Privacy News | Daily Dashboard

Breaking news. In-depth articles. Global coverage.

Save time searching the headlines for privacy news in the media. Get the latest breaking privacy and data protection news from around the globe all in one place—The Daily Dashboard. Our FREE daily e-newsletter summarizes the day’s top privacy stories with links to the full articles—sent directly to your desktop each weekday!


Top Privacy News

ONLINE PRIVACY—U.S.

Congressmen Call for Mobile App Privacy Codes (April 29, 2011)

House Bi-Partisan Privacy Caucus Co-Chairmen Edward Markey (D-MA) and Joe Barton (R-TX) have released the responses they've received from the nation's four largest wireless carriers following their requests for information about how the companies collect, store and share customers' PII. The Wall Street Journal reports that AT&T, Verizon Wireless, Sprint Nextel and T-Mobile have all responded that they seek subscribers' consent for use of personal data, but "they can't control how applications developed by third parties use location information that the carriers don't provide." Mobile device applications "shouldn't have free rein over your location data and personally identifiable information. I believe it is time we hold third-party developers accountable," Barton said. (Registration may be required to access this story.)

DATA LOSS

Fallout Continues for Company’s Data Breach (April 29, 2011)

Reuters analyzes the extent and scope of the recent breach of Sony's PlayStation Network, which has "earned a place in the annals of Internet crime." The size of the breach has officials and regulators from around the world investigating. U.S. Sen. Richard Blumenthal (D-CT) has called on the U.S. Department of Justice to look into it, and the FBI has launched an inquiry. Australian, Canadian and European regulators--including those from the UK, Germany, Italy and France--are looking into the matter. The chairman of the Article 29 Working Party said members "are considering possible actions." Meanwhile, Sony is telling customers that their credit card information was encrypted.
Full Story

GEO PRIVACY—U.S.

Committee To Hold Hearing on Mobile Phones (April 29, 2011)

Senate Commerce Committee Chairman Jay Rockefeller (D-WV) has announced the committee will hold a hearing in May on mobile phone privacy, following announcements that certain smartphones have stored and shared users' location data, The Hill reports. The announcement comes amid calls for investigations and hearings on such privacy concerns and the filing of lawsuits prompted by reports of mobile device tracking. Rockefeller has called the recent incidents "just the latest in a string of concerns raised in the mobile marketplace," since it "collects and uses a wide range of personal information--often with inadequate or untimely disclosure."
Full Story

PRIVACY LAW—AUSTRIA

Lower House Passes Data Retention Bill (April 29, 2011)

The lower house of the Austrian parliament has passed a measure endorsing the storage of private phone call and e-mail data, Deutsche Welle reports, and the upper house is expected to soon pass it into law. Data will be stored for six months under the measure, which the European Commission adopted in 2006. The information will be available to investigators and public prosecutors in criminal procedures. A spokesman for an Austrian organization that opposes data retention said he's "very concerned" and that the "risk is that the data retained will not only be used for finding terrorists...but will be used against normal people."
Full Story

HEALTHCARE PRIVACY—U.S.

Fed Health IT Chief: Privacy Must Be Ensured (April 29, 2011)

The government needs to ensure and maintain public trust in health information systems and the exchange of their health information as it rolls out electronic health records, says the head of the Office of the National Coordinator for Health IT, Farzad Mostashari. A critical goal of the HITECH Act is to "make sure we do what steps are necessary...to protect the privacy and security of information," Mostashari says, adding that patients need "more granular consent over what information is disclosed and to whom." An interagency task force is working on consistent approaches to health information privacy and security, GovInfoSecurity reports.
Full Story

IDENTITY THEFT—U.S.

Florida Residents Victims of Tax Fraud (April 29, 2011)

Sen. Bill Nelson (D-FL) is calling for a federal investigation to look into how criminals stole more than 70 South Florida residents' identities and used them to file fake tax returns. BankInfoSecurity reports that, in most cases, the thieves filed the tax returns electronically and had funds routed to bank accounts. Privacy expert Kirk Nahra, CIPP, of Wiley Rein, calls the theft a "perfect example of where efficiency and speed run up against potential problems." While the IRS has not commented on the incident, the report states that Linda Foley of the Identity Theft Resource Center says it's likely the identities were stolen months or even years ago.
Full Story

ONLINE PRIVACY

McQuay Discusses Demonstrating Accountability (April 29, 2011)

In this Daily Dashboard Q&A, Nymity President Terry McQuay discusses the renewed look at accountability as it applies to data privacy. McQuay says accountability involves organizations being "responsible for personal information" and able to "account for it" within the organization when it flows to business partners by demonstrating the status of their privacy program to internal stakeholders. McQuay says there are three main organizational drivers for accountability, and he discusses accountability-related developments in the legislative and regulatory communities. McQuay will talk more about "demonstrating accountability" at next week's IAPP Canada Privacy Symposium.
Full Story

Demonstrating privacy accountability (April 28, 2011)

The IAPP is pleased to bring you this interview with Terry McQuay, CIPP, CIPP/C, CIPP/E, CIPP/G, president of Nymity.

DATA LOSS

Sony Sued Over PlayStation Network Data Breach (April 28, 2011)

CNET reports that a lawsuit has been filed against Sony for not taking "reasonable care to protect, encrypt and secure the private and sensitive data of its users." Filed in the U.S. District Court for the Northern District of California, the complaint alleges that the company did not allow its customers "to make an informed decision" about protecting financial information. Legal recourse could prove difficult, the article suggests, as Sony included language in its terms of service absolving it of culpability in the event of data loss. Sony now faces inquiries from several authorities and regulators. U.S. Rep. Mary Bono Mack (R-CA) has asked Congress to look into the data leak, the UK Information Commissioner's Office is opening an investigation, and Canada's privacy commissioner will also launch an inquiry.

GEO PRIVACY

Jobs: Mistakes Were Made, But Users Not Tracked (April 28, 2011)

Apple CEO Steve Jobs has responded to recent reports that iPhone and iPad devices were tracking users' locations, The New York Times reports. Mistakes were made in how location data was handled, Jobs said, but stressed, "We haven't been tracking anybody. Never have. Never will." Apple has stated that the anonymous data was used to help the phone find its location in regions with weak GPS, and a software update will be released to encrypt such data and limit its storage to seven days. Meanwhile, experts are calling for more transparency in how smartphones handle location information; data protection authorities across the globe have opened investigations, and a hearing before a U.S. Senate subcommittee has been scheduled for May 10. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—EU

German Lawmakers Say Directive May Be Illegal (April 28, 2011)

The European Commission's Data Retention Directive may be illegal, the German Parliament has said. A report from the Bundestag's Working Group on data retention says the directive is incompatible with the EU Charter of Fundamental Rights; the directive's requirement that service providers retain data for two years is disproportionate with crime-fighting measures, "as data retention increases the crime clearance rate only slightly," CIO reports. A spokesperson for the Bundestag's Working Group said that the EU "must abort this experiment immediately and replace the completely disproportionate blanket collection of the entire population's communications records" with one that only collects data on suspects.
Full Story

ONLINE PRIVACY

Social Network Plans Internet Erasure (April 28, 2011)

In the midst of ongoing calls for a "right to be forgotten" on the Internet, an early social network has announced it will erase old posts and photos from its site. In a column for Technology Review, David Zax explores the push for an Internet "written in pencil," where users may remove information. The owners of Friendster, which predated such social networks as MySpace and Facebook, appear to be doing just that, having notified users that they plan to "wipe out the site's trove of digital memories, including ancient dorm-room photos, late-night blog entries and heartfelt friend endorsements," The New York Times reports. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Bono Mack To Propose Online Legislation (April 28, 2011)

In the wake of Sony PlayStation Network's recent hacking incident, Rep. Mary Bono Mack (R-CA) has announced her plan to introduce legislation to protect consumer information online. The Hill reports that Bono Mack made the announcement on Wednesday, stating that the Sony breach reinforces her "long-held belief that much more needs to be done to protect sensitive consumer information. Most importantly, Americans should be quickly informed when their personal information has been hacked, especially in instances like this where there is an obvious potential for large-scale identity theft." Bono Mack said the Energy and Commerce Trade Subcommittee--which she heads--will investigate the breach.
Full Story

PRIVACY LAW—U.S.

Man Pleads Guilty To Bilking Bank Accounts (April 28, 2011)

A New York man pleaded guilty yesterday to stealing accountholder information from a New Jersey bank, The Wall Street Journal reports. In U.S. District Court in Newark, NJ, Viktor Kafalov admitted to collaborating with conspirators to install skimming devices on ATM machines and steal more than $278,000 from customers of Valley National Bank. Kafalov faces a 30-year prison sentence, according to the report. (Registration may be required to access this story.)
Full Story

DATA PROTECTION

Opinion: PR Damage Not Enough to Incite Action? (April 28, 2011)

There seem to be few repercussions for companies that lose customers' sensitive data, opines Nick Bilton in The New York Times. Breach reports are on the rise, and customers continue to hand over their information for access to online services. And yet, "the only real hit a company takes when these data breaches happen is to the company's image," Bilton writes. "It seems that with the frequency these events happen, a simple PR hit is not working to force these companies to protect people's privacy." Bilton says the problem will only get worse with the advent of the cloud. (Registration may be required to access this story.)
Full Story

DATA LOSS

Sony PlayStation Breach May Affect Millions (April 27, 2011)

The Hill reports that Sony started warning customers on Tuesday that its Sony PlayStation Network was breached sometime between April 17 and 19 by an "external intruder," potentially affecting 77 million users. "While there is no evidence...that credit card data was taken, we cannot rule it out at this time," said a Sony representative. Sony's notice comes days after the network suspended services and amidst calls from U.S. Sen. Richard Blumenthal (D-CT) to provide the network's subscribers with an explanation. Given the size of the incident, the report suggests that either the U.S. Congress or Federal Trade Commission will investigate it further.

PRIVACY LAW—U.S.

Supreme Court Hears About Vermont RX Law (April 27, 2011)

The New York Times reports that U.S. Supreme Court justices thus far sound skeptical about upholding a Vermont law that bans the commercial buying and selling of doctors' prescription records. The court will determine whether the government can regulate such data mining, used by drug company sales reps in order to tailor sales pitches to doctors. Chief Justice John Roberts said Vermont is "censoring what (doctors) can hear to make sure they don't have full information." A lawyer for the Justice Department, however, suggests that restrictions on data mining are "in keeping with laws that prohibit the commercial exploitation of driver license information." A decision is expected in June. (Registration may be required to access this story.) 
Full Story

PRIVACY LAW—JAPAN

Employees May Become Liable Under Law (April 27, 2011)

Japanese officials plan to extend liability to individual employees under the Personal Information Protection Act, reports Hunton & Williams' Privacy and Information Security Law Blog. The move is part of an effort to increase penalties for violations under Japan's privacy law framework. Under current law, companies that violate the act can be fined, ordered to take remedial steps and a company head can face imprisonment, according to the report. The legal changes are part of the Japanese government's planned introduction of a national identification system to help survivors of last month's earthquake and tsunami.
Full Story

PRIVACY LAW—IRELAND

DPC: Insurers Committed “Unprecedented” Number of Breaches (April 27, 2011)

An Office of the Data Protection Commissioner (ODPC) investigation has found that staff at insurance companies inappropriately accessed data to examine claims histories, The Irish Times reports, including accessing an industry-wide database prior to making quotes. The commissioner has ordered insurers to remove data from Insurance Link, which stores and shares details on 2.4 million cases in breach of the Data Protection Act. It's illegal to store such data without a valid basis, the commissioner's office said, adding that most of the public is unaware of the database and there is no evidence data-subject consent was acquired. The ODPC will publish the investigation's findings in a report later this year.
Full Story

ONLINE PRIVACY—U.S.

Smartphone Users: Privacy Is Top Concern (April 27, 2011)

PCMag reports on TRUSTe's survey of 1,000 smartphone users that indicates privacy is a primary concern. The results, released this morning, indicate users are concerned about privacy and want more transparency and control over the collection and use of their personal information as well as choices about advertising and geolocation tracking. "This survey makes it crystal clear that privacy concerns are a huge stumbling block to consumer usage of applications and websites on smartphones," said TRUSTe President and Executive Chair Fran Maier. Behavioral targeting was also cited as a key concern by respondents, with 85 percent wanting the chance to opt out of targeted ads.
Full Story

GEO PRIVACY—U.S.

Reports Show More Devices Are Tracking Users (April 27, 2011)

In the wake of recent calls for investigations on the collection of location information on mobile devices, The Wall Street Journal reports that Google and Apple also collect and store location information from personal computers. "Both companies have said the data they collect are anonymous and aren't tied to specific users," the report states. Meanwhile, reports have surfaced that Microsoft also collects location data on users of its mobile operating system. Microsoft has said the data is only collected if users allow applications to access location data. Amid those concerns, a Fast Company report looks at why users may want their information tracked, "albeit under tightly defined privacy protection rules." (Registration may be required to access this story.)
Full Story

DATA LOSS—U.S.

