Privacy News | Daily Dashboard

Breaking news. In-depth articles. Global coverage.

Save time searching the headlines for privacy news in the media. Get the latest breaking privacy and data protection news from around the globe all in one place—The Daily Dashboard. Our FREE daily e-newsletter summarizes the day’s top privacy stories with links to the full articles—sent directly to your desktop each weekday!


Top Privacy News

PRIVACY LAW—UK

ICO: Jail Time Needed for Privacy Violations (July 29, 2011)
A recent phone hacking scandal has prompted Information Commissioner Christopher Graham to call on the British government to implement prison sentences for those who use stolen personal data, Bloomberg reports. The Information Commissioner's Office previously recommended two-year prison terms for such offenses after a 2006 investigation into the sale of stolen personal data to journalists, the report states, but the government did not implement the proposal after journalists claimed it would limit free speech. In calling for stronger laws, Graham noted, "Unless people realize they can go to prison, it seems like a victimless crime."

PRIVACY LAW—U.S.

Judiciary Committee Passes Data Retention Bill (July 29, 2011)

The House Judiciary Committee has passed HR 1981 after defeating an amendment that would have limited the proposed law's requirement that Internet service providers (ISPs) retain IP addresses for one year and make them available to law enforcement by administrative subpoena. If approved, the Protecting Children from Internet Pornographers Act would eliminate law enforcement's need for court orders to access such information, prompting arguments from some that the bill grants too much power to the Justice Department and would create a robust database that hackers could potentially access. The committee has adopted amendments requiring ISP compliance with the bill's privacy standards and encouraging breach notifications, Broadcasting & Cable reports.

DATA LOSS—SOUTH KOREA

Breach Affects 35 Million (July 29, 2011)

A hacking operation has compromised the personal information of approximately 35 million South Koreans who use the country's largest social networking site and a major search engine, CNET News reports. The company that runs the Cyworld social networking site and the Nate portal site confirmed that malicious code was used to expose names, phone numbers, e-mail addresses, resident registration numbers and passwords of users. SK Communications, the company that operates the sites, is creating a hotline to help affected individuals avoid phishing scams and spam. 

PRIVACY LAW—U.S.

Two Cybersecurity Bills Introduced in Senate (July 29, 2011)

TechJournal South reports that two bills focusing on data breach response have been introduced into the U.S. Senate. One bill, introduced by Sens. Thomas Carper (D-DE) and Roy Blunt (R-MO), would require financial institutions, retailers and federal agencies to protect personal information, investigate breaches and notify customers of a breach. "We need to replace the current patchwork of state and federal regulations for identity theft with a national law that provides uniform protections across the country," said Carper. Meanwhile, Sen. Diane Feinstein (D-CA) has introduced the Data Breach Notification Act of 2011, which would require organizations to notify customers when their personal information is breached. "It is past time," Feinstein said, "for congress to pass a national breach notification standard."     

PRIVACY LAW—U.S.

Intelligence Agency Considers Geo Surveillance (July 29, 2011)

The National Security Agency (NSA) is considering surveilling U.S. citizens by intercepting mobile device location data, InformationWeek Government reports. The agency is now determining whether it has the legal right to do so, according to NSA general counsel Matthew Olsen. U.S. law prevents intelligence agencies from spying on U.S. citizens within U.S. borders. But at a Senate Judiciary Committee's Subcommittee on Privacy, Technology and the Law hearing this week, Olsen said he believes there are "certain circumstances where that authority may exist." 

SOCIAL NETWORKING—U.S.

GAO Audits Gov’t Agencies’ Social Media Policies (July 29, 2011)

The Government Accountability Office (GAO) has audited the social media policies and procedures of 23 government agencies and issued a 90-page report disclosing the results. The GAO's information security director writes, "Without establishing guidance and assessing risks specific to social media, agencies cannot be assured that they are adequately meeting their responsibilities to manage and preserve federal records, protect the privacy of personal information and secure federal systems and information against threats." The audit found that 12 of the 23 agencies have social media policies and procedures in place; 12 have updated privacy policies, and seven have identified security risks, GovInfoSecurity reports.

ONLINE PRIVACY—CANADA

Privacy by Design: A Boon to Business (July 29, 2011)

Kashmir Hill interviews Ontario Information and Privacy Commissioner Ann Cavoukian for Forbes about the ways Privacy by Design is helping improve consumer trust. "One of the core principles," says Cavoukian, "is for companies to make users' data private by default." Privacy By Design means "simply that companies are starting to bake privacy into their products, relying less on privacy policies few bother to read," Hill writes. And the notion is starting to take off globally; U.S. lawmakers incorporated the term into a recently proposed bill, and Hill shows examples of companies' use of the principle. "Privacy has historically been viewed as an impediment to innovation and progress, but that's so yesterday and so ineffective as a business model," Cavoukian says.

PERSONAL PRIVACY

Technology Increasingly Diminishing Anonymization (July 29, 2011)

CNET News reports on one operating system's collection of millions of devices' location-based data, including laptops, cell phones and other WiFi devices. According to the report, Microsoft collects and publishes such locations--which can be as specific as a street address--to a database intended to help deliver location-based search results such as weather, movie times, maps and directions. Meanwhile, a Stanford researcher lists the ways identity can be linked to data that was initially collected anonymously, and an article in The Economist reports on soon-to-be unveiled research demonstrating the ease with which facial recognition technology can be used to identify "random passersby" and "personal details about them."

PRIVACY LAW—U.S.

Judiciary Debates ISP Data Retention Bill (July 28, 2011)
The House Judiciary Committee has been debating whether the government should require Internet service providers to retain customer IP addresses and associated data for at least a year to help law enforcement investigate and locate child pornographers, Broadcasting & Cable reports. Rep. Barney Frank (D-MA) said the bill, "Protecting Children From Pornographers Act of 2011," violates privacy rights and would not prevent crime. The bill has also drawn criticism from privacy advocates, but committee chairman and co-author of the bill Rep. Lamar Smith (R-TX) says it would exclude public and government WiFi networks such as those in libraries and coffee shops.

DATA RETENTION—EUROPE

Tragedies Cause Leaders To Revisit Internet Laws (July 28, 2011)

After the recent attacks in Norway, information was discovered online that, if found, might have helped to prevent the tragedies. Now, some European leaders are questioning whether stringent data retention laws and more online surveillance could prevent these types of attacks in the future, reports Deutsche Welle. In Germany, conservative leaders are reviving plans to bring back a data retention law requiring telecommunications and Internet companies to store online correspondence and location data for six months--which was recently declared unconstitutional. Meanwhile, Estonian leaders are looking to get faster access to IP addresses. Internet activists, however, have voiced concern that while attempting to fill a "reassurance vacuum," politicians and police will erode online freedoms. 

PRIVACY LAW—U.S.

Video Provider To Halt Social Network Launch (July 28, 2011)

Video rental provider Netflix announced this week that it will delay the launch of its Facebook integration in the U.S. due to legal issues. The Facebook feature would allow Netflix subscribers to share movie-viewing information with friends online, but the Video Privacy Protection Act (VPPA) is ambiguous as to "when and how a user can give permission for his or her video viewing data to be shared," Netflix wrote in a letter to its shareholders. A proposed amendment to the VPPA intends to clarify consent requirements for sharing, reports the Hunton & Williams Privacy and Information Security Law Blog. Netflix faces several lawsuits for past alleged VPPA violations, the report states.

DATA LOSS—CANADA

Up To 12,000 Cancer Screening Records Missing (July 28, 2011)

Ontario's privacy commissioner is investigating a breach in which up to 12,000 cancer screening tests have gone missing, the Toronto Sun reports. Commissioner Ann Cavoukian announced this week that Cancer Care Ontario alerted her office on June 27 of the missing screening tests. A search for the records--which include patient name, date of birth, age, gender, health card number and screening test results--has been ongoing since then. A spokeswoman for Cancer Care Ontario said the agency is taking the matter seriously and investigating. Premier Dalton McGuinty has said the incident underscores the need for electronic health records, adding that the government treats this as "a very serious issue."     

BIOMETRICS—UK

Minister: De-identified DNA Profiles Kept, Re-Identifiable (July 28, 2011)

Months after a bill was introduced to remove the DNA profiles of innocent people from police databases, Home Office Minister James Brokenshire says the profiles will be retained in an anonymized form, at which point they would be considered deleted. However, he added, the original barcode will remain, "theoretically" making the data re-identifiable. Brokenshire also said that the Information Commissioner's Office gave its approval to the plan to allow forensic labs to keep the anonymized profiles. However, a Home Office spokesman told The Guardian that its policy is unchanged, meaning "DNA records of the innocent will come off the database and physical samples will be deleted."

PERSONAL PRIVACY—U.S.

Opinion: Industry Tracking Regulations Needed (July 28, 2011)

In an Internet Revolution article outlining the methods companies use to track consumers, John Meyers says if people are honest with themselves, they'll realize privacy no longer exists. While the Internet has made life easier for people, it has also made it easier for companies to glean information on them--from music preferences to insurance claims. "Virtually every industry has an information clearinghouse accruing, storing and passing out data on you," and according to Meyers, unless lawmakers are forced "to create effective and useful regulations for these industries and practices, the abuse of our privacy will continue."  

PRIVACY LAW—U.S.

Suit Raises Breach Coverage Questions (July 27, 2011)
A Sony Corp. insurer's assertion that it is not responsible for defending the company from increasing legal claims from recent data breaches highlights the challenges companies can face after cybersecurity incidents, Computerworld reports. Zurich American Insurance filed a suit seeking that it not be required to cover claims asserted in at least 55 class-action lawsuits filed against Sony in the U.S. The insurance company claims it covers "bodily injury" and "property damages" but not damages from cyber incidents. One expert predicts that the court will uphold Zurich's claims, as general insurance typically does not cover cyber liability.

ONLINE PRIVACY—U.S.

Gov’t Eyes Regulation Unless Industry Takes Action (July 27, 2011)

The Washington Post reports on increasing government pressure for industry to agree on an online tracking opt-out mechanism or face regulation. The challenge will be in achieving industry consensus on what that mechanism will look like and designing technology that consumers understand and want to use, experts say, all while allowing the tracking that is critical for the Internet to function and remain cost-free. Currently, industry has reached little agreement, while some browsers have implemented their own versions of "do not track." Jules Polonetsky, CIPP, of the Future of Privacy Forum says websites and advertisers should agree on how to respond before their obligations are defined for them by browsers or government. (Registration may be required to access this story.) 

PRIVACY LAW—AUSTRALIA

Commissioner Makes Case for Enforcement Authority (July 27, 2011)

Australian Privacy Commissioner Timothy Pilgrim says the pending changes to the country's privacy legislation would help him hold organizations accountable to data theft victims. Speaking at a panel held by the IAPP ANZ, Pilgrim added, "I can use the powers available to me to require the organization to provide information about what it's done" to resolve a data breach, but "I can't force the company to do anything at the end of the day." Pilgrim also revealed that there has been a 27-percent increase in data breaches in the past year and warned that the number reflects "responsible companies" that voluntarily disclosed an incident, The Sydney Morning Herald reports. Pilgrim warns, "We simply don't know the extent of the data breaches that go on."     

HEALTHCARE PRIVACY—U.S.

HHS Proposes Changes to Research Rules (July 27, 2011)

The Department of Health and Human Services (HHS) has published a proposal recommending mandatory data security rules for studies involving personally identifiable data, reports the Hogan Lovells Chronicle of Data Protection. The proposal also states that de-identified data may have to meet HIPAA standards going forward and further recommends that standard be reviewed to ensure it is keeping pace with technology and the associated risks. These proposals would mean significant changes in protocol for many research entities, according to the report, and HHS plans to provide enforcement and regular audits to ensure compliance. The proposals were released as Advance Notice of Proposed Rulemaking and are open for comment. Editor's Note: For more related to HIPAA, register for the IAPP's next Web Conference, The Upcoming OCR HIPAA Audit Program: What To Expect and How To Prepare, which will be held this Thursday, July 28.  

PRIVACY LAW—U.S.

Tech Companies Differ on Cloud Regulation (July 27, 2011)

Two technology associations recently released recommendations with opposing advice for lawmakers on how best to promote the use of cloud computing. The Hill reports that TechAmerica, a group of more than 70 organizations, has called on Congress to pass a national data breach law, saying that "Clarity around actions to be taken in the event of a data breach will serve both cloud consumers and providers." Meanwhile, The Washington Post reports the Software and Information Industry Association, made up of 500 software and information companies, is pushing for self-regulation, encouraging lawmakers to focus on open privacy and security standards.

PERSONAL PRIVACY

Unique Identifying Information Collected, Searchable (July 27, 2011)

ZDNet reports that the French data protection authority, the CNIL, has confirmed that "street addresses and unique identifying information for millions of laptops, media players and other wireless devices" were collected during Google's Street View project. Until recently, the collected data could be accessed by individuals who used a specific online search, the report states. In May, Google Chairman Eric Schmidt said the company would improve its privacy practices and consult specialists before launching new products.   

PRIVACY

Opinion: Right to Privacy Definitions Need Updating (July 26, 2011)
In The Wall Street Journal, L. Gordon Crovitz writes that in light of a phone hacking scandal, definitions of the right to privacy need to be updated. The debate surrounding the right to privacy in recent years has focused on new media, he writes, "but when we post details about ourselves on social media or reply to online marketing, we are choosing to become less private." Hacking phones is "a clear-cut violation of privacy," Crovitz writes, "but the clarity of this violation highlights how much ambiguity there is in other claimed areas of privacy."

PRIVACY LAW—EU

Article 29 Working Party: Prior Consent Necessary (July 26, 2011)

The Article 29 Working Party guidance on the European e-Privacy Directive states that "the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent," reports research-live.com. While the directive does not use the word "prior" specifically, the Working Party writes that it is a "clear and obvious conclusion from the wording of the provision...Otherwise, the processing carried out during the period of time from the moment the processing had started until the moment that consent had been obtained would be unlawful because of lack of legal ground."

BIOMETRICS

Facial Recognition Adds to Privacy Risks (July 26, 2011)

Carnegie Mellon University Professors Alessandro Acquisti and Ralph Gross will, at next week's Black Hat Briefings, reveal the findings of their research into "how the convergence of facial recognition technology and data, including images, posted to social networks could lead to the re-identification of individuals and strangers online," reports SearchSecurity.com. The first stage of their research proved that individuals' Social Security numbers could be predicted using publicly available information. "People may not realize that once they reveal information A or B, a smart third party can infer C, which could be much more sensitive information," Acquisti said, adding, "We're entering a point in the near future in which the puzzle of personal, sensitive information about individuals is almost complete."

PERSONAL PRIVACY—U.S.

Commission Issues Smart Grid Resolution (July 26, 2011)

When considering implementing the smart grid, state commissions should consider privacy. That's according to The National Association of Regulatory Utility Commissioners (NARUC) which adopted a new resolution on smart grid principles, Smart Meter News reports. The resolution indicated support for implementation of smart grid technology but notes the importance of consumer education and engagement. NARUC will release a best practice guide on consumer privacy, which it says is essential. State commissions should "review existing privacy policies and, if necessary, adopt or update their policies to ensure that they properly address the privacy concerns created by smart meter data collection," the commission said, adding that third parties should also be required to comply.

HEALTHCARE PRIVACY—U.S.

Experts Discuss Patient Access, Privacy (July 26, 2011)

The biggest factor in revolutionizing the healthcare system will be patients' access to their healthcare data, InformationWeek reports. That's according to healthcare experts at a forum in New York earlier this month. Neil Calman, CEO and co-founder of the Institute for Family Health, said patients will soon expect records in downloadable form, and HIPAA and other regulations will be amended to meet those demands. Experts also discussed privacy and security issues in moving patient data to the cloud. As of mid-July, the U.S. Department of Health and Human Services had recorded 292 health data breaches. Six percent of those were attributed to hacking, though that share is expected to increase. Editor's Note: For more related to this topic, register for the IAPP's next Web Conference, The Upcoming OCR HIPAA Audit Program: What To Expect and How To Prepare, which will be held this Thursday, July 28.

ONLINE PRIVACY—U.S.

Study: Companies Track After Users Opt Out (July 25, 2011)
New research from Stanford University has found that many online advertising companies continue to track users' Web activity even when they've opted out, reports the San Jose Mercury News. The research has prompted renewed calls from advocates for a do-not-track law. The study found that out of 65 online advertising companies, half continued tracking after the user had opted out. One privacy group has asked the FTC to investigate eight of those online companies. Some companies have since revised their privacy policies with regard to opt-out tracking. Meanwhile, one start-up is launching a system allowing users to block online companies that don't honor do-not-track requests.

PRIVACY LAW—UK

Commissioner: Stronger Data Theft Laws Needed (July 25, 2011)

In a column for Prospect Magazine, UK Information Commissioner Christopher Graham writes about the widespread and unlawful trade of personal data. Going beyond tabloid journalism, "the problem," Graham writes, "actually involves a much bigger cast list--of lawyers, claims management companies, private investigators and scam merchants, to name but a few." Current attempts to stop the unlawful trade of personal data are a "20th century approach to a 21st century problem," the commissioner writes, and legislators "have not caught up with the reality of data crime." Graham echoes his predecessor, Richard Thomas, saying there needs to be "a custodial penalty" under which violators could face jail time and steeper financial penalties. "Armed with that," Graham states, "the ICO could investigate breaches more speedily, and the dealers in data would know they faced the full range of possible court sanctions."

PRIVACY—INDIA

Indian Market Embracing CPOs (July 25, 2011)

"Privacy is of utmost importance to the corporate world and companies are now adding an extra hand to their top management teams--Chief Privacy Officer--to shield business secrets." That's the message in a report in The Financial Express on the importance of the CPO's role and a recent PricewaterhouseCoopers study that found an increase of 113 percent in the number of CPOs appointed in the past four years across 119 countries. Meanwhile, an Indian Institute of Management, Ahmedabad study focuses on "the need to reinforce privacy claims in policymaking" and to recognize "both the individual and shared value of privacy."

DATA LOSS

Preparing for Mandatory Breach Notification (July 25, 2011)

As data security breach notification requirements become more widespread on a global scale, businesses are at greater risk for brand damage, customer loss and regulatory scrutiny. In a special pre-release article for the September issue of The Privacy Advisor, Baker McKenzie's Brian Hengesbaugh, CIPP, Michael Stoker and Daniel Krone discuss the 10 steps every organization should take to address these requirements. They say an organization's actions "should be tailored to reflect its industry; geographic footprint; data collections and transfers; history of data security incidents," and other factors. The authors outline specific steps organizations can take. (IAPP member login required.)

PRIVACY LAW—ITALY

DPA Fines Agency for Employment Data Collection (July 25, 2011)

The Italian Data Protection Authority (Garante) has found that collecting and processing the sensitive personal information of job applicants violates the law and has censured and fined a real estate agency for asking applicants "a disproportioned quantity" of personal questions. The Garante found the practice violated Italy's Data Protection Code, and further investigation and sanctions may be forthcoming. "It is incredible that notwithstanding strong data protection legislation, we still experience similar shocking data processing in the employment field," notes Rocco Panetta of Panetta & Associati, adding that such behaviors expose organizations "to enormous risks of sanctions." (Article in Italian.)

ONLINE PRIVACY—U.S.

Start-Up Creates Pre-Employment Dossiers (July 25, 2011)

Some companies are requiring applicants to consent to a social media check, reports The New York Times, and a California company has made a business of creating dossiers on prospective employees. Social Intelligence assembles seven years of a person's online activity--from comments on blogs to social networking posts to photos they've been tagged in. The company's CEO says candidates must consent to the check and are informed of adverse information, and all protected information is removed from the report. The FTC has found that the company's practices comply with the Fair Credit Reporting Act, but some privacy advocates worry about employers accessing information unrelated to job performance, the report states. (Registration may be required to access this story.) 

BIOMETRICS

Advocates Concerned About Facial Recognition (July 25, 2011)

The Globe and Mail reports on the increasing use and implementation of facial recognition technology online and in home surveillance systems, which has some businesses excited and privacy advocates concerned. Facebook recently began rolling out facial recognition technology, and Google has announced that it has acquired Pittsburgh Pattern Recognition, a facial recognition developer. Several digital rights groups have filed a complaint with the Federal Trade Commission alleging that individuals are not adequately informed of the biometric information that is being collected about them. In discussing some uses of biometric software, Ontario Information and Privacy Commissioner Ann Cavoukian says, "I think it's appalling...It is very sensitive information."

PRIVACY LAW—EU

The Cloud Is Coming, But Slowly (July 25, 2011)

Data protection laws and differing definitions of what constitutes personal information have made cloud computing a challenge in Europe. And while cloud computing remains "the exception, not the rule," a research study predicts sales of cloud services in Europe to rise 4.3 percent this year, The New York Times reports. Some cloud services sellers are compensating for laws prohibiting data transfer outside the EU by creating EU-based data centers, but one technology expert notes, "The legal landscape is not conducive to cloud computing in Europe." However, the data protection directive is currently under review, and European Commission Vice President Viviane Reding has submitted a revision that she says would benefit businesses and consumers. (Registration may be required to access this story.) 

PRIVACY LAW—AUSTRALIA

Opinion: Reform Process Must Be Fair, Balanced (July 25, 2011)

In a blog for Open Forum, former Privacy Commissioner Malcolm Crompton, CIPP, discusses last week's announcement by Privacy Minister Brendan O'Connor on a new push to reform the Privacy Act. "I have been on the record since 2000 with the clear view that the exemptions to the Privacy Act need reconsideration," Crompton writes, noting that the Australian Law Reform Commission has held a similar view. "Now that the process has been revived, it will be essential that the discussion is fact based and balanced. In particular, the media exemption, the political process exemption and the statutory cause of action all need to be considered objectively," he writes. 

PRIVACY LAW—U.S.

DOC To Anchor Privacy Codes of Conduct Talks (July 22, 2011)
Privacy codes of conduct drafted by a team of businesses, consumers and privacy advocates will work better than government regulation or legislation, said Cameron Kerry of the Department of Commerce (DOC) in a PCWorld report. The DOC will lead stakeholder discussions to create privacy codes of conduct, providing a "nudge from the government" to industry efforts. The Federal Trade Commission would enforce the codes. Kerry spoke on the topic at the Brookings Institution yesterday, saying, "We need a process that is nimble enough to respond quickly to consumer data privacy issues as they emerge and can address them without the need for legislation or regulation. Legislation and regulation simply do not move at Internet speed." Kerry told the Daily Dashboard, "The message that we've gotten from consumers and business is that people want a clear set of rules for the road; that's what we're aiming to set out with the privacy bill of rights. We also want to send a message to international partners that the Obama Administration and the United States want to lead on this issue because international operability is just very important to maintaining the free flow of information on the Internet and to maintaining global trade."

DATA PROTECTION—U.S.

The What and Why of NIST’s Privacy Appendix (July 22, 2011)

Ron Ross, author of the National Institute of Standards and Technology's (NIST) "Security Controls for Federal Information Systems and Organizations" document told GovInfoSecurity that adding privacy controls will offer a "disciplined and structured approach on how to enforce some of the best practices that have been around for quite some time." The controls will cover transparency, data minimization and retention, use limitation, data quality, risk management, individual participation and redress, among others. "The attempt here," says Ross, "is to have the most robust set of security and privacy controls for our customers."

ONLINE PRIVACY

History Sniffing Is Not A Past Practice (July 22, 2011)

paidContent reports on "history sniffing" and one company that embraces the practice. Though the FTC has urged browsers to refrain from such analytics, Epic Marketplace deploys software that reads millions of users' Web browsing histories each month, the report states, collecting information such as who may be reading pages on fertility or the IRS. Such sniffing is possible via a browser loophole that changes a link's color if the user has visited the website before; many browsers recently repaired it before releasing their latest versions. "Epic's reliance on history sniffing is likely to result in lawsuits," the report states, "And the FTC may decide it wants to take a close look..."

CONSUMER PRIVACY—U.S.

Barton and Markey Question Groupon (July 22, 2011)

In light of reports that Groupon will expand its data sharing practices, Reps. Joe Barton (R-TX) and Ed Markey (D-MA) have written a letter to the company's chief executive officer asking how it will protect its customers' data. Bloomberg reports that the legislators asked Groupon to clarify its willingness to allow customers to opt out of geotracking; whether third-party partners will be required to follow Groupon's privacy policy, and whether the company has experienced a data breach. "Avoiding full price shouldn't put your privacy at risk," Barton said.

SOCIAL NETWORKING—IRELAND

Opinion: Privacy Protections Should Be Priority (July 22, 2011)

In a feature for the Irish Times, Karlin Lillington reviews the widespread use of social media in Ireland, noting, "With so many people divulging personal information, safe use of social venues should be a priority in this country." Recent surveys indicate that Ireland has some of "the heaviest social network users in Europe and the heaviest business users internationally," the report states. Lillington goes on to note that despite the wide use of social media in Ireland, concerns about privacy protection persist, with 50 percent of Irish respondents to an EU survey reporting they fear that their personal information might be misused. 
Full Story

PRIVACY LAW—U.S.

Insurer Sues, Denies Breach Responsibility (July 22, 2011)

A Sony Corp. insurer has asked a court to rule it does not have to defend the company from increasing legal claims after recent data breaches, Reuters reports. On Wednesday, Zurich American Insurance filed papers in a New York state court asking that it not have to defend or indemnify Sony against any claims "asserted in the class-action lawsuits, miscellaneous claims, or potential future actions instituted by any state attorney general." The insurance company also sued three other insurance companies who had written policies for Sony, asking that the court clarify their responsibilities, the report states.
Full Story

PRIVACY LAW—U.S.

Obama Nominates Ohlhausen to FTC (July 21, 2011)

President Barack Obama has said he plans to nominate Internet policy expert Maureen Ohlhausen to replace Commissioner William Kovacic at the Federal Trade Commission (FTC). Ohlhausen is currently a partner in law firm Wilkinson Barker Knauer's privacy, data protection and cybersecurity practice, reports The Washington Post. From 2004 to 2008, she served as a director in the FTC's Office of Policy Planning. Ohlhausen worked on an Internet task force during that time, exploring issues surrounding e-commerce and marketing.

PRIVACY LAW—AUSTRALIA

Government To Consider Privacy Statute (July 21, 2011)

Privacy Minister Brendan O'Connor has announced the government is considering a statutory right for people to sue for ''serious invasions" of their privacy and has called for the public's input on a right to privacy. While the government has said it will not regulate media ethics, many--including former Prime Minister Paul Keating--have been urging the implementation of the Australian Law Reform Commission's recommendations for federal legislation allowing individuals to seek damages when their privacy is violated. The Australian reports, however, that major media organizations are opposing today's announcement of the government's "plan to enshrine a right to privacy in Australian law."
Full Story

PRIVACY LAW—U.S.

SAFE Data Act Moves Forward (July 21, 2011)

The House Energy and Commerce Committee's Manufacturing and Trade Subcommittee yesterday passed a bill aimed at creating a universal standard for notifying consumers and authorities after a data breach. Prior to the bill's passing, legislators debated its definition of PII and how much enforcement authority the Federal Trade Commission should have. PCWorld reports that Republicans touted the bill for balancing consumer protection with regulation, while some Democrats voiced concern that the bill would preempt stronger laws in some states. Rep. Henry Waxman (D-CA) said the bill doesn't cover enough information and is "full of loopholes." The bill will now go to the full committee for debate and a vote, the report states.
Full Story

DATA PROTECTION—CANADA

Commissioner Recommends Charges Against Doctor (July 21, 2011)

Saskatchewan Information and Privacy Commissioner Gary Dickson has released a report that includes 11 recommendations in response to patient health records found in a dumpster earlier this year. Dickson has named a doctor as the "trustee responsible for the records" and has recommended that legal action be taken against the individual and the clinic for violation of the Health Information Protection Act, The StarPhoenix reports. "This is without question the largest breach of patient privacy that our office has encountered in eight years since the Health Information Protection Act was enacted," Dickson wrote in the report. If convicted, the doctor could face up to a $500,000 fine.
Full Story

HEALTHCARE PRIVACY—U.S.

Experts Discuss HIPAA Changes (July 21, 2011)

In a Healthcare Informatics article, experts weigh in on what proposed rules aimed at strengthening HIPAA will mean for provider organizations. One data security officer suggests the proposed stricter breach notification rules may be alarming to patients, saying "If you report to them a breach when they really aren't impacted--for instance, if the information breached is just their name--patients will get shell-shocked and anxious." Susan McAndrew, deputy director for health information privacy at the HHS Office for Civil Rights, says the final rule pays special attention to finding the right balance between strengthening HIPAA and "maintaining the workability of the requirements so that covered entities of all sizes can smoothly adapt to the changes." Editor's Note: The HIPAA Audit Program will be the focus of the next IAPP Web Conference on Thursday, July 28, from 1 to 2:30 p.m.
Full Story

PRIVACY LAW—PHILIPPINES

Senator: Bill Needs To Strike Right Balance (July 21, 2011)

The Data Privacy Act of 2011 has been approved by the Lower House, and various groups have lobbied for its passage, but Sen. Edgardo Angara wants to make sure it "does not overreach its intentions to improve data privacy in the country." Newsbytes.ph reports that some believe the bill is key to the Philippines' competitiveness in the IT and business outsourcing industries. Angara says the bill needs to encourage "industry expansion while putting in place adequate controls that would protect the public from abuse."
Full Story

SOCIAL NETWORKING—AUSTRALIA & U.S.

AGs To Discuss Parental Access, Suppression Orders (July 21, 2011)

Australia's attorneys general are looking into whether laws should be created to give parents access to their children's social networking accounts, reports The Australian. In spite of privacy concerns, "We need to look at the policing that occurs, who can and should do it and how do you do it," said South Australian Attorney General John Rau. But one privacy advocate says a knee-jerk reaction could "undermine an existing law and relationships between children and parents." Meanwhile, a study in the U.S. indicates that 55 percent of parents there use social media to keep an eye on their children. 
Full Story

BIOMETRICS—U.S.

Law Enforcement To Begin Iris Scanning (July 21, 2011)

Reuters reports on new iris- and face-scanning technology that could improve the speed and accuracy of police work but raises privacy and civil liberties concerns. The Mobile Offender Recognition and Information System (MORIS) scans an individual's iris to detect unique patterns so that law enforcement can identify a suspect more quickly. The MORIS technology can also be attached to a smartphone to photograph a person's face; the image is then run through a database to identify the individual. A representative from the technology's manufacturer says the application will not be intrusive because "it requires a level of cooperation that makes it very overt--a person knows that you're taking a picture for this purpose."
Full Story

TRAVELERS’ PRIVACY

TSA: Airport Screening Will Be More Private (July 21, 2011)

The Transportation Security Administration (TSA) says it has started installing new software in its full-body scanning machines that will give travelers more privacy. The passenger's image will be replaced by a virtual image while still allowing screeners to observe any potentially dangerous items, USA TODAY reports. Expecting to replace all 241 machines in U.S. airports by year's end, the TSA says it also plans to test out similar technology in 247 additional "backscatter" machines this fall. TSA Administrator John Pistole says, "This software upgrade enables us to continue providing a high level of security...while improving the passenger experience at checkpoints." However, some consumer rights and privacy groups have said they remain opposed to the scanners, the report states. 
Full Story

DATA LOSS—U.S.

Breach Could Affect 7,520 U.S. Customers (July 21, 2011)

A server containing the personal information of approximately 7,520 Toshiba customers has been compromised by hackers. The company has said that e-mail addresses and passwords of 681 customers were stolen but that the server did not contain credit card or Social Security numbers, InfoSecurity reports. The group claiming responsibility for the incident has said that it also gained access to the accounts of 12 administrators on Toshiba's Electronic Components and Semiconductors and Consumer Products units, the report states.
Full Story

CONSUMER PRIVACY—U.S.

Vladeck Talks Social Networks, Do Not Track (July 20, 2011)

When it comes to social networks, the debate over who owns user profiles continues, says David Vladeck, head of the FTC's Bureau of Consumer Protection. But consumers ought to have control over their data and who it's shared with, Vladeck says in a Q&A with AdAge. "If you wanted to leave a social networking site at some point, you ought to be able to. If you want to delete your profile, you should be able to, unless the site has a legitimate business interest in maintaining it." On do-not-track proposals, Vladeck says data collection--and not just data use--must be addressed.

PRIVACY LAW—RUSSIA

Federal Data Protection Law Amendments Passed (July 20, 2011)

The upper house of Russia's federal legislature has approved amendments to the country's federal data protection law, InformationLawGroup reports. The amendments require businesses that process personal data to conduct threat assessments and examine the effectiveness of data protection safeguards; use only verified data protection methods; implement access controls; log all relevant actions; record incidents of unauthorized access, and implement measures to restore lost, destroyed or damaged data following breaches, the report states. The government will develop regulations for appropriate data protections and requirements for biometric data processing. The report advises that businesses "should be prepared to review and adjust as necessary their privacy and data security practices" as privacy enforcement increases worldwide.
Full Story

DATA PROTECTION—U.S.

NIST Proposes Adding Privacy to Security Doc (July 20, 2011)

The National Institute of Standards and Technology (NIST) has proposed a privacy controls appendix for its "Security Controls for Federal Information Systems and Organizations" document, reports InfoSecurity. The appendix would provide a set of controls to "help enforce requirements of federal privacy legislation, policies, regulations, directives, standards and guidance." It would also link privacy and security controls and officials in order to achieve organizational objectives in these areas and develop assessment procedures for ongoing evaluations. "Privacy and security controls in federal information systems are complementary and mutually reinforcing in trying to achieve the privacy and security objectives of organizations," a NIST spokesman said.
Full Story

PRIVACY LAW—U.S.

Bono Mack Releases Revised Notification Bill (July 20, 2011)

Rep. Mary Bono Mack (R-CA) has released a new version of the SAFE Data Act, which would create a universal standard for notifying consumers and authorities after a data breach. The House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade is scheduled to mark up the bill today. The latest version takes into consideration concerns raised at a hearing last month and requires organizations to inform the FTC and affected customers of a breach within 48 hours of completing a risk assessment--if they are at risk of fraud--and no longer than 45 days from the discovery of the breach under all circumstances, reports Tech Daily Dose.
Full Story

FINANCIAL PRIVACY—U.S.

Industry Group Releases Social Media Guidance (July 20, 2011)

Financial services industry group BITS, a division of the Financial Services Roundtable, has released guidance addressing social media risks and use, Hogan Lovells' Chronicle of Data Protection reports. "Social Media Risks and Mitigation" analyzes issues such as compliance, legal, operational and reputational risks. The report discusses three main types of social media use, including communication between an institution and its customers; employees' personal and professional use of social media within the institution, and employees' and vendors' use outside of the institution.
Full Story

HEALTHCARE PRIVACY—U.S.

Expert Analyzes Reported Data Breaches in 2011 (July 20, 2011)

The Mayo Clinic Center for Social Media's Christopher Burgess reviews reported patient data breaches from January to June of this year to show how the various incidents could have been avoided. With more than 87 breach incidents affecting approximately five million patients in the first five months of this year, Burgess opines, "Sadly, being compliant is not synonymous with being secure." Burgess breaks down the reported breaches into hardcopy, digital and identity theft incidents and provides recommendations to mitigate the risks surrounding patient data protection. "We have no choice," Burgess writes, "we must take action now...your patients are counting on you to protect their crown jewels, their data."
Full Story

PRIVACY LAW—EU

Commission Begins Action Against States (July 19, 2011)

The European Commission has started legal action against 20 member states for failing to implement telecommunications rules, Reuters reports. The commission has written to the states to inquire about why they have not implemented the so-called telecoms package, which was to have been incorporated into practice by May 25. The rules include what has been a controversial mandate for websites to obtain users' consent before placing cookies on their systems. To date, only Britain, Denmark, Estonia, Finland, Ireland, Malta and Sweden have implemented the rules. The states in question have two months to respond.

SOCIAL NETWORKING

Opinion: New Site Puts Privacy First (July 19, 2011)

A new social networking site has learned the lessons of past privacy mishaps and made privacy the "No. 1 feature of its new service," says Nick Bilton in The New York Times. Google launched its new social network Google+ last month and now has 10 million users whose posts are private by default, the report states. Breaches of user privacy on other sites have rarely led to repercussions, and users have mostly stuck with Facebook because there hasn't been a "viable alternative," Bilton writes, adding that Google seems to have learned "the importance of privacy for consumers online." (Registration may be required to access this story.)
Full Story

PRIVACY LAW

Comments Sought in Anti-Spam Regulations (July 19, 2011)

The entities that will implement Canada's Anti-Spam Legislation have each released draft regulations for comment. Industry Canada's draft regulations define what constitutes family and personal relationships, both of which are exceptions to the consent requirement under the proposed legislation, and could therefore affect "forward to a friend" marketing campaigns, Hunton & Williams' Privacy and Information Security Law Blog reports. The Canadian Radio-television and Telecommunications Commission's draft regulations address commercial electronic message content; requirements for requesting express consent to send commercial messages, and notice and consent requirements.
Full Story

DATA LOSS—U.S.

Two Hospitals Notify Patients of Data Events (July 19, 2011)

The Boston Globe reports that Beth Israel Deaconess Medical Center is notifying more than 2,000 patients of a potential data breach involving their personal information. The names, birth dates, genders and radiological procedure data of 2,021 patients were contained on a hospital computer that was affected by a computer virus. "We are grateful no Social Security numbers or financial information were released and apologize for the inconvenience and deeply regret any concern this situation may cause," said the hospital's CIO. Meanwhile, Wake Forest Baptist Medical Center in North Carolina has notified hundreds of patients that a former employee was found to have removed their medical records from the center.
Full Story

DATA PROTECTION—U.S.

Will HIPAA Audit Program Become Model? (July 19, 2011)

The Department of Health and Human Services' Office for Civil Rights is one step closer to fulfilling one of its mandates under the HITECH Act. The agency recently chose a firm to conduct HIPAA compliance audits at covered entities and business associates to ensure HIPAA compliance. Could this be a vision of the future of privacy? Could the HIPAA compliance audit program model be adopted by other, non-healthcare industries? If the program is successful, what can be expected, if anything, across the industry spectrum? The Daily Dashboard asked leading privacy attorneys and consultants for their opinions. 
Full Story

SOCIAL NETWORKING—U.S.

Start-Ups Considering Privacy in Business Plans (July 19, 2011)

Social media start-ups are realizing that--these days--privacy matters when it comes to their business models' success, The Washington Post reports. Investors want to know that the company has a plan to make money off of the multitude of information it collects from users, the report states, but start-ups also are watching how potential regulation out of Washington, DC, could affect stock market prospects. "Privacy is now finally and appropriately being seen as a compliance risk that is real and needs attention," said Hunton & Williams' Lisa Sotto. "These companies realize that they need to be really upfront with what they are doing with data." (Registration may be required to access this story.) 
Full Story

PRIVACY LAW—U.S.

Cloud Storage Company Sued for Breach (July 19, 2011)

A class-action lawsuit filed in a U.S. District Court in California claims that a cloud storage provider failed to secure data or notify users of a data breach, reports News and Insight. The suit claims breach of express and implied warranties, invasion of privacy and negligence, among other transgressions, alleging that a system glitch allowed logged-in Dropbox users to view others' data. A company blog post said the breach affected fewer than 100 people, and the company will implement additional safeguards. The suit seeks an order requiring the company to better secure its site, as well as damages, costs, injunctive relief and attorney fees, states the report. 
Full Story

ONLINE PRIVACY

Company To Certify Ad Network Clients (July 19, 2011)

Evidon, the company behind the Digital Advertising Alliance's (DAA) you-are-being-tracked icons, is rolling out a new program to certify some of its clients, MediaPost News reports. The program, dubbed GreenLight, aims to demonstrate which networks comply with self-regulatory principles and to act as "an additional level of best practices beyond simple compliance with the DAA program." Thus far, 10 of the more than 40 ad networks that work with Evidon are participating in GreenLight, which requires them to use Evidon exclusively or as a default and provides additional training about the privacy program.
Full Story

ONLINE PRIVACY—U.S.

Opinion: Best Opportunity for Legislation is Now (July 19, 2011)

Justin Brookman of the Center for Democracy and Technology says recent congressional focus on consumer privacy may make this an opportune time for comprehensive privacy reform. Brookman writes for Ars Technica that the lack of a comprehensive privacy law in the U.S. is an "impediment" to business, which a Department of Commerce report has also stated. While many companies would like to see privacy protections, Brookman writes, "imposing unilateral limitations on what they can do with user data" puts them at a competitive disadvantage. "Any privacy law that is enacted doesn't need to, and shouldn't, prohibit data sharing or invalidate business models. As long as...the consumer decides to accept the terms, we shouldn't put limits on what consumers are willing to do with their own information," he says.
Full Story

PRIVACY LAW—U.S.

Judge Grants Wiretapping Appeal (July 19, 2011)

A federal judge has announced that Google has the right to appeal last month's ruling, which stated that the company's Street View information-gathering practices constituted illegal wiretapping, Wired reports. With more than a dozen combined lawsuits seeking damages from the company, U.S. District Judge James Ware said that his ruling is the first of its kind, according to the report, and that an appellate court is better equipped to decide the case. Ware said, "Thus, in light of the novelty of the issues presented, the court finds that its June 29 order involves a controlling question of law as to which there is a credible basis for a difference of opinion and also finds that certification of the June 29 order for appeal would materially advance the litigation."
Full Story

Will the HIPAA audit program become a model for other industries? (July 19, 2011)

The Department of Health and Human Services’ Office for Civil Rights (OCR) is one step closer to fulfilling one of its mandates under the HITECH Act. The agency recently chose a firm to conduct HIPAA compliance audits at covered entities and business associates to ensure HIPAA compliance. KPMG, the firm chosen to carry out the work, is expected to conduct 150 audits by the end of 2012. The firm Booz Allen Hamilton will determine which covered entities and business associates should be audited.

We wondered, could this be a vision of the future of privacy? Could the HIPAA compliance audit program model be adopted by other, non-healthcare industries? If the program is successful, what should we expect, if anything, across the industry spectrum?

The Daily Dashboard asked leading privacy attorneys and consultants for their opinions. Here’s what they said.

Adam Greene
Partner, Davis Wright Tremaine LLP

“The HITECH Act calls for auditing covered entities (CEs) and business associates (BAs), so there is definitely the potential for audits of non-healthcare BAs (e.g., entities that are not healthcare companies but that host some personal health information for CEs). One of the biggest factors will be the success of Booz Allen in identifying the universe of BAs. I'm skeptical that it can be done reasonably well, and so I'm interested to see their approach.

As for the other questions, the future of these audits is very hard to predict once the HITECH funds run out. In the current budget climate, I don't envision a significant annual budget for such audits after 2012. However, HITECH provides that OCR gets to keep enforcement recoveries, so if the audit program is deemed a success, this may be where enforcement recoveries are allocated.”

***

Christine R. Ravago, CIPP, CISA
Manager, Advisory Services, Ernst & Young

“I would say the HIPAA compliance audit model has already bled into non-healthcare operations. We increasingly see companies that operate in complex environments—where only one facet of their operations is related to healthcare—take a conservative approach because of the potential risk to brand and reputation that a failure may cause. As a result, they are auditing their operations, both healthcare and non-healthcare components, to the standard demanded by HIPAA.”

***

Kirk J. Nahra, CIPP
Partner, Wiley Rein LLP

“The HIPAA compliance audit program is specifically mandated by statute, and addresses the very idiosyncratic requirements of the HIPAA Security...

Working Party Clarifies "Consent" (July 18, 2011)

The Article 29 Working Party has offered clarification on the idea of consent as the basis for data processing. The July 13 opinion includes recommendations for improving the concept of consent in the review of the EU data protection framework. The opinion notes that "only statements or actions, not mere silence or inaction, can constitute valid consent." The ability to withdraw consent should also be guaranteed, the Working Party states. When signing on to a social networking site, for example, default settings do not imply consent to make personal information available. Privacy professionals say that the opinion will be controversial and that the Working Party's opinion takes the most conservative approach wherever there is room for interpretation.

PRIVACY LAW—U.S.

Court: TSA Can Keep Scanner System (July 18, 2011)

A federal appeals court has rejected the Electronic Privacy Information Center's constitutional challenge to the Transportation Security Administration's (TSA) use of full body scanners at U.S. airports, The Wall Street Journal reports. The U.S. Court of Appeals for the District of Columbia Circuit said that the scans don't violate federal laws; the TSA had taken steps to protect passenger privacy, and passengers can opt out and receive a pat-down. But, the court also said the TSA should have followed routine procedures giving the public an opportunity to file comments, the report states. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—HONG KONG

Data Transfer Bill Introduced (July 18, 2011)

A bill that addresses transfers of personal data for direct marketing purposes has been introduced to Hong Kong's Legislative Council for final approval, Inside Privacy reports. The Personal Data (Amendment) Bill 2011 addresses concerns about recent data transfers of customer information for direct marketing without users' consent and acts on proposals from an April public discussions report. If the bill passes the Legislative Council, it would require Hong Kong companies making data transfers for direct marketing purposes to alert data subjects of the transfer's purpose as well as the type of data to be transferred and to whom. It would also allow the privacy commissioner to assist data subjects seeking legal redress after breaches.
Full Story

ONLINE PRIVACY—U.S.

Lawmakers Question Agencies on Data Protection (July 18, 2011)

During Friday's congressional hearing following up on privacy concerns about social networks' handling of personal information, lawmakers questioned the Federal Trade Commission (FTC), Federal Communications Commission and the National Telecommunication and Information Administration on what steps they are taking to protect users' data online, reports TPM. FTC Commissioner Edith Ramirez offered no specific details on her agency's efforts but said it is "looking very closely at the social networking arena." And, the report states, in response to Rep. Joe Barton's (R-TX) question as to whether the FTC needs more legislative authority to effectively regulate the industry, Ramirez said the agency's power was "certainly limited."
Full Story

DATA LOSS—U.S.

Gov’t Told To Improve Breach Notifications (July 18, 2011)

The Treasury Inspector General for Tax Administration has criticized the IRS for not notifying taxpayers quickly enough when their personal information had been compromised, nextgov reports. Draft cybersecurity legislation introduced by the Obama Administration would require companies to notify consumers affected by data breaches within 60 days. But in a sample of 100 incidents between July 2010 and February 2011, breach notification letters were sent out to victims 86 days after the fact in 20 percent of the cases. In five percent of the cases, victims weren't alerted because IRS employees failed to document those affected, and 21 percent weren't alerted because the agency didn't believe a threat existed.
Full Story

DATA PROTECTION

Outsourcers Working to Allay Fears (July 18, 2011)

With reports of large-scale data breaches attracting media attention, companies that outsource services are looking for ways to assure customers that sensitive data is being adequately protected. ComputerWeekly reports that according to PricewaterhouseCoopers (PwC), many outsourcers are using independent reports to show that they have robust protections in place, and this increased trust and transparency has become a competitive advantage. "Companies are increasingly looking for comfort that the operational activities that they have outsourced, be it transaction processing, logistics management or cloud computing, are being properly controlled," said Neil Hewitt of PwC.
Full Story

BEHAVIORAL TARGETING—U.S.

Lawmakers Say Children First in Online Privacy (July 15, 2011)

Amidst proposals for do-not-track legislation and a recent study showing that some online companies are not complying with self-regulatory standards, Rep. Anna Eshoo (D-CA) suggests that focusing on children's privacy may be the way forward. The Washington Post reports that while most lawmakers think children need clear online protections, the current proposals will be hard to turn into law. Meanwhile, Rep. Henry Waxman (D-CA) spoke at a House Energy and Commerce subcommittee hearing, saying, "Self-regulation isn't working," and criticizing the standards for allowing ad networks to continue collecting users' data after they opt out of behavioral targeting. (Registration may be required to access this story.)

PRIVACY LAW—UK

Phone hacking scandal prompts closer look at ICO’s call for jail terms (July 15, 2011)

A renewed interest in issuing custodial sentences for those who flout data protection law has emerged in the wake of the News of the World phone hacking scandal. In a speech this week, Deputy Prime Minister Nick Clegg said those convicted of obtaining personal data by deception should be jailed, according to a BBC News report. And Prime Minister David Cameron acknowledged that 2006 reports from the Information Commissioner's Office that detailed data handling issues and recommended custodial sentences for data infractions were not given the attention they deserved. Stewart Room, a partner at Field Fisher Waterhouse in London, told the IAPP Europe Data Protection Digest that the scandal "has captured the public imagination and the Coalition Government will have to react...The introduction of jail sentences is now inevitable."
Full Story

PRIVACY LAW—KOREA

Lawyer To File Class-Action Following Data Collection (July 15, 2011)

A South Korean lawyer who recently received compensation from a mobile phone company for its collection of location data without consent says that he will now file a class-action lawsuit against the company, The Wall Street Journal reports. An administrative court in South Korea ordered Apple to pay attorney Kim Hyung-seok, an order the company complied with, according to a spokesman. Now, Kim has established a website seeking other plaintiffs for the forthcoming class-action. "I never agreed that my location can be tracked through iPhone," Kim said, calling the data collection "an obvious invasion of privacy." (Registration may be required to access this article.)
Full Story

PRIVACY LAW—U.S.

Third Suit Filed After PIN Pad Breach (July 15, 2011)

A class-action lawsuit claims that Michaels Stores took almost three months to warn customers that their debit card PINs may have been stolen in a breach spanning 20 states, Courthouse News Service reports. The class action, filed in New Jersey's Passaic County Court, claims that the company "failed to take any commercially reasonable steps to safeguard its customers' nonpublic, sensitive, personal and financial account information...making its consumers an easy target for third-party skimmers," and that customers were harmed by the delay in the notice they received following the breach. The suit is the third class action filed since news of the breach broke.
Full Story

DATA LOSS—U.S.

Government Agency Breached, 24K Files Accessed (July 15, 2011)

Deputy Defense Secretary William Lynn has announced that a foreign intelligence service accessed 24,000 Pentagon files by hacking into an unnamed government contractor in March. The New York Times reports that the disclosure came during the release of the Pentagon's new strategy for military operations in cyberspace, which outlined a more proactive approach to cybersecurity. "Current countermeasures have not stopped this outflow of sensitive information," Lynn said during a speech at the National Defense University. "We need to do more to guard our digital storehouses of design innovation." (Registration may be required to access this story.)
Full Story

PRIVACY—U.S.

Report Details CPO, CISO Roles (July 15, 2011)

An Infosecurity report details the expectations for the new chief privacy officer (CPO) and chief information security officer (CISO) hired by Texas Comptroller Susan Combs following a data breach in April that exposed personal information of 3.5 million state residents. Recently named CPO Elizabeth Rogers will oversee "designing and updating privacy standards; performing risk reviews to identify exchanges of personally identifiable information between the agency and other entities or individuals; identifying new privacy risks and developing mitigation strategies, and collaborating with chief privacy officers at the state and federal level on privacy-related initiatives," the report states, while CISO Jesse Rivera will oversee a range of technology security and risk assessment factors. Editor's note: Susan Combs will be a keynote speaker at the IAPP Privacy Academy in Dallas, TX, in September.
Full Story

PRIVACY—EU & U.S.

Should the U.S. Follow Europe’s Lead? (July 14, 2011)

An InformationWeek report examines whether the U.S. should follow the EU's lead when it comes to creating privacy law. Although the EU's protections are stronger than U.S. regulations now, "it's where the rubber meets the road that makes a difference," says Hogan Lovells' Christopher Wolf. In the U.S., "We have a lot more enforcement against violations of the various laws," he said, creating vigilant regimes. Omer Tene of Israel's College of Management School of Law says the expectations of privacy are different in Europe and the U.S. In Europe, he says, governments generally regulate privacy, while the U.S. is concerned with government intrusion.

PRIVACY LAW—KOREA

Court Orders Apple Korea To Pay 1 Million Won for Collecting Data Without Consent (July 14, 2011)

Reuters reports that a mobile phone user has received compensation from a mobile phone company for its collection of location data without consent. Although Apple released a software update in May to stop its mobile devices from collecting and storing such data, a court has ordered Apple Korea to pay 1 million won (roughly $950 at the time) in compensation to an iPhone user whose data was collected. This is "the first payout by the U.S. company over these complaints," the report states, noting that the plaintiff's law firm is now planning a class-action lawsuit against the company.
Full Story

PRIVACY LAW—EU

EDPS: Commission Ambiguous on Cookie Advice (July 14, 2011)

The European Data Protection Supervisor (EDPS) says that the European Commission has offered "inconsistent advice to website owners on how they should obtain users' consent to cookies," OUT-LAW News reports. EU Commissioner Neelie Kroes said last month that European companies had one year to create a uniform way for users to opt out of cookies and that she supported self-regulatory efforts, but EDPS Peter Hustinx says that neither a self-regulatory model nor a do-not-track model complies with the EU Directive's requirements. Hustinx says the directive's requirements should be "fully respected," and "The Commission should avoid any ambiguity" in making sure that transparency and consumer control online are delivered in the EU.
Full Story

ONLINE PRIVACY

Former Google Employee Offers Insight (July 14, 2011)

In an interview with The Wall Street Journal, former Google employee Douglas Edwards offers insight into the company's attitude on privacy and efforts toward creating a social network. Edwards submits that, for Google's founders, privacy was not an issue. "The facts were that Google was not reading e-mail; Google was not targeting e-mail. So, the facts said there was no privacy issue," Edwards said, adding they "didn't understand that people's perception was reality." Edwards also weighed in on Google's efforts to gain ground in social networking. The company sees information created in social networks as "extremely important and valuable," he says, and without access to it, the founders think "Google will be less valuable as an information source." (Registration may be required to access this story.)
Full Story

BEHAVIORAL TARGETING—U.S.

Study Shows Companies Inconsistent on Do Not Track (July 14, 2011)

A Stanford Center for Internet & Society study has shown that some companies are not following their own do-not-track rules, reports Ars Technica. The study examined the tracking behavior of 64 National Advertising Initiative (NAI) members once users turn on do-not-track settings or opt out of behavioral advertising. Of the 64, eight companies kept some form of unique user information on users' computers after they opted out of tracking, the report states. The findings also showed that some went above the minimum requirements for NAI members, with two companies honoring browser-specific do-not-track headers and 10 both stopping tracking and removing cookies altogether.
Full Story
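The Stanford finding turns on one concrete question: after a user opts out (or sends a do-not-track header), does the network still leave behind a value that can single that user out? The script below is an added example, not code from the Stanford study, the NAI or Ars Technica. It replays constructed Set-Cookie headers for three fictional networks and sorts each into the behaviours the study reports: still setting a unique identifier after opt-out, stopping tracking but keeping an opt-out cookie, clearing cookies altogether, and honouring a DNT: 1 request header. The entropy threshold and the list of opt-out marker values are assumptions.

```python
"""Auditing what an ad network leaves behind after a user opts out.

Added example; not code from the Stanford study, the NAI or Ars Technica.
The captures below are constructed; the entropy threshold and the opt-out
marker list are assumptions.
"""
from __future__ import annotations

import math
from http.cookies import SimpleCookie

# Values an opt-out cookie typically carries in place of an identifier (assumed).
OPT_OUT_MARKERS = {"optout", "opt_out", "opt-out", "out", "1", "true"}

# Constructed captures. Each list holds the Set-Cookie headers one network
# returned to: a normal tracking request, its opt-out endpoint, and a request
# carrying "DNT: 1" from a fresh browser.
NETWORKS = {
    "ads-a.example": {   # NAI minimum: replaces the ID with an opt-out flag, ignores DNT
        "tracking_response": ["uid=3f9a0c7e1b24d8e5a6f7c0d1e2b3a495; Domain=.ads-a.example; Path=/; Max-Age=31536000"],
        "optout_response": ["uid=OPTOUT; Domain=.ads-a.example; Path=/; Max-Age=31536000"],
        "dnt_response": ["uid=7a1e9c3b5d2f4a6c8e0b1d3f5a7c9e2b; Domain=.ads-a.example; Path=/; Max-Age=31536000"],
    },
    "ads-b.example": {   # sets an opt-out flag but keeps the unique ID alongside it
        "tracking_response": ["id=0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f; Path=/"],
        "optout_response": ["id=0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f; Path=/", "optout=1; Path=/; Max-Age=31536000"],
        "dnt_response": ["id=5f4e3d2c1b0a9f8e7d6c5b4a39281706; Path=/"],
    },
    "ads-c.example": {   # deletes its cookie on opt-out and sets nothing when DNT: 1 is present
        "tracking_response": ["sid=9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b; Path=/"],
        "optout_response": ["sid=deleted; Path=/; Max-Age=0"],
        "dnt_response": [],
    },
}


def entropy_bits(value: str) -> float:
    """Shannon entropy per character: random IDs score high, flags score low."""
    n = len(value)
    return -sum(value.count(c) / n * math.log2(value.count(c) / n) for c in set(value))


def looks_like_identifier(value: str) -> bool:
    """Heuristic for 'could single out one user': long, high-entropy,
    and not a known opt-out marker."""
    v = value.strip().strip('"')
    if v.lower() in OPT_OUT_MARKERS:
        return False
    return len(v) >= 16 and entropy_bits(v) >= 3.0


def cookie_actions(set_cookie_headers: list[str]) -> dict[str, str | None]:
    """Map cookie name to the value set, or None when the header deletes it
    (Max-Age=0 or an Expires date in 1970)."""
    actions: dict[str, str | None] = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            deleting = morsel["max-age"] == "0" or "1970" in morsel["expires"]
            actions[name] = None if deleting else morsel.value
    return actions


def sets_identifier(actions: dict[str, str | None]) -> bool:
    return any(v is not None and looks_like_identifier(v) for v in actions.values())


def classify(capture: dict[str, list[str]]) -> dict[str, object]:
    """Apply the study's categories to one network's captured responses."""
    before = cookie_actions(capture["tracking_response"])
    after = cookie_actions(capture["optout_response"])
    dnt = cookie_actions(capture["dnt_response"])

    if sets_identifier(after):
        after_opt_out = "keeps unique identifier"
    elif all(after.get(name, "") is None for name in before) and all(v is None for v in after.values()):
        after_opt_out = "removes cookies"
    else:
        after_opt_out = "opt-out cookie only"
    return {"after_opt_out": after_opt_out, "honours_dnt": not sets_identifier(dnt)}


def audit(networks: dict[str, dict[str, list[str]]]) -> dict[str, dict[str, object]]:
    return {name: classify(capture) for name, capture in networks.items()}


if __name__ == "__main__":
    for name, result in audit(NETWORKS).items():
        print(f"{name:15} after opt-out: {result['after_opt_out']:25} honours DNT: {result['honours_dnt']}")
```

The entropy heuristic is deliberately crude: a short random token or an identifier hidden inside a structured value would slip past it, so in a real audit the captures should also be diffed across two fresh browser profiles to confirm that whatever remains after opt-out is identical for every user.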

PRIVACY LAW—U.S.

Opinion: Congress Should Reinstate Board (July 14, 2011)

Congress must ask itself how the disappearance of a Privacy and Civil Liberties Oversight Board can be justified, opines Alan Charles Raul in The Hill. Congress established the board in 2004 as part of the Intelligence Reform and Terrorism Prevention Act, and it operated from 2006 to 2008. The board's purpose is to balance civil liberties with the government's post-9/11 powers to fight terrorism. It is charged with reviewing proposals and the implementation of anti-terrorism legislation, regulations and policies to protect "privacy and civil liberties." Reforms to the board in 2007 led to its eventual demise, and it has yet to be re-established, which Raul says is "no trifling matter."
Full Story

FINANCIAL PRIVACY—EU & U.S.

EU Exploring Its Own Funds-Tracking Program (July 13, 2011)

In the wake of objections by many EU officials to a program that allows the U.S. to access European financial transactions as part of efforts to fight terrorism, the European Commission has presented its own proposals for tracking finances of suspected terrorists. The New York Times reports the plans "are aimed at ending the primary role of the United States in those efforts," quoting Commissioner Cecilia Malmström's statement that an EU system "would need to fully respect fundamental rights and, in particular, ensure a high level of data protection." One of the EU's primary goals will be to limit the amount of data sent to the U.S. (Registration may be required to access this story.)

ONLINE PRIVACY—U.S.

Company Receives $5.2M for Growth (July 13, 2011)

Two venture capitalist companies have invested $5.2 million in a Cambridge, MA, company that provides online privacy services to Internet users, reports The Boston Globe. "Privacy is the next consumer Internet frontier," said one investor, while another touted the company, Abine, for creating a "one-stop shop for consumer online privacy." Abine's president, Bill Kerrigan, said, "Controlling our online privacy has become a universal issue: consumers want basic choice and control over how their personal information is tracked, collected and used." 
Full Story

SOCIAL NETWORKING

Privacy Approach May Determine Success (July 13, 2011)

CNNMoney reports on new competition in social networking, and the report says privacy may end up determining the leader. While Facebook holds the major market share, Google's new Google+ is being lauded by testers for its privacy controls. "Web users may benefit from a Facebook-Google rivalry, but for a different reason: The best way for these companies to differentiate their social media offerings is by preserving personal privacy," the report states.
Full Story

PRIVACY LAW—U.S.

Resistance to ISP Data Retention Proposal (July 13, 2011)

A leading privacy advocate and a congressman have criticized the proposed federal law that would require Internet service providers to retain customer information for 18 months in order to assist in investigations. Marc Rotenberg, executive director of the Electronic Privacy Information Center, said the proposal contradicts data security trends that encourage deleting data frequently to avoid breaches, The Hill reports. Rep. F. James Sensenbrenner (R-WI) said at a hearing yesterday that the bill "needs a lot of fixing up" and that "It's not ready for prime time."
Full Story

PRIVACY LAW—U.S.

Hearing To Examine Current, Future Privacy Laws (July 13, 2011)

The Hill reports that lawmakers from the House Energy and Commerce Committee will ask federal officials for an overview of current privacy and data security legislation in the U.S. The July 14 "Internet Privacy: The Views of the FTC, the FCC and NTIA" hearing will feature witnesses including FCC Chairman Julius Genachowski, National Telecommunications & Information Administration chief Lawrence Strickling and Edith Ramirez of the Federal Trade Commission. Subcommittee chairs Rep. Mary Bono Mack (R-CA) and Rep. Greg Walden (R-OR) scheduled the hearing in response to recent high-profile data breaches. An internal Republican majority memo notes concerns that plans for tougher laws and regulations could harm Internet commerce.
Full Story

BIOMETRICS—U.S.

Facial Recognition Device Draws Attention (July 13, 2011)

Facial recognition technology is coming to the smartphones of law enforcement officers, raising concerns about constitutional and informational privacy. The Wall Street Journal reports that a Massachusetts technology company has agreements to outfit dozens of agencies with its hand-held facial recognition device in the coming months. The device will let officers identify individuals from five feet away, and it will link to a database with stored biometrics. "The database is the golden nugget of the whole thing," says its maker's CEO, who adds that his company does not sell the stored data. The company hopes to develop facial recognition applications for the healthcare and financial services sectors, too, according to the report. (Registration may be required to access this story.)
Full Story

SOCIAL NETWORKING—EUROPE

Regulators Want Answers on Data Handling (July 13, 2011)

Norway's data protection agency (DPA) last week sent 45 questions to Facebook on behalf of Sweden, Denmark, Finland and itself, asking for information on the site's handling of users' information. AFP reports that the inquiry included questions about the use of members' photos and stated preferences as well as information collected when they click the "like" button, among others. The DPAs have given the company until the end of August to answer the questions. "Despite the fact that Facebook is continuously working on improving information to its members, it is unclear what information Facebook collects and how this is used and passed on," said Bjoern Erik Thon of the Norwegian DPA.
Full Story

PRIVACY LAW—SWITZERLAND & U.S.

ISPs Being Asked To Record Data (July 12, 2011)

In nations on both sides of the Atlantic, Internet service providers (ISPs) may be required to record customer information to assist in investigations. CNET News reports on U.S. law enforcement representatives' endorsement of a proposed federal law, scheduled for a hearing today, that would require ISPs to store user data logs for 18 months. Meanwhile, in Switzerland, plans to revise the Data Protection Act include requiring ISPs to record and release client data and allowing "the government to install Trojan viruses on computers and use mobile phone network data to ease dragnet investigations," swissinfo.ch reports in a question-and-answer with one privacy expert who believes the concept goes too far.

CHILDREN’S PRIVACY—U.S.

Parent Involvement Online and in Healthcare (July 12, 2011)

While the dangers of children using online networks are well documented, some believe that social networking tools may help children learn communication and technical skills that will serve them throughout their lives. NPR reports that studies have shown many children are using social networks, and the American Academy of Pediatrics released a report in April stating that much of children's "social and emotional development is occurring while on the Internet and on cellphones. Parents need to understand these technologies so they can...comfortably parent in that world." Meanwhile, doctors are facing a challenge in deciding when notifying parents of children's medical conditions--especially those relating to sexual or mental health--breaches patient privacy.
Full Story

PRIVACY—U.S.

Researchers Face Privacy Hurdles (July 12, 2011)

The Chronicle of Higher Education reports on the "emerging ethical challenges" researchers face when it comes to privacy. In 2006, Harvard researchers downloaded 1,700 Facebook profiles from the school's class of 2009 to study how race and cultural tastes affect relationships. But the project was halted after the researchers were criticized for using the students' data without their knowledge. Although the project's lead researcher said the data was edited to avoid student identification, a scholar at the University of Wisconsin at Milwaukee showed that data could be identified, noting that there's "a lot of work to do to make sure that we're doing this kind of research correctly..."
Full Story

CONSUMER PRIVACY—U.S.

Consumers Willing To Pay More for Privacy (July 12, 2011)

A new study has found that consumers are willing to pay more for purchases from online vendors "with clear, protective privacy policies," ScienceBlog reports. The Carnegie Mellon University study found that, for example, participants in the study shopping for batteries made "significantly more purchases" from sites rated high privacy--47.4 percent--than from sites rated no privacy--5.6 percent. Additionally, consumers were willing to pay, on average, 59 cents more from sites with strong privacy protection. "Our study indicates that when privacy information is made more salient and accessible, some consumers are willing to pay a premium to purchase from privacy protective websites," the authors noted.
Full Story

ONLINE PRIVACY

Cloud Concerns Pervasive (July 12, 2011)

Across jurisdictions, concerns about privacy in the cloud persist. "There is no global law of cyberspace or law of the Internet, although there are separate pieces of legislation relating to privacy, spam, electronic transactions, cybercrime and more," one Australian expert writes, cautioning that recent breaches are a warning to all businesses. Technorati reports that, additionally, concerns about differing regulations, such as the U.S. Patriot Act being at odds with EU data protection rules, are also problematic. "All this could lead to something as drastic as the EU banning--even if only temporarily--U.S. companies from operating cloud services within the EU," the report states.
Full Story

HEALTHCARE PRIVACY—U.S.

HIPAA Audits To Begin Soon (July 12, 2011)

The Department of Health and Human Services announced that it will soon begin its HIPAA compliance audits mandated under the HITECH Act with 150 onsite audits to be conducted by KPMG by the end of 2012, reports GovInfoSecurity. Adam Greene of Davis Wright Tremaine notes that the scope of the audits, the selection process for being audited and whether audits will be used as an enforcement or education tool are all unknown. He also notes that due to the volume of covered entities, the likelihood of being audited is small, but organizations should review their programs and ensure they are effective and up-to-date. The report states that Booz Allen Hamilton has been contracted for "audit candidate identification." Editor's Note: Adam Greene will be a featured presenter in an upcoming IAPP Web Conference on the HIPAA Audit Program on Thursday, July 28, from 1 to 2:30 p.m. Registration will open soon. Visit our website for current conferences, and check back for updates as new programs are added.
Full Story

DATA LOSS—U.S.

“AntiSec” Continues, Defense Contractor Hacked (July 12, 2011)

The hacker group Anonymous claims to have released the e-mail addresses and hashed passwords of 90,000 military personnel that it accessed through a defense contractor's server. This breach is the latest in a cyber attack campaign the group calls "AntiSec," targeting companies for insufficient data protection, reports Forbes. The passwords were released as hashes rather than in plaintext, and the group claims the hashing method the company used is one many consider inadequate. A tweet by Booz Allen Hamilton said the company doesn't generally "comment on specific threats or actions taken against our systems," and the Department of Defense said it's aware of the incident and is "coordinating with our federal partners."
Full Story
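"Hashed" is only reassuring if the hash is salted and slow; an unsalted, fast digest lets an attacker crack an entire dump with one pass over a wordlist. The script below is an added example, not code from Forbes, Booz Allen Hamilton or Anonymous. The report does not say which scheme the company used, so bare SHA-1 is assumed here as the illustrative weak scheme and salted PBKDF2-HMAC-SHA256 as the stronger one; the users, passwords and wordlist are constructed.

```python
"""Why unsalted, fast password hashing is inadequate, and what to use instead.

Added example; not code from Forbes, Booz Allen Hamilton or Anonymous. The
report does not say which hashing scheme was in use, so bare SHA-1 is
assumed as the weak scheme. All credentials below are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed data: a small attacker wordlist and four users, three of whom
# picked passwords from it. Nothing here is real.
WORDLIST = ["password", "123456", "letmein", "qwerty", "welcome1"]
USERS = {"alice": "letmein", "bob": "welcome1", "carol": "letmein", "dave": "Ml#7vq2Rzp!e"}


def unsalted_sha1(password: str) -> str:
    """Weak scheme: one fast, deterministic digest with no per-user salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(stored: dict[str, str], wordlist: list[str]) -> tuple[dict[str, str], int]:
    """Dictionary attack on unsalted hashes.

    Identical passwords give identical hashes, so the attacker hashes each
    candidate once and checks it against every user in the dump at no extra
    cost. Returns the recovered passwords and the number of hash operations.
    """
    table = {unsalted_sha1(w): w for w in wordlist}
    found = {user: table[h] for user, h in stored.items() if h in table}
    return found, len(wordlist)


def pbkdf2_store(password: str, salt: bytes = b"", rounds: int = 100_000) -> str:
    """Stronger scheme: random per-user salt plus an iterated KDF
    (PBKDF2-HMAC-SHA256), stored as salt$rounds$hash."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"{salt.hex()}${rounds}${dk.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    salt_hex, rounds, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(stored: dict[str, str], wordlist: list[str]) -> tuple[dict[str, str], int]:
    """The same attack against salted, iterated records. No shared lookup
    table is possible, so the attacker pays one full PBKDF2 run per
    (user, candidate) pair, each about `rounds` times the cost of one SHA-1."""
    found: dict[str, str] = {}
    work = 0
    for user, record in stored.items():
        for w in wordlist:
            work += 1
            if pbkdf2_verify(w, record):
                found[user] = w
                break
    return found, work


if __name__ == "__main__":
    weak = {u: unsalted_sha1(p) for u, p in USERS.items()}
    strong = {u: pbkdf2_store(p) for u, p in USERS.items()}
    print("alice and carol share a hash under SHA-1:", weak["alice"] == weak["carol"])
    print("...but not under salted PBKDF2:", strong["alice"] == strong["carol"])
    print("unsalted:", crack_unsalted(weak, WORDLIST))
    print("salted:  ", crack_salted(strong, WORDLIST))
```

The weak users are recovered either way; what the salt and iteration count buy is that the attacker's work grows with the number of users and by the round count per guess, instead of one cheap table lookup for the whole dump. Memory-hard functions such as scrypt or Argon2 (or bcrypt) raise that cost further and are the usual recommendation today; PBKDF2 is used here only because it ships in the standard library.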

DATA PROTECTION—UK

ICO Publishes Guidance on Fines (July 11, 2011)

The Information Commissioner's Office (ICO) has released details on how it will use its new fining powers under the Privacy and Electronic Communications Regulations (PECR), OUT-LAW.COM reports. Amendments to the PECR let the ICO fine up to £500,000 for offenses, and "It is possible that a single breach may be sufficient to meet this threshold," the ICO says in its guidance, which offers insight into potential triggers for fines. Organizations will have the chance to weigh in on the guidance before it is adopted.

PRIVACY LAW—U.S.

Court: GPS Tracking Not an Invasion of Privacy (July 11, 2011)

A New Jersey appellate court ruled last week that a wife's use of a GPS tracking device to follow her husband's movements was not an invasion of privacy, NJ.com reports. The court ruled against Kenneth Villanova, who alleged that his privacy was invaded when his ex-wife placed a GPS device in his vehicle's glove compartment to determine whether he was cheating. Villanova had sued the private investigator his ex-wife hired to track him. The appellate judges ruled that Villanova had no expectation of privacy because his movements were tracked on public streets.
Full Story

ONLINE PRIVACY

Groupon To Collect, Share More User Data (July 11, 2011)

Groupon has e-mailed its 83 million subscribers to announce changes to its privacy policy, including that it will begin collecting more information about its customers to share with its business partners, The Washington Post reports. It will also begin using geolocation information for marketing purposes. The expanded categories of information Groupon will now collect include user habits and interests, which it will share with third parties. It now shares contact, relationship, transaction and mobile location information. The company has also released details on the ways it collects and uses such information. (Registration may be required to access this story.)
Full Story

SSN PRIVACY—U.S.

Banks Unnecessarily Expose Customers to ID Theft (July 11, 2011)

A TIME "Moneyland" feature highlights the importance of Social Security numbers (SSNs) as personal identifiers and why banks--in light of the threat of identity theft brought on by the digital age--continue to use them to verify customers' identities. According to a Javelin study, 70 percent of banks still use SSNs to identify customers in some way, but one researcher says there are other methods that don't pose as much risk. A 2008 Federal Trade Commission (FTC) report agreed, and the FTC recently testified in front of a congressional subcommittee to limit reliance on SSNs, the report states.
Full Story

SOCIAL NETWORKING

New Site Tests Privacy Settings (July 11, 2011)

A new social network planned to launch later this summer is using a limited-access trial period to get user feedback and make changes to features such as privacy settings, reports The Wall Street Journal. Google+ allows users to create circles of people with whom they want to share certain information and includes a way to disable resharing. Some trial-period users have been confused by the features, and Josh Bernoff of Forrester Research says the effectiveness of its privacy features won't be clear until the site goes live. The report states that, according to Bernoff, different networks and customized settings are causing confusion. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

It’s a Privacy Policy. It’s a Game. It’s Both! (July 8, 2011)

An online game manufacturer yesterday launched "PrivacyVille," a tutorial on its privacy policy that users play like a game. Players follow along and learn about how Zynga will protect users' personal information, reports CNET News. The company says the game is not meant as a substitute for its official privacy policy and Privacy Center but as an educational tool. Unlike Zynga's other games, PrivacyVille does not require a Zynga or Facebook account, but players earn points redeemable in some of the company's other games that do.

PRIVACY LAW—U.S.

Hospital Settles for $865,000 (July 8, 2011)

UCLA Health System has agreed to pay an $865,000 settlement for potential violations of federal privacy laws after hospital employees allegedly looked at certain celebrities' medical records, reports the Associated Press. The settlement follows a U.S. Department of Health and Human Services investigation, which concluded that hospital employees accessed the records between 2005 and 2008. The hospital has agreed to a three-year corrective plan, to be overseen by a federal monitor. In a statement, UCLA said, over the "past three years, we have worked diligently to strengthen our staff training, implement enhanced data security systems and increase our auditing capabilities."
Full Story

PRIVACY LAW—MEXICO

Privacy Regulations Issued for Public Comment (July 8, 2011)

Mexico's secretary of economy and the Federal Institute for Access to Information and Data Protection have released privacy regulations for public comment, Hunton & Williams' Privacy and Information Security Law Blog reports. The rules and guidelines established by the proposed regulations are for the implementation of the country's Federal Law on the Protection of Personal Data in the Possession of Private Parties. According to the report, the regulations cover jurisdictional issues; notice and consent details; data controller and processor relationships; data transfers and security; self regulation; data subjects' rights; automated processing, and enforcement.
Full Story

DATA PROTECTION—U.S.

After Breach, State Office Hires CPO (July 8, 2011)

After experiencing a breach that exposed the sensitive data of 3.5 million Texans, the state comptroller's office has hired a chief privacy officer. KXAN reports that Elizabeth Rogers will serve as the agency's first CPO. Comptroller Susan Combs said Rogers has the "experience, know-how and commitment to help ensure that a major data issue does not happen again here." Rogers will create privacy standards and conduct risk assessments for the agency, among other responsibilities.
Full Story

PERSONAL PRIVACY—U.S.

Immigration Database Worries Advocates (July 8, 2011)

Immigration and Customs Enforcement's Secure Communities program is raising red flags for some privacy advocates who worry that it will grow into a comprehensive database on all Americans, reports U.S. News & World Report. The program is part of a post-9/11 mandate for data sharing between agencies working to stop terrorism and is meant to identify illegal immigrants. Lillie Coney of the Electronic Privacy Information Center has concerns about transparency and oversight with such a broad database, the report states. "It's the rules that are out there to protect the individual and the society from abuse and misuse of that information," she said, "We just don't have that."
Full Story

IDENTITY THEFT—U.S.

Opinion: Lessons Can Be Learned from Breaches (July 8, 2011)

In the wake of a recent high-profile data breach, a columnist for The Wall Street Journal writes that stolen Social Security numbers pose a greater and longer-lasting threat to breach victims than stolen card numbers do. Stolen credit card numbers can be changed quickly, but identity thieves can hold on to Social Security numbers for extended periods of time and use them to create debts, medical expenses or criminal records. Identity Theft 911 Co-founder Adam Levin says that "identities are currency; they're evergreen." Identity thieves can "re-create you," Levin says, and in some cases even reach out to victims posing as the breached organization in order to mine for additional personal information. (Registration may be required to access this story.)
Full Story

ICO Report: Audits a Badge of Honor (July 7, 2011)

The Information Commissioner's Office (ICO) released its annual report yesterday, which states that more companies should offer themselves up for voluntary audits, The Register reports. Last year, there were 603 reported data breaches, and 186 occurred in the private sector. Of those businesses, 19 percent accepted the ICO's offer for a free data protection audit. In the public sector, 71 percent agreed to the voluntary audit, the report states. "These audits are not about naming and shaming those who are getting it wrong. The fact that a company has undergone a consensual audit should count as a badge of honor, showing that the business takes data security seriously," said Information Commissioner Christopher Graham.

PRIVACY LAW—EU

Parliament Approves Calls for Access, Breach Notifications (July 7, 2011)

Computing reports that the European Parliament has approved a document that calls for mandatory breach notifications and granting individuals greater access to and control over their personal data. European Commission Vice President Viviane Reding lauded the vote and the report, which was authored by German Christian Democrat Axel Voss. "Putting people back in control of their personal data is a priority for me," Reding said. "I welcome the European Parliament's support for this approach."
Full Story

PRIVACY LAW—AUSTRALIA

Commissioner: Breach Due to Human Error, Investigation Closed (July 7, 2011)

Privacy Commissioner Timothy Pilgrim has closed his investigation of Telstra's data breach, saying it "was caused by a one-off human error," and the company "adequately dealt with the matter." ZDNet reports that according to Pilgrim, the incident breached the Privacy Act, but it was "not a result of Telstra failing to have reasonable steps in place to protect the personal information of its customers, as required by the Privacy Act." A Telstra spokesman acknowledged the commissioner's finding and assured that the company has put measures in place to prevent a similar breach in the future.
Full Story

PRIVACY LAW—HONG KONG

Privacy Bill To Be Introduced in Legislative Council (July 7, 2011)

A bill addressing the transfer of personal data for direct marketing purposes will be introduced in the Hong Kong Legislative Council on July 13, news.gov.hk reports. The Personal Data (Privacy) (Amendment) Bill 2011 acts upon proposals from a public discussions report that was released in April. The bill seeks to address concerns about recent data transfers of customer information for direct marketing without users' consent. Entities transferring customer data for direct marketing would have to provide customers with written notice explaining the nature of the transfer. The bill would also implement a customer opt-out and would impose stiff fines and potential imprisonment for companies that fail to comply.
Full Story

DATA LOSS—U.S.

Job Site Hacked, E-mail Addresses Exposed (July 7, 2011)

Hackers accessed an employment website last week, exposing the user IDs and e-mail addresses of about 1.27 million job seekers, reports CNET News. In a notice on its job site, The Washington Post said that no passwords or other data were affected, and it is warning users to be on the lookout for phishing scams. "We quickly identified the vulnerability and shut it down and are pursuing the matter with law enforcement," the notice states.
Full Story

DATA LOSS

A Property Right in Personal Information? (July 7, 2011)

Plaintiffs in data breach claims have been unsuccessful in convincing courts that they have suffered harms as a result of a breach, but "a new theory that claims a property right in personal information has recently been tried," writes Andrew Clearwater, CIPP, in an article for the current edition of the IAPP's Privacy Advisor newsletter. Clearwater says that, under this theory, a data breach causes a loss of personal information property and, therefore, a concrete or particularized harm has been realized. The approach is being tested in a case against RockYou Inc.
Full Story

Insurer Gets Fined for Slow Breach Notification (July 6, 2011)

Indiana Attorney General Greg Zoeller announced on Tuesday that an Indiana-based insurer will pay a $100,000 fine and take other steps for waiting months to notify 32,000 customers of a data breach. The Associated Press reports that WellPoint has agreed to pay the fine; provide up to two years of credit monitoring and identity theft protection to affected customers, and reimburse up to $50,000 for breach-related losses. "This case should be a teaching moment for all companies that handle consumers' personal data," said Zoeller. A WellPoint spokeswoman said the company has made security changes to prevent further breaches.

PRIVACY LAW—EU & U.S.

EU Lawmakers Concerned About Patriot Act (July 6, 2011)

Members of the European Parliament are expressing concern about the conflict between the European Union's Data Protection Directive and the U.S. Patriot Act. Last week, Microsoft admitted that it may have to disclose European users' data, found in its new cloud service, to U.S. authorities, while keeping transfer details secret, Computerworld reports. Such disclosure would be a violation of the directive, prompting MEP Sophie in't Veld to ask, "Does the commission consider that the U.S. Patriot Act thus effectively overrules the EU Directive on Data Protection? What will the commission do to remedy this situation and ensure that EU data protection rules can be effectively enforced and that third-country legislation does not take precedence over EU legislation?"
Full Story

DATA LOSS—UK

Graham Calling for Stiffer Penalties (July 6, 2011)

Information Commissioner Christopher Graham is prepared to impose fines of up to £500,000 on NHS trusts and hospitals after a number of data breaches including the loss of laptops and memory sticks, among other incidents, The Independent reports. "There's just too much of this stuff going on," Graham said. "The senior management is aware of the challenge, but the breaches continue. Whether it's a systemic problem in the NHS or an epidemic, we have got to do something about it." Graham also called for stiffer penalties for unlawfully obtaining personal data, which he says is a wider problem than the courts recognize.
Full Story

DATA LOSS—U.S.

PII of 34,000 Customers Missing (July 6, 2011)

Two CD-ROMs containing the personal information of approximately 34,000 Morgan Stanley Smith Barney customers have gone missing, CNET News reports. Compromised data includes customers' addresses, account and tax identification numbers and, in some cases, Social Security numbers. According to the report, the disks were in a package that was sent to the New York State Department of Taxation and Finance, but were missing upon arrival. After a two-week investigation, the company notified affected customers and has offered a year of free credit-monitoring service.
Full Story

ONLINE PRIVACY—U.S.

Fitness Site Exposes Calorie Burning Activities (July 6, 2011)

An online fitness tracking company, which encourages users to share calorie-burning activities through the company's website, has reset its new-user defaults to "private" after unknowingly exposing some users' intimate activities, reports Forbes. Fitbit has historically made user profiles public to promote competition, but a spokesperson said the company did not intend for "the sharing of intimate information." About 200 users' activities were searchable online. The company has contacted search engines to remove the data, hidden all activity records on its site and removed identifiable information from user profiles. "Out of a desire to have a successful 'social strategy,' too many companies are choosing to publicize their users' information as much as possible," the report states.
Full Story

SURVEILLANCE—EU & U.S.

Opinion: Employee Monitoring a Touchy Subject (July 6, 2011)

Employers considering monitoring employees should watch recent developments in the U.S. and Europe before proceeding, advises Philip Gordon in a Littler Workplace Privacy Counsel blog. Two bills were introduced on Capitol Hill last month on the use of location data; the Supreme Court has agreed to review a court decision holding that police tracking of a suspect violated Fourth Amendment rights, and the EU Article 29 Working Party's recently published opinion on geolocation services on smart mobile devices states that employers cannot lawfully monitor employees unless for a "legitimate business purpose." Such a focus in the EU "very well may spill over to the U.S. workplace," Gordon writes.
Full Story

PRIVACY LAW—U.S.

PI of Jurors, Gun Owners Protected (July 5, 2011)

A North Carolina judge has issued a blanket administrative order that seals court records containing personal information of jurors, the Charlotte Observer reports. Superior Court Judge Donald Stephens issued the order protecting jurors' addresses, phone numbers and private information on court-issued questionnaires. Public records advocates and media lawyers have criticized the move, the report states, saying that it violates the constitution and puts the openness of judicial proceedings at risk. The judge said, "I'm just exercising the authority of the court to create an environment in which jurors can do their job." Meanwhile, Illinois Gov. Pat Quinn signed into law a bill that will prevent the public from knowing who possesses firearm owner identification cards.

PRIVACY LAW—CANADA

Saskatchewan Commissioner: Consequences Needed (July 5, 2011)

Saskatchewan Information and Privacy Commissioner Gary Dickson cited an incident from earlier this year where boxes of patient medical records were disposed of in a dumpster as an example of the need for stricter privacy laws, The StarPhoenix reports. Speaking after the release of his annual report on Monday, Dickson said, "We're not going to have the level of compliance and the pervasiveness of compliant practice that I think Saskatchewan residents are entitled to until there are particularly serious consequences." Investigations are often the result of careless errors or the curiosity of employees who "snoop in somebody else's health records or somebody else's personal information," he said.
Full Story

DATA LOSS—U.S.

Millions of State Residents Affected by Breaches (July 5, 2011)

In a Boston Herald report, Barbara Anthony of the Massachusetts Office of Consumer Affairs and Business Regulation highlights the number of data breaches the state has been notified of since its reporting law was passed almost four years ago. "We get about 50 a month," Anthony said, noting that because the state's law "is very stringent," the reports range from high-profile hack attacks to minor mistakes. While 5 million state residents have been affected since the law was enacted, one expert notes, "This really is the tip of the iceberg. For every breach we hear about, there are at least 100 that we don't hear about of equal or greater impact."
Full Story

PRIVACY LAW—AUSTRALIA

Commissioner Examines Cookie Directive (July 5, 2011)

Privacy Commissioner Timothy Pilgrim has said that his office is looking into the new European Union cookie law that went into effect last May, iTnews reports. Pilgrim noted his office is examining the European rules "to better understand their intent and application" and consider whether the rules apply to current obligations Australian organizations face under the Australian Privacy Act. "We will be reviewing our advice and guidance," Pilgrim says, "based on what we learn from this." Pilgrim says that the government will address new technologies in an ongoing law reform process as the Privacy Act currently covers the collection of personal information but may not apply to cookies, the report states.
Full Story

CHILDREN’S PRIVACY—U.S.

Online Network for U-13s (July 5, 2011)

With the Children's Online Privacy Protection Act (COPPA) regulating how the information of children younger than 13 years of age is collected and used, online social networking sites have largely excluded the age group. Some, however, are specifically targeting the under-13 crowd, which involves achieving and maintaining compliance with COPPA--notably, gaining parental consent before collecting any information from children, reports paidContent. Social network Everloop verifies parental consent with a credit card number, giving parents "veto power every step of the way," from approving friends to accessing text messages, states the report. The company has also recently launched what it touts as the first COPPA-compliant SMS service. Meanwhile, one expert says social networks need a universal standard for privacy settings--consistent and recognized across all platforms and sites.
Full Story

BIOMETRICS—CANADA

Opinion: Don’t Trade Privacy for Quick IDs (July 5, 2011)

An editorial in the Victoria Times Colonist opines that while the desire to catch Vancouver rioters is understandable, Insurance Corp. of British Columbia (ICBC) sharing its database of images with police raises significant privacy issues. "None of the three million people in the ICBC database gave their consent for their images to be used in this way," the report states. And British Columbia Privacy Commissioner Elizabeth Denham has said that though the sharing is legal, she has concerns about using the photos for a purpose other than that for which they were collected. "Technology has outstripped our privacy regulations and laws. Until we catch up, ICBC and other organizations should be putting privacy first," the author writes.
Full Story

PRIVACY LAW—U.S.

State Supreme Court Approves Privacy Rules (July 1, 2011)

The Florida Supreme Court has issued new privacy rules for the state court system in order to protect personal information filed in court cases. The rules, which will temporarily not cover traffic and criminal cases, have been approved to ensure that personal information is protected before full electronic access to court cases is provided to the public, Wink News reports. Driver's license, credit card and Social Security numbers as well as e-mail addresses, passwords, birth dates and full names of minors will either be truncated or not included in court documents. The justices who approved the rules said that defense lawyers, prosecutors, law enforcement and others will still have access to the full information.
Full Story

HEALTHCARE PRIVACY—UK

ICO: Systemic Problem in Health Data Storage (July 1, 2011)

Information Commissioner Christopher Graham has said that the health service is not doing enough to keep patients' personal information secure, Public Service reports. "The security of data remains a systemic problem," Graham said, pointing to the loss of up to eight million patient records at NHS North Central London and five health organizations recently found to have breached the Data Protection Act. "The health service holds some of the most sensitive personal information of any sector in the UK," Graham said, adding that "policies and procedures may already be in place, but the fact is that they are not being followed on the ground."
Full Story

PRIVACY LAW—INDIA

Consent Rules Won’t Apply to Outsourcers (July 1, 2011)

The Information Technology Rules 2011 require companies to gain written consent from individuals about the use of the sensitive personal information they collect, reports PC World, but they will not apply to companies outsourcing data processing to service providers in India. Kamlesh Bajaj, CEO of the Data Security Council of India, says the Indian government will soon issue a clarification that the new rules will only apply to a "body corporate" in India. Pavan Duggal, a cyberlaw consultant and advocate in India's Supreme Court, says the new rules imposed on service providers will "not be well known or understood by the vast majority of Indian outsourcers," resulting in infringements of the law. Editor's note: For more information on the new Indian information technology rules, see this month's edition of The Privacy Advisor newsletter. (IAPP member login required.)
Full Story

PRIVACY LAW—U.S.

Wireless Data Collection Suable Under Wiretap Act (July 1, 2011)

A federal judge has found that Google can be sued for collecting private data from open wireless routers, saying that "plaintiffs plead facts sufficient to state a claim for violation of the Wiretap Act," reports Wired. U.S. District Judge James Ware said, "In particular, plaintiffs plead that defendant intentionally created, approved of and installed specially-designed software and technology" used to intercept data from wireless networks. The report calls the ruling a "serious legal setback" for Google and notes that it also sets precedent for data collected through open WiFi networks in public spaces. Google maintains that the collection was a mistake and says the lawsuit is "without merit."
Full Story

DATA PROTECTION

OECD Communiqué Pleases Some, Nettles Others (July 1, 2011)

At a high-level meeting on the Internet economy this week, the Organisation for Economic Co-operation and Development released a Communiqué on Principles for Internet Policy-Making, which outlines the OECD's commitment toward promoting the free flow of information; investing in high-speed networks and services; enabling cross-border delivery of services, and strengthening "consistency and effectiveness in privacy protection at a global level," among other areas. While some have lauded the principles--U.S. NTIA Administrator Lawrence E. Strickling described it as a "major achievement that will support the continued innovation...of the global Internet economy"--others have criticized its plans to make Internet service providers more responsible for policing copyright infringement, something the Civil Society Information Society Advisory Council says could "lead to network filtering."

PRIVACY LAW—NEW ZEALAND

Commissioner Pushes for Privacy Act Reforms (July 1, 2011)

Privacy Commissioner Marie Shroff has said that she hopes the Law Commission's study of privacy will spur reforms to the Privacy Act, Computerworld reports. The issue was raised during a discussion of a recent survey that "rented" results to third parties for marketing purposes. Though the survey breached privacy principles, the article states, it did not violate the Privacy Act because no harm was demonstrated. "I hope the Law Commission will look at this issue," Shroff said, noting "generic harms are difficult to deal with, because often they don't raise sufficient harm to one person to enable it to be addressed" as a Privacy Act breach.
Full Story