Privacy News | Daily Dashboard

Top Privacy News

PRIVACY LAW—U.S.

Sony, Epsilon To Testify Before Congress (May 31, 2011)

A spokesman for Rep. Mary Bono Mack (R-CA) has announced that Sony and Epsilon have agreed to testify before the House Subcommittee on Commerce, Manufacturing and Trade. Scheduled for Thursday, June 2, the hearing will focus on data security in the U.S. and will address the data breaches that have affected both companies in recent months, The New York Times reports. Mack's spokesman said, "The chairman firmly believes that the lessons learned from both the Sony and Epsilon experiences can be instructive and guide us as we develop comprehensive data protection legislation." Meanwhile, Sony has announced that it will resume all services, including credit card payments, by June 5.

PRIVACY—IRELAND

Breaches, CCTV Use Examined in Annual Report (May 31, 2011)

Data Protection Commissioner Billy Hawkes released his annual report this week, and among the findings was a "dramatic increase in the number and significance of organizations that have lost personal data," he said, up from 119 reports in 2009 to 410 in 2010. The report points to increased demands in a new code of practice as the reason, "rather than an increase in the absolute number of data breaches." The report also looks at specific issues related to the use of biometrics and closed-circuit television (CCTV), highlighting one case where a school was required to remove CCTV cameras from its restrooms. The annual report also includes details on recent investigations.
PRIVACY LAW—U.S.

CA Social Networking Bill Fails in Senate (May 31, 2011)

A California bill aimed at protecting the privacy of online social network users was voted down in the state senate last week, reports the San Francisco Chronicle. The bill, by Sen. Ellen Corbett (D-San Leandro), would change social networking sites' practices to set privacy defaults to "private" and allow users to customize privacy settings upon registering--before their information goes public. Opponents of the bill--which include some CA-based Internet giants--say the bill will hurt technology companies and ignores "the extraordinary lengths" online companies are going to protect consumer privacy. Corbett says she will reintroduce the bill for another vote this week.
PRIVACY LAW—U.S.

Boucher Talks Privacy from the Private Sector (May 31, 2011)

The man who introduced one of the earliest Internet privacy measures in the U.S. Congress says legislative action on privacy is inevitable due to mounting public concern and resulting corporate interest. In an interview with the IAPP Daily Dashboard, former Virginia Rep. Rick Boucher discusses legislation recently introduced by Rep. Cliff Stearns (R-FL), the Obama Administration's interest in online privacy, do-not-track measures and his new role as a partner at the law firm Sidley Austin. Boucher now leads Sidley Austin's government strategies practice group.
PRIVACY LAW—U.S.

Mandatory Car Data Recorders To Be Proposed (May 31, 2011)

While many major car manufacturers already include the devices in their vehicles, the transportation department regulatory reform proposal, released on Thursday, includes a plan to make mandatory the inclusion of event data recorders (EDRs) in all new cars and light trucks, reports The Detroit News. The Alliance of Automobile Manufacturers, the trade association for GM, Ford, Chrysler Group LLC, Toyota and eight other automakers, endorses making EDRs mandatory but, according to the report, has concerns that "some in congress wanted recorders that are more elaborate and expensive than are available." A law that will take effect in 2013 standardizes the information collected by EDRs to simplify data collection.
HEALTHCARE PRIVACY—U.S.

Addressing Electronic Health Record Security (May 31, 2011)

The New York Times reports on the data security issues that surround the nation's move towards electronic health records. While acknowledging the need for privacy, "I feel equally strongly that conversion to electronic health records may be one of the most transformative issues in the delivery of healthcare," said Kathleen Sebelius, secretary of health and human services. With nearly 7.8 million health records compromised in the last two years, some health experts think stronger legislation is needed. One legislator said the healthcare industry needs to be more vigilant, but another expert added, "Your ability to control access to your information is a horse that is already out of the stable...what is really needed is legislation that controls the use of it." (Registration may be required to access this story.)
DATA LOSS—U.S.

Military Contractor Investigating Breach (May 31, 2011)

A U.S. defense contractor has announced it has improved remote access security following a breach that disrupted its computer networks, ComputerWeekly reports. Lockheed Martin's "information security team detected the attack almost immediately and took aggressive actions to protect all systems and data," the company said in a statement. The company has also indicated that no personal data has been compromised, the report states. Both Lockheed Martin and security firm RSA have indicated they are examining the attack with federal officials in the wake of speculation it may have been linked to a March breach at RSA.
Boucher: Privacy Legislation Necessary, Possible (May 31, 2011)

 


By Angelique Carson, CIPP

Despite industry resistance to federal privacy legislation, its passage would benefit even those who resist it most.

That’s according to former Virginia State Rep. Rick Boucher, who recently joined the law firm Sidley Austin as a partner. Boucher says that legislative action on privacy is inevitable due to mounting public concern and the resulting corporate interest. When privacy rights are guaranteed online, the public is more trusting of the Internet, leading to a higher volume of electronic commerce, Boucher told the Daily Dashboard in an interview last week. However, when and how it will pass is anyone’s guess in a legislative environment dominated by budgets, he said.

Boucher served as a member of the House of Representatives for 28 years and as a member of its Energy and Commerce Committee for 25 years. He chaired the House Commerce Committee’s Subcommittee on Communications and the Internet. At Sidley Austin, Boucher is heading the firm’s new government strategies practice group, which will turn a significant focus on privacy over the next two years, a topic that he says “will be addressed on Capitol Hill and for which there is a large expectation for legislative action and a constituency that would benefit from legislation being adopted.”

His interest in privacy isn’t newly founded. Eight years ago, Boucher and Rep. Cliff Stearns (R-FL) introduced a measure to provide privacy rights to Internet users. At that time, though, privacy was further down on Washington’s legislative priority list, and the measure failed to gain widespread support. But Boucher says it did generate some conversation on the subject of privacy, which has now matured into one of this congress’s leading subjects.

The 2010 Boucher-Stearns privacy bill, which failed to pass, was an amended version of that original measure. Stearns has since introduced similar but modified bipartisan legislation with Rep. Jim Matheson (D-UT). Boucher said he couldn’t speculate on that bill’s—or any other’s—chances of passing because budget issues are dominating the debate in both houses of congress, pushing privacy and other worthy causes down the priority list. But, he’s optimistic.

“Given the bipartisan nature of support that exists for it, and also given the fact that we have bipartisan bills in the house and the senate from leaders on the subject,” Boucher said, the Stearns bill might pass.

“And I think it’s noteworthy that the president has also lent...

HEALTHCARE PRIVACY—U.S.

HHS Releases Notice of Proposed Rulemaking (May 27, 2011)

The Department of Health and Human Services has released its notice of proposed rulemaking on the HIPAA accounting for disclosures rule. The rulemaking would modify the HIPAA Privacy Rule "to implement the statutory requirement under the HITECH Act to require covered entities and business associates to account for disclosures of protected health information to carry out treatment, payment and healthcare operations if such disclosures are through an electronic health record." Wiley Rein partner Kirk Nahra, CIPP, told the Daily Dashboard, "This is a very worrisome and burdensome proposal that goes well beyond the approach identified by the statute. Companies across the healthcare industry and their business associates should be considering appropriate comments to address these burdens and complications."
DATA LOSS—U.S.

$10 Million Stolen in Bank Breach (May 27, 2011)

The FBI and Secret Service have arrested 95 suspects in a data breach involving Bank of America, Infosecurity Magazine reports. A former bank employee provided customer information to scammers who used the information to hack into about 300 Bank of America customer accounts in California and surrounding states, according to the report. At least $10 million has been reported stolen, and names, Social Security numbers, phone numbers and bank account numbers were accessed, among other details.
EMPLOYEE PRIVACY—U.S.

NLRB Takes Enforcement Action (May 27, 2011)

Organizations planning to fire employees based on comments they've made using social media may want to know about three recent enforcement actions taken by the National Labor Relations Board (NLRB). In an Info Law Group blog post, partner Boris Segalis provides details on the actions, the latest of which, he says, "makes a strong statement about the agency's view on the scope of employee social media protection, including the discussion topics the agency views as protected. The action item for employers is to carefully review and, as appropriate, revise their social media and employee conduct policies to ensure consistency with the NLRB guidance." (Editor's note: Yesterday's Web conference, "Workplace Privacy - A Survey of New Developments," discusses new obligations for global employers based on the developments of the past year. To hear more from Segalis and others, you may purchase the recording.)
STUDENT PRIVACY—U.S.

Lawmakers Examining SAT, ACT Privacy (May 27, 2011)

Reps. Ed Markey (D-MA) and Joe Barton (R-TX) are asking the nonprofits behind the standardized SAT and ACT tests about their disclosure and privacy policies, Bloomberg reports, as both the College Board and ACT, Inc., collect data from teens registering for the tests and then sell that information to colleges. The College Board's database includes 5.1 million student names, while ACT has a database of 2.4 million high school students, the report states. "There should be some kind of regulatory control over what even a nonprofit can be culling from students," one privacy expert said, noting elements of the collection "read as less than voluntary because these tests are usually required to get into college."
DATA LOSS—AUSTRALIA

Banks Suffer Breaches (May 27, 2011)

Major banks are contacting customers to inform them that an external merchant has suffered a potential data breach, ZDNet reports. Commonwealth Bank, one of those affected, has contacted some 8,000 customers and is monitoring accounts and reissuing cards. Westpac Bank is also notifying customers, though reporting only a small number have been affected. National Australia Bank is using fraud detection technology to monitor at-risk accounts. The breached merchant has not been named.
DATA LOSS—U.S.

4,000 Employees’ Personal Data Compromised (May 27, 2011)

The personal information--including Social Security numbers--of 4,000 employees at a California school district has been compromised, The Sacramento Bee reports. A district spokesman said that an employee from the human resources department loaded the personal data on a flash drive in order to work from home and then inadvertently uploaded the data onto her church website. District officials have notified the affected employees, adjusted network policies and "taken the appropriate personnel action." Joanne McNabb, CIPP, CIPP/G, CIPP/IT, chief of the California Office of Privacy Protection, said that training employees to appropriately handle sensitive data "is an area that all organizations need to stay up-to-speed on...real harm can come to people."
IDENTITY THEFT—U.S.

Man Pleads Guilty to ATM “Skimming” (May 27, 2011)

Another New York resident has admitted that he accessed personal information from ATMs in the northern New Jersey area and stole approximately $300,000, The Wall Street Journal reports. Arrested last fall, the suspect has been accused of using an electronic device that "skims" personal identification numbers and account information. The man has pleaded guilty in federal court and will face sentencing this September. Each count of aggravated identity theft includes a mandatory consecutive two-year prison term, and, according to the article, the bank fraud conspiracy charges have a potential penalty of 30 years in prison. (Registration may be required to access this story.)
PRIVACY LAW—U.S.

Suit Filed Over Breach (May 27, 2011)

Infosecurity Magazine reports on a federal lawsuit alleging a lack of security resulted in a recent data breach at Michaels Stores. The suit, which seeks class-action status, alleges the company "violated federal and state law by failing to take reasonable steps to safeguard its customers' personal financial data, including credit and debit card numbers and PINs," the report states. Michaels announced the theft of customer banking information through PIN-pad tampering earlier this month, removing about 7,200 of the units from its stores. The plaintiff in the case had $1,300 stolen from her bank account as a result of the breach, the report states. 
DATA LOSS

Automaker Notifies 280,000 of Breach (May 27, 2011)

In February, Honda Canada discovered that hackers had accessed a Web server that held company-created MyHonda and MyAcura websites for 280,000 of its customers. The sites were part of a 2009 mail campaign and were prepopulated with customer data including names, addresses and vehicle identification numbers, reports Computerworld. Upon discovering the breach, Honda took the system offline and, after an investigation, sent notification letters to those affected, telling them to watch for phishing campaigns. The company says the risk of identity theft is low. One customer laments, "It appears that even if you didn't create an account on their websites, if they mailed you about upcoming specials in 2009, your data were involved."
ONLINE PRIVACY

Opinion: Big Data Needs Ethics (May 27, 2011)

In an article for the MIT Technology Review, Jeffrey F. Rayport delves into "Big Data" and the myriad companies emerging that mine and aggregate "massive amounts of unstructured data"--800 billion gigabytes of which is currently available, estimates market intelligence firm IDC--for financial gain. "As the store of data grows, the analytics available to draw inferences from it will only become more sophisticated," Rayport opines, adding, "The potential dark side of Big Data suggests the need for a code of ethical principles." Rayport proposes a structure of ethics, including his own digital "Golden Rule: Do unto the data of others as you would have them do unto yours."
PRIVACY LAW—EU

Cookie Directive In Effect, EC Threatens Action (May 26, 2011)

The European Commission (EC) is threatening action against member states that have failed to implement the EU's new cookie law, The Register reports. The deadline to comply with the amended EU Privacy and Communications Directive passed at midnight. Though UK Information Commissioner Christopher Graham said he will not take action against noncompliant companies for one year, European Digital Agenda Commissioner Neelie Kroes has warned that she will take "measures necessary" against noncompliant states. A spokesman for the EC said it "may open infringement proceedings against the member states in question as a matter of urgency."

