Privacy News | Daily Dashboard


Top Privacy News

ONLINE PRIVACY

Sites Personalize Privacy Settings (August 31, 2011)
Image-hosting website Flickr has announced updates to its privacy settings allowing users to customize who sees geotags on shared photos. Users can now use the site's geofence settings to place a "blanket" privacy control on photos based on location, and geotags that do not fit into a specific category will default to the most private setting, ArsTechnica reports. On its blog, the company wrote, "A few years ago, privacy controls like this would have been overkill...But today, physical places are important to how we use the Web. Sometimes you want everyone to know exactly where you took a photo. And sometimes you don't." Meanwhile, Facebook's new privacy controls allow users to determine who can and cannot view posts and requires user approval for photo and post tagging.

IDENTITY THEFT—U.S.

TX Hearing To Address Child Identity Theft (August 31, 2011)

The chairman of the House Social Security Subcommittee will host a hearing Thursday on Social Security numbers and child identity theft, which has increased by 192 percent since 2003, reports the Plano Star-Courier. Rep. Sam Johnson (R-TX) will hold the hearing at Plano City Hall in Texas, with testimony from a criminology expert whose research involves interviewing people convicted of identity theft. "You usually hear from the victim and from law enforcement, but the offender's perspective is not part of the discussion," the expert said, adding that investing in a shredder is a smart step to take in avoiding identity theft.

IDENTITY THEFT

Finding the Right Protection Takes Work (August 31, 2011)

With large-scale data breaches on the rise, ID theft protection services are also growing, but for consumers, figuring out which services to purchase can be confusing, reports Reuters. Phil Blank of Javelin Strategy & Research, which conducted a study on ID theft protection offerings, says the industry is evolving, but it's important for consumers to know that services are not "one-size-fits-all." The Consumer Federation of America and Privacy Rights Clearinghouse have released a guide with tips for consumers to help evaluate services including understanding costs, cancellation and refund policies; features of the program being offered; limitations and exclusions for fraud assistance, and policies for handling and sharing personal information.

SURVEILLANCE—U.S.

APEC Surveillance Cameras Raise Concerns (August 31, 2011)

Plans to install 30 surveillance cameras ahead of November's APEC summit in Hawaii are prompting privacy concerns, reports KHON2. The Honolulu Police Department says the cameras are necessary for security. But concerns about privacy invasion were raised before the City Council Committee on Safety, Economic Development and Government Affairs. Referring to the 21 world leaders, staff members and media scheduled to arrive, Honolulu Police Department Assistant Chief Greg Lefcourt said, "Their security, the security of the city and county and of the general public is of paramount importance to us." The American Civil Liberties Union says that instead of the cameras, the government should use increased lighting and police patrols.

PRIVACY LAW—U.S.

Oversight Board Still Remains Inactive (August 31, 2011)

The Washington Times reports on the status of the Privacy and Civil Liberties Oversight Board, which has remained dormant for years. Privacy advocates have questioned the Obama Administration about the board, which was established under President George W. Bush and charged with ensuring that national security policies don't infringe on individuals' privacy and civil liberties. "If the board is no longer meeting, one would assume it is no longer performing this oversight role, which is concerning given the recent extension of the Patriot Act," said a spokeswoman for the Electronic Frontier Foundation. More than a dozen groups recently petitioned for the board to become operational, the report states.

ONLINE PRIVACY

Company Revises End User License Agreement (August 31, 2011)

Video game developer Electronic Arts (EA) has revised its Origin digital distribution service End User License Agreement (EULA) after websites said the EULA gave the company the ability to collect users' personal information beyond necessary gaming data, GameSpy reports. The updated EULA says, "Information about our customers is an important part of our business, and EA would never sell your personally identifiable information to anyone, nor would it ever use spyware or install spyware on users' machines."

DATA LOSS—U.S.

Former Justice Arrested in Medical Data Case (August 31, 2011)

Authorities have arrested a former justice for the Village of Depew, NY, in connection with illegal disposal of medical records, The Buffalo News reports. John E. Cipolla will appear before a U.S. court in Buffalo, NY, next week. He is charged with making false statements to federal agents investigating the discovery of patient medical records in the garbage behind an Erie County Auto Bureau office in 2010. The records included patient names, addresses, dates of birth, Social Security numbers, diagnoses and treatment plans.

DATA PROTECTION—UK

Opinion: Fraud Relies on Data (August 31, 2011)

"Data is the fuel fraud needs to survive," opines London Police Commissioner Adrian Leppard for The Telegraph. Leppard points to a recent crime in which fraudsters targeted pensioners to illustrate the changing nature of fraud. "In this way, personal information--in this instance, a list of people...is a valuable, tradable commodity." Businesses storing large caches of data, therefore, are becoming a major battleground. "While individuals focus on shredding old utility bills and protecting their PINs, the reality is that businesses are a far greater source of data," he says, adding that a business's reputation for safeguarding customer data is now imperative.

PRIVACY LAW—CANADA & U.S.

Officials Say Privacy Must Be Paramount (August 30, 2011)

Amid the release of reports by Canadian Foreign Affairs Minister John Baird in the wake of a declaration between Canada and U.S. leaders on integrating security, the National Post reports on calls for better privacy protections for Canadian citizens. Baird has said, "If we want to ensure cross-border law enforcement activities and other programs, they have to respect the legal and the privacy rights of Canadians. That is incredibly important." Meanwhile, Canadian Privacy Commissioner Jennifer Stoddart is calling for the highest level of privacy protection to cross-border law enforcement, the report states.

PERSONAL PRIVACY

Vintage Mug Shots Raise Privacy Debate (August 30, 2011)

The New York Times reports on questions raised by the sale of mug shots from the 1950s and whether it is legal to distribute and profit from government property containing personal images. A sheriff's department disposed of several mug shots more than 10 years ago because it upgraded to an automated system. The photos were then purchased and digitally reproduced for sale online. Expert Peter Swire, CIPP, said, "In terms of public revelation of private fact, they can say they're not telling the names of anybody, so they're not harming any individual, and that under the First Amendment they're allowed to publish truthful old photos...The fact they're making money doesn't change the analysis." (Registration may be required to access this story.)

ONLINE PRIVACY—U.S.

IAB Do-Not-Track Icon Deadline Ends Today (August 30, 2011)

The Interactive Advertising Bureau (IAB) has made today the deadline for its members to voluntarily display on their Web pages a do-not-track icon allowing users to opt out of online tracking, USA Today reports. The president and CEO of the IAB said, "Self-regulatory programs are inherently far more adaptable than inflexible technology mandates, especially those imposed by a federal government with no expertise in managing complex, continually evolving technological systems." However, the advocacy group Consumer Watchdog said the introduction of the icon is a "small step" that "does not give consumers meaningful control over tracking of their online activities."

STUDENT PRIVACY—U.S.

New Rules for Schools By End of Year (August 30, 2011)

The U.S. Department of Education (DOE) has announced that by the end of the year it will release final revisions to the data privacy regulations for the Family Educational Rights and Privacy Act. Education Week reports that after receiving about 274 comments on its proposal, the DOE says the changes will include allowances for states to enter data-sharing agreements with researchers on behalf of multiple districts and will extend the privacy protection standards required of data collectors to anyone who handles student data, among other changes. The department also has plans to submit updated research and reporting rules for researchers and educators by the end of the year.

TRAVELERS’ PRIVACY—CANADA

Passenger Behavior Plan Raises Concerns (August 30, 2011)

Privacy Commissioner Jennifer Stoddart is raising concerns about a plan for the Canadian Air Transport Security Authority to scrutinize travelers' behavior at airports, the Winnipeg Free Press reports. The plan, announced by the Canadian government last year, involves "a passenger-behavior observation program to detect terrorists," the report states. While transport officials note the plan provides additional security by adding "unpredictability to the screening process," Stoddart has noted, "There is a huge possibility for arbitrary judgments to come into play." The Office of the Privacy Commissioner is expected to issue a report on airport security measures this fall.

DATA LOSS

Phone Company Hacked (August 30, 2011)

Nokia says its developer forum website has been hacked, requiring it to shut down the site until "further investigations and security assessments" have been completed, The Wall Street Journal reports. The company says users' personal information--including e-mail, some dates of birth and other data--was compromised. A hacker known as "pr0tect0r AKA mrNRG," believed to be based in India, claimed responsibility for the breach. "Though we have no evidence of any misuse, we believe the potential risk is an increase in unsolicited e-mail," the company said. (Registration may be required to access this story.)

ONLINE PRIVACY

Identifiable By Association (August 30, 2011)

In an article for Slate, Kevin Gold discusses the "leaky" nature of online privacy. Pattern recognition software has made it increasingly possible to determine a person's identity not by the data that they themselves have shared online, but by what their friends have shared. A researcher from Northeastern University found that only 20 percent of college students needed to participate in filling out profile information online "in order to deduce facts about the nonresponders who friended others," the report states. Using statistics about common characteristics, it's possible to make a "statistically motivated guess as to whether a person belongs to a particular community."

GENETIC PRIVACY—U.S.

Court Decides State Can’t Keep DNA Profiles (August 29, 2011)

A Massachusetts appeals court has unanimously ruled that the government cannot hold on to genetic profiles of individuals who voluntarily provide DNA samples to help solve crimes, The Boston Globe reports. In 2002, a citizen provided his DNA sample for this purpose. The individual was found innocent and was given back his sample, but the state refused to remove his genetic profile from its database. In the court's decision, Judge David A. Mills wrote, "DNA information is highly sensitive...Citizens have a reasonable expectation of privacy in such information...We are not convinced (the district attorney and state police) have acted reasonably as a matter of law."

PRIVACY LAW—U.S.

Should We Allow For The Right To Be Forgotten? (August 29, 2011)

Christopher Wolf of Hogan Lovells and the Future of Privacy Forum appeared on Bloomberg Law recently to discuss privacy law in its current and future states. When asked if the "right to be forgotten," currently being considered as part of the amended EU Data Protection Directive, should become U.S. legislation, Wolf said it depends. "There is some information that it's in the public interest that it remains...It gets incredibly unwieldy if you give individuals the right to erase any evidence of their existence or episodes in which they've participated. There are lots of reasons we want to be able to check up on potential employees, potential babysitters, potential teachers."

BIOMETRICS

Expert: Privacy Concerns Surround Facial Biometrics (August 29, 2011)

In an interview with Information Security Media Group, Beth Givens, founder and director of the Privacy Rights Clearinghouse, says that breaches of facial biometric data are a major concern and that IT security managers need to encrypt the information to protect an individual's right to privacy, GovInfoSecurity reports. "If they back up those applications with good, solid privacy policies and practices, they'll be in good shape." Givens also says that facial recognition technology could lead to privacy violations such as use without an individual's consent, disproportionate treatment of consumers by businesses, and stalking and violence, the report states.

PRIVACY LAW—EU

Opinion: The Directive’s Likely Direction (August 29, 2011)

In Field Fisher Waterhouse's Privacy and Information Law Blog, Eduardo Ustaran discusses the European Commission's yet-to-be-released revision of the EU Data Protection Directive. Ustaran predicts that the amended law may come in the form of a regulation, rather than a directive. Key changes may include Vice President Viviane Reding's "right to be forgotten" provision and a focus on meaningful transparency and consent, as well as accountability. It's crucial that the new law "shows the benefits of data protection for all and encourages compliance not just for the sake of it, but for the good of the future generations," Ustaran writes.

DATA LOSS—U.S.

Maine Voter Data Breached (August 29, 2011)

Maine Secretary of State Charlie Summers has announced that malware infected a computer belonging to a town office, potentially compromising the personal information of close to one million voters, reports Infosecurity. The computer was linked to Maine's Central Voter Registration (CVS) system, which contains voters' names, addresses, dates of birth and, in some cases, driver's license numbers. According to the report, Summers "strongly suspects" some data was accessed, and he is assessing what and how much. The U.S. Department of Homeland Security's US-CERT team alerted Summers to the breach, at which time the computer and CVS account assigned to the town clerk were shut down.

