $100,000 fine per violation. The bill follows advocates' and passengers' concerns about privacy as the machines are increasingly implemented at U.S. airports. Marc Rotenberg of the Electronic Privacy Information Center is pleased with the legislation and said, "Obviously, there are no circumstances under which anyone should be able to take an image generated by one of these devices and circulate it to others."
Full Story

SURVEILLANCE—U.S.

ACLU Calls for Moratorium on City Cameras (February 9, 2011)

The American Civil Liberties Union (ACLU) is calling for a moratorium on installations of surveillance cameras in Chicago and new policies to prevent their misuse, AFP reports. The city has more than 10,000 surveillance cameras, capable of tracking people or vehicles, searching for images of interest and reading license plates, the report states. "Our city needs to change course before we awake to find that we cannot walk into a bookstore or a doctor's office free from the government's watchful eye," an ACLU spokesman said. A spokeswoman for the Chicago Police Department said it is committed to "safeguarding the civil liberties of city residents" and "upholding the constitutional rights of all."
Full Story

HEALTHCARE PRIVACY—U.S.

Survey: Despite Privacy Concerns, Many Want EHRs (February 9, 2011)

Despite privacy concerns, researchers from the University of Chicago have found that most Americans surveyed support a move to electronic health records (EHRs), Reuters reports. "Our core finding is that a large majority of Americans support use of health IT to improve healthcare and safety and reduce costs," said Daniel Gaylin of the University of Chicago National Opinion Research Center. The survey of 1,000 people found that while nearly half said they had worries about the privacy of EHRs, 64 percent thought the benefits of being able to access their records online outweighed those concerns, the report states.
Full Story

DATA LOSS—IRELAND

Job Recruiting Site Breached (February 9, 2011)

Ireland's Gardaí are investigating a data breach on the job recruitment Web site recruitireland.com, reports Silicon Republic. The data protection commissioner has also been informed of the breach, which the company says exposed the names and e-mail addresses of its users. According to a message posted to the site's homepage, no other data has been compromised, but the company is recommending that once the site is back online, users change their usernames and passwords. "We have a process in place for eventualities such as this; when we were notified, we shut down the server and the database to prevent any access," the message says.
Full Story

DATA LOSS—U.S.

Sensitive E-mail Affects 2,400 (February 9, 2011)

A data breach at California's Medicaid program has affected about 2,400 beneficiaries, CaliforniaHealthline reports. The Human Services Agency of San Francisco says a former employee e-mailed records to her personal computer, two attorneys and two union representatives, the report states, in an effort to demonstrate that she was responsible for a disproportionately high caseload. The agency's director says that though the records included Social Security numbers and names, they did not include medical or benefits information. The agency is mailing letters to those affected.
Full Story

DATA PROTECTION—U.S.

Survey: Americans Worry About Online Privacy (February 9, 2011)

Most Americans are worried about privacy and viruses when using social networking media, USA TODAY reports. Seven out of 10 Facebook members surveyed said they are either "somewhat" or "very concerned" about their privacy on the site. In the same survey, 52 percent of Google users also said they are somewhat or very concerned about privacy while using the search engine. Privacy attorney Chris Wolf of Hogan Lovells says, however, that companies are increasingly paying attention to privacy concerns and that new services revolve around "ways to empower people to protect their information," the report states.
Full Story

PRIVACY LAW—U.S.

Judge Dismisses Data Aggregator Lawsuit (February 8, 2011)
A U.S. District Court judge has dismissed one of two lawsuits filed against an online data aggregator after determining the plaintiff did not "allege he had been injured by Spokeo." MediaPost reports on privacy advocates' concerns about the information the company makes available, noting that although this case has been dismissed, the questions it poses "will almost certainly reappear in other litigation--especially given the wave of recent privacy lawsuits." The report also highlights a complaint brought before the FTC alleging that Spokeo "violates federal law by offering information about users' financial status and credit ratings without giving consumers the protections required by the federal Fair Credit Reporting Act."

PRIVACY LAW—U.S.