ONLINE PRIVACY

Mixed Perspectives at E-G8 Summit (May 26, 2011)

"The Internet could be regulated, but not too much, not too soon and preferably not by a government." That's the general consensus at the e-G8, The Wall Street Journal reports. Those speaking at the event included the founder of Facebook, Google's CEO and the head of News Corporation, along with privacy expert Christopher Wolf of Hogan Lovells, who said "there is greater need than ever for global strategies to protect privacy, and countries on both sides of the Atlantic have much to learn from each other." EU Commissioner Neelie Kroes has said the Internet should be on the agenda of "every meeting" of global leaders. (Registration may be required to access this story.)
PRIVACY LAW—U.S.

Senator Calls for Mobile App Privacy Policies (May 26, 2011)

In a letter sent to Apple and Google on Wednesday, Sen. Al Franken (D-MN) called for privacy policy requirements in "location-aware" apps. Computerworld cites a recent study by TRUSTe and Harris Interactive that found less than 20 percent of the most popular free apps available through mobile devices are linked to privacy policies. In the letter, Franken wrote, "Requiring that each app in your stores have a clear, understandable privacy policy...would be a simple first step that would provide users, privacy advocates and federal consumer protection authorities a minimum of information about what information an app will access and how that app will share that information with third parties."
CONSUMER PRIVACY—UK

Innovative Data Uses for TV Content (May 26, 2011)

A television executive has asked Ofcom to review airtime trading and "investigate the control of audience data," reports The Guardian. In a Royal Television Society speech, David Abraham said that by 2020 about two-thirds of "TV audiovisual content" will be tracked, including TV, PC and mobile platforms. "I don't think the penny has dropped about who is controlling the data," Abraham said, adding, "Future ad sales models are unclear, but two things are certain--change is likely and data is becoming more important." Abraham also said if viewers allow Channel 4 to access and share "some of their anonymized data...we can invest the proceeds in original, risk-taking and imaginative content."
PRIVACY LAW—U.S.

RI Senate Passes SSN Bill (May 26, 2011)

A bill passed unanimously in the Rhode Island Senate on Tuesday would make it illegal for businesses to ask for any part of a customer's Social Security number (SSN), reports The Boston Globe. The state currently prohibits companies from asking for full SSNs from customers, but the bill's sponsor, Majority Leader Dominick Ruggerio (D-North Providence), said this bill would further protect consumers from identity theft. Currently, a similar bill is pending in the house, states the report.
PRIVACY LAW—U.S.

Smartphone Privacy Laws Differ State to State (May 26, 2011)

International Business Times reports on the ongoing debate in U.S. courts about "how much privacy a phone deserves," as laws protecting phone data are fledgling. A Pennsylvania federal court recently ruled that a warrant is required for law enforcement authorities to obtain call records, while the California Supreme Court says a smartphone can be searched upon arrest in the same way a wallet can. Ohio's Supreme Court ruled that the search of a suspect's cellphone was invalid because of the vast amount of data stored on the cellphone, and the U.S. Court of Appeals in San Francisco ruled that a warrant for electronic records searches must specify crime-related records.
PRIVACY LAW—U.S.

Lawmaker Wants Investigation Made Public (May 26, 2011)

A U.S. lawmaker is urging the Federal Communications Commission (FCC) to release findings of its investigation into Google's collection of WiFi data with its Street View cars, The Hill reports. Rep. Tom Graves (R-GA) has sent a letter to FCC Chairman Julius Genachowski urging him to release a full report of the investigation's details. Graves is concerned the FCC has not shared the case's facts with congress and says doing so "will allow congress to determine whether legislative action is necessary to prevent such a breach of private information in the future."
ONLINE PRIVACY—U.S.

Opinion: Privacy Tools Should Be User-Friendly (May 26, 2011)

Writing for Consumer Reports, Paul Eng says that consumer awareness of available privacy tools is low and suggests that companies should make privacy protection tools more user-friendly for their customers. In a recent speech, Mozilla's Alex Fowler said only one to two percent of Firefox 4 users are taking advantage of its do-not-track feature, but Fowler noted that the do-not-track feature will be "much more prominently displayed" in its Firefox 5 software. Eng added, "Increased attention from federal lawmakers and regulators will help raise awareness of online privacy tools and issues as well."
 

ONLINE PRIVACY

G-8 Leaders Talk Privacy, Internet Regulation (May 25, 2011)

In a communiqué to be issued later this week, G-8 leaders are expected to call for stronger regulation of the Internet, including strengthened privacy protections, The New York Times reports. The document is expected to call for "an international approach to protecting users' personal data," and to "encourage the development of common approaches...based on fundamental rights that protect personal data, whilst allowing the legitimate transfer of data," according to a Daily Mail report. At yesterday's opening of the e-G8 Forum in Paris--a prelude event to the Group of Eight meeting taking place later this week in Deauville, France--global Internet leaders and heads of state discussed and debated some of the issues that have provoked the attention of the G-8. (Registration may be required to access this story.)

PRIVACY LAW—EU

Member States Likely To Miss Cookie Deadline (May 25, 2011)

Some member states will likely miss Thursday's deadline to implement the EU's new cookie law, ClickZ reports, causing Web companies confusion about complying lawfully. To date, Denmark and Estonia are the only states to have implemented the amended EU Privacy and Communications Directive, which gives Internet users more control of their data and requires any company with EU customers to comply. Meanwhile, UK Information Commissioner Christopher Graham has said he will give companies one year to comply with the law. The UK Department for Culture, Media and Sport has published an open letter on how it expects the rules to be implemented.
PRIVACY LAW—U.S.

State’s Privacy Legislation Prompts Opposition (May 25, 2011)

Dozens of companies--including Facebook and Google--are teaming up to curtail two privacy bills that have been introduced in California's state legislature. SB 761 proposes an online do-not-track mechanism, and SB 242 would require social networking sites to implement stronger privacy policies for users. In a letter opposing SB 761, the companies wrote, "Prohibiting the collection and use of this data would severely harm future innovation," and in a separate letter opposing SB 242, the companies argued the bill is "unnecessary and would be difficult to implement," The Wall Street Journal reports. A spokesman for one of the bill's sponsors said, "We've had favorable feedback on the bill from constituents and the general public." (Registration may be required to access this story.)
DATA LOSS—CANADA

Breach Spreads to Canadian Website (May 25, 2011)

Bloomberg reports on an unauthorized intrusion into a Sony Ericsson Mobile Communications website located in Canada. The names and e-mail addresses of approximately 2,000 customers were stolen. Discovered on Tuesday, the incident prompted the mobile phone company to disable the website. This latest breach comes after incidents earlier this week affecting Sony services in Thailand, Indonesia and Greece. "This is getting very serious," one analyst notes. "What looked like a game-related attack in the U.S. is spreading to other businesses, such as music, and to all over the world."  
PRIVACY

Opinion: Privacy? Dead? It Could Be Worse (May 25, 2011)

Though some claim that privacy has been dead for years now, "it could be worse, and probably will be," writes Kashmir Hill for Forbes. Video surveillance using facial recognition is expected to increase--as is the use of RFID chips, which will be embedded in everything from cars and keys to sunglasses and prescription bottles, Hill says. One Hawaii hotel is already using the chips to track hotel property like pool towels. Driver surveillance is also expected to increase, with red light cameras and speed-monitoring devices already employed in 23 states. According to the report, DNA databases are quickly growing, as well, despite a lack of government regulations on the data.
ONLINE PRIVACY

Opinion: Users Need Internet Control (May 25, 2011)

In an op-ed piece for The New York Times entitled, "When the Internet Thinks It Knows You," Eli Pariser of MoveOn.org writes about the ability of algorithms and Internet giants to edit and sift through the Web's wealth of information, offering "personalized filters that show us the Internet that they think we want to see." The danger, Pariser writes, is an Internet that "offers up only information that reflects your already-established point of view." When it comes to tracking our likes and dislikes, clicks and searches on the Internet, he contends that companies "need to give us control over what we see--making it clear when they are personalizing and allowing us to shape and adjust our own filters." (Registration may be required to access this story.)
PRIVACY LAW—U.S.

Wooley Discusses Self-Regulation, Do Not Track (May 25, 2011)

Ken Magill of The Magill Report writes about Direct Marketing Association Vice President Linda Wooley's comments that the Federal Trade Commission is pleased with the online ad industry's efforts at self-regulation--especially the creation of its Advertising Option icon. Wooley also says that legislation, such as the recently proposed do-not-track bill, may still be on the horizon, adding that if an online marketing law is passed, "it should outlaw its use for making eligibility decisions. If the law said you can't use marketing data to decide if someone should get health insurance...we would be right there with them."
SOCIAL NETWORKING—U.S.

Senator: Site Needs To Protect Children’s Privacy (May 24, 2011)

During last week's senate hearing on consumer privacy, Sen. Jay Rockefeller (D-WV) criticized Facebook's efforts to protect children's privacy. To ensure children under the age of 13 are not using the site, the company tasks 100 employees to monitor the posts of about 600 million users--a policy that Rockefeller said is "completely indefensible," InfoSecurity reports. The publisher of Consumer Reports has written a letter asking Facebook CEO Mark Zuckerberg to strengthen efforts to protect children's privacy. At a recent event, Zuckerberg said that he wants children under the age of 13 to use Facebook and that restrictions mandated under COPPA should be changed. "That will be a fight we take on at some point," Zuckerberg said. Meanwhile, a bill in the California state legislature, SB 242, calls for social networking sites to have comprehensive controls to protect children and guidelines for privacy policies.

PRIVACY LAW

EU Cookie Rules Will Have International Impact (May 24, 2011)

New EU privacy rules requiring companies to give users "clear, comprehensive and understandable information about how, why and for how long their data is processed" will affect any Web company with EU customers, eWEEK reports. The law, which gives Internet users more control of their data, went into effect May 26. "The e-Privacy Directive applies to cookies used to collect information that is not directly related to the service offered by the site and would be used for advertising purposes," the report states, noting cookies used for the collection of non-advertising data such as passwords may still be installed without explicit user consent.
ONLINE PRIVACY

Schmidt: Legalese Makes Simple Policies Hard To Do (May 24, 2011)

At a conference in the UK last week, Google CEO Eric Schmidt said the company is trying to make its privacy policies easier to read and understand--especially those for mobile devices--but required legalese makes it difficult. While not committing to a specific plan, Schmidt said the company is working on a "series of simplification projects" for its policies and noted that one option "may be to have simple statements followed by 'legally required' text," reports The Wall Street Journal. Google updated its policies last year, but a company blog post acknowledged it has further to go. (Registration may be required to access this story.)
PRIVACY LAW—U.S.

Opinion: McCain, Kerry Online Bill of Rights Needed (May 24, 2011)

In a feature for The Hill, Senators John McCain (R-AZ) and John Kerry (D-MA) write about their proposed privacy bill of rights in light of recent data breaches affecting the personal information of more than 250 million people in the U.S. "Almost every American is vulnerable to the loss, theft or unanticipated use of their information," they write, "because in this digital age, we routinely turn over personal information to online retailers, social networks and other services in growing numbers." At a time when personal data is viewed as a form of online currency, the senators write that their proposed Commercial Privacy Bill of Rights is needed "to put Americans back in control of their personal information."
DATA LOSS

Data Breaches Continue (May 24, 2011)

Sony has announced that it has found a data breach in one of its Sony Music Entertainment Greece units. Usernames, passwords, e-mails and phone numbers for approximately 8,500 customers were compromised, but credit card information was not, The Wall Street Journal reports. Sony has also detected unauthorized user access to two additional websites in Thailand and Indonesia. The company immediately shut down the websites upon learning of the breaches. A spokesman for Sony said the company is not sure if these incidents were related to the PlayStation Network breaches last month, but added, "For now, we are still investigating each incident." (Registration may be required to access this story.)
PRIVACY LAW—INDIA & U.S.

New Rules Raise Concerns (May 23, 2011)

U.S. companies are reacting to India's new privacy rules, suggesting they may be "too restrictive," The Washington Post reports. The Information Technology Rules 2011 control the collection and use of personal information for all organizations in India as well as multinationals with offices in the country or that outsource business operations there. Among the concerns being raised are worries that the rules are far more restrictive than those in place in the EU and U.S., the report states, and "add a cumbersome layer of disclosures such as obtaining written consent from each customer before collecting and using personal data."

PRIVACY LAW—U.S.

Rep. Calls for Industry Solutions (May 23, 2011)

Rep. Marsha Blackburn (R-TN) says companies need to empower consumers when it comes to protecting the data they track and retain about them online. At an event for the telecommunications industry last week, Blackburn called upon industry leaders to step up with solutions, adding that for "the online world to continue to thrive, we need real leadership that answers consumers' cry for help, not just the typical ploy that gives a false sense of security and a free credit report." At an event in January, Blackburn called for an Internet free from government intervention, The Tennessean reports.
Full Story

ONLINE PRIVACY—U.S.