ONLINE PRIVACY

Virtual World Group Uncovers Real World Data (August 29, 2011)

An organization within the Second Life online virtual world is collecting real-world information on users, sidestepping the site's terms of use and possibly some data protection laws, reports Avril Korman for Search Engine Watch. While Linden Lab, the company that owns the site, offers tools to customize the user experience, the report states that it is not providing adequate support, causing a rise in self-policing organizations. One such organization has, in concert with others, begun collecting information on "people's real lives, including jobs, medical conditions and family," and posting it to an unsecured wiki site, according to Korman. Some users are dismissing the threat, but Korman says, "Until Linden Lab starts actually managing their own (virtual) land and dealing with security issues in an effective manner, this problem and others like them will continue."

PRIVACY LAW—FRANCE

French Gov’t Publishes Legislation on Cookies and Data Breach Notification (August 26, 2011)

Today, the French government published legislation on cookies and data breach notification in accordance with Directive 2009/136/EC. Bird & Bird Associate Gabriel Voisin tells the Daily Dashboard that "Pursuant to Article 17 of Law no 2011-302 of 22 March 2011, implementation of the Directive 2009/136/EC has been delegated by French Parliament to the government." The legislation "introduces a requirement for consent to be obtained before cookies are placed" and that browser settings or another application can be used to signify consent. "Unlike the UK," Voisin says, "consent given through browser settings is valid even if the subscriber does not amend or set the controls." The legislation also introduces a data breach notification requirement for electronic communication providers.

BEHAVIORAL TARGETING—EU

Working Party Shares Self-Regulation Concerns (August 26, 2011)

Article 29 Working Party Chairman Jacob Kohnstamm has released an announcement of a September meeting with the Internet Advertising Bureau Europe (IAB) and European Advertising Standards Alliance (EASA) to discuss a self-regulatory framework for online behavioral advertising known as the EASA/IAB Code. In his announcement, Kohnstamm highlights input from the U.S. Federal Trade Commission and shares key concerns from the Working Party. Among those concerns, he references a provision in the code that allows tracking unless Internet users object, noting that while it is "an improvement to the current situation, it does not meet the requirement to obtain...informed consent" as required by the EU e-Privacy Directive.

PRIVACY LAW—INDIA

Experts: Clarification Still Leaves Many Open Questions (August 26, 2011)

Nasscom and the Data Security Council of India have welcomed the clarification issued by India's Ministry of Communications and Information Technology, The Economic Times reports. The government said Wednesday that the rules governing service providers' data collection practices will not apply to outsourcing service providers located in India. Miriam Wugmeister and Cynthia Rich of Morrison & Foerster told the Daily Dashboard that the clarification does limit the scope of the privacy rules, but there are still many open questions. "For example, do the privacy rules apply to employers in India? Do service providers in India need to obtain consent in order to transfer information to their corporate customers? Is a password by itself sensitive information subject to all of the privacy rules?"

SOCIAL NETWORKING—IRELAND & AUSTRIA

Austrian Group To File Complaint with DPC (August 26, 2011)

The Austrian-based lobby group "Europe v Facebook" will soon file a complaint with Ireland's Data Protection Commission (DPC) over a certain Facebook feature, TheJournal.ie reports. The group wants the DPC to investigate the legality of the site's "like" button, the report states. Last week, the privacy regulator for the German state of Schleswig-Holstein told website owners in that state to remove social plug-ins such as the "like" button from their sites, saying it violates state and federal laws. A spokesperson for the Irish DPC said it would look into "different aspects of Facebook Ireland's compliance with Irish data protection law" if it received a complaint.

DATA LOSS—UK & U.S.

RBS, VA Hospital Announce Breaches (August 26, 2011)

SearchSecurity.co.UK reports that the pay rates of 3,000 contract staff were exposed when a staff member at the employment agency Hays e-mailed 800 RBS employees with the details. "We are extremely disappointed that confidential personnel data has been shared by one of our suppliers," the bank said in a statement. "This is unacceptable and we are taking action to address this issue." The bank stressed that no customer information was compromised. Meanwhile, Becker's Hospital Review reports that 1,900 U.S. veterans have been notified that their personal details were made vulnerable when a Lexington VA Medical Center employee took home patient files in violation of hospital policy.

DATA PROTECTION—IRELAND

Commissioner To Question “Cute” Site Operators (August 26, 2011)

The data protection commissioner will question the operators of a website that encourages people to take pictures of strangers they find attractive, reports The Irish Times. Data Protection Commissioner Billy Hawkes will ask the operators of Luascrush.com--which posts pictures of men using public transportation systems--if they are aware of their legal obligations. Hawkes said based on his examination of the website, the issues "in relation to the operation of the site are as much, if not more, in the general area of the extent of the right to privacy when in a public space--and the right to control the use of one's image--as strictly data protection."

PRIVACY

OPC Releases Survey Findings (August 26, 2011)

A survey of 2,000 Canadians has revealed that many technology users fail to take basic steps to protect their personal information. The 2011 Canadians and Privacy Survey, which was commissioned by the Office of the Privacy Commissioner, revealed that the majority of respondents do not use password locks or device settings to protect their personal data. "Mobile phones increasingly hold a lot of personal information, but it doesn't seem like Canadians think they do," Privacy Commissioner Jennifer Stoddart told Postmedia News. The survey also measured Canadians' attitudes about privacy as it relates to social networking, national security and other areas.

ONLINE PRIVACY

Gamers Say Licensing Agreement Goes Too Far (August 26, 2011)

Some gamers who have looked closely at one gaming company's end-user licensing agreement (EULA) say the policy goes too far. In order to download EA Origin games, players must agree to allow EA Origin to collect, use, store and transmit information that identifies their computers. "EA may also use this information, combined with personal information for marketing purposes and to improve our products and services," the EULA says. "We may also share that data with our third-party service providers in a form that does not personally identify you." One user has launched a campaign to "raise awareness of Origin's privacy violation," International Business Times reports.

French Gov’t Publishes Legislation on Cookies and Data Breach Notification (August 26, 2011)
Gabriel Voisin

On 26 August, the French government published legislation on cookies and data breach notification in accordance with Directive 2009/136/EC.

Bird & Bird Associate Gabriel Voisin tells the Daily Dashboard that “Pursuant to Article 17 of Law no 2011-302 of 22 March 2011, implementation of the Directive 2009/136/EC has been delegated by French Parliament to the government.”

The legislation “introduces a requirement for consent to be obtained before cookies are placed” and that browser settings or another application can be used to signify consent.

“Unlike the UK,” Voisin writes, “consent given through browser settings is valid even if the subscriber does not amend or set the controls.”

Voisin adds that the legislation also introduces a data breach notification requirement for electronic communication providers. “From now on, those providers are required to notify the French Data Protection Authority (the CNIL) without delay.”

Those affected by the breach must also be notified unless appropriate security measures have been taken to protect the data and make it unusable, according to Voisin.

“Providers are also required to maintain a registry relating to their data breaches. This document can be requested by the CNIL at any time. Failure to meet the above data breach requirements is a criminal offence punishable by up to five years of imprisonment and/or €300 000 in fines."

Read CNIL's public statement on the legislation. (Statement in French.)

PRIVACY LAW—U.S.

Experts: Child Protection Bill Will Impact Privacy (August 25, 2011)

A bill aimed at protecting children from Internet exploitation that was approved by the House Judiciary Committee last month is expected to soon head to the floor of the House, and privacy advocates are warning it goes beyond the scope of what it "claims to be aiming for," NPR reports. The "Protecting Children from Internet Pornographers Act of 2011" would require Internet service providers (ISPs) to keep customer IP addresses for one year. Gregory Nojeim of the Center for Democracy and Technology says law enforcement can already require ISPs to hold data on particular suspects, adding, "What this is about is saving the data about everyone's use, just in case someone might become a suspect."

PRIVACY LAW—CANADA

Company Settles Over Robocalls (August 25, 2011)

Canada's minister of industry says he's pleased with the settlement between the Canadian Radio-television and Telecommunications Commission (CRTC) and Goodlife Fitness Centres, Inc. The settlement is related to the company's telemarketing methods using "robocalls" without members' prior consent. Using automatic dialing-announcing devices without prior consent is forbidden under CRTC guidelines. The company has agreed to pay $300,000; publish corrective notices in newspapers and on its website; cease the robocalls, and organize a business education event with the CRTC to encourage telemarketing compliance, the report states. Minister of Industry Christian Paradis said the settlement is "good news for Canadian consumers."

PRIVACY LAW—U.S.

Judge’s Cell Phone Decision Doesn’t End Debate (August 25, 2011)

A judge ruled this week that law enforcement authorities need a warrant to access location data on a suspect's cell phone. But the debate on the right to privacy when it comes to technology like smartphones and GPS systems is far from over, Wired reports, as a similar case heads to the Supreme Court, and bills by Sen. Patrick Leahy (D-VT) and Sen. Ron Wyden (D-OR) are reviewed. "Regardless of what the courts decide," said an attorney with the Electronic Frontier Foundation, "the right answer when it comes to the Fourth Amendment does not preclude Congress as a policy matter that it should protect location data more strongly."

PRIVACY LAW—U.S.

Hotel Guest Files Credit Card Receipt Suit (August 25, 2011)

A hotel guest has filed a lawsuit alleging that a Virginia Beach hotel breached privacy law by printing sensitive data on his checkout receipt, The Virginian-Pilot reports. James T. Buechler is seeking class-action status for the suit, which alleges that Marjac Suites and its owner, Burlage Hotel Associates, broke the law by printing his credit card's expiration date on his receipt. In 2003, Congress passed the Fair and Accurate Credit Transactions Act, forbidding companies from printing more than the last five digits of a customer's credit card number on the receipt.

PRIVACY LAW—U.S.

Another Settlement in Lower Merion School District (August 25, 2011)

Pennsylvania's Lower Merion School District will pay $10,000 to a teenager who was recorded by his school-issued laptop, Philly.com reports. It is the fourth payout to date resulting from the lawsuits filed by students whose images were captured via the webcams of district-owned computers. So far, the district has paid $205,000 in settlements. One lawsuit is still pending, according to the report.

PRIVACY LAW—INDIA

Gov’t: New Rules Don’t Apply to Outsourcers (August 25, 2011)

India's government said yesterday that the new rules governing service providers' data collection practices will not apply to outsourcing service providers, reports the Hunton & Williams Privacy and Information Security Law Blog. Some had voiced concerns that the new rules would make it difficult for Indian companies performing data processing services for companies outside of the country to meet the consent requirement. But India's Ministry of Communications and Information Technology clarified yesterday that "any body corporate providing services relating to collection, storage, dealing or handling of sensitive personal data or information under contractual obligation with any legal entity located within or outside India is exempt from the consent requirement."

PRIVACY LAW—U.S.

Lawsuit Alleges Wide-Ranging Privacy Violations (August 24, 2011)

A class-action lawsuit filed in federal court on Tuesday claims that online tracking and analytics company comScore collects personal information--including Social Security numbers, credit card data and passwords--from users without their knowledge, Computerworld reports. The company allegedly offers individuals free software and sweepstakes entries in exchange for their participation and then sells the data to more than 1,800 businesses. The suit also alleges that the firm changed security settings, scanned information on documents and injected data collection code into browsers, according to the report. The complaint states, "The scope and breadth of data that comScore collects from unsuspecting consumers is terrifying." A spokesman from the company said, "We have reviewed the lawsuit and find it to be without merit and full of factual inaccuracies." He added that the company "intends to aggressively defend itself against these claims."

PRIVACY LAW—U.S.

