Privacy News | Daily Dashboard


Top Privacy News

PRIVACY LAW—U.S.

Experts Weigh In on Buzz Settlement (March 31, 2011)
Privacy experts, industry advocates and Federal Trade Commission (FTC) officials are offering different insights on the implications of Wednesday's announcement of the FTC and Google's proposed Buzz settlement. In this Daily Dashboard exclusive, experts weigh in on how the settlement could impact regulations, industry and personal privacy going forward. As Katie Ratte of the FTC's Bureau of Consumer Protection put it, the settlement "is groundbreaking for us because it's the first time we've required a company to implement a privacy program to protect consumer data...It's something we called for in the FTC staff report, and we think it's important for all businesses to incorporate into their business operations today."

DATA LOSS

BP Spills Victims’ Personal Data (March 31, 2011)

A BP employee lost an unencrypted laptop containing the personal information of 13,000 people who filed compensation claims after the Gulf of Mexico oil spill, reports eWEEKeurope. The laptop, which was password-protected, contained a spreadsheet with names, addresses, phone numbers, dates of birth and Social Security numbers of claimants. A BP spokesman said there is no evidence that the data has been accessed, and the company has notified all those affected, offering to pay for their credit monitoring services. Privacy advocates are calling companies' failure to encrypt portable devices inexcusable, with one describing laptop encryption as "one of the few slam-dunks in security." Of the BP data loss, Chris McIntosh of encryption expert Stonewood says, considering the "legal importance of the data, and the scale of the event which made BP record it in the first place, it becomes inexplicable."

ONLINE PRIVACY—U.S.

Legislators Ask Wireless Carriers About Tracking (March 31, 2011)

The House Bi-Partisan Privacy Caucus Co-Chairs Edward Markey (D-MA) and Joe Barton (R-TX) are asking the nation's top four wireless carriers for information on how they handle the collection, use and storage of data. Broadcasting & Cable reports on a letter sent Tuesday by the legislators to AT&T, Verizon, Sprint and T-Mobile in light of concerns about a mobile company in Germany "that was tracking users' locations and destinations without their knowledge," citing a provision in the Communications Act requiring companies to get permission to use location information for commercial purposes. Markey and Barton have requested details on what PII is collected, how it is gathered and the ways it is used, giving the companies until April 19 to reply.

PRIVACY LAW—U.S.

Law Would Protect Readers’ Preferences (March 31, 2011)

A California lawmaker has introduced a law to protect Californians' reading habits. Sen. Leland Yee (D-San Francisco) has introduced the Reader Privacy Act of 2011 (SB 602), according to the Electronic Frontier Foundation (EFF). The bill, backed by the California Affiliates of the American Civil Liberties Union and the EFF, would require the government and other third parties to obtain a search warrant or court order to access sensitive reading records. The law would cover both e-books and hard copies. The EFF says it is "essential that state law keep pace and safeguard readers in the digital age," noting that many bookstores collect information about readers' purchases.

PRIVACY LAW—U.S.

Appeals Court Finds for Employee (March 31, 2011)

An employee's case against her former employer for invading her privacy by pretexting has again been settled in her favor. An Illinois jury first found for Kathy Lawlor in her case against North American Corp., awarding her $1.75 million in punitive damages, but a judge sided with the company, resulting in Lawlor receiving a net sum of $84,752. North American then asked the Illinois Appellate Court to review the case, contending that "it should not have been held liable for the misconduct of independent contractors," the Chicago Tribune reports. The appeals court found for Lawlor, announcing last week that it had reinstated the $1.75 million award. The company plans to seek another hearing.

PRIVACY LAW—U.S.

Kerry Discusses Need for Internet Legislation (March 31, 2011)

In an interview with The Boston Globe, Sen. John Kerry (D-MA) discusses his proposal for Internet privacy legislation, likening online tracking to being secretly monitored by a private detective. "When you go on the Internet, are you, as an American, consenting to having your private activities shared with other people?" he questions. A draft of Kerry's proposed legislation was released earlier this month and is expected to be introduced as early as next week, the report states. Kerry said he has been consulting with industry leaders as well as consumer and privacy advocates on the plan. Kerry's bill is one of several proposed by federal legislators.

DATA LOSS—U.S.

Medical Center, Tech Group Lose Data (March 31, 2011)

A laptop stolen from the Rancho Los Amigos Rehabilitation Center contained personal health information on 667 patients who received electromyography tests, reports the Press-Telegram. Affected patients, the Los Angeles County sheriff and the health department (DHS) were notified. DHS has since implemented new security measures, retrained staff and initiated a risk assessment. Meanwhile, the Institute of Electrical and Electronics Engineers has notified more than 800 of its 400,000 members that their credit card and personal information may have been stolen in a November hack. The incident was reported to the FBI and is being described as a "sophisticated network intrusion," indicating the possibility that it was a government-organized attack, reports Security News Daily.

PRIVACY LAW—U.S.

FCC Chief Answers WiFi Questions (March 31, 2011)

At a House Appropriations Subcommittee hearing yesterday, Federal Communications Commission Chairman Julius Genachowski faced tough questions about the ongoing investigation into Google's collection of unencrypted private WiFi data. Rep. Tom Graves (R-GA) asked Genachowski for an update and if he thinks "the collection of people's information without their consent is wrong?" Genachowski said he could not respond because the investigation is still active, reports The Hill.

Privacy Advocates, FTC, Google React to Proposed Buzz Settlement (March 31, 2011)

By Jennifer L. Saunders

Amid announcements Wednesday by the Federal Trade Commission (FTC) and Google that the two have reached a settlement agreement on privacy issues raised over last year’s introduction of the Google Buzz social network, FTC officials, privacy experts and advocates alike have been weighing in on the implications of the proposed settlement.

Under the proposed settlement, Google has agreed to provisions including the implementation of a comprehensive privacy program to include independent privacy audits for the next 20 years.

In its announcement, the FTC specifies, “The proposed settlement bars Google from misrepresenting the privacy or confidentiality of individuals’ information or misrepresenting compliance with the U.S.-EU Safe Harbor or other privacy, security or compliance programs. The settlement requires the company to obtain users’ consent before sharing their information with third parties...”

FTC Commissioner J. Thomas Rosch issued a separate statement on the proposed agreement, stressing that he has approved of accepting the consent decree for public comment purposes but has concerns that such an opt-in requirement in the agreement “might sometimes be contrary to the public interest.”

Elizabeth Johnson, a partner and the Privacy and Information Security Practice leader at Poyner Spruill LLP, shared insights into the implications of the proposed agreement with the Daily Dashboard following the announcement on Wednesday.

“There are really quite a lot of interesting things in the settlement,” she said, noting, “The requirements related to the implementation of a comprehensive privacy program are fascinating.”

Johnson pointed to the requirements the FTC is calling for to be layered with Google’s wide variety of products and services, suggesting, “The privacy program that should result will be epic in scale. Imagine the job of auditing it every other year for 20 years, even if Google never added another product or service, which is about as likely as the FTC never taking another enforcement action.” 

In terms of Safe Harbor, Johnson noted that through this agreement, “the FTC has put some teeth into the notice and choice principles with this action.”

Johnson also suggested the settlement will allow the FTC to advance the concept of privacy by design.

“The requirement that Google must identify privacy risks through an assessment process during ‘product design, development and research’ cries out for a privacy impact assessment and...

PRIVACY LAW—U.S.

FTC, Google Announce Buzz Settlement (March 30, 2011)
The Federal Trade Commission (FTC) and Google have reached an agreement on the commission's allegations the company "used deceptive tactics and violated its own privacy promises to consumers" with the launch of its Google Buzz social network last year. In its announcement of the consent decree, the FTC specifies the provisions of the proposed settlement include requirements for Google to implement a comprehensive privacy program with regular, independent privacy audits for the next 20 years. "When companies make privacy pledges, they need to honor them," FTC Chairman Jon Leibowitz said. "This is a tough settlement that ensures that Google will honor its commitments to consumers and build strong privacy protections into all of its operations."

PRIVACY LAW—U.S.

LinkedIn Sued for Privacy Concerns (March 30, 2011)

LinkedIn is being sued for alleged privacy violations, MediaPost News reports. A complaint filed in the U.S. District Court for the Northern District of California on Friday alleges that the site allowed third parties, including ad networks, to discern a user's name and link it to tracking cookies. Plaintiff Kevin Low is seeking class-action status, according to the report. He says he was "humiliated by the disclosure of his personally identifiable browsing history." Low alleges that the company violated federal and California state laws in addition to its own privacy policy. A LinkedIn spokesperson said, "We will defend ourselves vigorously." 

PRIVACY LAW—SPAIN

DPA Case Asks Search Engine To Forget (March 30, 2011)

The Spanish Data Protection Agency's (DPA) call for Google to remove links to individuals' personal information from its search results is currently before the Spanish High Court but could be referred to the European Court of Justice, Deutsche Welle reports, in what some suggest may be "a landmark case within Europe." Privacy expert Viktor Mayer-Schönberger suggests the case pits "two fundamental rights against each other: The right to remember in a society versus the right to personal privacy and the right to be forgotten." The DPA is representing about 80 plaintiffs calling for records from their past to be removed. Spain's privacy laws include fines of up to €600,000 for such infringements as inappropriate publishing of personal information, the report states.

ONLINE PRIVACY

Expert: The Re-identification Devil Is in the Details (March 30, 2011)

When it comes to protecting privacy online, the biggest threat lies in the everyday details Internet users share without realizing that even anonymous postings can be correlated to expose their identities. That's according to University of Colorado Law School Prof. Paul Ohm, who spoke recently on the process of "re-identification." Deleting information is not enough, Thinq.co.uk reports, as companies can identify users by drawing inferences from the bits of data left behind. "We have to get used to talking about the price of privacy," Ohm notes, adding, "Maybe we should give up some of the efficiency and convenience of the Internet if we can protect privacy."

DATA PROTECTION—THAILAND

Networked Medical Devices Bring Breach Risks (March 30, 2011)

A recent report by Integrating the Healthcare Enterprise (IHE) found that the increasing use of networked medical devices puts patient data at greater risk. IHE conducted research into medical equipment management and cybersecurity and, while it found no attacks on the devices themselves, it found instances where the devices "became casualties of a larger malware outbreak or where a device was the entry point for an attack," reports the Bangkok Post. Dr. Sutee Tuvirat of the Thai Medicine Informatics Association says the Public Health Ministry can play an important role in regulating healthcare security.

PRIVACY LAW—U.S.

Do-Not-Track Comments Indicate Support (March 30, 2011)

Though the FTC's proposal for a do-not-track mechanism initially incited criticism from the advertising industry, reactions now seem to indicate widespread support, InformationWeek reports. That's according to attorney Richard Santalesa of Information Law Group, who analyzed the 442 comments submitted to the FTC during a public review period on the proposal. Concerns raised, however, include "hesitation over standardizing on a single approach or technology" and "problems with FTC Fair Information Practices," the report states. The government has favored self-regulation over legislation thus far, but it "looks like change is in the air," said attorney Nicole Friess, citing Sen. John Kerry's (D-MA) recently released legislation and three other pending privacy bills. Editor's note: Learn more about how "do not track" would work and its potential impacts and enforcement regimes during the upcoming IAPP Web Conference "Do Not Track--Implementation and Impact," Thursday, April 14.

PRIVACY LAW—U.S. & EU

U.S. and EU Negotiating Data Exchanges (March 29, 2011)

The U.S. and EU have begun formal negotiations toward a pact to protect the personal information they exchange while fighting crime and terrorism, The Wall Street Journal reports. The negotiations come amid ongoing conflict between law enforcement's need for access to personal information in order to fight crime and the need to protect individuals' privacy. The U.S. and EU are "committed to ensuring a high level of protection of personal information while fighting crime and terrorism," a U.S. Justice Department statement said. The negotiations follow the U.S. decision last month to extend provisions of the Patriot Act, prompting advocates to call for safeguards. (Registration may be required to access this story.)

PRIVACY LAW—U.S.

$110,000 Settlement Reached in Restaurant Case (March 29, 2011)
Massachusetts Attorney General Martha Coakley has reached a settlement with a restaurant company in a breach that compromised "tens of thousands of consumers' payment card information," the Hunton & Williams Privacy and Information Security Law Blog reports. The suit against the Briar Group, which owns several Boston-area bars and eateries, alleged hackers accessed the company's computer systems in 2009. In addition to the $110,000 fine, the company must comply with state data security regulations and Payment Card Industry Data Security Standards. Coakley said her office "will continue to take action against companies that fail to implement basic security measures on their computer systems to protect the sensitive information entrusted to them by consumers."

PERSONAL PRIVACY—UK

Census Concerns Persist (March 29, 2011)

While the Office of National Statistics has requested all UK households to file their 2011 census forms under threat of possible fines, questions about the security of census data persist. Infosecurity reports on concerns about the company that will be processing the census data as having "a patchy record for data-handling." The report quotes one security expert who cautions that "it's not just the Office of National Statistics staff we have to be concerned about, with the fact that this data will be shared out with the police, MI5 and other security bodies--all of which will be able to see the information."

HEALTHCARE PRIVACY—U.S.

State Questions Breach Notification Timeline (March 29, 2011)

Regulators in Oregon are questioning the time it took for Health Net to notify them of a breach that involved consumers in that state, The Oregonian reports. Although nine servers containing personal information have been unaccounted for since January, a spokesperson for the Oregon Department of Community and Business Services, which oversees the state's insurance division, has said, "Even though they let us know in February that there was some sort of breach, we weren't privy to any details that Oregonians were involved." A Health Net spokesperson, meanwhile, has said it took time for the company to extract information from backup servers to determine what was missing.

PRIVACY LAW—NEW ZEALAND & EU

Companies Awaiting Adequacy Notice (March 29, 2011)

Six months after the New Zealand Parliament passed legislation to comply with European privacy laws, companies are still waiting for the okay to do business in Europe, Computerworld reports. At least one New Zealand business says it has lost clients due to not being branded "adequate" under European privacy law, says Privacy Commissioner Marie Shroff. Further meetings and analyses are in process, and a formal recommendation for acceptance may come next month, the report states, noting the approval process has been underway for more than 10 years.

DATA LOSS

Study: Many Companies Don’t Report, Don’t Fix (March 29, 2011)

The results of a recent study by cybersecurity vendor McAfee indicate that six in 10 companies pick and choose which data breaches to report and half of those that have experienced a breach make changes to fix and protect their systems from future breaches, reports The Huffington Post. The study surveyed over 1,000 senior IT professionals from Brazil, China, India, Japan, the Middle East, the UK and the U.S. about the challenges of protecting corporate data. According to the report, outsourcing and mobile devices are expected to pose even greater challenges to data security as they become more prevalent.

PRIVACY—U.S.