Contests Raise Questions (May 23, 2011)

Two new online prize contests are raising questions about the challenge of protecting privacy, The New York Times reports. Referencing a similar contest from last year that was cancelled due to privacy concerns, the report looks at two initiatives aimed at rewarding contestants who "come up with predictive algorithms, using anonymized personal data as the test bed." From a privacy perspective, the report states, using personal online data, "even when stripped of personally identifying information like names and credit card numbers, is a risk management game." As one expert put it, "There are privacy risks, even if they are small." (Registration may be required to access this story.)
Full Story

DATA PROTECTION

CPO: “You Can’t Prepare Enough” (May 23, 2011)

HealthcareInfoSecurity has released a two-part interview with Kirk Herath, CIPP, CIPP/G, chief privacy officer of Nationwide Insurance Companies. In the interview, Herath discusses how to handle scrutiny after a breach incident--stressing the need for communications professionals to guide public relations. "At the end of the day," he says, "the worst thing you can do is look like you're not transparent." The interviews also cover the scope and scale of a privacy officer's job; a review of the Epsilon and Sony breach incidents; how to manage privacy during a breach incident; Herath's personal experiences managing privacy at Nationwide, and the privacy concerns brought on by mobile devices and cloud computing.
Full Story

DATA LOSS

Hackers Target Small Firms, Too (May 23, 2011)

Small firms that think they are not a target for hackers should think again, The Los Angeles Times reports. One small California company last year lost $465,000 after hackers gained access to its business bank account, most likely through the owner's computer system. One fifth of the money was recovered. A 2010 survey by Symantec found that 74 percent of small and medium-size companies have been the target of cyber attacks. "It's a competitive advantage" now to have privacy protections in place, one consultant said, as companies are increasingly looking for contractors that do.
Full Story 

ONLINE PRIVACY—AUSTRALIA

Opinion: The Necessary Big Data Debate (May 23, 2011)

In a column for ITNews, former Australian Privacy Commissioner Malcolm Crompton, CIPP, raises several issues surrounding the emergence of "Big Data." Noting that "immense datasets" offer potential economic gains while driving innovation, Crompton asks, "Can we gain from the enormous economic benefits of Big Data while maintaining privacy?" To flesh out the debate, he cites an OECD roundtable, "The Economics of Personal Data and Privacy;" a recent blog post, "Will a Crackdown on Privacy Kill Big Data Innovation," and a speech touching upon the need for an ethical framework built into search algorithms.
Full Story

PRIVACY LAW—U.S.

Vladeck: FTC Looking for Enforcement Targets (May 20, 2011)
At a senate hearing on mobile privacy yesterday, the Federal Trade Commission's David Vladeck said the agency is "looking for good enforcement targets" as it conducts several investigations into mobile phone privacy, including possible violations of the Children's Online Privacy Protection Act, reports The Wall Street Journal. Senators Jay Rockefeller (D-WV) and John Kerry (D-MA), who have both introduced online privacy bills, questioned Apple, Google and Facebook on their data collection practices. Apple and Google said they do not collect personal data without consent, while a Facebook spokesman testified that the site has "robust privacy protections" and warned against laws that may restrict the site from operating in a way "individuals expect and demand."

DATA LOSS—U.S.

SEC Informs Employees of Breach (May 20, 2011)

The Securities and Exchange Commission has notified about 4,000 agency employees that their Social Security numbers and other payroll information were included in an unencrypted e-mail, The Los Angeles Times reports. A contractor at the department's National Business Center, which manages payroll, human resources and financial reporting for many federal agencies, sent the e-mail May 4 and neglected to properly encrypt the information. Additionally, software made to catch such errors failed to do so. A Department of the Interior spokesman said there is "no indication that the data was intercepted," however, and the agency has launched an investigation.
Full Story

DATA LOSS

Customer Rewards Site Breached (May 20, 2011)

So-net Entertainment Corp., a Sony subsidiary, has announced that a hacker accessed its customer rewards site and stole gift points worth approximately $1,225. The company believes the intruder may have used automated software to generate passwords in order to gain site access, reports The Wall Street Journal. There is no evidence, So-net said, that the perpetrator accessed personal data. The breach comes days after Sony restored service to its PlayStation Network (PSN). "Although we can't completely rule out the possibility that there is a connection with the PSN issue," said a So-net spokesman, "the likelihood is low." (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

Schmidt: No Facial Recognition for Google (May 20, 2011)

Google CEO Eric Schmidt, talking this week at the company's "Big Tent" conference in the UK, said that Google is "unlikely" to create a facial recognition database, saying the accuracy of the technology is "very concerning" and that popularizing the technology may cause governments to pass broad-reaching laws with unintended consequences, reports PC Advisor. Schmidt also announced Google's new Dashboard, a service that allows users to see the information Google has collected about them and opt to delete certain data. "It is worth stressing that we can only do this with data you have shared with Google. We can't be a vacuum cleaner for the whole Internet," said Schmidt.
Full Story 

ONLINE PRIVACY

Expert Explores Internet Data Dilemma (May 20, 2011)

When it comes to controlling personal information online, the best option Internet users have lies in that old adage, "if you can't beat them, join them." That's according to MIT Prof. Sandy Pentland, whose work has focused on finding a data collection approach that works for organizations, advocates and regulators, The Wall Street Journal reports. Pentland suggests an approach where consumers manage their data and receive compensation for making it available. "Your data becomes a new asset class," he said, adding, "you have more control over the information, and it becomes your most lucrative asset." (Registration may be required to access this story.)
Full Story 

TRAVELLERS’ PRIVACY

Report: Electronic Device Searches Need Probable Cause (May 20, 2011)

On Wednesday, a think tank released a report recommending that the U.S. Department of Homeland Security (DHS) use probable cause before searching electronic devices at its borders, The Globe and Mail reports. "Technology is developing so much more quickly, and the law needs to catch up," one expert said. By carrying electronic devices, travellers "are unknowingly subjecting volumes of personal information to involuntary search and review by federal law enforcement authorities," the report said, and the "problem is compounded" because the devices often contain "personal and business-related information."
Full Story

PRIVACY LAW—EU

Working Party: Geolocation Rules Would Apply to Employers, Too (May 19, 2011)
eWEEK reports on the Article 29 Working Party's approval of the European Data Protection Supervisor's (EDPS) decision requiring mobile service operators to obtain consent before collecting or sharing users' location data. EDPS Peter Hustinx has said that location data is private. The Working Party's opinion paper says, "The default should be that location services are 'off,' and users may granularly consent to the switching 'on' of specific applications." The ruling would also apply to employers aiming to track employees. It would require employers to make a case that it's "demonstrably necessary" to track the user, and the user must be able to turn tracking off outside of work hours.

PERSONAL PRIVACY—U.S.

Commission Emphasizes Smart Grid Privacy (May 19, 2011)

InformationWeek reports on the California Public Utility Commission's proposal on security and privacy requirements for smart meter data. The proposal would implement Fair Information Practices, requiring the state's three utility companies and other smart meter operators to minimize collected data, use it only for the intended purpose unless consent is acquired for other uses and take reasonable steps to protect it. The commission's report said, "access to detailed, disaggregated data on energy consumption can reveal some information that people may consider private." An attorney at Hogan Lovells said the commission's decision "represents a significant step towards a set of smart grid privacy rules in the United States" and noted Europe's recently released guidelines.
Full Story

HEALTHCARE PRIVACY—U.S.

Report: Electronic Health Record Security Lacking (May 19, 2011)

The Department of Health and Human Services Office of the Inspector General (OIG) has released two reports that offer "harsh" critiques of the department's efforts to protect electronic health records, HealthcareInfoSecurity reports. One report asks the Office for Civil Rights (OCR) to "ramp up" its compliance review efforts in order to make sure appropriate security controls are in place in healthcare facilities. The OIG found "a lack of general (information technology) security controls during prior audits at Medicare contractors, state Medicaid agencies and hospitals." The OCR has noted the federal final rule covering changes to HIPAA will not mandate encryption. The second report, which addressed the HITECH Act electronic health record incentive program, concluded that the program did not adequately meet several security issues. One expert notes this is a "wake-up call to the healthcare industry."
Full Story

PRIVACY LAW—EU & U.S.

Groups Concerned About Data Sharing (May 19, 2011)

Privacy groups are concerned about data sharing talks between the U.S. Department of Homeland Security (DHS) and the European Commission, The Hill reports. In a letter to President Barack Obama and the Senate Foreign Relations Committee, the 11 groups said, "We fear that the United States may be pushing the Europeans to weaken their comparatively strong protections of privacy and other fundamental rights, rather than agreeing to strengthen U.S. protections and respect such principles." The groups, which are also calling for a hearing on the topic, include the American Civil Liberties Union and the Consumer Federation of America. This week, a DHS spokesman said the belief that the "U.S. doesn't care about privacy" is a misconception.
Full Story

ONLINE PRIVACY—EU

Search Engine Pledging To Change Its Ways (May 19, 2011)

Google Chairman Eric Schmidt is leading a new initiative to change the company's image in Europe. With 88 percent of the market share, Google has loyal customers in Europe, reports Bloomberg, but government agencies continue to challenge the company's advertising practices and online mapping service, Street View. The company says it will improve privacy practices and consult public policy specialists and advocacy groups prior to launching new products, among other efforts. "You should be able to delete information about you that we can control. You should own your data, and we should be transparent," Schmidt said. Alice Enders, a London economist, says Google is trying to "avoid a situation where...governments fill the hole with new laws to respond. It's no longer sufficient to view the world from the West Coast of the U.S."
Full Story

 

PRIVACY LAW—KOREA

Comprehensive Data Protection Law Passed (May 19, 2011)

On March 29, Korea passed the Personal Information Protection Act (PIPA), which will go into effect September 30. The law broadly restricts the collection, use and retention of personal data and puts limits on the use of closed-circuit television, while also providing for internal controls and litigation of data protection disputes, reports the Bae, Kim & Lee Newsletter. PIPA applies broad definitions to "personal information" and "data handlers" and will overlap the two data protection laws covering telecom service providers and entities handling credit information, respectively. It also requires data handlers to publish personal data handling policies and appoint an individual to be responsible for the data.
Full Story

DATA LOSS

Security Flaw Forces Site Shutdown (May 19, 2011)

Sony has shut down a website that was designed to help those affected by last month's data breaches, Reuters reports. The announcement came after Sony found a "security hole"--potentially allowing hackers to access users' accounts by using personal information stolen during the original breaches. The news comes after U.S. lawmakers wrote a letter to the company questioning the breach incidents and response. One expert said, "The Sony network in general still isn't secure and still has security issues that could be exploited by hackers." A Sony spokesman said the issue has been fixed, and the site will be back up soon.
Full Story 

PRIVACY LAW—U.S.

Opinion: Privacy Bill May Be Unconstitutional (May 19, 2011)

In a MediaPost editorial, Wendy Davis discusses California's proposed legislation, SB 242, which would prohibit social networking sites from publicizing users' personal information without explicit consent. Davis notes that the legislation may be unconstitutional because states cannot regulate interstate commerce and "prohibiting sites from publishing truthful information raises troubling First Amendment issues." Noting that "it's understandable why lawmakers are considering this bill," Davis also adds, "Whether California's law passes or not, Facebook and other social networking sites should rethink their approach to privacy."
Full Story 

 

ONLINE PRIVACY

Google Introduces TRUSTe Seal in App Marketplace (May 19, 2011)

In response to concerns about the data handling practices of Web apps, Google has introduced a TRUSTe certification in its Apps Marketplace--the online store offering business-oriented Android applications, reports InformationWeek. The certification applies to installable applications and aims to clarify the makers' privacy practices. To get certified, app makers need to answer a series of questions about data sharing and security. Certified apps will display the green TRUSTe seal. The report stresses, however, that the certification is "not a guarantee of security or proper data handling; it's merely an assessment of whether a particular vendor's self-reported practices fall within industry norms."
Full Story 

 

PRIVACY LAW—FRANCE

CNIL To Increase Compliance Checks (May 18, 2011)
The French data protection authority (CNIL) is warning companies and individuals that they should "exercise caution" when transferring data in and out of European countries as it plans to increase its compliance inspections, COMPLIANCE WEEK reports. The CNIL said in an April statement that it plans to increase inspections by one third compared to last year, aiming to complete at least 400 this year. The checks, which will especially look at companies enrolled in the U.S.-EU Safe Harbor Program, will focus on telemedicine, storage of health data and consulting firms' use of data from the Program of Medicalization of Information Systems, the report states. The CNIL has the ability to impose sanctions for violations of French data privacy law.

PRIVACY LAW—U.S.