Judge: Warrant Needed for Cell Phone Location Data (August 24, 2011)

A New York state judge has decided that law enforcement authorities need to have a warrant to access location data transmitted by a suspect's cell phone, Ars Technica reports. Under a provision of the Stored Communications Act, the federal government wanted a cell phone provider to disclose 113 days of location data from a suspect's cell phone. In a 22-page opinion, the judge wrote, "The fiction that the vast majority of the American population consents to warrantless government access to the records of a significant share of their movements by 'choosing' to carry a cell phone must be rejected...the Fourth Amendment doctrine must evolve to preserve cell phone users' reasonable expectation of privacy in cumulative cell-site-location records."

BEHAVIORAL TARGETING—U.S.

Advocates Urge FTC To Issue Tracking Recommendations (August 24, 2011)

Digital rights advocates are asking the Federal Trade Commission (FTC) to draft recommendations for the use of online tracking technologies in its revised advertising guidelines. Chris Hoofnagle of the University of California at Berkeley Law School said, "The revised business guide should make clear that businesses should honor consumers' expressed privacy preferences and that businesses should not use technical means of any kind to circumvent or otherwise make ineffective consumers' actions to protect their privacy." The Center for Democracy & Technology has also asked that behavioral targeting companies allow consumers to opt out of online tracking. The Interactive Advertising Bureau, meanwhile, said that self-regulation "continues to be the appropriate approach for addressing concerns with online advertising," MediaPost News reports.

PRIVACY LAW—U.S.

ISP Cleared in Behavioral Targeting Suit (August 24, 2011)

A judge has dismissed a class-action privacy lawsuit against one of six companies that partnered with a now-defunct behavioral targeting company, MediaPost News reports. A U.S. district court judge cleared Internet service provider (ISP) Embarq of any wrongdoing, ruling that NebuAd alone is responsible for wiretap violations. NebuAd--which agreed last week to a $2.4 million class-action settlement--partnered with six ISPs to gather data about Web users' online activities in order to serve them ads. The judge ruled that Embarq itself did not violate the Electronic Communications Privacy Act, as alleged, because it did not intercept communications.

ONLINE PRIVACY

Facebook Unveils New Settings (August 24, 2011)

The Wall Street Journal reports that Facebook has unveiled new options to help users manage the amount of information they share on the site and with whom. The changes, to roll out Thursday, will allow users to check a box indicating which friends can see which online posts; share locations from PCs and laptops; control being "tagged" by others in posted photos, or choose to block a user entirely--disabling them from photo tags or other interactions on the site. The company wants to make the sharing options "unmistakably clear," said a Facebook spokesman. (Registration may be required to access this article.) 
Full Story

PRIVACY LAW—U.S.

Washington’s Approach: Privacy Law Without Regulation (August 23, 2011)

The White House says its approach to Internet consumer protection will be "privacy law without regulation," a White House aide has said. An administration-wide whitepaper is expected this fall, and in December, the U.S. Commerce Department outlined proposals for updates to federal laws regulating companies' data collection practices. CNET reports that Danny Weitzner, associate administrator at the National Telecommunications and Information Administration, said the government has a "key role in articulating what consumer rights ought to be" but that businesses "that are engaged in responsible privacy practices today ought not to face any additional burdens."

IDENTITY THEFT

Caller ID Spoofing Threatens Personal Privacy (August 23, 2011)

The New York Times reports on the rise of an easy-to-find and legal service known as "spoofing" that allows identity thieves to access others' voicemail accounts by disguising their phone numbers and consumer advocate Edgar Dworsky's recent finding that thieves can also access some automated bank and credit card systems. Many mobile phone providers and financial institutions have phone systems that disclose personal information--like recent purchases--when a call is made from the customer's phone number. "There are additional steps mobile phone companies and the card issuers could take to stop this sort of thing from ever happening," the report states. "The fact that many of them don't, however, makes this your problem to solve." (Registration may be required to access this story.)  
Full Story

BEHAVIORAL TARGETING—U.S.

FTC Commissioner Suggests New Do Not Track Approach (August 23, 2011)

Speaking at a technology forum in Colorado, FTC Commissioner J. Thomas Rosch said the agency should investigate online advertisers prior to regulating how companies collect users' information, CNET reports. Rosch said the FTC could require advertisers "to answer under oath questions about their information practices," adding, "We should have reliable information of that kind before we proceed further...accuracy is much more important than speed." Rosch also suggested that government could over-regulate online advertising, which could result in "the loss of relevancy, the loss of free content, the replacement of current advertising with even more intrusive advertising." Meanwhile, the FTC has approved final orders that will require three credit report resellers to improve their data security and undergo audits for 20 years.
Full Story

PRIVACY LAW—U.S.

State Assembly Approves Cell Phone Privacy Bill (August 23, 2011)

The California State Assembly has approved a bill requiring law enforcement to procure a search warrant prior to searching the contents of a cell phone, the San Francisco Chronicle reports. On Monday, the assembly unanimously voted to pass the bill, which now goes to the upper house for approval. The bill would overturn a state supreme court decision from last January that allowed police to search the cell phones of assailants. One law enforcement representative said, "There are circumstances where it's just not practical to get a search warrant...and that subsequent to an arrest (searching a cell phone) is appropriate." Several civil liberties groups, including the American Civil Liberties Union, applauded the move.        
Full Story

ONLINE PRIVACY—UK

Survey: Many Gov’t Websites Unprepared for Cookie Law (August 23, 2011)

An independent audit by Socitm of 603 public-sector websites, including 433 local authorities, has found that only a half-dozen have taken action to be sure their websites comply with new cookie legislation, ZDNet reports. The cookie law, which came into force in May, requires website owners to gain consent from users before cookies are placed on computers or mobile devices. The average number of cookies on sites surveyed was 32, while one site contained 1,346 cookies. The Information Commissioner's Office has given websites one year to come into compliance before taking enforcement action.
Full Story

ONLINE PRIVACY—ISRAEL

Israel To Allow Online Mapping Feature (August 23, 2011)

Israel's government will allow Google to operate its Street View mapping feature there--with conditions, Reuters reports. Addressing privacy and security concerns, Street View has agreed to blur images of license plates and homes in Israel. It will also clearly mark its Street View cars for identification purposes. "The terms approved by us allow the operation of this valuable service while safeguarding the Israeli public's right to privacy," said Yoram Hacohen, head of the Israeli Law Information and Technology Authority.  
Full Story

DATA LOSS—U.S.

Breaches at Yale, SCMLC (August 23, 2011)

Yale University says a 2010 change in the way Google indexed and located FTP servers led to the exposure of sensitive data on 43,000 individuals, Computerworld reports. The university has notified those affected about the exposure and is offering identity theft insurance and free credit monitoring services, the report states. Meanwhile, Southern California Medical-Legal Consultants (SCMLC) has notified 300,000 individuals of a data exposure. SCMLC said the sensitive data of workers' compensation applicants was made vulnerable when an internal server "became exposed to web searches," according to the report.
Full Story

CONSUMER PRIVACY—U.S. & EUROPE

No Right To Be Forgotten (August 22, 2011)

"In a data economy where personal information is an increasingly valuable currency, a customer's automatic access to a delete button remains an exception," writes Natasha Singer for The New York Times. Singer recently received a promotional text message from her dentist's office, though she had given her cell phone number for different purposes. Though the communications company that facilitated the message allowed Singer to delete the information stored on her, companies in the U.S. aren't required to recognize citizens' right to be forgotten, despite a bill introduced in the House of Representatives last May and recommendations from the FTC. EU citizens, meanwhile, have stronger rights under the data protection directive, the report states.

ONLINE PRIVACY—U.S.

Expert: Users “Outgunned” By Marketers (August 22, 2011)

In an interview with the San Francisco Chronicle, Chris Hoofnagle of the University of California at Berkeley Law School discusses marketers' online tracking practices, the upcoming FTC report on do not track and ways to better protect consumers online. A recent paper he co-authored found that marketers are working on ways to ensure they can continue to track consumers after they've opted out of targeted ads, the report states. "It undermines user intent," says Hoofnagle. "When you set your computer to do X and it does Y...It's more malicious than mere advertising." Hoofnagle says while he doesn't see a perfect solution to protecting online privacy, data retention limits would "impair the ability of companies and law enforcement to create long-term profiles about people." 
Full Story

BEHAVIORAL TARGETING

Company Advises Against UDID (August 22, 2011)

Software developers who build programs for Apple's operating system have been asked by the company to avoid using unique device identifiers (UDID) in software for its iPhones and iPads, The Wall Street Journal reports. UDIDs make it easier for advertising networks, analytics firms and others to observe and track users' online behavior. A deadline for the change has not been specified, but the company's website tells developers that the tracking tool "has been superseded and may become unsupported in the future." The Center for Democracy & Technology's Justin Brookman said, "I want to see how this all plays out, but at first glance, this is a really good result for consumers." (Registration may be required to access this story.)        
Full Story

DATA LOSS—SOUTH KOREA

Breach Affects 350,000 (August 22, 2011)

A Naked Security article reminds users of the importance of using multiple passwords across various websites after a breach at Epson Korea affecting 350,000. The company says hackers accessed its website last week and stole customers' personal data, including passwords, phone numbers, names and e-mail addresses. Customers have been advised to change their passwords as soon as possible. "Although you may not care very much if someone can log into your account at Epson, you certainly will care if they can also use the same password to access your other online accounts," the author writes.  
Full Story

DATA LOSS—U.S.

Health Records Exposure Online Is “Warning Bell” (August 22, 2011)

Insurance forms, doctors' notes and Social Security numbers of 300,000 Californians were inadvertently made available online by a medical debt collection company, prompting some experts to warn of the privacy risks involving electronic medical record systems. The Associated Press reports that the company posted the data to a site that it thought was viewable by employees only. "Even the most well-designed systems are not safe...This case is a good example of how the human element is the weakest link," said Beth Givens of the Privacy Rights Clearinghouse. According to the report, the data was found by an Identity Finder researcher who says Southern California Medical-Legal Consultants failed to use basic techniques that could have protected the data.       
Full Story

PRIVACY LAW—U.S.

Sides Await Ruling in E-Privacy Case (August 22, 2011)

In a feature for the Burlington Free Press, Sam Hemingway examines the history of a Vermont Supreme Court case on searches and seizures of electronic devices. The Vermont Defender General's Office and the American Civil Liberties Union have argued that computers and other electronic devices cannot be treated in the same manner as physical locations such as a bedroom or a vehicle. As Defender General Matthew Valerio put it, "a computer is like a house with no walls. Once you're in you get to look at the whole thing. There needs to be limits on what they are asking to look for." The Supreme Court heard arguments in the case earlier this year but has not issued a ruling.
Full Story

SOCIAL NETWORKING—GERMANY

Schleswig-Holstein Commissioner Orders Site Owners To Deactivate Analytics (August 19, 2011)

The Independent Centre for Privacy Protection (ULD)--the privacy regulator for the German state of Schleswig-Holstein--has told website owners in that state to "shut down their fan pages on Facebook and remove social plug-ins such as the 'like' button" from their sites. In a press release, the ULD said that "after a thorough legal and technical analysis," it concluded that use of such features violates the German Telemedia Act, the Federal Data Protection Act and the Data Protection Act of Schleswig-Holstein. The ULD is giving website owners until the end of September to discontinue use or face consequences.

PRIVACY LAW—U.S.

Case Dismissed Against Advertisers, Not Network (August 19, 2011)

A federal judge has dismissed a potential class-action lawsuit against four advertisers that allegedly acted "in concert with the ad network Interclick to use controversial 'history-sniffing' techniques for online tracking," MediaPost News reports. However, the judge "did not entirely dismiss the lawsuit against the ad network," the report states. Privacy advocates have spoken out against such practices, but a paidContent report suggests the court's actions indicate they may not be illegal. Scott Kamber, the attorney who filed the case, points out, however, that it can now move forward, saying "the judge has recognized that there is a wrong here that can be remedied."  
Full Story

ONLINE PRIVACY—U.S.