Hearing Postponed for Privacy Advocate’s Funeral (March 29, 2011)

Nextgov reports that Senate Commerce Chairman Jay Rockefeller has postponed a computer security hearing to attend the funeral of Judge M. Blane Michael, a proponent of digital privacy and Rockefeller's mentor at one time. As legislators consider updates to the Electronic Communications Privacy Act, Michael last year lectured students at New York University School of Law that the "digital age is placing our privacy in jeopardy. Technological advances in the way we communicate and store information make us increasingly vulnerable to intrusive searches and seizures." The Wednesday hearing was to examine the economic ramifications of cyber threats in the private sector, the report states, and has not yet been rescheduled.

DATA LOSS

Data Compromised Through Third-Party Breaches (March 29, 2011)

Hackers gained access to consumer data through third-party service providers in three recent breaches affecting the Maine Bureau of Parks and Lands, Play.com and Game Show Network members. These breaches highlight the need for companies to identify what data they hold that others may want and who has access to that data, Michael Maloof of TriGeo Network Security told eWEEK. Maine Parks and Lands notified 970 Maine residents and attorneys general of other states of its breach, which compromised visitors' credit card numbers and expiration dates but not names. Meanwhile, Play.com shoppers' and Game Show Network members' e-mail addresses were accessed through third-party marketing firms.

SOCIAL NETWORKING—U.S.

Facebook Adds Former Politicos to Employee Roster (March 29, 2011)

Facebook's payroll increasingly contains names from Capitol Hill these days, The New York Times reports. Political analysts say the strategy aims to build the company's political influence in Congress and quiet criticisms. Its most recent talks involve President Barack Obama's former press secretary, Robert Gibbs. The company hired a former Clinton Administration official as its chief operating officer and last year a former Obama Administration official began serving as the company's vice president of global public policy, among others. "The practical implication is it's going to make it more difficult for advocates to convince members of Congress that Facebook presents a privacy problem," said one expert. (Registration may be required to access this story.)

PRIVACY LAW—U.S.

Recent Enforcements Indicate Agency’s Focus (March 28, 2011)
The Federal Trade Commission's (FTC) recent enforcement actions against two companies should serve as an indication of the kind of privacy intrusions likely to catch its attention, says Maneesha Mithal, director of the division of privacy and identity protection at the FTC. The agency recently finalized a settlement with Twitter after finding it put user privacy at risk. It also brought an enforcement action against ad network Chitika after discovering the network was tracking users after they had opted out. A 30-day public comment period will now determine the settlement's outcome. Mithal added that though the FTC can't regulate mobile phone companies, it can bring action against developers of deceptive apps, MediaPost reports.

EMPLOYEE PRIVACY—CANADA

BC Privacy Commissioner To Examine Database (March 28, 2011)

BC Privacy Commissioner Elizabeth Denham has announced that her office is examining the use of a police database for background checks on job applicants, Vancouver Sun reports. In the wake of concerns by the BC Civil Liberties Association, Denham's office is reviewing the use of the BC Police Records Information Management Environment--which contains at least the names of 85 percent of the province's residents--to check criminal records for employment purposes. "This is a very complex issue involving multiple jurisdictions, multiple data linkages, competing interests and the overlap of at least five different laws," Denham said, adding, "we need to be sure that the process is fair and justifiable, both ethically and legally."

ONLINE PRIVACY—NEW ZEALAND

Survey: Web Users More Concerned About Privacy (March 28, 2011)

High-profile breaches may be causing a shift in attitudes about the value of privacy online, Computerworld reports. That's according to a recent survey launched by the Office of the Privacy Commissioner on public- and private-sector organizations' experiences with cloud computing and overseas data transfers. Privacy Commissioner Marie Shroff said people with more sensitivity to their privacy "may well be in the majority," in contrast with those willing to sacrifice privacy for online services. The office has received about 50 responses after extending the deadline to March 21 due to the Christchurch earthquake. The results are planned to be announced during Privacy Week beginning May 1.

DATA LOSS—U.S.

Social Service Agency Loses Records (March 28, 2011)

The Maryville Academy, a social service agency in Illinois that cares for abused children, has announced that computer files containing the personal information of 3,900 children Maryville has served have either been misplaced or stolen, reports the Chicago Tribune. The files, which were in a locked storage room, date back to 1992 and may include birth dates, relatives' names, Social Security numbers and medical care, among other information. Maryville is investigating how the files disappeared and encouraging those affected to monitor their credit.

PRIVACY LAW—INDIA

Opinion: Eavesdropping Legislation Allows for Abuse (March 28, 2011)

It has taken about two years for the first signs of misuse to appear after the Indian government passed legislation allowing it to eavesdrop on electronic communication and block Web sites for national security purposes. It is unclear what threat the recently blocked Web sites posed to national security, opines Rahul Bhatia in The Wall Street Journal, adding that vague rules surrounding the legislation may lead to many more abuses and do not reference individuals' privacy rights; the guidelines that the Indian Computer Emergency Response Team uses to block sites are considered classified information. "Nobody even knows how widespread the blockade is. There's no hint of the process involved," Bhatia writes, calling the practice "undemocratic." (Registration may be required to access this story.)

ONLINE PRIVACY—U.S.

Opinion: Internet Users Share PII for Benefits (March 28, 2011)

A recent study indicates that more than half of all Americans over the age of 12 are now part of the world's largest social network, prompting an editorial in The Wall Street Journal to ask, if most people are "knowingly trading personal information for other benefits, why is Washington so focused on new privacy laws?" In light of the push at the federal level for new baseline privacy legislation to let Internet users opt out of online behavioral targeting, the editorial points out that one recent survey found a current "opt-out rate of just 0.00002 percent." The editorial suggests, "The benefits of technology have changed people's expectations about privacy and information." (Registration may be required to access this report.)

ONLINE PRIVACY—U.S.

Opinion: Is Self-Regulation Enough? (March 28, 2011)

In a Network World feature, Robert Mullins looks at recent efforts by several high-profile Internet browsers to offer their own do-not-track options, suggesting, "user information is highly coveted by tech companies, their marketers and advertisers, so I don't think industry self-regulation--as some have advocated--will be sufficient." He refers to an analysis by the Information Law Group on the 442 comments received in response to the FTC's "Protecting Consumer Privacy in an Era of Rapid Change" that includes reactions to calls for a do-not-track mechanism as well as input from specific companies and industry experts on the push for regulation.

PRIVACY LAW—U.S.

Commissioner: FTC Has Not Endorsed Do Not Track (March 25, 2011)
The Federal Trade Commission (FTC) has not endorsed plans for an online do-not-track mechanism, ClickZ reports. That's according to FTC Commissioner J. Thomas Rosch in an opinion piece for AdAge where he writes, "The concept of do-not-track has not been endorsed by the commission or, in my judgment, even properly vetted yet." In the midst of calls for federal privacy legislation, Rosch writes that in his statement on the FTC's preliminary staff report, he acknowledged he "would support a do-not-track mechanism if it were 'technically feasible.' By that I meant that it needed to have a number of attributes that had not yet been demonstrated. That is still true, in my judgment." Editor's Note: Learn more about current plans for baseline privacy laws during the upcoming IAPP Web Conference "Federal Privacy Legislation: An Insider's View" next Friday, April 1.

ONLINE PRIVACY—U.S.

Utility Releases Smart Meter Opt-Out (March 25, 2011)

Following protests from customers and concerns voiced by advocates, California's public utility has released an opt-out plan for its smart meter program, meeting a deadline set by the California Public Utilities Commission. Mercury News reports that Pacific Gas & Electric's (PG&E) plan will allow customers to opt out of having the wireless portion of the smart meter turned on. However, the action would cost customers fees that one advocate says are "not affordable" and would discourage customers from doing so. Smart meters will measure home electricity usage in real time, in some cases down to the appliance level, prompting privacy concerns.

PRIVACY LAW—AUSTRALIA

Data Retention Plan Will Be Targeted (March 25, 2011)

In the wake of privacy concerns being raised about plans to accede to the European Convention on Cybercrime, the attorney-general has announced that ISPs would only be required to retain data for targeted individuals being investigated for serious crimes. ZDNet reports on a statement by Catherine Smith of the Attorney-General's Department to a joint standing committee on treaties that contradicts concerns raised last year that the convention would require ISPs to store details on all users. "It is a targeted preservation of a person's data," Smith said, noting, the retention of all communications on ISP networks "is a very different issue...And we're not talking about that at this stage."

PRIVACY LAW—U.S.

Texas Senate Passes Healthcare Privacy Bill (March 25, 2011)

The Texas Senate has passed Bill 622, which seeks to strengthen personal health information protection beyond the provisions of federal law, Star Local News reports. "Medical records include highly sensitive information, and the misuse of this information can put patients at risk for severe financial and personal consequences," said Sen. Jane Nelson (R-Flower Mound), who introduced the legislation. "This bill protects patients from having their information improperly sold to unauthorized third parties and ensures that patients have the right to access their own electronic medical records." Senate Bill 622 updates the state's medical privacy laws in light of technological advances and "expands upon federal privacy protections," the report states.

DATA LOSS

Travel Site Breached, E-mails Exposed (March 25, 2011)

A travel Web site is alerting customers that their personal information may have been breached. TripAdvisor says someone has breached its network and stolen e-mail addresses for an undisclosed number of its members, CNET reports. "We've confirmed the source of the vulnerability and shut it down," said the company's co-founder and chief executive, Steve Kaufer, in an e-mail. "We're taking this incident very seriously and are actively pursuing the matter with law enforcement." He added that passwords were not accessed. "Unfortunately, this sort of data theft is becoming more common across many industries," he said. An online entertainment retailer reported a breach that exposed users' names and e-mail addresses earlier this week.

DATA LOSS—U.S.

State Park Pass Purchasers’ Info Exposed (March 25, 2011)

Individuals who purchased their Maine State Parks passes online last year may have had their credit card information breached, WCSH6 reports, as the California-based company the state used for the purchases suffered a malware attack between March 21 and December 22 of last year. The Maine Department of Conservation has sent out notices to 970 credit cardholders in Maine, although a spokesperson has said "it was up to the vendor to notify all the cardholders who might have used the site." To date, there have been no reports of fraudulent charges. The spokesperson said the Web page has been removed, and "we're working with another vendor to create a better, safer site."

PRIVACY LAW

Passenger Data Bill Passes Senate Third Reading (March 25, 2011)

The Senate has passed the third reading of a bill that seeks to require airlines to provide information on passengers passing through U.S. airspace to U.S. authorities, The Vancouver Sun reports. Bill C-42, "an Act To Amend the Aeronautics Act," will allow such passenger information as name, gender and birthdate to be shared with the U.S. Department of Homeland Security. The bill has drawn privacy concerns from advocates such as the Canadian Civil Liberties Association. But one senator said that several amendments to the bill have strengthened it after an "effort was made to strike that balance between privacy and security."
Full Story

PRIVACY

Telecom To Pay $275,000 After CRTC Investigation (March 25, 2011)

Rogers Communications has agreed to pay $275,000 to educational institutions after a Canadian Radio-television and Telecommunications Commission (CRTC) investigation, reports The Globe and Mail. Rogers, a Toronto-based wireless, cable, Internet and media company, was making automated calls to its subscribers, which violates CRTC regulations. Telecommunications companies must get prior consent to make such calls. Rogers has not admitted fault but has agreed to give $175,000 to the École polytechnique de Montréal and $100,000 to the British Columbia Institute of Technology as well as to stop making the automated calls and review its policies on the practice.
Full Story

DATA PROTECTION—EU

Hustinx Advises on Balancing Privacy, Transparency (March 25, 2011)

European Data Protection Supervisor Peter Hustinx has issued advice to European Union institutions on how to protect privacy while providing access to information, V3.co.uk reports. The advice comes after a ruling by the European Court of Justice that the European Commission "was right to refuse the release of information on the attendees of a meeting requested by the Bavarian Lager Company," the report states. Hustinx said EU institutions should develop clear policies that state what kind of data can be released and clarified that data protection does not mean withholding information. While data protection must be respected, that shouldn't be "used as a pretext for not being transparent," he said.
Full Story

PRIVACY LAW—U.S.

“Privacy Bill of Rights” Draft Released (March 24, 2011)
Following up on his announcement that he would soon submit the "Commercial Privacy Bill of Rights Act of 2011" during a hearing on the call for federal privacy legislation, Sen. John Kerry (D-MA) and the bill's cosponsor, Sen. John McCain (R-AZ), have published a draft of the legislation. MediaPost reports the draft includes provisions to "give the Federal Trade Commission authority to craft privacy regulations and to operate a Web site where consumers can opt out of online behavioral targeting." In the Hogan Lovells Chronicle of Data Protection, Christopher Wolf highlights major provisions of the draft legislation, including what would constitute PII and "unique identifier information," safe harbor programs, access to data and opt-in consent. "No private rights of action are allowed," Wolf writes, "and state laws--except those dealing with health or financial information, data breach notification or fraud--are preempted."

PRIVACY LAW—EU & U.S.

Official: Patchwork of Laws Means Company Headaches (March 24, 2011)

A U.S. official has said that the multiplicity of international data protection laws is problematic for U.S. companies. Bloomberg reports that Daniel Weitzner, an Internet policy official in the U.S. Commerce Department, said that data protection authorities don't always recognize that companies are facing a "substantial barrier today. It's awfully difficult to adapt privacy practices for a hundred or more different" jurisdictions. He also said that companies' efforts to establish protections adequate to stop abuses of privacy aren't recognized. Weitzner recently met with EU Justice Commissioner Viviane Reding, who said in a speech Wednesday that cooperation between the EU and U.S. may promote global standards for data privacy.
Full Story

DATA LOSS—U.S.

Experts Say Breach Victims Should Expect the Worst (March 24, 2011)

Experts say that those affected by the breach last week at a company that provides computer security products to a number of corporations and governments should brace themselves for the worst-case scenario, InformationWeek reports. That scenario would mean that the breach at EMC Corporation's RSA Security Division involved the theft of the source code to the company's two-factor authentication product, "which would possibly allow hackers to reverse-engineer or otherwise break the system," said expert Bruce Schneier. Another expert speculated that a million users may have been impacted by the breach.
Full Story

PRIVACY

Scientist: “Surveillance Society Inevitable, Irresistible” (March 24, 2011)

There's enough data floating around about any given person to predict where they'll be next Thursday around 5:53 p.m., says Jeff Jonas, chief scientist of IBM's Entity Analytics group. The question is how privacy models will change as a result of the amount of data collected via cell phones, transactions and social media sites, among others, ZDNet reports. "The surveillance society is inevitable and irresistible," Jonas said at a recent conference in New York, adding that he's working on an "analytic sensemaking" machine with privacy features that are built in from its construction and cannot be turned off. The system, called G2, aims to "explore new physics of big data," the report states.
Full Story

DATA PROTECTION—AUSTRALIA

Expanse of Database PII Causing Public Concern (March 24, 2011)

The Australian reports that the expanding volume of personal information held in government and business databases is causing public concern about privacy, says Information Commissioner John McMillan. Speaking in Canberra, the commissioner said people are worried about data stored about "their financial and taxation affairs, their family and medical history, employment records and transactions with agencies." He added that the privacy commissioner received 60 notices of breaches this year. Noting the government's indication that it will increase the enforcement powers of the privacy commissioner, McMillan said that the "prospect of financial penalties for privacy breaches will provide an added incentive for organizations to take their responsibilities seriously."
Full Story

ONLINE PRIVACY—U.S.