FCC Looking at Location Data Rules (May 18, 2011)

The Federal Communications Commission (FCC) has announced a forum next month on the use of smartphone location data, The Los Angeles Times reports, which could lead to the establishment of governing rules over smartphone companies' use of such data for targeted ads and other purposes. Apple and Google are among the companies invited to the forum, which will discuss benefits and risks of the services. One expert says, however, the hearing could feature "industry reps who will lull the FCC into believing that consumers don't need any new safeguards when they really do." Meanwhile, a second U.S. Senate hearing over location privacy will question Apple, Google and Facebook this week about their treatment of customers' location data.
Full Story

PRIVACY LAW—U.S.

Senate Bill Would Require Warrants for Data (May 18, 2011)

Sen. Patrick Leahy (D-VT) has introduced legislation that would require law enforcement to obtain search warrants before accessing geolocation information and e-mails stored on servers, reports The Wall Street Journal. The legislation would update the Electronic Communications Privacy Act of 1986. "Today, this law is significantly outdated and outpaced by rapid changes in technology," said Leahy. The bill has received support from Google, Microsoft and AT&T as well as from the Center for Democracy and Technology, but some advocates do not think the updates go far enough. Leahy said, "Updating this law to reflect the realities of our time is essential to ensuring that our federal privacy laws keep pace with new technology and the new threats to our security." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—EU

Commission Addresses Cloud Computing (May 18, 2011)

The European Commission (EC) has released a proposal that considers standardizing terms and conditions for using cloud computing services, how to address cloud security and who is responsible for data protection in the cloud. OUT-LAW News reports that the commission is looking to businesses and public organizations for feedback on its consultation on "data protection and liability questions, in particular in cross-border situations." The consultation looks at the existing legal framework for data protection in the cloud and asks respondents for specific updates that could be applied to the EU Data Protection Directive. Neelie Kroes, EC vice president for the digital agenda, said businesses can benefit from lower costs, improved services and new opportunities that come with cloud computing, adding, "We need a well-defined cloud computing strategy to ensure that we make the best use of this potential."
Full Story

DATA LOSS—U.S.

Massachusetts Gov’t Agency Hacked (May 18, 2011)

Hackers installed a virus that corrupted about 1,500 computers in the Massachusetts unemployment system, compromising the personal data of as many as 210,000 out-of-work residents of the state, reports The Boston Herald. The Massachusetts Executive Office of Labor and Workforce Development first detected the virus on April 20, and while it immediately took steps to wipe out the virus, the agency announced on Monday that it was "not remediated as originally believed and that the persistence of the virus resulted in a data breach." The office will send notification letters to everyone it serves and is urging residents served by the office to put a fraud alert on their credit reports.
Full Story

PRIVACY LAW—U.S.

Coalition “Strongly Opposes” Social Networking Bill (May 18, 2011)

A coalition of Web companies, including Facebook, Google, Skype, Twitter and Yahoo, has voiced opposition to a California bill aimed at protecting user privacy, TechNewsWorld reports. In a letter to Sen. Ellen Corbett (D-San Leandro), who proposed SB 242, the coalition said that SB 242 "gratuitously singles out social networking sites without demonstration of any harm" and would result in users making uninformed choices by requiring that they select privacy settings ahead of using the sites. Corbett said Californians have a right to privacy and to understand how their data is used and that she's "up for a very tough fight."
Full Story

ONLINE PRIVACY

Research: Flaw Could Compromise Smartphones (May 18, 2011)

Researchers from Germany's Ulm University have found a security flaw that could make it possible for hackers to breach data on certain Google Android applications, the Financial Times reports. The research indicates that photo-sharing, calendar and contacts applications could be breached, the report states, spurring warnings to Android users to avoid public WiFi networks. Google is quoted as saying, "We're aware of this issue, have already fixed it for calendar and contacts in the latest versions of Android, and we're working on fixing it in Picasa." As the effort to fix the issues continues, IT PRO reports that Google is adding trust accreditation to its Marketplace Apps. (Registration may be required to access this story.)
Full Story 

DATA LOSS—U.S.

U.S. Lawmakers Ask Company for Answers (May 18, 2011)

Reps. Mary Bono Mack (R-CA) and G.K. Butterfield (D-NC) sent a letter on Tuesday to Sony requesting more information about last month's data breaches that affected approximately 100 million users. The lawmakers want to know more specifics on compromised customer information and whether the company's investigation has uncovered how the breach occurred, Bloomberg reports. Sony Chief Executive Howard Stringer defended the company's response, saying, "we still have a lot of investigation to do to find out how this happened." A spokesman for Bono Mack said, "Clearly, there are a lot of unanswered questions...as we begin drafting our data security legislation, we are hopeful that the Sony experience can be instructive."
Full Story 

PRIVACY LAW—EU

Hustinx Says Location Data Is Personal Data (May 17, 2011)
The European Data Protection Supervisor (EDPS) has said that geolocation constitutes personal data, PC World reports. "Location data is certainly, in many instances, private data, and there then follows the obligations to inform users, and the opportunity to opt in or opt out," said EDPS Peter Hustinx. The opinion has been approved by the Article 29 Working Party and will be posted on the party's public website later this week. The European Commission is currently reviewing the European Data Protection Directive and could include geolocation in the law's revision if the working group's recommendations are accepted, the report states.

PRIVACY LAW—NEW ZEALAND

Commissioner Proposes Changes to Credit Reporting (May 17, 2011)

Privacy Commissioner Marie Shroff has proposed several changes to New Zealand's Credit Reporting Privacy Code. A press release issued by the privacy commissioner noted that Amendment No. 5 will introduce a style of credit reporting similar to the system employed in the U.S. The new amendment will include ongoing reporting of repayment history, give credit reporters additional tools to assess creditworthiness and allow victims of identity theft to exercise a "credit freeze." Supporters of the changes claim they will help New Zealand "climb" out of the recession, whereas skeptics are "very suspicious," saying it is not a "transparent system." Shroff noted, "There is no doubt that this would be a more intrusive regime, but I have tried to ensure that there will be benefits to individuals and the community as well as to business members."
Full Story

PRIVACY LAW—U.S.

Complaint Filed Against File-Sharing Service (May 17, 2011)

A complaint was filed with the Federal Trade Commission last week alleging that a file-sharing service has been misleading customers about their privacy, InformationWeek reports. Dropbox, a file synchronization and online backup service with more than 25 million customers, stated in its terms of service that all files were encrypted. However, security and privacy researcher Christopher Soghoian, who lodged the complaint, says the service uses a technique called "deduplication," which usually results in poorer security and has "significant flaws," and suggests Dropbox instead assign users individual encryption keys. A spokeswoman for the company said the complaint is "without merit," and the issues were addressed in a company blog post in April.
Full Story

DATA PROTECTION—U.S.

Vladeck: “FTC Will Step In” on Behalf of Consumers (May 17, 2011)

At an online ad industry conference on Monday, FTC Consumer Protection Chief David Vladeck talked about the committee's do-not-track proposal and its concerns over online data collection practices, reports MediaPost News. Vladeck said the FTC has recently settled with three companies for allegedly "making deceptive claims about the privacy of the information they collect," and there are "more cases to come." The FTC has concerns that data collected for advertising may end up being used for secondary purposes that consumers don't want, said Vladeck, who voiced his dissatisfaction with the industry's response to questions surrounding secondary use. "The FTC will step in when false or misleading privacy claims have the effect of undermining consumer choices," Vladeck stressed.
Full Story

HEALTHCARE PRIVACY—CANADA

Opinion: Blood Test Lawsuit Hits Upon Privacy Rights (May 17, 2011)

In a column for the Vancouver Sun, Ian Mulgrew writes about a lawsuit filed by an anonymous couple against the Provincial Health Services Authority in British Columbia. The lawsuit alleges that their child's blood "samples were obtained and stored as a result of a negligent or fraudulent concealment of facts that constituted an unlawful search and seizure violating the Charter of Rights and Freedoms." The Newborn Screening Program takes blood samples from newborn children to check for conditions, and the results are recorded and stored until the children reach the age of 10. According to the article, the judge has given the suit a "green light to proceed," but the family's lawyer has 30 days to "reframe the pleadings."
Full Story

PRIVACY LAW—U.S.

Senate Hearing Will Focus on Mobile Privacy (May 17, 2011)

The Senate Consumer Protection, Product Safety and Insurance Subcommittee will hold a hearing on mobile devices and online data collection this Thursday. Led by Sen. Jay Rockefeller (D-WV), the hearing will focus on "industry practices with respect to online mobile data collection and usage," the AFP reports. Rockefeller notes that the "hearing will also explore the possible role of the federal government in protecting consumers in the mobile marketplace and promoting their privacy." Witnesses will include the FTC's David Vladeck, who recently spoke about online privacy issues, as well as representatives from Facebook, Google and Apple. This will be the second time in little over a week that Google and Apple have testified before a senate subcommittee.
Full Story 

ONLINE PRIVACY—U.S.

Big Data and the Privacy Balancing Act (May 17, 2011)

In a GigaOM feature, Derrick Harris examines a report by the McKinsey Global Institute (MGI), released last week, that identifies "one very important issue to the future success of big data efforts: finding the appropriate balance between consumer privacy and business innovation." Among the key issues policymakers are facing when it comes to addressing the wealth of data stored and shared online, the MGI report lists the need to create "policies that balance the interests of companies wanting to create value from data and citizens wanting to protect their privacy and security." Harris writes that both the pros and cons of big data must be weighed to ensure regulations do not "hamstring" innovation.   
Full Story 

PRIVACY LAW—U.S.

Law Would Address Social Networking Defaults (May 17, 2011)

A California proposal could require social networking sites to allow users to establish privacy settings before enrolling, The San Francisco Chronicle reports. SB242 would also require sites to set default privacy settings and explain privacy controls in plain language and would carry penalties of $10,000 per violation. The executive director of the Internet Alliance said such a law would force users to make decisions about their data before exploring the site, and that could lead to unintended consequences, such as users selecting privacy settings they don't fully understand. Others have expressed concerns the law would discourage Internet business in California.
Full Story

ONLINE PRIVACY—THE NETHERLANDS

Telecom Denies Privacy Rules Violations (May 16, 2011)
On Friday, Dutch telecommunications provider KPN denied it violated the terms and conditions of its contracts when it used deep packet inspection (DPI) to view the Internet activity of its customers, reports The Wall Street Journal. The company "came under fire" on Thursday after it revealed it uses DPI to find out if customers use instant messaging applications. A spokesman for a civil rights organization said it is "theoretically possible" to read the mail's content when using DPI. KPN said an internal investigation "found no wrongdoing," but the company would cooperate with an external investigation. (Registration may be required to access this story.)

PRIVACY LAW—INDIA

Proposed Data Rules Stricter than GLBA, EU Directive (May 16, 2011)

The Indian government's proposed regulations on protecting outsourced data could have a negative impact on the country's relationship with global companies, PC Advisor reports. The draft regulations are stricter than the U.S. Gramm-Leach-Bliley Act and the EU Directive and would create requirements for companies that either outsource data to India or operate there, the report states, including written prior consent--without exceptions--to collect and use data about any person within the country, citizen or not. "These types of issues may significantly impede an enterprise's ability to properly and efficiently interact with its customer base," says David Rutchik from outsourcing consultancy Pace Harmon.
Full Story

PRIVACY LAW—U.S.

Judge Says Plaintiffs Can Re-file Harm Claims (May 16, 2011)

A California federal judge has thrown out most of the claims against Facebook in a privacy suit alleging the social network shared users' personal data with advertisers without obtaining consent, The Recorder reports. However, the judge did not dismiss the entire lawsuit, despite Facebook's request that he do so on the basis that the plaintiffs did not demonstrate that sufficient injury occurred as a result of the alleged data sharing. The plaintiffs are allowed to re-file five of the eight original claims. "The court finds that plaintiffs have alleged facts sufficient to establish that they have suffered the injury required for standing," the judge said.
Full Story

ONLINE PRIVACY

Study: Most Apps Lack Policies (May 16, 2011)

A Future of Privacy Forum (FPF) study examined some of the most popular mobile applications available for major platforms and found that 22 of the top 30 have no policy stating how the app treats personal data, reports MediaPost News. "Without a privacy policy to review, consumers may not have the ability to understand and control the use of their personal data by the apps," the FPF said in a blog post. The FPF is currently working with the Center for Democracy and Technology to come up with privacy improvements for app developers. The study comes on the heels of a senate hearing on mobile privacy challenges.
Full Story 

ONLINE PRIVACY

Adobe Introduces Flash Controls (May 16, 2011)

InformationWeek reports on Adobe's newly released Flash Player 10.3, which enables users to block the use of Local Shared Objects, commonly referred to as Flash cookies, "which some advertisers use to surreptitiously track every website that a user visits, regardless of their cookie or cache settings." In its blog, Adobe describes the new feature. "Now, when users go into their browser settings to clear their browser history or clear their cookies," Adobe notes, "they will be able to clear both their browser data as well as their plug-in data." The Flash update is included in Google's latest version of Chrome, which also addresses vulnerabilities, the report states.
Full Story 

ONLINE PRIVACY—U.S.