Company Responds to Lawmakers (August 19, 2011)

Groupon has responded to a letter written by lawmakers inquiring about changes to the company's privacy policy and use of geolocation data, The Washington Post reports. In its response, the company clarified its privacy policy, broadened what it considers personal information and addressed questions about its use of data tracking. In a press release, Rep. Joe Barton (R-TX) said, "Because it is growing at such a fast pace, I fear for the potential misuse of customers' personal information as more partnerships are created." Groupon officials said they "understand that our customers can easily vote with their feet if they feel that we are not striking the right balance in all four areas--relevance, timeliness, respect for privacy and value." (Registration may be required to access this story.)        
Full Story

PERSONAL PRIVACY—GERMANY

Berlin Officers To Fight ID Requirement (August 19, 2011)

Berlin police officers are staging a fight against a new requirement for them to wear personal identification on their uniforms, The Local reports. In 2010, the Berlin police superintendent established the mandate, which took effect last month and requires officers to wear their personnel numbers or names. Berlin is the first German state to make such a requirement, according to the report. A Berlin police spokesman said wearing identification "is a form of customer service," but one officer said, "I'm afraid. We deal daily with criminals and people who want to hurt us." The officers have the backing of the GdP police union. A GdP administrator said, "There is no compromising on this."  
Full Story

PERSONAL PRIVACY

This Left Turn Will Be Recorded (August 19, 2011)

Wired explores how insurers are collecting driver data to fuel roadside assistance and usage-based programs. State Farm's voluntary Drive Safe and Save program lets customers save on premiums if their driving habits--as recorded by the company's In-Drive system--indicate they are safe drivers. But, according to the report, such programs raise questions about how the collected data is used, stored and shared. "Though there are significant legal protections dictating what insurance companies can use to set rates, other data that is collected is subject to less transparent privacy policies," the report states. Santa Clara University School of Law professor Dorothy Glancy weighs in. 
Full Story

DATA PROTECTION

Opinion: Are PIAs Enough? (August 19, 2011)

In a Communications of the ACM article, David Wright of Trilateral Research considers whether privacy impact assessments (PIAs) should be mandatory. As databases grow, so do data breaches. PIAs are a reasonable tool for any organization managing personal data, but are they enough? Wright says no; the most effective way to protect sensitive information is to use PIAs with a "combination of tools and strategies, which include complying with legislation and policy, using privacy-enhancing technologies and architectures and engaging in public education..." Whether PIAs will become mandatory, in the meantime, remains to be seen. (Registration may be required to access this story.)      
Full Story

ONLINE PRIVACY

Will Web Giants Be Regulated? (August 19, 2011)

As debates continue about whether websites will self-regulate or be regulated, The Prague Post reports that some experts are skeptical that the EU will be able to force Internet giants to follow potential online privacy regulations. "If Google, Facebook, Microsoft and Apple, et al, simply say 'no,' what is the EU going to do?" asks one expert. "Some of these companies are, financially, as big or bigger than some EU nations. They could and should be responsible for removing personal data, but they won't do it."  
Full Story

ONLINE PRIVACY

Researchers Uncover “Supercookies” (August 18, 2011)

The Wall Street Journal reports on the latest online tracking methods, including the existence of "supercookies" found on popular websites. Researchers at Stanford University and the University of California at Berkeley say that supercookies are able to recreate a user's profile even after normal cookies are deleted. According to the report, companies that were found to be using the tracking technology have since stopped the practice. A Microsoft representative said as soon as the supercookies were "brought to our attention, we were alarmed. It was inconsistent with our intent and our policy." Hulu said in an online statement that it "acted immediately to investigate and address" the supercookie issue. (Registration may be required to access this story.)

PRIVACY LAW—BELGIUM

Authorities Offer Company Extrajudicial Settlement (August 18, 2011)

A federal prosecutor from Belgium has offered Google the opportunity to pay a €150,000 fine to settle claims of illegal data collection practices stemming from its Street View project, Bloomberg reports. The company now has three months to accept the offer or the case could be brought before the country's federal court, which could declare higher fines or imprisonment. A Google representative said, "We have received an offer of extrajudicial settlement from the Belgian federal prosecutor, and we have to study it carefully."  
Full Story

PRIVACY LAW—U.S.

Company Wants Class-Action Dismissed (August 18, 2011)

Consumers who filed a class-action lawsuit against Amazon haven't sufficiently alleged that they were harmed, the company says. MediaPost News reports that Amazon is asking that the lawsuit--which alleges the company used cookies to track users via a privacy policy that misrepresented its practices--be dismissed. "Plaintiffs assert attenuated theories of liability and harm, recognized by no court or law, based on Amazon's alleged practices in setting 'cookies' on users' computers," the company says in court papers, adding that the users suffered no tangible economic harm.  
Full Story

BEHAVIORAL TARGETING—U.S.

NARC To Begin Self-Regulatory Program Enforcement (August 18, 2011)

The Better Business Bureau's National Advertising Review Council (NARC) is going to enforce privacy principles for online behavioral targeting, MediaPost reports. NARC will also reach out to companies that aren't following the program to ask that they engage. The program requires ad networks using behavioral targeting techniques to notify users about the data collection through a standard icon and allow them to opt out of receiving such ads. NARC says it will name companies that fail to follow the principles.
Full Story

HEALTHCARE PRIVACY—U.S.

EHRs Raise Liability Fears (August 18, 2011)

InformationWeek reports on concerns that the preponderance of electronic health records (EHRs) will increase legal liabilities for healthcare organizations and staff. In addition to making patient information more accessible, EHRs alter the ways in which doctors record patient interactions and clinical decisions. In addition to concerns about how much audit logs reveal, "there are concerns by providers," says Davis Wright Tremaine partner Adam Greene, "that access reports could be used in malpractice suits." It's possible, the report states, that physicians may forget to "check some boxes," thereby increasing the chance of a malpractice suit. One expert added, "The metadata will show this."  
Full Story

DATA THEFT—U.S.

Company Sues Individuals for Mining Data (August 18, 2011)

AT&T is suing two Utah residents for allegedly enacting a data-mining scheme that gleaned information from the company's customer database during a five-year period. By using automatic dialing programs, the individuals manipulated the company's systems into disclosing caller ID information from its customer database. AT&T said the operation cost $6.5 million due to caller ID processing and detection technology to identify and stop the attacks, SC Magazine reports. "By constantly adjusting and refining their data-mining techniques," the complaint stated, the "defendants have been able to launch a series of cyber-attacks on and gain unauthorized access to AT&T's electronic database."      
Full Story

PRIVACY

University Receives $3.2M for Research (August 18, 2011)

The University of Illinois at Chicago (UIC) is receiving $3.2 million from the National Science Foundation to conduct an electronic privacy study, Newswise reports. UIC will receive the funding over the next five years to form an Integrative Graduate Education and Research Traineeship program. Graduate students enrolled in the program will study electronic security and privacy issues in business, engineering, legal and social science. Discussing computer viruses, cyber-attacks and identity theft, the grant's principal investigator said, "Technological expertise is a necessity to fight these threats, but technological solutions divorced from human, social, economic and legal considerations all-too-often fail."
Full Story

PRIVACY LAW—U.S.

Company Settles Behavioral Targeting Lawsuit (August 17, 2011)

Defunct ad company NebuAd has agreed to a $2.4 million settlement in a class-action privacy lawsuit based on its behavioral targeting practices, MediaPost News reports. The seven Web users who filed the suit will receive $1,000 to $5,000 each. The case stemmed from NebuAd's partnership with six ISPs to gather data about Web users' online activities, "including search queries and activity at non-commercial sites," the report states. The plaintiffs claimed such practices violated federal and state privacy laws. NebuAd's insurers will reportedly fund the settlement. Lawsuits are pending against the six ISPs NebuAd partnered with before it folded in 2008.

DATA RETENTION—HUNGARY

Ombudsman Orders Survey Data Destroyed (August 17, 2011)

Hungary's data protection ombudsman, Andras Jori, has declared that the personal data collected from a government-issued survey has not been handled correctly, should be deleted from the records and should not be used or processed in the future. In June, Jori established that the questionnaires did not meet the country's data protection law and ordered the data be erased, but, according to Politics.hu, Jori said on Tuesday that the agency in charge of destroying the data has not complied with his instructions, prompting him to ban the database containing the personal information. 
Full Story

DATA LOSS—U.S.

University Warns Former Students of Breach (August 17, 2011)

Social Security numbers of more than 7,000 former Purdue University students may have been compromised last year when one of the school's servers was breached by an unauthorized user. Breached in April 2010, the affected server contained student course records from the years 2000 to 2005, but, according to jconline.com, there is no evidence the files were accessed. Instead, officials believe the server was accessed to launch attacks against other servers. A university representative said, "Through our investigation, we found no evidence that the unauthorized user attempted to find or read any files with personal information in our system but felt informing people who may have been affected was a necessary precaution."  
Full Story

PRIVACY LAW—CANADA

DPA Releases PIPEDA Guidance for Lawyers (August 17, 2011)

The Office of the Privacy Commissioner of Canada (OPC) has announced the release of a handbook to help lawyers become more familiar with the Personal Information Protection and Electronic Documents Act (PIPEDA). Launched at the Canadian Bar Association Canadian Legal Conference and Expo 2011, PIPEDA and Your Practice--A Privacy Handbook for Lawyers provides best practices for personal information management, use, collection, disclosure and response. "While lawyers may be familiar with privacy laws in general," says an OPC spokeswoman, "they may benefit from some concrete guidance on how to apply the laws to their own practice."   
Full Story

GEO PRIVACY—SOUTH KOREA

Company Sued Over Location Data (August 17, 2011)

Approximately 27,000 South Korean iPhone users are suing Apple, Inc. on claims the company compromised their privacy when it collected location data without their consent, the San Francisco Chronicle reports. The class-action suit against the company's South Korean unit seeks $930 per user for damages. The suit comes just weeks after the company was fined by the Korean Communications Commission for its smartphone data collection practices. 
Full Story

PRIVACY LAW—U.S.

E-mail Scans Prompt Lawsuit (August 17, 2011)

A Massachusetts woman has filed a class-action lawsuit claiming that Google violated state privacy laws by scanning e-mail messages, The Boston Globe reports. The company scans Gmail users' e-mails for keywords in order to present targeted ads. The suit claims that users--such as the plaintiff--who did not use Google's e-mail service but transmitted messages to Gmail users did not consent to having their e-mails scanned. The plaintiff's attorney says Massachusetts wiretapping laws forbid recording "any wire or oral communication" without all parties' consent. Google said it has used automated scanning technology from the beginning for targeted ads that "help to keep our services free." 
Full Story

CHILDREN’S PRIVACY—U.S.

FTC Fines Mobile App Company for COPPA Violations (August 16, 2011)

In a press release, the Federal Trade Commission (FTC) announced that it has fined a mobile apps developer $50,000 for violating the Children's Online Privacy Protection Act (COPPA). The FTC alleges that the company, which has settled with the agency, collected and stored tens of thousands of e-mail addresses of children under the age of 13 without parental consent and allowed users to post messages and personal information on a message board. FTC Chairman Jon Leibowitz said, "Companies must give parents the opportunity to make smart choices when it comes to their children's sharing of information." Sen. Jay Rockefeller (D-WV) and Rep. Ed Markey (D-MA) have applauded the agency's action. Rockefeller added, "it is crucial that the FTC completes its revision of the COPPA Rule to account for changing technology..."