Have We Gone Too Far Online? (February 8, 2011)

MediaShift is featuring a series about online privacy and the potential for new regulations to "crack the whip" on online sharing. The report suggests that FTC recommendations for regulating the "commercial use of consumer data" online and the Commerce Department's call for the government to "articulate certain core privacy principles" have been spurred by a belief that we have "lost control of the information that we reveal about ourselves and of the way others use that information." In the PBS report, Jonathan Peters writes, "In the privacy world, my sympathies are chiefly with the consumer, but the patchwork of state security breach notification laws is a very real challenge for businesses." Looking forward, he writes that it is clear the government is focused on online privacy, "but it's hard to say what effect, if any, the reports will have."
Full Story

HEALTHCARE PRIVACY—U.S.

Terminated Employee Denies Wrongdoing (February 8, 2011)

One of the University of Iowa Hospitals and Clinics employees fired for breaching football players' medical records says she did nothing wrong, The Washington Post reports. The hospital announced last week it would fire three employees and suspend two others following an investigation, but one of the accused says another employee may have accessed the records and left the screen open on a shared computer. A hospital spokesman declined to comment but released the hospital's guiding document on privacy breach disciplinary action, which ranges from verbal reprimands to termination, depending on the number of records involved and if information was released. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Juror Appealing Social Network Order (February 8, 2011)

The attorney representing a juror ordered to divulge Facebook posts he made while serving on the trial of several alleged gang members is filing an appeal, CNET News reports. Ken Rosenfeld, a California criminal defense attorney, said forcing jurors to turn over correspondence in the form of Facebook posts "would be catastrophic in terms of free speech, justice and the jury system itself." Judge Michael Kenny wrote in his order that, "It is clear that the law was not intended to allow a juror to violate the court's admonition to keep silent about a case and then claim that the act made the very postings that violated the admonition private and unreachable."
Full Story

ONLINE PRIVACY

Schwartz Discusses the Impact of Choice on Privacy (February 8, 2011)

Barry Schwartz, author of The Paradox of Choice: Why More is Less and professor of social therapy and social action at Swarthmore College, shared his insights on the intersection of choices and privacy with the Privacy Advisor. "I think the main task facing organizations that worry about Internet privacy is to figure out a 'default' level of privacy that enables people to benefit from what the Web makes available and not be tortured by it," he explained. Schwartz, who will be a keynote speaker at the IAPP Global Privacy Summit in March, said he will be discussing "how too much choice produces paralysis rather than liberation, leads to bad decisions and reduces satisfaction with even good decisions."
Full Story

HEALTHCARE PRIVACY—U.S.

FTC Releases Medical Identity Theft Guide (February 8, 2011)

The FTC has released information for healthcare providers and health insurers about how to help patients minimize the risk of medical identity theft and deal with the consequences if it occurs. The Medical Identity Theft FAQs for Health Care Providers and Health Plans publication says indications that medical identity theft has occurred include health plan statements that benefit limits have been reached or insurance claim denials due to medical conditions the patient doesn't have. Healthcare providers and insurers should advise victims to notify health plans, file complaints with police and the FTC and review credit reports, the report states.
Full Story

PRIVACY LAW—UK

Councils Fined £150,000 After Laptop Theft (February 8, 2011)

The Information Commissioner's Office (ICO) has fined two councils a combined total of £150,000 after two laptops were stolen, ComputerWeekly reports. Ealing Council used the laptops to provide a service for itself and Hounslow Council. The laptops contained data on more than 1,700 individuals and were not encrypted. Ealing Council has been fined £80,000 for the breach, and Hounslow Council has been fined £70,000 for failing to have a written contract in place with Ealing and not monitoring its operational procedures. Deputy Commissioner David Smith said the Hounslow Council fine makes clear that organizations can't outsource services "unless they ensure that the information is properly protected."
Full Story

PRIVACY

Survey Lists World’s Top Privacy Pros, Firms (February 8, 2011)

In a feature for Computerworld, Jay Cline, CIPP, reports on this year's survey of the top 10 individuals and firms to turn to for privacy advice, noting, "Doing privacy wrong now takes a bigger bite off the bottom line than it did when I first started asking this question." In addition to listing the top advisors as indicated by the survey results, Cline writes that when it comes to the corporate privacy agenda, "Regulatory compliance is still the first step to take for many companies, and the firms that were the best at assisting with this first step five years ago are still the go-to destinations for in-house privacy officers."
Full Story

PRIVACY LAW—U.S.