Research: Users Read Labels, Not Policies (March 24, 2011)

Kashmir Hill writes in Forbes about the work of a team of Carnegie Mellon researchers to come up with a new format for informing Internet users about their privacy. Quoting recent comments by Lawrence Strickling of the Department of Commerce that privacy policies that are "lengthy, dense and legalistic...do not appear to be effective in informing consumers of their online privacy choices," Hill examines the researchers' "nutrition label" approach to online privacy. Citing a 2009 study, the researchers "found that people demonstrated a better grasp of a company's treatment of their data based on a 'privacy label' than a text version of a privacy policy," the report states.
Full Story

BEHAVIORAL TARGETING

Social Network Turns User “Likes” Into Ads (March 24, 2011)

PCWorld reports that Facebook's "sponsored stories" ad plan, which has raised concerns among privacy advocates, is now being rolled out across the social network. For those who don't like the plan, Dan Tynan suggests in his report, "don't 'Like' it--or anything else. Because once you do...There is no opting out. Facebook can use your name and profile image alongside any product you endorse, per its privacy policy." A forthcoming plan to allow third-party advertisers to use users' images and names in a similar way will have an opt-out, the report states.
Full Story

PRIVACY LAW—U.S.

Experts Examine Legislative Initiatives (March 24, 2011)

In a Privacy Tracker feature, Hogan Lovells LLP examines the lengthy list of federal and state initiatives aimed at protecting privacy as well as recent actions related to privacy breaches. In addition to federal calls for new privacy laws--some of which have already been presented in bill form--the report looks at what can be expected from the Senate Judiciary Committee's new Privacy, Technology and the Law Subcommittee. The update also includes a review of the recent ruling by the California Supreme Court on the collection of zip codes, which has resulted in multiple lawsuits, and an examination of last month's Department of Health and Human Services fines for HIPAA violations. (Registration may be required to access this story.)
Full Story

PERSONAL PRIVACY—UK

Questions Raised About Census Data Use (March 24, 2011)

Concerns are being raised about the potential for access to personal information gathered by the Office of National Statistics (ONS) for the upcoming UK census, InformationAge reports. Data collected in the census "will remain confidential for 100 years," according to information on the ONS Web site, but experts note that census data falls under the Statistics and Registration Service Act 2007, which stipulates conditions under which the ONS may disclose data, including for criminal investigations, court orders or "to an approved researcher," the report states. "I'd like to see confidentiality guaranteed in black and white," one expert said.
Full Story

 

PRIVACY LAW—CANADA

Court: Personal Items on Work Computer Are Private (March 23, 2011)
The Globe and Mail reports on a judgment this week by the Ontario Court of Appeal related to questionable files a teacher had on his school-issued computer. "I conclude that the appellant had a reasonable expectation of privacy from state intrusion in the personal use of his work computer and in the contents of his personal files on its hard drive," Justice Andromache Karakatsanis wrote in the 30-page ruling. The court found it was permissible for school officials to search the computer but not to provide police access. "This case comes down firmly on the side of privacy and holds that employers cannot give police investigators access to a workplace computer," said privacy expert Scott Hutchison, adding, "the employer may own the computer, but that doesn't give them the power to waive the employee's privacy rights."

ONLINE PRIVACY—U.S.

Companies Take Steps Toward Self-Regulation (March 23, 2011)

In light of concerns from the Federal Trade Commission (FTC) and recent calls on Capitol Hill for broad-based privacy legislation, several online industry leaders are taking steps to encourage self-regulatory practices. ClickZ reports on the switch by Google and Yahoo to the Digital Advertising Alliance's self-regulatory behavioral advertising icon and on TRUSTe's efforts "to help consumers prevent online tracking by bad actors." Google and Yahoo are linking their icons to tools that allow users to change their preferences and opt out of receiving targeted ads, the report states, noting, however, that self-regulation is complex, and it remains to be seen whether the efforts will "assuage concerns" of legislators and the FTC.
Full Story

PRIVACY LAW—UK

ICO Prepares To “Use Teeth,” Issue Fifth Fine (March 23, 2011)

Information Commissioner Christopher Graham says his office is preparing a fine against an organization--the fifth issued by the ICO since it gained the powers to do so in January 2010. It is not yet known which organization will be punished, but Wolverhampton City Council, Leicester City Council and the University of York have all been flagged for breaches in recent weeks, eWeek reports. "This fifth fine coming down the track shows that the ICO is not an organization with small fangs, but that data controllers should realize that, if they let consumers down, a fine from the ICO will be the Mark of Cain," Graham said.
Full Story

ONLINE PRIVACY—CANADA

OPC: Tracking Raises Concerns (March 23, 2011)

A CBC News report explores whether Canada may begin pursuing do-not-track legislation. "Almost everywhere you go online, you're being watched," Dan Misener writes, listing off the online tracking options--from news sites to social networks to health sites--where personal information can be gathered to profile users. In response to a question about do not track, the Office of the Privacy Commissioner has stated, "We are following with interest the U.S. Federal Trade Commission's proposal for a do-not-track mechanism. Our office has concerns about the lack of visibility with respect to online tracking, profiling and targeting. If people don't know about such practices, they can't take steps to limit tracking."
Full Story

PRIVACY LAW—EU

Commission Urged To Forget “Right To Be Forgotten” (March 23, 2011)

Some online industry leaders are arguing that a "right to be forgotten" is not what Internet users want, The Register reports. That was the message from Facebook officials in light of a European Commission endorsement of such a right in its efforts to update privacy legislation. Speaking at an event in the UK, Facebook's Richard Allan spoke of a "shoot the messenger" mentality where people who are uncomfortable with certain online content do not address the source, instead "going to those places where the content is shared or indexed and asking them to resolve the problem. I think that's extremely worrying for a whole range of reasons." At the same event, one legal expert added, "Right to be forgotten will not work. Simple as that."
Full Story

PRIVACY LAW—U.S.

Bills Require Parental Consent for Teen Healthcare (March 23, 2011)

Maine lawmakers heard testimony Tuesday on two proposals that would prevent teenagers from receiving certain health services without their parents' permission. LD 31 would prohibit pharmacists or clinics from dispensing prescription drugs to minors without parental consent, and LD 746 would require parental consent before a minor could receive treatment for substance abuse or emotional and psychological problems, the Bangor Daily News reports. Opponents of the bills say they would make Maine the most restrictive state in terms of minors' privacy, and adolescents' health "will be placed at risk" with these bills, said the executive director of the Maine Osteopathic Association.
Full Story

HEALTHCARE PRIVACY—U.S.

Health Breaches Expected To Reach 10 Million (March 23, 2011)

The total number of individuals affected by health data breaches since 2009 could surpass 10 million, Gov Info Security reports. Now at 8.3 million individuals, that tally is expected to grow once details about a recent Health Net breach are added, in which data on 1.9 million current and past enrollees went missing after nine servers disappeared from a data center near Sacramento, CA. Three government agencies in California are investigating the breach, while a recent New York City Health and Hospitals Corp. breach affected 1.7 million. The Department of Health and Human Services' Office for Civil Rights is in the process of finalizing the HITECH breach notification rule to further clarify what incidents must be reported.
Full Story

DATA LOSS—U.S.

Missing Disk Contains Nearly 25,000 Students’ SSNs (March 23, 2011)

A disk containing the Social Security numbers of 24,903 students in a Texas school district has gone missing. The Texas Tribune reports that the Texas Education Agency first became aware of the disk's disappearance in January. It was mailed to the University of Texas at Dallas (UTD), which a former administrator said is standard practice due to the size of files shared between districts, though a current administrator refutes that claim. Records show that the package was signed for, but UTD says it does not recognize the signatory. A UTD spokesman said it is standard practice for sensitive data to be encrypted, "so there was no concern of a security breach."
Full Story

PRIVACY LAW—GERMANY

Woman Loses Suit Against Mapping Feature (March 23, 2011)

Court documents recently published on the city of Berlin's Web site show that a German woman has lost a case against Google that claimed the company's camera cars invaded her privacy. The woman, who did not seek compensation but wanted the photography to cease, said that Google's Street View cars could peer into her home and backyard, PC World reports. The woman originally lost the case in a regional court in September 2010. A three-judge court of appeal panel upheld the court's decision, stating that Street View photography isn't illegal and that citizens can request to have pictures taken down.
Full Story

GEO PRIVACY—U.S.

Opinion: Would “Noprivacyville” Save Money? (March 23, 2011)

In his Dilbert.com blog, Scott Adams explores plans by auto insurers to give drivers the option of letting their driving habits be tracked via GPS devices to reward "safe driving situations" with lower rates, extrapolating such an idea to the creation of the city of "Noprivacyville," where personal privacy would be exchanged to "save 30 percent on basic living expenses and live in a relatively crime-free area," for example. While the idea of completely abandoning privacy is not appealing, he suggests, "I'm just curious what sort of price, in economic terms, and in convenience and in social benefits, we pay for our privacy. My guess is that it's expensive."
Full Story

 

BEHAVIORAL TARGETING

Advocates: Device Fingerprinting Easier To Track Than Cookies (March 22, 2011)
Device fingerprinting technology now allows advertisers to specifically identify connected devices such as computers and smart phones. When devices send or receive data, they transmit pieces of information about their properties and settings that can be pieced together to form a unique "fingerprint" for that device, ClickZ reports. This concerns privacy advocates, as a device's fingerprint is more persistent than a Web-tracking tool such as a cookie. "You don't have any control over them, or at least not the same kind of control you do over cookies...That makes fingerprinting a serious privacy threat," said Peter Eckersley of the Electronic Frontier Foundation.

PRIVACY LAW—EU & U.S.

Will Regulation Tame the “Wild West” of the Web? (March 22, 2011)

Reuters reports on efforts by regulators on both sides of the Atlantic to tighten the reins on the "Wild Wild West" of the Internet. The EU has announced that Web businesses may be subject to legal action if they fail to obey forthcoming EU data privacy rules--one of which may require what the European Commission calls a "right to be forgotten" for Internet users. A spokesman for one social network said there are industry concerns about "an over-prescriptive interpretation of what these rights mean in practice." Meanwhile, the report points out that although the EU and U.S. have traditionally differed on privacy issues, "they are working together to come up with a common set of standards."
Full Story

PRIVACY LAW—U.S.

Expert: Photo Ruling Has Powerful Implications (March 22, 2011)

In a blog for Stanford's Center for Internet and Society, Omer Tene examines the implications of a Kentucky Court of Appeals case that determined permission is not necessary to post or "tag" photos of people online. In the case, a parent at risk of losing her child for the behavior depicted in photos on Facebook argued she had never given permission for the photos to be published or for her image to be tagged. The court's response, however, was that the law does not require such permission. Amid discussion of privacy legislation in the U.S., Tene looks at how the ruling relates to such key issues as online tracking and the use of data by third parties.
Full Story

BEHAVIORAL TARGETING—EU

Cookies Icon Aims To Inform Users (March 22, 2011)

PCWorld reports on Yahoo's introduction of a feature that allows users to opt out of cookies. The icon was unveiled last Friday ahead of a new law that will come into force in the EU on May 25 known as the "Cookie Directive," which will require online companies to obtain explicit consent to track users' Web movements via cookies. Yahoo's mechanism involves an "Ad Choices" icon that users can click to find out what information has been collected about them and modify their preferences on targeted ads. "Businesses like ours depend on the trust of our users," said Justin Weiss, CIPP, Yahoo's director of international privacy and policy.
Full Story

PRIVACY LAW—U.S.

Lawsuits Piling Up Against Video Provider (March 22, 2011)

In the wake of the most recent suit alleging a privacy violation by the world's foremost video-rental provider, CNET reports that Netflix "has been accused of violating U.S. privacy laws in five separate lawsuits filed during the past two months," with each case alleging the company "hangs onto customer information, such as credit card numbers and rental histories, long after subscribers cancel their membership." The lawsuits allege the company has violated the Video Privacy Protection Act. The most recent suit was filed last week by a Michigan resident. Each of the plaintiffs has filed suit in U.S. District Court, and the complaints are seeking class-action status.
Full Story

Analysts Weigh In on Privacy Bill of Rights (March 22, 2011)

E-Commerce Times reports on the reaction to calls for a "Consumer Privacy Bill of Rights" as baseline legislation to protect Internet users' privacy. As one analyst put it, "If a privacy bill passes and has some teeth, it's a good thing," adding, "The idea that there would be certain unalienable rights to your privacy is a good thing. Right now everybody and their brother is mining your personal information and making money off it but you." Meanwhile, Randall Rothenberg of the Interactive Advertising Bureau responded to an editorial in The New York Times by advocating for self-regulatory efforts and suggesting, "You are premature in calling for legislation when no need exists."
Full Story

GEO PRIVACY—U.S.

Bill Expected To See Wide Support (March 22, 2011)

CNET reports on Sen. Ron Wyden's (D-OR) bill that would provide privacy protections for geolocation information. Once introduced, the Geolocational Privacy and Surveillance Act (GPS Act) would seek to require law enforcement to obtain a warrant before accessing information related to a wireless device or GPS system, for example. The bill will likely gain "strong support" from Internet companies, civil libertarians and wireless carriers, "many of which have joined a coalition saying that location information should be accessed only with a warrant," the report states. The bill would require court evidence relating to location data be thrown out if procedures weren't followed and allows for civil lawsuits and damages in cases where location data is inappropriately accessed and used.
Full Story

ONLINE PRIVACY

Eye-Spy Your Retina’s Movements (March 22, 2011)

A Swedish company has unveiled a new system to track what users are viewing on a computer screen based on eye movement, San Jose Mercury News reports. Though eye-tracking technology has existed for some time now, it has primarily been used for academic and market research, for example, and has required people to wear special equipment. Tobii Technology plans to build eye-tracking--which beams low levels of infrared light into the user's eye and uses sensors to track the reflection of the light and gauge a user's point of focus--into the average computer. Still at the prototype development stage, the mainstream system is expected within a few years.
Full Story

PRIVACY LAW—FRANCE

CNIL Issues Record Fine Over WiFi Collection (March 21, 2011)
The CNIL, France's data privacy regulator, has issued a €100,000 fine against Google for the collection of personal information over unencrypted wireless networks by its Street View vehicles and has asked the company to delete all data collected. The Guardian reports that the fine represents the highest penalty levied by the CNIL since it obtained fining powers back in 2004. Google has repeatedly apologized for collecting the data. "As we have said before, we are profoundly sorry for having mistakenly collected payload data from unencrypted WiFi networks," said Google Privacy Counsel Peter Fleischer, adding, "Deleting the data has always been our priority, and we're happy the CNIL has given permission for us to do so."