Breach Costs at $1.8 Million; Lawsuit Looms (April 27, 2011)

A recent data breach at the Texas Comptroller's Office has resulted in the firing of four employees and more than $1.8 million spent on notifications, a call center and consultants to assess damages and improve security--and lawsuits may be on the horizon, reports eWEEK. Comptroller Susan Combs said in a statement that the office will follow its consultants' advice, adding that Texans need to "feel confident that an incident like this will never happen again." Those affected are eligible for discounted fraud-related assistance and identity theft insurance. While no lawsuits have been filed to date, the Texas Civil Rights Project has filed for a "pre-suit investigation" requesting a deposition from Combs.
Full Story

PRIVACY LAW—U.S.

Supreme Court Hears Data Mining Case (April 26, 2011)

The U.S. Supreme Court will today hear a case on whether the government may put limits on data mining, NPR reports. The court will determine whether a state can "bar the buying, selling and profiling of doctors' prescription records for use by pharmaceutical sales representatives." A Vermont law banned the practice until drug companies challenged it and won. Vermont's appeal to the Supreme Court claims doctors should have the right to control their prescribing data, while opponents claim that impeding drug reps' ability to make sales pitches violates free speech. If Vermont wins, the judgment could extend to other industries, says the state's assistant attorney general. Privacy experts say the case could have serious implications.

DATA RETENTION—EU

Hustinx: Directive Is “Intrusive Measure” (April 26, 2011)

In an interview with Euractiv, European Data Protection Supervisor Peter Hustinx discusses the European Commission's recent evaluation report on the Data Retention Directive, saying that he still believes it's the "most privacy-invasive instrument ever." Hustinx admits he is grateful the report is "on the table so we can take a careful look," but adds, "I am not going to speak in favor of the directive as it was adopted in the past." Looking ahead, Hustinx plans "to make sure that the directive is revised in ways so that it can be applied in a more appropriate way" and intends to "react within a few weeks (to) help the commission stay on track."
Full Story

PRIVACY LAW—U.S.

Suit Filed Over Mobile Tracking (April 26, 2011)

Computerworld reports on a proposed class-action lawsuit against Apple following researchers' findings last week that iPhone and iPad devices have been tracking users' locations. The two plaintiffs, who hail from Florida and New York, filed the suit on Friday, alleging "fraud, deceptive business practices and several additional violations of federal and state laws," the report states. The lawsuit states, "If Apple wanted to track the whereabouts of each of its products' users, it should have obtained specific, particularized informed consent such that Apple consumers across America would not have been shocked and alarmed to learn of Apple's practices in recent days."
Full Story

GEO PRIVACY—U.S.

Hearing Scheduled as Legislators, AG Seek Answers (April 26, 2011)

The House Energy and Commerce Committee is asking mobile operating systems developers what location data their devices store and why they "track use, store or share" such data, The Wall Street Journal reports. The committee has sent letters in the wake of reports that certain mobile devices have been tracking users' locations. The letters follow similar requests from Rep. Ed Markey (D-MA) and Sen. Al Franken (D-MN), chairman of the Judiciary Subcommittee on Privacy, Technology and the Law, who has announced the committee's "Protecting Mobile Privacy: Your Smartphones, Tablets, Cell Phones and Your Privacy" hearing on May 10. Meanwhile, Illinois Attorney General Lisa Madigan called for a meeting with company executives to gather details on what they do with such location information. (Registration may be required to access this story.)
Full Story

HEALTHCARE PRIVACY—U.S.

Breach List Grows, Encryption Is Key (April 26, 2011)

GovInfoSecurity reports that the Office for Civil Rights' (OCR) list of major healthcare breaches--those affecting at least 500 individuals--has grown to 265 incidents affecting 10.8 million. In the past month, 16 breaches were added to the list, including the Health Net and Eisenhower Medical Center incidents that totaled 1.9 million and 514,000 individuals, respectively. The report suggests these cases have highlighted the need for encryption, which one security expert calls "the single best way to protect sensitive data." Under HITECH, healthcare facilities with major breaches are required to report them to the OCR within 60 days; however, breaches of data encrypted "using a specific standard" do not need to be reported, the report states.   
Full Story

PRIVACY LAW—SWEDEN

DPA Says Hospital Data-Sharing Unlawful (April 26, 2011)

Sweden's data protection authority has ruled that a hospital's failure to provide patients with the choice to opt out of the sharing of their medical and other data via an electronic health records system violated the law. The Data Inspection Board ruled April 18 that the sharing of patient records requires consent under the Patient Data Law, and Stockholm's Karolinska University Hospital's method of obtaining consent did not meet those requirements. The hospital belongs to a data-sharing network that allows database access to both public- and private-sector healthcare providers. (Article in Swedish.)
Full Story

Opinion: Consumers Should Get To Use Data Too (April 25, 2011)

Consumers should be given the right to access and use their own data, writes Richard Thaler for The New York Times. "If a business collects data on consumers electronically, it should provide them with a version of that data that is easy to download and export to another website." Thaler calls this his guiding principle and the missing element in the proposed Kerry-McCain Commercial Privacy Bill of Rights. Consumers should be able to "use the data that is being collected to improve our own lives," he writes. The author points to similar initiatives such as the federal government's "Blue Button" program and Britain's MyData, which Thaler helped develop. (Registration may be required to access this story.)

ONLINE PRIVACY

Web Standards Group To Discuss Do Not Track (April 25, 2011)

The Web standards organization, World Wide Web Consortium (W3C), will meet this week to examine online privacy and the main issues surrounding a universal do-not-track mechanism, reports Media Post. Discussion topics will include definitions for do not track and the mechanism's operational feasibility. Nearly 60 position papers have been submitted by Web companies, academics and others prior to the conference. W3C Co-chair Lorrie Cranor added that the group "has not yet formally taken on the task of formalizing do not track or any of the other consumer protection technologies in the tracking space but are looking at it and trying to determine if there's a role for them and, if so, what direction to go in."
Full Story

HEALTHCARE PRIVACY—AUSTRALIA

Health Service To Pay $40,000 for Breach (April 25, 2011)

A health service has been ordered to pay $40,000 after a staffer breached a man's privacy, The Sydney Morning Herald reports. An Administrative Decisions Tribunal said the former Northern Sydney Central Coast Area (NSCCA), now split into two health services, must pay a man the maximum penalty allowed for the damage he suffered as a result of the breach. The man was suspended from the NSCCA hospital where he worked after he was admitted as a patient there, disclosing to an admissions nurse he had thoughts of harming himself. The nurse reported the disclosure to human resources, claiming his threats overrode privacy concerns.
Full Story

PRIVACY LAW—U.S.

Scooter Company To Pay $100,000 for Violations (April 25, 2011)

The Federal Trade Commission (FTC) alleges that a manufacturer of electric scooters marketed to consumers registered on the national Do Not Call Registry. Electric Mobility Corporation (EMC) manufactures Rascal Scooters, aimed at helping those with mobility issues, and used sweepstakes entry forms to contact the consumers. The FTC charges that EMC made more than three million illegal sales calls since 2003, violating the FTC Act and the Do Not Call provisions of the Telemarketing Sales Rule. EMC owner Michael Flowers will pay $100,000 to settle the charges. EMC was ordered to pay $2 million but cannot afford to do so, the FTC reports. The settlement now awaits court approval.
Full Story

ONLINE PRIVACY—U.S.

Federal Authorities Access Facebook Accounts (April 25, 2011)

Stltoday.com reports that federal investigators in Detroit, MI, obtained search warrants allowing them access to the Facebook accounts of suspected criminals. Investigators were able to view photographs, e-mail addresses, phone numbers, lists of friends and GPS locations to disprove alibis. The practice raises many privacy concerns, including whether information gleaned from social media sites can be authenticated. In addition to Michigan, search warrants for Facebook accounts have been requested in an additional eight U.S. states. Facebook representative Andrew Noyes added, "We never turn over 'content' records in response to U.S. legal process unless that process is a search warrant reviewed by a judge." 
Full Story

GEO PRIVACY—U.S.

Opinion: Privacy Debate Intensifies (April 25, 2011)

Greg Sterling writes in a piece for Search Engine Land on last week's revelation that iPhones and Android smartphones "track your movements in detail without your affirmative consent." Apple has declined to comment, the report states, but Google has released a statement that while such data is transmitted back to the company's servers, it is not linked to specific users. In light of the recent revelations on mobile tracking, Sterling writes, "Whatever legislation and rules finally emerge from Congress and/or the FTC on digital privacy, mobile and location tracking will certainly be a part of that."
Full Story

GEO PRIVACY—U.S.

Experts: More Mobile Devices Collecting Data (April 22, 2011)

Researchers' announcements this week of iPhones and Android smartphones transmitting location data back to Apple and Google are intensifying privacy concerns, The Wall Street Journal reports. One security expert has said Android phones transmit location data to Google "several times an hour," while separate researchers announced that "iPhones store unencrypted databases containing location information sometimes stretching back several months," the report states. Meanwhile, respondents to a survey released this week expressed strong concerns over the potential privacy implications of location-based mobile services. Sen. Al Franken (D-MN) and Rep. Ed Markey (D-MA) have both sent questions to Apple on its privacy policies, requesting "prompt" responses. (Registration may be required to access this story.)

TRAVELERS’ PRIVACY—CHINA

Manufacturer: New Body Scanners Protect Privacy (April 22, 2011)

Xinhua reports the debut of a new body scanner that quickly detects nonmetal objects "while better protecting privacy." Using anti-scattering X-ray technology, the new scanners can detect prohibited objects like ceramic knives, explosives, drugs, plastic weapons and liquid bombs. The manufacturer, Tianjin Chongfang Science and Technology Company, noted that the U.S. is the only other country that can manufacture similar scanners, but, according to the company's general manager, China's new technology can appropriately detect such items while protecting privacy. The general manager added, "The body scanner can also protect the privacy of ordinary people and automatically delete their personal information."   
Full Story

PRIVACY LAW—U.S.

Legislators Seek Change to EHR Sharing Program (April 22, 2011)

FierceEMR reports on the patient advocate, medical provider and Maine Civil Liberties Union (MCLU) concerns about Maine's statewide HealthInfoNet. The electronic medical records system contains 900,000 citizens' medical records, but advocates say many patients don't know that they are enrolled in the system, which now requires a patient to opt out. State Sen. Roger Katz (R-Kennebec) is co-sponsoring a bill that would make the system opt-in, allowing for "a patient's right to control what happens to their highly personal medical information." A survey of 199 health information exchange programs found that 81 percent have an opt-out policy.
Full Story


HEALTHCARE PRIVACY

Dumped Medical Files Prompt Official Advisory (April 22, 2011)

Saskatchewan Information and Privacy Commissioner Gary Dickson has sent an advisory to the province's healthcare providers with eight recommendations to ensure they are in compliance with the Health Information and Protection Act (HIPA), according to The StarPhoenix. "We have a systematic problem with healthcare providers not understanding HIPA and not following the requirements," said Dickson. The advisory comes in response to a number of cases where medical files have been found in dumpsters in Saskatoon and Regina. Justice Minister Don Morgan expressed concern over the improperly discarded files and warned of a rise in prosecutions of health privacy law violations.
Full Story

DATA RETENTION—EU

Member States React to Commission Ruling (April 22, 2011)

MEPs are opposing the European Commission on its recent ruling against five member states that have not adequately adopted the Data Retention Directive of 2006, reports Euractiv. Under the current legislation, countries can retain "swathes" of telecommunications data for a period of six months to two years. MEPs from Germany, Austria and Sweden--all of which face fines--are pushing for shortened data retention periods, or "quick freezes," and more targeted searches. Constitutional courts in the Czech Republic and Romania declared the directive violates Article 8 of the European Convention on Human Rights. One MEP from Germany explained, "There is no evidence that the far-reaching retention of data has led to any concrete results beyond compromising civil liberties."
Full Story

GEO PRIVACY

Mobile Phone Tracking Raises Concerns (April 21, 2011)

Researchers have found that Apple's iPhone and iPad record their locations in hidden files, The New York Times reports. At a technology conference on Wednesday, two computer programmers presented their findings that iPhones and 3G-enabled iPads "began logging users' locations a year ago, when Apple updated its mobile operating system," the report states, and the data is usually unencrypted and can be copied to computers. A privacy advocate says such collection of location information "crosses the privacy line;" EU authorities are assessing the potential impact, and two U.S. legislators have written to Apple seeking answers; however, one technologist suggests, "This is the future. We have to figure out how to deal with it." (Registration may be required to access this story.)