Online Privacy Legislation Expected To Abound (February 7, 2011)
Legislators are "practically falling over each other to introduce new online privacy legislation," paidContent reports, highlighting recent announcements that at least three representatives are expected to introduce bills this week. Rep. Jackie Speier (D-CA) is proposing a bill that will include specific do-not-track provisions, and Rep. Bobby Rush (D-IL) will introduce a bill that will instead offer "safe harbor" to marketers who participate in privacy rules, the report states. Meanwhile, Rep. Cliff Stearns (R-FL) is also expected to introduce a new version of last year's Boucher-Stearns bill, and Rep. Joe Barton (R-TX) has pledged to "put Internet privacy in the crosshairs."

PRIVACY—U.S.

Nasdaq Suffers Security Breach (February 7, 2011)

Nasdaq OMX Group says it found suspicious files on its U.S. computer servers, Banking Business Review reports. Nasdaq says it found malware at the end of last year and alerted forensic groups and U.S. law officials and that the FBI and Department of Justice are now investigating. The malware was pointed at Nasdaq's Web-based program, where about 5,000 companies store documents for board members, the report states. Nasdaq deleted the malware and says no customer information appears to have been compromised as a result of the security breach. Law enforcement officials have not yet issued a statement on the case.
Full Story

FINANCIAL PRIVACY—HONG KONG

After Octopus Breach, Concerns Persist (February 7, 2011)

The Octopus Holdings Ltd. privacy breach has incited widespread public concerns about companies' and financial institutions' handling of customers' personal data, writes Angela Wang for Reuters. A recent case involved a bank customer's complaint after she was contacted by an insurance company that had entered into a marketing agreement with the bank. The Administrative Appeal Board ruled that the bank should not have shared the customer's information because its small-print provisions on data sharing discouraged customers from reading them, and the customer should have been informed of the reasons her data was to be shared. The board also said shared data must be used for the same purposes for which it was collected.
Full Story

PRIVACY LAW—U.S.

Judge: Juror Must Turn Over Online Posts (February 7, 2011)

A California judge has ordered a juror to turn over social networking posts he made during the trial of several gang members or face possible jail time, Mercury News reports. The juror's attorney has called the order an invasion of privacy and plans to appeal, while defense counsel for the alleged gang members have suggested the posts will help determine whether the juror was influenced by communications outside of the courtroom. The juror had "allegedly characterized the evidence as 'boring' in one posting and revealed he was on the jury in another," the report states.
Full Story

PRIVACY LAW—U.S.

Bill Banning Texting While Driving Concerns Some (February 7, 2011)

A bill headed to the Mississippi House of Representatives that would ban texting while driving is raising privacy concerns, Justice News Flash reports. The bill passed the Senate last week with only two lawmakers voting against it. It would extend Mississippi's ban on texting while driving from young drivers to all drivers, carrying a misdemeanor charge and a $500-$1,000 fine, depending on whether an accident occurred as a result. Sen. Terry Brown (R-Columbus) is concerned about privacy, however. "A law officer could read a person's text message after an individual was pulled over. Are they going to confiscate your cell phone for evidence?" Brown questioned.
Full Story

PRIVACY LAW—U.S.

Opinion: When the Right to Know and Privacy Collide (February 7, 2011)

The New York Times features an editorial on the Freedom of Information Act's exemption 7 to protect individuals' privacy and a current Supreme Court review of an appeals court's ruling that "personal privacy" extends to corporations. Detailing the case, Federal Communications Commission v. AT&T, the editorial suggests, "the appeals court's mistaken view has to be taken seriously. As the acting solicitor general warned, its logic, if upheld, would lead to 'personal privacy' for local, state and foreign governments, with 'no meaningful benchmarks to guide the federal agencies and the courts in defining the limits' of those interests." (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY—U.S.

ACLU Launches Privacy Mobile App Contest (February 7, 2011)

Branches of the American Civil Liberties Union (ACLU) and others are launching a contest challenging mobile application developers to address privacy concerns for mobile phones and other portable devices, reports InfoWorld. The 2011 Develop for Privacy Challenge aims to encourage developers to build open-source tools for mobile devices to help users understand and address privacy threats, the report states. Brian Alseth, technology and liberty director at the ACLU of Washington, said the contest's goal is to show developers that "privacy doesn't need to be an afterthought in new technologies. Rather, privacy can and should be a fundamental building block." Contest submissions may be made at the Develop for Privacy Web site until May 31.
Full Story

PRIVACY LAW—U.S.