ONLINE PRIVACY

Do Not Track: A Business Differentiator, for Now (March 21, 2011)

Mozilla's new version of Firefox, to launch this week, and Microsoft's updated Internet Explorer, launched last week, both contain do-not-track features allowing users to state their preference about how their online movements are used to serve them ads. The launches represent a critical step forward in the debate about digital privacy, writes James Temple for The San Francisco Chronicle. "Businesses must now choose which of two camps they want to fall into, those that respect consumer wishes and those that don't," he writes. The Federal Trade Commission is looking at enacting a requirement that companies comply with do not track, but to date, companies can choose whether to honor the user's request. Mounting political pressure may help with that initiative, writes Rob Pegoraro for The Washington Post.
Full Story

PRIVACY LAW—U.S.

Opinion: Online Privacy Legislation Needed (March 21, 2011)

"Considering how much information we entrust to the Internet every day, it is hard to believe there is no general law to protect people's privacy online." That's the message of an editorial in The New York Times that examines recent calls for federal privacy legislation to protect consumers with a "privacy bill of rights." Meanwhile, some experts are questioning exactly which federal body will become the "Internet police." Examining the push-and-pull around broad-based privacy legislation, the editorial looks at the various proposals coming forward, stating, "It is crucial that lawmakers get this right...Privacy protections are long overdue. We hope the swell of support will lead to significant legislation." (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY—AUSTRALIA

Experts Say New Opt-Out Guidelines Lack Teeth (March 21, 2011)

Starting today, new guidelines allow consumers to opt out of receiving targeted ads based on their online movements. But some experts say the new guidelines don't do enough to protect user privacy and are calling for more robust measures, The Sydney Morning Herald reports. Ten companies have thus far signed on to a code that introduces rules around the tracking of users and will now have six months to enact an opt-out mechanism that users can access at Web site youronlinechoice.com.au. A spokesman from Electronic Frontiers Australia said the new guidelines will actually do little to increase privacy and calls instead for a do-not-track mechanism. A government spokesperson said the new guidelines are the "start of an ongoing process."
Full Story

PRIVACY LAW—EU

Opinion: Should There Be a “Right To Be Forgotten?” (March 21, 2011)

While a report in Internet Evolution examines expert reactions to calls in the EU for a "right to be forgotten," an opinion piece in The Guardian suggests that such a right would mean "extreme withdrawal" from the world around us. In her column, Tessa Mayes writes that--despite EU Commissioner Viviane Reding's call for Internet users to have the right to withdraw consent and have their online data removed--"to say there should be a right to be forgotten is to say we can live outside society. We can't." Robert McGarvey, meanwhile, writes that expert opinions on whether the granting of such a right is a workable solution "are much less optimistic than you might hope."
Full Story

PRIVACY LAW—CHINA

Recent Regulations Aim to Protect Credit Cardholders (March 21, 2011)

The Hunton & Williams Privacy and Information Security Law Blog reports on new measures passed in January by the China Banking Regulatory Commission, the first regulations aimed at protecting credit card business in China and including provisions on personal information. The regulations prevent commercial banks from disclosing or using customer information for purposes other than the credit card transaction; require commercial banks to craft guidelines on marketing efforts, including that credit card application information is kept confidential except with the applicants' consent, and ensure that documents sent as communications to credit cardholders do not contain the full credit card number. Violations of such provisions could result in fines or criminal liability.
Full Story

DATA LOSS—UK

Data Breach? That’ll be £1.9M, Please (March 21, 2011)

The cost of an average data breach in the UK is now up to £1.9 million, BBC reports. The 2010 Annual Study: U.K. Cost of a Data Breach, from the Ponemon Institute and Symantec, indicates those costs come from such factors as "clearing up after breaches, loss of clients and rebuilding trust with customers." The study also shows that the cost of data breaches has risen every year for the past three years. "The biggest incident logged in the report cost the firm involved about £6.2m, a leap of £2.3m from the biggest incident in 2009," the report states. The study also found that system failure was the top reason for breaches.
Full Story

HEALTHCARE PRIVACY—DUBAI

Regulation Aims to Protect Patient Privacy (March 21, 2011)

Business Intelligence Middle East reports on regulations to protect patient healthcare privacy in Dubai as awareness of the importance of data protection and privacy issues increases in the Middle East. It's important that medical licensees "are aware of and comply with their obligations" under the 2008 regulation on patient privacy, the report states. The regulation applies to patient health information stored within and outside of Dubai Healthcare City. It requires that health data only be collected when necessary for a "lawful purpose;" that patients have rights to amend or delete their information under certain circumstances, and that data is only transferred to third parties--under prescribed circumstances--that are deemed to have adequate protections under the law.
Full Story

PRIVACY LAW—U.S.

Suit: Video Provider Violates Users’ Privacy (March 18, 2011)

A Virginia resident has filed suit in federal court against video rental company Netflix alleging a violation of the Video Privacy Protection Act. MediaPost reports that the lawsuit, which is seeking class-action status, alleges the company violated the act "by retaining data about users' movie rental history and recommendations." The suit contends that the company "purposefully retains confidential information regarding both payment and video viewing habits for millions of individuals--even after their subscriptions are canceled." The act prohibits video rental companies from sharing users' records without permission and, once those records are no longer needed, the act requires their destruction within one year.
Full Story

DATA LOSS

Security Product Company Suffers Hack (March 18, 2011)

A company that provides computer security products to a number of corporations and governments says it has suffered a sophisticated data breach that could potentially compromise those products, The New York Times reports. EMC Corporation's RSA Security Division, which sells multifactor authentication, posted an urgent message on its Web site alerting customers that it had suffered an "advanced persistent threat." An investigation revealed that "the intruder successfully stole digital information from the company that was related to RSA's SecurID two-factor authentication products," the report states, adding that it does not appear that the information has been used to attack customers, and the appropriate authorities have been notified. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Online Privacy a Focus for Many Legislators (March 18, 2011)

Like their counterparts in the Senate, legislators in the House are calling for control of plans to regulate Internet privacy, The Hill reports. In one of the most recent developments, House Energy and Commerce Trade Subcommittee Chair Mary Bono Mack (R-CA) has stated that the group "has the lead on privacy matters" and plans to tackle the issues this spring with particular focus on child protection. Meanwhile, Rep. Cliff Stearns (R-FL) has stated he is again working on privacy legislation as he has in past congressional sessions, noting he looks forward to working with Bono Mack on issues of online privacy regulation.

BEHAVIORAL TARGETING—UK

Yahoo Launches Consumer Info Icon (March 18, 2011)

As the European Commission works on new online privacy rules, Yahoo has launched its "Ad Choices" icon in the UK to show Internet users how their information is being used for behavioral targeting, Financial Times reports. Yahoo ads will now contain a clickable icon to inform users of data collected about them and to give them the choice to modify their preferences on targeted ads. "The idea of a visual symbol in and around every ad we show is to remind users that their information is being used" and of the controls they have over such data, said Justin Weiss, CIPP, international privacy director at Yahoo. (Registration may be required to access this story.)

ONLINE PRIVACY—U.S.

Opinion: Data Stewardship Regulations Needed (March 18, 2011)

In an opinion piece for PCWorld, Mark Sullivan writes of the importance of "data stewardship," urging responsible treatment of personal information "on the part of the social networks, ad networks and data brokers who use it to make money." Noting that the collection of personal data can have both positive and negative results, he writes, "I think we need a set of rules that talks about Web companies' stewardship responsibilities both today and into the future." He also calls for legislation--with "international reach...because the Internet knows no borders"--focusing on data stewardship by Web companies. Referencing forthcoming legislation from Sen. John Kerry (D-MA) and Sen. John McCain (R-AZ), he writes, "I hope they get it right, because the law will set the tone for the way sites...treat our personal information well into the future."

ONLINE PRIVACY

Tips for Data Mining Done Right (March 18, 2011)

PCWorld offers tips on how companies can mine customer data without intruding on privacy. The article suggests that companies post a whitepaper and have interested customers gain access by entering contact information; set up a company fan page on social networks and allow people to follow it; monitor Web site traffic using various services that capture such data; use the company's current mailing list to ask members which social networking sites they use the most, or buy a customized list from a database broker. Whatever the method, the report suggests, for example, that it's important for companies to follow the rules by not asking for more information from customers than needed and clearly stating opt-out options.

ONLINE PRIVACY—EU

Reding Outlines Four Pillars of New Rules (March 17, 2011)
Forthcoming amendments to the EU Data Protection Directive are needed to respond to new technologies allowing for automatic data collection "used by companies to better target individuals," Justice Commissioner Viviane Reding said during a speech in Brussels on Wednesday. The rules, to be finalized this summer and put in front of parliament, are to be based on four pillars: the right to be forgotten, transparency, privacy by default and data protection regardless of data location. Reding said third parties processing EU citizens' data outside of the EU should be held accountable to the same laws, v3.co.uk reports.

PRIVACY LAW—EU

MEPs: SWIFT Transfers Have Been “Rubber Stamped” (March 17, 2011)

The European Commission is due to publish its six-month review of the SWIFT agreement today. Members of the European Parliament have criticized the bank transfer data sharing deal between the European Union and the U.S., Sofia Echo reports. The SWIFT agreement allows the U.S. to access details of European bank transactions to be used in the effort to fight terrorism. Since the agreement took effect six months ago, the U.S. has made four data transfer requests to oversight body Europol that Civil Liberties Committee MEPs say have been "rubber stamped," citing that the requests were too general and abstract "to allow Europol to check whether they meet EU data protection standards."

PRIVACY LAW—U.S.

White House Backs Privacy Legislation (March 17, 2011)

The Obama Administration has called for comprehensive online privacy legislation. Alongside Federal Trade Commission Chairman Jon Leibowitz at a Senate Commerce Committee hearing on Wednesday, Department of Commerce Assistant Secretary Larry Strickling told lawmakers that "the administration now recommends congress enact legislation" to establish a privacy bill of rights; give the Federal Trade Commission associated enforcement authority, and "offer incentives to online companies that comply with the rules," The Hill reports. Sen. John Kerry (D-MA) indicated that he is working with Sen. John McCain (R-AZ) on a proposed bill of rights. "The status quo cannot stand," Kerry said in a statement. "We cannot continue to allow the collectors of people's information to dictate the level of privacy protection Americans get when they engage in commerce."

PRIVACY LAW—SWEDEN

Riksdag Delays Data Retention Vote (March 17, 2011)

The Riksdag on Wednesday postponed its vote on whether to implement the EU Data Retention Directive, The Local reports. "The Swedish government needs to act towards a renegotiation of the data retention directive in the EU while this case is postponed in Sweden," said Green Party member Marie Ferm. By implementing the directive, the nation's telecommunications carriers would be required to store citizens' data for at least six months so it could be used to aid law enforcement investigations and crime prevention. The decision to delay the vote could result in a several million kronor fine for the Swedish government.

HEALTHCARE PRIVACY

OCR Wants $5.6M for HIPAA, HITECH (March 17, 2011)

The Department of Health and Human Services' Office for Civil Rights (OCR) is taking its role as HIPAA and HITECH enforcer to new levels with recent enforcement actions, an upcoming educational tour and a request for an additional $5.6 million in its 2012 budget, mostly to adhere to and enforce HIPAA compliance, reports Health Leaders Media. With the additional funds, the OCR plans to fill requirements to investigate breaches, hire regional privacy officers and establish a compliance review program, among other initiatives. An OCR spokesperson said, "OCR's 2012 Budget Justification highlights that while our workload has increased, we are working smarter and more strategically to fortify our enforcement activities across the board."

IDENTITY THEFT—U.S.

Study: Consumers Care About but Don’t Act on Medical ID Theft (March 17, 2011)

A Ponemon Institute study released Tuesday suggests that while Americans care about keeping their medical information private, they are not taking steps to ensure its security. Of the nearly 1,700 respondents, 91 percent are unfamiliar with the concept of medical identity theft. And half of the respondents who have experienced medical identity theft did not report it to authorities, according to the findings. Larry Whiteside of Visiting Nurse Service of New York told SCMagazine that part of the problem is that people don't see a correlation between medical records and money. "It is difficult to understand that if your medical records are exposed, how someone could then begin stealing your money," he said.

PRIVACY LAW—U.S.

Administration: Privacy Bill of Rights Needed (March 16, 2011)
The Obama Administration is weighing in on the dialogue surrounding online privacy, and the consensus is that the time has come for baseline privacy legislation at the federal level. That was the focus at today's Senate Commerce Committee hearing on consumer privacy. The Department of Commerce "has concluded that the U.S. consumer data privacy framework will benefit from legislation to establish a clearer set of rules for the road for businesses and consumers," explained National Telecommunications and Information Administration Administrator Lawrence Strickling. This Daily Dashboard exclusive examines the testimony and reactions from legislators, industry and advocates at today's hearing paired with expert opinions on a U.S. "privacy bill of rights."

ONLINE PRIVACY—EU

Reding Calls for “Right To Be Forgotten” (March 16, 2011)

The European Commission's new rules for Internet user privacy should protect EU citizens no matter which country the data is stored in, said Justice Commissioner Viviane Reding. The Wall Street Journal reports that during a speech in Brussels today, Reding said the commission's proposed rules--expected to be finalized this summer--should provide citizens the "right to be forgotten...When modernizing the legislation, I want to explicitly clarify that people shall have the right--and not only the 'possibility'--to withdraw their consent to data processing," Reding said. She also called for harmonization of EU data protection rules and for the burden of proof that data collection is necessary to rest on data controllers, not Web users. (Registration may be required to access this story.)

ONLINE PRIVACY

E-Commerce Site Makes Changes After Users Complain (March 16, 2011)

As a result of privacy concerns voiced by a number of users, an e-commerce Web site has decided to stop publishing customers' purchase histories within user feedback posts. Etsy recently activated a "people search" tool allowing users to search for other users' names as a way to view purchases and recommendations. However, some users claimed they were not notified that their information would become public when they initially entered their full names on the Web site. Etsy has now disabled the feature and says it is considering further changes to protect buyer privacy, Ars Technica reports. In the future, the site may allow users to post purchases, but it would be "completely opt-in," executives said.

PERSONAL PRIVACY

The Changing Meaning of “Personal Data” (March 16, 2011)

William Baker and Anthony Matyjaszewski explore the changing meaning of "personal data" in this preview article for the upcoming April edition of the IAPP member newsletter, the Privacy Advisor. The article includes a compendium of definitions outlining how the term is defined within data protection laws worldwide.

SOCIAL NETWORKING

Study: Attitudes on Privacy Becoming Polarized (March 16, 2011)

According to a Ponemon Institute study, 58 percent of social network users feel their privacy is less important to them than it was five years ago, while 53 percent of non-users said it is more important, msnbc.com reports. Ponemon Institute Founder Larry Ponemon, CIPP, called the findings surprising, adding, "The fact is there's not a lot of complacency about privacy now. People are thinking about this." Privacy expert Alessandro Acquisti says one reason for the polarization may be that the more people use social networks, "the more costly it becomes for others (who aren't members) to be loyal to their views...That means some people's right to privacy is being rendered more difficult to protect precisely by the right of other people not to care about privacy."