DATA PROTECTION

Poll: 67 Percent of PCI-Regulated Companies Not Compliant (April 21, 2011)

In a survey conducted by the Ponemon Institute, 67 percent of PCI-regulated companies lack full compliance with the standard; 50 percent of security professionals view PCI as a burden, and 59 percent do not believe it helps with security, reports InformationWeek. The survey also found an increase in the number of data breaches since 2009, with non-PCI-compliant companies experiencing more data breaches than PCI-compliant ones. The study found little connection between PCI-related expenditures and compliance levels. Imperva's director of security strategy noted, "In a somewhat counterintuitive manner, those organizations (that) suffered no breaches are not necessarily those who spent the biggest budget."
Full Story

ONLINE PRIVACY—BELGIUM

Authorities Probe Mapping Service’s Data Collection (April 21, 2011)

Bloomberg reports that Google is working with Belgian authorities over its online mapping service. The company never inspected or used the information it inadvertently collected via its Street View cars, said company spokeswoman Anoek Eckhardt in an e-mail. A spokesman for Belgium's Privacy Commission said the authority concluded earlier this year that "Google committed 'flagrant violations of privacy law' by collecting and storing wireless Internet addresses and traffic between computers and WiFi hotspots."
Full Story

PRIVACY LAW—UK & EU

ICO Says Revised Law Still Years Away (April 21, 2011)

New EU data protection laws will likely mandate data breach notifications for all organizations, said UK Deputy Information Commissioner David Smith. However, Smith said at a London event this week, the new laws are likely still years away. The Data Protection Directive is currently under review by the European Commission, V3.co.uk reports. An initial set of proposals is expected this summer. Service providers will be required to report breaches in May, but that will likely extend to all organizations eventually. Other changes may include the "right to be forgotten," built-in privacy protections and requirements for minimal data collection, Smith said.
Full Story

PRIVACY LAW—U.S.

Roberts: Kill Bill on ID Theft (April 21, 2011)

Due to a lack of consensus, Colorado senators have shelved a bill that sought to give prosecutors more latitude in charging people with identity theft, the Washington Examiner reports. House Bill 1049 would have allowed prosecutors "to charge people with identity theft even in cases where the defendant did not know that the information they used belonged to another person," the report states. Yesterday, a sponsor of the bill, Sen. Ellen Roberts, called for the proposal to be killed.
Full Story

DATA PROTECTION

IT Study Reveals Same Challenges, Accelerated Pace (April 21, 2011)

A survey of 2,400 IT security specialists from around the world shows compliance, governance and information security management at the top of their priorities for the remainder of 2011, reports InfoSecurity. The study, conducted by not-for-profit IT security association ISACA, found that the complexities of the IT landscape are accelerating due to new technologies and regulations as well as an increase in data breaches. Tony Noble, a member of ISACA's guidance and practice committee, notes that this year's survey shows a need to better align "business with IT to unlock greater value," adding that there's a perception on the business side of organizations that "IT is managed in a silo."
Full Story

PRIVACY—U.S.

Is Paying for Privacy a Penalty? (April 21, 2011)

MSNBC explores the question of whether consumers are willing to pay to protect their privacy in a feature that looks at one consumer's $1,000 bill to keep his phone number unlisted month after month, year after year. In this age of easy-to-access online information, the report suggests it is debatable just how private unlisted numbers really are. "We call it a privacy penalty," said Mark Toney of The Utility Reform Network, an advocacy group based in California. "We don't think people should have to pay to keep their name out of the phone book. To the phone company, it's just free money."
Full Story

PRIVACY LAW—U.S.

Opinion: Patient Privacy Case Has Serious Implications (April 21, 2011)

The Supreme Court is scheduled to hear arguments next week in a case that Deven McGraw of the Center for Democracy and Technology describes for iHealthBeat as one "that could have significant implications for patient privacy." The case of Sorrell v. IMS Health questions a Vermont law prohibiting the use of prescription information for pharmaceutical marketing without prescribers' consent. "The case has the potential to do real damage to privacy protections," McGraw suggests, writing that "it would be a disaster if the Supreme Court were to hold that the First Amendment rights of corporations could trump the privacy interests of patients and others."
Full Story

PRIVACY LAW—SPAIN & EU

“Right To Be Forgotten” Debate Continues (April 20, 2011)

The Associated Press examines a lawsuit filed by the Spanish Data Protection Agency ordering Web search engine Google to remove links related to about 90 individuals and its implications amid calls for a "right to be forgotten" in the EU. While a final decision is likely to be years in the making, the report states, Spain's case is likely to gain prominence as the European Commission calls for legislation "to give people more power to delete personal information they previously posted online." Spanish DPA Director Artemi Rallo suggests, "This is just the beginning, this right to be forgotten, but it's going to be much more important in the future." Editor's note: This month's edition of Inside 1to1: Privacy features a report on such issues of freedom of expression, online anonymity and calls for a right to be forgotten.

ONLINE PRIVACY—NETHERLANDS

DPA: Comply with Demands or Face Fines (April 20, 2011)

The Dutch Data Protection Authority said Google collected the Media Access Control (MAC) addresses of more than 3.6 million WiFi routers while its Street View cars photographed Dutch streets, The Wall Street Journal reports. The MAC addresses are unique identifiers attached to each computer's wireless hardware. Combined with the ability to locate the hardware, the MAC addresses qualify as personal data "that could provide information about the routers' owners and requires Google to offer an online opt out," the authority said Tuesday. The company could face fines of up to €1 million if it fails to comply within three months.
Full Story

PRIVACY LAW—EU & U.S.

EU and U.S. Differ on Passenger Data Sharing (April 20, 2011)

Bloomberg reports on the differing views between the EU and U.S. on the collection of air passenger data. "The U.S. wants to collect data on anyone suspected of crimes carrying sentences of more than a year," while the "EU wants data to be handed over only in individual cases related to fighting terrorism and organized crime," the report states. The amount of time data can be stored should be restricted, the EU says, as should third-party access. However, the U.S. wants the data stored for 15 to 20 years. The U.S. will have to enter agreements with individual member states if an agreement with the EU cannot be reached.
Full Story

DATA LOSS

Study: Small Targets Are a Big Hit with Hackers (April 20, 2011)

Secure Computing reports on Verizon Business's recently released 2011 Data Breach Investigations Report, which shows data thieves are targeting "smaller, softer and less reactive" businesses, such as retail and hospitality companies. The study also found that many breaches were "basic hacks" due to "ineffective or weak" credentials. Mark Goudie of Verizon encouraged companies to upgrade security procedures and software, warning, "If there are six people being chased by a bear, it's best not to be the slowest runner." The findings of two other data protection studies--Imperva and the Ponemon Institute's 2011 PCI DSS Compliance Trends Study, and Veracode's State of Software Security Report: The Intractable Problem of Insecure Software--have also been announced.
Full Story

DATA LOSS—UK

Numbers Show Many Data Breaches, Few Fines (April 20, 2011)

Of the 2,565 data breaches identified by the Information Commissioner's Office (ICO) since April 2010, "only 36 have resulted in a punishment--and only four have resulted in financial penalties," according to The Guardian. An ICO spokesman said getting organizations to comply with the Data Protection Act "isn't always best achieved by issuing organizations or businesses with monetary penalties." Just this week, the ICO announced breaches at Norwich City College and NHS Birmingham East and North. A Christchurch nurse was also found guilty of misconduct for inappropriate access of medical records. The ICO's acting head of enforcement said, "organizations have a legal responsibility to abide by the principles of the DPA."
Full Story

PRIVACY LAW—U.S.

Suit Seeks Class-Action Status (April 20, 2011)

The Wall Street Journal reports on a lawsuit filed against the social network Myspace that alleges the company violated federal privacy law and its own privacy policy. The suit seeks class-action status. The plaintiffs allege that the company shares users' personally identifiable information with advertisers despite a statement to the contrary in its privacy policy. The plaintiffs are seeking "$1,000 per person affected" in addition to other unspecified damages. (Registration may be required to access this story.)
Full Story

DATA LOSS—U.S.

Texas Warns Breach Victims of Phone Scam (April 20, 2011)

The Texas Office of the Comptroller announced yesterday that citizens affected by its recent breach have been receiving fraudulent phone calls, reports the Austin Business Journal. One state employee reported that a caller claiming to be from ERS asked to confirm the employee's Social Security number. The state is warning employees and retirees that "ERS, TRS and the Texas Workforce Commission are not making these telephone calls." The breach exposed the personal data of 3.5 million citizens from the Teacher Retirement System, Texas Workforce Commission and Employees Retirement System.
Full Story

HEALTHCARE PRIVACY—U.S.

CIOs Call for Standardization in E-Health Strategy (April 20, 2011)

A group of healthcare CIOs has said the Health and Human Services (HHS) Department's plan for health IT "doesn't go far enough in standardizing the ways in which patient consent for release of personal health information would be managed," Federal Computer Week reports. The College of Healthcare Information Management Executives has submitted a letter asking for "greater uniformity in healthcare data privacy laws from state to state" and standards for healthcare privacy to apply nationally. HHS released its Federal Health IT Strategic Plan in March. It calls for meaningful use of e-health record systems. Meanwhile, two Maine legislators recently proposed a bill to make Maine's electronic records system opt-in.
Full Story

ONLINE PRIVACY—U.S.

Leibowitz: Do-Not-Track Laws May Be Unnecessary (April 20, 2011)

FTC Chairman Jon Leibowitz is praising the efforts by online companies to offer do-not-track options to Internet users, while calling for those who have not yet introduced such functions to move forward, POLITICO reports. "There've been a lot of developments on do not track, which has been terrific," he said, noting that while the FTC would like to see Google go farther, "they're moving in the right direction." Leibowitz also said advertisers' concerns over do not track "are overblown," the report states. When it comes to calls for do-not-track legislation, he said, "If advertising networks honor the browsers' preferences, then you may not need it."
Full Story

HEALTHCARE PRIVACY—U.S.

OCR’s McAndrew: “Consequences” for HIPAA Violations (April 20, 2011)

In an interview with Healthcare Info Security, the Office for Civil Rights' Susan McAndrew warned of "consequences" for HIPAA violators, saying, "covered entities need to take seriously their obligations to come into full compliance with HIPAA" and that "it's important to cooperate with my office." McAndrew added, "We still believe in voluntarily resolving these cases whenever we can because that's the best way of ensuring long term that the covered entity really understands what their obligations are and has taken adequate steps to meet them." McAndrew also noted that the HIPAA compliance audit program is "an ongoing effort" and the OCR has invited state attorneys general for training on filing civil suits under the HITECH Act.
Full Story

PRIVACY LAW—U.S.

Judge Says PII Loss Sufficient for Suit (April 19, 2011)

The Register reports that a federal judge has allowed a lawsuit filed against a social media application developer for exposing 32 million users' personally identifiable information (PII). Judge Phyllis Hamilton has allowed four causes of action by RockYou user Alan Claridge in U.S. District Court in the Northern District of California. RockYou wanted the case dismissed, alleging Claridge suffered no harm when his e-mail address and password were exposed. But the judge said that the "plaintiff has sufficiently alleged a general basis for harm by alleging that the breach of his personally identifiable information has caused him to lose some ascertainable but unidentified value and/or property right inherent in the PII."

DATA RETENTION—EU

Member States Face Infringement Proceedings (April 19, 2011)

The EU Commission has announced that it will "begin infringement proceedings against member states that have failed to transpose the EU's Data Retention Directive of 2006 into national law," according to the European Voice. A commission evaluation found "huge disparities in the way that member states use the EU obligation on telecommunications providers to retain location and traffic data on e-mails and telephone calls." Several member states, including Germany, considered it "'nonsensical' if the commission insisted on the transposition of a directive that was about to be amended," the article states. European Commissioner for Home Affairs Cecilia Malmström "conceded that the directive was in 'need of improvement' but stressed that data retention was 'crucial in solving crimes.'"
Full Story

DATA PROTECTION—U.S.

Hospitals Accepting Plastic Must Comply with PCI DSS (April 19, 2011)

Last month's settlement between the Massachusetts attorney general and a restaurant company for $110,000 should serve as a reminder to healthcare privacy and security officials, HealthLeaders Media reports. Entities that collect credit cards are required to protect that information from theft--including healthcare entities. "I think healthcare organizations--and many others--are still unaware of PCI DSS," said Kate Borten, president of the Marblehead Group. "The security requirements are...simply good practice." The Payment Card Industry Data Security Standard requires organizations that accept credit cards to build and maintain a secure network, encrypt cardholder data transmissions and regularly update antivirus software, among other mandates.
Full Story

PRIVACY LAW—NEW ZEALAND

Policeman’s Data Leak Breached Privacy Act (April 19, 2011)

The Office of the Privacy Commissioner has ruled the police department breached two principles of the Privacy Act when it "failed to take reasonable steps to ensure the security of...personal information," reports The New Zealand Herald. An internal police investigation found that a senior police officer used the National Intelligence Application (NIA) to open the file of his wife's ex-husband in an attempt to win a custody battle. Assistant Privacy Commissioner Mike Flahive said the victim "suffered harm" because the officer "used his privileged position within the police to access" the NIA records.
Full Story

PRIVACY—U.S.

Sens. Question White House on Oversight Board (April 19, 2011)

Members of Congress continue to question the Obama Administration about the dormant Privacy and Civil Liberties Oversight Board. According to Congress.org, leaders of the Senate Homeland Security and Governmental Affairs Committee last week sent a letter saying, "It is inexcusable that, more than three years after the new board was meant to have begun its work, there is still no functional board at all." The board was created in 2004 on the recommendation of the 9/11 Commission to oversee the protection of Americans' privacy and civil liberties in the age of counterterrorism. The Obama Administration nominated two individuals to the five-member board in December.
Full Story

DATA LOSS—U.S.