Speier To Introduce Do-Not-Track Bill (February 4, 2011)

Rep. Jackie Speier (D-CA) plans to introduce an online privacy bill next week directing the FTC to begin a do-not-track program for online advertisers, The Hill reports. The program would enable consumers to opt out of behavioral advertisers' tracking. The bill is meant to provide a floor rather than a ceiling, according to the report. Speier worked with Consumer Watchdog, Consumer Federation of America, Consumers Union and the Electronic Frontier Foundation on the bill. Meanwhile, Rep. Bobby Rush (D-IL) is expected to re-introduce his online privacy bill next week.

PRIVACY LAW—U.S.

FTC Settles Credit Report Complaints (February 4, 2011)

The Federal Trade Commission (FTC) has approved proposed settlements of complaints against three credit report resellers for lax security practices that resulted in hackers accessing more than 1,800 credit reports without authorization between October 2006 and June 2008, CIO reports. The settlements require each company to create comprehensive cybersecurity programs and obtain independent audits of the programs every other year for the next two decades. "These cases should send a strong message that companies giving their clients online access to sensitive consumer information must have reasonable procedures to secure it," said FTC Consumer Protection Bureau Director David Vladeck. The agreements will be available for public comment through March 7.
Full Story

TRAVELERS’ PRIVACY—U.S.

TSA Deploys New Body Scanners (February 4, 2011)

The Transportation Security Administration this week debuted software designed to make airport body scanners less invasive, The Washington Post reports. The software creates generic body images and displays any detected anomalies in a red-outlined box around the specific area of concern. The software will be incorporated at Reagan National Airport in Washington, DC, and in Atlanta, the report states, and could eventually be deployed at all 78 airports currently using body scanning technology. "We believe it addresses the privacy issues that have been raised," said TSA Chief John Pistole. (Registration may be required to access this story.)
Full Story

DATA LOSS—AUSTRALIA

CityCycle Apologizes for Breach (February 4, 2011)

Brisbane's CityCycle bike hire company is apologizing to customers for a data breach involving their e-mail addresses. Brisbane Times reports that the company sent a message to 1,306 customers yesterday, exposing the e-mail addresses of all in the "to" field. The company's chief executive, Steve O'Connor, described it as a "regrettable" human error, adding, "We'll have to do a review of our procedures internally to make sure it doesn't happen again." O'Connor said the company would notify the privacy commissioner's office on Monday, asserting, "We'll explain (to the commissioner) how it happened and why it won't happen again."
Full Story

PRIVACY LAW—U.S.

Court: No Common Law Duty To Protect PII (February 4, 2011)

Information Law Group reports on an Illinois appellate court case--"the first that we are aware of in the United States"--focusing on the question of "whether common law duty exists to safeguard personal information." An Illinois appellate court upheld the dismissal of a suit over the unauthorized disclosure of such sensitive personal information as names, addresses and Social Security numbers, finding that no such duty to protect personal information exists for purposes of a negligence claim. Speculating that the case could be appealed to the Illinois Supreme Court, the report suggests, "Based on the strong dissent, it appears as if the majority opinion may be at risk for an overturn."
Full Story

SOCIAL NETWORKING—U.S.

Fake Dating Site Mines Profile Pictures (February 4, 2011)

The world's largest social networking site is "not amused" that two artists gathered public profiles of more than a million of its users to create a fake dating Web site, the San Francisco Chronicle reports. "Users can search based on nationality, traits like 'easy going' and gender or can simply enter a name and see if they're in the database. When users click a result to 'arrange a date,' they're taken to the person's public Facebook profile," the report states. The site mined the profile data without Facebook's permission, the report states, and the company plans to "take appropriate action."
Full Story

DATA LOSS—U.S.