HEALTHCARE PRIVACY—U.S.

Connecticut AG Looks Into Recent Breach (March 16, 2011)

As the Department of Health and Human Services' Office for Civil Rights prepares for its springtime road show to train state attorneys general on how to file a HIPAA federal civil lawsuit, Connecticut Attorney General George Jepsen is asking one health plan for details about a recent breach involving the data of 1.9 million enrollees, LegalNewsline.com reports. The California Department of Managed Health Care is also investigating the breach, which Health Net confirmed on Monday. In a letter, Jepsen asked the company to provide two years of credit monitoring services to those impacted.

From the Top Down: Administration Calls for Privacy Bill of Rights (March 16, 2011)

By Jennifer L. Saunders

The time has come for national privacy legislation.

That’s according to testimony prepared by National Telecommunications and Information Administration Administrator Lawrence Strickling for today’s Senate Commerce Committee hearing focused on online privacy that indicates the Obama Administration’s intent to pursue a privacy bill of rights for U.S. Internet users based on the Department of Commerce’s December report on Internet privacy.

As quoted in Tech Daily Dose, Strickling’s testimony notes, “Having carefully reviewed all stakeholder comments to the ‘green paper,’ the department has concluded that the U.S. consumer data privacy framework will benefit from legislation to establish a clearer set of rules for the road for businesses and consumers, while preserving the innovation and free flow of information that are hallmarks of the Internet.”

Strickling’s comments come in the wake of multiple reports of privacy bills coming forward in both the U.S. Senate and House of Representatives.

In advance of today’s hearing, Senate Commerce Committee Chairman John D. (Jay) Rockefeller IV announced it would effectively start the 112th Congress’ deliberations on the issue of consumer privacy.

Speaking before the committee, Strickling discussed the need to improve the protection of consumer data privacy in the rapidly evolving Internet economy, noting that trust is imperative for the stability and continued growth of the Internet.

The hope, he said, is to establish multi-stakeholder approaches based on fair information practice principles (FIPPs) with flexibility to address privacy issues as they arise, enforceable codes of conduct and strengthened enforcement powers for the FTC.

“The administration now recommends that congress enact legislation to provide a firm legal foundation” for enforceable codes of conduct that would be designed to be flexible and create greater interoperability with other countries’ privacy laws, he said, adding that consumer privacy “remains a top priority.”

FTC Chairman Jon D. Leibowitz voiced support for the idea of a privacy bill of rights, noting that the reaction to the FTC’s report on consumer privacy and call for a do-not-track mechanism for Internet users has resulted in a record 446 comments during the report’s review period.

Protecting data will only improve trust on the Internet, he said, telling the committee, “Stakeholders have responded very, very positively to our call for do not track.”

...

DATA LOSS—U.S.

Data on 1.9 Million Enrollees Missing (March 15, 2011)
A California watchdog agency is investigating a health plan's loss of multiple servers containing personal information for 1.9 million current and past enrollees, HealthLeaders Media reports. The information contained on the Health Net servers, which disappeared from a data center near Sacramento, includes names, addresses, health information, Social Security numbers and financial information. The plan is notifying enrollees potentially affected and is offering two years of free credit monitoring services, including identity theft insurance. Earlier this year, Health Net settled a data breach involving unencrypted data for $55,000 after claims that it failed to notify those affected until six months after the incident.

ONLINE PRIVACY

Microsoft Do-Not-Track Tool To Debut Tuesday (March 15, 2011)

Microsoft's newest version of Internet Explorer is set to release on Tuesday with a do-not-track tool to help Internet users "keep their online habits from being monitored." However, concerns persist as to whether self-regulatory approaches will work. The Wall Street Journal reports that Microsoft and Mozilla have adopted do not track in the wake of the Federal Trade Commission's recommendation for such tools, highlighting "the pressure the industry faces to provide people with a way to control how they are tracked and targeted online" with legislation being contemplated at the federal level. However, the report goes on to state, industry-based systems "will only work if tracking companies agree to respect visitors' requests," and to date, none have publicly agreed. (Registration may be required to access this story.)

PRIVACY LAW—SWEDEN

Opinion: Drop the Data Retention Directive (March 15, 2011)

The Swedish parliament will vote tomorrow on whether to implement the EU Data Retention Directive. In an op-ed for SvD, two Swedish parliamentarians say that a "yes" vote would be "contrary to the rule of law principles." Christian Engström and Camilla Lindberg say the directive is flawed, potentially illegal and would be cost-prohibitive to some companies. They also say that it would put the personal data of Swedes at risk. For tomorrow's vote, the "least one can demand is a minority planking, which postpones the decision one year," they write. "To rush forward with a 'yes' tomorrow would be directly frivolous."

PRIVACY LAW—U.S.

FTC Brings Enforcement After Deceptive Cookies Discovered (March 15, 2011)

The Federal Trade Commission has brought an enforcement action against an online ad network for tracking Web users after they'd opted out. From at least May 2008 to February 2010, Chitika's cookies resumed tracking users 10 days after they had opted out, MediaPost reports. Chitika says the cookies were meant to expire 10 years later, but a glitch caused the error. A settlement with the FTC requires Chitika to destroy any PII collected before the opt-out glitch was corrected and to include a hyperlink on each targeted ad allowing users to opt out for at least five years. Chitika says it has always placed a premium on user privacy and the agreement will help them continue to do so.

PERSONAL PRIVACY—U.S.

Agree To Be Monitored, Save on Car Insurance (March 15, 2011)

Car insurance company Progressive has launched a nationwide ad campaign for a program that offers lower insurance premiums to drivers who allow their driving to be monitored, USA TODAY reports. Drivers could save an average of $150 per year by installing a data recorder into their vehicle that would track how hard they brake, how far they drive and whether it's day or night driving, the report states. Privacy advocates are concerned about data use now and in the future as well as whether such programs could eventually become mandatory. Progressive says it doesn't monitor drivers' coordinates or speed and that it knows "privacy is a big issue for consumers."

ONLINE PRIVACY

Working On-The-Go Could Pose Privacy Threats (March 15, 2011)

The ability to take work on the road via laptops, tablets and smartphones enabled for WiFi access is convenient, but these mobile offices are vulnerable to data breaches, The New York Times reports. According to a report by Symantec and the Ponemon Institute, such breaches are becoming more expensive. From leaving laptops in hotel rooms to using public WiFi to sharing information on social networks, experts detail the myriad risks to personal and business data. Prof. Betsy Page Sigman of Georgetown's McDonough School of Business suggests, "You want to be overly cautious, especially if you are around a lot of competitors." (Registration may be required to access this story.)

ONLINE PRIVACY

A Look at the “Right To Be Forgotten” (March 15, 2011)

The ramifications of a "right to be forgotten" online are explored in an Internet Evolution feature that looks at the call on both sides of the Atlantic for online privacy protection and, more specifically, the push in the EU for a right to "erase your Internet tracks forever." The report references a recent post by Peter Fleischer, noting that "anyone who has considered codifying such a right into law hasn't thought through the implications." The report goes on to consider the historical and legal implications of removing, for example, the online footprints of criminals. Ron Miller writes that "whether you can delete the content is not really the point. The real question is: Should you? And if you do, does this amount to censorship?"

PERSONAL PRIVACY

Consumer Attitudes Explored (March 15, 2011)

In the first of a three-part series, msnbc.com technology correspondent Bob Sullivan talks to Larry Ponemon, CIPP, and Alessandro Acquisti about the large part of the population that claims to care about personal privacy yet does not make efforts to preserve it. Ponemon says people, as "part of a large herd...take a 'the lion is not going to attack antelope' mentality," while Acquisti says between attitude and behavior there are many steps, and "it's not obvious what you should do to protect your privacy." Both experts also point to a sense of helplessness, a belief that privacy is lost anyway, and if you want to function in society--get on a plane, use a social network--you have to surrender to it.

PRIVACY LAW—U.S.

FTC Announces Settlement (March 15, 2011)

The Federal Trade Commission (FTC) has announced that its settlement with Twitter over allegations that the site failed to safeguard user information has been finalized. PCMag reports that the settlement, first announced in 2010, found "Twitter deceived consumers and put their privacy at risk," and bans the social network from "misleading consumers about the extent to which it protects the security and privacy of non-public information" for the next 20 years. The settlement requires Twitter to establish a security program. In a statement, Twitter noted, "Even before the agreement, we'd implemented many of the FTC's suggestions and the agreement formalizes our commitment to those security practices."

PRIVACY LAW—U.S.

Suit Claims Data Sales Deprived Customers (March 15, 2011)

Walgreen Co is the target of a class-action lawsuit related to how the company profits from customers' prescription data. The suit claims that Walgreens deprives its customers of the "commercial value of their own prescription information," by selling it to data mining companies, Reuters reports. "We believe this information belongs to the patient who paid for the drug, not the pharmacy," said a lawyer for the plaintiffs. Last week, a Pennsylvania man filed suit against another drugstore chain for similar activities, but that suit alleges the activity violated the privacy of consumers.

PRIVACY LAW—U.S.

Senate Committees Stake Claims on Online Privacy (March 15, 2011)

The Hill reports that committee leaders are focused on who should be in charge of online privacy legislation in the U.S. Senate. Commerce Committee Chairman Jay Rockefeller (D-WV) and ranking member Kay Bailey Hutchison (R-TX) have written to the Judiciary Committee that their committee should be the home of online privacy legislation, the report states. The letter comes in the wake of last month's announcement by Judiciary Chairman Patrick Leahy (D-VT) on the creation of the Subcommittee on Privacy, Technology and Law, demonstrating "the growing importance of online privacy as a consumer and political issue that touches the lives of the majority of Americans," the report states.

BEHAVIORAL TARGETING—EU

Future of Online Display Hangs in the Balance (March 15, 2011)

Wired reports on the ePrivacy Directive amendment that requires Web publishers to obtain consent from users before placing cookies on their browsers and its impact on the future of display advertising. "The implications could be unpleasant for publishers," the report states. UK Information Commissioner Christopher Graham recently warned that "Industry needs to wake up and realize this isn't some kind of Brussels nightmare." While a recent Department of Culture, Media and Sport announcement and anticipated government support of pan-European self-regulatory efforts give some in the ad industry reason for calm, "the conflict between publishers and privacy advocates can only intensify," the report states. "In the balance hangs the future of online display."

HEALTHCARE PRIVACY—U.S.

State AGs to Get HIPAA Training (March 15, 2011)

The Department of Health and Human Services' Office for Civil Rights will take to the road this spring, traveling to four cities to offer state attorneys general training on how to file a HIPAA federal civil lawsuit, Gov Info Security reports. OCR will hold events in Dallas, Atlanta, Washington and San Francisco in order to help ensure "that state attorneys general will be better prepared to carry out their new authority under the HITECH Act in enforcing HIPAA," said OCR Deputy Director for Health Information Privacy Susan McAndrew. After the regional meetings, OCR will offer computer-based training.

PRIVACY LAW—U.S.

Opinion: REAL ID Backlashes Miss the Mark (March 15, 2011)

In Government Computer News, William Jackson writes that the REAL ID Act, which sets national requirements for state driver's licenses, "does not adequately provide for the security of sensitive data that it requires states to collect and share," and that issue should be addressed. However, he says, proposals such as those in New Hampshire and Oklahoma that ban radio frequency identification and biometric technologies used to implement the act "throw the baby out with the bathwater." Prohibiting these technologies is both unreasonable and unenforceable, Jackson opines. "It would make a lot more sense to focus on the real issues than on technophobic prohibitions that miss the point." 

PRIVACY LAW—EU & U.S.

Hustinx, Leibowitz Discuss Approaches to Consumer Privacy (March 11, 2011)

The National Journal reports on comments by EU Data Protection Supervisor Peter Hustinx and Federal Trade Commission (FTC) Chairman Jon Leibowitz at this week's IAPP Global Privacy Summit and whether common ground on privacy protection exists on both sides of the Atlantic. In light of the European Commission's work on revising its Data Protection Directive and the FTC's December report on protecting consumer privacy online, Leibowitz said, "I see more convergence than divergence." Hustinx, who said he was pleased to see the FTC's recognition that "status quo in the U.S. is not satisfactory," responded to a question about whether a federal privacy law could help the U.S. meet the EU's adequacy standard, stating, the "trend is moving in the right direction" but "whether this is adequate in a technical sense may not be so decisive."

PRIVACY LAW—U.S.

Class Action Filed Over E-mail Program (March 11, 2011)

MediaPost reports that a second lawsuit has been filed in U.S. District Court alleging privacy violations in Google's Gmail service. The complaint, which seeks class-action status, was filed by a Texas resident who contends that the company violated federal law by "scanning and capturing the contents of every e-mail sent and received through Google's Web-based e-mail program." While the company has not formally responded to the suit, its online privacy statement notes that the practice "is completely automated and involves no humans...Neither e-mail content nor any personal information is ever shared with other parties as a result of our ad-targeting process."

ONLINE PRIVACY—U.S.

Web Data Miners Strike it Rich (March 11, 2011)

In a feature for TIME Magazine, Joel Stein writes of the ways data-mining companies are able to amass rich stores of information about Web users. "I've gathered a bit of the vast amount of data that's being collected both online and off by companies in stealth--taken from the Web sites I look at, the stuff I buy, my Facebook photos, my warranty cards, my customer-reward cards, the songs I listen to online, surveys I was guilted into filling out and magazines I subscribe to," he writes. Stein details what he describes as a multibillion-dollar industry based on consumers' personal information and examines the push at the federal level for regulating the collection, storage and use of such data.

PRIVACY LAW—U.S.

Gordon: Is it Illegal To Access Applicants’ Social Networks? (March 11, 2011)

In a report for Workplace Privacy Counsel, Philip Gordon reviews a recent incident where the American Civil Liberties Union of Maryland called the Department of Public Safety and Correctional Services' practice of asking job applicants to disclose their social networking passwords to check for criminal activities illegal under federal and state law. Gordon points out that the laws apply to "unauthorized access to electronic communications stored at an electronic communications service provider," writing that, in this case, "the Maryland Corrections Department did not gain 'unauthorized' access to applicants' Facebook pages" since the passwords were provided. "Applicants are not 'forced' to provide authorization," he writes, as the department specifies that applicants may still be considered for employment if they refuse.

PRIVACY LAW—U.S.

Judge to Debt Collector: No Social Media (March 11, 2011)

A Florida debt collection agency has one less tool in its quiver for contacting debtors. The Sydney Morning Herald reports that a judge has ordered Mark One Financial LLC not to contact a debtor or her family or friends via Facebook. Attorney Billy Howard said in doing so, the company violated his client's privacy and a provision of the state's consumer protection law. He said that debt collectors are turning to social media increasingly to retrieve payments and, increasingly, debtors are looking for legal remedy. "It's the beginning of an epidemic," Howard said.

DATA LOSS—U.S.