ONLINE PRIVACY—UK & NEW ZEALAND

ICO Gives Google Good Grades, Not a “Rubber Stamp” (August 16, 2011)

After auditing the company's privacy structure, the Information Commissioner's Office (ICO) says that Google "has taken reasonable steps to improve its privacy policies" but adds that the audit "is not a rubber stamp," The Telegraph reports. The company agreed last year to let the ICO conduct the audit in light of its controversial Street View project. The ICO said that "the audit verified that Google made improvements to their internal privacy structure," but it "needs to ensure its work in this area continues to evolve alongside new products and technologies." Meanwhile, in a Google blog post, the company announced that it will conduct a privacy impact assessment on any additional Street View activities in New Zealand.   
Full Story

HEALTHCARE PRIVACY—U.S.

OCR Reveals Top Audit Interests (August 16, 2011)

The Office for Civil Rights (OCR) has announced the top areas of interest on its HIPAA privacy and security compliance radar, HealthLeaders Media reports. Its top issue is incident detection and response. It will also focus on reviews of log access; secure wireless networks; management of user access and passwords, and theft or loss of mobile devices, among other requirements. The OCR plans to look at 150 organizations by the end of the year. Cliff Baker, chief strategy officer at HITRUST Alliance, says the audits will initially focus on covered entities and not necessarily organizations that have experienced a breach. The audits will be a "learning opportunity for the entire industry," he said. 
Full Story

HEALTHCARE PRIVACY

Health Industry Prepares To Mine Patient Data (August 16, 2011)

With the increased use of remote monitoring systems and new digital imaging technology, "tremendous amounts of data" are being generated but not analyzed, The Australian reports. A vice president of an analytics company says that "doctors have live data coming out of these devices and equipment, but to date it really hasn't been analyzed." According to the report, healthcare suppliers will begin selling equipment and software that can analyze the streaming data. "If there was a national healthcare database in the U.S.," he says, "the value of that information in terms of mining it to identify trends across population segments is phenomenal."         
Full Story

PERSONAL PRIVACY—U.S.

Protecting Cell Phone Privacy (August 16, 2011)

By 2015, 36 percent of consumers in the U.S. will use mobile Internet services, The Atlantic Wire reports, and the importance of privacy protection will only increase. Sen. Al Franken (D-MN) has proposed legislation that would require cell phone companies to obtain consent before collecting user data. That and other methods are good "first steps" in informing consumers, but much more needs to be done, Franken says. The article offers steps consumers can take to increase privacy on their mobile devices, including anti-theft applications. Some developers are also offering users simpler, more transparent privacy policies. 
Full Story

ONLINE PRIVACY

Company Creates DIY Privacy Policies for Apps (August 15, 2011)

Privacy policies can be difficult to write and read--especially on mobile devices--prompting one company to create a tool to help mobile application developers make consumer-friendly policies, reports The New York Times. PrivacyChoice analyzed hundreds of privacy policies across the web, devising a tool that asks developers questions about their data handling practices and then formulates a policy based on the answers. "The mobile environment requires you to say things very succinctly, and it requires you to say things in layers," says Jim Brock, founder of PrivacyChoice. One industry advocate says solving the "privacy problem" is crucial to developers, many of whom are small businesses dependent on income from selling consumer data. (Registration may be required to access this story.)

PRIVACY LAW—UK

Commission: Privacy Laws Insufficient (August 15, 2011)

A report from the Equality and Human Rights Commission says that UK privacy laws do not do enough to protect citizens, The Inquirer reports. Current privacy laws have failed to prevent breaches and keep pace with advances in technology and increases in the amount of data organizations collect about individuals, the report states. "This needs to change so that any need for personal information has to be clearly justified by the organization that wants it. The law and regulatory framework needs to be simplified and, in the meantime, public authorities need to check what data they have and that it complies with the existing laws," said Commissioner Geraldine Van Bueren.
Full Story

GEO PRIVACY—U.S.

Court: GPS Technology Conflicts with Legislation (August 15, 2011)

Courts around the U.S. are grappling with how to balance law enforcement's use of GPS data with an individual's right to privacy. A district judge in Maryland recently denied a warrant requested by federal authorities who were attempting to locate a suspect via his cellphone's GPS data. The judge said that for some, "this use of location data...would appear chillingly invasive." Meanwhile, courts in California and Oregon have upheld warrantless GPS searches by authorities, and the U.S. Supreme Court will review a GPS privacy case, The Baltimore Sun reports. "For investigators, the cellphone has become one of the greatest tools available," says one expert. "But certainly we want to do this the right way and protect people's right to privacy."   
Full Story

BEHAVIORAL TARGETING—CANADA

Paperless Receipts Raise Privacy Concerns (August 15, 2011)

CTV News reports on the increased use of paperless receipts by large retailers and the subsequent privacy issues that accompany the new shopping option. To get the electronic receipt, customers must provide an e-mail address, which allows marketers to cross-reference preferences and buying habits. The Office of the Privacy Commissioner's Anne-Marie Hayden says that Canadian privacy laws require that retailers inform customers about the use of their data, adding that customers "should be aware of the implications of choosing an e-receipt over a paper one" because "an e-receipt creates a record that could be tied back to them."
Full Story

HEALTHCARE PRIVACY—U.S.

OCR Data Breach List Hits 300 (August 15, 2011)

HealthLeaders Media reports that the Office for Civil Rights (OCR) has logged almost one healthcare breach every other day since it began keeping its online list in February 2010. The OCR notification website lists breaches of health information protected under HIPAA affecting 500 or more individuals and was created as part of the breach notification interim final rule. According to the report, the tally has reached 300 breaches, and of the 420 complaints claiming violations of HIPAA since October 2009, 192 have been closed after "investigation and appropriate corrective action."
Full Story

DATA PROTECTION

Tokenization Guidelines Released (August 15, 2011)

The Payment Card Industry Security Standards Council (PCI SSC) has released guidelines on tokenization, SC Magazine reports. The PCI DSS Tokenization Guidelines Information Supplement provides suggestions for "developing, evaluating or implementing a tokenization solution, including insight on how a tokenization solution may impact the scope of PCI DSS efforts," the report states. "These specific guidelines provide a starting point for merchants when considering tokenization implementations. The council will continue to evaluate tokenization and other technologies to determine the need for further guidance and/or requirements," said PCI SSC General Manager Bob Russo. 
Full Story

PRIVACY

PR Firm Adds Privacy to Comms Quiver (August 15, 2011)

Legal firms have been adding data privacy and security groups rapidly in recent years. Now a public relations firm has launched privacy-related services. Edelman's new data security and privacy group aims to help clients communicate on the issues, according to The Holmes Report. "Privacy and information security have moved from the back office to the boardroom," said Edelman global practice chair Pete Pedersen. "These topics are brand and reputation drivers now, not just legal and IT considerations."    
Full Story

Company Cancels Advertising Scheme (August 12, 2011)

LinkedIn has announced that it will no longer pursue its new form of advertising called "social ads," which shared users' activities and included their pictures, The Wall Street Journal reports. The company began testing the initiative in late June after announcing it to users. Complaints about user privacy followed, including a statement from the Dutch Data Protection Authority that the company's changes may have breached Dutch privacy law. The company's head of marketing solutions told users, however, that "The only information that (was) used in social ads is information that is already publicly available and viewable by anyone in your network." (Registration may be required to access this article.)

ONLINE PRIVACY—CHINA

Ministry Proposes New Rule for PI (August 12, 2011)

China's Ministry of Industry and Information Technology (MIIT) is seeking comment on a draft rule regulating the processing of personal information by "Internet Information Service Providers," the Hunton & Williams Privacy and Information Security Law Blog reports, defining "Internet Information Services" as "service activities for the provision of information to Internet users over the Internet." If enacted, the rule's provisions include requiring Internet Information Service Providers to refrain from collecting personal information (PI) without users' consent, only collect PI as necessary to provide services, inform Internet users of how and why their PI is collected, not disclose PI to third parties without consent and "immediately take remedial measures" in the event of any breach. 
Full Story

HEALTHCARE PRIVACY—U.S.

One Year Later, Drugstore Investigation Continues (August 12, 2011)

HealthLeaders Media reports that the Office for Civil Rights (OCR) investigation into the nation's largest pharmacy chain remains ongoing. The investigation began in August 2010 in relation to a four-year-old media story involving the improper disposal of personal health information at drugstore chains. The OCR reached settlement agreements with two other chains within the last two years, which included provisions for compliance audits, employee training and sanctions for employee noncompliance. An OCR spokeswoman said the office cannot comment on the details of open investigations.
Full Story

PRIVACY LAW—U.S.

Blumenthal Holds Roundtable, Discusses Bill (August 12, 2011)

Sen. Richard Blumenthal (D-CT) held a roundtable to discuss legislation he will introduce in the coming weeks aimed at combating data breaches, reports Political News. Blumenthal told data breach experts, consumer advocates and community leaders, "The staggering increase of data breaches in the past year compromising personal and financial information warrants a swift and comprehensive federal response to hold companies accountable." He will propose ways to combat breaches involving personal data, states the report, including immediate breach notification for consumers and ensuring proper protections are in place to prevent breaches. 
Full Story

BEHAVIORAL TARGETING

New Site: Watch Ads, Give Data, Get Prizes (August 12, 2011)

Since the new website Loffles was launched on June 27, more than 3,400 users have registered to watch video ads with the chance to win prizes of their choosing, reports The New York Times. The site's founder said he's taking advantage of the "endless stream" of people taking part in online contests. Users of Loffles are about 60 percent men and average 24 years of age, and one advertiser says he saw the site as a way to connect with young people. One user, a college marketing student, said of the concept of trading his personal information for targeted ads, "I understand what they're doing here with the whole marketing aspect," adding, "I'm not wasting time watching advertising that I really have no interest in." (Registration may be required to access this story.)      
Full Story

DATA LOSS—U.S.

UW Announces Data Exposure (August 12, 2011)

The University of Wisconsin-Milwaukee has announced that the personal information of 75,000 students, alumni and staff may have been exposed as a result of malware discovered on a university server on June 30. "There is no evidence that the unauthorized individuals were aware of your personal data in the compromised database or that it has been retrieved," officials said in a statement on the school's website. Local and federal law enforcement are involved in the investigation.
Full Story

SOCIAL NETWORKING

Threat To Destroy Site May Be Hoax (August 12, 2011)

A reported threat by a hacker group to destroy Facebook on November 5 may have been a hoax, reports eWeek. The group claimed earlier this week that it would destroy Facebook on the grounds of privacy issues, stating that the site's privacy controls are lacking. But some are skeptical about the claims. The CEO of Kaspersky Lab, Eugene Kaspersky, tweeted about the news on Wednesday, saying it "most probably is fake." Others have also registered skepticism.
Full Story

DATA PROTECTION—UK

Smartphone Use by Rioters Creates Privacy Dilemma (August 11, 2011)

Research in Motion (RIM) has placed itself in the smartphone market as the provider able to ensure security and corporate privacy for its users, Zack Whittaker writes for ZDNet. But currently, its secure Messenger service is being used by rioters in London to organize, and UK authorities will be issuing warrants to access these messages, Whittaker writes. While RIM has pledged to help UK authorities whenever possible, it still needs to maintain its reputation as a secure provider, he states. RIM does not hold the encryption keys, however, so the messages it provides will be encrypted. According to Whittaker, RIM has one consideration, "how it can continue to market itself as a secure communications platform, when ultimately it is still vulnerable to the laws of the land."

PRIVACY LAW—U.S.