Study: Lowest Losses in 25 Years (April 19, 2011)

Verizon Business on Tuesday will release its 2011 Data Breach Investigations Report, outlining findings from almost 800 data breach incidents in 2010. InformationWeek reports that while public fear of data loss is high, the report shows that losses have gone from 144 million records in 2009 to four million records in 2010. Bryan Sartin, director of investigative response for Verizon Business, attributes the decrease to a flooded data market and the successful arrests of "a substantial number of the 250 or so really capable criminal hackers." Sartin said better corporate network monitoring and log data retention can be credited for successful investigations.
Full Story

HEALTHCARE PRIVACY

Drug Manufacturer Alerts Consumers of Breaches (April 19, 2011)

The Wall Street Journal reports that, as a result of the recent Epsilon data breach, GlaxoSmithKline has warned consumers in a letter that their e-mail addresses and names "were accessed by an unauthorized third party." The company makes drugs for asthma, HIV, depression and smoking cessation, among others. The breach may have exposed which product sites consumers are registered for, according to the company, which could help fraudsters discern what prescription drugs they take, warns CAUCE, a spam coalition. (Registration may be required to access this story.)
Full Story

DATA RETENTION

Company Extends Retention Term (April 19, 2011)

Yahoo disclosed on Friday that it will extend the length of the term it retains user data to 18 months, The New York Times reports. In a company blog post, Yahoo Chief Trust Officer Anne Toth said, "we will keep our log file data longer than we have been--offering consumers a more robust individualized experience--while we continue our innovation in the areas of transparency and choice to protect privacy." The company's current retention term is 90 days. Privacy advocates expressed disappointment about the change, and, the report states, "Yahoo's new policy may be in conflict with European Union data protection rules." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.K. & EU

UK Law Will Require Consent (April 18, 2011)

The United Kingdom's final plan to implement the amended EU e-Privacy Directive (2009/136/EC) does not deviate from the directive's requirement that effective consent be obtained from online users in order to place most cookies on their computers, according to the Department for Culture, Media and Sport report released on Friday. The plan does not use the phrase "opt-in consent," but it is clear from the rules that it would amend the country's Privacy in Electronic Communications Regulations to require that such consent be obtained from users. "Organizations running Web sites will need the user's permission before a cookie can be used," said Culture Minister Ed Vaizey.

ONLINE PRIVACY—U.S.

Experts on NSTIC: Sounds Good, Plan Uncertain (April 18, 2011)

The White House has released its National Strategy for Trusted Identities in Cyberspace, an identity and authentication strategy that is the result of collaboration between industry, government and privacy advocates. Its release has been met with uncertainty by advocates, Computerworld reports. Lee Tien of the Electronic Frontier Foundation said that the plans now are at an abstract level and it's "not perfectly clear how this is going forward." Marc Rotenberg of the Electronic Privacy Information Center said comprehensive privacy legislation is required to protect against the misuse of identity credentials. "The strategy at this point is just a vision for the future," said Aaron Brauer-Rieke of the Center for Democracy and Technology.
Full Story

HEALTHCARE PRIVACY

CAUCE, GSK Warn of Rx Info Exposure (April 18, 2011)

A spam coalition is warning consumers to be wary of spear-phishing attempts after learning that those who have registered their prescription drug information on certain "product" Web sites may be vulnerable. The Coalition Against Unsolicited Commercial Email (CAUCE) says that GlaxoSmithKline has notified clients that, as a result of the recent Epsilon data breach, "files containing the e-mail addresses of some of our consumers were accessed by an unauthorized third party" and the "file from which your name and e-mail address were accessed may have identified the product Web site on which you registered." The company is warning clients to "be aware of this situation."
Full Story

PRIVACY LAW—U.S.

What’s Next on Capitol Hill? (April 18, 2011)

The Washington Post looks at four privacy proposals that have come forward in this congressional session, asking, "what's next for privacy on the hill?" Experts weigh in, with Justin Brookman of the Center for Democracy and Technology saying that the bipartisan nature of the bills might give them a chance of moving, and Amy Mushahwar of Reed Smith saying that despite the momentum of some of the bills, "my enthusiasm is tempered by the calendar, given the looming election season." Mushahwar adds that "These bills have to be implemented by data centers and require a practical mindset." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Privacy Advocate Gets Enhanced Publishing Rights (April 18, 2011)

U.S. District Judge Robert Payne signed a consent order broadening the scope of information that privacy advocate Betty "BJ" Ostergren is allowed to post on her Web site. The Associated Press reports that this ends Ostergren's more-than-yearlong battle challenging a Virginia law prohibiting anyone from making Social Security numbers (SSNs) available to the public. Ostergren won a case allowing her to publish SSNs--but only of public officials. According to the report, a federal appeals court called the ruling too limited and sent it back to Payne. Ostergren says she's posting the data to show that the government is not adequately protecting citizens' privacy when it posts this information to its Web sites.
Full Story

CHILDREN’S PRIVACY—EU

Kids Not Using Privacy Settings (April 18, 2011)

Many children using social networking sites don't employ privacy settings, making them vulnerable to stalkers and other risks, according to EU Commissioner for the Digital Agenda Neelie Kroes. The Associated Press reports that EU data show 77 percent of 13- to 16-year-olds and 38 percent of nine- to 12-year-olds are on social networks, but 25 percent don't use privacy settings, and many display phone numbers and addresses. "These children are placing themselves in harm's way, vulnerable to stalkers and groomers," Kroes said. She is urging social networking sites to make minors' profiles accessible only to designated "friends" by default.
Full Story

PRIVACY LAW—U.S.

Myspace Sued for Sharing Member Data (April 15, 2011)

Myspace has been accused of improperly sharing members' data with aggregators, Bloomberg reports. Two law firms filed suit against the company in U.S. District Court in Brooklyn, NY, on Wednesday. "Myspace knowingly serves as and profits handsomely from being a conduit through which details of the most intimate aspects of its members' lives, as reflected in their Internet browsing history and otherwise, are transmitted to data aggregators, who package the information into profiles and sell it like any other commodity to advertisers," the Virtue v. Myspace Inc. complaint states.

ONLINE PRIVACY

Leibowitz: Do Not Track Will Happen (April 15, 2011)

A day before Apple unveiled its privacy tool aimed at allowing users to keep their online habits from being monitored, Federal Trade Commission Chairman Jon Leibowitz was quoted in a Consumer Reports feature as saying he believes the call for widespread do-not-track implementation will be answered. "Companies want to do the right thing and stay on the right side of consumers," he said, "so maybe we won't need legislation." Apple's announcement follows similar moves by both Microsoft and Mozilla. Google, meanwhile, offers "Keep My Opt-Outs" as a browser add-on for users to request that companies not use their data for targeted advertising. Editor's Note: The recorded audio of yesterday's IAPP Web Conference, "Do Not Track: Implementation and Impact," will be available this afternoon on the IAPP Web site.
Full Story

IDENTITY THEFT—U.S.

FL Ring Goes to Court, FTC Proposes Initiative (April 15, 2011)

Twelve people in Florida are facing possible jail time for identity theft and bank fraud. Bank Info Security reports that the ID theft ring used stolen data to make themselves authorized users of victims' payment cards and bank accounts. Two of the defendants, who worked at medical offices, are also being charged with HIPAA violations for stealing and selling patient data, including Social Security numbers. Meanwhile, the FTC addressed the House Ways and Means Committee's Social Security Subcommittee, outlining a program to help "protect consumers from ID theft and deal with its consequences." The FTC laid out a three-pronged approach including "law enforcement, data collection and analysis and consumer and business education."
Full Story

ONLINE PRIVACY—U.S.

NSTIC To Be Released Today (April 15, 2011)

The White House is scheduled to release the final version of its National Strategy for Trusted Identities in Cyberspace (NSTIC), an identity and authentication strategy that is the result of more than a year of collaboration between industry, government agencies and privacy advocates, InformationWeek reports. NSTIC is expected to be unveiled today at a U.S. Chamber of Commerce event in Washington, DC. One privacy expert describes NSTIC as addressing "one of the thorniest issues facing those who want to engage in significant or sensitive online transactions: the lack of standard, interoperable and trusted systems for proving online identity."
Full Story

DATA LOSS—U.S.

TX Breach Causes Problems for Comptroller (April 15, 2011)

After Texas Comptroller Susan Combs announced a breach at her office that left 3.5 million Texans' data available on the Internet for about a year, Combs and her spokesman took issue with the offices that sent them the data, saying the offices failed to encrypt it as required by law, reports the Austin American-Statesman. But, according to Doug Holt, the state's chief information security officer, the agencies transferred the data using an approved secure method. Furthermore, three offices have followed Holt's lead in rejecting a request that, by Wednesday, "all agencies sign a promise to encrypt their data from now on before transferring it to the comptroller" because it is "too broad."
Full Story

DATA LOSS

Sensitive Data Compromised in Blog Host’s Breach (April 15, 2011)

A host site for more than 19 million blogs has announced a data breach. WordPress.com says sensitive data was likely taken after its source code was exposed and copied. "We don't have any specific suggestions for our users beyond reiterating these security fundamentals," founder Matt Mullenweg said. "Use a strong password, meaning something random with numbers and punctuation; use different passwords for different sites; if you have used the same password on different sites, switch it to something more secure." The company will continue to investigate the breach, Security News Daily reports.
Full Story

DATA LOSS—U.S.

Health Records Compromised in Two Incidents (April 15, 2011)

The health information of approximately 133,000 individuals might have been compromised after the theft of a department laptop and 50 paper files, according to The Oklahoman. The Oklahoma State Department of Health notified those affected, saying the laptop was password-protected and, the article states, included names, Social Security numbers and birth defect information. In a separate incident, a Minnesota hospital lost a box containing medical records of nearly 1,200 patients when it moved its corporate offices, reports Minnesota Public Radio News. Affected individuals in both cases have been offered identity monitoring services.
Full Story

PRIVACY LAW—U.S.

Opinion: Bill Inspires Consumer Confidence (April 15, 2011)

Reaction to the privacy bill introduced this week by Sens. John Kerry (D-MA) and John McCain (R-AZ) continues. In The Hill, David Hoffman, CIPP, says the bill is key to the growth of business because it gives consumers the baseline confidence necessary for them to overcome privacy-related reservations about using new technology. Hoffman is the director of security policy and global privacy officer at Intel Corporation. He says that well-crafted legislation can help provide "an environment where individuals can have confidence in those companies they would like to engage with" online. "We believe that now is the time for federal privacy legislation," Hoffman writes.
Full Story

BEHAVIORAL TARGETING—EU

Firms Sign On to Self-Regulate (April 14, 2011)

The Interactive Advertising Bureau (IAB) Europe today launched a pan-European self-regulatory program aimed at thwarting regulation around the practice of online behavioral advertising, Business and Leadership reports. Major media groups and technology firms have signed onto the agreement, which includes good practice guidelines and an icon that companies can use to help inform Internet users about how behavioral targeting works. According to an MLex article, creators of the agreement "assert that all consumer and privacy concerns have been addressed" and are "confident" that European regulators will be satisfied with the program.

PRIVACY LAW—U.S.

Stearns Introduces Legislation to Protect Consumers (April 14, 2011)

Rep. Cliff Stearns (R-FL) has introduced online privacy legislation in the House of Representatives focused on giving Web users information and control over what data Internet companies collect about them and how they are tracked, The Wall Street Journal reports. The bill is co-sponsored by Rep. Jim Matheson (D-UT). It requires companies to create privacy policies informing consumers about personal data collection, sale and use and calls for a policing mechanism to ensure compliance, to be approved by the Federal Trade Commission. Justin Brookman of the Center for Democracy and Technology says a clause allowing federal legislation to preempt state laws means "all the good laws California has done are out the window." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Senators to DOJ: Need Clarification on CFAA (April 14, 2011)

Sens. Al Franken (D-MN) and Richard Blumenthal (D-CT) have asked the Department of Justice to clarify its interpretation of the Computer Fraud and Abuse Act (CFAA) and to ensure that the department defines smartphones and other devices as "computers" under the law, StamfordPlus reports. "We write to the department to clarify how it determines the scope of authorization under the CFAA in the absence of a written policy or agreement addressing the issue...and further ask that the department communicate this interpretation to consumers, prosecutors and industry stakeholders," they wrote in a letter sent on Tuesday. They said the information will help consumers, industry and law enforcement.
Full Story

DATA PROTECTION—UK

Government Unveils Consumer Data Plan (April 14, 2011)

The government has unveiled a plan to give consumers better access to data companies hold on them, This Is Money reports. "Mydata" will grant the public access to any marketing data businesses hold, the report states, with the aim of standardizing the information across industries. Data protection laws allow individuals the right to access the personal data businesses store, but accessing the information can be "complex and confusing." More than 20 firms will work together to share information with consumers under the plan. Consumer Minister Edward Davey said the plan will "radically change how consumers relate to business."
Full Story

PRIVACY LAW—U.S.