University Hospital Fires Three After Breach (February 4, 2011)

The University of Iowa Hospitals and Clinics will fire three employees following an investigation into a data breach involving inappropriate access to 13 athletes' medical records, MSNBC reports. Two other employees will be suspended for five days. A university spokesman said the families of those involved have been notified, as have federal regulators who may pursue jail time or fines, the report states. The spokesman said breaches are often due to employee curiosity, but he did not confirm the cause of the breach. He said the school routinely screens medical records to be sure they are kept confidential, and the employee terminations indicate the school's "commitment to patient privacy."
Full Story

PRIVACY

Report: Companies Will Hire More Privacy Pros (February 3, 2011)

Ernst & Young has released its new report "Privacy Trends 2011: Challenges to Privacy Programs in a Borderless World," and the findings include expectations that organizations will invest more in the protection of personal information. Accounting Today reports that the study indicates organizations will allocate more funding in the year ahead toward hiring "highly skilled certified privacy professionals and invest in technical controls that monitor and manage external attacks and internal leaks from within the organization." The report suggests that beyond privacy professionals, many positions that impact the use of personal information--such as IT, audit, legal and marketing--will become increasingly focused on privacy risk and compliance.

SOCIAL NETWORKING—U.S.

Legislators Question Facebook on Privacy (February 3, 2011)

As privacy legislation discussions continue at the federal level, Reps. Edward Markey (D-MA) and Joe Barton (R-TX) of the House Energy and Commerce Committee have again sent a letter to Facebook CEO Mark Zuckerberg about privacy concerns. Writing to Zuckerberg on Wednesday, the legislators requested answers to questions prompted by changes the social network outlined last month about sharing such user data as mobile phone numbers and addresses with third parties, nextgov reports. Markey said the goal is "to better understand Facebook's practices regarding possible access to users' personal information by third parties. This is sensitive data and needs to be protected."
Full Story

DATA PROTECTION—JAPAN

Gov’t To Implement National ID System (February 3, 2011)

The Daily Yomiuri reports on privacy concerns about recently announced government plans for a comprehensive identification system to be implemented in 2015. The Council for a Number System for Social Security and Taxation drafted the plan, which would assign each citizen a unique number. The system would store such personal information as name, gender, annual income and number of dependents, the report states. But the plan calls for a third party to monitor the stored data, and it has yet to be determined what information could be used for business purposes, prompting concerns about data protection and privacy. A bill pertaining to the ID system is expected this fall.
Full Story

ONLINE PRIVACY

NIST Releases Cloud Guidelines, Definitions (February 3, 2011)

The National Institute of Standards and Technology (NIST) yesterday released guidance on cloud computing, Gov Info Security reports. Two drafts, "Guidelines on Security and Privacy in Public Cloud" and "The NIST Definition of Cloud Computing," seek public comments until February 28. The guidelines include such provisions as ensuring security and privacy in cloud solutions before deployment, ensuring cloud providers meet organizations' privacy and security guidelines and maintaining data protection accountability, the report states. The definitions provided are the result of NIST putting its "ear to the ground and listening to what the public and private sectors are saying," a NIST co-author said.
Full Story

DATA PROTECTION—U.S.

Schmidt Discusses Trusted Identity Program (February 3, 2011)

The National Strategy for Trusted Identities in Cyberspace is due to be released in the next few months. In a Q&A with MSNBC, White House Cybersecurity Coordinator Howard Schmidt discusses the plan, which is aimed at fostering safer online transactions between businesses and consumers. Schmidt says the plan looks to the private sector to build a system allowing for multiple online identities and one-time passwords and PINs, for example, reducing the risk of identity theft by eliminating central passwords and Social Security numbers as identifiers. The plan aims to allow consumers choice in purging their PII from companies' databases. "We have the opportunity now to build for the future when it comes to the way we operate from anonymity to full-trusted abilities online," Schmidt says.
Full Story

PRIVACY—U.S.

Big Strides on Privacy, Many More Needed (February 3, 2011)

Although 2010 was a "banner year" in data protection and privacy, there is more to be known about the pitfalls innovative technology brings. That's according to Lisa Sotto, partner at Hunton & Williams LLP and member of the IAPP Board of Directors. In a Bank Info Security Q&A, Sotto offers insights on what to expect this year as we continue to learn "how to do data security right." An increasing engagement between the FTC and the Department of Commerce is expected, as well as national legislation to regulate online privacy, Sotto says. Looking forward, companies need to understand what data they are collecting and how they are protecting it. "Without understanding the lifecycle, it is impossible to understand where the vulnerabilities are," Sotto said. Read more of Lisa Sotto's thoughts in the current edition of the Privacy Advisor. (IAPP member login required).
Full Story

HEALTHCARE PRIVACY—U.S.