ISP Tracking Spurs Class-Action Suit (August 11, 2011)

GigaOM reports on researchers' discovery that some Internet service providers (ISPs) have been rerouting users' online traffic to provide Web search results "that can generate money for firms selected by the ISP as well as the ISP itself." The practice has resulted in a class-action lawsuit against companies Paxfire and RCN, and Sen. Richard Blumenthal (D-CT) has said he is considering investigating the practice. Referencing past ISP tracking incidents, the report suggests the key issue is "ISPs, in their quest for revenue, are once again interfering with users without their knowledge or consent."    
Full Story

DATA PROTECTION—UK & CANADA

DPAs Warn Retailers (August 11, 2011)

The Information Commissioner's Office (ICO) has announced that cosmetics retailer Lush will not be fined for a hacker breach that compromised the payment data of approximately 5,000 customers over a four-month period. According to an ICO news release, the company is required to "sign an undertaking" that says it will comply with the Payment Card Industry Data Security Standard (PCI DSS). Some are criticizing the ICO for not fining the company, but the ICO's Sally-Anne Poole said, "This breach should serve as a warning to all retailers that online security must be taken seriously and that the PCI DSS or an equivalent must be followed at all times." Meanwhile, Canada's privacy commissioner has warned Canadians to guard their personal information when shopping at retail stores.
Full Story

FINANCIAL PRIVACY—U.S.

Visa To Waive Some PCI DSS Compliance (August 11, 2011)

In an effort to encourage chip authentication technology, Visa will allow qualified U.S. merchants to abstain from the requirement to annually validate compliance with the Payment Card Industry Data Security Standard (PCI DSS). Infosecurity reports that as of October 1, Visa will grant the waiver to merchants that support both EMV contact and contactless chip acceptance. However, those merchants will still be required to protect sensitive data by "ensuring their systems do not store track data, security codes or PINs," the report states. A Visa spokeswoman said dynamic authentication is the future of securing payments and shrinks "the battlefield against criminals" by adding a security layer.
Full Story

ONLINE PRIVACY

Researchers Warn of Trusting Data Too Much (August 11, 2011)

Researchers at two technology-focused conferences in the U.S. last week warned of making "strong extrapolations about weak data," reports MIT's Technology Review. Alessandro Acquisti of Carnegie Mellon University explored the ability of facial recognition technology--combined with online profiles--to determine birth dates, Social Security numbers and more, correctly identifying about one-third of subjects. Acquisti expects the technology to improve and notes that being misidentified in a future where this information is trusted most of the time could have negative consequences. Other researchers are exploring the reliability of social data in determining personality traits, finding positive but weak correlations, according to the report.  
Full Story

DATA PROTECTION

Report Analyzes Advanced Persistent Threats (August 11, 2011)

In its latest global threat report, Cisco has found that data breaches have been "seemingly nonstop" in 2011, with unique instances of malware more than doubling, siliconrepublic reports. The report discusses advanced persistent threats (APTs) and the difficulty of identifying them, saying that APTs "must enable the attacker to remotely manipulate a system while remaining virtually invisible to standard defenses." A Cisco representative said, "If anyone attempts to sell your organization a hardware or software solution for APTs, they either don't understand APTs, don't really understand how computers work or are lying--or possibly all three."      
Full Story

PRIVACY LAW—EUROPE

Court Case Results from "Transatlantic Clash" (August 10, 2011)

Spain's government has ordered Google to halt its indexing of data on certain individuals, The New York Times reports. Ninety individuals who filed complaints with the Spanish Data Protection Agency will benefit from the order, which is now being considered in court. Google has asserted that the requirement "would have a profound chilling effect on free expression without protecting people's privacy." Experts weigh in on the order, the origins of the concept of a "right to be forgotten" and the differing perspectives. "What you really have here is a transatlantic clash," said a Swiss native and Georgetown University professor. (Registration may be required to access this story.)

DATA LOSS—JAPAN

Credit Card Data Compromised (August 10, 2011)

InfoSecurity reports on a credit card data breach affecting approximately 92,400 Japanese Citigroup customers. Compromised data includes names, addresses, credit card account numbers, phone numbers, dates of birth and dates accounts were opened. According to the report, an individual employed by a Citigroup subcontractor sold the data to a third party. This is the second breach that has affected the company this year.    
Full Story

GENETIC PRIVACY—U.S.

CA Court Declares DNA Act Unconstitutional (August 10, 2011)

The First District Court of Appeal in San Francisco has overturned a voter-approved proposition that requires adults charged with a felony to provide a DNA sample. The court said Proposition 69 is unconstitutional because the law allows searches of individuals without a warrant, Wired reports, adding it authorizes "the warrantless and suspicionless search of individuals...for evidence of a crime unrelated to that for which they have been arrested." The court also noted, "The question this case presents, which is increasingly presented to the courts of this state and nation, is the extent to which technology can be permitted to diminish the privacy guaranteed by the Fourth Amendment."
Full Story

PRIVACY LAW—THE NETHERLANDS

Company May Have Breached Law (August 10, 2011)

A recent change to its privacy settings may mean that a social networking site has breached Dutch privacy law, Radio Netherlands Worldwide reports. LinkedIn should have asked users for explicit consent before using their profile pictures for advertising material, the Dutch Data Protection Authority (CPB) says, adding that default settings on social networking sites should be privacy-friendly and opt-in. The CPB statement is in concert with a recent Article 29 Working Party clarification on consent requirements.    
Full Story

HEALTHCARE PRIVACY—U.S.

AMA Discusses Prescription Data Selling Practices (August 10, 2011)

American Medical Association (AMA) President Peter Carmel is refuting a New England Journal of Medicine (NEJM) article that insinuates the AMA has financial incentives to support a Supreme Court decision allowing the sale of prescription drug information to pharmaceutical companies, reports Information Week. The NEJM article also claims the AMA has not done enough to promote its program allowing doctors to opt out of data mining. But Carmel calls the assertions "unfounded speculation" and outlines ways the AMA has promoted the opt-out program. While the AMA believes physicians should have the right to opt out, the report states, it "prefers its own approach to state laws that might be overly restrictive." 
Full Story

DATA LOSS—U.S.

Lost Memory Sticks Affect Bottom Line (August 10, 2011)

Lost memory sticks holding sensitive data can be detrimental to a company's bottom line, PCWorld reports. That's according to a recent Ponemon Institute study, which surveyed more than 400 organizations and found they will lose $2.5 million because of missing memory sticks. On average, the companies lost 12,000 records stored on the sticks, costing about $214 per record. More than 70 percent of survey respondents said they are either certain or feel it was likely that data breaches were caused by missing memory sticks. A U.S. Department of Homeland Security experiment placed USB sticks in parking lots and found 60 percent of those who picked them up accessed the data.
Full Story

SOCIAL NETWORKING

Hacker Group Vows To Destroy Site (August 10, 2011)

A hacker group has threatened to destroy Facebook on November 5, International Business Times reports. The group "Anonymous" claims that it will destroy the social network because of privacy issues, stating that the site's privacy controls are lacking. "Everything you do on Facebook stays on Facebook regardless of your 'privacy' settings, and deleting your account is impossible. Even if you 'delete' your account, all your personal info stays on Facebook and can be recovered at any time...Facebook knows more about you than your family," the group states.
Full Story

DATA PROTECTION—U.S.

Organization Loses PCI Assessor Credentials (August 10, 2011)

The Payment Card Industry (PCI) Security Standards Council has revoked an organization's status as both Qualified Security Assessor and Payment Application Qualified Security Assessor after a regular review showed a "failure to satisfy the high standard set forth" for the credentials, reports SC Magazine. The PCI Council is not saying why Chief Security Officers (CSO) lost the credentials, but one expert predicts it will be costly for merchants currently being assessed by or waiting for validation from CSO. "If the work done was truly insufficient for the PCI Council, the product vendors, merchants and service providers will need to address their customers' concerns that will inevitably come following this announcement," he said.     
Full Story

PRIVACY LAW—U.S. & INDIA

Court: Non-Citizen E-Mails Protected Under ECPA (August 9, 2011)

The Ninth Circuit Court has ruled that under the Electronic Communications Privacy Act (ECPA), Microsoft does not have to turn over an Indian citizen's e-mails. Indian energy company Suzlon Energy, claiming the man defrauded it, has requested copies of all e-mails sent to and from his Web mail account and of written agreements he had with Microsoft, reports Courthouse News Service. The court ordered Microsoft to hand over the contracts but ruled the e-mails are subject to protection under ECPA, sparking a debate over the intent of the law. Suzlon's lawyer commented that if criminals could avoid discovery by "parking" e-mails in the U.S., "every felon in the world would do so." But Judge Milan Smith remarked that if Congress wants to distinguish between a U.S. citizen and a noncitizen, "it knows how to do it."
Full Story

DATA PROTECTION—SOUTH KOREA

KCC Proposes Plan for Online Data Protection (August 9, 2011)

In light of a recent breach affecting 35 million citizens, the Korea Communications Commission (KCC) has announced a plan that will require website operators to limit the amount of stored personal information of users and to encrypt data that is stored, The Chosun Ilbo reports. Under the proposal, websites would be required to encode information such as telephone numbers and e-mail addresses but would no longer be able to request resident registration numbers from subscribers; free security software would be provided to companies that cannot afford the required security systems upgrade. The KCC will have a "detailed action plan" by December, the report states.
Full Story

PRIVACY

Expert: Pros Should Prepare for Tight Budgets (August 9, 2011)

In a Datamation article, analysts warn that privacy officers around the world should prepare to do more with less. Privacy programs will be underfunded through 2012, the analysts predict, which will require privacy officers to "build and maintain strong relationships with corporate counsel, lines of business, HR, IT security, IT operations and application development teams," said expert Carsten Casper. Key areas privacy professionals should focus on include compartmentalizing information, restricting access and encrypting data--especially data that is stored, will travel across public networks or lives on portable devices, Casper advises. He added that pros should support cloud computing initiatives, keeping privacy in mind.   
Full Story

PRIVACY LAW—U.S.

ID Thief Sentenced to 11 Years (August 9, 2011)

A North Carolina Veterans Affairs (VA) employee has been sentenced to serve 11 years in jail and pay $464,000 in restitution for stealing veterans' identities and filing fraudulent tax returns, reports WRAL. Michael Ray Woods ran a tax preparation business and used the information of disabled veterans--whose patient data he was to enter into a computer at his VA job--to create fake dependents, netting the filer more money and himself around $150,000 annually in fees. Woods was convicted of two counts of preparing false tax returns, 10 counts of wire fraud, 10 counts of identity theft and two counts of aggravated identity theft, according to the report.  
Full Story

HEALTHCARE PRIVACY—U.S.

Expert Discusses Cloud Computing Options (August 9, 2011)

In a Q&A with eWeek, IT expert Chris Witt discusses ways healthcare companies should handle moving data to a cloud computing infrastructure. In light of a recently released report concluding that healthcare companies are uncertain about moving to the cloud, Witt discusses how an organization can determine whether the cloud is the appropriate step; recommended cloud platforms; maintaining HIPAA compliance when implementing the cloud system; necessary steps when migrating to the cloud; and differences between private and public clouds in healthcare. Editor's Note: For more about cloud computing privacy issues, register for the IAPP's next Web conference, Outsourcing to the Cloud: Practical Considerations for Data Owners and Cloud Vendors, which will be held this Thursday, August 11.
Full Story

PRIVACY LAW—U.S.

Social Network Seeks Suit’s Dismissal (August 9, 2011)

The world's largest social networking site is seeking the dismissal of a class-action lawsuit filed in June by two parents on behalf of their children, claiming that minors are unable "to consent to the use of their name and photographs for marketing, advertising and selling of goods and services," Courthouse News Service reports. In a motion seeking either dismissal of the case or a "more definite statement," Facebook has contended that consumer opinions, such as its "Like" statements, "have repeatedly qualified as matters of public interest under the First Amendment." In seeking the dismissal of the current Illinois complaint, Facebook has also cited a similar case that was dismissed in federal court in California.     
Full Story

DATA THEFT—U.S.