Maine Bill Proposes to Make EMR Program Opt In (April 14, 2011)

Maine's electronic medical records system, HealthInfoNet, contains 900,000 citizens' medical records and requires citizens to opt out of being included in the database, a function that two legislators are trying to change. They have proposed a bill to make the system opt-in, saying it would encourage doctors and patients to talk about the network and give patients more control over their information. The bill has the support of the Maine ACLU and privacy advocates, but MPBN reports that HealthInfoNet Executive Director Devore Culver says an opt-in system won't bring in the "critical mass" needed to make it effective. Culver says the discussion shouldn't be about opt-in versus opt-out but about patient education.

PRIVACY LAW—U.S.

Reactions to Privacy Bill Vary (April 14, 2011)

The proposed "Commercial Privacy Bill of Rights" is receiving criticism and accolades from both consumer rights groups and the advertising industry. While some are applauding Sens. Kerry and McCain for tackling the issue of online behavioral advertising, others say there is no need for such a law, and still others say the lack of a do-not-track provision means it won't have much of an effect. AdWeek reports that the consensus of industry groups is that the "legislation is premature." They'd like to see their self-regulation program given more time to work. And while Rainey Reitman of the Electronic Frontier Foundation says the bill won't do much to stop the "rampant collection of data," she believes there are elements of it that could be beneficial to consumers and industry alike.

HEALTHCARE PRIVACY—U.S.

HIPAA: Tension Between Privacy and Access (April 14, 2011)

The safeguards in place to protect health records under HIPAA often prevent efficient access by a patient's doctor or an emergency room physician, the Chicago Tribune reports. "You want to protect privacy and allow data flow," said Deven McGraw of the Center for Democracy & Technology. "It's not either or. It's yes and..." The article points out that HIPAA became law before the digitization of health records and "many medical institutions overreacted to the law by being too stingy about sharing information." Some advocates think the law is outdated, "partly because it applies chiefly to the medical industry and not to others who might gain access to data after a privacy breach."

PRIVACY LAW—U.S.

Experts Assess Kerry/McCain Privacy Bill (April 13, 2011)
Yesterday, Sens. John Kerry (D-MA) and John McCain (R-AZ) introduced the "Commercial Privacy Bill of Rights Act of 2011" aimed at protecting consumers' personal information online. This Daily Dashboard exclusive features expert insights into the bill, which lays out a framework for online privacy, including requirements that organizations allow consumers to opt out of online behavioral advertising, obtain consent before collecting sensitive personal information, and give consumers access to their information and the ability to correct it. Notably, a do-not-track mechanism is not present in the bill, and it leaves open the possibility for industry self-regulation, prompting some privacy advocates to say the bill doesn't go far enough.

DATA PRIVACY—UK

Gov’t Will Not Prosecute BT and Phorm (April 13, 2011)

Privacy advocates are expressing frustration after the Crown Prosecution Service (CPS) announcement that it will not prosecute BT and Phorm for tracking consumers online, The Guardian reports. The CPS launched an investigation after allegations that BT partnered with Phorm to place cookies on BT users' browsers without consent and used data on Web activity for behavioral targeting purposes. CPS has concluded that there is not sufficient evidence to prosecute under the Regulation of Investigatory Powers Act. The Home Office has published changes to RIPA that it says will close loopholes in UK privacy law and prevent similar incidents in the future.

PRIVACY—CANADA

OPC Investigating Allegations Against Postal Service (April 13, 2011)

The daughter of a mail-scam victim is raising concerns with the federal privacy commissioner about Canada's postal service, CBC reports. The woman says Canada Post sold her 84-year-old father's new mailing address to companies that update addresses in a federal database after his address was changed to avoid marketing scams. The database--containing thousands of new addresses--is accessible to 37 companies for a $10,000 charge each. Those companies update address lists for marketers. Canada Post "should not under any circumstances be selling personal information," the woman said. Canada Post says it offers an opt-out box to customers on its address change form. Privacy Commissioner Jennifer Stoddart is investigating.

PRIVACY LAW—EU & U.S.

Concerns Persist Over PNR Plans (April 13, 2011)

"The European Commission has still to prove why passengers' personal details should be recorded on all flights to and from Europe," OUT-LAW.COM reports in a piece on the Article 29 Working Party's opinion on the collection of passenger name record (PNR) data. The commission has not provided "proper evaluation of the use of PNR," the Working Party writes, suggesting that collecting PNR data to fight crime "should not enable mass tracking and surveillance of all travelers." Other opinions on PNR plans are divided, the report states. Amidst such questions about PNR retention and cross-border access to data stored by U.S. cloud providers, U.S. Attorney General Eric Holder and Homeland Security Secretary Janet Napolitano are attending a meeting of EU-U.S. justice officials.

PRIVACY

Is Self-Regulation Realistic? (April 13, 2011)

The Wall Street Journal uses the example of catalog mailers to examine whether companies should self-regulate on privacy. Catalog Choice, a Web site that aims to give users choice over the sharing of their personal information, allows users to choose which mailing lists they'd like to opt out of and reports that 95 percent of catalog companies honor users' requests. But some catalog companies say they don't work with any third parties and aren't required to belong to such organizations, the report states. Chris Hoofnagle of the University of California Berkeley, who advises the company on legal matters, explains "the organization is legally an 'agent' for people requesting opt-outs." (Registration may be required to access this story.)

PERSONAL PRIVACY—EU

Commission Outlines Smart Grid Plans (April 13, 2011)

The European Commission has presented its ideas on how to push smart grids forward, Europolitics reports. Among plans to develop common technical standards across the EU to allow for system interoperability, the commission asks that member states produce action plans for smart grid implementation. The smart grid will digitize electricity use via smart meters, which communicate consumer energy use back to the utility. Energy Efficiency News reports that Energy Commissioner Gunther Oettinger "yesterday unveiled a report calling for all European nations to set smart meter targets by 2012." A spokeswoman from consumer organization BEUC noted that smart meters will supply utilities with a "truckload of personal data" and called for safeguards.

DATA LOSS—U.S.

Experts Discuss “Breach Notification Fatigue” (April 13, 2011)

The Texas Attorney General's Office is investigating a breach by the comptroller's department that may be the largest in the state's history, exposing the personal data of 3.5 million individuals. Meanwhile, paystub data at a Massachusetts healthcare provider was exposed due to a software glitch. And, the high-profile breach at Epsilon continues to raise concerns in the U.S. and abroad, prompting a CSO report to question, "are so many breach notifications from so many companies numbing their impact?" While some experts point to the educational value of notices, others suggest "notification fatigue" abounds in cases where no tangible harm occurs.

PRIVACY LAW—U.S.

Bill To Protect Readers’ Privacy Moves Forward (April 13, 2011)

California's State Senate Judiciary Committee has passed a bill to protect the privacy of Californians' reading habits, according to the Electronic Frontier Foundation. The Reader Privacy Act of 2011, SB 602, would require the government and other third parties to obtain a search warrant or court order to access sensitive reading records. The law would cover both e-books and hard copies. The bill, introduced by California Sen. Leland Yee (D-San Francisco), aims to protect the "detailed portrait" potentially gleaned by viewing what a person has borrowed from libraries, browsed on digital book service sites or purchased from bookstores. The bill next goes to the State Senate Appropriations Committee.

PRIVACY LAW—PAKISTAN

Opinion: Pakistan Needs Cybercrime Legislation (April 13, 2011)

Pakistan's government should immediately reconstitute a select committee to propose internationally compliant legislation on cybercrime, writes National Assemblyman Marvi Memon in the International Herald Tribune. The Prevention of Electronic Crime Ordinance (PECO) was introduced in 2009 but did not pass the house after Memon and other assembly members blocked the bill, which he says lacked necessary amendments on human rights and international convention compliance. Had PECO passed, for example, police authorities could have seized computers and electronic data without warrants and made arrests based on cybercrimes that are "non-bailable," with no protections against fabricated evidence. New legislation should establish "law enforcement training...a parliamentary advisory group and an international cybercrime task force."

GENETIC PRIVACY—U.S.

State Grapples with DNA Storage, Use Questions (April 13, 2011)

Two separate uses for DNA are raising privacy concerns in Minnesota. MPR News reports on two state senate proposals that would require the Minnesota Department of Health to promptly destroy newborn blood samples, which are collected to identify medical disorders and can currently be stored indefinitely for other testing and disease research. The proposed legislation would require parental consent and a maximum storage period of two years. "Until there is consent for the storage and the use of our genetic information, no research should happen," one privacy advocate said. Separately, proposed legislation to let police test samples for familial DNA matches to solve crimes is also raising privacy questions.

Experts Discuss Proposed “Commercial Privacy Bill of Rights” (April 13, 2011)

By Emily Leach, CIPP

Senators John Kerry (D-MA) and John McCain (R-AZ) yesterday presented the “Commercial Privacy Bill of Rights Act of 2011,” laying a framework for the protection of Americans’ personal information in the online environment.

Some highlights include:

  • A right to opt out of online behavioral advertising
  • A requirement that “covered entities” receive opt-in consent before collecting sensitive personal information
  • A requirement that “covered entities” implement a Privacy by Design model to protect consumer information, including collecting and storing only the information necessary to the intended purpose for as long as it is needed
  • The ability for people to access their information and, if necessary, correct it

Industry and privacy experts alike are weighing in on the implications of the bill, which the senators describe as predicated on the beliefs that “personal privacy is worthy of protection through appropriate legislation” and current laws provide “inadequate privacy protection for individuals engaging in and interacting with persons engaged in interstate commerce.”

Power to the FTC

While the bill contains some provisions that impose regulations directly onto covered entities, much of the onus of rulemaking falls on the FTC.

“This will give the FTC significant power to shape the privacy landscape in this country,” says Lisa Sotto, of Hunton & Williams, which has provided a detailed outline of the bill in its Privacy and Information Security Law Blog.

Sotto points out, “The bill does not pick up on the FTC's new focus on harm to human dignity. Instead, the bill focuses on traditional notions of harm, specifically economic and physical harms.”

The bill also eliminates private rights of action, giving the right to bring suit against violators to state attorneys general and the FTC. Amy Mushahwar of Reed Smith LLP says this is good news, noting, “by excluding a private right of action and shutting out the class-action bar, this bill does not make the same mistake that was made in the telemarketing context nearly 20 years ago.”

What’s covered?

The bill broadly refers to a “covered entity” as anyone that “collects, uses, transfers or stores ‘covered information’ on more than 5,000 individuals” over a consecutive 12-month period and is subject to FTC authority, the Communications Act or is a nonprofit.

Covered information refers to personally identifiable information (PII), while the subset of sensitive personal information includes medical...

DATA LOSS—U.S.

TX Breach Brings Firings, Criminal Investigation (April 12, 2011)
Texas Comptroller Susan Combs announced on Monday that human error resulted in confidential data on 3.5 million Texans--including teachers, state workers, retirees and those receiving unemployment--ending up accessible online for about a year. Data from four state offices are involved in the breach, which includes Social Security numbers, dates of birth and addresses. The comptroller's spokesman, R.J. DeSilva, said that the employees responsible were fired, and while the information doesn't appear to have been misused, the FBI and Texas attorney general have opened a criminal investigation, reports the American-Statesman. The breach was discovered and fixed on March 31, and the office has apologized for it. "The procedures were there. They were not followed," DeSilva said.

PRIVACY LAW—NEW ZEALAND & EU

Working Party Recommends “Adequacy” for NZ (April 12, 2011)

The Article 29 Working Party has issued its opinion on New Zealand's data protection and privacy law, writing that "although some concerns still exist," New Zealand ensures "an adequate level of protection within the meaning of Article 25(6) of Directive 95/46/E...with regard to the processing of personal data and the free movement of such data." In the opinion, the Working Party notes that it is also encouraging authorities there "to take the necessary steps to address weaknesses in the current legal framework," including strengthening the law governing direct marketing. The opinion also calls for maintaining oversight of data transfers to countries that "are not themselves subject to an adequacy finding."

PRIVACY LAW—U.S.

Kerry, McCain To Unveil Online “Bill of Rights” (April 12, 2011)

Sen. John Kerry (D-MA) has announced that he and Sen. John McCain (R-AZ) will unveil their Commercial Privacy Bill of Rights Act of 2011 at a press conference this afternoon. MediaPost reports that the proposed legislation "could potentially impose a host of new legal obligations on ad networks." A draft of the bill, which was released late last month, indicates that the legislation would authorize the Federal Trade Commission to craft privacy regulations and would require companies to notify consumers about how their data is collected and used while also providing opt-out provisions for use of their personal information by third parties. Editor's Note: Thursday's IAPP Web Conference, "Do Not Track: Implementation and Impact," will feature more on the calls for consumers to be allowed to opt out of online tracking.