Opinion: Balancing Products and Privacy (February 3, 2011)

An editorial in the Los Angeles Times examines a push by states across the country proposing regulations to govern prescription drug data mining. Looking at market research companies that pay pharmacists for details contained in prescriptions, "including the name of the doctor and the patient, the drug prescribed and the dosage," the report notes that companies then compile the information into databases. "Drug makers should be able to market their products, but their First Amendment rights shouldn't guarantee them access to sensitive data that wouldn't exist but for the government's requirement that doctors and patients disclose it," the editorial states.
Full Story

HEALTHCARE PRIVACY—U.S.

Survey: EHR Privacy a Priority for Doctors, Patients (February 3, 2011)

Doctors and patients agree on the way health IT should be used in modern healthcare, according to a Markle Foundation survey. InformationWeek reports that the Markle Survey of Health in a Networked Life interviewed 1,582 members of the public and 779 physicians. It found that respondents are accepting of technology's increasing role in healthcare, but both groups want privacy and accountability provisions. A majority of both groups support allowing individuals to know who has accessed their records and giving them the means to correct inaccurate data. The majority also supports breach notifications and a policy against government collection of PII for quality improvement programs, the report states.
Full Story

DATA LOSS—U.S.

Universities Suffer Medical Record Breaches (February 3, 2011)

Seattle's KING5 reports on private medical records one customer found inside furniture sold at a surplus store. The records consisted mainly of X-ray and MRI imaging from the University of Washington (UW) Medical Center, stored on 19 DVDs, one of which contained the name and phone number of the corresponding patient. "This is private; this is my body, my life. I don't think it should be out there for people," the patient said. A UW spokeswoman said it will review its procedures. Meanwhile, the University of Iowa is investigating a data breach involving 13 athletes' medical records. The players and their families have been notified.
Full Story

PRIVACY LAW—U.S.

Rush To Reintroduce Bill Next Week (February 2, 2011)

Rep. Bobby Rush (D-IL) will reintroduce his online privacy legislation next week, National Journal reports. Rush debuted his Best Practices Act last July. It received support from some tech firms because "it was technology neutrality and gave flexibility to the Federal Trade Commission to adapt the bill's principles to changes in technology." Rush has indicated that the revised bill may include a do-not-track provision.

TRAVELERS’ PRIVACY—EU

PNR Data Could Be Required for EU Travel (February 2, 2011)

EUobserver reports on proposals set to come before the European Commission to require air travelers to have their passenger name record (PNR) data--such as home addresses, mobile phone numbers, credit card information and e-mail addresses--checked by authorities and shared with other member states if links to terrorism or serious crime are suspected. Negotiations between member states and the European Parliament on the plan are expected to last two years. "So far, the U.S. and other countries using the PNR system have failed to convince us about its necessity," said German MEP Manfred Weber, adding, "There are deficits in the usage of current data. So why should we collect even more mass data?"
Full Story

PERSONAL PRIVACY

Cavoukian Releases Smart Grid Study (February 2, 2011)

Ontario Privacy Commissioner Ann Cavoukian today released a study on an Ontario utility's approach to smart meter deployment, which she says should serve as the model for all future smart grid investment, The Globe and Mail reports. Released at a California event, Operationalizing Privacy by Design: The Ontario Smart Grid Case Study is the third in a suite of papers on smart grid deployment. It describes the utility's policy to only include customer identification information in the company's own billing records and not share it with third parties unless consent is acquired for service offers. "Smart grid technologies have the potential to collect extremely detailed information about energy consumption in the home, which can lead to the unwelcome profiling of individuals," Cavoukian said.
Full Story

PRIVACY LAW—U.S.