Group Breaches Law Enforcement Websites (August 8, 2011)

The Associated Press reports on the theft of data from approximately 70 law enforcement websites across the U.S. The hacker group Anonymous posted 10 gigabytes of compromised information pertaining to law enforcement investigations in retaliation for the arrests of its sympathizers in the U.S. and the UK, the report states. Stolen data includes tips about suspected crimes, gang member profiles, security training and credit card information. The group said it hopes to "disrupt and sabotage" law enforcement investigations. Authorities in the U.S., UK and the Netherlands arrested 21 individuals related to the group last month for reported data theft activity.

DATA LOSS—U.S.

Hospitals Expose Patient Data (August 8, 2011)

Beth Israel Deaconess Medical Center is notifying more than 2,000 patients of a data breach that occurred when a vendor performing computer maintenance did not restore security controls to a hospital computer, reports American Medical News. The computer was infected by a virus. Meanwhile, a Brigham and Women's/Faulkner Hospitals doctor accidentally left a hard drive in a cab that may have contained information on 638 patients, reports the Boston Herald. After an internal investigation, the hospital said the records--which include patient names, medications, diagnoses and treatments, among other data--had been deleted from the drive, but it is not sure whether they are still accessible. Both institutions are offering affected patients a year of identity theft protection.
Full Story

ONLINE PRIVACY

The War On Anonymity (August 8, 2011)

A SPIEGEL International report discusses what some describe as a war on online anonymity. Some say anonymity is the Internet's greatest strength--promoting free speech and privacy--but others see it as increasingly dangerous. In the wake of terrorist acts and cyber-bullying worldwide, there is a push to reveal the identities of extremist bloggers and online bullies. In fact, a Carnegie Mellon study found that when users were required to identify themselves by using their real names, they behaved in a more civilized way. However, an American Association for the Advancement of Science report states that "Anonymous communication should be regarded as a strong human right."  
Full Story

ONLINE PRIVACY

CEO Defends ETag Intent (August 8, 2011)

Saying his company was "blindsided" by privacy violation allegations, KISSmetrics CEO Hiten Shah responded to a paper that disclosed the company's use of ETags, MediaPost reports. Shah said, "We use the same URL for all customers to reduce server and bandwidth resources and increase end-user performance, which is critical given our small size...an incidental consequence of this is that the same anonymous identifier was returned externally across multiple websites."  
Full Story

SOCIAL NETWORKING

Startup Allows for Privacy on the Web (August 8, 2011)

A social network launched in April of this year claims to give people "real-world style, disposable interaction on the web," reports PaidContent. In an interview, SecretSocial co-founder Zubin Wadia discusses the idea behind the company and its plans for the future, including becoming the "go-to place" for private conversations when using other online networks. All SecretSocial conversations have an expiration date set by the users involved, at which time the conversation is deleted from user browsers as well as the company's servers. According to Wadia, one of the problems behind Internet privacy is the assumption that data needs to be retained forever. "A lot of this data analysis, complex or not, can occur in realtime," he says.
Full Story

ONLINE PRIVACY

Researcher Questions Real-Name Policy (August 8, 2011)

A researcher known for speaking about issues of online identity and culture recently criticized the "real-name" policies of a popular social networking site, eWeek reports. Google+ requires users to fill out profiles "to help connect and find real people in the real world." The company's policy suspended accounts of users who used pseudonyms or fake names, but the vice president of Google+ said the company revised its policy late last month to provide "a clear indication of how the user can edit their name to conform to our community standards." The researcher, who works for Microsoft, said, "what's at stake is people's right to protect themselves."   
Full Story

HEALTHCARE PRIVACY—U.S.

OCR Undecided on BA Inclusion in HIPAA Audits (August 5, 2011)

The Office for Civil Rights (OCR) has not decided whether it will include business associates (BAs) in its HIPAA-compliance audit plans, HealthLeaders Media reports. OCR Deputy Director of Health Information Privacy Susan McAndrew says KPMG, the company that was granted the OCR's $9.2 million contract, will develop BA audit protocols. McAndrew also says the "OCR has not yet determined whether it will audit business associates in addition to covered entities during the audits that are anticipated to take place in 2011." Editor's Note: For more on the HIPAA audit program, request the archived recording from last week's Web conference, The Upcoming OCR HIPAA Audit Program: What To Expect and How To Prepare, from IAPP Knowledge Manager Dave Cohen.

HEALTHCARE PRIVACY—U.S.

Hospital Being Investigated for HIPAA Violation (August 5, 2011)

An Office for Civil Rights (OCR) employee has confirmed that the OCR is investigating an anonymous complaint claiming that an Alabama hospital violated HIPAA laws when it sent patient records to a law office. The Anniston Star reports that a doctor at Regional Medical Center (RMC) faxed the names of students involved in a bus accident to a law firm in February 2010, and while the doctor was reprimanded, RMC's CEO said hospital attorneys indicated the incident did not violate HIPAA laws. A Department of Health and Human Services spokeswoman would not confirm that the OCR was investigating RMC, and according to its CEO, the hospital has no knowledge of an investigation.   
Full Story

DATA PROTECTION—UK

Are Fines the Best Incentive to Keep Data Secure? (August 5, 2011)

The Information Commissioner's Office (ICO) has fined six organizations for breaching the Data Protection Act, and of the fines assessed, four were to local councils already struggling with budget cuts, reports Computing. This has some wondering whether fines are appropriate incentives for protecting data. One council's head of IT said, "Training and education is the best way to prevent data breaches. And we could have funded more of both if we hadn't been fined." But an ICO spokeswoman says, "The best way a public authority can protect taxpayers' money is by not being lax in the way it looks after personal information." Meanwhile, Information Commissioner Christopher Graham has asked for custodial sentencing to be added to his enforcement tools.    
Full Story

PRIVACY LAW—U.S.

Health Data Not Covered in Breach Legislation (August 5, 2011)

The Center for Democracy and Technology's Harley Geiger writes that the data breach notification bills currently in Congress would not protect health data processed by certain commercial services. The HIPAA Privacy Rule requires covered entities to notify individuals when their data is compromised, but with the influx of commercial health IT systems and applications, sensitive health data is increasingly being used by commercial products and services. As a result, neither the current data breach draft legislation nor the Privacy Rule would require non-covered entities processing health data to notify individuals of a breach, which "makes it all the more important that the law evolves with technology to provide blanket privacy protection for health information in commercial contexts," the report states.
Full Story

DATA PROTECTION—UK

MPs Urge Gov’t to Consult with ICO on ID-handling Plan (August 5, 2011)

In a report published this week, MPs urge the government to work with the Information Commissioner's Office on its plans to develop an "ID assurance" protocol that could see ID handling outsourced to third parties, The Register reports. Published on Tuesday, the Public Administration Select Committee report, "Government and IT - 'a recipe for rip-offs': time for a new approach," says that the ID-handling model being proposed by the Cabinet Office will "need to be trialled extensively," and warns that concerns about privacy "could act as a barrier to implementing such a radical reform." The authors recommend the government work with the ICO to "review potential barriers" and explore development options.
Full Story

DATA PROTECTION

Report Identifies Global Cyberspying (August 5, 2011)

A U.S.-based cybersecurity company has issued a report stating that it has identified a single cyberspying perpetrator that has infiltrated governments around the world as well as U.S. corporations and U.N. groups over the course of the past five years, The New York Times reports. Stating the attacker may be a "state actor," the report did not disclose the location of the transgressing computer system or the specific business targets. McAfee, the company that issued the report, said it has identified 72 targets, 49 of which are U.S.-based. Department of Homeland Security Secretary Janet Napolitano said of the report, "We obviously will evaluate it, look at it and pursue what needs to be pursued in terms of its contents." (Registration may be required to access this story.)
Full Story

BEHAVIORAL TARGETING

Web Tracking Raises Revenue, Threatens Privacy (August 4, 2011)

USA Today reports on the rise in online tracking for behavioral advertising and the subsequent challenges tracking poses to personal privacy. Privacy advocates are concerned that digital shadowing will erode "traditional notions of privacy," while new research suggests that as more companies exercise online tracking, opportunities for the loss of privacy increase, the report states. Ernst & Young's Sagi Leizerov, CIPP, says, "It is a mistake to consider tracking benign...It's both an opportunity for amazing connections of data as well as a time bomb of revealing personal information you assume will be kept private."

HEALTHCARE PRIVACY—U.S.

AHA Wants HIPAA Access Provision Withdrawn (August 4, 2011)

The American Hospital Association (AHA) says federal regulators need to "significantly alter" the access report provision in their proposed HIPAA disclosures rule, HealthLeadersMedia reports. In a letter sent to the Department of Health and Human Services, the AHA says the access report provision--which would allow patients to request a history of who has accessed and disclosed their personal health records--is "misguided and does not appropriately balance the relevant privacy interests of individuals with the burdens that will be imposed on covered entities, including hospitals."
Full Story

ONLINE PRIVACY

Company To Sell Tracking Abilities to Merchants (August 4, 2011)

Online deals company Foursquare is looking to bring in revenue by selling its merchants software that will enable them to track--and therefore better target specials to--their customers who use the service. Traditionally, social media companies have turned to advertisers to monetize "free" services, and Foursquare's method may end up putting them in the center of the privacy debate, according to Erik Sherman, writing for BNET. "The minute you start analysis on people at specific stores, particularly smaller stores with repeat customers, consumer anonymity begins to fade," Sherman writes. "Set the right specials, and a store owner could begin matching faces, names (especially from credit card purchases) and online identities."
Full Story

EMPLOYEE PRIVACY—CANADA

Medical Records Used in HR Investigation (August 4, 2011)

According to the Alberta Office of the Information and Privacy Commissioner (OIPC), Alberta Health Services (AHS) violated the Health Information Act when it used an employee's addiction counseling information in a human resources investigation. After signing a consent form to allow his health records to be shared with his treating physician, the employee's records were given to the AHS human resources department to determine "the fitness of the employee to continue his duties," reports the Edmonton Journal. An AHS spokesperson said the company would comply with the OIPC's request to change their data sharing policies in these circumstances.   
Full Story

DATA PROTECTION—U.S.

Demand for Info Sec Pros Expected to Grow (August 4, 2011)

According to a report from the recruitment firm Barclay Simpson, demand for information security professionals is up and will continue to grow through the end of the year, reports InfoSecurity. "The information security recruitment market recovered during the course of 2010," the firm said, adding, "By the end of the year, all sectors outside of the public sector were experiencing demand similar to pre-recessionary levels." According to the report, driving the demand is the need for risk-assessment and Payment Card Industry Data Security Standard skills.    
Full Story

PRIVACY LAW—ITALY

Garante Rejects Claim to Deceased Person’s Data (August 4, 2011)

The Italian Data Protection Authority has rejected the appeal of an individual who wanted access to a deceased relative's data, reports attorney Rocco Panetta from the firm Panetta & Associati in Rome. In denying the request of a woman who wanted access to a life insurance policy, the Garante said that, in the absence of a direct claim, personal interest or family interest worthy of protection, the data could not be released. The privacy of the deceased must be protected, the Garante said. (Site in Italian.)  
Full Story

PRIVACY—U.S.

New Federal CIO Named (August 4, 2011)

FCC managing director and former Microsoft executive Steven VanRoekel will be the next federal chief information officer, The New York Times reports. VanRoekel will replace Vivek Kundra, who has held the position since 2009 and is leaving to take a position at Harvard. VanRoekel says he plans to further the work that Kundra began. "We're trying to make sure that the pace of innovation in the private sector can be applied to the model that is government," he said. For two years, VanRoekel has served as managing director of the Federal Communications Commission. Before that, he spent 15 years with Microsoft. (Registration may be required to access this story.)  
Full Story

BIOMETRICS—GERMANY

DPA Demands Changes to Facial Recognition Feature (August 3, 2011)

In a statement released on Tuesday, the head of Hamburg's data protection authority said Facebook's facial recognition feature violates German data protection laws, the Financial Times reports. "The problem is not with the facial recognition itself," said Johannes Caspar, "but the data that is stored in the background to allow the system to recognize a face." He said the company "needs to design a new kind of system to get consent from people before their data is stored." Caspar has given Facebook two weeks to respond to his demand for change or disablement. Other European regulators are looking into the feature. (Registration may be required to access this story.)