Opinion: Privacy Attack Could Encourage Regulation (May 16, 2011)

In a column for The Wall Street Journal, L. Gordon Crovitz writes about Facebook's reported hiring of a "public relations firm to plant negative stories about Google's privacy policies," suggesting that although the journalists and privacy advocates contacted by the PR firm "concluded that Google has done nothing wrong," Facebook's actions may encourage "the same federal regulators it tries to keep away from its own business." Crovitz contends that social media is "redefining people's expectation of privacy...faster than regulators can keep up," stating that it would be a mistake for the federal government to "pass any of the proposed new laws setting privacy expectations into stone." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

White House Calls for Federal Breach Notification Law (May 13, 2011)
The Obama Administration has sent legislative guidance to Capitol Hill that includes a proposal for mandatory security breach notifications, GovInfoSecurity reports. The proposed federal standard would help businesses "by simplifying and standardizing the existing patchwork of 47 state laws that contain these requirements," according to a fact sheet released by the White House Office of the Press Secretary. The White House cybersecurity team sent the "Cybersecurity Legislative Proposal" to lawmakers on Thursday. In addition to the breach notification standard, it includes guidance on securing the nation's cyberinfrastructure as well as government access to the personal details of citizens.

PRIVACY LAW—U.S.

FTC Reaches $3 Million Settlement with Game Sites (May 13, 2011)

The operator of 20 online gaming sites has agreed to a $3 million settlement with the FTC for violating the Children's Online Privacy Protection Act (COPPA). The Playdom, Inc., settlement is the largest to date for a COPPA violation. The FTC complaint alleged that the defendants, Playdom, Inc., and its executive, Howard Marks, violated COPPA when, without notifying parents or receiving parental consent, they "collected children's ages and e-mail addresses during registration and then enabled children to publicly post their full names, e-mail addresses, instant messenger IDs and location, among other information." COPPA requires websites directed at children to obtain parental consent before collecting and using children's personal information. FTC Chairman Jon Leibowitz said of the ruling, "Let's be clear: Whether you are a virtual world, a social network or any other interactive site that appeals to kids, you owe it to parents and their children to provide proper notice and get proper consent. It's the law, it's the right thing to do and, as today's settlement demonstrates, violating COPPA will not come cheap." Michelle Dennedy, founder of The iDennedy Project, told the Daily Dashboard that the settlement is a message from the government that we need to value our children as much as we value our banking data and should be a wake-up call to the gaming industry as a whole. "We look at gaming and playthings as light fluffy topics, but where we're seeing ID theft happen is at...play groups, schools, all these light-weight things where our guard is down and we feel like it's fun, but the consequences to our kids are very real."
Full Story

DATA THEFT—U.S. & CANADA

Company: PIN Pads Tampered, No Debit Purchases (May 13, 2011)

Michaels Stores, Inc., has announced that approximately 90 PIN pads in at least 20 U.S. states have shown "signs of tampering," reports the Associated Press. As a result, customers can only make purchases with cash, checks or credit cards for now. The company announced earlier this month that Chicago-area stores were affected. In response, Michaels has "disabled and quarantined suspicious PIN pads and removed another 7,200 as a precautionary measure" and is currently looking into whether PIN pads in Canadian stores were affected.
Full Story

GEO PRIVACY—EU

EU Advisory Board To Issue Geolocation Opinion (May 13, 2011)

The Article 29 Working Party will publish an opinion this month announcing that location-based data must be handled like names, birthdays and other personal data, reports The Wall Street Journal. Mobile phone and Internet companies would likely have to get consent prior to data collection, delete the information in a timely manner and keep the information anonymous. The opinion will not be binding, but, the article suggests, it would likely be used as a guiding principle by several national regulators. "Geolocation data has to be considered as personal data," said an EU official. "The rules on personal data apply to them." (Registration may be required to access this story.)
Full Story 

DATA LOSS

Recent Breaches Result in Dozens of Lawsuits (May 13, 2011)

The Globe and Mail reports that Sony faces at least 25 lawsuits in U.S. federal courts that stem from recently reported data breaches. The company is being accused of negligence and breach of contract. But, the article points out, plaintiffs' lawyers may find it difficult to establish damages rather than liability in the cases. Meanwhile, Sony is trying to rebuild consumer confidence in its services. One analyst said, "The key point is whether Sony will be able to get consumers to move on after this incident." Sony has announced that it will provide ID theft monitoring and other free services.
Full Story

SURVEILLANCE—U.K.

Police Force To Use Digital Mapping Software (May 13, 2011)

The Guardian reports that the Metropolitan Police have purchased software that can map "nearly every move suspects and their associates make in the digital world." Geotime software can collect and collate information gleaned from social networking sites, GPS equipment, mobile phones, financial transactions and IP network logs. A spokesman from the police said, "We are in the process of evaluating the Geotime software...a decision has yet to be made as to whether we will adopt the technology." Some individuals are concerned the software could be a violation of data protection legislation. One attorney said, "This latest tool could also be used in a wholly invasive way."
Full Story

IDENTITY THEFT—U.S.

Children Are Increasingly Targets (May 12, 2011)
NBC's Jeff Rossen and the "TODAY" show explore a rising trend in identity theft--stealing the identities of children--and the challenges that brings for parents trying to protect their kids. Children's clean credit records are prime targets for thieves, and often, the thefts aren't discovered for years. Meanwhile, the FTC and others discourage parents from regularly checking their kids' credit reports because most children don't have them, and the Identity Theft Resource Center says checking may lead to the creation of a report, making it easier for the child's identity to be stolen. The MSNBC report offers tips on how parents should go about checking for fraudulent activities on their children's credit.

ONLINE PRIVACY

Research Raises New Smartphone Concerns (May 12, 2011)

The Wall Street Journal reports on research suggesting that unique smartphone identifiers can be linked with other information to allow third parties access to personal information without users' consent. "The identifiers--long strings of numbers and letters associated with the phone--don't themselves hold any information about users," the report states, but New Zealand-based researcher Aldo Cortesi has found that U.S. gaming company OpenFeint "connected the IDs to users' locations and Facebook profiles and then made the combined data available to outsiders." Although the company has since fixed those issues, Cortesi has noted it is likely that other databases also link the unique IDs with other user information. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Companies Sued for Tracking in Puerto Rico (May 12, 2011)

A lawsuit filed this week in U.S. District Court in Puerto Rico alleges that Apple, Pandora Media and The Weather Channel failed to disclose that they were sharing personal and location data with advertising networks, reports CNET News. The suit focuses on the use of unique device identifiers (UDID) to track users' online activities because, "unlike with browser cookies, Apple does not provide users any way to delete or restrict access to their devices' UDIDs." The suit seeks class-action status as well as damages, restitution and an injunction against Apple for collecting UDID-related data. A similar suit was filed last December targeting the same companies and other app makers.
Full Story 

DATA PROTECTION—NETHERLANDS

Authority Calls for “Sharper Teeth” (May 12, 2011)

The Dutch data protection authority (CBP) has said that the Netherlands "needs a privacy watchdog with sharper teeth," Dutch News.nl reports. The authority must be able to ensure that government, companies and individuals take appropriate care of people's personal data, said Jacob Kohnstamm, head of the CBP, noting that technological advances have made it possible to track individuals' behavioral patterns. In his annual report, Kohnstamm noted the almost limitless options to store and process information, making it increasingly difficult to keep watch over such processes and to be sure data is appropriately handled and protected.
Full Story

PRIVACY LAW—UK

ICO Launches Code for Sharing Personal Data (May 12, 2011)

The Information Commissioner's Office has launched a code of practice aimed at guiding private- and public-sector companies on data protection when it comes to legally sharing personal information, reports V3.co.uk. The code of practice, which incorporates input solicited during the consultation period, can be applied in all sectors, said Information Commissioner Christopher Graham. "...We can be confident that it not only makes sense on paper but will work in the real world," he said. "I would encourage all businesses and public bodies that share personal data to get to grips with the code without delay so they can be sure they are getting it right."
Full Story

SOCIAL NETWORKING—U.S.

Lawmakers Press Company on Security Flaw (May 12, 2011)

Reps. Edward Markey (D-MA) and Joe Barton (R-TX) wrote a letter to Facebook CEO Mark Zuckerberg on Wednesday questioning a recently reported security flaw that allows unauthorized third parties access to users' personal information. The company said it fixed the problem, but The Wall Street Journal reports that the legislators want more information about the incident. "This issue is one that cannot be ignored," they wrote in the letter, "and our concerns about Facebook's privacy policies are continuously increasing." A representative from the social networking site said "we welcome the opportunity to talk this through." (Registration may be required to access this story.)
Full Story

PRIVACY—CANADA

Commissioner Stepping Down (May 12, 2011)

Alberta Information and Privacy Commissioner Frank Work says he will step down when his term expires at the end of this year, The Edmonton Journal reports. "It has been my privilege to serve the people of Alberta in promoting open, transparent government and to guide citizens in the protection of their personal information," said Work, who has served as commissioner since 2002. Work oversaw the expansion of the commissioner's office in 2001 and 2004, following the Health Information Act and the Personal Information Protection Act, the report states. The government will appoint a committee to search for Work's replacement.
Full Story 

PRIVACY LAW—JAPAN

Current Developments in Data Protection (May 12, 2011)

The Korea Times provides an overview of Japan's data privacy frameworks, including the guidelines currently used by the country. Japan uses guidelines from the Organisation for Economic Co-operation and Development and its own Japanese Industry Standards. In the private sector, the Privacy Mark System is an accreditation that allows organizations to demonstrate their compliance with the law while providing a high level of protection. The article also reviews the three main laws that drive the current legislative structure and mentions that "various issues, such as behavioral targeting marketing and cloud computing, are in talks recently." The Japanese government has also proposed the idea for a "Number System for Social Security and Taxation" and a "Number System Council for Social Security and Taxation."
Full Story

PRIVACY LAW—U.S.

Senate Holds Hearing on Mobile Devices (May 11, 2011)
The Senate Judiciary Subcommittee on Privacy, Technology and the Law heard testimony on Tuesday from government, advocacy and industry representatives in order to shed light on location-based data collection practices. Bloomberg reports that Subcommittee Chairman Al Franken (D-MN) said, "Consumers have a fundamental right to know what data is being collected about them...and yet reports suggest that the information on our mobile devices is not being protected in the way that it should be." Representatives from Apple and Google defended their use of location data, saying they do not track individual customers. Independent researcher Ashkan Soltani said there should be more transparency and education for consumers. "What today is about," added Franken, "is trying to find the right balance between all those wonderful benefits (of mobile devices) and the public's right to privacy."

DATA LOSS—UK

ICO Issues Fine for Breach (May 11, 2011)

The Information Commissioner's Office (ICO) has fined ACS:Law £1,000 in the wake of a breach that resulted in the loss of personal information belonging to at least 6,000 individuals, ZDNet UK reports. "The security measures ACS:Law had in place were barely fit for purpose in a person's home environment, let alone a business handling such sensitive details," Information Commissioner Christopher Graham said when the fine was announced, noting it lacked such provisions as firewalls and access control. One privacy advocate has called the level of the fine "ridiculous" given the sensitivity of the information involved. "The ICO would have fined ACS:Law £200,000 had the company still been trading," the report states.
Full Story

ONLINE PRIVACY

App Glitch Allowed Fourth-Party Access to Accounts (May 11, 2011)

A security firm has exposed a Facebook vulnerability that allowed third-party applications to share "access tokens" with advertisers and analytics companies, giving them access to users' accounts--including the ability to post information, read wall posts, access friends' profiles and mine personal information, reports The Wall Street Journal. The vulnerability has existed for years and likely affected about 100,000 apps, according to Symantec, which also said it's possible the third parties didn't know they had this ability. Symantec alerted Facebook to the vulnerability in April and the company has since addressed the problem and conducted an investigation that revealed "no evidence of this issue resulting in a user's private information being shared with unauthorized third parties," said a Facebook spokeswoman. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—SWITZERLAND & U.S.

Swiss Court Decision To Be Appealed (May 11, 2011)

Google will appeal a Swiss court's ruling that the company must blur faces and license plates on its Street View mapping feature, The Wall Street Journal reports. Peter Fleischer, Google's global privacy counsel, said that 99 percent of people are not identifiable on the feature but that the "decision of the Federal Administrative Tribunal requires us to guarantee that 100 percent of faces and license plates are not identifiable. We simply cannot comply with that." Meanwhile, at a hearing before the U.S. Senate Judiciary Committee's privacy subcommittee, Sen. Richard Blumenthal (D-CT) questioned Google about a patent application related to determining a user's location based on nearby Wi-Fi signals. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Indiana Set To Pass Cell Phone Do-Not-Call Law (May 11, 2011)

A new bill that will bar telemarketers from calling the cell phones of do-not-call registrants has unanimously passed the Indiana General Assembly. The House Enrolled Act 1273 allows Indiana residents to register their cell phone numbers on a do-not-call list and mandates that companies violating the law face lawsuits and financial penalties, reports LegalNewsline. Attorney General Greg Zoeller noted that many Indiana residents "now use cell phones only and do not have landlines at home, we wanted to statutorily extend the protections of the Do Not Call list for cell phone users so they also can be shielded from intrusive solicitors."
Full Story 

HEALTHCARE PRIVACY—U.S.