Malware Infects UMass Health Services System (March 11, 2011)

A malware program infected a University of Massachusetts Amherst Health Services workstation from June through October of last year, possibly exposing personal data of some of its patients. The workstation contained patients' names, health insurance company names, medical record numbers and information on prescriptions dispensed from January 2 to November 17 of 2009, reports Becker's Hospital Review. The university's IT office found no evidence that any data had been copied from the workstation. UMass Amherst officials are notifying those affected and are working to improve the security of personal information by installing malware detection software, identifying files in all departments that contain personal data and increasing training for employees.

ONLINE PRIVACY

DPAs, Others Weigh “Right To Be Forgotten” (March 11, 2011)

Across borders, discussions are in full swing over the dichotomy between the Internet's inability to forget and the call for a "right to be forgotten." In a Forbes report, Kashmir Hill notes, for example, that just such a right "has been affirmed by the Spanish DPA," which recently called for Web sites to delete "inaccurate or out-of-date links" from searches. Meanwhile, Google Global Privacy Counsel Peter Fleischer writes, "More and more, privacy is being used to justify censorship. In a sense, privacy depends on keeping some things private, in other words, hidden, restricted or deleted. And in a world where ever more content is coming online, and where ever more content is findable and shareable, it's also natural that the privacy countermovement is gathering strength."

PRIVACY

CDT Receives 2011 IAPP Privacy Leadership Award (March 10, 2011)

The Center for Democracy and Technology has received the 2011 IAPP Privacy Leadership Award. The annual award recognizes a global leader in the field of privacy and data protection. Presenting the honor this morning at the IAPP Global Privacy Summit in Washington, DC, IAPP Board of Directors Treasurer Brendon Lynch, CIPP, said the CDT "is at the forefront of efforts to keep the Internet open, innovative and free. They have consistently been a leading voice for free expression and privacy in communications and have fostered practical and innovative solutions to public policy and civil liberties." CDT President Leslie Harris accepted the award on stage with CDT staff members Justin Brookman, Jim Dempsey and Erica Newland and CDT Board Chairman Deirdre Mulligan.
Full Story

HEALTHCARE PRIVACY—U.S.

Suit Filed Over Use of Rx Info (March 10, 2011)

CVS Caremark Corp. is being sued for allegedly using confidential information to promote pharmaceutical products, Bloomberg reports. A Pennsylvania resident and the Philadelphia Federation of Teachers Health and Welfare Fund filed the complaint earlier this week in a Philadelphia court. It alleges that the company "violated the privacy and rights of consumers by sending letters to customers' physicians that promoted specific medications," the report states. "While touted as an 'RxReview Program,'...in reality, the physician communications were nothing more than a profit-making opportunity," the complaint alleges. A spokeswoman for the company said, "CVS Caremark places a high priority on protecting the privacy of our customers and members."
Full Story

FINANCIAL PRIVACY—EU & U.S.

SWIFT Transfers in Spotlight (March 10, 2011)

Europol has approved requests to send citizens' banking data to the U.S. Department of Treasury "without sufficient consideration for data protection laws," PCWorld reports. That is according to the findings of an investigation by Europol's Joint Supervisory Body (JSB), which were made public yesterday by Germany's data protection authority. A JSB team of seven data protection experts conducted the investigation into transfers under the so-called SWIFT pact. It found that some of the transfers approved by Europol failed to meet a provision that the U.S. "clearly substantiate the necessity of the data" in combating terrorism.
Full Story

PRIVACY LAW—U.S.

Legislators Share Privacy Bill of Rights (March 10, 2011)

Senators John McCain (R-AZ) and John Kerry (D-MA) are the most recent federal legislators moving forward with plans for online privacy legislation. The Kerry-McCain proposal "would create the nation's first comprehensive privacy law, covering personal data gathering across all industries," The Wall Street Journal reports, with an "online privacy bill of rights...that would require companies to seek a person's permission to share data about him with outsiders" and would pertain to data ranging from names and addresses to identification numbers and biometrics. "It would also establish a program to certify companies with high privacy standards" that would be allowed special provisions for selling personal data, the report states. (Registration may be required to access this story.)
Full Story

DATA PROTECTION—EU & U.S.

Data Sharing Talks To Begin Soon (March 10, 2011)

The United States government and European Union are expected to begin negotiating a justice- and security-related data-sharing agreement soon, the European Voice reports. The European Parliament will have to approve whatever agreement may be reached. A working group comprised of officials from both governments has already been working towards certain resolutions in this area, but a U.S. official said, "We have a long way to go." The European Commission's director-general of justice, Françoise Le Bail, will serve as chief negotiator of the talks, which will begin in April. (Registration may be required to access this story.)
Full Story

SOCIAL NETWORKING—U.S.

Senators Ask Facebook To Protect PII (March 10, 2011)

The Hartford Courant reports on a letter by Democratic U.S. Senators Richard Blumenthal, Al Franken, Sheldon Whitehouse and Charles Schumer asking Facebook CEO Mark Zuckerberg to do more to protect users' privacy. They are specifically asking for changes to Facebook's "new plan to allow application developers to request what the lawmakers called 'sensitive personal information'--everything from the names of the user's family members to the bank they obtained their mortgage from," the report states. In the letter, the senators caution, "Anyone with ten minutes, $25 and a Facebook user's phone and address and no other information can obtain a breathtaking amount of information about that Facebook user."
Full Story

ONLINE PRIVACY—UK

Report: ICO’s Message Received (March 10, 2011)

Information Commissioner Christopher Graham is succeeding in his effort to make UK Web sites aware that they must prepare for implementation of the EU Privacy and Electronic Communications Directive on May 25. That's according to a BBC report on the directive's requirement that Web companies "will have to obtain the consent of users before installing cookies on their computers." The report suggests that there was a lack of awareness on the industry level prior to Graham's announcement this week and predicts "consumers will actually notice very little after 25 May, and the definition of consent will be pretty vague."
Full Story

PRIVACY LAW—U.S.

Senate Commerce Committee Hearing Scheduled (March 10, 2011)

The Senate Commerce Committee will take up the topic of online privacy during a hearing next week, The Hill reports. "I want to know if the privacy protections we have in place are enough, or whether Congress needs to step in and do more," said committee chairman Jay Rockefeller (D-WV), adding, "As chairman, I'm committed to doing everything I can to protect consumers' privacy." The hearing will take place in the Russell Senate Office Building on Wednesday, March 16, at 10 o'clock.
Full Story

PRIVACY LAW—U.S.

Man Faces Prison Time for Passport Viewing (March 10, 2011)

A Maryland man faces prison time and monetary penalties for viewing confidential passport records of well-known individuals, the San Francisco Chronicle reports. Former State Department contractor Mark Carter on Wednesday pleaded guilty to unauthorized computer access, the report states. He is one of several workers that the Justice Department has convicted for accessing such records inappropriately. Sentencing will take place on August 5. Carter faces "up to a year in prison and a $100,000 fine," according to the report.
Full Story

DATA PROTECTION—U.S.

University Breaches Show Need for Education (March 10, 2011)

Recent breaches at universities, while unrelated, underscore the need for educating employees on the dangers of misplacing organizational data, reports eWEEK. A security firm's CTO told eWEEK that employees need to learn to think about a lost computer as a corporate data breach, not just a lost computer. Another technology company official agreed that employee training is important but underscored that users need to be mindful of their privacy all the time, and not just as a "check-box item."
Full Story

ONLINE PRIVACY—UK

ICO Offers Guidance on Directive (March 9, 2011)
UK Information Commissioner Christopher Graham has reminded organizations to prepare for the EU Privacy and Electronic Communications Directive, which comes into effect on May 25. The directive will require users' consent before Web sites can use tracking cookies, the Financial Times reports, and Graham cautions that "businesses and organizations running Web sites in the UK must wake up to the fact that this is happening." The Department for Culture, Media and Sport is working on implementation of the directive, the report states. Graham noted the directive "will have positive benefits as it will give people more choice and control over what information businesses and other organizations can store on and access from consumers' own computers." (Registration may be required to access this story.)

ONLINE PRIVACY—U.S.

WSJ Poll: Is Your Personal Info for Sale? (March 9, 2011)

As part of its "What They Know" series on online tracking, The Wall Street Journal is asking readers to weigh in on the question of whether they view their personal information as a commodity worth selling to advertisers. In light of recent initiatives, including start-ups that focus on the data-as-currency model, the report states, "Much of what we do online gets tracked (and) several companies are eying our privacy as a commodity." Whether they favor fees in lieu of tracking, payments for information or even a "Privacy Bill of Rights" at the federal level, the report invites readers to take part in a poll asking, "Would you consider actively selling your personal information to advertisers?" (Registration may be required to access this story.)
Full Story

BEHAVIORAL TARGETING—U.S.

Vladeck: Congress is Watching (March 9, 2011)

Speaking at an industry event in Texas yesterday, FTC consumer protection bureau chief David Vladeck urged advertisers to adopt a do-not-track mechanism, the Austin American Statesman reports. Vladeck said the commission "doesn't want to block all data collection," the report states, but warned industry to take action. One agency executive said industry is paying attention to such calls "because no one wants legislation around this." Janice Suter of GSD&M said, "We want to self-regulate; we'll take it seriously, it just hasn't been done long enough to understand broadly what consumers, if they're going to opt out on a broad basis or not. It's really hard to tell at this point." (Editor's note: For those of you at the Privacy Summit this week, hear from FTC Chairman Jon Leibowitz and European Data Protection Supervisor Peter Hustinx in the session "Reopening of the EU Directive, Review of the U.S. Privacy Framework: Toward Greater Cooperation" on Thursday at 11:15.)
Full Story

PRIVACY LAW—MALAYSIA

Prime Minister: SMS to 4 Million Didn’t Violate Privacy (March 9, 2011)

The Sun Daily reports that Malaysian Prime Minister Datuk Seri Najib Abdul Razak says he did not violate people's personal privacy or the data protection law when he sent Chinese New Year messages to citizens. The four million messages were sent to three telecommunications companies for transmission, he said in response to inquiries. "The Prime Minister's Office has ensured that the principle of personal data protection was not compromised and the terms and conditions of the companies were fully respected," Najib said, adding that the prime minister had no access to any of the recipients' personal data.
Full Story

DATA LOSS—U.S.

Survey: Quick Responders Pay More for Breaches (March 9, 2011)

InformationWeek reports that the cost of a data breach for a U.S. company continues to rise, reaching $7.2 million in 2010, an increase of nine percent from the previous year. A Ponemon Institute study, published by Symantec, found that companies that responded to a breach rapidly paid more than companies that responded slowly. "Quick responders paid $268 per record, an increase of 22 percent from 2009, while organizations that took more time paid $174 per record, a decrease of 11 percent from 2009," the report states. Negligence topped the list of data loss causes.
Full Story

CONSUMER PRIVACY—U.S.

ID Theft Tops List of Consumer Complaints (March 9, 2011)

The Federal Trade Commission (FTC) yesterday released its list of the top consumer complaints for the year 2010, and identity theft tops the list for the 11th year in a row. According to an FTC press release, the commission received 250,854 complaints related to identity theft--19 percent of all of the complaints received. According to the Consumer Sentinel Network Data Book report, "government documents/benefit fraud" was the most common form of reported identity theft, and Florida is the state with the highest per capita rate of reported identity theft complaints. The category "Internet services" accounted for the third-highest number of complaints, with 65,565 reported to the FTC in 2010.
Full Story

DATA THEFT—FRANCE

French Ministry Documents Stolen (March 9, 2011)

The French Finance Ministry has confirmed that hackers infiltrated 170,000 of the agency's computers in December and stole data related to the G20, All Headline News reports. The attack involved Trojan horses and was discovered in January, according to French Budget Minister Francois Baroin. Officials are investigating.
Full Story

PRIVACY LAW—U.S.

Legislators Moving Forward with Privacy Bills (March 8, 2011)
MediaPost reports on moves by several legislators toward introducing privacy legislation at the federal level. Rep. Cliff Stearns (R-FL) has announced his intention to introduce privacy legislation that would, among other things, give the FTC the power to oversee industry self-regulation. Meanwhile, Rep. Jackie Speier (D-CA) has already submitted a proposal known as the Do Not Track Me Online Act; Rep. Bobby Rush (D-IL) has reintroduced a bill requiring advertisers to obtain Internet users' consent before tracking them online, and Rep. Ed Markey (D-MA) has also spoken of plans to submit online privacy legislation.

PRIVACY LAW—SPAIN

Parliament Reduces DPA’s Penalties (March 8, 2011)

The Spanish Data Protection Agency (DPA) is described as "one of the more enforcement-oriented DPAs in the EU," but parliament has modified its penalty structure to lower many fines, the Hogan Lovells Chronicle of Data Protection reports. The main modifications include warning businesses and giving them a set amount of time to resolve breaches before fines would be levied and changes in the level of infringement for certain transfers of personal data, the report states. The modifications were announced in the wake of Europe's highest court's review of the DPA's order that Google remove links to Web content due to privacy concerns.
Full Story

ONLINE PRIVACY—EU & UK

Report Forecasts Pros and Cons of the Cloud (March 8, 2011)

Experts have suggested that 75 percent of senior business leaders believe that privacy and security concerns are the key impediments to the adoption of cloud computing, the Financial Times reports in an analysis piece on the benefits and risks of cloud computing for entities in the UK and EU. With the European Commission anticipating introducing data protection reforms later this year, the report stresses that "to comply with EU personal data requirements, the data controller needs to ensure that the security standards are appropriate, having regard to the nature of the personal data, the state of technological development and the cost of implementing particular measures." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

RI Legislators Seek To Protect SSNs (March 8, 2011)

The Boston Globe reports on a push by two Rhode Island lawmakers to keep businesses from asking for the last four digits of customers' Social Security numbers (SSNs). The new legislation follows an existing state prohibition on recording full Social Security numbers on personal checks, the report states. Sen. Dominick J. Ruggerio (D-North Providence) and Rep. Brian Patrick Kennedy (D-Hopkinton) have introduced bills seeking to end a practice where businesses may record partial SSNs, noting an entire number can be determined from those few digits.
Full Story

DATA LOSS—U.S.

Company Fined for Improper Document Disposal (March 8, 2011)

WREX 13 News reports on the Office of the State of Illinois Director of Insurance's decision to fine an insurance company for its improper disposal of private insurance documents. MetLife must pay a fine of $75,000 and provide credit fraud protection for those customers who may have been affected when a former sales office discarded clients' personal documents in a dumpster without shredding them. The documents, which remained in the dumpster for up to four days, included such information as Social Security numbers, birth dates and account balances.
Full Story

BEHAVIORAL TARGETING—U.S.

Bureau To Enforce Self-Regulatory Program (March 8, 2011)

The Council of Better Business Bureaus plans to announce it will start enforcing its program to make online tracking more transparent and give consumers an easy way to opt out, The Wall Street Journal reports. In an effort to avoid government regulation, the council released self-regulatory principles in 2009 that require companies to "clearly explain how they track and use information about consumers' Web activities," the report states, including an icon that users can click on for information and to modify ad preferences. The council will employ 300,000 volunteers who will use software allowing them to view companies tracking their Web movements to be sure companies are complying. (Registration may be required to access this story.)
Full Story

DATA LOSS—U.S.