DATA LOSS

Epsilon Breach Could Cost More Than $100M (April 12, 2011)

Writing for ITWorld, Kevin Fogarty explores the financial repercussions of Alliance Data Systems subsidiary Epsilon's data breach, stating that it could cost the company more than $100 million--mostly due to lost sales. While, so far, only one company has announced it will break ties with Epsilon, Fogarty says, "The greatest risk is the potential loss of customers." Ponemon Institute founder Larry Ponemon, CIPP, estimates breaches cost companies $214 per record in lost sales and direct costs. Alliance said in a statement last week that its top priority will be "to ensure that Epsilon's clients regain complete trust in the company's operations" while also urging customers to be wary of e-mails sent from unknown sources.

PRIVACY LAW—CANADA

Judge Dismisses Facebook Lawsuit (April 12, 2011)

Quebec Superior Court has dismissed a class-action lawsuit against Facebook. Judge Michel Déziel refused to authorize certification of the lawsuit, filed in July 2010 by Merchant Law Group in Toronto, which claimed that Facebook breached the privacy of its users, All Facebook reports. The suit also claimed that Facebook's altered privacy rules misappropriated users' personal information, enabling behavioral targeting, the report states. Déziel wrote that "Quebec courts do not have jurisdiction on the litigation because all the users of Facebook accepted, while joining itself to the site, to submit all the eventual recourses to the Californian courts of the district of Santa Clara."

ONLINE PRIVACY—U.S.

Experts: Protecting PII Comes with a Price (April 12, 2011)

Many Web sites are "snatching, saving, selling information on every click you make, every bit of personal data they can grab," notes Tom Ashbrook, host of NPR's "On Point," exploring current private-sector and legislative privacy protection initiatives. Pointing out that a presumption of privacy that once existed cannot be expected on the Web, Ashbrook interviews researchers, Internet experts and the founder of one reputation management company on people's willingness to "buy back their own privacy" and on federal efforts to give consumers an option not to be tracked online. As one expert puts it, the question for the decade ahead is, "Who's going to control this data?"

DATA PROTECTION—TAIWAN

Gov’t Establishes Consumer Protection Differentiators (April 11, 2011)
Taiwan's government has established a system to protect online consumers, Focus Taiwan News reports. The Ministry of Economic Affairs will issue data privacy protection marks to companies in an effort to ensure consumer trust in online commerce amid the increasing risk of scams such as phishing, in which attackers attempt to obtain users' personal information by pretending to be legitimate Web site operators. The government will fund the system's implementation during its trial period, and the Department of Commerce (DOC) will hold information sessions in cities around Taiwan. The new system is part of the DOC's ongoing effort to ensure online safety; it recently issued identification marks to guard against scams.

DATA LOSS—U.S.

Lawmakers Push for Answers, Investigation (April 11, 2011)

The House Subcommittee on Commerce, Manufacturing and Trade wrote to e-mail marketing company Epsilon last week giving it an April 18 deadline for delivering information on the company's recent data breach. Tech Daily Dose reports that while the data exposed in the breach was limited to names and e-mail addresses, lawmakers worry that phishing e-mails could lead "an unwitting consumer into financial disaster," subcommittee members Mary Bono Mack (R-CA) and G.K. Butterfield (D-NC) wrote. Meanwhile, Sen. Richard Blumenthal (D-CT) is asking the U.S. attorney general to investigate the breach and look into whether civil or criminal charges should be filed against the company, reports ConsumerAffairs.com. Blumenthal says Epsilon should be required to notify all those affected and offer them free credit reporting services and insurance.

HEALTHCARE PRIVACY—U.S.

OCR Taking Stronger Approach To Enforcement (April 11, 2011)

If the $1 million settlement reached by Massachusetts General Hospital and the Department of Health and Human Services Office for Civil Rights (OCR) last month is any indication of what's to come, the OCR plans to take healthcare privacy enforcement seriously. In this Daily Dashboard exclusive, Susan Rhodes of the OCR discusses the recent settlement with Massachusetts General and offers advice on how to stay compliant with healthcare privacy and security rules. Strengthened by the HITECH Act, the OCR is now taking a "strong enforcement approach" to healthcare privacy rules, Rhodes said, adding that state attorneys general are now doing the same.

PRIVACY LAW—U.S.

Internet “On Alert” for New Regulations (April 11, 2011)

"As federal officials move closer to creating Internet privacy laws, companies that have enjoyed the freewheeling nature of the Internet find themselves under increased scrutiny." That is the basis of a recent report in The Washington Post that looks at reactions from online companies and privacy advocates to the push at the federal level for privacy laws governing online tracking for such purposes as targeted advertising. As one privacy expert put it, "No matter what size the company, they are seeing how a government inquiry can shut down a business or affect the future of others. Privacy is now a line item in business plans." (Registration may be required to access this story.)

DATA LOSS—SOUTH KOREA

Hackers Access Data on 420,000 (April 11, 2011)

South Korea's Financial Supervisory Service has launched an investigation into a car manufacturer's consumer finance unit, Reuters reports. Hyundai Capital said the personal information of about 420,000 of its 1.8 million customers was leaked when a hacker accessed its database, the report states. Hyundai has launched its own investigation and says that some customer passwords may have been accessed. The company holds data on auto financing, personal loans and home mortgages. 

DATA LOSS—U.S.

Pilots’ and Patients’ Data Exposed (April 11, 2011)

A former chief pilot at US Airways handed over names, addresses, Social Security numbers and possibly the passport information of 3,000 of the airline's pilots to a third-party pilot group in 2009, reports eSecurityPlanet. The U.S. Airline Pilots Association and the FBI are investigating the breach. Meanwhile, Philadelphia's Family Planning Council announced on Friday that, last December, a former employee stole a flash drive containing personal and medical records on about 70,000 patients from a number of providers. Philly.com reports the lost data includes patients' names, addresses, phone numbers, Social Security numbers, dates of birth and insurance and medical information. There is no indication any of the data has been misused.

PRIVACY LAW—U.S.

Lawmakers Seek to Repeal Driver’s License Law (April 11, 2011)

Maine lawmakers are urging a full repeal of a federal law requiring biometric data collection during the process of obtaining a state driver's license. Rep. Ben Chipman (I-Portland) is sponsoring LD 1068, "An Act to Protect the Privacy of Maine residents under the Driver's License Laws." The bill, which is seeing support from both sides of the state house, would repeal state laws that comply with the 2005 Real ID Act, the Portland Press Herald reports. The Maine Civil Liberties Union held a press conference last week advocating for that law's repeal federally. A spokeswoman for Maine's governor said he "has a strong interest in protecting the privacy of Maine people." Editor's Note: Privacy professionals recently discussed acceptable forms of identification on the IAPP Privacy List, a free service for IAPP members. To learn more, visit our Web site.

ONLINE PRIVACY

What Happens to Your Digital Life After Death? (April 11, 2011)

All Things Digital explores the question "Who will be reading your e-mail after you die?" in a feature on a new startup aimed at letting users decide. Michael Aiello, founder of LifeEnsured, explains, "We want people to think about what their virtual life is and what it means to them and their families and how they want to be perceived after they pass away." Besides deleting social network accounts or entries on online dating sites, options include moving photos stored in online servers into the public domain and sending final e-mails. And whatever end-of-life options LifeEnsured users may choose, Aiello says, "We put all the requests for our paying members in irrevocable trust."

ONLINE PRIVACY—U.S.

Opinion: Balancing Privacy and Innovation (April 11, 2011)

Slate explores the implications of a proposed FTC settlement with Google over its Buzz social network, questioning the impact of required privacy audits included in the proposal. "There's a good chance that privacy regulators--spurred by a public that doesn't really know what it wants when it comes to online privacy--may go too far," Farhad Manjoo writes in the report, suggesting that if companies are blocked from analyzing users' data, "profound implications for the future of computing" will result. While many fear that it is becoming harder to differentiate between anonymous online data and PII, Manjoo points to Internet innovations in suggesting, "tracking is not always a bad thing."

OCR Provides Guidance on HITECH Compliance, Investigation Procedures (April 11, 2011)
If the $1 million settlement reached by Massachusetts General Hospital and the Department of Health and Human Services Office for Civil Rights (OCR) last month is any indication of what’s to come, the OCR plans to take healthcare privacy enforcement seriously.

FINANCIAL PRIVACY—U.S.

SEC Imposes First Fines for Privacy Rule Violation (April 8, 2011)
The U.S. Securities and Exchange Commission has fined three individuals for violations of the Privacy Rule and Safeguards Rule of Regulation S-P. Last year, securities broker-dealer GunnAllen Financial, Inc., sent notice to account holders that it was liquidating and informed them of subsequent options regarding their accounts. A month later, a GunnAllen representative downloaded the account holders' files to his personal thumb drive and took them to a new firm. The action violated the Privacy Rule, which allows customers to opt out of third-party disclosures, and the Safeguards Rule, which blocks transfers when customers are not given that choice. Two individuals were fined $20,000 and the third $15,000 for "aiding and abetting GunnAllen's rule violations," writes Andrew Smith in this Daily Dashboard exclusive.

PRIVACY LAW—AUSTRALIA

Senators Call for Right to Privacy, Civil Actions and “Do Not Track” (April 8, 2011)

A parliamentary report released on Thursday recommends giving Australians a legal right to online privacy, iTWire reports. Senate committee members who collaborated on the report also recommend giving Australians a civil right of action for serious privacy violations and "increasing the scope" of the Office of the Privacy Commissioner. Senator Mary Jo Fisher said, "The report also recommends allowing an individual online user to dictate the amount of personal data that a Web service provider can collect and use to target them with advertisements through a 'Do-Not-Track' model." She added, "Whilst the committee's 'asks' aren't small, they should be considered by a country which embraces technology in leaps and bounds."

PRIVACY LAW—EU

Commissioners: Rules Needed for Law Enforcement Data Access (April 8, 2011)

European data protection commissioners have called for reforms to provide "an effective and consistent implementation of fundamental rights in a global environment," OUT-LAW News reports. At an event this week, the commissioners also called for data protection laws to apply to law enforcement agencies in the same way they do for companies and governments. The commissioners expressed concern that data intended for private-sector use is increasingly being repurposed for law enforcement needs. Data protection laws currently under revision should include clauses that allow for such use while balancing individuals' personal privacy rights, the commissioners said.

STUDENT PRIVACY—U.S.

Department of Education Proposes FERPA Changes (April 8, 2011)

The Department of Education has named Kathleen Styles, formerly of the Census Bureau, as its first privacy officer and proposed several changes to the Family Educational Rights and Privacy Act, Education Week reports. The proposed changes include stricter enforcement, protection of directory information and provisions to allow high schools to track their graduates' success in college. "Data should only be shared with the right people for the right reasons," said Secretary of Education Arne Duncan. "We need common-sense rules that strengthen privacy protections and allow for meaningful uses of data. The initiatives announced today will help us do just that." Comments on the proposal will be accepted for the next 45 days.

PRIVACY LAW—U.S.

Mobile App Investigation Prompts Questions (April 8, 2011)

A decision by federal prosecutors to investigate whether the transmittal of user data via mobile applications violates the law is raising questions for consumers, CNET reports. The basis of the investigation, the report suggests, is to determine "whether app developers have violated the Computer Fraud and Abuse Act...created to prosecute computer hackers who go after information stored on a computer." The report also highlights the ability of some apps to send location data and unique device IDs without users realizing it. "The majority of app makers put third-party tracking tools as part of the underlying code of their application, meaning there's no on-off switch," the report states.

DATA LOSS—U.S.

Financial Services Group Breached (April 8, 2011)

Hartford Financial Services Group has announced that its servers were breached by password-stealing Trojans, affecting about 300 people--mostly employees and contractors of the company, reports Help Net Security. The Connecticut company informed the New Hampshire attorney general and those affected in March. The Hartford is offering those affected two years of credit monitoring services. It is also working to patch its system and is ramping up privacy and security training for employees.

SEC Levies Privacy Fines on Three Financial Execs (April 8, 2011)

By Andrew Smith

On April 7, the U.S. Securities and Exchange Commission announced an administrative settlement in which it fined three individuals a total of $55,000 for violations of the Privacy Rule and Safeguards Rule of Regulation S-P. The SEC stated that this is the first case in which it has assessed civil penalties for violations of its Privacy Rule. The Privacy Rule requires that consumers be provided with notice and an opportunity to "opt out" of certain disclosures of personal financial information to non-affiliated third parties.

The three named individuals were associated with the now-defunct securities broker-dealer GunnAllen Financial Inc. As GunnAllen was winding down its operations last year, it sent a notice to the holders of its "direct application accounts" that the firm was liquidating and that the accountholders could permit their GunnAllen representative to make arrangements for their account, or they could take their accounts to a firm of their own choosing. (Direct application accounts are accounts maintained by investors directly with mutual funds or issuers of variable annuities, and for which GunnAllen served as "broker of record," primarily for the purpose of collecting sales commissions.) Less than a month after sending that letter, a GunnAllen registered representative downloaded the information for all of the direct application accounts to his personal thumb drive and took them to a new firm. He did this with the blessing of GunnAllen management.