Official: HIPAA Rule Coming Soon (May 11, 2011)

Government Health IT reports that the final omnibus rule to strengthen HIPAA privacy and security safeguards will be released before the end of this year. That's according to Sue McAndrew of the Health and Human Services Department Office for Civil Rights, who said at a recent conference that she anticipates the rule "certainly by the end of the year...I really am hoping that we are now targeting months, if not weeks, for the publication." In addition to including data breach notification rules, strengthened HIPAA enforcement provisions and other privacy and security protections, the final rule will also require business associates working on behalf of healthcare providers to comply with HIPAA, the report states.
Full Story

PRIVACY LAW—U.S.

Senate Committee’s Smartphone Hearing Today (May 10, 2011)
CNN reports on today's scheduled hearing before the Senate Judiciary Subcommittee on Privacy, Technology and the Law amid concerns raised about the "privacy quicksand" of incidents such as mobile device tracking and sharing users' location information. Sen. Al Franken (D-MN) has indicated he is happy that "Google and Apple aren't sidestepping the hearing that will look into whether federal consumer privacy laws are keeping pace as technology advances," the report states. "There are numerous ways in which this information could be abused by criminals and bad actors," Franken stated. Meanwhile, a report in The Wall Street Journal suggests that mobile devices' collection of location data is "the tip of the iceberg...Auto makers, insurance companies and even shopping malls are experimenting with new ways to use this kind of data."

PRIVACY LAW—EU & UK

Cookie Compliance Confusion Continues (May 10, 2011)

Following on the Information Commissioner's Office (ICO) publication of advice to help businesses comply with a new EU law governing the use of Web cookies, many experts and business owners are voicing confusion over what to do next. PC Pro reports on key elements of the advice, including the recommendation that organizations "can't rely on browser settings to help them comply" when the EU's new law goes into effect on May 26. "Web companies need not panic over the vague guidance and tight deadline, as the ICO has reiterated that it has no immediate plans to take action against sites that don't comply," the report states. Following Monday's announcement of the newly published advice, Hazel Grant of Bristows told the Daily Dashboard, "It's something of a surprise that the guidance has been issued so early and, crucially, without the guidance on how the ICO will carry out enforcement. The ICO seems keen to encourage businesses to make a start on assessing the cookies used by their websites and potential compliance mechanisms. Carrying out these activities--and documenting them--may be helpful in any subsequent enforcement." Editor's Note: To be a part of the rich dialogue going on right now about the ICO's advice and cookie compliance concerns, visit our website to join the IAPP Privacy List, a free service for IAPP members.
Full Story

PRIVACY LAW—U.S.

Lawmakers Propose Expansion to COPPA (May 10, 2011)

Reps. Ed Markey (D-MA) and Joe Barton (R-TX) have presented a draft of their Do Not Track Kids Online Bill that proposes to ban behavioral targeting to minors--users under 18--and limit the collection of teens' information to those companies that adhere to Fair Information Practice Principles, reports MediaPost News. The bill would also broaden the definition of personal information under the Children's Online Privacy Protection Act (COPPA) to include "unique identifiers, IP addresses and anything that permits the identification of a computer." 
Full Story

PRIVACY LAW—U.S.

Rockefeller Introduces Do-Not-Track Bill (May 10, 2011)

Sen. Jay Rockefeller (D-WV) yesterday introduced the Do Not Track Online Act, which tasks the FTC with crafting rules and setting standards for a universal do-not-track mechanism. MediaPost News reports that the bill aims to require ad networks to comply with browser-based do-not-track mechanisms that allow users to opt out of behavioral targeting. Consumer groups including the Center for Digital Democracy, Consumers Union and Electronic Frontier Foundation support Rockefeller's bill. However, Stuart Ingis, counsel to the Digital Advertising Alliance, says the industry self-regulatory program is gaining traction, and this bill could "send the wrong signal to the public--which is that there's something inherently wrong with these practices."
Full Story

PRIVACY LAW—CANADA

Clement Willing To Discuss ICO Fining Powers (May 10, 2011)

In response to Privacy Commissioner Jennifer Stoddart's call for the power to impose "significant, attention-getting fines" for data breaches, Industry Minister Tony Clement said he's willing to discuss the idea, The Vancouver Sun reports. Stoddart said last week that the most recent proposal to update the privacy law--which was tabled in May of 2010 and was based on a review done in 2008--is now "out of synch" with the "continuing occurrence of major data breaches." Clement on Friday agreed that it would "behoove us" to do the consultations again and said that the bill "is a pretty critical component of the broader digital economy strategy."
Full Story

SURVEILLANCE—U.S.

Lawsuit: More Than 50,000 Affected by Laptop Spying (May 10, 2011)

A lawsuit filed by a Wyoming couple and seeking class-action status alleges that one of the country's largest rental companies has been using "secret software" to take their photos, log their keystrokes and keep tabs on private communications, Courthouse News Service reports. The suit against lead defendant Aaron's, its sales and leasing division, franchisees and software company Designerware alleges violations of the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act, and the firm behind the suit believes "the class exceeds 50,000 people or entities," the report states. The company has posted a statement on its website that "we're taking this allegation very seriously. We are conducting a thorough investigation and diligently reaching out to our customers to address any of their concerns."
Full Story

PRIVACY LAW—U.S.

Legislators, Experts Discuss Mobile Technology (May 10, 2011)

In anticipation of today's U.S. Senate hearing, "Protecting Mobile Privacy: Your Smartphones, Tablets, Cell Phones and Your Privacy," Sen. Al Franken (D-MN) joined privacy experts last Friday to discuss consumer privacy and electronic devices on National Public Radio. Franken said he wants to ask industry representatives about their data collection practices while also receiving facts from experts in the legal, technology and privacy fields. The senator added, "The Internet has spawned all this unbelievable...innovation, and we want that. We just want also to make sure that when we're doing this, we strike the right balance and that we have our privacy laws keep up with technology" without stymieing innovation.
Full Story

DATA PROTECTION—U.S.

California Utility Commission Proposes Privacy Rules (May 10, 2011)

A proposed ruling by the California Public Utilities Commission would impose privacy rules on home device platforms that automatically use smart meter data, GigaOM reports. The ruling would require the state's three big utilities to impose tariffs on third parties that request certain customer utility data, the report states, and would require them to impose CPUC's privacy guidelines on those parties. Utilities using home device platforms that don't automatically transfer utility data to a third party would be required to provide those customers with information on potential uses of their data. The utilities have three months to establish tariffs.
Full Story

DATA PROTECTION—U.S.

Differing Views on Data Breach Remedies (May 10, 2011)

Kashmir Hill reports for Forbes on the differing opinions in the U.S. on what to do about data breaches. In the wake of two major breaches recently, she writes, The New York Times' Nick Bilton and Time's Jerry Brito took differing views. Bilton notes that although Rep. Bobby Rush's (D-IL) 2009 bill, which would provide credit monitoring to victims of data breaches, for example, failed to pass in the Senate, regulation looks more likely now following a hearing last week on data breaches. Brito, however, says data breaches are "inevitable" in the digital age, and the answer lies in improving technology, not creating more rules around it.
Full Story

PRIVACY LAW—EU & UK

ICO: Informed Cookie Consent Needed To Comply with New EU Law (May 9, 2011)
The UK Information Commissioner's Office (ICO) has published advice on how organizations can comply with a new EU law on the use of cookies, which goes into effect on May 26. "Not surprisingly, the ICO has adopted a pragmatic approach to the controversial cookie consent requirement. However, it is also clear that inaction is not an option," Eduardo Ustaran of Field Fisher Waterhouse LLP told the Daily Dashboard following the release of the ICO's advice on Monday. The changes will require UK websites "to get informed consent from visitors...to store and retrieve information on users' computers." The advice suggests that "most browser settings are not sophisticated enough" to imply consent, so organizations should obtain consent in other ways.

DATA LOSS

Company Stock Takes Hit After Breaches (May 9, 2011)

The Wall Street Journal reports on the financial impact on Sony after last month's data breaches. Mintz Levin attorney Cynthia Larose, CIPP, said, "Taken as a whole, the number of customers affected, the PR impact and now the legislative inquiries" rank these data breaches "at the top." Late last week, a class-action lawsuit was filed against Sony in U.S. District Court in Boston, MA, for unauthorized data storage, poor security and late customer notification. Sony has defended its customer notification response. Over the weekend, it was announced that the company experienced a third data breach. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY—U.S.

Senator: Web Legislation Needed Now (May 9, 2011)

In a report for The New York Times, Nick Bilton poses the question of which federal law would apply when hackers breach consumer privacy by infiltrating companies' servers to harvest PII. The answer is none, he writes, which--when combined with high-profile breaches in recent weeks--has fueled the fire on Capitol Hill to see federal legislation enacted. "There needs to be new legislation," said Sen. Richard Blumenthal (D-CT), adding, "Companies need to be held accountable and need to pay significantly when private and confidential information is imperiled." One privacy expert pointed out, however, that proposed legislation may not be able to keep up with advances in technology. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—NEW ZEALAND

Commissioner Calls for Breach Notification Law (May 9, 2011)

New Zealand Privacy Commissioner Marie Shroff is calling for mandatory notification for breaches that create risk to those affected and criminal sanctions for those who fail to comply, stuff.co.nz reports. "You need to have a sanction there if the scheme is going to be effective," Shroff said. The Law Commission is now reviewing the Privacy Act and will soon make a decision. Shroff says that if the commission opts not to recommend mandatory notification laws, she will consider introducing a statutory code. The chief executive of Business New Zealand said jumping to criminal sanctions is "disturbing" and unjustified.
Full Story  

HEALTHCARE PRIVACY—U.S.

Provider Fires 32 Employees for HIPAA Violations (May 9, 2011)

More than 30 employees of Allina Hospitals and clinics were fired May 5 for HIPAA violations, reports Kare 11. The provider alleges that the 32 employees, without authorization, looked up the electronic health records of 12 patients who were hospitalized for a mass drug overdose. Allina notes the employees did not have "legitimate patient care reasons" to look into the sensitive data. An Allina spokesman adds, "We take our obligation to protect patient privacy very seriously...anything short of a zero-tolerance approach to this issue would be inadequate."  
Full Story

GEO PRIVACY—U.S.

Experts To Testify at Mobile Phone Hearing (May 9, 2011)

Sen. Al Franken (D-MN) has released the names of the company executives being asked to testify at Tuesday's hearing before the Senate Judiciary Subcommittee on Privacy, Technology and the Law on such mobile phone privacy issues as sharing users' location data, Minnesota Public Radio News reports. Among those slated to testify will be FTC and Department of Justice officials, as well as Apple's vice president of software technology and Google's director of public policy. Meanwhile, a feature in USA TODAY asks readers to respond to a poll seeking their thoughts on the exchange of personal information to receive products and services.
Full Story

PRIVACY LAW—AUSTRALIA

Pilgrim Calls for Stricter Laws for Online Posts (May 9, 2011)

Australian Privacy Commissioner Timothy Pilgrim says he has recommended tougher laws for publishing to social networks images that could adversely affect an individual, The Daily Telegraph reports. The government is considering changes to current law, which allows for organizations, but not individuals, to be punished for mishandling personal information. Pilgrim says posting embarrassing photos or damaging information about individuals could harm their chances of gaining employment or put them in physical danger. Because posts can be made by a "much broader range of people rather than just organizations, we need to make sure the community has access to a broader range of remedies to be able to protect personal information," Pilgrim said.
Full Story  

PRIVACY LAW—U.S.

Rockefeller To Introduce Do-Not-Track Bill Next Week (May 6, 2011)
Sen. John "Jay" Rockefeller (D-WV) will introduce a do-not-track bill next week, The Washington Post reports. The Do-Not-Track Online Act of 2011 "would allow consumers to block websites and marketers from tracking their activity on the Internet," the report states. "Consumers have a right to know when and how their personal and sensitive information is being used online--and, most importantly, to be able to say 'no thanks' when companies seek to gather that information without their approval," Rockefeller said in a press release. The bill would task the Federal Trade Commission with enforcement of the law. (Registration may be required to access this story.)

DATA LOSS

Company Looks to Insurers in Breach Incident (May 6, 2011)

Reuters reports that Sony may be looking to its insurers to help pay for costs resulting from last month's data breaches. Larry Ponemon, CIPP, of the Ponemon Institute, says the breach could cost approximately $20 per person, or more than $2 billion, but, he added, "It's likely to be more expensive because credit data is involved." Sony Chief Executive Howard Stringer apologized to customers in a letter on Thursday. Stringer claimed there is "no confirmed evidence" of credit card misuse, but the company will offer a $1 million identity theft insurance policy per user. Meanwhile, the company faces a subpoena from New York's attorney general for the incidents.
Full Story  

PRIVACY LAW—U.S.