Student Data Losses for Three Institutions (March 8, 2011)

The State reports that the University of South Carolina has notified 31,000 current and former faculty, staff and students throughout its eight campuses about a breach that exposed their personal information--including Social Security numbers (SSNs). Meanwhile, at Missouri State University, the names and SSNs of 6,030 students of the College of Education were accidentally posted online and searchable through Google, reports SC Magazine. The university has worked with Google to remove the lists and is notifying those affected and offering them identity theft protection. In a separate incident, Channel 2 News reports that the Alaska Department of Education and Early Development is notifying students and parents that 89,000 students' personal information was being temporarily stored on an external hard drive that was stolen from its Juneau headquarters.
Full Story

PRIVACY LAW—U.S.

CA Zip Code Ruling Incites Flurry of Class Actions (March 7, 2011)
Privacy Advisor Exclusive
In the month's time since the California Supreme Court decided that zip codes are personal information, 106 class-action lawsuits have been filed. That's because the presiding justices ruled that the law would apply retroactively, putting every retailer that has collected zip codes during credit card transactions since the Beverly-Song Act of 1971 at risk for liability. In this Privacy Advisor exclusive, experts discuss the potential implications of the Pineda v. Williams-Sonoma decision. Among them, Linda Woolley of the Direct Marketing Association says the case is "very troubling" and has "great implications for what marketers do in terms of data collection," while Martin Abrams of the Center for Information Policy Leadership at Hunton & Williams says the court's decision is the "wrong approach."

PRIVACY LAW—U.S.

Stearns: Bill Will Give Consumers More Control (March 7, 2011)

Rep. Cliff Stearns (R-FL) has announced that he will soon introduce online privacy legislation focused on giving Web users information and control over what data Internet companies collect about them. PCWorld reports on the forthcoming legislation, referencing comments by Stearns that while it is aimed at encouraging industry to develop privacy standards, it will also provide the Federal Trade Commission with enforcement power. When it comes to the balance between Internet business and consumer privacy, Stearns said, "We are at a tipping point where we have to come to grips with the information that's being collected."
Full Story

SOCIAL NETWORKING—CANADA

Commissioner Launches NDP Investigation (March 7, 2011)

BC Information and Privacy Commissioner Elizabeth Denham has launched an investigation to determine whether the New Democratic Party is violating privacy laws by requiring leadership candidates to supply passwords to their social networking sites, the Canadian Press reports. Since such profiles are a combination of public and private information, "At first blush, I think the idea of a political candidate having their full social media profiles examined and vetted appears to be problematic from a privacy perspective," Denham said. She said the law limits information that private entities can collect to that which is "reasonable, relevant, accurate and effective for whatever purpose it's being collected," the report states.
Full Story

DATA PROTECTION—LATVIA

DPA Suspends Electronic Tax Service (March 7, 2011)

Latvia's data protection inspectorate has suspended the State Revenue Service's tax return service due to privacy concerns, Baltic Business News reports. The inspectorate ordered a halt to the Electronic Declaration System due to the fact that "users who happen to know another person's identity number can find out that person's name, surname, address and other personal data," the report states. The system will remain suspended until the revenue authority finds a way to control access.
Full Story

PRIVACY LAW—SPAIN

Medical Malpractice Case at Heart of Legal Debate (March 7, 2011)

A plastic surgeon who was cleared of wrongdoing in a criminal medical malpractice case 20 years ago is at the heart of a legal debate in a Spanish court, The Wall Street Journal reports. The case involves the Spanish data protection authority's request for Google to remove from its search results links that go to a 1991 newspaper article about the surgeon's troubles. Google is contesting the request, saying that to do so would be censorship. But "Spain has always taken an extremely strong line over privacy," says a Barcelona lawyer, and now the European Court of Justice may become involved. (Registration may be required to access this story.)
Full Story

BEHAVIORAL TARGETING—U.S.

Cable, Satellite Test Targeted TV Ads (March 7, 2011)

As cable and satellite providers test systems to target ads to specific households, The Wall Street Journal reports that data gatherers are compiling information on what viewers are watching with such personal data as prescription records to "emulate the sophisticated tracking widely used on people's personal computers with new technology that reaches the living room." However, some industry executives are raising privacy concerns, pointing to the push to regulate online tracking. Others say TV targeting is less intrusive, as it involves outside companies providing aggregated data without PII. The founder of one such company says they do not know who is sitting in front of any given TV, noting, "We don't want to look in the window. It is a little spooky." (Registration may be required to access this story.)
Full Story

DATA LOSS—U.S.

Blood Bank Loses Data on 300K (March 7, 2011)

Cord Blood Registry (CBR), the world's largest stem cell bank, has notified about 300,000 people that their data may have been exposed when storage tapes and a laptop were stolen from an employee's locked car last December, reports Network World. According to CBR's director of corporate communications, the tapes may have contained credit card numbers, driver's license numbers or Social Security numbers but no medical information. CBR sent letters to affected people dated February 14 offering a year of free credit monitoring and assurances of better security practices in the future, but some are questioning why it took so long for them to notify people and why the data was not better protected.
Full Story

DATA LOSS—U.S.

BCBS of Florida Mails Forms to Wrong Addresses (March 7, 2011)

Blue Cross and Blue Shield of Florida (BCBSF) has alerted about 7,400 of its members that for three months it has been mailing explanation of benefits forms to old addresses. The Sacramento Bee reports that the error occurred when BCBSF converted to a new source of customer mailing address information. According to BCBSF, no Social Security numbers, dates of birth or financial information was exposed. The company has corrected the problem and notified all affected customers.
Full Story

PRIVACY LAW—U.S.

Expert Examines Speier Bill (March 7, 2011)

Last week's Privacy Tracker audio conference featured insights on key legislative and enforcement actions. Amazon State Public Policy Director Braden Cox offered analysis and predictions of a new online tracking bill introduced by Rep. Jackie Speier (D-CA). Even in light of recent efforts by Web browsers to create such opt-out mechanisms for their users, "There are those in the privacy advocacy community that are saying there is nothing in law that requires companies to respect the choices of consumers." The call also included analysis of the Department of Health and Human Services' recent HIPAA fines and settlements. The next Privacy Tracker audio conference is scheduled for April 7. Privacy Tracker subscribers may access recorded audio here. (Login is required to access this story.)
Full Story

Tracking Users’ Web Footprints (March 7, 2011)

A feature in The New York Times explores Web sites that track users' browser history for public viewing, questioning whether individuals will choose to share such information, which can range from visits to online dating and banking sites to exploring medical conditions, and pointing to the assurances site developers are making about privacy. "At all of these tracking sites, developers say they take privacy very seriously," Austin Considine writes in the report, adding, "their success will ultimately be predicated on trust." The developers point to such safeguards as not sharing secure links and providing options for disabling tracking. The founder of one such site suggests they make users more aware of online privacy, noting, "If we're not following you, no matter what, somebody else is." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Opinion: Voice for Privacy on the Supreme Court (March 7, 2011)

In an opinion piece for The Washington Post, Jeffrey Rosen describes the emergence of U.S. Supreme Court Justice Samuel Alito "as a stalwart defender of privacy, particularly in cases with strong free speech interests on the other side. He cares more about the government's ability to protect a range of privacy values--including dignity, anonymity and community standards of decency--than anyone else on the court." Rosen references several recent cases where Alito took a pro-privacy stand and looks ahead to "more cases this year in which Alito appears ready to favor privacy and community standards of decency over free speech"--including the challenge to a Vermont consumer privacy law being brought by pharmaceutical companies. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Suit: Company Flouted Privacy Settings (March 4, 2011)
A class-action lawsuit is alleging that Amazon.com "fraudulently circumvents users' Web-browser privacy settings to collect personal information without permission and share it with other companies," the Seattle Post-Intelligencer reports. The suit, filed Wednesday in U.S. District Court in Seattle, alleges the site used code to convince a Web browser that its privacy policy aligned with users' privacy settings when, instead, it would "collect users' personal information even if they have set their browser to block it." The class-action, which represents anyone who accessed Amazon using specific Internet Explorer versions with privacy protection settings in place, contends the site "shares users' PII with third parties for those third parties' independent use and does not disclose this fact to consumers."

PRIVACY LAW—GERMANY

Germany Adopts Telecom Breach Notification Requirements (March 4, 2011)

The German government has adopted a draft law that revises the German Telecommunications Act to include breach notification requirements for telecommunications companies, reports the Hunton & Williams Privacy and Information Security Law Blog. The law brings Germany into alignment with the European e-Privacy Directive. Under the draft law, telecommunications companies are required to notify the federal data protection commissioner and the federal network agency about data breaches. The law also includes provisions requiring "providers of location-based telecommunications services to send text messages informing users whenever their mobile devices are being tracked on location," according to the report.
Full Story

GEO PRIVACY—CHINA

Mobile Phone Tracking Proposal Approved (March 4, 2011)

An expert panel has approved plans to collect real-time location data on 17 million China Mobile subscribers to help resolve Beijing's traffic problems, reports FutureGov. Under the program, phones' locations will be registered with base stations then collected, aggregated and reviewed by transportation officers and city planners. The first phase of the Beijing Real-Time Travel Information Platform is expected to roll out in June. Once the program is up and running, the government plans to send the aggregated data back to citizens to help them make smart travel decisions. While the deputy director of social development said the data would only be used for traffic control--and mobile users' privacy would be protected--the panel that approved the plan recommended linking the platform with city-management efforts in other government departments.
Full Story

BEHAVIORAL TARGETING

Fingerprinting To Supplant Cookies? (March 4, 2011)

Several startups are experimenting with tracking technologies that could supplant cookies as behavioral targeting mechanisms, ClickZ reports. Device fingerprinting operates by tracking mobile phones, PCs, TVs and cars using unique identifiers. Based on the device's properties and settings, fingerprinting allows advertisers to link to and track the device and transmit messages based on activity. It's easier to opt out of fingerprint tracking than cookies, developers say; because the device's fingerprint lasts as long as the device itself, opting-out must only happen once. In addition, the developers say, the new technology already complies with do-not-track principles because users can "opt out of both tracking and targeting independently."
Full Story

HEALTHCARE PRIVACY—U.S.

Health System Installs Data Protection Technology (March 4, 2011)

New Jersey's Saint Barnabas Health Care System is rolling out a "major data loss prevention initiative that will enforce new content-control restrictions" on more than 10,000 computers used by the system's staff, Network World reports. Software installed on each computer will enable policies on what kind of data they collect or what they e-mail, according to a spokesman for the healthcare system, and will be capable of recognizing what is patient information and what is "just a medical document," he said.
Full Story

PERSONAL PRIVACY—U.S.

DHS: No Plans for Increased Body Scans (March 4, 2011)

The Department of Homeland Security (DHS) says it does not plan to implement more body scanning technologies. Computerworld reported yesterday on an Electronic Privacy Information Center (EPIC) Freedom of Information Act request indicating that the U.S. government has signed contracts for the development of new scanning technologies, such as pedestrian surveillance technologies capable of detecting explosive devices concealed under clothing. But USA TODAY reports that the DHS says any plans for the projects were dropped after preliminary testing determined flaws.
Full Story

PRIVACY LAW—EU

Tene: EU Consultation Requires Innovation (March 3, 2011)
Writing for the CDT Fellows Focus series, Omer Tene discusses the European Commission's plans to update the EU Data Protection Directive. In light of "the scope and pace of technological innovation over the past 40 years and its massive impact on the collection, storage and use of personal information," he writes, "it seems that an innovative mindset is needed to overcome some of the shortcomings of the current framework." He examines the directive's overall structure as well as the implications of regulation in multiple jurisdictions, lack of enforcement and the "challenging issue of consent." Going forward, he writes, the definition of personal data "will remain an amorphous notion, consent a treacherous concept and enforcement problematic."

GEO PRIVACY—GERMANY

Industry Submits Code of Practice for Online Maps (March 3, 2011)

Germany's digital industry has submitted a voluntary code of privacy to the government in response to public concerns over services like Google's Street View that publish images of residences online, Monsters and Critics reports. The draft code of practice, submitted by a federation representing the industry, would establish a Web site disclosing information collected about German towns, explain how Germans can file objections to data gathering and offer links for complaints, the report states. Interior Minister Thomas de Maizière, who received the industry's code, called it "a sign of greater transparency by German businesses and international corporations."

PRIVACY—UK

ICO, Advocates Concerned About Increasing Commissioners (March 3, 2011)

The information commissioner says government plans to create two new privacy commissioner posts could result in conflicts and regulatory overlaps, OUT-LAW.com reports. The Protection of Freedoms Bill would establish commissioners to govern the use of CCTV and biometrics, expanding the number of commissioners from three to five. But Commissioner Christopher Graham says each authority's role must be clearly defined or "commissioners may adopt differing interpretive approaches and guidance on each others' statutory provisions." An alliance of advocacy groups is calling for a single privacy authority, stating that more commissioners "will not necessarily lead to greater protection for the public" and that a single authority is "the only way of providing meaningful oversight of freedom and privacy..."

PRIVACY LAW—U.S.

Multitude of Privacy Bills Makes Action Likely (March 3, 2011)

The Hogan Lovells Chronicle of Data Protection reports on the multitude of bills introduced on Capitol Hill that aim to protect online privacy. Sen. John Kerry (D-MA) is expected to introduce comprehensive legislation about online data collection; Rep. Jackie Speier (D-CA) has introduced two bills addressing online tracking and financial institutions' information sharing with third parties; the Best Practices Act would require opt-in consent for third-party information disclosures, and Rep. Steve Cohen (D-TN) recently introduced legislation preventing potential employers from obtaining credit reports for employment purposes. "Given the amount of attention privacy is receiving in the media...all it will take is a major privacy incident to spur the lawmakers to action," the report states.

ONLINE PRIVACY—EU & UK

Consumer Group: Cookie Concerns Continue (March 3, 2011)

An investigation by the consumer group Which? that points to the difficulty Internet users have managing local shared objects--more commonly known as Flash cookies--is sparking a push for stricter online legislation. The Guardian reports on the difficulties of removing local shared objects from hard drives and features comments by Sarah Kidner of Which?, who suggests, "If such practices are happening without the user's knowledge, it is pretty serious and could be in contravention of data protection law." A member of the group's legal counsel says that "as the online behavioral advertising industry innovates to collect ever more data," both the UK Information Commissioner's Office and the EU need to address such technologies.

PRIVACY LAW—U.S.

Drug Database Passed in South Carolina (March 3, 2011)

South Carolina has joined nine other states in passing a law to adopt a national database for tracking the sale of pseudoephedrine, which can be used to make methamphetamines, reports The Sun News. While pharmacies throughout the state have been recording purchases, National Precursor Log Exchange (NPLex) allows states to share information. Privacy advocacy groups are not "watching NPLex," says the report, but when "personal information is collected into a database, there is always a chance of some secondary use," said Tena Friery of Privacy Rights Clearinghouse. Meanwhile, an Arkansas Senate panel is backing legislation to create a statewide database for tracking some prescription drug purchases.