The SEC alleged that, by this transfer, GunnAllen violated the Privacy Rule, because the individual accountholders were not provided adequate notice and an opportunity to opt out of the transfer. Furthermore, "GunnAllen’s disclosure of the information was not covered by any exception from Regulation S-P’s notice and opt-out requirements, including an exception in Rule 14 of Regulation S-P for disclosures that are required, or are a usual, appropriate or acceptable method, in connection with the transfer of accounts, because GunnAllen failed to obtain the customers’ affirmative consent to transfer the direct applications accounts."

The SEC alleged further that GunnAllen violated the Safeguards Rule, based on the downloading of accountholder data to a personal thumb drive, as well as a series of securities breaches that predated the data transfer.

The SEC charged the three named individuals with "aiding and abetting" GunnAllen's rule violations, and fined two of them $20,000 and...

DATA LOSS

Breach Effects Grow, Legislators Want Answers (April 7, 2011)
As Alliance Data Systems apologizes and works to rebuild its clients' trust, the fallout from last week's Epsilon data breach continues. U.S. legislators are requesting details about the breach and its subsequent risks to consumers, and Sen. Richard Blumenthal (D-CT) is calling for the U.S. attorney general to investigate. Meanwhile the list of affected companies continues to grow. Forrester Research Analyst Dave Frankland told eWEEK that the effects of this breach reach farther than the company's client base, saying the breach calls into question the security of data in a cloud-computing environment.

PRIVACY LAW—U.S.

DOJ: Privacy Reforms Would Impede Investigations (April 7, 2011)

Department of Justice (DOJ) officials are speaking out against calls for federal legislation to better protect online privacy, CNET News reports. Associate Deputy Attorney General James Baker has spoken out against a set of changes proposed last year by Digital Due Process, a coalition of businesses and advocacy groups, to update the Electronic Communications Privacy Act with more safeguards for Internet users. The proposal includes a call for court approval requirements for such law enforcement activities as tracking cell phones. Baker voiced concerns about the potential to limit "the government's ability to obtain important information in investigations of serious crimes."
Full Story

PRIVACY LAW—EU & SWEDEN

Commission Sends Sweden Back to Court (April 7, 2011)

The European Commission has referred Sweden back to the European Court of Justice for a second time for failing to implement the Data Retention Directive into national law, Reuters reports. In February 2010, the court condemned Sweden for failing to implement the directive, which requires telecommunications companies and Internet service providers to retain online traffic and location data for law enforcement purposes. The implementation deadline for all member states was more than three years ago. The commission asks that the court impose monetary penalties for each day Sweden is not in compliance. Though draft legislation was submitted to Sweden's parliament in December, the vote was deferred for another 12 months in March.
Full Story

PRIVACY LAW—MEXICO

DPA: Enforcement Inspections Not Primary Goal, for Now (April 7, 2011)

Mexico's data protection authority (IFAI) will not rush to carry out compliance inspections or take enforcement actions when the country's data protection law is implemented in July, reports the Hogan Lovells Chronicle of Data Protection. IFAI President Commissioner Jacqueline Peschard Mariscal said last month that the government expects companies to take steps to fulfill the law's basic requirements, such as appointing personnel to data protection responsibilities and establishing written policies on the subject. But, training and education of covered entities will be the authority's primary focus for now, Mariscal said. Mexico's data protection law was passed in April 2010. It recognizes the right to personal data and establishes data protection requirements for government agencies.
Full Story

PRIVACY LAW—U.S.

Senator: California Will Lead the Nation in Do-Not-Track Legislation (April 7, 2011)

The Los Angeles Times reports on California Sen. Alan Lowenthal's (D-Long Beach) do-not-track bill, introduced this week. The bill would allow Internet users to opt out of online behavioral targeting by Web sites and advertising networks on computers, cell phones and other mobile devices. "We will lead and provide stimulus to the rest of the nation," Lowenthal said. "It's much more difficult to get something like this through Washington." The Judiciary Committee will hold a hearing on the legislation April 26. "I'm interested in this, and I think there may be some abuses in this area," said Sen. Tom Harmon (R-Huntington Beach), a member of the committee. (Registration may be required to access this story.) Editor's Note: For more on this bill, dial in to today's Privacy Tracker call or register for the upcoming Web conference "Do Not Track: Implementation and Impact."
Full Story

PRIVACY LAW—EU

Officials Support “Right To Be Forgotten” (April 7, 2011)

A feature in The Christian Science Monitor explores EU Justice Commissioner Viviane Reding's call for a right to be forgotten. While this push has been met with mixed responses from industry and officials, a spokesman for the commissioner says such a right "already exists in the sense that if you live in the EU, you have control over your data. But what's missing is that it hasn't taken account of how we use the Internet now." More stringent rules would not only provide a right for users to remove their data but would also require companies to prove the need to collect data in the first place, the report states.
Full Story

ONLINE PRIVACY—U.S.

City Council Aims To Halt Smart Meters (April 7, 2011)

Lakeport City Council has voted to bring back an ordinance that would place a moratorium on a California public utility's smart meter devices due in part to privacy concerns. The council also voted to support state bill AB 37, which would require Pacific Gas & Electric to provide an opt-out option to customers, Lake County News reports. Board of Supervisors spokesman Tony Farrington told the council he has concerns about privacy and how the data is stored and transmitted. "It's about big brother government and about choice," he said. Customers wanting to opt out would pay fees to do so, which Farrington called "extortion." A Maine utility is experiencing similar pushback.
Full Story

HEALTHCARE PRIVACY—U.S.

Experts: OCR Penalties Just the Beginning (April 6, 2011)
In the wake of the Department of Health and Human Services' issuing of penalties totaling $5.3 million against two healthcare organizations, Help Net Security compiles expert insight on the implications of this first round of fines. "The overall conclusion," the report states, is that "these sizeable fines signal a wakeup call for the healthcare industry and are only the beginning." As ID Experts President Rick Kam, CIPP, suggests, the ramifications for HIPAA noncompliance go beyond fines with "Corrective Action Plans to follow, creation and implementation of revised policies, government agency monitoring--not to mention the potential damage and harm caused to the individuals whose information was breached."

DATA PROTECTION—EU

EU Plans for Cloud Computing Transformation (April 6, 2011)

Digital Agenda Commissioner Neelie Kroes will hold a consultation next month with stakeholders on development of a strategy for cloud computing. The technology, allowing data to be both stored and accessed from any location, will become as transformative to this decade as PCs were to the 1970s, EUObserver reports. But cloud computing's success will depend on a secure framework for data protection internationally, experts say. "It's reasonable to expect that consumers and businesses will require a high level of confidence before they place sensitive financial or medical information in the cloud," said the chairman of the U.S. Federal Communications Commission.
Full Story

ONLINE PRIVACY

Reputation Managers Striving for Internet Amnesia (April 6, 2011)

A report in The New York Times on efforts to make the Internet forget likens the proliferation of personal information online to "a metastasized cancer" that has "embedded itself into the nether reaches of cyberspace, etched into archives, algorithms and a web of hyperlinks." More often, people from all walks of life are turning to online reputation managers that focus on improving their clients' Internet images through such techniques as removing negative posts and burying unfavorable search results. "The Internet has become the go-to resource to destroy someone's life online," the head of one reputation management company put it, adding the result is that life offline is turned upside-down as well. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—EU

Opinion: Wisdom of Retention Laws Remains To Be Seen (April 6, 2011)

Following the announcement that approximately 20 Internet companies, including Google and Facebook, are filing a complaint with the State Council of France contesting a decree that requires them to keep user data for a full year, Silicon Republic examines issues around data retention in the EU. Ireland, the report points out, requires ISPs and telcos to retain user data for two years. "The wisdom of the passing of such laws--whether enlightened or draconian--will be telling in the months and years ahead," John Kennedy writes, adding, "Let's hope the system is not open to abuse or invasion of privacy."
Full Story

ONLINE PRIVACY—U.S.

Smart Meter Opt-Out Would Cost Users, Utility Says (April 6, 2011)

Allowing customers to opt out of Central Maine Power's (CMP) smart meter plan or imposing a one-year ban on further installations would kill the project and cost ratepayers tens of millions of dollars, CMP officials said at a public hearing this week. Maine Rep. Heather Sirocki (R-Scarborough) said she may propose legislation allowing consumers to opt out of the meters, reports The Portland Press Herald. If the meters were banned, the company said it would have to repay $22 million in federal grant funding, a cost that would be passed on to customers. CMP has thus far installed 157,000 of the 600,000 meters it plans to install at Maine homes, inciting privacy, cybersecurity and health concerns from residents.
Full Story

DATA LOSS—U.S.

CT Medical Center Loses Hard Drive, Patient Data (April 6, 2011)

Connecticut's MidState Medical Center is now on the growing list of medical centers that have reported a data loss. The hospital is notifying about 93,500 patients that an employee lost a hard drive that may have contained their personal information. Hartford Business reports that the hard drive, which was lost in February, contained patients' names, addresses, birthdates, Social Security numbers and medical record numbers. A hospital spokeswoman said the hospital investigated the loss prior to notifying patients, and there is no indication the information has been improperly accessed. The hospital is offering those affected two years of free identity protection.
Full Story

PRIVACY LAW—FRANCE

Internet Companies Fighting Data Retention Decree (April 5, 2011)
More than 20 Internet companies--including Google and Facebook--are filing a complaint with France's highest judicial body to fight a decree that requires they keep users' personal data for one year, AFP reports. The decree requires the retention of such information as users' full names, addresses, pseudonyms, e-mail addresses and telephone numbers that "can be demanded in the context of an enquiry by police, the fraud office, customs, tax or social security authorities," the report states. The French Association of Internet Community Services (ASIC) "is appealing at the State Council against the decree to keep connection data," Benoit Tabaka of ASIC announced.

DATA LOSS—U.S.

Experts: Low-Risk Breach Has High Stakes (April 5, 2011)

The New York Times reports that privacy experts say a large-scale data breach at e-mail marketer Epsilon has put millions at greater risk of being scammed through phishing attempts. On the surface, a hacker accessing customer names and e-mail addresses doesn't seem overly threatening, but Brian Krebs of Krebs on Security warns, it gives "the bad guys a road map..." Experts say--and many of the affected companies are warning their customers--that, armed with this data, scammers can produce seemingly legitimate "spear-phishing" e-mails that attempt to collect recipients' personal information for nefarious purposes and have a high potential for success. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—SWITZERLAND

Court: Street View Must Blur Images (April 5, 2011)

A Swiss court has ruled that Google must ensure anonymity before it publishes faces and license plates captured in that country on its Street View mapping feature, Deutsche Welle reports. The ruling comes after the Swiss data protection commissioner argued in 2009 that the feature's privacy safeguards were insufficient. The company said it is disappointed with the court's ruling, which also requires the company to blur the skin color and clothing of people near sensitive locations such as women's shelters or hospitals. Peter Fleischer, Google's global privacy counsel, said the company will now consider its appeal options and will "take some time to consider what this means for Street View in Switzerland."
Full Story

PRIVACY LAW

Condé Nast Targeted in Phishing Scam (April 5, 2011)

The ABA Journal reports that magazine publisher Condé Nast was recently duped in a spear-phishing scheme and is suing to recover the funds that the scammers attempted to steal. The publisher received a fraudulent e-mail that appeared to come from its regular printing house asking for payment to be sent to a new address. Relying on this e-mail, the company sent its $8 million payment to the new address. The publisher was alerted to the scam by its printing house and froze the funds, which were still in the recipients' account. This news comes amid high-level concerns that customers affected by the recent data breach at e-mail marketer Epsilon will fall victim to similar spear-phishing campaigns.
Full Story

PRIVACY LAW—U.S.

State Senator Introduces Do-Not-Track Bill (April 5, 2011)

California Sen. Alan Lowenthal (D-Long Beach) has introduced a do-not-track bill, PC World reports. The bill would let Internet users "opt out of online tracking efforts by Web sites and advertising networks," the report states. Since December, when the Federal Trade Commission first suggested the creation of a do-not-track mechanism for the Internet and the words "do not track" entered the everyday parlance of many privacy pros, major Web browsers have introduced such opt-out mechanisms. But Web sites are not required to honor the preferences stated via the browsers. The California bill would change that, says Consumer Watchdog Privacy Director John Simpson; it would ensure that "consumers' choices will be honored."
Full Story


ONLINE PRIVACY—U.S.

Smartphone Probe Could Mean Criminal Charges (April 5, 2011)

The Wall Street Journal reports on an investigation by federal prosecutors into whether certain smartphone applications obtained or shared information about their users without proper disclosures. Among those being questioned, music service Pandora has acknowledged in a U.S. Securities and Exchange Commission filing that it has been subpoenaed in the investigation, which is examining whether smartphone application makers "fully described to users the types of data they collected and why they needed the information--such as a user's location or a unique identifier for the phone," the report states. The investigation could result in criminal charges and is significant to note, according to legal experts, because "federal criminal probes of companies for online privacy violations are rare." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—NORWAY

Parliament Passes Data Retention Directive (April 5, 2011)

The Norwegian Parliament on Tuesday adopted the Data Retention Directive, which will see Internet and telecommunication traffic "stored for six months, regardless of the access platform, after which it will be deleted with no copies being made," according to theForeigner. The 80-to-89 vote is drawing fire from the Liberal Party leader, who said, "I do not think those who voted for the directive understand the consequences of the decision." The Norwegian Data Inspectorate also opposes the directive, saying, "crime fighting is not a privacy measure, rather an interest that must be weighed against the consequences of privacy." The majority of conservatives who voted in favor of the directive are pleased with its passing.
Full Story

DATA LOSS—U.S.

