Privacy News | Daily Dashboard

Top Privacy News

PRIVACY LAW—U.S.

Commissioners Disagree on Do Not Track (June 30, 2011)

Participants at a Senate Commerce Committee hearing voiced differing views on how to legislate online privacy, if at all, The Washington Post reports. FTC Commissioner Julie Brill testified on the need for a do-not-track mechanism online as well as on mobile devices. But FTC Commissioner Thomas Rosch has said the commission must understand do not track's application before promoting it, recommending that the FTC interview ad network executives under oath to collect evidence on common tracking methods. Sen. John Kerry (D-MA) and Sen. Jay Rockefeller (D-WV) discussed their proposed bills, while Sen. Pat Toomey (R-PA) questioned the need for legislation at all. Meanwhile, Reps. Greg Walden (R-OR) and Mary Bono Mack (R-CA) have announced a series of online privacy hearings to begin July 14. (Registration may be required to access this story.)

PRIVACY LAW—INDIA

Official: DSCI To Clarify IT Act Amendment (June 30, 2011)

The Data Security Council of India (DSCI) has announced that it will clarify a data collection amendment in the IT Act within the next two to three weeks. U.S. legal experts have expressed concern over Section 43A of the act, saying that it would put a financial burden on companies that outsource to India because they would have to obtain written consent from every client, The Times of India reports. DSCI CEO Kamlesh Bajaj says that such consent would only be necessary if a client is based in India. "We have discussed this matter with the government and expect them to clarify this stance," says Bajaj. "The fears over increased costs are baseless." Editor's Note: A review of the IT Act is featured in the current edition of The Privacy Advisor.

FINANCIAL PRIVACY

Study: Hackers Outpacing Bank Security (June 30, 2011)

Evidence in a recent study suggests that large credit card-issuing banks are not keeping up with the technological sophistication of hackers, TIME reports. One research firm analyzed and graded the online security practices of the financial sector's 23 largest card-issuing institutions. Based on a 100-point scale, the average score was a 59. "The good news is issuers are doing a better job overall of resolution, but that's the easiest thing to do," says the study's lead author. "Prevention is the hardest to do, but it's got the biggest payback." The study also noted that banks have a strong record of eliminating fraudulent charges from individuals' bank accounts.

DATA LOSS—INDIA

Database of 300,000 Accidentally Published (June 30, 2011)

The Register reports that Sosasta.com, a subsidiary of Groupon, accidentally published a database containing e-mail addresses and clear-text passwords of approximately 300,000 users. The report also states that the cache was indexed by Google. The published data was discovered by a security consultant in Australia. A spokesman from Groupon said they were alerted of the issue and have addressed the problem, adding, "We have begun notifying our subscribers and advising them to change their Sosasta passwords as soon as possible...We will keep our Indian subscribers fully informed as we learn more."

DATA LOSS—U.S.

Report: Breach Victims More Susceptible to Fraud (June 30, 2011)

Victims of a data breach are more than four times as likely to become victims of fraud as other consumers, Reuters reports. That's according to the Javelin Strategy and Research annual report, which says credit card companies should be doing more to alert customers to potential dangers, such as notifications when issuing new cards or changing billing addresses. The report also notes that hackers have become more sophisticated, threatening "the current security model, resulting in a call to action for issuers to take a strong look at the processes in place for detection and prevention of fraud," said Javelin's Philip Blank.

DATA RETENTION—EU

Opinion: Directive Should Be Repealed (June 30, 2011)

The European directive on data retention remains as contentious today as it was when it passed parliament five years ago, writes German MEP Alexander Alvaro in EurActiv. Privacy concerns and "flawed and inconsistent data retention practices" demonstrate the law's ineffectiveness, Alvaro says, adding that eight of the 19 member states that have implemented the directive have imposed stricter laws than the directive intended--retaining data for all criminal offenses and not just for the prevention of serious crimes. "The commission should listen to its own data and repeal the directive," Alvaro writes.

PRIVACY LAW—U.S.

Committee Focuses on Do Not Track (June 29, 2011)

"Consumers should not be expected to make tracking choices on a company-by-company basis," said FTC Commissioner Julie Brill in an address on Monday at the Center for American Progress, adding that therefore, do not track should apply to mobile devices as well, ClickZ reports. The FTC yesterday published tips for consumers to protect their privacy when using mobile apps. Brill is also scheduled to testify at today's Senate Commerce Committee hearing on privacy and data security. At the hearing, Consumers Union will present survey results indicating that 81 percent of Internet users favor a do-not-track mechanism, and the Commerce Department's Cameron Kerry is expected to testify in support of consumer data privacy legislation, including do not track. Editor's Note: Brill will deliver a keynote address at the IAPP Privacy Academy in Dallas, TX, in September.

ONLINE PRIVACY—EU & U.S.

Analysis: Balancing Innovation with Privacy (June 29, 2011)

The Wall Street Journal reports on the increasing challenges businesses face balancing technological innovation with individuals' right to privacy. European Commissioner Neelie Kroes says, "Updating and improving our legal and administrative tools for privacy protection to make them more effective in a globalized world empowered by new information and communication technologies is one of the key challenges addressed as part of the current review of the EU's data protection rules." According to the article, potential U.S.-EU cooperation could generate a global privacy agreement, but as more services move to the cloud, such an agreement could become complex. One expert says, "Cloud computing and increased use of the Internet will increase the focus on privacy and data protection." (Registration may be required to access this story.)

PRIVACY LAW—U.S.

States Legislate Healthcare, Employee Privacy (June 29, 2011)

Texas Governor Rick Perry has signed a healthcare privacy law that goes beyond HIPAA's requirements, GovInfoSecurity reports. Rep. Lois Kolkhorst (R-District 13) says the push for electronic health records in the HITECH Act's incentive program and the lack of federal HIPAA enforcement spurred the legislation, which will go into effect September 12 and will establish an infrastructure for state oversight and enforcement of healthcare privacy. Meanwhile, Oklahoma's Supreme Court has upheld a lower court's decision barring "state personnel officials from releasing the birthdates of state employees," NewsTimes reports. The court said releasing such information could result in identity theft.

ONLINE PRIVACY—INDIA

Cloud Advisory Group To Be Formed (June 29, 2011)

The Data Security Council of India announced that it will form a cloud security advisory group to help come up with a policy framework for stakeholders, reports The Financial Express. The panel will be composed of lawyers and representatives from cloud service providers, IT companies and law enforcement and will advise the government on security, privacy and server locations as it is expected to encourage cloud use at government data centers. Kamlesh Bajaj, CEO of the Data Security Council of India, said, "Everybody is concerned about cloud security...Clients who are outsourcing to cloud service providers would like to be assured."

PRIVACY LAW—U.S.

Court Requires Deposition for Texas Comptroller (June 29, 2011)

A Travis County, TX, judge ruled on Monday that State Comptroller Susan Combs must submit to a three-hour deposition, and a representative from her office may be deposed for up to six hours, in response to a breach-related petition brought by two Austin attorneys, reports the Houston Chronicle. The petition was filed on behalf of a teacher whose information was exposed when a server maintained by the comptroller's office was left open to the public. According to the report, the judge ruled that "the likely benefits of allowing the depositions to investigate a potential claim outweigh the burden or expense of the procedure."

SOCIAL NETWORKING

Privacy Emphasized in New Google Network (June 29, 2011)

Google has introduced a new social networking service that will allow users to communicate status updates, photos and links, The New York Times reports. The Google+ project will initially be available to a "select group" of Google users, according to the article, who will then be able to extend the network by inviting friends and groups into the network. Though many of the features will be similar to Facebook, Google's site is engineered to allow small groups to share information without sharing updates with all of an individual's friends. "In real life, we have walls and windows, and I can speak to you knowing who's in the room," says a Google representative, "but in the online world, you get to a 'Share' box and you share with the whole world...We have a different model." (Registration may be required to access this story.)

PRIVACY LAW—U.S.

FTC Levies $1.8 Million Fine for FCRA Violations (June 28, 2011)

The Federal Trade Commission (FTC) has fined Teletrack Inc. $1.8 million for Fair Credit Reporting Act (FCRA) violations. According to an FTC press release, Teletrack sold credit reports to marketers, which violates the federal law. "The FCRA says a credit reporting agency like Teletrack can't sell a consumer's sensitive credit report information for merely sales pitches," said FTC Bureau of Consumer Protection Director David Vladeck. The settlement requires that the company pay a civil penalty of $1.8 million and only provide credit reports to those deemed permissible to receive them under FCRA. The settlement also spells out record-keeping requirements to ensure compliance with the order.

PRIVACY LAW—THE NETHERLANDS

Law Requires Unambiguous Cookie Consent (June 28, 2011)

A new Internet privacy law adopted by the Dutch Parliament requires prior consent from Internet users before website operators may store cookies on users' computers. In this Daily Dashboard exclusive, Nicole Wolters Ruckert and David Korteweg of Kennedy Van Der Laan explore the implications of the new "cookie law" incorporated in the Dutch Telecommunications Act. Under the new law, Web browsers' acceptance of all cookies under standard settings is not considered a form of consent, they note. The new law "goes further than what the ePrivacy Directive required member states to do," the authors write, adding that the law is already stirring up "quite a lot of controversy in the Netherlands and abroad."

PRIVACY LAW—U.S.

Supreme Court To Hear GPS Privacy Case (June 28, 2011)

The Supreme Court will review whether the government can track suspects by attaching GPS devices to their vehicles without a court warrant, Wired reports. Urging the justices to overturn a lower court decision, the Justice Department said that "a person has no reasonable expectation of privacy in his movements from one place to another." The Obama Administration also added, "Prompt resolution of this conflict is critically important to law enforcement throughout the U.S." A representative from the American Civil Liberties Union, meanwhile, said, "The court has the opportunity in this case to safeguard Fourth Amendment privacy protections in the face of technological advances. Police surveillance using GPS technology raises significant privacy concerns."

DATA PROTECTION—SWITZERLAND

Commissioner Calls for Privacy by Default (June 28, 2011)

There is a need for greater transparency in the processing of personal data, according to Swiss Data Protection Commissioner Hanspeter Thür. In his annual report, released yesterday, Thür said changes are needed due to the "rapid pace of development in the area of communication technologies," and that "data protection principles must be included in all projects and taken into account from the very outset." The report notes that Thür handled many cases related to new technologies in the last year. An issue of particular concern is "evercookies," Swissinfo.ch reports.

ONLINE PRIVACY—U.S.

Brill: FTC Will Continue Push for Do Not Track (June 28, 2011)

At a Center for American Progress event yesterday, FTC Commissioner Julie Brill said that the commission will continue to push for a universal mechanism to allow Internet users to stop websites and mobile applications from tracking them, reports Computerworld. While she did not advocate for new laws, Brill called on Internet providers and app builders to support do-not-track mechanisms. "This branch of the information superhighway is in desperate need of basic reform," Brill said. Others at the event voiced support for an "erase button" and legislation to prevent the tracking of children, but FTC Chief Technology Officer Ed Felten said implementation would be a "head scratcher." Editor's note: Julie Brill will present a keynote speech at the IAPP Privacy Academy 2011, September 14-16, in Dallas, TX.

DATA LOSS—U.S.

Public Health Dept. Reports Second Breach (June 28, 2011)

The California Department of Public Health (CDPH) has been breached for the second time in six months, Info Security reports. The personal information of 9,000 employees was "improperly copied to a private hard drive and removed from state offices," according to the CDPH. The information includes names, addresses, Social Security numbers, birth dates, next-of-kin names and addresses and workers' compensation documents, the report states. The agency is offering credit monitoring services to those affected and is reviewing its security procedures. The CDPH reported a separate breach in December 2010, which affected up to 2,550 individuals.

PRIVACY LAW—U.S.

Privacy, Security the Focus at Hearings, Forum (June 28, 2011)

The Senate Commerce Committee will hold a hearing this Wednesday on data security and privacy and has lined up two panels with witnesses from the Federal Trade Commission (FTC), the Commerce Department, Hewlett-Packard, Sony and other industry representatives. The committee says it will look at "how entities collect, maintain, secure and use personal information in today's economy and whether consumers are adequately protected under current law," Broadcasting & Cable reports. Meanwhile, the Federal Communications Commission's Wireless Bureau is hosting a forum today on location-based services and privacy. The forum features representatives from Google, Facebook, Foursquare, the FTC and the Center for Democracy and Technology, among others.

PRIVACY

Expert: Need for Privacy Trumps Cultural Differences (June 28, 2011)

In a blog post for the Center for Democracy & Technology's "CDT Fellows Focus" series, Omer Tene, associate professor at the College of Management School of Law, analyzes the cultural perceptions of privacy in the U.S. and Europe. "While the psychological need for and social value of privacy are universal," Tene says, "legal and societal privacy norms diverge to the extent that we must ask whether we are speaking about the same thing." In highlighting "the varying cultural perceptions of privacy," Tene asserts that "it is not simple, then, to determine whether there is 'more' privacy east or west of the Atlantic."

New Dutch cookie law requires prior consent from Internet users (June 28, 2011)

By Nicole Wolters Ruckert and David Korteweg

Last week (on 21 June 2011), the Dutch Parliament passed a bill which transposes the amendments to the ePrivacy Directive. Pursuant to the new “cookie law,” incorporated in the Dutch Telecommunications Act (article 11.7a under 1), website operators will be required to obtain prior consent from users before they can store or gain access to cookies on the user’s computer (opt-in). Furthermore, the use of cookies for behavioral advertising is presumed to be a processing of personal data within the meaning of the Dutch Data Protection Act (DDPA) (article 11.7a under 1, last sentence).

By introducing the requirement of prior consent and the assumption of processing personal data when cookies are used for certain purposes, Dutch law goes further than what the ePrivacy Directive required Member States to do. As expected, this new law has stirred and will stir up quite a lot of controversy in the Netherlands and abroad.

Prior informed consent
The new cookie law is part of a larger bill amending the Dutch Telecommunications Act (DTA), thereby implementing the changes to the European ePrivacy Directive. Article 11.7a under 1 DTA only permits online entities to store information or gain access to information stored in the terminal equipment of a user (e.g. storing or accessing cookies) where (i) the user is provided with clear and complete information in accordance with the DDPA, and in any event about the purposes for which the information is stored and accessed; and (ii) the user consents to such an act. The word consent in this article refers to the definition of consent in Article 1.1 (i) DDPA and should therefore be a freely-given, specific and well-informed consent. According to the explanation provided to the bill, the common practice where web browsers automatically accept all cookies under their standard settings cannot be considered as a form of consent within the meaning of this new article. The explanation provided to the bill also explicitly states that such consent should be obtained prior to the storage of and access to cookies.

Presumption of processing personal data: “unambiguous” consent?
The first sentence of article 11.7a under 1 DTA leaves no doubt that the DDPA will apply to the storage of and access to cookies if this entails a processing of personal data (“Notwithstanding the DDPA…”). According to the last sentence of article 11.7a under 1 DTA, the act of storing and accessing usage information...

PRIVACY LAW—EU

Kroes: One Year To Agree to Online Privacy Standards (June 27, 2011)

European Union member states should agree to online privacy standards by June 2012, says European Commission Vice President Neelie Kroes. In a Brussels speech to the Online Tracking Protection & Browsers Workshop last week, Kroes advocated for icons allowing users to opt out of cookies but added that more was needed, computing.co.uk reports. "The standard must be rich enough for users to know exactly what compliant companies do with their information and for me to be able to say to the industry, if you implement this, then I can assume you comply with your legal obligations under the ePrivacy Directive."

STUDENT PRIVACY—CANADA

District: No Posting School Pics Online (June 27, 2011)

The Winnipeg School Division has adopted a new policy aimed at protecting children. The policy forbids posting photos or video of public school events to the Internet, reports the Edmonton Journal. Kristine Barr, chairwoman of the division's policy/program committee, said that parents can photograph events for personal use, but any photos or video that include children other than their own may not be posted online. Principals will be responsible for notifying people of the rule and asking them to remove disallowed content from the Internet. Barr says she recognizes this will be "difficult to enforce" but that the division hopes parents, staff and others will comply.

DATA LOSS

Critics: Breach Response Has Been Lackluster (June 27, 2011)

The Globe and Mail reports that Citigroup's handling of its recent data breach is drawing criticism. Following a hack by cybercriminals that exposed more than 360,000 credit card accounts, Citigroup did not offer to buy those affected one year of preventative credit monitoring services, as has become typical for companies after a breach occurs. The deputy director of national priorities for Consumer Action said that consumers "might want to turn to Citibank and ask them to do more." Marc Rotenberg of the Electronic Privacy Information Center said, "Citigroup needs to take this recent breach more seriously than they have." Meanwhile, Citigroup has disclosed that about 3,400 of those affected have lost about $2.7 million.

DATA LOSS

More Companies Train and Prepare for Breaches (June 27, 2011)

Business Insurance reports on the growing concern businesses have in the face of increased hacker attacks and cybersecurity risks. The report notes that breach preparation will place a business in a better position to appropriately respond to an event and, subsequently, improve its ability to receive cyber risk coverage from insurers. Vinny Sakore, CIPP/IT, of Immersion Ltd. says, "With data breaches, experience is critical," adding that it's important for consultants to improve client awareness of data breach issues. Rick Prendergast at Kroll Fraud Solutions says that breach costs have risen 22 percent since 2009, prompting more companies to take breaches more seriously and "to certify that breach training has taken place across the enterprise."

HEALTHCARE PRIVACY

Medical Identity Theft on the Rise (June 27, 2011)

Chronicling the story of a man whose roommate stole his medical identity, NPR's "Marketplace" explores the rise in medical identity theft and the effect it has on victims. A recent Ponemon Institute study found that victims of medical identity theft spend, on average, $20,000 in lost time, increased insurance premiums and legal fees, and the report points out that "Once another patient masquerades as you, your medical records are inaccurate, and that can jeopardize your future treatment." Electronic medical records should make tracking thieves easier, the report states, but Pam Dixon of the World Privacy Forum says hurdles remain.

PERSONAL PRIVACY

Companies Help Individuals Control Personal Data (June 27, 2011)

In light of the vast amount of information that is collected online, companies are emerging with an alternative business model that allows consumers to control their personal data, The Mercury News reports. Instead of cookies that track consumers online, some companies are attempting to create a new model where individuals could access and track their personal information and refute false personal information that might exist on the Web. Additionally, Google has launched "Me on the Web" to help individuals monitor their personal data. One startup's CEO says, "We felt like there was a huge opportunity to turn the consumer model upside-down--to help people manage, create and grant access to the best data about themselves."

PRIVACY LAW—U.S.

Experts React to Supreme Court Ruling (June 24, 2011)

In the wake of the U.S. Supreme Court's decision in Sorrell v. IMS Health, experts have been weighing in on the implications for privacy protection. In a 6-3 ruling, the nation's highest court struck down a Vermont statute that prohibited the use of physicians' prescription drug records for pharmaceutical marketing and data-mining purposes. This Daily Dashboard exclusive examines some of the immediate reactions to Thursday's ruling, which include different perspectives on the implications for privacy protection. One legislator suggests the decision is "a loss for those of us who care about privacy," while other experts suggest the case was not about privacy at all.

DATA LOSS—U.S.

Lawsuit Filed Alleging Lax Security (June 24, 2011)

A lawsuit was filed in a U.S. District Court earlier this week against Sony alleging the company knew it was at a high risk of being attacked by hackers because it had previously sustained smaller breaches, Reuters reports. According to the report, the lawsuit also alleges that Sony laid off network security employees two weeks before the highly publicized breaches compromised consumer data, and the company had set up security "to protect its own corporate information while failing to do the same for its customers' data."

DATA LOSS

External NATO Website Breached (June 24, 2011)

The North Atlantic Treaty Organization (NATO) has released a statement announcing that a NATO-related website, operated by a third party, has been compromised, TIME reports. In addition to blocking access to the site and providing customer notification, the statement noted that "NATO's e-Bookshop is a separate service for the public for the release of NATO information and does not contain any classified data." NATO also announced, according to the report, that it has created a "cyber defense action plan" that will deal with growing cybersecurity threats.

PRIVACY LAW—U.S.

Opinion: Why Privacy Legislation Is Hot (June 24, 2011)

In The Hill, Ohio State University law professor and Center for American Progress fellow Peter Swire, CIPP, discusses the hot topic of privacy legislation, saying that three "mega-trends" are driving the current action. As more Americans carry cell phones, the emergence of location data has created "great uncertainty" about who gets to access what information. Swire says social networking and online behavioral advertising are also push points, and he describes children's privacy as a potential "flashpoint for action." Swire says the "biggest legislative question might be whether to go with general privacy principles or sector-specific rules. For the first time in history, the administration itself has come out in favor of broad-based privacy legislation for the private sector."

ONLINE PRIVACY

Opinion: Biggest Problem is Policies (June 24, 2011)

In an op-ed for ITWorld, Dan Tynan writes that while online privacy is based on a clear concept--people should have control over their personal information--the average privacy policy is not. "If you want people to understand privacy--and maybe not be either so blasé or so paranoid about how their data is being used--we need privacy policies that human beings can understand," he writes. Using real-life examples of how confusing policies can be, Tynan outlines his suggestion for a pop-up box with four bullet points outlining simple facts about websites' collection and use practices and ways to opt out.

Reactions Vary on the Supreme Court’s Sorrell v. IMS Health Decision and What it Means for Privacy (June 24, 2011)

By Jennifer L. Saunders, CIPP

In the wake of the U.S. Supreme Court’s decision on Thursday in Sorrell v. IMS Health et al., experts are weighing in on the implications for privacy protection.

In a 6-3 decision, the nation’s highest court struck down Vermont’s state law, which had required physicians to give consent before information about their prescription drug records could be used by pharmaceutical or data-mining companies.

GovInfoSecurity reports on the majority opinion that the law violated First Amendment rights, citing Justice Anthony Kennedy’s writing that the law "prohibits pharmaceutical manufacturers from using the information for marketing (but) allows prescriber-identifying information to be purchased, acquired and used for other types of speech by other speakers…pharmacies may share prescriber-identifying information with anyone for any reason except for marketing…Given the information's widespread availability and many permissible uses, Vermont's asserted interest in physician confidentiality cannot justify the burdens that (imposed) on protected expression."

Shortly after the decision was announced on Thursday, Kirk Nahra, CIPP, a partner at Wiley Rein, told the Daily Dashboard, “From the privacy perspective, the court rejected the efforts of Vermont and others to turn this case into a privacy case, and focused instead on the impact of the law as a commercial speech issue.”

Asked for its reaction to the outcome of the case, the Center for Democracy and Technology issued a statement explaining that although the state of Vermont had argued its statute’s aim was protecting privacy, “the court concluded that it did little to protect privacy and was instead aimed at suppressing a particular type of speech—marketing messages—that the state did not like…The Supreme Court's decision explicitly states that a statute imposing a more comprehensive privacy regime ‘would present quite a different case than the one presented here.’ The court explained that had the state restricted all disclosure except in ‘a few narrow and well-justified circumstances,’ then the court would have viewed the challenged law through quite a different lens.”

Sen. Patrick Leahy (D-VT), who has been one of the driving forces behind privacy legislation efforts at the federal level, had a different reaction to the outcome of the case.

In a statement issued on Thursday, Leahy said the “Supreme Court has overturned a sensible Vermont law that sought to protect the privacy of the...

PRIVACY LAW—U.S.

Supreme Court Strikes Down Prescription Drug Law (June 23, 2011)

The U.S. Supreme Court struck down a Vermont state law today that had prohibited the use of patients' prescription drug records for marketing purposes. In what Reuters described as "a case pitting free-speech rights against medical privacy concerns," the court heard arguments in Sorrell v. IMS Health earlier this year, issuing its opinion this morning. The case was brought forward by pharmaceutical and data mining companies that contested a Vermont law prohibiting the sale of such information as records of which doctors prescribe specific drugs to their patients. "The high court handed a victory to data mining companies IMS Health, Verispan and Source Healthcare Analytics, a unit of Dutch publisher Wolters Kluwer, that collect and sell such information and that challenged the law," Reuters reported following the Supreme Court's decision this morning. In a joint media release officials from the companies hailed the decision. "Today's ruling is clear and unmistakable--these types of laws violate the Constitution and do nothing to improve healthcare, reduce costs or protect privacy as proponents had claimed," said Harvey Ashman of IMS Health. Prior to the 6-3 decision by the court, privacy experts weighed in with varying insights on the potential impact of the case, with some warning that for the court to rule as it did today could mean "significant implications" for patient privacy. "From the privacy perspective, the court rejected the efforts of Vermont and others to turn this case into a privacy case, and focused instead on the impact of the law as a commercial speech issue," Kirk Nahra, CIPP, of Wiley Rein told the Daily Dashboard. "There are many current means of regulating patient privacy directly, and it would not have been useful to the overall protection of patient privacy to address these issues in an essentially unrelated context, through the back door."
Editor's Note: The IAPP will host a Web Conference on healthcare privacy on July 14, with a focus on such issues as secondary uses of aggregate data for public and private research. Visit our website for more information as it becomes available.

ONLINE PRIVACY—EU

Commissioner: Industry Must Implement Do Not Track (June 23, 2011)

European Commissioner Neelie Kroes has challenged the advertising industry to agree to a do-not-track standard by June 2012, ZDNet reports. Speaking at a workshop in Brussels, Kroes said some Web browsers currently run do-not-track mechanisms, and some businesses say they honor them. "But this is not enough," she says. "Citizens need to be sure what exactly companies commit to if they say they honor do not track." According to the report, Kroes is working with the U.S. Federal Trade Commission to monitor the development of do-not-track technology. Kroes warned the industry that, "If I don't see a speedy and satisfactory development, I will not hesitate to employ all available means to ensure our citizens' right to privacy."
Full Story

PRIVACY LAW—U.S.

VT Supreme Court Hears E-Privacy Case (June 23, 2011)

Forbes reports on a case before Vermont's Supreme Court on how the Fourth Amendment right to protect citizens from unwarranted searches and seizures should apply to electronic devices such as computers, iPads and smartphones. The case stems from a search warrant obtained by Burlington police to search such devices as they investigated potential identity theft. State Attorney Andrew Strauss argued that the judge who granted the search warrant placed too many restrictions on it "by detailing how the search was to be conducted." An Electronic Frontier Foundation spokesperson said the judge acted reasonably to protect privacy. Heidi Salow, CIPP, of Greenberg Traurig, told the Daily Dashboard that "given the wealth of private information that people store on laptops, desktops, iPads, smartphones and other electronic devices these days, it makes sense for courts to limit the scope of and require particularity in search warrants so that the seizure of electronic devices is closely tied to a law enforcement investigation. On the other hand, criminals have gotten more savvy about hiding data on devices, which makes it harder for law enforcement to search electronic files." While the Electronic Communications Privacy Act (ECPA) was passed to supplement the Fourth Amendment, Salow added that "ECPA was passed well before Congress could have envisioned the amount of data available on electronic devices," and there have been many conflicting court interpretations of ECPA, demonstrating that "ECPA needs to be brought up-to-speed with the digital age, which will provide greater clarity for law enforcement and hopefully avoid lengthy litigation related to the need for warrants and how specific they must be."
Full Story

DATA LOSS

Study: Breaches More Frequent and Severe (June 23, 2011)

A Ponemon Institute study has found that 90 percent of businesses experienced a data breach in the past year, and attacks were more severe and difficult to prevent. Network World reports that mobile devices--employee laptops, smartphones and tablets--are responsible for most breaches, while business partnerships also elevate risk. Fifty-three percent of businesses reported a low level of confidence in their ability to avoid future attacks, which the authors attribute to "the fact that so many organizations are having multiple breaches." An MSNBC report outlines ways for individuals to protect themselves in light of the recent "seemingly endless string" of data breaches, and according to the report, most aren't made public. Meanwhile, CIO has posted an online quiz to test readers' knowledge of data breaches.
Full Story

ONLINE PRIVACY—U.S.

Breaches Build Federal Data Security Momentum (June 23, 2011)

Insurance Networking News reports that recent high-profile data breaches are building momentum for a national standard for breach notification. At Tuesday's Senate Banking Committee meeting, the report notes, financial services representatives spoke in support of an Obama Administration plan to "combine a patchwork of 47 state laws on the issue into a federal standard." Senate Banking Committee Chairman Tom Johnson said, "Breaches are disruptive and raise the potential for financial fraud, identity theft and, potentially, severe threats to our national economic security."
Full Story

PRIVACY LAW—U.S.

Doctor Indicted on Alleged HIPAA Violations (June 23, 2011)

In what it describes as "a rare prosecution" of a possible Health Insurance Portability and Accountability Act (HIPAA) violation, The Virginian-Pilot reports on a federal grand jury's indictment Tuesday of a psychiatrist for allegedly disclosing personal health information (PHI). According to the indictment, the doctor released a patient's PHI "on three different occasions to an 'agent' of the patient's employer without authorization." Criminal prosecution of alleged HIPAA violations is unusual, the report states, noting that of the 9,000 violations reported in 2010, the 30 percent warranting corrective action generally resulted in fines or changes in practices. The doctor, who is scheduled to be arraigned on July 13, could face up to five years in prison.
Full Story

CHILDREN’S PRIVACY—U.S.

Government Forum To Address Kids’ ID Theft (June 23, 2011)

CreditCards.com reports on government efforts to educate parents on preventing children's identity theft following a Carnegie Mellon report that found 10 percent of children's Social Security numbers being used by at least one other person. The Federal Trade Commission (FTC) and the Department of Justice will offer a free public forum on July 12 in Washington, DC, called "Stolen Futures: A Forum on Child Identity Theft," which will feature representatives from government agencies, businesses, victims' advocates, nonprofits and legal service providers, the report states. "Among the things we'll talk about at the forum is how this information is getting out and how better to protect it," said an FTC spokeswoman.
Full Story

PRIVACY LAW—U.S.

Court Rules Against OSHA Request for Records (June 23, 2011)

The Sacramento Bee reports on a California Superior Court's ruling that state workplace safety officials don't have the right to access certain medical records to track disease outbreaks because it violates healthcare privacy rights. The case follows California's Division of Occupational Safety and Health's (OSHA) subpoena for a performer's records from the Adult Industry Medical Healthcare Foundation Clinic, which was the subject of an unrelated breach investigation earlier this year. The actress sued OSHA to keep the records private, and the judge ruled that revealing such information, "even to a government agency charged with protecting worker safety, would constitute a serious invasion of privacy."
Full Story

ONLINE PRIVACY

Browser Updates Do-Not-Track Option (June 23, 2011)

Mozilla has made its new do-not-track option easier to find and set in its latest Web browser update, ZDNet reports. Firefox 5 is the first in the company's accelerated release cycle--a plan to release browser updates every three months. The latest update also includes a do-not-track mechanism for the Android version of the browser. Mozilla's do-not-track feature relays header information to advertising companies, which then have the option to honor the request to avoid data collection. Microsoft's Internet Explorer 9 also features a do-not-track mechanism, but unlike Firefox, the report states, it uses a "tracking protection list--essentially a block list to decide which third-party elements of a Web page to block or allow."
Full Story

ONLINE PRIVACY—CANADA

Commissioner: Dating Sites Must Improve Privacy (June 22, 2011)

Internet dating site eHarmony says it is in the process of providing users with options to permanently delete their online accounts after an investigation by Canada's Privacy Commissioner Jennifer Stoddart, the Toronto Star reports. The investigation followed a complaint from an eHarmony customer who said the dating site told her that her account and personal information could not be permanently deleted, despite her requests. Stoddart's investigation, included in her annual report tabled yesterday in parliament, also found that "a quick scan of other sites reveals that some do not even have the privacy policies. Some that have privacy policies do not specify how they handle personal information after a user is no longer active on the site." Canadian privacy attorney and IAPP Canada Managing Director Kris Klein, CIPP/C, told the Daily Dashboard that Stoddart's eHarmony investigation is interesting because "Facebook was in trouble for a very similar thing. It was very public, what Facebook had to do to change itself and comply, yet eHarmony didn't until now." Klein added he will be "curious to see how many more people have to get in trouble before companies just proactively do the right thing."

FINANCIAL PRIVACY—U.S.

Senator Calls for New Cybersecurity Laws (June 22, 2011)

At a Senate Banking Committee hearing on Tuesday, Sen. Robert Menendez (D-NJ) called for a national law requiring businesses to notify customers of a breach, PCWorld reports. "It seems to me there is a fiduciary responsibility by the (financial) entity to proactively tell their customer that has happened," he said. The hearing comes on the heels of a U.S. House breach notification proposal and one EU commissioner's call for financial breach notification in the EU. Mark Rotenberg, president of EPIC, said any federal law should not preempt stronger state laws.
Full Story

ONLINE PRIVACY—INDIA

Street View Vehicles Sidelined By Police (June 22, 2011)

Google is taking its camera-outfitted Street View vehicles off the streets in Bangalore after receiving a letter from city police. Financial Chronicle reports that a Google spokesman said the company is reviewing the letter and has "stopped our cars until we have a chance to answer any questions or concerns the police have." When Google launched Street View in Bangalore in late May with plans to expand to the rest of the country, its product head assured that "Street View is designed to comply with all local laws, including those related to security and privacy in India" and that the company would not be collecting data from wireless networks.
Full Story

PRIVACY LAW—MALAYSIA

Data Protection Office To Be Established (June 22, 2011)

The Malaysian Ministry of Information, Communication and Culture plans to establish a government department to help implement the country's new data protection law, reports Bernama. According to Deputy Minister Datuk Joseph Salang, the office should be up and running by next year. At a press conference, Salang underscored the urgent need for personal data protection laws, saying, "Prior to the implementation of this act, personal data is only bound by contractual agreement or common law." The Personal Data Protection Act was passed in 2010 and is expected to go into effect early next year.
Full Story

PRIVACY LAW—U.S.

FTC Settles Charges Against Ad Network (June 22, 2011)

The Federal Trade Commission (FTC) has finalized its order settling charges that online ad network Chitika tracked consumers online after they'd opted out. The FTC alleged that from at least May 2008 to February 2010, Chitika's cookies resumed tracking users 10 days after they'd opted out. Chitika said the opt-out was meant to last 10 years, but a glitch caused the error. The settlement bars Chitika from misleading consumers about the extent of its data collection and the control users have over the collection, use or sharing of their data. Additionally, every targeted ad must include a hyperlink allowing users to opt out for at least five years.
Full Story

ONLINE PRIVACY

Is Anonymity on the Web Impossible? (June 22, 2011)

In a feature for The New York Times, Brian Stelter suggests the Internet is becoming "the place where anonymity dies." Amidst calls for a "right to be forgotten" in Europe, Stelter suggests, "The collective intelligence of the Internet's two billion users, and the digital fingerprints that so many users leave on websites, combine to make it more and more likely that every embarrassing video, every intimate photo and every indelicate e-mail is attributed to its source, whether that source wants it to be or not." One expert suggests the Web "can't be made to forget," and "an inescapable public world" may be the result. (Registration may be required to access this story.)
Full Story

HEALTHCARE PRIVACY—U.S.

Hospital Fires Employees for HIPAA Violations (June 22, 2011)

The Des Moines Register reports that a medical assistant has been fired for violating patient privacy after she reported that her colleague was doing just that. The University of Iowa Hospitals and Clinics fired medical assistant Shawn Sterner after she reported to her employer that she had looked over the shoulder of a coworker who was examining patient files without authorization to do so. In reporting the incident, Sterner used the patient's name. The hospital claims Sterner violated the Health Insurance Portability and Accountability Act (HIPAA) when she glanced at the file and when she identified the patient's name to her employer. The hospital recently fired other employees for HIPAA violations.
Full Story

SURVEILLANCE—CANADA

OPC Bringing Airport Authority Case to Court (June 22, 2011)

Privacy Commissioner Jennifer Stoddart is calling for a court decision after a Greater Toronto Airports Authority (GTAA) employee used surveillance equipment to track her ex-husband through the airport, the Toronto Star reports. Stoddart detailed the unresolved complaint in her report to parliament, noting the GTAA did not respond to a request for information in the 30 days required and "held more personal information about the complainant than it had provided in its belated response to the complainant's access request." Stoddart is asking the court to find the GTAA "failed to meet its obligations under PIPEDA," require implementation of the commissioner's recommendations and award damages to the complainant.
Full Story

STUDENT PRIVACY—CHINA

Student Data Is For Sale Online (June 22, 2011)

Personally identifiable information about elementary and secondary students is for sale online, prompting some legal experts to claim that it is a breach of privacy, China Daily reports. One list cited in the article contains approximately 70,000 students who recently sat for a college entrance exam. The list included students' names, cell phone numbers and home addresses. According to the report, the buyers of the information tend to be educational companies or training institutions. One expert said, "Officials at the schools can make money from the sellers...They are the source of the information and the reason why sellers can easily get private information."
Full Story

CHILDREN’S PRIVACY—EU

Commission: Social Networks Should Better Protect Minors (June 21, 2011)

A European Commission (EC) study of 14 social networks includes in its findings that just two "have default settings to make minors' profiles accessible only to their approved list of contacts," The Wall Street Journal reports. The study comes as the EC continues exploring Internet regulation, the report notes. Commissioner Neelie Kroes reacted by saying she is "disappointed" in the results, urging social networks "to make a clear commitment to remedy this in a revised version of the self-regulatory framework we are currently discussing." A spokesman said the EC will be "sitting down with them over the coming months, and we want them to do more." (Registration may be required to access this story.)

PRIVACY LAW—CANADA

Annual Report Issued: Company’s Improvements Insufficient (June 21, 2011)

An audit by the privacy commissioner of Canada has found that Staples Business Depot stores failed to wipe clean the hard drives of devices intended for resale, despite commitments to address such problems. Included in a report to parliament on the Personal Information Protection and Electronic Documents Act (PIPEDA), which was tabled today and includes information on other ongoing investigations, Commissioner Jennifer Stoddart's audit found that the office supply store "did improve procedures and control mechanisms after our investigations," but they were "not consistently applied nor were they always effective, leaving customers' personal information at serious risk." The company had said it would take corrective action following two complaints to the commissioner. The audit found that of 149 data storage devices, one-third still contained customer data.
Full Story

DATA LOSS

Online Network Hacked, 1.3 Million Affected (June 21, 2011)

A recent rash of cyberattacks continues, this time affecting 1.3 million members of Sega's online video game network, Sega Pass. Reuters reports that names, birth dates, e-mail addresses and encrypted passwords of users were stolen from the database. Sega Europe discovered the breach on Thursday and notified network users and Sega Corp, which then shut down the site. A company spokeswoman apologized for the breach, saying that Sega is working on improving security measures. A hacker group responsible for attacks on other video game sites has offered to track down these hackers, according to the report.
Full Story

PRIVACY LAW—EU

Commission’s Lawyers: PNR Agreement Illegal (June 21, 2011)

The European Commission's legal counsel has warned that an agreement between the EU and U.S. to store airline passenger data for 15 years is unlawful, The Guardian reports. The passenger name record (PNR) deal is now being finalized and needs the approval of the European Parliament, but the legal counsel's May 16 document raises "grave doubts" that the agreement complies with data protection law. The legal opinion particularly lists the provisions requiring data storage for 15 years, the lack of independent oversight and proper legal recourse if data is misused. One parliamentarian said the legal advice is an indication that the commission should drop the PNR agreement and go "back to the drawing board."
Full Story

PRIVACY LAW—U.S.

Supreme Court To Review Privacy Case (June 21, 2011)

The U.S. Supreme Court has agreed to review a ruling that said an individual could sue a federal agency for emotional distress because of the release of personal information. The case, FAA vs. Cooper, 10-1024, involves a pilot who filed a lawsuit against federal agencies for disclosing his medical records during a fraud investigation, the San Francisco Chronicle reports. In February 2010, the Ninth Circuit Court of Appeals ruled in favor of the pilot, but the Obama Administration has argued that the 1974 Privacy Act does not allow damages for emotional distress. The plaintiff's lawyer said, "More often than not, embarrassment and humiliation are the only damages...Unless these are compensable, it's a free license to the government" to circumvent the law.
Full Story

PRIVACY LAW—AUSTRALIA

Committee: Small Business Should Not Be Exempt (June 21, 2011)

A parliamentary committee is calling on the government to scrap a provision exempting small businesses from Australia's Privacy Act. The Australian Parliamentary Cyber-Safety Committee tabled a report yesterday raising concerns that small businesses with annual revenues of $3 million or less were exempt from the Privacy Act 1988, iTnews reports. The committee recommends that the government drop the exemptions and undertake a review of businesses with "significant personal data holdings" since a "large proportion of the Australian private sector is not subject to any privacy laws." The Australian Law Reform Commission said in 2008 that the exemptions were "neither necessary nor justifiable."
Full Story

DATA PROTECTION—SPAIN

José Luis Rodríguez Álvarez Nominated Director of Spanish DPA (June 21, 2011)

The Spanish Council of Ministers approved on June 17 the nomination of José Luis Rodríguez Álvarez as director of the Spanish Data Protection Agency. The lawyer and professor of constitutional rights in the Faculty of Law of the Complutense University of Madrid had been named director of the Cabinet of the Spanish Ministry of Justice in February 2009, a role he has now given up to take the new post. Rodríguez Álvarez will replace outgoing director Artemi Rallo Lombarte. (Article in Spanish.)
Full Story

PRIVACY LAW—EU

Reding: Banks Will Be Required To Disclose Breaches (June 20, 2011)

EU Justice Commissioner Viviane Reding said today that banks will be among the companies required to disclose serious breaches of customer data, Bloomberg reports. "I understand that some in the banking sector are concerned that a mandatory notification requirement would be an additional administrative burden," Reding said during a speech in London, adding that such a requirement "is entirely proportionate and would enhance consumers' confidence in data security and oversight." Her words come on the heels of several high-profile breaches, including one recently disclosed by Sega Corp. "I can well understand if users lose trust in the Internet and in companies offering online services," Reding said.

DATA PROTECTION—HUNGARY

Leaders Discuss Accountability, Harmonization (June 20, 2011)

On day two of the International Data Protection Conference hosted by the Hungarian Presidency of the Council of the European Union, experts discussed globally compatible data protection standards and accountability. The Hunton & Williams Privacy and Information Security Law Blog reports that Professor Paul De Hert of the Vrije Universiteit Brussel reviewed the case I v. Finland, which is considered a "key document for the concept of accountability in European data protection law," the report states. Former Hungarian Data Protection Commissioner Attila Péterfalvi delivered the event's closing speech, during which he detailed legislation to amend the nation's data protection law to bring it into full compliance with the European Data Protection Directive. 
Full Story

GENETIC PRIVACY—ARGENTINA

Adoptees’ DNA Tests Move Forward (June 20, 2011)

A high-profile case involving two siblings of an Argentine media owner has taken another turn, with the siblings now agreeing to court-ordered DNA tests, the Associated Press reports. The tests were ordered "to determine whether they were among hundreds of infants stolen from political prisoners during Argentina's military dictatorship," the report states, referencing an effort by the human rights group Grandmothers of the Plaza de Mayo to find children abducted between 1976 and 1983. While Argentina's highest appellate court ruled the siblings must submit their DNA, comparisons have been limited only "to people known to have disappeared before the date" of their 1976 adoption.
Full Story

PRIVACY LAW—HONG KONG

Commissioner Admonishes Banks for Sharing (June 20, 2011)

Privacy Commissioner for Personal Data Allan Chiang is displeased with four banks that released customers' personal data to third parties, AFP reports. Citibank, ICBC, Fubon Bank and Wing Hang Bank released customer data, Chiang says, and several profited from doing so. The data was transferred without user consent, and the banks' disclosures on data practices are vague and printed in small font, the commissioner said. "I am disappointed that the banks are less than forthcoming in following good privacy practices," Chiang said, adding, "We trust that the practice of naming data users will invoke the sanction and discipline of public scrutiny" and "encourage compliant behavior."
Full Story

PERSONAL PRIVACY—INDIA

Gov’t Commission Will Meet to Discuss Initiatives (June 20, 2011)

India's Planning Commission has called a meeting to discuss the privacy concerns surrounding government initiatives such as Unique ID, NATGRID and DNA profiling, among others. The Times of India reports that while these initiatives are intended to strengthen national security and assist in delivering public services, the commission has acknowledged that they use IT platforms that bring risks and require built-in security measures. "Steps have to be taken to ensure that a full and better understanding of privacy concerns are factored into our policy and lawmaking process," said Minister for Planning Ashwini Kumar. The meeting will bring together experts, civil society representatives and government officials, the report states.
Full Story

DATA PROTECTION—NEW ZEALAND

Survey To Be Released Despite Complaints (June 20, 2011)

Despite criticism from Privacy Commissioner Marie Shroff, the New Zealand Post will ship out a public survey this week. The Lifestyle survey collects personal information, including income details, and shares it with marketing companies, TVNZ reports. Shroff had criticized the 2009 survey, calling it a "systematic, large-scale breach" of privacy and said that when personal details are collected "solely to on-sell to third parties, it is easy for there to be a blurring of legal and ethical duties." A New Zealand Post spokesman said the company is acting lawfully, and the survey is voluntary. Shroff will release a report on the survey this week.
Full Story

DATA PROTECTION—UK

Graham Closes News Publisher Investigation (June 20, 2011)

Information Commissioner Christopher Graham has ended an investigation into a newspaper publisher after being assured that a batch of e-mails was not sent to India, The Guardian reports. A News Group Newspapers senior executive had claimed archived e-mails involving a court case on telephone hacking were sent in a "botched transfer." Graham said the company has assured him the incident did not occur, though it has declined to answer investigative questions in detail because of a pending court case. Given that, and "a lack of firm evidence that the e-mails were actually lost or that any damage or distress has been caused...my investigation is closed," Graham said.
Full Story

ONLINE PRIVACY

Browser Unveils Reputation Monitoring Tool (June 20, 2011)

Social Barrel reports that Google has unveiled a new privacy tool aimed at helping users manage their identities online. "Me on the Web" is available on the Google Dashboard and alerts users if their name or e-mail address is mentioned anywhere on the Internet, suggests search terms that users may want to monitor and offers tips on how to remove unwanted content about themselves, the report states.
Full Story

PRIVACY LAW—U.S.

State Supreme Court Rules on Medical Privacy Suit (June 17, 2011)

The California Supreme Court has ruled in a case involving the state's Confidentiality of Medical Information Act. In a unanimous ruling on Thursday, the court determined that a Los Angeles lawyer can sue a debt collector for disclosing personal information to credit reporting agencies, The San Francisco Appeal reports. "Individuals, as patients, have a substantial interest in the privacy of their medical information," Justice Kathryn Werdegar wrote. The decision overturns a lower court's ruling that the Fair Credit Reporting Act preempts the state law.

DATA PROTECTION—HUNGARY

Leaders Discuss Data Protection Issues (June 17, 2011)

European leaders, lawmakers and groups have convened in Budapest for the two-day International Data Protection Conference hosted by the Hungarian Presidency of the Council of the European Union. The Hunton & Williams Privacy and Information Security Law Blog reports that day one featured discussions on the directive review, cloud computing and harmonization of laws, among other topics. The European Commission's Directorate-General Justice noted that the commission continues to revise the bloc's data protection framework, and the proposal will be published in November. A Spanish Ministry of Justice official noted that in the coming months, the European Commission will focus on negotiating a data-sharing agreement with the U.S. government.
Full Story

PERSONAL PRIVACY—U.S.

City Database Sparks Concern (June 17, 2011)

A database created to enable information sharing across city agencies has provoked privacy concerns, The New York Times reports. It contains information on four million residents, linking together "vast amounts of information gathered by city agencies that previously maintained their files separately," the report states. Some are expressing concern about the number of city workers who will have access to it and the potential for misuse. But Deputy Mayor for Health and Human Services Linda Gibbs says controls have been built in to address such concerns. "Not everybody is allowed to see the big picture," she said. "There are a number of doors that open and close." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Leahy Hoping for GOP Support on ECPA Reform (June 17, 2011)

During a speech at an event in Washington, DC, on Thursday, Sen. Patrick Leahy (D-VT) reaffirmed his commitment to updating the 1986 Electronic Communications Privacy Act (ECPA) to make it relevant in the digital age. In May, Leahy introduced an act to amend ECPA. After his speech, he told CNET News he hopes to gain Republican support for it. "Otherwise, we'll have a heck of a time passing it," Leahy said.
Full Story

DATA PROTECTION—U.S.

OPM Moves Forward on Data Warehouse (June 17, 2011)

Computerworld reports on the Office of Personnel Management's (OPM) plans to build a large, centralized database despite privacy concerns. The OPM released two formal notices on the Health Claims Data Warehouse in the Federal Register this week, and work will begin on July 15. The OPM had delayed plans for the database due to privacy groups' concerns about vulnerabilities. Revised plans for the database--which will store information including names, addresses, Social Security numbers and birth dates--include a downsized scope of the database and limits on how information from it can be used, with only de-identified data to be released beyond the OPM.
Full Story

DATA PROTECTION—U.S.

Shift Seen in Data Breach Response (June 17, 2011)

The Wall Street Journal reports on the shift companies are taking in response to data breaches. With the rise in such incidents, "experience shows that revealing an incident won't necessarily cause lasting damage to the brand," the report states. One attorney says that if a breach is handled well, "customer loyalty and your brand can actually improve." Meanwhile, lawmakers in the U.S. Senate and House of Representatives have introduced legislation that would require companies to notify customers within 48 hours of breach incidents. "If companies are going to collect and store consumers' personal information," says Sen. Mark Pryor (D-AR), "safeguarding that information should be priority number one." (Registration may be required to access this story.)
Full Story

SOCIAL NETWORKING—U.S.

AG Jepsen Calls for Meeting (June 17, 2011)

A state attorney general has requested a meeting with Facebook officials to discuss the company's newly implemented facial recognition feature, The Wall Street Journal reports. Connecticut AG George Jepsen said in a statement that the "lack of an opt-in process for Facebook users is troubling because unknowing consumers may have their photos tagged and matched using facial recognition software without their express consent, potentially exposing them to unwelcome attention and loss of privacy." Jepsen joins regulators from around the globe who are voicing their concerns about the new option. (Registration may be required to access this story.)
Full Story

DATA PROTECTION—EU

EDPS To Increase Inspections This Year (June 16, 2011)

European Data Protection Supervisor (EDPS) Peter Hustinx will carry out more on-the-spot inspections this year in cases where he believes an EU institution is failing to comply with EU law, European Voice reports. That's according to the EDPS annual report, released this week. In a press conference, Hustinx said that though his office prefers to "encourage compliance rather than warn or admonish controllers or make legally binding orders," it now believes "the time has come to take a more robust approach to enforcement, particularly in cases of serious, deliberate or repeated noncompliance with data protection principles." The report also says the office will focus on member states' and the European Commission's implementation of new legislation on border security checks and an EU-wide system on airline passenger data.

GEO PRIVACY—U.S.

Senators, Reps Introduce Geolocation Bills (June 16, 2011)

Describing Wednesday as "location privacy day on Capitol Hill," The Wall Street Journal reports on two federal geolocation privacy bills aimed at limiting government and industry use of such data. Following an announcement earlier this year about plans to introduce a geo privacy bill, Sen. Ron Wyden (D-OR) and Rep. Jason Chaffetz (R-UT) proposed legislation to require law enforcement agencies to obtain probable cause warrants to track location through mobile devices, with exceptions for emergency responders, parents of minor children and Patriot Act investigations. "GPS technology is unquestionably a great tool," Wyden said, but added, "all tools and tactics require rules, and right now, when it comes to geolocation information, the rules aren't clear." Meanwhile, Senators Al Franken (D-MN) and Richard Blumenthal (D-CT) have introduced a bill requiring companies to obtain express user consent before sharing information and to delete data upon request. "This legislation would give people the right to know what geolocation data is being collected about them and ensure they give their consent before it's shared with others," Franken said. Amid the announcement of the new bills, however, one technology editor predicts that while many view tracking as "creepy...Privacy is the Web's currency, and most folks will happily trade their locations for a 10-percent coupon." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—EU

Parliamentary Committee Adopts Draft Resolution (June 16, 2011)

The European Parliament Civil Liberties Committee has adopted a draft resolution intended to influence the revision of the EU Data Protection Directive. According to a press release, the resolution includes provisions to allow people to access and alter or delete their data online and recommends "severe and dissuasive sanctions" for misuse or abuse of consumer data. The committee is calling for a modern data protection law that will improve international data transfer processes and better protect children--especially on social networking sites. The committee has also put its support behind a requirement for organizations to appoint data protection officers.
Full Story

PRIVACY LAW—U.S.

Bill Would Require Breach Notifications (June 16, 2011)

FTC Commissioner Edith Ramirez said the agency supports legislation introduced by Rep. Mary Bono Mack (R-CA) that would require companies to notify law enforcement and the FTC within 48 hours when a data breach is discovered, The Washington Post reports. The bill, discussed at a House Commerce, Manufacturing and Trade Subcommittee hearing Wednesday, would require companies to delete information about users once that data is no longer necessary for business purposes, the report states. Ramirez said the law would give consumers recourse if their Social Security numbers were breached. (Registration may be required to access this story.)
Full Story

DATA PROTECTION

Council Releases PCI Standards Guiding Document (June 16, 2011)

The Payment Card Industry Security Standards Council has released a set of guidelines for companies to ensure compliance with industry standards, Computerworld reports. The 39-page document describes how each of the 12 PCI security requirements can be applied in a virtual environment, the report states, and offers recommendations on how to stay compliant in the cloud, delineating between entities' and cloud vendors' responsibilities. "Consequently, the burden for providing proof of PCI DSS compliance for a cloud-based service falls heavily on the cloud provider," the document states. The guidance is the "best document that the PCI Security Standards Council has written to date," an independent PCI consultant said.
Full Story

DATA LOSS—U.S.

Thousands Affected by Breaches (June 16, 2011)

The world's largest payroll processor announced yesterday that it has been attacked by cyber criminals, Reuters reports. Advanced Data Processing says the hack targeted one of its corporate clients and it is "taking measures to address the impact," including working with law enforcement. Meanwhile, Citigroup has announced that about 80 percent more of its customers than originally predicted have been affected by the data breach it reported last week. The financial institution is working with Connecticut's attorney general, other state regulators and federal authorities such as the FBI. A medical foundation in California has also announced a breach.
Full Story

IDENTITY THEFT—U.S.

Nurse Faces 90 Felony Charges (June 16, 2011)

Prosecutors in Adams County, CO, have filed 90 felony charges against a nurse who worked in at least five Denver-area hospitals, 9NEWS reports. The charges include attempted theft, identity theft and theft of medical records. The defendant is alleged to have illegally accessed Social Security numbers and "other sensitive information" from hospital patients to open credit card accounts. It is still unclear how many patients were affected by his actions, the report states.
Full Story

GEO PRIVACY

Nissan Looking Into Data Sharing Claims (June 15, 2011)

Nissan is looking into a blogger's claims that the navigation systems in its Leaf vehicles send drivers' location data to third parties, The Wall Street Journal reports. A SeattleWireless.net blog post claims that the information is transmitted via Nissan's subscription-based Carwings system when a driver updates his RSS feeds. "There is no way to prevent this data from being sent, nor does Nissan or Carwings warn you that your location data can be flung off to random third parties," the blog states.

ONLINE PRIVACY—U.S.

Judge Approves Flash Cookie Settlement (June 15, 2011)

U.S. District Court Judge George H. Wu has approved a final class-action settlement requiring Quantcast and Clearspring to pay $2.4 million, paidContent.org reports. The settlement was first announced last December but received final approval on Monday. The case stems from the companies' use of Flash cookies to track users for targeted advertising. According to the article, the majority of the settlement will go to universities and research groups, but approximately $550,000 will go to the plaintiffs' attorneys for fees and expenses.
Full Story

SOCIAL NETWORKING

LinkedIn Privacy Changes Point To Social Ads (June 15, 2011)

MediaPost News reports on LinkedIn privacy policy updates as hinting at the introduction of "social ads" based on users' activities. LinkedIn "appears eager" to avoid privacy issues, the report states, and will allow users to opt out of social ads. "Most importantly, we do not provide your name or image back to any advertiser when that ad is served," one LinkedIn official noted, while another said, "This upcoming change to the privacy policy reflects the evolving ways in which our members are using the LinkedIn platform, and it allows us to explore this area should we choose."
Full Story

DATA PROTECTION—CANADA

Commissioner Calls for a Change in Thinking (June 15, 2011)

Ontario's privacy commissioner has released a white paper on how organizations can build privacy into legacy systems, reducing data loss risks, SC Magazine reports. Replacing systems that have already been built without privacy considerations is often not an option, Commissioner Ann Cavoukian said at a Toronto event this week. Instead, organizations should create technologies that incorporate privacy as a default by limiting the amount of personal information collected, reducing the amount of time that it's stored and encrypting retained data, among other initiatives. Cavoukian also shared concerns about WiFi systems' ability to report users' location data.
Full Story

PRIVACY LAW—PERU

Personal Data Protection Law Expected in July (June 15, 2011)

The Congress of the Republic of Peru has passed the Personal Data Protection Law (Ley de Protección de Datos Personales, Proyecto de Ley 4079/2009-PE), Hunton & Williams' Privacy and Information Security Law Blog reports, noting that if it is signed into law, Peru will have "EU-style omnibus privacy legislation." The law would include provisions establishing the National Personal Data Protection Authority within the Ministry of Justice, requiring consent for the processing of personal data, limiting communications monitoring and restricting cross-border data transfers. Peruvian President Alan García is expected to sign the law before his term ends on July 28, the report states.
Full Story

DATA LOSS—U.S.

Connecticut AG Wants Answers About Breach (June 15, 2011)

Connecticut Attorney General George Jepsen has written a letter to Citigroup's CEO and general counsel asking for more information about its recent data breach. Bloomberg reports that Jepsen wants details such as "the number and characteristics of impacted accounts, the cause of the breach, the steps taken to notify and protect the affected individuals" and what the company is doing to prevent future breaches. Jepsen gave a June 22 deadline for Citigroup to respond. A company spokesman has said, "None of the data breached was sufficient to perpetrate fraud" and outlined the steps it has taken.
Full Story

PRIVACY

“Cyberinsurance” in High Demand (June 15, 2011)

The "cyberinsurance" industry is experiencing an uptick in business, with recent high-profile breaches driving companies' desire to protect themselves from spending potentially millions of dollars on breach-related costs. Companies are upgrading IT and human resources practices and training employees in order to get coverage--in some cases worth hundreds of millions of dollars. "Consensus is building" on what policies cover, but standardization remains a hurdle, says one insurance expert who predicts, "One day the industry will actually be so robust that...we'll have the leverage to actually create standards." A Ponemon Institute study shows the average breach cost $7.2 million last year, "But with the scale and scope of hacking attacks growing daily, some companies cannot be cautious enough," the report states.
Full Story

PRIVACY LAW—U.S.

House Bill To Address Breach Notifications (June 14, 2011)

Rep. Mary Bono Mack (R-CA) has proposed draft legislation that would require businesses to provide baseline consumer data protection, The National Journal reports. The draft Secure and Fortify Electronic Data (SAFE Data) Act aims to "protect consumers by requiring reasonable security policies and procedures...and to provide for nationwide notice in the event of a security breach." Under the bill, organizations would be required to delete unnecessary consumer data and provide breach notification within 48 hours. Senate Majority Leader Harry Reid (D-NV) has also asked four Senate committees to draft a cybersecurity bill, and with the Obama Administration's recently released cybersecurity agenda, William Baker writes that a national law is looking more likely than ever.

PRIVACY LAW—U.S.

Court: Ohio Data Selling Practices Not In Violation (June 14, 2011)

A federal appeals court has overturned a lower court decision, dismissing a 2009 lawsuit against the state of Ohio that alleged privacy violations stemming from the state's practice of selling driver's license data. The Republic reports that while the lower court's ruling allowed officials to be sued for "disclosing personal information not permitted by the Driver's Privacy Protection Act," the appeals court found the "rights under the law weren't sufficiently clear." Three Cincinnati residents filed the lawsuit, and their lawyer has said they haven't decided if they will appeal to the U.S. Supreme Court.
Full Story

DATA THEFT—UK

Opinion: Landmark Ruling in Data Theft Case (June 14, 2011)

In a column for ComputerWeekly, Warwick Ashford writes that the recent decision by the Chester Crown Court to fine two former T-Mobile employees is a landmark ruling. Stewart Room, partner at Field Fisher Waterhouse, says that it is a record fine for data protection violations and shows that the criminal courts are starting to see the seriousness of data protection. "If we view this fine in the context of the monetary penalty of £120,000 imposed on Surrey County Council," Room said, "then we can see that the law is now getting tough on privacy abuses."
Full Story

DATA LOSS—U.S.

State Employee Data Breached (June 14, 2011)

The personal information of approximately 4,900 Texas state employees may have been released to the public, kcentv.com reports. The Texas Department of Assistive and Rehabilitative Services announced the data breach in a press release. The agency said, "The HHSC Office of Inspector General is now investigating the incident, which also has been reported to law enforcement." This is the second data breach affecting Texas state employees this year.
Full Story

PRIVACY

Experts Discuss the State of Privacy (June 14, 2011)

In his blog, "my heart's in accra," Harvard's Ethan Zuckerman writes about the Hyper-public conference in Cambridge, MA, last week, where privacy experts discussed the state of privacy worldwide. Berkman Center Director Urs Gasser described a Swiss court's privacy ruling putting restrictions on Google's Street View mapping feature in public spaces and forbidding it in private spheres, indicating the "complexity of delineating between public and private" and pointing to the need for a "nuanced definition of privacy." John Palfrey of Harvard Law School suggested young people have not given up on privacy but don't yet know how to "navigate these new spaces," while conference organizer Judith Donath discussed societies' evolving norms around privacy.
Full Story

DATA THEFT—UK

ICO Fines Former Telecom Employees (June 13, 2011)

Two former employees of T-Mobile have been fined by the Information Commissioner's Office (ICO) for stealing and selling customer data, V3.co.uk reports. The fines totaled £73,000, and for the first time, the ICO will receive part of the settlement to train investigation staff. Information Commissioner Christopher Graham hopes the case will show that his office is being tough on data theft. "Those who have access to thousands of customer details," he added, "may think that attempts to use it for personal gain will go undetected. But this case shows there is always an audit trail, and my office will do everything in its power to uncover it."

ONLINE PRIVACY—U.S.

Opinion: Technology Is the Answer (June 13, 2011)

Government and tech companies alike have recently launched campaigns to address online privacy; Mozilla, Google and Microsoft have each built do-not-track tools into their browsers, and at least five bills have been proposed to combat online privacy concerns. Neither public nor private solutions have overwhelming support, reports Fast Company. Some are concerned that private corporations won't go far enough, and others say that without the necessary technology, any regulation will fall flat. Mozilla Foundation Chairwoman Mitchell Baker says, "We need technology to solve this issue--I'm 100 percent sure of that," adding that the "government can't keep up" with the fast pace of change on the Internet.
Full Story

PERSONAL PRIVACY—AUSTRALIA

Taxpayer Data Being Sold Without Notice (June 13, 2011)

Adelaide Now reports that taxpayer assessment records--including the name, address and property value of individuals--can be purchased from town councils by businesses and other entities without individuals' consent. Several real estate companies are using the purchased information to build databases in order to personalize marketing campaigns, the report states. Currently, no laws prevent the sale of such information for profit. An investigation by the paper revealed that taxpayer data can be accessed through council computers without charge or registration and, though individuals can opt out, most are not aware of the process.
Full Story

SOCIAL NETWORKING

Facial Recognition Concerns Persist (June 13, 2011)

Financial Times reports that privacy groups have filed a complaint over Facebook's facial recognition technology with the U.S. Federal Trade Commission. Meanwhile, questions persist across the globe about the automatically enabled feature, which allows users to more easily identify and "tag" people they know in photos on the site. Among those raising concerns is the New Zealand Privacy Commission, which suggests the feature may breach users' privacy. The U.S. complaint, meanwhile, seeks the suspension of the feature "pending a full investigation, the establishment of stronger privacy standards and a requirement that automated identification, based on user photos, require opt-in consent." (Registration may be required to access this story.)
Full Story

SURVEILLANCE—UK

Civil Liberties Groups Petition ICO (June 13, 2011)

Three civil liberties groups have sent a complaint to the Information Commissioner's Office (ICO) about plans to install surveillance cameras around the town of Royston in Hertfordshire. In a written complaint to the ICO, the groups claim that automatic number plate recognition (ANPR) cameras are "unlawful" because their use "has not been as the result of any parliamentary debate, Act of Parliament or even a Statutory Instrument," The Guardian reports. They also argue that data collected from the cameras is retained too long. The police defended the cameras, saying they are used "to target criminals and unsafe drivers, not law-abiding motorists." A spokeswoman from the ICO said, "We have received the letter and are looking into it."
Full Story

PRIVACY LAW—U.S.

Class-Action Status Sought for TCPA Violations (June 10, 2011)

Lawsuits have been filed in a California federal court that claim Twitter and American Express Centurion Bank violated the Telephone Consumer Protection Act when they sent opt-out confirmation texts to the plaintiffs, Hunton & Williams' Privacy and Information Security Law Blog reports. In each case, the defendants sent the plaintiffs a single text to confirm the requested opt-out. Both lawsuits are seeking class-action status and highlight "a potential vulnerability in the mobile marketing programs of companies that have not fully considered how telemarketing law should inform their implementation of the Mobile Marketing Association's U.S. Consumer Best Practices," the report states.

FINANCIAL PRIVACY—U.S.

Recent Breach Puts Spotlight on Security (June 10, 2011)

Regulators are pressuring banks to improve data security measures, and some experts are forecasting a "systemic overhaul" of the industry's practices after a recent breach exposed data on as many as 200,000 credit cardholders. The breach is drawing attention to ongoing vulnerabilities in bank security, and The New York Times reports that the prevalence of outsourcing and the "patchwork of data protection law and regulatory agencies" make matters worse. An Identity Theft Resource Center report states that in the past six years, 288 breaches at financial institutions have exposed 83 million customer records. (Registration may be required to access this story.)
Full Story

DATA PROTECTION—HUNGARY

Ombudsman Voices Concern Over Citizen Survey (June 10, 2011)

Hungarian Data Protection Ombudsman Andras Jori says government questionnaires sent to more than six million Hungarian citizens are not anonymous, and he's asking for personal information to be deleted from the database, reports The Budapest Times. Jori last month launched an investigation into bar codes on the questionnaires that he suspected could reveal subjects' identities. The questionnaires ask about pensions, welfare and education, and, according to Jori, the responses--and whether a citizen participates--could be interpreted as "giving a political opinion." A spokesman for the prime minister said Jori's office was consulted prior to sending the questionnaires and raised no personal data protection concerns. Jori has disputed that assertion.
Full Story

PRIVACY LAW—U.S.

Maine Law Allows Opt Out of EMRs (June 10, 2011)

Forbes reports on a new law in Maine that will give two-thirds of its citizens the choice to opt out of the state's electronic medical records program. The HealthInfoNet database contains citizens' full medical records in order to enable medical providers to share data. The bill strikes a compromise between those concerned about patients being enrolled in the database without their knowledge and those who seek to expand its scope. In April, groups debated a bill to make the system opt-in; supporters said it would give patients more control over data, but opponents were concerned about getting enough patients to opt in to make the system effective.
Full Story

SOCIAL NETWORKING

Regulators: Facial Recognition Concerns Abound (June 10, 2011)

Privacy concerns continue to surface in the wake of the announcement of Facebook's new facial recognition feature, with regulators being called upon to investigate. The Electronic Privacy Information Center (EPIC) is organizing an effort in the U.S. to file a complaint with the Federal Trade Commission, Financial Times reports, while in Europe, the Article 29 Working Party, Irish DPA, UK Information Commissioner's Office and German DPA are among those raising concerns. "Again Facebook has changed its Privacy Declaration without the users' consent," said German Data Protection Commissioner Peter Schaar, adding, "I do not think that Facebook's action conforms to European and German data protection law."
Full Story

DATA LOSS—UK

ICO Levies £120,000 Fine (June 9, 2011)

The Information Commissioner's Office (ICO) has fined Surrey County Council £120,000 for lax data protection practices, 24dash.com reports. The council breached the Data Protection Act in May 2010 when it e-mailed a file containing sensitive personal data to the wrong recipients, the report states. Two separate incidents involving misdirected e-mails occurred in June 2010 and January 2011. "This significant penalty fully reflects the seriousness of the case," said Information Commissioner Christopher Graham in a press release. "Surrey County Council has paid the price for their failings, and this case should act as a warning to others that lax data protection practices will not be tolerated."

BEHAVIORAL TARGETING

IPv6 Rollout Could Necessitate Privacy Rethink (June 9, 2011)

Yesterday, hundreds of companies began testing the next-generation Internet address protocol--IPv6. The new standard will replace IPv4, which is running out of unique IP addresses for the world's many devices, Computerworld reports. IPv6 will "have the ability to profile Internet behavior to more accurately target online ads," writes Laurie Sullivan for MediaPost. And although it is too soon to tell, "IPv6 could likely require companies to go back to the drawing board and renegotiate privacy laws with the SEC because of the ability to identify more granular data collected through ad targeting," she adds.
Full Story

DATA LOSS—U.S.

SEC: Companies Should Disclose Cyber Attacks (June 9, 2011)

In a letter to Senate Commerce Committee Chairman Jay Rockefeller (D-WV), the U.S. Securities and Exchange Commission (SEC) said that publicly traded companies should notify investors about cyber attacks that present a "specific and material risk," Bloomberg reports. SEC Chairman Mary Schapiro told the senator that federal securities law requires that investors be notified of risks that could impact investment decisions, the report states. "I have asked the commission staff to provide me with a briefing on current disclosure practices," Schapiro wrote. Meanwhile, Sen. Richard Blumenthal (D-CT) has asked Sony to explain its latest breach incident. The AFP has reported that Sony shares have fallen as a result of recent cyber attacks affecting customer data.
Full Story

DATA LOSS

Citigroup Announces Hack (June 9, 2011)

Citigroup has announced that about one percent of its North American credit card customer data was exposed when hackers breached its security, reports The New York Times. The names, account numbers, addresses and e-mail addresses of hundreds of thousands of customers were exposed. Citigroup says it is contacting all affected customers, and it "has implemented enhanced procedures to prevent a recurrence of this type of event." This breach is the latest in a series of large-scale cyber attacks--including those at Sony, RSA and Fox--and, according to the report, it presents the greatest threat to consumers. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

Investigation Finds Apps Put Data at Risk (June 9, 2011)

A computer security firm has found that some popular mobile applications store users' personal data in plain text on their mobile devices, reports The Wall Street Journal. The viaForensics investigation found information such as unencrypted user names, passwords and transaction amounts on smartphones, which goes against industry best practices. "Data should not be stored on a phone," said Andrew Hoog, chief investigative officer of viaForensics. Hoog also said that while app developers are becoming more aware of data security issues, the fact that vulnerabilities still exist indicates security is not a top priority. One app maker's spokeswoman said that it's necessary for some information to be stored on phones, and the practice is allowed by the PCI Security Standards Council. (Registration may be required to access this story.)
Full Story

SOCIAL NETWORKING

Facial Recognition Plan Spurs More Concerns (June 9, 2011)

Privacy concerns abound after announcements about Facebook's new facial recognition feature allowing users to more easily identify and "tag" people in photos. Reports indicate that both the EU Article 29 Working Party and Ireland's Data Protection Authority plan to study the new feature, which is activated by default and requires users to opt out if they don't want to be tagged. The UK Information Commissioner's Office is speaking to Facebook about the new technology, while probes about online tagging are already underway in Switzerland and Germany. In the U.S., Tech Daily Dose reports, Bipartisan Congressional Privacy Caucus Co-Chairman Ed Markey said, "Requiring users to disable this feature after they've already been included by Facebook is no substitute for an opt-in process."
Full Story

SOCIAL NETWORKING

Concerns Raised Over Facial Recognition Feature (June 8, 2011)

Facebook has activated its facial recognition software, Tag Suggestions, aimed at simplifying tagging friends in photos on the site, Bloomberg reports. Graham Cluley of security firm Sophos said, "The onus should not be on Facebook users having to opt out of the facial recognition feature but instead on users having to opt in." A representative of the EU's Article 29 Working Party has said this "should only happen based on people's prior consent...it can't be activated by default," and, the report states, EU data protection regulators plan to examine the feature.

PRIVACY LAW—U.S.

Leahy Presents Consumer Protection Bill (June 8, 2011)

Sen. Patrick Leahy (D-VT) has introduced the Personal Data Privacy and Security Act, which would set a national standard for breach notification requirements and provide criminal penalties for offenders, reports Bloomberg. Leahy points to recent large-scale breaches as evidence that "developing a comprehensive national strategy to protect data privacy and security is one of the most challenging and important issues facing our country." This marks the fourth time Leahy has presented the bill to Congress; each time it has passed the Senate Judiciary Committee but has not come up for a vote in the Senate.
Full Story

DATA LOSS

Opinion: Management Lessons from Breaches (June 8, 2011)

The Financial Times reports on lessons that should be gleaned from data breaches that have affected several large companies. Saying that recent high-profile data breaches were "more a failure in management than a failure in security," the column notes that chief executives should place data governance on par with processes such as financial reporting and brand management. A major breach of privacy can have an effect on a company similar to a product recall or defect. "Managing consumers' data and privacy is an executive matter of the highest priority," the column states, adding that security efforts like encryption and firewalls are "only part of the challenge." (Registration may be required to access this story.)
Full Story

DATA LOSS

Admission Comes Too Late, Some Say (June 8, 2011)

Industry experts say RSA Security's admission--after a hacking attack in March--that its SecurID tokens are vulnerable came too late, The New York Times reports. Computer security consultants "have been increasingly critical of how long it took the company to acknowledge the severity of the problem," the report states, raising the possibility that customers will seek other technologies for their computer networks. RSA had previously stated that replacement tokens were unnecessary but now offers replacements. "They got pushed really hard by some of their customers," said one chief technology officer, adding, "They came around, but they came around late." (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

Opinion: A Tale of Two Ideologies (June 8, 2011)

In a feature for The Atlantic Monthly, John Hendel explores the push-and-pull between calls for a "right to be forgotten" online and support for an open Internet in suggesting the world's "two biggest transnational institutions may soon fall into a complex, ideological struggle over people's rights to digital expression." One United Nations official suggests the removal of data, as sought in the right to be forgotten being advocated in the EU, would violate free expression. Hendel questions, "Could Europe's right to be forgotten evolve into a direct violation of the UN's newly entrenched principles and commitment to Internet liberty?" And his conclusion is, "Expect the battles to only be beginning."
Full Story

PRIVACY LAW—U.S.

Court: State Law Trumps HIPAA (June 8, 2011)

A Michigan court case ruling could restrict the information physicians can release during legal proceedings, American Medical News reports. The decision follows a 2009 lawsuit, in which Michigan doctor Isidore Steiner alleged former colleague Marc Bonanni stole patients after leaving the practice, violating an established agreement. Steiner asked for a list of patient names Bonanni had seen at his new practice, citing the Health Insurance Portability and Accountability Act (HIPAA). But the court ruled that Michigan law, which prevents such disclosures, trumps HIPAA. A Michigan-based attorney predicts that "When entities do not want to disclose information, they're going to use this case as their response."
Full Story

BEHAVIORAL TARGETING—U.S.

Growing Interest in Self-Regulatory Program (June 8, 2011)

The Digital Advertising Alliance (DAA), a coalition of advertising trade associations, says that more companies are adhering to its self-regulatory program for behavioral targeting, AdAge reports. Currently, there are 98 companies that have adopted the program and, according to DAA Managing Director Peter Kosmala, CIPP, the coalition is "seeing tremendous interest from advertisers, ad agencies and ad networks." The program includes an icon on participating websites, which notifies users that the ad was generated from behavioral targeting and allows them to opt out. The program's icons are also appearing in political and advocacy group advertisements, ClickZ reports. The FTC's David Vladeck says that his agency will be reviewing the self-regulatory program in the next few months.
Full Story

DATA PROTECTION

Study: Popular Sites Leaking User Data (June 8, 2011)

A new study concludes that many of the most popular online publishers are leaking reader data to outside parties. Conducted by researchers from AT&T and Worcester Polytechnic Institute, the study found that 56 percent of 120 sites studied leaked personally identifiable data, MediaPost News reports. Nine out of 10 sites in both health and travel were found to leak information, with health sites tracking what search terms people used. The report notes that, in some cases, it was possible to link a user's leaked e-mail address and search term to a cookie placed by an outside party, revealing, for example, "the e-mail address of a user interested in learning more about pancreatic cancer."
Full Story
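
The leak the study describes is mechanical: a first-party page URL that carries the reader's e-mail address or search term is copied into the Referer header (or a query parameter) of requests to third-party hosts, where it arrives alongside that host's own cookie. The following is an added illustrative example, not code from the AT&T/WPI study or from the article; it scans a hand-constructed request log for first-party PII reaching a third party and records the third-party cookie sent on the same request. The hostnames, cookie names and query keys it treats as search terms are invented for the demonstration.

```python
"""
Detect first-party PII (an e-mail address, a search term) leaking to third
parties through request URLs and Referer headers, and tie each leak to the
third-party cookie sent on the same request.

Added illustrative example. Hostnames, cookie names and the request log
are constructed for the demo; SEARCH_KEYS is an assumed list of query
parameters that commonly carry a search term.
"""
import re
from urllib.parse import parse_qs, urlsplit

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
SEARCH_KEYS = {"q", "query", "s", "search", "term"}  # assumption for the demo

# Constructed requests a browser might issue while a logged-in reader searches
# a health site. Everything here is made up for the illustration.
REQUESTS = [
    # First-party page: e-mail and search term legitimately in the URL.
    {"url": "https://health.example/search?q=pancreatic+cancer&user=alice%40example.org",
     "referer": "",
     "cookies": {"sess": "first-party-session"}},
    # Third-party beacon: the full page URL is copied into the Referer header
    # and into a 'ref' parameter, and the tracker's own cookie rides along.
    {"url": "https://tracker.example/beacon?ref=https%3A%2F%2Fhealth.example%2Fsearch"
            "%3Fq%3Dpancreatic%2Bcancer%26user%3Dalice%2540example.org",
     "referer": "https://health.example/search?q=pancreatic+cancer&user=alice%40example.org",
     "cookies": {"uid": "3rdparty-cookie-8f2a"}},
    # Third-party image with a referrer trimmed to the origin: nothing leaks.
    {"url": "https://cdn.example/logo.png",
     "referer": "https://health.example/",
     "cookies": {}},
]


def extract_pii(url, depth=0):
    """Return {(kind, value)} for e-mails and search terms found in a URL's
    query string, following URL-valued parameters (nested URLs) a few levels."""
    found = set()
    if not url or depth > 3:
        return found
    for key, values in parse_qs(urlsplit(url).query).items():
        for value in values:  # parse_qs has already percent-decoded the value
            if key in SEARCH_KEYS:
                found.add(("search_term", value))
            if EMAIL_RE.fullmatch(value):
                found.add(("email", value))
            if value.startswith(("http://", "https://")):
                found |= extract_pii(value, depth + 1)
    return found


def find_leaks(requests, first_party):
    """Report every request to a host outside first_party whose URL or Referer
    carries first-party PII, together with the cookies sent to that host."""
    leaks = []
    for req in requests:
        host = urlsplit(req["url"]).hostname or ""
        if host == first_party or host.endswith("." + first_party):
            continue  # traffic to the publisher itself is not a leak
        pii = extract_pii(req["url"]) | extract_pii(req["referer"])
        if pii:
            leaks.append({"third_party": host,
                          "pii": sorted(pii),
                          "cookie": dict(req["cookies"])})
    return leaks


if __name__ == "__main__":
    for leak in find_leaks(REQUESTS, "health.example"):
        print(leak["third_party"], leak["pii"], leak["cookie"])
```

Run against the constructed log, the tracker request is flagged with both the e-mail address and the search term, and the cookie it carries (`uid`) is exactly the identifier a third party would use to join that PII to its profile of the user. The same check run over a real proxy capture of a publisher's pages is a quick way to audit whether a site's URLs are putting PII within reach of its embedded partners.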

DATA PROTECTION—CANADA

Commissioner Gives Google Good Grades (June 7, 2011)
Canadian Privacy Commissioner Jennifer Stoddart has announced that Google has taken satisfactory steps towards protecting personal data, ITWorld reports. Google has agreed to implement five recommendations from the commissioner, including increased privacy and security training for all of its employees and the creation of a "governance model" that reviews the privacy protections within its products prior to launch. The company has also agreed to undergo an independent, third-party audit of its privacy programs within the next year and disclose the results to the commissioner's office. Stoddart added, "given the significance of the problems we found during our (Street View) investigation, we will continue to monitor how Google implements our recommendations."

PRIVACY LAW—U.S.

Lawsuit Alleges Smartphone Data Misuse (June 7, 2011)

A lawsuit filed in Florida alleges that Google's Android smartphones collect data about users and then transmit the information back to databases, The Post and Courier reports. The federal class-action lawsuit could include tens of millions of customers, the report says. The suit alleges that the transmitted data goes to Google, Internet radio provider Pandora and ad companies AdMob and Traffic Marketplace. The suit also claims that Pandora collects location and other data that is provided to third parties. Spokespeople for the involved parties said they do not comment on pending litigation, the report states.
Full Story

BIOMETRICS—ISRAEL

Government To Establish Biometric Database (June 7, 2011)

Despite concerns from privacy groups, the Knesset Science and Technology Committee has approved the ordinances necessary to establish a biometric identification database, reports the Jerusalem Post. The Knesset passed a law allowing for the database in 2009, and the Interior Ministry will begin a two-year pilot of the database in November, the report states. The project allows citizens to voluntarily choose biometric identification cards and passports that include a computer chip containing such information as photos, dates of birth and fingerprints. The Association for Civil Rights in Israel is among the groups opposing the policy due to privacy concerns.
Full Story

HEALTHCARE PRIVACY—U.S.

HHS Calls for More Protections, ONC Responds (June 7, 2011)

The Health and Human Services (HHS) Inspector General's Office recently released a white paper criticizing the Office of the National Coordinator for Health Information Technology (ONC) for not doing enough to protect healthcare information. ModernHealthcare reports that the inspector general called on the ONC to improve security measures for online health information with encryption and recommended it use its power to push data handlers to be more security-conscious. Joy Pritts, CPO of the ONC, says it is headed in that direction, adding that it has provided training tools and videos and is using the HHS's data breach list to help "identify the issues where we should devote our efforts to educating people."
Full Story

PRIVACY LAW—PHILIPPINES

Lack of Legislation Raises Concerns (June 7, 2011)

Manila Bulletin reports on the Joint Foreign Chambers and the business process outsourcing (BPO) industry's warning that a lack of data privacy legislation is a growing concern for prospective investors. The country's proposed Data Privacy Bill aims to benefit the growth of IT and BPO, while also protecting "citizens whose personal data are stored by government offices and commercial establishments," the report states. In a statement to the Senate Committee on Science and Technology, industry leaders warn that without a law in place, there is a "real danger of losing investors to countries with a more favorable legislative framework" for privacy protection.
Full Story

TRAVELERS’ PRIVACY—U.S.

Body Scanners Get Privacy Updates (June 7, 2011)

Transportation Security Administration head John Pistole has said the agency is on track to equip half of U.S. airport body scanners with privacy filters by the end of the year, SecurityInfoWatch reports. Meanwhile, in a Salon.com article, Daniel Solove argues that, too often, debates about security vs. privacy employ inaccuracies to tip the scales in security's favor. During times of crisis, Solove writes, the pendulum often swings towards greater security, with the promise that, when danger subsides, privacy provisions will again return. But, he writes, during "times of peace, the need to protect privacy is not as strong because we're less likely to make such needless sacrifices."
Full Story

GEO PRIVACY—U.S.

Court Case Raises Privacy Issues (June 7, 2011)

The Advertiser reports on a Delaware Supreme Court case that "could help define personal privacy and set limits on how far police can go when using electronic surveillance in Delaware and perhaps across the U.S." The case, Delaware v. Michael D. Holden, involves police use of GPS without a court-approved warrant to track a suspect for more than 20 days. A lower court judge initially threw out the evidence, ruling that the tracking was an illegal search. One attorney noted the case could raise the issue of the "reasonable expectation of privacy."
Full Story

DATA LOSS—U.S.

4,500 Records Stolen From Hospital (June 7, 2011)

An Alabama woman has been charged with a HIPAA violation after allegedly stealing the personal information of 4,500 Trinity Medical Center patients, reports GovInfoSecurity. The stolen documents span several years, and, according to a post on the Birmingham hospital's website, consist of surgery schedules that have all been recovered. While the hospital says it "has no reason to believe this information has been or will be used in a way that would cause harm," it has notified all affected patients and offered them a year of free credit monitoring services.
Full Story

ONLINE PRIVACY

Mobile Phone CEO Advocates Regulation (June 6, 2011)
The chief executive of a UK-based mobile phone company is among those calling for global Internet regulation, European Voice reports. Vodafone's Vittorio Colao has written in support of a call by French President Nicolas Sarkozy for more regulation, a perspective that contradicts some high-profile U.S.-based Internet companies that are advocating instead for self-regulation. "If electronic commerce is to flourish and more jobs are to be created, we all need to feel we can trust those we deal with and that the law will protect our trust," Colao wrote, adding, "We need to feel that our privacy will be safeguarded and that personal data will be secure."

PRIVACY LAW—CANADA

Commissioner Seeks Appeal to Court Decision (June 6, 2011)

Alberta Information and Privacy Commissioner Frank Work says an Alberta Court of Appeal decision sets a "dangerous precedent" that will compromise privacy rights, The Montreal Gazette reports. The case originated when furniture retailer Leon's required a customer to provide her driver's license number and license plate number in order to pick up an item she'd purchased and put on hold there. The woman reported the incident to Work's office, and an adjudicator ruled against Leon's, requiring it to cease the practice and destroy similar data it had already collected. The company appealed twice and won in a March decision. Work has requested an appeal to the Supreme Court.
Full Story

ONLINE PRIVACY—U.S.

Weitzner: “Greater Sense of Urgency” Needed (June 6, 2011)

The Obama Administration will continue to push for online privacy regulation while encouraging the industry to self-regulate, reports The Wall Street Journal. According to Daniel Weitzner, deputy chief technology officer in the White House Office of Science and Technology Policy, the administration thinks "there needs to be a greater sense of urgency" on privacy issues. Weitzner said that, this year, the administration plans to release a whitepaper with detailed proposals and convene industry representatives and privacy advocates to work towards stronger protections for personal information online. The administration proposed a "privacy bill of rights" this past March, and at least five bills presented to congress this year have targeted online privacy. (Registration may be required to access the story.)
Full Story

PRIVACY LAW—INDIA

Privacy Law May Become Fundamental Right (June 6, 2011)

The Times of India reports that the law ministry is working on a proposal to make the right to privacy a fundamental right under Indian law. The right would encompass confidentiality of communication; banking, financial, medical and legal information; protection from identity theft, and protection of use of "a person's photographs, fingerprints, DNA samples," among other data, the report states. India's law minister said it's difficult to fix a timeframe, but the law is "likely to be tabled in the monsoon session of parliament." If passed, the law will address concerns some have had about the accessibility and use of information available through the country's Universal ID project.
Full Story

DATA LOSS

Hacker Groups Breach Websites (June 6, 2011)

Nintendo announced that one of its affiliate servers in the U.S. was illegally accessed "a few weeks ago," The New York Times reports. The company said the server did not contain consumer information, and "the server issue was resolved some time ago." The hacker group LulzSec claimed responsibility for the incident and for a breach of an FBI partner organization called InfraGard, a group dedicated to sharing information about physical and cyber threats to U.S. infrastructure. Meanwhile, hackers breached a European server belonging to the computer manufacturer Acer last weekend. The incident may have compromised the data of approximately 40,000 customers. (Registration may be required to access this story.)
Full Story

DATA PROTECTION—U.S.

Report: University Lacked Strong Data Security (June 6, 2011)

An independent report prepared by a consulting firm concluded that the University of Hawaii did not invest "sufficient" funds for information security. As a result, the report stated, the university suffered from "numerous" data breaches in recent years. A second report issued last year by the Liberty Coalition estimated that "close to half a million personal records have been breached in the state of Hawaii, with more than half of those breaches occurring at the University of Hawaii." Additionally, a lawsuit has been filed against the university because of the breaches. A university spokesman said the lawsuit is "totally without merit," and the organization plans to file a motion to dismiss the suit, InfoSecurity reports.
Full Story

PRIVACY

Experts Discuss Best Privacy Practices (June 6, 2011)

In a Security Management report, John Wagley writes about the importance of taking "a business-oriented, risk-based approach to building privacy programs" as discussed by experts at this year's IAPP Global Privacy Summit. The report highlights one expert opinion that the most effective privacy executives "have offices that are located in or near an organization's c-suite." Among the privacy experts cited in the report is Microsoft's Peter Cullen, CIPP, who spoke on the importance of being aware of international regulations, as there is "an increasing chance a law could be passed somewhere in the world that may have an external impact upon our business."
Full Story

PRIVACY LAW—U.S.

Companies Testify Before Congress (June 3, 2011)

Representatives from Sony and Epsilon appeared before a House Energy and Commerce subcommittee on Thursday, saying they would support a national breach notification law, PCWorld reports. Rep. Mary Bono Mack (R-CA) said she will introduce legislation that will address data breach notification. "These recent data breaches only reinforce my long-held belief that much more needs to be done to protect sensitive consumer information," said Bono Mack. Sony witness Tim Schaaff said companies need support from the U.S. government to safeguard against cyber attacks. Schaaff added that network security is "a process that requires continual investment," and without government support, cyber attacks "will threaten the livelihood of the growing Internet economy." On the same day as the hearing, a hacker group announced that it had breached several Sony databases.
Full Story

PRIVACY LAW—COSTA RICA

Omnibus Bill Moves Forward (June 3, 2011)

The Supreme Court of Justice on April 27 endorsed the "Protection of the Person in the Processing of His Personal Data." The bill previously survived an initial vote in the unicameral legislative assembly and, if passed into law, would see Costa Rica adopt a legal regime similar to that of the EU data protection framework, reports Hunton & Williams' Privacy and Information Security Law Blog. The law would require express written consent for many data processing activities and create the Agency for the Protection of Citizens' Data under the Ministry of Justice. The bill has been returned to the legislative assembly.
Full Story

GENETIC PRIVACY—ARGENTINA

Court Demands DNA Samples (June 3, 2011)

An Argentine court has ruled that the adult children of adoptive parents must submit to DNA testing in order to determine whether they were born to military prisoners during the country's Dirty War from 1976 to 1983. BBC News reports that Marcela and Felipe Noble Herrera must submit blood or saliva samples. They will be compared to those of military prisoners from that period whose babies were kidnapped by the military junta. The Noble Herreras have objected to the testing, saying that it's a violation of their privacy. A 2009 bill passed by the Argentine congress allows for the forcible extraction of DNA in certain cases.
Full Story

PRIVACY LAW—U.S.

Funding of Online Privacy Enforcement Questioned (June 3, 2011)

POLITICO reports on the ongoing consideration by the U.S. Congress to expand the role of the Federal Trade Commission (FTC) when it comes to enforcing online privacy and the question of whether the funding will be in place to assist such efforts. "The FTC over the past few months has brokered landmark privacy settlements...even as the agency's privacy team and roughly $291 million budget for 2011 has remained relatively small," the report states, questioning whether plans to task the FTC with overseeing laws related to online advertising and children's privacy will "drown under the wave of fiscal austerity sweeping Capitol Hill this year."
Full Story

IDENTITY THEFT—U.S.

Taxpayer Identity Theft Is on the Rise (June 3, 2011)

A new Government Accountability Office (GAO) report indicates that taxpayer identity theft is increasing in spite of Internal Revenue Service (IRS) attempts to prevent it, Bloomberg reports. The number of reported IRS identity thefts rose from 51,702 in 2008 to almost 250,000 in 2010. The report noted that employment fraud is also difficult to spot. "By the time both the victim and the IRS determine that an identity theft incident occurred," the report states, "well over a year may have passed since the employment fraud." The GAO said the IRS is taking additional steps to address the issue.
Full Story

PRIVACY LAW—U.S.

CA Social Networking Bill Fails Again (June 3, 2011)

For the second time in two weeks, a California bill that would have required social networking sites to set privacy defaults to "private" and allow users to customize privacy settings upon registering was voted down. The Mercury News reports that the bill's author, Sen. Ellen Corbett (D-San Leandro), has vowed to keep working on the issue, saying people "who use social networking sites need their personal information better protected." Opponents to the bill--including social networking sites and Internet companies--said that the law would force consumers to make blanket privacy choices before using services, and it does not recognize the efforts the companies have already made to protect privacy online.
Full Story

DATA LOSS

Hackers Claim Responsibility for Breach (June 3, 2011)

The New York Times reports on a hacker group that has claimed it breached SonyPictures.com, accessing the personal information of approximately one million customers. The group, calling itself LulzSec, claimed the site's data was stored unencrypted and included e-mail addresses, birth dates, postal addresses and passwords. In a statement released on Thursday, the group said it had accessed several databases and used SQL injection to infiltrate SonyPictures.com. A Sony spokesman said the company is "looking into these claims." The news of the breach comes on the same day that Sony representatives appeared before a U.S. House of Representatives subcommittee hearing on data security. (Registration may be required to access this story.)
Full Story
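
The two claims in that statement, SQL injection and passwords held in the clear, are the textbook pairing: a query built by string concatenation lets attacker-supplied text become SQL, and if the table it reaches stores plaintext passwords, the same injection that bypasses a login can also read every credential out. The following is an added illustrative example and is not code from SonyPictures.com or from the article; it builds an in-memory SQLite database with invented accounts, shows the vulnerable login query beside a parameterised one, and stores the hardened table's passwords as salted PBKDF2 hashes so that even a successful data theft does not yield usable credentials.

```python
"""
SQL injection against a string-built login query, beside the parameterised
query that defeats it, with passwords stored as salted PBKDF2 hashes instead
of in the clear.

Added illustrative example. The schema, table names and the single account
are constructed for the demo; the database is in-memory SQLite.
"""
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000  # PBKDF2 work factor for the demo


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as 'salthex:digesthex'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + ":" + digest.hex()


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split(":")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_db():
    """Two constructed tables: a legacy one with plaintext passwords (what the
    injection reads out) and a hardened one holding only salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE legacy_users (email TEXT PRIMARY KEY, password TEXT)")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.execute("INSERT INTO legacy_users VALUES (?, ?)",
                 ("alice@example.org", "correct horse"))
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("alice@example.org", hash_password("correct horse")))
    conn.commit()
    return conn


def login_vulnerable(conn, email, password):
    """Vulnerable on purpose: user input is spliced into the SQL text, and the
    password comparison happens in the database against a plaintext column."""
    query = ("SELECT email FROM legacy_users WHERE email = '%s' AND password = '%s'"
             % (email, password))
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_hardened(conn, email, password):
    """Parameterised lookup (input can never change the query's structure),
    then a constant-time hash check in application code."""
    row = conn.execute("SELECT email, pw_hash FROM users WHERE email = ?",
                       (email,)).fetchone()
    if row is None or not verify_password(password, row[1]):
        return None
    return row[0]


if __name__ == "__main__":
    db = build_db()
    # Authentication bypass: the tail of the query becomes a comment.
    print(login_vulnerable(db, "' OR 1=1 --", "anything"))
    # Data theft: a UNION pulls the plaintext password column out.
    print(login_vulnerable(db, "' UNION SELECT password FROM legacy_users --", "x"))
    # Same payloads against the parameterised query are just unknown e-mails.
    print(login_hardened(db, "' OR 1=1 --", "anything"))
    print(login_hardened(db, "alice@example.org", "correct horse"))
```

Against the vulnerable function the first payload logs in as the first user in the table and the second returns that user's plaintext password; against the parameterised query both payloads are simply e-mail addresses that match no row. Note that parameterisation and hashing are independent fixes: the placeholder stops the injection, while the salted hash limits what an attacker learns if some other path into the database is found.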

PRIVACY LAW—U.S.

HHS Proposed Rule: Unreasonable or Overdue? (June 3, 2011)

Experts are reacting to the Health and Human Services' Office for Civil Rights proposal to allow healthcare consumers to request reports detailing who has accessed their health records. GovInfoSecurity reports that healthcare privacy expert Kirk Nahra, CIPP, says the rule is "fundamentally inconsistent with the normally very reasonable approach regulators have taken with most of these rules." He and others are recommending that providers write to regulators explaining the difficulty of complying, especially since many providers don't have the ability to aggregate data from their multiple information systems. But one security specialist says that if they don't, they should, adding, "The notice of proposed rulemaking assumes that...covered entities and certain business associates already have access or audit logs showing record-level access."
Full Story

PERSONAL PRIVACY—U.S.

Drivers Missing Database Opt-Out (June 3, 2011)

The box on Wisconsin Department of Motor Vehicles (DMV) forms asking whether drivers want to opt out of having their names and addresses on a list the Department of Transportation sells often goes unchecked, Channel3000 reports. A database containing drivers' names, addresses, dates of birth and gender, among other information, can be purchased for $250. Though federal laws regulate who can purchase the information and how it can be used, there is no state or federal agency overseeing compliance, the report states. A spokesman for Wisconsin's DMV said, "We don't take a position on anyone's use of the records we provide," adding that the Department of Justice enforces that.
Full Story

PRIVACY LAW—U.S.

Portion of Settlement To Establish Undergrad Privacy Program (June 2, 2011)
Fourteen privacy organizations and nonprofits will split $6 million of the $8.5 million settlement approved by a federal judge in the Google Buzz case, MediaPost News reports. Originally, 12 entities were to split the settlement, but U.S. District Court Judge James Ware has ruled that the Markkula Center for Applied Ethics at Santa Clara University (SCU) and the Electronic Privacy Information Center should each receive $500,000, the report states. SCU's Markkula Center says it will use the money to create an undergraduate curriculum on Internet privacy and a site that discusses users' online choices about privacy.

PRIVACY LAW—U.S.

HHS Proposes Changes to HIPAA (June 2, 2011)

The Health and Human Services' Office for Civil Rights (OCR) has proposed changes to HIPAA in accordance with the new HITECH provisions that would allow healthcare consumers to request reports detailing who has accessed their health records. The changes would split the privacy rule into two separate rights, reports InformationWeek, "an individual's right to an accounting of disclosures" and an "individual's right to an access report, which would include electronic access by both workforce members and persons outside the covered entity." Currently, covered entities are required to track access to records but not required to provide that information to users, the report states. The lead author of the proposed rule, Adam Greene, offers advice and analysis in a GovInfoSecurity podcast. The OCR will take comments on the proposal until July 31.
Full Story

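The practical obstacle raised in both of the items above (June 3 and June 2) is aggregation: the proposed access report has to list every electronic access to one patient's record, by workforce members and by outside parties alike, while each system keeps its own audit log in its own format and often keys patients by its own identifier. The following is an added illustrative example, not code from OCR, GovInfoSecurity or any vendor; it normalises two constructed audit logs (a CSV export from an invented EHR and JSON lines from an invented billing system) into one event stream, maps the billing account numbers to medical record numbers through an assumed crosswalk, and renders a per-patient access report. All field names, identifiers and log lines are made up for the demonstration.

```python
"""
Build a per-patient record-level access report from two differently
formatted audit logs.

Added illustrative example. EHR_LOG, BILLING_LOG and ACCOUNT_TO_MRN are
constructed for the demo; real systems will need their own parsers and
crosswalk.
"""
import csv
import io
import json
from datetime import datetime

# Constructed EHR audit export: one row per record access, keyed by MRN.
EHR_LOG = """timestamp,user,role,patient_mrn,action
2011-05-02T09:14:00,jdoe,nurse,MRN-1001,view
2011-05-02T09:20:00,rsmith,physician,MRN-1001,update
2011-05-03T11:02:00,jdoe,nurse,MRN-2002,view
"""

# Constructed billing-system log: JSON lines keyed by account number. A
# non-null "org" marks a user from outside the covered entity (e.g. a claims
# clearinghouse acting as a business associate).
BILLING_LOG = """\
{"ts": "2011-05-02T15:40:00", "account": "ACCT-77", "user": "acme-claims", "org": "Acme Claims LLC", "event": "export"}
{"ts": "2011-05-04T08:05:00", "account": "ACCT-88", "user": "bwong", "org": null, "event": "view"}
"""

# Assumed crosswalk between billing accounts and MRNs; producing this table is
# usually the hard part of aggregating across systems.
ACCOUNT_TO_MRN = {"ACCT-77": "MRN-1001", "ACCT-88": "MRN-2002"}


def parse_ehr(text):
    """Yield normalised events from the CSV export."""
    for row in csv.DictReader(io.StringIO(text)):
        yield {"when": datetime.fromisoformat(row["timestamp"]),
               "patient": row["patient_mrn"],
               "actor": row["user"],
               "actor_type": "workforce",
               "system": "ehr",
               "action": row["action"]}


def parse_billing(text):
    """Yield normalised events from the JSON-lines log, mapping account
    numbers to MRNs; unmapped accounts are kept visible rather than dropped."""
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        yield {"when": datetime.fromisoformat(e["ts"]),
               "patient": ACCOUNT_TO_MRN.get(e["account"], "UNMAPPED:" + e["account"]),
               "actor": e["user"],
               "actor_type": "external" if e["org"] else "workforce",
               "system": "billing",
               "action": e["event"]}


def access_report(patient, *sources):
    """Merge events from every source for one patient, oldest first."""
    events = [ev for src in sources for ev in src if ev["patient"] == patient]
    events.sort(key=lambda ev: ev["when"])
    return events


def render(events):
    """One line per access: time, system, workforce/external, actor, action."""
    return ["%s %-8s %-9s %-12s %s" % (ev["when"].isoformat(), ev["system"],
                                        ev["actor_type"], ev["actor"], ev["action"])
            for ev in events]


if __name__ == "__main__":
    report = access_report("MRN-1001", parse_ehr(EHR_LOG), parse_billing(BILLING_LOG))
    print("\n".join(render(report)))
```

For the constructed logs, MRN-1001's report shows two workforce accesses from the EHR followed by an external export from the billing vendor, which is the workforce-plus-outsider view the proposed access report calls for. The design choice worth noting is in `parse_billing`: an account with no crosswalk entry is reported under an "UNMAPPED" patient rather than silently discarded, so gaps in the identifier mapping surface as gaps in the report instead of as missing accesses.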
DATA PROTECTION—EU

Associations Call on EC To Recognize CILs (June 2, 2011)

Four data protection associations are appealing to the European Commission to recognize the role of the data protection officer when considering revisions to the EU Data Protection Directive. The groups (the French Association of Data Protection Correspondents, the Spanish Association of Privacy Professionals, the German Association for Data Protection and Data Security and the data protection association of the Netherlands) feel that the role of the data protection officer should be strengthened. In a recent press release, they say that data protection officers are "key players in protecting the privacy of consumers, employees and citizens," and their roles, missions and legal status should be defined and harmonized across Europe. (Article in French.)
Full Story

PRIVACY LAW—CANADA

Rosen Warns of Strict Anti-Spam Enforcement (June 2, 2011)

When Canada's anti-spam law comes into effect, Andrea Rosen of the Canadian Radio-television and Telecommunications Commission will be charged with enforcing it. Speaking at a conference on Wednesday, Rosen stressed that she has "the tools to find the spammers wherever they're hiding and the power to shut down their operations," reports ITWorld. Under Bill C-28, consumers have to give consent to receive unsolicited e-mails, and businesses could see fines of up to $10 million for serious infractions, while fines for individuals could reach $1 million. According to the report, Rosen hopes the law will come into effect this fall.
Full Story

PRIVACY LAW—U.S.

Committee Outlines Privacy Approach (June 2, 2011)

Pledging a "comprehensive review," the House Energy and Commerce Committee has released an agenda that outlines its approach to privacy issues for the current congressional session. The focus will be on data security, risks posed from security breaches and online data collection, the National Journal reports. "While data security and prevention of data theft will mark the first phase of the committee's action," said Rep. Fred Upton (R-MI), the committee "will also look later in the year at broader electronic privacy concerns." A commerce subcommittee hearing is scheduled today on the issue of data breaches, including testimony from representatives of Sony and Epsilon.
Full Story

PRIVACY LAW—U.S.

Breaches Spur Class-Action Suits (June 2, 2011)

Reuters reports on class-action lawsuits filed in federal court in the wake of recent high-profile data breaches. "At least 40 lawsuits have been filed in federal courts--including at least two this week--on behalf of millions of Sony PlayStation users," the report states, while noting that in breach cases, "it is both difficult to prove economic damage and to divvy up a settlement among classes that can number in the millions or even tens of millions." The report examines who benefits most from such lawsuits by reviewing what plaintiffs and attorneys received for compensation in six privacy class-action suits settled between 2007 and 2010.
Full Story

PRIVACY

Opinion: “Nothing To Hide” Argument Flawed (June 2, 2011)

The argument that "Only if you're doing something wrong should you worry, and then you don't deserve to keep it private," stems from faulty assumptions about privacy and its value, writes Daniel Solove in The Chronicle of Higher Education. Privacy can't be reduced to one simple idea, and people, courts and legislators often have trouble acknowledging certain privacy problems because they don't fit into a "one-size-fits-all conception of privacy," Solove writes. The "nothing to hide" argument assumes that privacy is about hiding bad things, without taking into consideration the freedoms privacy infringements erode, such as free speech and association. "In the end, the nothing to hide argument...has nothing to say," Solove says.
Full Story

DATA LOSS—U.S.

FBI, NSC Investigating E-mail Hack (June 2, 2011)

The Washington Post reports that China-based hackers have gained access to the Gmail accounts of U.S. government and military personnel. Google said yesterday that hundreds of accounts have been affected by the phishing attack, giving the hackers access to "vast quantities of e-mail content," the report states. The FBI and White House National Security Council are investigating. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—EU

EDPS Denounces Directive (June 1, 2011)
European Data Protection Supervisor Peter Hustinx said Tuesday that the 2006 directive on data retention does not adequately meet privacy and data protection requirements, Deutsche Welle reports. The directive has "failed to meet its main purpose," Hustinx said in his 16-page opinion, adding that the need for data retention "as provided for in the Data Retention Directive has not been sufficiently demonstrated." Hustinx is calling on the European Commission to consider repealing the directive for a more "targeted EU measure." Cecilia Malmström, commissioner for home affairs, recently said the five countries that have not yet implemented the directive would face legal action, though she noted the directive's "serious shortcomings."

PRIVACY LAW—U.S.

Buzz Settlement Approved; EPIC Gets Portion of Funds (June 1, 2011)

A U.S. District Court judge has approved a settlement reached in a class-action suit over Google's Buzz social networking feature, Reuters reports. The settlement will see more than $6 million in funds distributed to privacy advocacy groups and mandates that the company undergo independent privacy audits for the next two decades. In approving the settlement yesterday, Judge James Ware also awarded the Electronic Privacy Information Center (EPIC) $500,000 in settlement funds, saying that "EPIC has demonstrated that it is a well-established and respected organization within the field of Internet privacy."
Full Story

DATA LOSS—CANADA

Company Faces Lawsuit After Breach (June 1, 2011)

In response to a data breach affecting Honda Canada, a class-action lawsuit has been filed seeking $200 million in damages, reports threatpost. Filed in Ontario, Canada, the suit claims the company exercised "poor security" and failed to notify customers in a timely manner. Honda Canada has apologized for the breach and has defended its notification actions, claiming that it needed to investigate the breadth of the breach and determine what information was compromised. (Editor's note: The IAPP will host a Web conference on June 23 from 1 - 2:30 p.m. on privacy-related class-action lawsuits and a recent and potentially instructive Supreme Court decision in this area. Watch for more details soon.)
Full Story

PRIVACY LAW—INDIA

Tips for CIOs To Navigate New Rules (June 1, 2011)

India's new data protection law includes elements--such as a requirement to get written consent prior to collecting sensitive personal information--that are more restrictive than laws in the EU and U.S., according to a CIO article that explores the challenges of the new rules and gives tips for chief information officers on how to move forward if their companies do business in India. The report suggests letting service providers take the lead on finding compliant solutions, but adds "there are penalties (up to two years imprisonment or a fine, and directors are also liable), so organizations with a presence in India may want to be more proactive."
Full Story

DATA LOSS—U.S.

Second Lawsuit Filed in PIN Pad Skimming Scam (June 1, 2011)

On Friday, in a U.S. District Court in Illinois, a Michaels Stores customer filed a lawsuit alleging the company failed "to ensure the physical security of its checkout line terminals and test its payment processing equipment to protect customer data," reports the Chicago Tribune. The suit, which seeks class-action status, also claims that the company did not provide "timely and clear notification" to customers about the breach. The plaintiff reported to the police that two unauthorized transactions appeared on her bank account statement totaling more than $1,000. It is the second breach-related suit filed against Michaels. (Editor's note: The IAPP will host a Web conference on June 23 from 1 - 2:30 p.m. on privacy-related class-action lawsuits and a recent and potentially instructive Supreme Court decision in this area. Watch for more details soon.)
Full Story

PRIVACY LAW—UK & EU

Cookie Law Guidance Needed (June 1, 2011)

The EU cookie law came into force last Thursday, and The Guardian reports that while UK Information Commissioner Christopher Graham has given websites a year to comply with the law, many are wondering just how to do that. Guidance from the Information Commissioner's Office has been "disappointing," according to one law firm's blog. Graham has called the new rules "challenging," and has said that he will "take a commonsense approach" to enforcement, adding, "Browser settings giving individuals more control over cookies will be an important contributor to a solution, but the necessary changes to the technology aren't there yet." The report questions, "What is the advice in the meantime?"
Full Story

PRIVACY LAW—GERMANY

DPAs Release FAQs on Breach Requirements (June 1, 2011)

Two German data protection authorities (DPAs) have issued a paper that addresses the data breach notification requirements under Section 42a of the German Federal Data Protection Act. Hunton & Williams' Privacy and Information Security Law Blog reports that the paper includes frequently asked questions that address breach notification procedures that private organizations and some public entities must follow to achieve compliance. The paper contains "practical guidelines" to help organizations identify when notification is required and appropriately comply with notification obligations.
Full Story

ONLINE PRIVACY

Schmidt: Google Now More Cautious on Privacy (June 1, 2011)

Intensifying scrutiny by public- and private-sector watchdogs has Google taking a more guarded approach toward privacy, CNN reports. "We're so sensitive on the privacy issue now," Google Executive Chairman Eric Schmidt said yesterday at an event in California, where he also shed light on the company's privacy processes. "Historically, we would just throw stuff over the wall," he said. "We now have a very, very thorough process." Google lawyers and policy experts now collaborate with development teams during product creation. Schmidt's comments follow the recent announcement that the company is withholding its rollout of a facial-recognition app due to the potential privacy ramifications.
Full Story

PRIVACY LAW—U.S.

E-Mail Searching: Warrant or Not? (June 1, 2011)

Under the Fourth Amendment, your home, phone, body and letters are protected from unreasonable searches. However, writes Adam Cohen for TIME, e-mail does not yet fall into that same category. Sen. Patrick Leahy (D-VT) is trying to give e-mail similar protection. "E-mail is today's equivalent of what postal letters and telephone calls once were," says Cohen, but currently, searching e-mail that has been stored for more than 180 days, or e-mail you've already opened, does not require a warrant. Leahy's bill would "impose a single standard; the government must get a search warrant" to read your e-mail or when it wants to find your location using smartphone or tablet computer signals. But some say the bill could go even further.
Full Story