Couple Files Suit Over Laptop Spyware (May 6, 2011)

ABC News reports on a lawsuit filed this week by a Wyoming couple alleging that a national furniture and electronics rental company equipped its laptops with software to spy on customers. The suit, which seeks class-action status, alleges Aarons, Inc., violated the Federal Wiretap Act by renting the couple a computer with software that could intercept electronic messages, take photos and track keystrokes--all without the couple's knowledge, the report states. "To me, this seems to cross all sorts of ethics lines and lines of custom," said Paul Ohm of the University of Colorado Law School, adding the lawsuit includes "the kind of facts that might interest the FBI."
Full Story

GEO PRIVACY—AUSTRALIA

TomTom Announces Plan To Sell Data (May 6, 2011)

Shortly after getting heat in the Netherlands for selling data that was used by police to set speed traps, TomTom Australia has announced plans to sell user data to third parties, The Sydney Morning Herald reports. The company's vice president of marketing says they'll have to figure out how to ensure the data won't be used for speed traps but gave assurances that it cannot be tracked back to an individual. Australia Privacy Commissioner Timothy Pilgrim said companies that provide GPS devices should be clear about their practices, adding that he has concerns about data aggregation, "where pieces of individual data can be put together to build up a profile."
Full Story  

PRIVACY LAW—AUSTRALIA

Breaches May Advance Privacy Law Reform (May 6, 2011)

In light of Sony's recent data breaches, the Australian government may look to expedite reforms of its Privacy Act, reports The Register. Privacy Commissioner Timothy Pilgrim has asked Sony for information about the breaches and says he will investigate, adding, "I am particularly concerned that it involves information stored on an out-of-date database."  Pilgrim says the breach reinforces his view that companies need to further limit the amount of consumer data they collect and how long they store it. The Australian Law Reform Commission has recommended the introduction of a mandatory breach notification law, and the government is considering increasing the privacy commissioner's powers to impose penalties for serious breaches.
Full Story

DATA LOSS

Additional Data Breaches Reported (May 6, 2011)

Online password manager LastPass has warned users of a potential data breach and is asking customers to alter their master passwords, reports SC Magazine. Detecting "an anomaly" in network traffic, the security site said "we're going to be paranoid and assume the worst: that the data we stored in the database was somehow accessed." In two separate data breach incidents, Best Buy and Michaels have both notified customers that personal information may have been accessed.
Full Story  

ONLINE PRIVACY

Stoddart Calls for Transparency and Meaningfulness (May 6, 2011)

Privacy Commissioner Jennifer Stoddart yesterday released a report detailing the results of a series of public consultations about online privacy held last year, The Vancouver Sun reports. In the report, Stoddart calls on companies to better communicate with customers about their practices. "Transparency and meaningfulness of consent are serious issues and they generated a great deal of discussion on the panels," Stoddart said at the IAPP Canada Privacy Symposium in Toronto. "It is perhaps easy to get lost in the issue of opt-in versus opt-out, but one issue that needs serious consideration is that of meaningfulness." Stoddart's report also calls for the creation of standards to ensure privacy in the cloud computing environment.
Full Story

PRIVACY LAW

Judge Rules Against IP Address Linkage (May 6, 2011)

A U.S. judge has ruled that a copyright holder may not force Internet service providers to hand over subscribers' personal details, OUT-LAW News reports. Federal Judge Harold Baker said Canadian adult entertainment provider VPR Internationale cannot seek the personal information of illegal file sharers because an IP address--which, when linked with subscriber information, can identify the owner of the Internet connection line--could falsely identify the illegal file sharer, who could be a subscriber's family member, friend or anyone using the subscriber's IP address. The judge described trying to identify file-sharers by IP addresses as a "fishing expedition," which he said wouldn't be allowed for the "purpose and intention of class actions."
Full Story

PRIVACY LAW—INDIA

New Privacy Regulations Stricter Than EU, U.S. Provisions (May 5, 2011)
In a client alert released Wednesday, Morrison & Foerster reports on a "dramatic transformation" in the privacy landscape for India with the issuing of final regulations for the protection of personal information. The Information Technology Rules 2011 "apply to all organizations that collect and use personal data and information in India," the report notes, and represent the implementation of parts of the Information Technology Act. The rules include a provision for prior written consent for the collection and use of sensitive personal information in what the report's authors, Miriam Wugmeister and Cynthia Rich, describe as much stricter provisions than current laws in the EU and U.S. As a result, "U.S. and European multinational businesses...may have to adjust their personal data collection practices to conform to Indian data protection rules," the report states.

DATA LOSS—U.S. & CANADA

Lawmakers, Commissioner Press for New Powers (May 5, 2011)

In response to Sony's recent data breaches, U.S. lawmakers are pressing for legislation that would set up national standards in cases of data breaches, reports the Financial Times. At a U.S. House of Representatives meeting on Wednesday, Rep. Mary Bono Mack (R-CA) said, "We need a uniform national standard for data security and data breach notification and we need it now." The U.S. attorney general has also confirmed that the Department of Justice is investigating the breach. Meanwhile, Canada's privacy commissioner wants new powers to exact "significant, attention-getting fines" on companies with poor breach protection and response. Sony has suggested that a cyber-activist group is behind the breaches. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Capitol Hill Talks Focus On Recent Breach Headlines (May 5, 2011)

Two hearings on Capitol Hill yesterday focused on recent data breaches and location-based data privacy concerns. The House Commerce, Manufacturing and Trade Subcommittee heard from witnesses including the FTC's David Vladeck on recent incidents at Apple and Google. Vladeck said the industry isn't taking self-regulation seriously enough and called for comprehensive data security legislation. Members expressed frustration at Sony and Epsilon for failing to appear at the hearing. At a Senate Judiciary Committee hearing, U.S. Attorney General Eric Holder confirmed a Department of Justice investigation into the Sony breach.
Full Story

PRIVACY—CANADA

Commissioner Calls for Fining Powers (May 5, 2011)

"It seems to me that it's time to begin imposing fines--significant, attention-getting fines--on companies when poor privacy and security practices lead to breaches," said Canadian Privacy Commissioner Jennifer Stoddart this week. Unlike its counterparts in the UK, Spain and France, Canada's Office of the Privacy Commissioner does not have the power to impose fines. But at a recent event in Ontario, Stoddart said that gaining such powers is one of her top priorities, the Financial Post reports.
Full Story

DATA PROTECTION—CANADA

Privacy Offices Launch Assessment Tool (May 5, 2011)

In the wake of recent high-profile data breaches, three of Canada's privacy commissioners have together created a tool for small- to medium-sized businesses to assess whether they are meeting federal and provincial data protection standards. The federal privacy commissioner and those from Alberta and British Columbia developed the online tool, which is made up of "dozens of yes or no questions," covering topics such as network and database security, access control and incident management, reports IT Business. One privacy expert questions how much the tool will be used, saying it may be better suited for larger organizations, as it "may be over the heads of most smaller businesses."
Full Story

HEALTHCARE PRIVACY—NEW ZEALAND

Shroff Rolls Out Toolkit for Awareness Week (May 5, 2011)

Privacy Commissioner Marie Shroff has released a toolkit for healthcare providers and consumers as part of Privacy Awareness Week. The kit contains brochures and fact sheets for consumers as well as an updated privacy reference guide, case notes and a training presentation for providers. Otago Daily Times reports that Shroff said the patient-provider relationship is "based on confidentiality and trust," and while providers do their best, it's important for consumers to know their rights. "Consumers need the chance to participate in the conversation about how their health information can be appropriately managed. They need some control. And they can only do this if they know what's going on," she said.
Full Story

PRIVACY LAW—U.S.

Texas Bill Bans Patient Record Sales (May 5, 2011)

Privacy advocates say that State Rep. Lois Kolkhorst's (R-District 13) bill aiming to protect Texans' healthcare privacy is a vast improvement over federal law, The Texas Tribune reports. The bill would ban the sale of Texans' healthcare records and notify them when their electronic health records have been transferred, the report states. Penalties for noncompliance would carry fines of up to $3,000 per violation with up to $1.5 million in legal damages. Opponents say the bill will stifle business. Kolkhorst says the bill, which will see a final vote in the house this week, "is to protect your health records as we move into the electronic age." 
Full Story

DATA PROTECTION—EU

Reding Speaks Out on Recent Incidents (May 4, 2011)
The New York Times reports that recent worldwide data privacy incidents have spurred increased interest in data protection regulation. In a speech on Tuesday, EU Justice Commissioner Viviane Reding said she will propose expanding breach notification requirements to businesses outside the telecommunications sector. Citing recent breach events, Reding said in a statement that "European citizens care deeply about protecting their privacy and data protection rights...Any company operating in the EU market or any online product that is targeted at EU consumers should comply with EU rules." A Georgetown University professor said, "Authorities in Europe have decided that consumers better not be duped." (Registration may be required to access this story.)

DATA LOSS

Senator, Commissioner Take Action Following Breach (May 4, 2011)

Reaction to last month's data breaches of Sony's PlayStation Network and its Online Entertainment service continues. Sen. Richard Blumenthal (D-CT) sent a follow-up letter to Sony on Tuesday saying he is "deeply concerned about the egregious inadequacy of Sony's efforts thus far to notify its customers of these breaches," reports The New York Times. Australian Privacy Commissioner Timothy Pilgrim will question whether Sony's Australian outfit was in violation of the country's Privacy Act, and a Canadian law firm has announced a $1 billion class-action lawsuit against Sony. The company said it has hired outside investigators and cybersecurity detectives "to help with the clean-up." Larry Ponemon, CIPP, chairman of the Ponemon Institute, said, "This may be the mother of all data breaches at this point." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

FTC Settles Charges Against Two Companies (May 4, 2011)

The Federal Trade Commission (FTC) has settled charges against two companies that allegedly failed to protect sensitive data about their business customers--despite claims to the contrary--in violation of federal law. According to an FTC press release, Ceridian Corporation and Lookout Services, Inc., have agreed to the settlement, which will require the companies to "implement a comprehensive information security program" and obtain biennial security audits for the next 20 years. The consent agreements will be subject to public comment through June 2.
Full Story

PRIVACY LAW—U.S.

Do-Not-Track Bill Gets State Senate Hearing (May 4, 2011)

California Sen. Alan Lowenthal (D-Long Beach) gave testimony Tuesday to the Senate Judiciary Committee on his proposed do-not-track bill, SB 761. If passed, the bill would enable Internet users to opt out of being tracked by websites, require businesses to disclose how tracked data is being used and subject violators to civil action for damages. Lowenthal was joined by three witnesses in support of the legislation, but several witnesses were present to oppose it, saying it would hurt business and the job market, reports this Daily Dashboard exclusive. Editor's Note: Privacy Tracker subscribers can hear more during Thursday's audio conference at noon EDT.
Full Story

ONLINE PRIVACY

Study: Define “Do Not Track” (May 4, 2011)

Initial results of a study of 200 Web users reveal that consumers might define the term "do not track" differently than Web companies, MediaPost reports. Preceding last week's World Wide Web Consortium workshop, researcher Aleecia McDonald asked Internet users what kind of data would be collected after activating a do-not-track option. Nearly 40 percent of respondents felt that "nothing at all" would be collected. Fifty-one percent of those polled indicated that they would not be surprised if nothing changed after they activated a do-not-track option. Eighty-one percent said it was the first time they had heard the phrase do not track.
Full Story

DATA LOSS—CANADA

Suit Seeks $1 Billion in Damages (May 4, 2011)

A $1 billion suit has been launched against Sony Corporation and its PlayStation and Qriocity networks for alleged negligence associated with the company's recent data breaches, the Toronto Star reports. The suit was filed in the Ontario Superior Court of Justice and seeks class-action status. The plaintiff, a 21-year-old college student and self-described loyal Sony customer, said in a statement that she was disappointed. "If you can't trust a huge multinational corporation like Sony to protect your private information, who can you trust?" she asked. The complaint alleges that Sony "failed to adequately safeguard certain personal information, financial data and usage data" and that it delayed notifications to affected and interested parties.
Full Story

DATA LOSS—U.S.

TV Show’s Audition Database Hacked (May 4, 2011)

Techworld reports on a television show's data breach resulting in the loss of 250,000 individuals' personal information. Hackers illegally accessed a database containing information about individuals auditioning for Fox Broadcasting's "The X Factor." The lost information includes names, addresses, phone numbers and dates of birth. Those affected have been notified by e-mail and the FBI has been informed. "The worry now is that criminals will use the data to mask social engineering or identity attacks," the report states.
Full Story

Do-Not-Track Bill Gets State Senate Hearing (May 4, 2011)

 

By Jedidiah Bracy, CIPP

Saying it was a “historic moment,” California Sen. Alan Lowenthal (D-Long Beach) gave testimony Tuesday to the Senate Judiciary Committee on his proposed do-not-track bill, SB 761. Conceding that there are “recognizable concerns” with the proposed legislation, Lowenthal also stated that Californians have a “fundamental right to privacy.”