Wyden Discusses Mobile Privacy Bill (February 2, 2011)

In an interview with CNET's Declan McCullagh, Sen. Ron Wyden (D-OR) discussed his forthcoming mobile privacy legislation. Wyden suggests that many people "have not really put their arms around the dimensions of this, the fact that everybody's got a handheld electronic device, a cell phone, a GPS system...and probably aren't thinking that much about the fact that someone may be keeping tabs on them." Wyden's goal is to get a bill before the U.S. Congress, he explains, adding he is encouraged by stakeholders' responses. Wyden adds that balance is essential, where those who pose threats to national security can be tracked while law-abiding American citizens don't end up with "their privacy thrown in a trash can."
Full Story

PRIVACY LAW—NETHERLANDS

Reding Investigating Passport Laws (February 2, 2011)

The Dutch government is treating innocent citizens as potential criminals by storing their fingerprints for passports, according to MEP Sophie in't Veld, who has incited a European Commission investigation into whether Dutch passport legislation breaches EU data protection rules, Radio Netherlands Worldwide reports. The government stores four fingerprints in a central database kept by local councils. European Justice Commissioner Viviane Reding is leading the commission's investigation. In't Veld says the Dutch practice is much more privacy-intrusive than other EU-member states' practices and that the United Nations Human Rights Council is critical of the practice.
Full Story

ONLINE PRIVACY—U.S.

DMA To Enforce Self-Regulation Initiative (February 2, 2011)

The Direct Marketing Association (DMA) has announced enforcement plans for its online data collection self-regulatory program. Direct Marketing News reports that the DMA is requiring members to place the "Advertising Option Icon" on ads, linking to pages that educate consumers about data collection and offer opt-outs from online tracking, and that it will investigate consumer complaints about noncompliance. For members that do not comply, "the ultimate sanction is that you are thrown out of the association. If a non-member is persistently noncompliant, we will refer them to the FTC," said Linda Woolley of the DMA, who stressed that, "the goal is not to rat people out. The goal is to make companies comply."
Full Story

DATA LOSS—CANADA

Dickson: Breaches Need Stiffer Penalties (February 2, 2011)

Saskatchewan Privacy Commissioner Gary Dickson told the Leader-Post that the province needs to dole out stiffer penalties to individuals and organizations responsible for data breaches. The comments came on the heels of a breach at the Sun Country Health Region where an employee inappropriately accessed patient prescription data. Dickson said he was "impressed" with the investigation but noted privacy breaches involving electronic health records are serious matters and risk undermining public confidence in the system. "In a number of cases, termination would be the appropriate response," Dickson said, adding, "A minor fine or a suspension of a couple weeks without pay in my mind really minimizes what I think is a much more serious matter."
Full Story

ONLINE PRIVACY—U.S.

Study: “Flash Cookie” Tracking Persists (February 2, 2011)

A Carnegie Mellon University study suggests that about 10 percent of popular Web sites may be using so-called "Flash cookies" to track users, paidContent reports. The study, commissioned by Adobe, tested the 100 most popular Web sites and 500 others that were randomly selected, finding "none of the 500 random sites engaged in re-spawning, and only two of the 100 most-popular sites engaged in re-spawning," the report states. However, a significant number of Web publishers "still won't say if they're using Flash cookies for tracking." Adobe, the creator of Flash Player, has condemned the use of its local storage objects for tracking purposes and recently introduced changes to simplify Flash's privacy options.
Full Story

PRIVACY LAW—U.S.

BT Class Actions Abound (February 2, 2011)

Dominique R. Shelton and Clinton J. McCord of Wildman Harrold Allen & Dixon LLP explore the recent wave of class-action lawsuits related to behavioral advertising that allege violations of federal and state laws "that prohibit intentional accessing and tracking of consumer behavior online without consumer consent." The report looks at the balance of targeted advertising from a marketing standpoint with consumer concerns about privacy. For example, the report suggests, "The gathering of data through Flash cookies can occur without even the company's knowledge if outside vendors are operating, managing or serving advertising on the Web site." Lack of knowledge may be a defense, but it will not protect companies from being sued, the authors write. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY—U.S.

Swire: Federal Privacy Office Needed (February 1, 2011)

In a feature for the Center for American Progress, Peter Swire, CIPP, writes in support of a proposal in the Department of Commerce's new green paper to create a federal privacy policy office. Swire disagrees with comments by some privacy advocates that the creation of such an office would weaken the Federal Trade Commission's privacy efforts. "I believe there is an extremely strong case in favor of developing an ongoing privacy policy capability in the executive branch," Swire writes. "Privacy policy requires familiarity with a complex set of legal, technological, market and consumer considerations. Good government thus calls for creating an institutional memory and a group of civil servants experienced in privacy policy."
Full Story

ONLINE PRIVACY

Mozilla Offers Do-Not-Track Feature (February 1, 2011)

Mozilla has confirmed that its Firefox 4 Web browser will include a do-not-track system allowing users to opt out of targeted advertising, V3.co.uk reports. "This is just our first step," said Mozilla developer Sid Stamm. "We are exploring ways to empower users to have more robust and precise control over their data, and will share our progress on this as it is made." Google has added a similar feature to its Chrome browser, while Microsoft is exploring tracking protection to work consistently across browsers. The announcements come in the midst of questions about what "do not track" actually means, prompting the Center for Democracy & Technology to release a draft definition.