PRIVACY LAW—BERMUDA

Opinion: Protections in Place and On the Way (August 3, 2011)

A Royal Gazette report outlines the "right to privacy" and what protections are in place for Bermuda citizens. While they are not afforded the same privacy rights as citizens of the UK, writes Allan Doughty of Trott & Duncan Ltd., Bermuda's Telecommunications Act and Common Law protections cover certain aspects of citizens' privacy, such as computer and voicemail hacking and the scope of confidential information. Last year, the government passed the yet-to-be-enacted Public Access to Information Act, which allows people to access government-held information and puts safeguards on when that data can be released. Also in the works is a Personal Information Protection Act to regulate how organizations can use individuals' data.   
Full Story

PRIVACY LAW—SOUTH KOREA

Gov’t Fines Company Over Location Data (August 3, 2011)

The Korea Communications Commission has fined Apple, Inc. $2,855 for collecting users' location data without authorization, the Chicago Tribune reports. This is the first time, the report states, that punishment has been levied on the company in response to its collection of location information. Meanwhile, approximately 27,800 South Korean iPhone and iPad users are planning to file a class-action lawsuit against the company for its collection practices. A company representative said, "Apple is not tracking the location of your iPhone" and "has never done so and has no plans to ever do so."  
Full Story

PRIVACY LAW—U.S.

Court: Impersonation on Social Networking = Identity Theft (August 3, 2011)

A California court of appeals has upheld an earlier decision that a student committed identity theft when he used a fellow student's e-mail address to gain access to her social networking account and--while impersonating her--post defamatory messages. According to an OUT-LAW.COM report, the court ruled that because the student kept a record of the e-mail address with intent to use it later, and because the messages "defamed" the girl, he is guilty of a misdemeanor. The boy said he meant the messages as a joke. He has been ordered to serve 90 days to one year in a juvenile detention center program.
Full Story

DATA PROTECTION—EU & U.S.

European Companies Avoiding U.S. Cloud Providers (August 3, 2011)

The Financial Times reports that European companies are choosing not to use U.S.-based cloud service providers because of legal obligations the service providers have to the U.S. government under the USA Patriot Act. According to the U.S. legislation, data that is stored, processed or retained by a U.S.-based service provider must be made available for inspection by U.S. authorities without notification to users, which is a violation of the European Data Protection Directive. One European IT chief said, "We would never be able to use a U.S.-based provider of cloud services, even if the data is stored in a data center in the EU," suggesting that European companies would instead use local service providers. (Registration may be required to access this story.)  
Full Story

PERSONAL PRIVACY—U.S.

States Look at Privacy and Smart Grid (August 3, 2011)

States continue to prepare for and implement smart grid technologies. Last week, the California Public Utilities Commission (CPUC) adopted data protection rules for smart grid providers and suppliers. The rules "establish a solid framework for creating balance between protecting consumer privacy and fostering a new market for third-party participants," said CPUC Commissioner Mark Ferron. Meanwhile, as the state of Vermont prepares to spend its $70 million in federal monies to implement the smart grid, its Public Service Board is looking into the privacy considerations. "As there's more data...there are concerns..." said a Public Service Department official. Ohio officials are also looking into smart grid privacy considerations.   
Full Story

PRIVACY LAW—NEW ZEALAND

Law Commission Recommends Breach Notification, Do-Not-Call Register (August 2, 2011)

The Law Commission tabled its final report on its review of the Privacy Act in parliament on Tuesday, The New Zealand Herald reports. In it, the commission recommends the creation of a do-not-call register, more authority for the privacy commissioner and mandatory breach notification provisions. "People have a right to know if their information has been compromised in a serious way," said Law Commissioner John Burrows. Privacy Commissioner Marie Shroff said the commission's suggested reforms "would power up privacy law to meet the challenge of protecting New Zealanders' personal information in the digital age."

DATA LOSS—U.S.

Mass. AG Fines Bank for Breach (August 2, 2011)

Massachusetts Attorney General Martha Coakley has imposed a $7,500 fine on a bank for failing to protect customer data, BelmontPatch.com reports. The sensitive information of Belmont Savings Bank customers was exposed in May 2011 after an employee failed to secure a backup tape. "Our office will continue to take action against companies that fail to follow protocol to protect the information entrusted to them by consumers," Coakley said. In addition to the monetary penalty, the bank must shore up its data inventory system, secure sensitive data and train its employees.
Full Story

ONLINE PRIVACY

Web Analytics Firm Stops Using ETags (August 2, 2011)

A company specializing in Web analytics has changed its Web tracking operations to allow users to opt out of being tracked, Wired reports. The move comes after two of its clients, Hulu and Spotify, suspended the KISSmetrics service because of the company's use of ETag technology, which stores information in users' browsers even if they delete their cookies. Two users have filed potential class-action claims against KISSmetrics and Hulu, saying the companies violated federal and California state law. In response, KISSmetrics revised its privacy policy and pledged to stop using ETags, saying on its website, "As of July 30, 2011, KISSmetrics uses standard first-party cookies to generate a random identity assigned to visitors to our customers' sites."
Full Story

PRIVACY LAW—U.S.

Data Retention Bill Draws Fire (August 2, 2011)

A bill aimed at curbing child pornography has drawn criticism from privacy advocates for requiring Internet service providers (ISPs) to retain personal data on temporarily assigned network addresses for 12 months, reports InfoWorld. The Electronic Frontier Foundation (EFF) and the American Civil Liberties Union (ACLU) are speaking out against the bill, saying it would open up the data to abuse and misuse. "Essentially what this bill is attempting to do is make it such that you can never post anything online without there being a record indicating that you posted it," said Kevin Bankston of the EFF. An ACLU representative wants answers to questions about ISPs' current data collection practices. 
Full Story

GEO PRIVACY

Company Limits WiFi Location Database (August 2, 2011)

CNET News reports that Microsoft has stopped publishing the locations of WiFi connections on its Live.com database. Access to the website has been restricted as of last Saturday, according to the report. The location data was gathered from Windows Phone 7 phones and "managed driving" that records WiFi signals accessed from public roads. A Microsoft representative wrote, "This change improved filtering to validate each request so that the service will no longer return an inferred position when a single Media Access Control address is submitted," adding, "We will continue to update our service with improvements that benefit the consumer in both positioning accuracy as well as individual privacy."  
Full Story

DATA PROTECTION—U.S.

SAFE Data Act Could Hurt Consumers (August 2, 2011)

Some security experts are concerned that shortening breach notification requirements to within 48 hours of the discovery of a breach--as in the SAFE Data Act, which recently passed the House Energy and Commerce Committee--may hurt consumers in the long run, reports Dark Reading. Highlighting the importance of understanding the scope of a breach, Larry Ponemon, CIPP, of the Ponemon Institute, says, "How can you go through the process in a way that is systematic and highly accurate in 48 hours? A lot of people are going to get notices that don't necessarily apply to them, and that will actually diminish the value of the data breach notification itself." The bill's sponsor, Rep. Mary Bono Mack (R-CA) says "we can no longer afford to do nothing."  
Full Story

PRIVACY LAW—U.S.

Federal Breach Notification Welcomed by Some (August 2, 2011)

On the heels of the introduction of another federal data breach notification bill, Microsoft voiced its support for a federal standard, saying the current varying state requirements are challenging for businesses, The Hill reports. Chief Privacy Officer Brendon Lynch, CIPP, said that a federal notification law should require that consumers be notified only if sensitive information, such as healthcare and financial data, has been affected. "If people get notices all the time, they'll just ignore them," Lynch said. 
Full Story

PRIVACY LAW—NETHERLANDS

New Law Aims to Deter Privacy Breaches (August 1, 2011)

A new law expected to become effective this year will allow for the imposition of fines for data privacy violations, Radio Netherlands Worldwide reports. "People's personal data are being used by others all the time, without their realizing it in the least," said Dutch Data Protection Commissioner Jacob Kohnstamm, who is assisting the justice ministry in drafting the law. "The new, steep fines will make sure that people's privacy will be respected." Violators risk fines from 25,000 to several million euros. Kohnstamm has also announced that his office is investigating the presence of regional electronic medical records.

PRIVACY LAW—U.S.

Preliminary Settlement Reached in Class Action (August 1, 2011)

WellPoint has reached a preliminary settlement in a class-action lawsuit involving the exposure of 600,000 health applicants' sensitive data, American Medical News reports. The suit, filed in March 2010, alleged that the company failed to protect the privacy of those affected, the report states. The settlement would see WellPoint provide two years of credit monitoring to those involved and would entitle class members to reimbursement for instances of identity theft. The settlement will be approved or declined after a November fairness hearing. In July, the company agreed to pay a $100,000 fine in a settlement with the Indiana attorney general's office for notification failures surrounding the incident. 
Full Story

PRIVACY LAW—CANADA

Commissioner Takes Prison Agency to Court (August 1, 2011)

The Office of the Privacy Commissioner (OPC) is taking the federal agency responsible for the country's prison system to court for allegedly violating the Privacy Act, the National Post reports. Commissioner Stoddart says that on two occasions the Correctional Service of Canada has not appropriately responded to requests to provide inmates with the personal information the prison system keeps about them. The Privacy Act requires government agencies to provide personal information within 30 days of a request. The OPC's communications director, Anne-Marie Hayden, says, "In both complaints, our investigators found that the Correctional Service of Canada had failed to give complainants timely access to their personal information."
Full Story

BIOMETRICS

Study: Facial Recognition Technology Powerful, Intrusive (August 1, 2011)

The Wall Street Journal reports on research conducted at Carnegie Mellon University that successfully identified approximately one-third of participants using the same facial recognition technology recently acquired by Google. Using profile data from Facebook, the study's author could also correctly predict the first five digits of the participants' Social Security numbers nearly 27 percent of the time. One law professor notes that the combination of available, "anonymous" online data and the technology makes re-identifying people possible. The study's author says, "This paper really establishes that re-identification is much easier than experts think it's going to be." (Registration may be required to access this story.) 
Full Story

GEO PRIVACY—U.S.

Proposed Mileage Tracking Raises Concern (August 1, 2011)

Amid the growth of fuel efficiency and alternative fuel vehicles, governments are trying to find ways to recoup some of their gas-tax dollars by taxing mileage, reports the Las Vegas Sun. Nevada residents were presented with the idea of using GPS systems to track mileage, and more than 80 percent opposed it, most often citing privacy concerns. Another method being tested is one in which a transponder mounted to the car tells the gas pump how many miles the car has travelled and tacks on the appropriate mileage tax to the gas price. The University of Nevada at Las Vegas is conducting the test with 25 drivers and says the transponders are not capable of tracking vehicles. 
Full Story

ONLINE PRIVACY

Background Check App Is Back (August 1, 2011)

A mobile application that allows people to conduct background checks is back in the marketplace, reports The Star-Ledger. The app was first launched for the iPhone in 2009, but was pulled by Apple due to privacy concerns. BeenVerified has relaunched the app--which searches online public records for information on a name entered into the system by the user--saying that it merely modernizes the information databases that already exist. But some privacy advocates and cybersecurity experts say the risk of stalking and identity theft outweighs the benefits of the service. "There are deep implications for privacy even if it's not certain these tools violate the law," says an Electronic Frontier Foundation spokesperson.
Full Story

DATA PROTECTION

Privacy As A Selling Point (August 1, 2011)

Forbes reports on the continued use of privacy as a competitive differentiator in the marketplace, pointing out how some companies are asserting their privacy strengths, sometimes by highlighting their competitors' privacy weaknesses. Columnist Kashmir Hill describes how this may be happening in the lead-up to the release of a new e-mail client.
Full Story