Epsilon Breach Exposes Countless Consumers (April 4, 2011)
The world's largest provider of permission-based e-mail marketing, Epsilon, has announced that a hacker gained access to some of its files, exposing multiple companies' consumer data in what The Economic Times says "could be one of the biggest such breaches in U.S. history." Epsilon serves a wide range of companies including supermarket chain Kroger; banks including U.S. Bank, Capital One Financial Corp and Citigroup; retail stores including Best Buy, Walgreens, LL Bean and Brookstone, and hotel chains including Marriott International, all of which have notified customers that their e-mail addresses, names and, in some cases, other information were compromised in the breach. Epsilon has said no data other than names and e-mail addresses were compromised, but authorities and some companies are conducting their own investigations into the breach. A Security Week article stresses that while some "may dismiss the type of data harvested as a minor threat," such access to customer e-mail lists "opens the opportunity for targeted phishing attacks to customers who expect communications from these brands."

PRIVACY LAW—U.S.

Court: CAN-SPAM Applies to Social Network Messages (April 4, 2011)

The U.S. District Court for the Northern District of California has determined that "messages sent by Facebook users to their Facebook friends' walls, news feeds or home pages are 'electronic mail messages' under the CAN-SPAM Act," the Hogan Lovells Chronicle of Data Protection reports. In the case of Facebook v. MAXBOUNTY, the court sided with Facebook as the plaintiff in denying MAXBOUNTY's motion to dismiss on the basis that CAN-SPAM applies only to traditional e-mail. "The ruling is the most expansive judicial interpretations to date of the types of messages falling within the purview of the CAN-SPAM Act," the report states.
Full Story

PRIVACY LAW—U.S.

Court To Revisit Juror’s Social Networking Case (April 4, 2011)

The California Supreme Court has ordered a state appeals court to revisit the case of a juror who was ordered to release social networking posts he made during a criminal trial. The juror had appealed that order, but the appeals court denied the request. In a media update for The Reporters Committee for Freedom of the Press, Rachel Costello writes that the justices' decision to transfer the case back to the appeals court for a full hearing was unanimous. "This issue is a significant issue and a timely issue for society today because the law has not caught up with technology, and it's time they both run the same track," the juror's attorney said.
Full Story

ONLINE PRIVACY—AUSTRALIA

Privacy Minister: New Regime for Cloud Computing (April 4, 2011)

A government minister has indicated that new principles will be put in place to better protect citizens' data in the cloud computing environment, News.com.au reports. Privacy Minister Brendan O'Connor said the jurisdiction issues that come with cloud computing are troublesome and that "businesses need to think carefully about who and where they are sending personal information and about what privacy protections, if any, the recipients of the information have." O'Connor said, "Under the new regime, before an entity can disclose personal information outside Australia, it will be required to take such steps...to ensure that the overseas recipient does not breach the Australian Privacy Principles."
Full Story


PRIVACY LAW—U.S.

States Dealing with Copier, Fax Data (April 4, 2011)

A New York law went into effect on Friday requiring manufacturers of devices capable of storing data to include instructions on how to wipe the data prior to recycling or disposing of the machines. The Hunton & Williams Privacy and Information Security Law Blog reports that the law also requires retailers of such equipment to institute electronic waste collection programs and notify buyers at the point of sale where the data destruction information can be found. The FTC last year produced a report on the privacy risks associated with digital office equipment with tips for securing data. Other states including Connecticut, Florida, Nevada, New Jersey and Oregon are considering similar laws.
Full Story

BEHAVIORAL TARGETING—U.S.

Opinion: Regulations Could Have Detrimental Effects (April 4, 2011)

Web surfers could soon be paying a "privacy tax" on Internet sites and for online services due to the heat advocates are putting on Congress and the Obama Administration for increased regulation of online advertising, writes Adam Thierer in an opinion piece for Forbes. The push for regulation could mean unintended consequences, Thierer says, including pay walls to cover decreased advertising opportunities, a dwindling of "more and better" online content and a detrimental effect on the ability of U.S. advertising agencies to compete internationally. Advocates haven't been able to prove real harm when it comes to online advertising, sufficient online tools already protect consumers and new regulation is "unnecessary," Thierer says.
Full Story

PRIVACY LAW—U.S.

Attorney: For Privacy Law Compliance, Look to FTC (April 4, 2011)

In a Smart Business report, attorney Kit Winter offers companies advice on how to navigate the "rapidly changing landscape of privacy regulation." Winter advises looking to the FTC's proposed privacy framework for guidance and implementing a privacy-by-design approach to programs and everyday business practices. Limiting the monitoring and retention of customer data, charging personnel with overseeing privacy issues, training employees on privacy matters and encrypting and vigorously protecting consumer data can help mitigate risks, Winter says, adding that the "FTC has also made clear that when a company makes representations about how it treats consumers' personal information, it has to live up to those promises or face FTC action."
Full Story

ONLINE PRIVACY

Miss Manners: Teach the Children Well (April 4, 2011)

Even Miss Manners is weighing in on data privacy concerns. In The Washington Post last week, a reader describes a video chat where a beloved niece "was snapping pictures of me using her computer's camera and was posting them on Facebook." The reader seeks advice on what to do about this younger relative's handling of digital data, asking, "perhaps I need to get with it and be prepared for my close-up at all times?" Miss Manners advises the reader to explain the concept of privacy to the young relative "not only for your protection, but for hers." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—EU & U.S.

Reding: U.S. Moving Toward EU Regulatory Model (April 1, 2011)
The call for a do-not-track mechanism and a privacy bill of rights by U.S. officials "means very clearly that the U.S. is approaching the EU regulatory model." That was one of the messages shared by EU Commissioner Viviane Reding during a speech this week. V3.co.uk reports on Reding's comments that changes to the EU data protection rules, which are expected this summer, may come with additional costs for organizations, but those costs would be offset by less "red tape within the EU" and opportunities for more innovation. Reding said her goals include harmonizing data protection rules within the EU, simplifying the rules of applicable law, facilitating international data transfers and eliminating "those administrative obligations and requirements imposed on businesses that are unnecessary and ineffective."

ONLINE PRIVACY

“G-8 du Web” Planned (April 1, 2011)

Data privacy concerns continue to demand the attention of world leaders. More details have emerged about plans to include Internet privacy on the agenda of the Group of 8 summit in France this year. The New York Times reports that French President Nicolas Sarkozy has enlisted a longtime advertising industry executive to help "organize a gathering of policy makers and Internet company executives" for a "first-of-its-kind meeting, dubbed 'G-8 du Web,'" to coincide with the G-8 summit, which takes place in Deauville, France, in May. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Legislator: All Should Abide By FTC Settlement (April 1, 2011)

At least one federal lawmaker believes the privacy requirements outlined in a proposed settlement between the FTC and Google over the company's Buzz social network should be adopted by all firms. That's according to a report in The Hill that quotes Rep. Anna Eshoo (D-CA) on the importance of businesses' use of personal data being transparent and secure and on the growing number of legislators calling for baseline federal privacy laws. "Google's agreement to obtain consumer consent before sharing new information with third parties should apply to all companies that collect or use personal data," Eshoo said.
Full Story


PRIVACY LAW—U.S.

EPIC Files Objection to Lawsuit Settlement (April 1, 2011)

The Electronic Privacy Information Center (EPIC) has objected to a class-action settlement reached between Google and Gmail users, Reuters reports. EPIC filed its opposition in court this week, saying that the part of the settlement that doles out $6 million to Internet privacy interests is flawed because the funds were given to groups that "receive support from Google for lobbying, consulting or similar services." EPIC had requested but was not granted a share of that sum. The filing states that the court should reject a deal "that encourages organizations to stand by quietly while others do the actual work of safeguarding Internet privacy."
Full Story

DATA PROTECTION—INDIA

Group Calls for Body to Oversee Privacy (April 1, 2011)

The Associated Chambers of Commerce and Industry of India (ASSOCHAM) is calling for a national body to oversee cybersecurity and data protection concerns, India Infoline News Service reports. ASSOCHAM also wants a "detailed regulatory, legal and policy-enabling regime to facilitate further protection and preservation of cybersecurity," the report states. The calls came from the ASSOCHAM event "Safeguarding the Digital Economy." The group's cyberlaw committee chairman, Pawan Duggal, said, "Both the requirements of national sovereign governments as those of balancing the needs of data protection and privacy have to be appropriately addressed."
Full Story

PRIVACY LAW—SOUTH AFRICA

Consumer Protection Act Starts Today (April 1, 2011)

The Direct Marketing Association (DMA) has voiced its support of the Consumer Protection Act--which goes into effect today. The law, among other initiatives, will give consumers the right to opt out of receiving unsolicited direct marketing services by establishing a registry at www.nationaloptout.co.za, reports EastCoastRadio's Consumer Watch blog. DMA spokesman Brian Mdluli said, "It gives more control to the consumer in terms of what they want to hear, when they want to hear it and how they want to hear it."
Full Story

IDENTITY THEFT—U.S.

Children the Target for ID Theft (April 1, 2011)

Identity thieves are targeting children when picking victims, MSNBC reports. That's according to a report published today by Carnegie Mellon University fellow Richard Power, who examined 40,000 children's profiles using data from identity monitoring company Debix. Power found that, of those profiles, 10 percent had identities that were "tainted in some way," including 500 children with names attached to mortgages or foreclosures and 415 with driver's licenses. The report is the first real attempt to quantify the problem of children's identity theft, Power said. The child ID theft expert at the Federal Trade Commission said the results are "informative, giving us the best insight available into the potential scope and nature of the problem."
Full Story

HEALTHCARE PRIVACY—U.S.

Army: To Reduce Suicides, Share Mental Health Info (April 1, 2011)

Army officials say knowing more about soldiers' mental health will help to prevent suicides, the rates of which doubled after 2004. But that thinking is troubling to some who say army access to mental health records may deter soldiers from seeking help if they feel their privacy is being violated, USA TODAY reports. Though HIPAA protects health information, exceptions exist, such as when a patient might cause harm to himself or another. The army encourages doctors to report if a "high-risk" soldier misses a counseling session, for example, and has begun to require a list of soldiers' medical appointments. It's unclear what other behavior might allow the sharing of private therapy information, said a HIPAA officer at Duquesne University.
Full Story

PERSONAL PRIVACY

Samsung: Keylogging Accusations False (April 1, 2011)

Samsung has refuted claims that some of its laptops came loaded with a keylogger. The statement follows an internal investigation launched by Samsung after a report claiming that the spyware was installed on two of its models. The report was based on a security consultant's findings after he had performed a series of virus scans, Digital Trends reports. The keylogging software is publicly available. It records computer users' keystrokes and can send information to a third party without the users' knowledge, the report states. An additional, independent investigation confirmed that the keylogging finding was false.
Full Story

DATA LOSS—U.S.

Stolen Computer Holds Health System Records (April 1, 2011)

The Saint Francis Health System in Tulsa, OK, has announced the theft of a PC containing personal information for 84,000 patients. The records belong to the Saint Francis Broken Arrow outpatient facility, which closed in 2007, and include patient names, Social Security numbers, addresses and pre-2004 diagnostic data, reports eWEEK. This is the third breach of this kind at the hospital in the last several years and the latest in a string of recent breaches at medical facilities. The hospital said, "special expertise and tools" would be necessary to access the files and there is no evidence the information has been accessed. A police investigation is ongoing.
Full Story

DATA LOSS—U.S.

Theft, Human Error To Blame for Breaches (April 1, 2011)

Human error and theft have left thousands of personal records vulnerable to inappropriate access across the U.S. Washington's Wenatchee Valley College accidentally included 3,800 former students' Social Security numbers (SSNs) in records sent to a local law firm in response to a public records request. A Maine bank shut down its online banking service in March after noticing suspicious activity. A suspect has been arrested for stealing a computer containing patients' names and medical information from a New York University School of Medicine physician's office. And, a list of names and SSNs of veterans with upcoming appointments at a Virginia Veterans Administration medical center was found in a government vehicle. There have been no reports of misuse of the data in any of these cases.
Full Story

DATA LOSS—U.S.

Actors’ Personal Health Information Leaked (April 1, 2011)

Officials at a California clinic that caters to performers say they are investigating the possibility of a criminal breach of patient information, The Los Angeles Times reports. The announcement comes after a Web site posted the names, birth dates and stage names of more than 12,000 current and former performers earlier this year, which some say could only have come from the Adult Industry Medical Healthcare Foundation clinic, now known as AIM Medical Associates P.C. "There is preliminary information indicating that criminal behavior by persons or entities may have occurred," AIM said in a statement. An attorney for AIM added that officials believe if a hack occurred, it was an outside job. (Registration may be required to access this story.)
Full Story