PRIVACY LAW—U.S.

Suit Alleges Privacy Violations (February 1, 2011)

PC World reports that a lawsuit has been filed in federal court alleging privacy violations in the way Apple shares information collected from iPhone, iPad and iPod Touch users with advertisers. The suit, which seeks class-action status, states that the company shares information about browsing history, application use and other personal details without user consent, alleging the result is that application developers can "put a name to highly personal and in many cases embarrassing information derived from app downloading activity and usage, and Internet browsing history, that would otherwise be anonymous." The company previously stated its apps are not supposed to transmit user data without prior permission, the report states.
Full Story

ONLINE PRIVACY—UK

Advocates Angered Over End of BT Investigation (February 1, 2011)

Privacy groups are criticizing the Information Commissioner's Office (ICO) for closing its investigation of a BT data breach, the Guardian reports. The ICO said BT cannot be held responsible for the incident in which a spreadsheet with such confidential information as customer names, addresses and telephone numbers was sent to a law firm by a BT employee, the report states. While the ICO closed its investigation after determining the company was not liable for a mistake committed by one of its employees, advocates contend such a move "appears to give the green light to companies like BT claiming to have a data protection policy but failing to adequately enforce it."
Full Story

DATA PROTECTION—CANADA

MPs Pleased with Response to Privacy (February 1, 2011)

A House of Commons committee says the privacy of Canadians is being protected by online mapping applications like Google Maps, Winnipeg Free Press reports. The committee has been examining efforts by companies that build online maps using real pictures of homes and streets, such as Google and Canpages, the report states, and says both companies' policies about notifying individuals of filming and blurring identifying information are sufficient. Following Privacy Commissioner Jennifer Stoddart's investigation and subsequent recommendations about Google Street View cars' accidental collection of WiFi data, MPs now say they are "cautiously optimistic" that Google is taking privacy more seriously since it hired a privacy director and introduced employee training. Stoddart had said today was Google's deadline for compliance. The committee, however, said it has concerns about companies not considering privacy in the development phase of new technologies.
Full Story

DATA PROTECTION—ISRAEL & EU

EC Publishes Israel’s Adequacy Status (February 1, 2011)

The European Commission (EC) has published its opinion formalizing Israel's status as "adequate" under the European Data Protection Directive. The decision, rendered in October 2010, follows the recommendation of the EC's Article 29 Working Party. It allows for personal data transfers between EU countries and Israel. Israel is one of only a handful of countries to have obtained adequacy status.
Full Story

PRIVACY LAW—U.S.

Bills Would Eliminate Employee Credit Check (February 1, 2011)

Two bills under consideration by the Nebraska Legislature aim to prevent employers from using job applicants' credit histories as a determining factor in hiring decisions, Bloomberg reports. State Sen. Annette Dubas introduced LB113, which would add the use of credit histories or reports to Nebraska's list of unlawful employment practices, with certain exceptions. State Sen. Brenda Council introduced LB530, which would prevent employers from inquiring about an employee or prospective employee's credit history as a basis for employment, recruitment, discharge or compensation, with some exceptions, the report states.
Full Story

DATA PROTECTION

Study: Compliance Saves Money (February 1, 2011)

A benchmark study conducted by the Ponemon Institute and sponsored by Tripwire has shown that investing in IT and security compliance can save companies money over time. Bank Info Security reports that through interviews with 160 IT practitioners across a broad range of industries, the study found that companies that review and maintain compliance with security standards spend an average of $3.5 million yearly, while the cost of noncompliance came in at $9.4 million--due mostly to business disruption and loss of productivity, according to the researchers. Tripwire's Rekha Shenoy noted that, in terms of compliance reviews, "PCI was the one that was top of mind across all industries, because they all take card payments."
Full Story