“This is the first bill of its kind to have a public hearing in the nation,” he said.

Introduced in April, the bill would enable Internet users to opt out of being tracked by websites, advertising networks or any business that “collects, uses or stores” a consumer’s online data. It would also require businesses to disclose how that data is gathered, processed and retained. Violators also would be subject to civil action for damages.

Consumer Watchdog’s Jamie Court, one of three witnesses who were present in support of the legislation, said that people using smartphones “should not have to worry that their personal information is being collected.”

Travis LeBlanc, California’s special assistant attorney general who oversees the office’s work on technology, high tech crime, privacy and healthcare, also provided testimony. He said he joins Lowenthal in launching the conversation and cited California’s “laudable spirit” to protect privacy.

At least 13 witnesses were present to oppose the legislation, including representatives from TechNet, the California Chamber of Commerce, Yahoo, Google, LexisNexis, the Direct Marketing Association and the Motion Picture Association of America.

A TechNet representative expressed concern that the bill was “unworkable and unenforceable” and was “targeted at the part of the California economy that is growing the fastest.” He also argued that major browsers like Mozilla and Microsoft already offer opt-out technology.

A representative from the California Chamber of Commerce noted that the bill would have a “chilling effect on job growth” and that it would negatively impact industry beyond the Internet, including banking, retail and insurance.

Opponents have also noted that there could be constitutional and interstate commerce issues with the bill.

Yet Court drew a parallel between the arguments heard from those against the do-not-track mechanism and those made against the U.S. Do Not Call Registry. “When we established the do-not-call list, telemarketers made the same claim,” but it didn’t hurt the industry, he said.

When asked if industry representatives have...

Company Reports Second Data Breach (May 3, 2011)
The Washington Post reports that Sony has been hit by a second data breach that may affect up to 24.6 million users. On April 16 and 17, prior to the larger breach of Sony's PlayStation Network, hackers breached Sony Online Entertainment and accessed personal information, including 23,400 debit and credit card numbers. Meanwhile, Sony has declined to testify before a U.S. House of Representatives hearing on data breaches because of its own "ongoing investigation," saying it will provide lawmakers with answers in writing. A spokesman for Rep. Mary Bono Mack (R-CA) said, "While we certainly understand that the company is going through a difficult time, there are still millions of American consumers twisting in the wind, and we're determined to get some answers for them." (Registration may be required to access this story.)

GEO PRIVACY—THE NETHERLANDS

TomTom Data Used by Police for Speed Traps (May 3, 2011)

Personal navigation device and service provider TomTom is amending its contracts to ban police from using its data after finding out that Dutch police were using it to place speed traps, reports The Wall Street Journal. TomTom collects anonymous data from owners of its devices to provide real-time data to subscribers and also sells the data to governments throughout Europe, Canada and the U.S. Chief Executive Harold Goddijn says that while the company adheres to "strict privacy laws," the realization that the police were using the data in this way was "a sobering experience." While there is no indication that this has occurred anywhere other than the Netherlands, Goddijn said the company can't rule it out. (Registration may be required to access this story.)
Full Story

DATA PROTECTION—AUSTRALIA

Commissioner Warns Gov’t Agencies of Cloud’s Risks (May 3, 2011)

The desire to reduce costs by using cloud computing should be weighed against the risk factors, warns Victoria Privacy Commissioner Helen Versey. State government entities that store data in a cloud hosted internationally complicate the state government's ability to protect the data from misuse, loss and unauthorized access, Versey said, adding that it "may even be possible for foreign governments to access the information if that government requires it. By using a cloud service, the government agency is relinquishing some--if not all--control over their data." Versey this week released a decision-making guide on cloud computing, The Australian reports.
Full Story

GEO PRIVACY—U.S.

Advocates: “Clear Control Needed” for Location Data (May 3, 2011)

In the wake of reports about mobile devices tracking and sharing users' locations, the San Francisco Chronicle reports on calls from researchers and privacy advocates alike for users to have awareness of and control over such practices. "Consumers also deserve a clear and easy way to turn off location tracking," the report states. Meanwhile, Verizon has announced plans to put a warning sticker on its devices to let users know they can be used to track locations. A paidContent feature suggests that when it comes to location-based services, the "disconnect between modern technology and traditional notions of privacy" must be resolved.
Full Story

PRIVACY—EGYPT

Egypt Delves Into Data Privacy (May 3, 2011)

Egypt is in transition from a dictatorship to a democracy, and some say now is the time to call for changes in law. Sarwat Nafei, president advisor of the National Telecom Regulatory Authority (NTRA), says that privacy law under President Mohamed Hosni Mubarak's regime was not enforced and no data retention law exists. A May 9 KnowledgeNet in Cairo aims to gather government, advocacy group and industry representatives to discuss what privacy law should look like and how stakeholders can facilitate change. In this Daily Dashboard special, Nafei talks about the event.
Full Story

HEALTHCARE PRIVACY—U.S.

Expert: New Rules, Increased Enforcement En Route (May 3, 2011)

Over the course of this year and into the next, we'll continue to see confusion in the healthcare industry when it comes to privacy, says Kirk Nahra, CIPP, of Wiley Rein. That's because many entities that are covered by the Health Insurance Portability and Accountability Act don't realize that they're liable, Nahra told The Metropolitan Corporate Counsel. For that reason, this year there will likely be both increased enforcement and rules around healthcare privacy. When it comes to social media, Nahra says "companies need to both educate and inform their employees," adding that companies must evaluate everything they do involving personal information.
Full Story

HEALTHCARE PRIVACY—U.S.

Large PHI Data Breach Incidents Now at 265 (May 3, 2011)

The number of large health data breaches reported to the Office for Civil Rights (OCR) is now at 265, according to HealthLeaders Media. As a provision to the HITECH Act, the OCR now posts entities who have reported a breach of personal health information that affects more than 500 individuals. The single largest reported breach affected 1.9 million individuals. In the 15 months since the OCR began posting the breaches, there has been an average of nearly 18 per month, or slightly more than one every other day, the report states.
Full Story

ONLINE PRIVACY—U.S. & SOUTH KOREA

Google Services Prompt Questions, Investigation (May 3, 2011)

The Center for Digital Democracy (CDD) is asking the FTC to require Google to remove statements in its privacy policy that its behavioral advertising program does not collect PII, MediaPost reports. Asking the FTC to include behavioral targeting restrictions in its proposed Buzz settlement, the CDD wrote, "the commission should require Google to revise its policies to reflect the inherently personal nature of cookies and related data targeting and collection applications." Meanwhile, police in South Korea are investigating Google's privacy policies over what one official said are concerns that the company's "AdMob collected personal location information without consent or approval from the Korean Communication Commission."
Full Story

DATA LOSS—U.S.

Baseball Franchise Mistakenly Distributes PI (May 3, 2011)

An employee for the New York Yankees sent an e-mail to "several hundred" season ticket holders with an attached spreadsheet containing the personal information of all recipients. According to The Street, the spreadsheet in question included the names, addresses, phone numbers and e-mail addresses of the ticket holders but did not include more sensitive information like Social Security numbers, birth dates and credit card numbers. Some experts are asking whether e-mail addresses should be considered personally identifiable information. "Immediately upon learning of the accidental attachment of the internal spreadsheet," the team said, "remedial measures were undertaken so as to assure that a similar incident could not happen again."
Full Story

Plans for Data Retention and Privacy Laws in Egypt (May 2, 2011)
Egypt’s recent revolution presents an ideal opportunity for changes and improvements to the country’s data protection and privacy laws. That’s according to Sarwat Nafei, president advisor at the National Telecom Regulatory Authority, who says privacy must be made more of a priority than it was under the previous regime, and now is the time to make it so.

ONLINE PRIVACY—U.S.

“Big Data” Worries Abound (May 2, 2011)
In a feature for The New York Times, Natasha Singer reviews recent events in what she writes "was not a good week for those who guard their privacy." From recent research indicating that smartphones have been gathering users' location data to a breach affecting a gaming network and the Supreme Court's review of a data-mining case that has attorneys pitting free speech against privacy in determining whether doctors can let pharmacies sell prescription records, Singer suggests that along with "Big Oil" and "Big Pharma," consumers need to worry about "Big Data." The report suggests that the current Supreme Court case may help answer the question, "to what extent do others have a right to share and sell that information?" (Registration may be required to access this story.)

PRIVACY LAW—U.S.

Judge Dismisses Flash Case (May 2, 2011)

A judge has dismissed a lawsuit alleging an ad network used Flash cookies to track users online, MediaPost News reports. The seven users who filed the suit did not "adequately allege" economic losses, ruled U.S. District Court Judge George Wu. The plaintiffs alleged that their data has value, that they were not compensated when ad company Specific Media used it and that their privacy was violated when they were tracked. Specific Media has denied using Flash cookies, the report states. Last year, two companies paid a $2.4 million settlement in a similar case.
Full Story

DATA LOSS

Company Apologizes for Data Breach (May 2, 2011)

Sony apologized for the security breach that may have affected up to 77 million users and announced it will create a new chief information security officer position to oversee consumer data protection, The Wall Street Journal reports. The EU is "considering possible actions" against Sony, and U.S. lawmakers are pushing for more information about what personal data was compromised. Rep. Mary Bono Mack (R-CA) has scheduled a hearing on data theft on May 4, and Rep. Bobby Rush (D-IL) released a statement announcing he will re-introduce a bill on data security legislation. "It is my hope," said Rush, "that industry and consumer advocates will engage with this congress so that we can craft a strong, bipartisan bill that...mitigates foreseeable threats against consumers' sensitive, personal and confidential information." (Registration may be required to access this story.)
Full Story

DATA PROTECTION—AUSTRALIA

Pilgrim: Companies Need To Protect Consumer Data (May 2, 2011)

Privacy Commissioner Timothy Pilgrim is calling on companies to make sure their data protection efforts are "world standard." Citing the breach notification laws in 40 U.S. states, the commissioner said the Australian Law Reform Commission is recommending similar regulations, reports ABC Sydney. Pilgrim says that while the onus is on companies to protect information online, users can do more by setting privacy settings to the strongest level. For those who feel their privacy has been breached, the commissioner will hear complaints, but, the report states, the Law Reform Commission is also asking for an "explicit right to privacy" so people can bring lawsuits.
Full Story

PRIVACY LAW—U.S.

Suit Alleges File Sharing Violates Privacy (May 2, 2011)

An H&R Block franchise in Colorado and seven of its clients have filed a complaint in district court alleging H&R Block is requiring them to use software that enables customer file sharing across the company, reports The Coloradoan. Linda Wild, who owns the franchise, says H&R Block informed her that her contract with the company would be terminated for not using the software, which provides access to such data as children's Social Security numbers, account numbers, names and addresses. Wild objects to the software because it stores the customer information in a central database accessible to all H&R Block agents, employees, affiliates and their employees.
Full Story

DATA PROTECTION—NEW ZEALAND

Survey: Organizations Need Guidance for Offshore Data Storage (May 2, 2011)

Results from a survey conducted by New Zealand Privacy Commissioner Marie Shroff indicate that the public and private sectors need more guidance for the offshore storage of personal information, reports Voxy. "The International Disclosures and Overseas ICT Survey" queried 50 businesses and government agencies about where they stored personal information, reasons for its use and storage overseas and how it was protected. The article suggests that many organizations have controls for data in transit but no controls for information once it's sent overseas. "If New Zealand businesses and government agencies are going to take advantage of the benefits the cloud can offer," said Shroff, "it is imperative that privacy issues are tackled and got right."
Full Story

DATA LOSS—U.S.

Comptroller Takes Blame, Gets Sued (May 2, 2011)

Computerworld reports that Texas Comptroller Susan Combs has, in a statement, apologized for her office's recent data breach, saying she takes "full responsibility for it." Combs also said her office will be adding staff--including a chief privacy officer--reorganizing reporting structures and implementing new software to prevent future breaches. The office is providing free credit monitoring to those affected, and the report states that Combs has said she'll pay for identity restoration services from her own campaign funds. A Houston lawyer filed a class-action lawsuit to ensure that promise is kept, reports the Houston Chronicle. The suit, filed against Combs and the state of Texas, asks that "Combs be required to pay for costs relating to credit monitoring and identity theft."
Full Story

ONLINE PRIVACY—U.S.

Despite Breaches, Consumers Dish Out Data (May 2, 2011)

Consumers continue to share their personal information with online retailers and social networks despite the frequency and size of breaches involving sensitive data, reports the Associated Press. Jim Dempsey of the Center for Democracy and Technology says that, as consumers, we are "schizophrenic" about technology in that, "We love it, we use it...we've woven it into our daily lives professionally, socially and personally. But we don't really trust it, and we get upset when our data is lost or stolen." According to the Privacy Rights Clearinghouse, more than half a billion records have been exposed in the past six years, the report states.
Full Story