DATA PROTECTION—UK

Cloud Provider: Legislation Required for Cloud Success (March 3, 2011)

"Legislation is an impediment" to the UK government's G-Cloud initiative, say officials from Lockheed Martin, the largest provider of cloud services to the U.S. government. In the UK and Europe, data privacy laws prevent the movement of data outside the jurisdiction, Computing reports, which is "the antithesis of cloud computing's concept." For the cloud to succeed, privacy and confidentiality legislation will need to change, the report states. "Governments should all be updating their laws if they aren't already," said Melvin Greer, chief strategist for Lockheed Martin, adding that the UK government and the G-Cloud initiative "will have to deal with the concept of having a secure infrastructure..."

BEHAVIORAL TARGETING

Study: Data Anonymity Changes Internet Users' Minds (March 3, 2011)

MediaPost reports on a PubMatic study that asked about 500 Internet users how they feel about advertisers tracking their online activities. The study found that the anonymity of the data and how the data is used matters to respondents. Once respondents understood that only anonymous data was used for ad targeting, 40 percent changed their response from disapproving of the practice to approving of it. PubMatic's vice president of marketing said, "Everyone knows the user's privacy is paramount and that we provide a service to them. Understanding the how and the why changes everything."

HEALTHCARE PRIVACY—U.S.

Opinion: The High Cost of Ignoring Privacy (March 3, 2011)

In a FierceCIO editorial, Caron Carlson points to the U.S. Department of Health and Human Services' $4.3 million fine against Cignet for HIPAA privacy violations and a Massachusetts General Hospital $1 million settlement in a HIPAA privacy case as indicative of the high costs of not adhering to privacy regulations. "Not only is the government pursuing enforcement, but it is going to come down particularly hard on organizations that don't take it seriously," she writes. Stressing that the recent fines should prompt healthcare providers to take privacy more seriously, she notes that data breach headlines are "not the kind of publicity the industry needs." Editor's note: Today's Privacy Tracker audio conference features an analysis of the recent HHS fine actions and insight on a new healthcare bill introduced in the state of Texas. Subscribers may access the recorded audio on the Privacy Tracker Web site.

PRIVACY LAW—U.S.

Court Determines Corporations Are Not Persons (March 2, 2011)
The U.S. Supreme Court has ruled that the term "personal privacy" does not extend to corporations. Forbes reports on the 8-0 decision in FCC v. AT&T, which was prompted by an appellate court decision to extend a Freedom of Information Act exemption prohibiting the release of information that causes "unwarranted invasion of personal privacy" to corporations. In his opinion, Chief Justice John G. Roberts Jr. wrote, "We do not usually speak of personal characteristics, personal effects, personal correspondence, personal influence or personal tragedy as referring to corporations or other artificial entities. In fact, we often use the word 'personal' to mean precisely the opposite of business-related..."

HEALTHCARE PRIVACY—U.S.

OMB Reviews HIPAA Rule Change (March 2, 2011)

Info Security reports on the Office of Management and Budget's review of a Health and Human Services (HHS) proposal to extend the HIPAA privacy rule's requirements to "include disclosures during the previous three years for treatment, payment and healthcare operations (TPO) if a healthcare provider uses an electronic health records (EHR) system." The Medical Group Management Association is raising concerns about the plan, writing to HHS that the stipulation "that the TPO accounting is only required for those physician practices that have adopted an EHR suggests that the government believes TPO disclosures would be collected and stored on this one clinical system. This is simply not the case."

PRIVACY LAW—IRELAND

Notification Requirements Didn’t Make Deadline (March 2, 2011)

Data Protection Commissioner Billy Hawkes says a new code of practice that would have forced data breach notification cannot be enforced because it was not put in front of parliament before the last session's dissolution, reports The Irish Times. Hawkes said at a recent Irish Computer Society event that though he approved the code last year, it "does not have the force of law because the final step to give it such force was never taken," the report states. Hawkes said, "the code of practice that exists now is not legally binding--it's just strong recommendations." He added that he would like to see penalties put in place to "complement" notification requirements.

DATA RETENTION—FRANCE

Decree Mandates Yearlong Data Retention (March 2, 2011)

Internet service providers, video sites and other Web sites will be required to retain certain personal data on users for one year after account closure, according to a decree published in the official gazette, Telecompaper reports. "Decree 2011-219 states that information provided upon contract subscription or account creation...must be kept," the report states. Such information may include names, postal addresses, pseudonyms, phone numbers and passwords. "Web sites will also have to keep for one year after any content is published the user name, type of protocol used, nature, date and time of the operation," according to the report.

HEALTHCARE PRIVACY—U.S.

Study: HIPAA Laws May Have Borders, Ethics Don’t (March 2, 2011)

It is a breach of ethics to post pictures of medical patients receiving treatment outside of the U.S., even if HIPAA laws don't extend that far. That's according to researchers in a recent Journal of Medical Internet Research study, who looked at 1,023 medical students' Facebook pages and found 12 photos of patients being treated in developing countries, HealthLeaders Media reports. In the U.S., patients agree to be photographed after signing consent forms. But in developing countries, patients may feel that by signing such a form, they have a better chance at receiving care, says one of the study's authors. "Use your moral and ethical compass," she tells practitioners. "What if this was your child?"

PRIVACY

HBGary Federal CEO Resigns After Hack (March 2, 2011)

Three weeks after the "hacktivist" group Anonymous breached HBGary Federal's servers, the company's CEO has resigned. Aaron Barr said he's leaving in order to rebuild his reputation and hopes that with his departure, HBGary will be able to repair its own, reports eWeek. Anonymous publicized thousands of company e-mails--exposing some objectionable tactics--and deleted gigabytes of company research after Barr told the Financial Times he would expose some of the organization's leaders at an upcoming security conference. HBGary, which provides security services to the federal government, was found to have basic network vulnerabilities, such as unpatched servers and simple passwords used across multiple systems, allowing Anonymous to use "standard, widely known techniques to compromise a system, collect information and use the collected data to compromise additional systems," the report states.

PRIVACY LAW—U.S.

ZIP Code Decision in Detail (March 2, 2011)

The California Supreme Court recently ruled that merchants may not collect ZIP Codes from credit card customers. The decision is expected to have a significant effect on California's retail industry, as "retail stores routinely ask customers for their ZIP codes for both marketing and regional sales forecast," says Scott Koller, CIPP, of McKennon Schindler. Koller discusses the decision and outlines the case that provoked it in a preview article for the upcoming April edition of the IAPP member newsletter, the Privacy Advisor.

PRIVACY LAW—INDIA

Chairman: Unique ID Doesn’t Jeopardize Privacy (March 2, 2011)

The project that will give each Indian citizen a unique identifier will not put people's security and privacy rights at risk, says the Unique Identification Authority of India's chairman. Nandan Nilekani said in a recent lecture that the number will be used to identify people for bank loans and other systems, reports The Economic Times. Nilekani said the government is looking to enact a data security law to "iron out any privacy issues," but added that third parties would not have access to the project's database and that the information associated with the unique 12-digit number will be limited.

DATA LOSS—U.S.

Health System Flash Drive Lost (March 2, 2011)

The Henry Ford Health System reported that an unencrypted flash drive containing patient data was lost on January 31, reports the Detroit Free Press. The drive contained names, medical records and test information--including results--of 2,777 patients tested for urinary tract infections between July and October of last year. The hospital is investigating the breach but is unsure of how the flash drive was lost. Last September, an unsecured laptop was stolen from an unlocked office at the hospital, exposing 3,700 patients' data. In a statement, the hospital said there's no evidence the data has been misused, and the report states that employees involved in a breach such as this may be suspended or terminated.

ONLINE PRIVACY

Facebook Gives its Privacy Policy a Facelift (March 2, 2011)

On Friday, Facebook asked users of the site to look at and comment on a newly formatted privacy policy aimed at making the policy easier for users to understand, reports The New York Times. The policy itself hasn't changed, though the company says the new format resulted in more complete explanations of some of its policies. Facebook has incorporated elements such as FAQs and visuals and included privacy policy information in its help center. The facelift comes after waves of criticism over the site's user privacy controls and transparency as to how users' information is being used and shared. If users approve of the new format, it will move to a standard notice and comment process for policy changes, the report states. (Registration may be required to access this story.)

PRIVACY LAW—U.S.

Supreme Court: Businesses Do Not Have Personal Privacy Rights (March 1, 2011)
Corporations do not have personal privacy rights when it comes to the disclosure of federal records. That's according to a U.S. Supreme Court ruling issued today, Reuters reports. The case was brought forward after an Appeals Court ruling that found an exception in the federal Freedom of Information Act where the U.S. Congress defined a "person" to include "an individual, partnership, corporation, association or public or private organization." In today's ruling, the justices unanimously overturned the prior court's finding that "corporations can assert personal privacy in claiming the records should be exempt from disclosure," the report states.

PRIVACY LAW—EU

Europe’s Top Court To Hear Google Case (March 1, 2011)

The European Court of Justice (ECJ) will consider the Spanish Data Protection Authority's demands for Google to remove from search results the links to Web sites that contain certain information about citizens. The ECJ will "offer guidance on whether Spain's demands comply with European law," The Guardian reports. A Google official said the company is pleased that Europe's top court will review the issue. "It shows that key issues are at stake," said Google's head of European external relations. "We believe that European law rightly holds the publisher of material responsible for its content."

PRIVACY LAW—GERMANY

Regulators Seek Stronger IP Address Protection (March 1, 2011)

German data regulators are considering making it illegal for Web companies to provide their visitors' IP addresses to third parties without their users' permission, The Register reports. The Lower Saxony DPA has already moved in that direction, with Data Protection Commissioner Joachim Wahlbrink recommending that users' permission be in place before IP addresses can be passed on to advertisers. Germany's revised law only allows the use of personal information for marketing "if the individual has expressly consented to such use." The Lower Saxony DPA's order to one online marketer to remove an ad tool feature may result in a lawsuit from the company, the report states.

PRIVACY LAW—U.S.

Swire: Can Gov’t Balance Privacy, Freedom of Association? (March 1, 2011)

In a report for the Center for American Progress, Ohio State University Prof. Peter Swire, CIPP, explores "the tension between information sharing, which can promote the freedom of association, and limits on information sharing, notably for privacy protection." Exploring the interaction between these two rights in a time when, as he points out, online connections allow individuals to use data in ways that only large organizations could in the past, Swire writes, "This means that rules about information flows involve individual rights on both sides, so advocates for either sort of right need to address how to take account of the opposing right."

ONLINE PRIVACY—U.S.

Executive: Industry, Police Yourself (March 1, 2011)

Speaking at an Interactive Advertising Bureau (IAB) event, Microsoft's Rik van der Kooi recommended that industry move to address privacy issues centered on online tracking, The Wall Street Journal reports. Consumers have been left out of the discussion in what he described as "the digital equivalent of Don't Ask Don't Tell," resulting in an erosion of users' trust of the Internet. He went on to say that industry is at a crossroads and must establish frameworks to manage consumer data or face government regulation. "The key thing is that we act before others act on our behalf," he said. "We will have to move from privacy to data as an asset." (Registration may be required to access this story.)

DATA RETENTION—INDIA

Data Retention Law Sought (March 1, 2011)

The Times of India reports on a push by the home ministry to have the Department of Telecom (DoT) require ISPs and mobile phone companies to retain customer information--including text messages, e-mails and call records--for at least one year. In addition to such information as e-mail senders, subject and recipients, the ministry is also seeking login details and the amount of time spent online to address "security challenges and to keep pace with the rapidly changing Internet technologies, protocols and different types of services being used by adversaries," the report states. The ministry is also seeking social networking information, but online companies have said they have not yet been made aware of the potential changes.

DATA PROTECTION—CANADA

Government Orders Grinding Machine for Data Purge (March 1, 2011)

The Canadian Press reports on the federal government's order for a large-scale grinding machine that will destroy data that's been stored on discarded media to be sure that it's "reliably overwritten." Privacy Commissioner Jennifer Stoddart reported last year that three government agencies had been discarding old cell phones at the Public Works Department without purging the data first. The Royal Canadian Mounted Police and Communications Security Establishment both issue guidelines on destruction of government data, however. A public works spokesman said that besides ensuring the data will be permanently destroyed, the onsite grinder will keep data from being "transported off-premises, which also reduces the risks of unauthorized disclosure."

PRIVACY LAW—U.S.

Customer Sues Game Retailer for PII Collection (March 1, 2011)

A California resident has filed a class-action lawsuit against a game retailer for allegedly "requesting and recording personal information from its customers without their knowledge or consent," IGN reports. Melissa Arechiga filed the suit last week on behalf of all customers who made a purchase within the last year at a GameStop location that allegedly collected her name, credit card number and personally identifiable information (PII). The suit claims that the store made no attempt to delete the information from the electronic cash register after the credit card number was recorded, which violates a California law prohibiting corporations from requesting credit card customers to provide and record PII, the report states.

SOCIAL NETWORKING

Facebook to Redeploy Sharing Feature (March 1, 2011)

As Facebook plans to reactivate a feature that would allow third-party applications to request contact information from users, Rep. Ed Markey (D-MA) says he is not satisfied with the company's response to his inquiry about such features, CNET News reports. After Markey and Rep. Joe Barton (R-TX) last month wrote to the company about privacy concerns, Facebook suspended the feature temporarily. It now says it will redeploy the feature alongside enhanced "user controls." Responding to Markey's concerns about third-party access to minors' contact information, a Facebook spokesman said children under 13 are prohibited from using the site and that it is "actively considering" whether third parties may request information from anyone under 18.

TRAVELERS’ PRIVACY—U.S.

DHS: Body Scanners Do Not Store, Transmit Images (March 1, 2011)

The Transportation Security Administration recently announced that it would deploy less privacy-invasive scanners at U.S. airports for tests this year. The announcement followed concerns voiced by advocates and passengers about whether the machines could store images, who had access to them and how they would be used. Lawmakers have recently introduced legislation making it a federal crime to misuse body scan images, punishable by up to one year in prison and a $100,000 fine. In this Privacy Advisor exclusive, the Department of Homeland Security discusses its privacy safeguards, and IAPP members weigh in on the role they can play in the ongoing debate.

PRIVACY LAW—U.S.

States Consider New Privacy Laws (March 1, 2011)

Info Law Group explores the push at the state level for new privacy and data security legislation, including a Colorado bill seeking to give companies incentives to put security practices in place. Under specific conditions, "a person or entity operating in Colorado that owns, licenses or maintains computerized data that includes 'personal information' shall not be liable for civil damages resulting from a breach of data security due to its acts or omissions that are in good faith and not grossly negligent or willful and wanton," the report states. However, a split committee vote will keep that proposal on hold at least for the current legislative session.