Privacy News | Daily Dashboard

Breaking news. In-depth articles. Global coverage.

Save time searching the headlines for privacy news in the media. Get the latest breaking privacy and data protection news from around the globe all in one place—The Daily Dashboard. Our FREE daily e-newsletter summarizes the day’s top privacy stories with links to the full articles—sent directly to your desktop each weekday!


Top Privacy News

HEALTHCARE PRIVACY—AUSTRALIA

E-Health Violations To Result in Fines (September 30, 2011)

Australia's government will fine health practitioners $66,000 for breaches of electronic health records, iTNews reports. Draft legislation includes penalties of $13,200 for each instance of a record being either breached or accessed without authorization. It also states that healthcare practitioners can only upload patient data if consent is obtained and that Australians will have access to their own data. Exceptions to patient records access rules include "to prevent a serious threat to an individual's life, health or safety" or to public health and safety. Health Minister Nicola Roxon said the Personally Controlled Electronic Health Record system will be more secure and private than paper-based records.
Full Story

PRIVACY LAW—EU

Cloud Laws Drifting This Way (September 30, 2011)

The European Union will introduce new data protection laws on cloud computing in November, iTNews reports. The Binding Safe Processor Rules will ask EU cloud providers to agree to be legally liable for any data breaches or losses, the report states, acting as a cloud provider accreditation service. Eduardo Ustaran of Field Fisher Waterhouse said service providers can use the accreditation as a selling point for their security models, while those who don't have it may be seen as unsafe. Field Fisher Waterhouse's Stewart Room described the rules as a "bridge" for cloud adoption in light of concerns about liabilities.
Full Story

PRIVACY LAW—EU

Directive Reform Publication Likely Delayed (September 30, 2011)

The European Commission's publication of the EU Data Protection Directive (95/46/EC) reform will likely be delayed beyond the expected November deadline. Matthew Newman, a spokesperson for European Commission Vice President Viviane Reding, said that "this is a comprehensive reform" and the timing for publication will be "within 20 weeks." In this IAPP Europe Data Protection Digest exclusive, experts provide insight into the complexity of this legislation and common ground that stakeholders share.
Full Story

PRIVACY LAW—U.S.

Spammer Banned From Sending Unsolicited Texts (September 30, 2011)

The Federal Trade Commission (FTC) has settled with an operator who allegedly sent millions of illegal text messages to consumers. Operator Phil Flora is banned from sending any unsolicited text messages or "making false or misleading claims about any good or service" after he sent a "mind-boggling" number of spam text messages to consumers for mortgage services and claimed he was affiliated with a government agency, according to the FTC complaint filed in February. Flora's actions violated the FTC Act and the CAN-SPAM Act, the FTC charged, ordering Flora to pay $58,946.
Full Story

SOCIAL NETWORKING

Site Introduces New Privacy Features (September 30, 2011)

Music streaming site Spotify has introduced new privacy features in the wake of complaints about its integration with the world's largest social network, the Financial Times reports. The music service had "quietly introduced the requirement that all new users sign up with a Facebook account rather than the usual e-mail" and "defaulted to sharing all a user's listening habits," the report states. While users could choose to opt out of sharing their music tastes through Facebook, in response to "hundreds of complaints," Spotify's CEO has announced a new "private listening" mode, noting, "we value feedback and will make changes based on it." (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

New Browser Raises Privacy Concerns (September 30, 2011)

Computerworld reports on Amazon's new Silk browser and the concerns raised by privacy advocates. The browser routes page requests through a cloud service owned by the company to speed up browsing, and, according to the company, a secure connection will be established "from the cloud to the site owner on your behalf for page requests of sites using SSL," meaning Amazon's servers, rather than the user's device, would hold one end of the encrypted session. A representative from the Center for Democracy & Technology said, "This makes Amazon your ISP...I don't think it's at all clear that Amazon can step into that," but he added it was a "great move" for the company to offer an opt-out to customers. The Electronic Frontier Foundation commented that "there are some worrisome privacy issues" in general around use of browsing history.
Full Story

HEALTHCARE PRIVACY—U.S.

4.9 Million Records Lost (September 29, 2011)

Three recent data breaches affect healthcare patients. A notice on a Pentagon contractor's website warns of a data breach affecting as many as 4.9 million patients, San Antonio Express reports. Science Applications International Corp. (SAIC) says the lost information--stored on backup computer tapes from electronic health records--included Social Security numbers, addresses, phone numbers and other private health information of patients who received care from San Antonio military facilities since 1992. The Veterans Affairs Illiana Health Care System in Illinois has notified patients of a potential data breach involving 518 veterans. Meanwhile, two Minnesota healthcare facilities report that a stolen laptop contained personal information including Social Security numbers on more than 14,000 patients.

SOCIAL NETWORKING

DPC Opens Investigation; Data Use Concerns Persist (September 29, 2011)

Following an advocacy group's logging of more than 20 complaints, Ireland's Data Protection Commission "will examine all of Facebook's activities outside the U.S. and Canada" with a goal of publishing its findings by the end of the year, siliconrepublic reports. Meanwhile, the Financial Times highlights privacy advocates' concerns that the social network is not adequately informing users of the potential for information "it will collect from new entertainment and media applications" to be used in advertising. One advocate said, "If the ad were to publish facts about you without your knowledge...it would cross into extremely creepy territory," while Facebook stressed its features "only work if people explicitly opt in to them."
Full Story

DATA LOSS—AUSTRALIA

Pilgrim: Sony Did Not Breach Privacy Act (September 29, 2011)

Privacy Commissioner Timothy Pilgrim has cleared Sony Computer Entertainment Australia of wrongdoing in the hacks earlier this year that exposed the personal information of 77 million customers, The Sydney Morning Herald reports. Pilgrim today published his investigation report, which found no breach of the Privacy Act because there was no evidence that Sony "intentionally disclosed" data and the company "took reasonable steps to protect its customers' personal information." However, Pilgrim said he "would have liked to have seen Sony act more swiftly to let its customers know about this incident." Last week, U.S. officials arrested a man in connection with the Sony hackings.
Full Story

FINANCIAL PRIVACY

Firms Scrambling Ahead of PCI DSS Audits (September 29, 2011)

Firms are struggling to maintain compliance with PCI DSS standards, SearchSecurity.com reports. That's based on the "2011 Verizon Payment Card Industry Compliance Report," which looked at more than 100 PCI DSS assessments conducted by Verizon's PCI Qualified Security Assessors in 2010, measured against the 12 PCI DSS requirements. The report found 21 percent of organizations were fully compliant, and even when compliance is achieved, it is not maintained through the next assessment period. Organizations are meeting about 80 percent of requirements, a Verizon spokesman said, adding, "We're seeing lots of scrambling to get things in order for the assessor, and that's not the intent of PCI DSS at all."
Full Story

PRIVACY—U.S.

DHS Reports Progress in Last Year (September 29, 2011)

In its annual report, the Department of Homeland Security (DHS) Privacy Office states that it has made significant progress on a number of initiatives, Homeland Security Today reports. Last year, the office published 68 privacy impact assessments and 20 System of Records Notices; developed its "DHS Privacy Policy and Compliance" management directive based on Fair Information Practice Principles, and launched a new intranet site featuring the office's training resources on the Freedom of Information Act and privacy, among other guiding documents. The office also closed 88 percent of reported privacy incidents, the report states. DHS Chief Privacy Officer Mary Ellen Callahan, CIPP, said she is "pleased with the improvements."
Full Story

PRIVACY LAW—U.S.

Lawmakers Want “Supercookie” Investigation (September 28, 2011)

Reps. Ed Markey (D-MA) and Joe Barton (R-TX) have called for an investigation into the use of "supercookies" by websites, The Washington Post reports. In a letter to the Federal Trade Commission (FTC), the co-chairmen of the House Bipartisan Privacy Caucus said the technology could violate the FTC's "unfair or deceptive acts or practices" rule, adding, "We believe this new business practice raises serious privacy concerns and is unacceptable...the usage of supercookies takes away consumer control over their own personal information, presents a greater opportunity for misuse of personal information and provides another way for consumers to be tracked online." (Registration may be required to access this story.)

GEO PRIVACY—U.S.

Company Reverses Terms and Conditions Policy (September 28, 2011)

USA Today reports on General Motors' announcement that OnStar is reversing its proposed "terms and conditions" policy after privacy advocates voiced concern and Sen. Charles Schumer (D-NY) demanded an investigation. The company has said it will no longer track former customers via GPS-enabled technology. An OnStar representative apologized for "any confusion about our terms and conditions...We want to make sure we are as clear with our customers as possible, but it's apparent that we have failed to do this...We will continue to be open to their suggestions and concerns."
Full Story

DATA RETENTION—EU

Digital Rights Groups Oppose Blanket Retention (September 28, 2011)

More than 30 civil liberties organizations have signed and submitted a letter to the European Commission voicing opposition to the blanket retention of telecommunications data required under the EU Data Retention Directive, PCWorld reports. In the letter to Home Affairs Commissioner Cecilia Malmström, the groups argue that the retention of data is disproportionate and "therefore illegal" under the Charter of Fundamental Rights and the European Convention on Human Rights, the report states. The groups also query whether the practice has a "demonstrable, statistically significant impact on the prevalence or the investigation of serious crime in a given member state..."
Full Story

SOCIAL NETWORKING

Technologist Says Site Fixed Cookie Problem (September 28, 2011)

ZDNet reports that Facebook has denied technologist Nik Cubrilovic's claim that the social networking site tracks users even after they have logged out. Cubrilovic, whose claims incited concerns among privacy advocates this week, says Facebook has since made changes to the logout process, alleviating privacy concerns. He has detailed the functions of what he says are the site's five persistent cookies, including the user ID, which he says is now destroyed when a user logs out. The rest of the cookies, Cubrilovic says, are not concerning and users "shouldn't worry about them."
Full Story

PRIVACY LAW—AUSTRALIA

Minister: Breach Notification Laws Possible (September 28, 2011)

A discussion paper for Australia's proposed federal privacy reforms, announced last week, could introduce a statutory cause of action for victims of privacy invasions, reports SC Magazine. A spokesperson for Home Affairs Minister Brendan O'Connor says that "proposals for mandatory breach notification rules (would be) considered by the government once foundational reforms to the Privacy Act have been progressed." O'Connor's department has said that it would consider breach notification laws if there is sufficient evidence that the loss of personal information within business is increasing and information security is lacking. The Australian Law Reform Commission recommended breach notification laws in 2008, and they have remained under consideration since.
Full Story

DATA RETENTION—U.S.

DOJ Document Reveals Cell Data Retention Periods (September 28, 2011)

Wired is reporting on the retention periods of major cellular service providers after the American Civil Liberties Union of North Carolina obtained a Department of Justice document intended for law enforcement through a Freedom of Information Act request. The document reveals carriers' retention terms for text messages and cell-site data. "This brings cellular retention practices out of the shadows so we can have a rational discussion about how the law needs to be changed when it comes to the privacy of our records," said Kevin Bankston of the Electronic Frontier Foundation.
Full Story

HEALTHCARE PRIVACY—U.S.

Nurse Faces 51 Counts For Records Theft (September 28, 2011)

A Colorado nurse is facing five counts of identity theft and 46 counts of theft of medical records, Boulder Daily Camera reports. Cannon Lamar Tubb worked at numerous hospitals in the Denver metro area between May 2010 and January 2011 and, during that time, accessed 85 confidential patient and staff records, a 2010 audit revealed. He allegedly used some patients' financial information to open credit card accounts and make purchases. Letters were sent to patients under Tubb's care and to those whose medical records were breached.
Full Story

GEO PRIVACY—U.S.

Lawmakers Take on Tracking Practices (September 27, 2011)

The Christian Science Monitor reports that Sen. Charles Schumer (D-NY) has asked the FTC to investigate OnStar's privacy policy changes. Schumer and a group of legislators wrote a letter to OnStar's president, saying its recent policy change allowing it to track former customers through its GPS-enabled hardware is a "brazen invasion" of consumer privacy. Apple, Facebook and Google have also come under fire for tracking consumers without appropriately notifying them, and analysts are calling OnStar's actions another example of technology outpacing privacy regulations, the report states. Rep. Marsha Blackburn (R-TN) will speak about potential regulation of consumer tracking and other privacy issues during a town hall program in Santa Clara, CA, on Wednesday.

SOCIAL NETWORKING

Researcher Says Network Tracks Users Post-Logout (September 27, 2011)

An Australian technologist has found that Facebook tracks the websites its users visit even when they are logged out of the site, reports The Age. The site alters its cookies when a user logs out, but does not delete them, the technologist found. The company responded to the allegations, saying it quickly deletes the collected data and is looking at ways to avoid sending it altogether. New Zealand Privacy Commissioner Marie Shroff said she is looking at the issue closely, and Australia's privacy commissioner said that, in general, users should be allowed to opt out of data collection. Meanwhile, experts are drawing connections between this revelation and other privacy concerns.
Full Story
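The two items above (September 28 and September 27) turn on one concrete behaviour: cookies that are rewritten at logout rather than expired, so the browser keeps sending them. The following is an added example, not code from the original article or from Facebook, showing what a logout handler should emit and how a reviewer can audit a logout response's Set-Cookie headers for identifying cookies that were merely rewritten. The cookie names (`uid`, `sess`), the domain `example.com` and the sample responses are constructed for illustration.

```javascript
// Added example (not from the original article or the site it describes).
// Cookie names, domain and sample responses below are hypothetical.

// Cookies that identify the account or session and must be removed at logout.
const IDENTIFYING_COOKIES = ['uid', 'sess'];

// Set-Cookie headers a logout handler should emit: each identifying cookie is
// overwritten with an empty value and an expiry in the past, using the same
// Domain/Path it was originally set with (otherwise the browser keeps the original).
function buildLogoutHeaders(names, domain, path = '/') {
  return names.map((name) =>
    `${name}=; Domain=${domain}; Path=${path}; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0; Secure; HttpOnly`
  );
}

// Parse one Set-Cookie header into { name, value, attrs } with lower-cased attribute keys.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

// A cookie counts as cleared only if the header actually expires it:
// Max-Age <= 0 or an Expires date in the past. A new value alone is not a deletion.
function isCleared(cookie) {
  const maxAge = cookie.attrs['max-age'];
  if (maxAge !== undefined && Number(maxAge) <= 0) return true;
  const expires = cookie.attrs['expires'];
  if (expires !== undefined && Date.parse(expires) < Date.now()) return true;
  return false;
}

// Audit a logout response. Returns which identifying cookies were cleared, which
// were rewritten with a new value but left alive (the pattern the reports describe),
// and which the response never touched at all (so the old value survives unchanged).
function auditLogout(setCookieHeaders, identifying = IDENTIFYING_COOKIES) {
  const seen = new Map();
  for (const h of setCookieHeaders) {
    const c = parseSetCookie(h);
    seen.set(c.name, c);
  }
  const result = { cleared: [], rewritten: [], untouched: [] };
  for (const name of identifying) {
    const c = seen.get(name);
    if (!c) result.untouched.push(name);
    else if (isCleared(c)) result.cleared.push(name);
    else result.rewritten.push(name);
  }
  return result;
}

// Constructed sample logout responses (not real captures).
// First: identifying cookies altered but kept alive for a year or more.
const ALTERED_NOT_DELETED = [
  'uid=0; Domain=.example.com; Path=/; Expires=Sat, 01 Jan 2033 00:00:00 GMT',
  'sess=deleted; Domain=.example.com; Path=/; Max-Age=31536000',
];
// Second: what a correct logout should send.
const PROPER_LOGOUT = buildLogoutHeaders(IDENTIFYING_COOKIES, '.example.com');

if (typeof require !== 'undefined' && require.main === module) {
  console.log('altered but not deleted:', auditLogout(ALTERED_NOT_DELETED));
  console.log('proper logout:', auditLogout(PROPER_LOGOUT));
}
```

Run with `node` to see both verdicts. The audit deliberately treats a non-empty value with no expiry as "rewritten", not "cleared": a cookie such as `sess=deleted` with a long Max-Age still travels with every subsequent request, which is exactly the condition the researcher was testing for.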

HEALTHCARE PRIVACY—U.S.

Strategic Plan Needs More, Some Say (September 27, 2011)

GovInfoSecurity reports that some experts say the Federal Health IT Strategic Plan "doesn't go far enough in spelling out specific action steps and priorities." Following a public comment period, the Department of Health and Human Services' Office of the National Coordinator for Health IT issued the final version of the plan earlier this month. One expert says the plan "incorporates all the right areas of focus with respect to privacy and security but misses the chance to address some important issues that will be critical to healthcare's future success in addressing data security," including giving Health Insurance Portability and Accountability Act enforcement sharper teeth.
Full Story

PRIVACY LAW—U.S.

Judge Approves Bookseller Deal (September 27, 2011)

A New York bankruptcy judge has approved a deal that will make way for Barnes & Noble to purchase a defunct bookseller's customer list, paidContent reports. Judge Martin Glenn approved the deal on Monday. It will give Barnes & Noble access to details on 48 million former Borders' customers. The deal was halted late last week due to privacy concerns related to Borders' privacy policy. Under new data protection provisions in the deal, customers will be notified that Barnes & Noble will take possession of their personal information, and they will have 15 days to opt out of the transfer.
Full Story

SOCIAL NETWORKING

Site’s Redesign Ignites Concerns (September 27, 2011)

Facebook's planned redesign has some users and privacy advocates concerned, The Washington Post reports. The redesign will integrate third-party apps into a user's profile page and update user activity on those apps automatically, meaning "users will have to think more carefully about what apps they use, since their private media consumption, exercise routines and other habits could be automatically published on their profiles," the report states. Pam Dixon of the World Privacy Forum said consumers have voiced that they don't understand the new, more granular privacy controls. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

Opinion: Search Engines Need Discretion (September 27, 2011)

In a column for The New York Times, Noam Cohen analyzes the "predicament" surrounding the loss of control of one's online identity through search engine algorithms. One such case involves a U.S. presidential candidate whose lost online identity "stands as a chilling example of what it means to be at the mercy" of a search engine algorithm. A search engine company says that "search results are a reflection of the content and information that is available on the Web," but Cohen writes that the issue should be directed at the companies, not the algorithms, "especially when it comes to hurting living, breathing people." (Registration may be required to access this story.)
Full Story

PRIVACY

Report Spotlights “New World of Corporate Privacy” (September 26, 2011)

The Wall Street Journal explores the value of privacy impact assessments to avoid "running into regulatory fire in the complicated landscape of privacy law" across jurisdictions, pointing out that a "growing cadre of professionals is being hired to manage companies' privacy risk." The report spotlights the work of the IAPP; includes insights from several IAPP members from leading companies including GE, IBM, Apple and Hewlett-Packard, and quotes IAPP President and CEO J. Trevor Hughes, CIPP, who explains that when it comes to the work of privacy professionals, "Early on it was all about compliance. Today, there is as much business-management focus as there is law and compliance." (Registration may be required to access this story.)

PRIVACY LAW—U.S.

FCC “Open Internet” Rule Published (September 26, 2011)

The Federal Communications Commission (FCC) on Friday published its "open Internet" order in The Federal Register. The order aims to balance consumer and content provider interests with those of Web access providers, reports Reuters, and one access provider has pledged to take the FCC to court over it. The rules, adopted last December, go into effect on November 20 and stop ISPs from blocking legal content such as applications that require a lot of bandwidth. An FCC spokesman said the rules will increase certainty and predictability, but some public interest groups are saying the FCC succumbed to industry pressure and the rules don't go far enough.
Full Story

RFID—EU

Product Tagging Increasing (September 26, 2011)

It's not only a computer that can be connected to the Web now, reports BBC News, it's your smartphone, your car, your home and even your jeans. Retailers are increasingly tracking products with radio frequency identification tags (RFID), interconnectivity that could allow for monitoring of virtually anything at any time. Privacy advocates have raised concerns that RFID tags could read more data than intended, such as a consumer's RFID-tagged passport or driver's license, and could lead to cases of identity theft. European Data Protection Supervisor Peter Hustinx has warned that with any tracking devices, "there's privacy relevance" and uses must be compliant with the new European Commission Framework, signed by the commission this year.
Full Story

DATA PROTECTION

New Technologies and Tips for Protecting Data (September 26, 2011)

The frequency and scale of recent data breaches is causing many companies to reevaluate their data protection mechanisms and question what to do in the event of a cyberattack. The Wall Street Journal reports on new methods of system security that go beyond the password, such as two-factor authentication and machine fingerprinting. While not perfect, one expert equates the additional security to "putting speed bumps in front of the bad guys." In a separate report, the WSJ outlines a list of steps to take if your organization has been hacked, including preemptive training and planning; when to call in the experts and authorities, and tips on notifying customers. (Registration may be required to access this story.)
Full Story

DATA LOSS—U.S.

Auction Win: Storage Space and Medical Records (September 26, 2011)

A man intending to buy a storage unit in Alabama inadvertently purchased about 20 boxes of personal medical records, TimesDaily.com reports. The boxes contained patient records from 2002 to 2009 belonging to Digital Diagnostic Imaging, Inc., which is now closed. The Alabama State Board of Medical Examiners' rules and regulations state that the physician retiring or terminating a medical practice is responsible for ensuring that patients "receive reasonable notification and are given the opportunity to arrange for the transfer of their medical records." A board spokesman speculated that it's likely the records belonged to the company, not the physicians, however.
Full Story

PRIVACY LAW—U.S.

Bookseller IP Deal on Hold (September 23, 2011)

A bankruptcy judge said at a hearing yesterday that he needs more time to deliberate on whether Barnes & Noble needs consent from certain longtime customers whose information was purchased from Borders Group, Inc., Reuters reports. Implemented in 2008, Borders' privacy policy states that customer information can be sold, but customers who joined before then may be subject to different obligations. Judge Martin Glenn said, "You recognize the risk that even if I approve the transaction...the Federal Trade Commission or state attorneys general may decide they're not satisfied, and they bring an enforcement action." A Barnes & Noble attorney said he was "concerned this deal might fall apart over these issues unnecessarily."

PRIVACY LAW—U.S.

Data Breach Bills Move in House, Senate Panel (September 23, 2011)

The Senate Judiciary Committee has narrowly approved three bills that would require organizations to secure personal data and notify customers if their data is compromised, the National Journal reports. When addressing Sen. Dianne Feinstein's (D-CA) bill, Sen. Chuck Grassley (R-IA) said, "we may end up with more burdensome regulations...and consumers still going unprotected because the over-notifications will be ignored." Sen. Patrick Leahy's (D-VT) Personal Data Privacy and Security Act of 2011 would make data breach notification a national standard and data breach concealment a crime. Meanwhile, Rep. Mary Bono Mack's (R-CA) SAFE Data Act was approved by a House subcommittee and will move to the full committee for approval. Bono Mack said, "Consumer notification is often hampered by the fact that companies must first determine their obligations under 47 different state regimes."
Full Story

DATA LOSS—U.S.

Man Arrested in Sony Hacking (September 23, 2011)

An arrest has been made in the Sony Pictures data breach case, the Los Angeles Times reports. A 23-year-old Phoenix man, Cody Kretsinger, faces federal charges of conspiracy and "unauthorized impairment of a protected computer," according to the report. He is believed to be affiliated with the group LulzSec, which claimed responsibility for the breach. Kretsinger will face a federal magistrate in Phoenix today.    
Full Story

GEO PRIVACY—U.S.

Franken, Coons Urge OnStar To Reconsider (September 23, 2011)

Sens. Al Franken (D-MN) and Chris Coons (D-DE) have written a letter to OnStar voicing concerns over the company's recent announcement that it will change its privacy policy, reports The Hill. "OnStar's actions appear to violate basic principles of privacy and fairness for OnStar's approximately six million customers--especially for those customers who have already ended their relationships with your company," the letter reads. The senators say the company's actions reinforce the need for a law protecting consumer data. The letter asks OnStar for details on whether it has suffered a data breach in the past and what it plans to do with the data. 
Full Story

GEO PRIVACY—U.S.

Location Privacy At Issue in Stingray Case (September 23, 2011)

The Wall Street Journal's Jennifer Valentino-Devries reports on issues raised by the FBI's use of cell phone-tracking devices, sometimes referred to as "stingrays," and whether authorities need search warrants to employ the devices when apprehending suspects. In a U.S. District Court in Arizona, a defendant has argued that the use of the "stingray" without a warrant "disregards the United States Constitution." One state authority says that officers do not need warrants because stingrays do not "intercept communication, so no wiretap laws would apply." (Registration may be required to access this story.)
Full Story

SOCIAL NETWORKING

Facebook and Netflix Pair Up, But Not in U.S. (September 23, 2011)

At Facebook's f8 conference yesterday, Netflix announced that it will integrate its video streaming services with Facebook, allowing users to watch videos--and see what their friends are watching--on Facebook. The service will be available in 44 countries, not including the U.S., where the Video Privacy Protection Act (VPPA) prevents the disclosure of video sales and rentals, reports The Washington Post. Netflix executives are chiding the law for being outdated, saying "it is ambiguous when and how a user can give permission for his or her video viewing data to be shared." According to the Netflix government affairs director, some members of U.S. Congress have proposed legislation to allow users to make this choice. (Registration may be required to access this story.) 
Full Story

PRIVACY LAW—U.S.

State Senate Passes Breach Notification Legislation (September 23, 2011)

ABC27 reports on the Pennsylvania Senate's approval of legislation that would require state and local government agencies to provide breach notification to the public within one week of an incident involving personal information. Passed unanimously, Senate Bill 162 would also require the state Attorney General's Office to investigate breaches of state agencies, while county district attorney offices would investigate local government breaches. The bill's author, Majority Leader Dominic Pileggi, said the bill is necessary after three breach incidents involving approximately 17,800 Social Security numbers and the personal data of 400,000 state residents went unreported for two to three weeks, the report states.
Full Story

PRIVACY LAW—AUSTRALIA

Gov’t Considers Civil Right of Action for Breaches (September 23, 2011)

The federal government is accepting public comments on its newly released issues paper on privacy law. The paper explores the potential creation of new laws to give Australians a civil right to action for certain privacy breaches, The Sydney Morning Herald reports, which is something the Australian Law Reform Commission has proposed. The paper supports the creation of new federal legislation that would serve to deter breaches. Privacy Minister Brendan O'Connor said, "This government believes in people's right to privacy" but that right must be balanced with free speech and freedom of the media, he said. The government will accept comments until November 4.
Full Story

PRIVACY LAW—U.S.

Judge: No Harm Shown in Apple App Suit (September 23, 2011)

U.S. District Court Judge Lucy Koh has dismissed a group of consolidated class-action suits alleging that Apple and eight mobile-application makers shared users' personal information without their consent. Koh wrote in her opinion that the plaintiffs did not show any tangible injuries from the alleged online tracking but gave the plaintiffs 60 days to file an amended complaint. MediaPost News reports that the plaintiffs claimed Apple devices' unique identifiers allowed for third parties to track consumers "on an ongoing basis and across numerous applications." The plaintiffs' attorney confirmed they will file an amended complaint.
Full Story

DATA PROTECTION—U.S.

NIST Seeks Feedback on Risk Assessment (September 23, 2011)

The National Institute of Standards and Technology (NIST) is seeking comments on its "Guide for Conducting Risk Assessments." The guidance aims to help agencies assess risk within their IT systems and strengthen federal cybersecurity, InformationWeek reports. NIST describes assessment as one of four steps in agencies' general security risk management strategy, the report states, noting risk assessment helps thwart incidents before they can occur. A federal IT official testified to Congress this week that risk mitigation is a key feature of the government's future security measures, especially when it comes to cloud computing.
Full Story

PRIVACY LAW—U.S.

Privacy Policies at Issue in Bookseller IP Deal (September 22, 2011)

After purchasing a bankrupt competitor's customer information at auction, Barnes & Noble has said it does not have to comply with privacy recommendations suggested by a third-party expert, Reuters reports. Covington & Burling attorney Michael St. Patrick Baxter issued a report on Wednesday including customer information acquisition terms that he believes Barnes & Noble should follow to appropriately obtain Borders Group Inc.'s intellectual property. Borders' privacy policy was implemented in 2008, but Barnes & Noble has said that its own privacy policies are appropriate standards to protect the acquired data, the report states. Court approval of the deal will be sought today at a hearing in a U.S. Bankruptcy Court in Manhattan, NY.

DATA LOSS—SWEDEN

50,000 Patient Records Lost in System Crash (September 22, 2011)

Approximately 50,000 patient records from 14 clinics and two hospitals in Region Skåne may have been lost when a computer system crashed late last month, The Local reports. The failed hard drives have been sent to a Norwegian company specializing in data recovery. The cause of the system failure and the extent of the lost information are not known, the report states. One representative familiar with the case said, "The job is still ongoing, and they've had to bring in specialists from the United States." The director of the National Board of Health and Welfare's Southern Region said, "We have never before lost so much information."
Full Story

PRIVACY LAW—FRANCE

CNIL Elects New Chair (September 22, 2011)

The board of France's data protection authority--CNIL--has elected Isabelle Falque-Pierrotin as its new chair, Hunton & Williams' Privacy and Information Security Law Blog reports. The move comes after the resignation of Alex Türk, which became official on September 21. Prior to becoming a member of CNIL in 2004 and Deputy Chair in February 2009, Falque-Pierrotin worked for the Organisation for Economic Cooperation and Development and was chair of the French Internet Rights Forum. 
Full Story

GEO PRIVACY—U.S.

Policy Change in Anticipation of Future Services (September 22, 2011)

OnStar communication service spokesman Vijay Iyer has said the company's recent policy change--to collect location data through its equipment even if the vehicle owner is not an OnStar subscriber--is in anticipation of future services the company may offer, The Wall Street Journal reports. The policy also underscores that the company can share that data--in an anonymized format--with roadside assistance and emergency providers, authorities, credit card processors, data management companies and contracted third parties for marketing purposes. Iyer said OnStar is working to be transparent about the change, and subscribers can request the two-way connection be shut off upon disabling the service. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Law Forbidding Warrantless Cell Phone Searches in Effect (September 22, 2011)

A California law took effect this week that requires law enforcement officers to obtain a search warrant before seizing and searching a suspect's cell phone. The law unanimously passed the California Assembly, overturning a California Supreme Court decision last January that allowed police to search the cell phones of assailants. The law applies not only to cell phones but also to all "portable electronic devices...capable of creating, receiving, accessing or storing electronic data or communications." Attorney Hanni Fakhoury of the Electronic Frontier Foundation said the law sends a strong message to other courts and U.S. legislatures--as well as the U.S. Supreme Court.
Full Story

PRIVACY LAW—PHILIPPINES

Senate Introduces Data Protection Legislation (September 22, 2011)

New legislation has been introduced in the Senate that would enact a data protection bill, Newsbytes.ph reports. The Data Privacy Act was sponsored by Sen. Edgardo J. Angara and supported by information technology and business process outsourcing industry representatives. The present version of the bill follows the information privacy principles laid out in the Asia-Pacific Economic Cooperation Privacy Framework, including harm prevention notice and data collection limits, the report states. Angara said, "Our Data Privacy Act will act as another layer of legal protection...This is a clear signal to potential investors that the Philippines is seriously committed to safeguarding information."    
Full Story

PRIVACY LAW—CANADA

No Online Monitoring in Crime Bill (September 22, 2011)

Prime Minister Stephen Harper's crime bill was revealed on Tuesday without a provision to allow for increased access to individuals' online activities, pleasing opponents of "lawful access," reports PostMedia News. "I take this as a positive, that even if Prime Minister Stephen Harper is going to reintroduce this, he'll allow Canadians to debate it," said one lawful access opponent. Canada's federal and provincial privacy commissioners expressed their concerns with the proposal in a letter earlier this year, saying it would "significantly diminish" Canadians' privacy. Government officials are stressing that more anti-crime legislation is on the way, and authorities need "21st century tools" to fight online criminals.     
Full Story

HEALTHCARE PRIVACY—U.S.

Health Breaches Rise, AGs Slow To Act (September 22, 2011)

iHealthBeat reports that only two state attorneys general have used the powers given to them by Congress to enforce the Health Insurance Portability and Accountability Act (HIPAA). Since the government bestowed enforcement powers on attorneys general in 2009 through the economic stimulus package, former Connecticut AG Richard Blumenthal and Vermont AG William Sorrell are the only ones to have taken action. Some experts say that high rates of HIPAA compliance, limited budget resources and AGs choosing to prosecute under state rather than federal laws may be contributing to the lack of action. Meanwhile, Health and Human Services reports that patient data breaches more than doubled from 2009 to 2010.
Full Story

PERSONAL PRIVACY—GERMANY

Researchers: TV Habits Determinable with Smart Meters (September 22, 2011)

A Münster University of Applied Sciences study found that, by analyzing patterns in electricity consumption transmitted by a household smart meter, researchers could figure out what program was playing on a television, reports The H Security. Previously, it was thought that smart meter data could only be used to distinguish between appliances, but because of the frequency of the data transfers--every two seconds--this finer analysis is possible, the report states. According to the research team, the discovery means tighter regulations on this data are needed.    
Full Story

HEALTHCARE PRIVACY

Survey: Industry Lacks Data Security (September 22, 2011)

A survey of the healthcare industry reveals that less than half the companies surveyed are bolstering privacy and security measures to keep up with the growing use of digital technology, Reuters reports. Of the 600 executives interviewed by PricewaterhouseCoopers' Health Research Institute, nearly 74 percent are planning to expand the use of electronic health records, but only 47 percent are addressing related privacy and security implications. One of the report's contributors, Jim Koenig, CIPP, said, "health IT and new uses of health information are changing quickly and the privacy and security sometimes may not be moving in step...That is some of the most sensitive and important information to a consumer, so with the advancement of healthcare IT, it's only natural that advancements in privacy and security should come along."  
Full Story

ONLINE PRIVACY—EU

Reding: Prior Cookie Consent Required (September 21, 2011)
European Commission Vice President Viviane Reding says that companies must gain prior user consent before processing cookies, reports Out-Law.com. The practices some website operators are using do not comply with EU law, Reding says, adding that privacy policies stating how data may be shared with third parties are not sufficient. Reding's comments are in line with the Article 29 Working Party's recent opinion on cookie consent but contradict guidance by the UK government, which has said consent may be obtained during or after processing and that prior consent is not necessary. Editor's note: The IAPP will host a Web conference Thursday, September 22, on "Cookies and the State of the European Union: Legal and Practical Considerations."

DATA LOSS—U.S.

Massachusetts AG Releases Breach Stats (September 21, 2011)

The Office of the Attorney General of Massachusetts has released statistics detailing the number of residents impacted by data breaches over the past 18 months. The Boston Globe reports that 2.1 million Bay Staters have been affected since the beginning of 2010. Twenty-five percent of reported breaches involved "deliberate hacking of computer systems containing sensitive data," the report states. AG Martha Coakley says these types of incidents will increase as vital personal information is increasingly stored on networks. "There is going to be more room for employee error, for intentional hacking," Coakley said. "This is going to be an increasing target."  
Full Story

SOCIAL NETWORKING—NORWAY

Company Answers Data Collection Questions (September 21, 2011)

Facebook has released a letter to the Norwegian data protection authority answering questions about its data collection and sharing practices, BusinessWeek reports. The company said that it does not use third parties when it takes information from users' pages for targeted advertising and that wall posts, photographs and personal data are only shared with third parties if a user consents, the report states. Saying the company's letter provided "useful feedback," Norway Data Protection Commissioner Bjorn Erik Thon added, "In the continuous dialogue with Facebook, we will aim to argue the company should give their users the opportunity to 'opt in' to new features when they are released rather than being signed on automatically and then having to 'opt out' later."   
Full Story

GEO PRIVACY—U.S.

Policy Update Means Ongoing Vehicle Tracking (September 21, 2011)

Vehicle navigation and emergency services company OnStar is notifying customers of an update to its privacy policy. Wired reports that, effective in December, the company will track the location and speed of OnStar-equipped vehicles even after drivers discontinue the service. It also reserves the right to sell that data in an anonymized format. An OnStar spokesman said the change means the company will "maintain a two-way connection" to vehicles "unless the customer says otherwise," the intent of which is to make it easier for former customers to re-enroll. "We hear from organizations periodically requesting our information," he added. An Ohio forensic scientist said the policy goes too far, calling it a "bullet point allowing them to collect any data for any purpose."
Full Story

DATA LOSS—U.S.

Breach Incidents Affect Three Clinics (September 21, 2011)

In three separate incidents, medical clinics have informed patients that their data was either accessed by unauthorized individuals or inappropriately discarded. In a letter, the Cook County Health and Hospitals System notified affected patients that an unencrypted and non-password-protected hard drive containing names, encounter numbers and administrative information was stolen. The NYU Langone Medical Center recently informed approximately 2,600 patients that records containing "limited personal information" were "mistakenly discarded, compacted and buried in a landfill." The documents contained names, dates of birth, gender and other clinical information. The Yanez Dental Corporation in California notified more than 10,000 patients that three password-protected computers containing sensitive data were stolen.
Full Story

HEALTHCARE PRIVACY—U.S.

HHS Unveils PHR Template (September 21, 2011)

At last week's inaugural Health and Human Services (HHS) Consumer Health IT Summit, HHS launched its Personal Health Record (PHR) model privacy notice, intended to help consumers understand the privacy policies and data handling practices of PHR products, reports InformationWeek. The template--a collaborative effort by HHS and the Federal Trade Commission--will "enable companies to present complex information in a manner that is accessible, consistent and conducive to promoting informed choice by consumers," the national coordinator for health IT told the audience. One industry analyst applauded the agencies for "working with industry to tackle a formidable barrier to adoption."
Full Story

ONLINE PRIVACY—GERMANY

Aigner Meets with Tech Giants, Consumer Groups (September 21, 2011)

German Consumer Protection Minister Ilse Aigner met with Facebook's spokesperson for global policy on Tuesday, calling the meeting "open and constructive" and adding that the company's popularity means it plays an important role in data protection, and it needs to change its data-handling practices, reports Deutsche Welle. The meeting comes on the heels of Facebook's entry into a code of conduct agreement with Schleswig-Holstein Data Protection Commissioner Thilo Weichert. While in the U.S., Aigner also met with Google and Microsoft representatives and consumer protection groups, and she has a meeting scheduled with the U.S. Trade Department about the Safe Harbor program. Aigner has voiced her desire for "strict bloc-wide rules on facial recognition, geodata and the profiling of individual Internet users," the report states.   
Full Story

HEALTHCARE PRIVACY

Study: Majority Concerned About EHRs (September 21, 2011)

The Australian reports on a survey that reveals more than 80 percent of citizens living in Australia, the U.S. and UK are concerned about the move towards electronic health records. Approximately 37 percent of Australians expressed concern about identity theft; 30 percent worried personal information would find its way onto the Internet, and three percent thought that an employer could access private health data, while only 17 percent expressed "no concerns." A survey representative said, "In all three countries, the growing use of e-medical records is a prime concern because adults believe that having healthcare organizations manage their data electronically exposes them to more threats."
Full Story

HEALTHCARE PRIVACY—U.S.

Opinion: Are Data Breaches Overreported? (September 21, 2011)

In Computerworld, Jay Cline, CIPP, examines whether the required reporting of some medical data breaches is warranted. Pointing to a recent Health and Human Services report to Congress on breaches involving personal health information in 2009 and 2010, Cline writes that many of the breaches involved loss of electronic devices or paper, misdirected communications or similar nonmalicious errors--seemingly low-impact breaches. Cline suggests that healthcare organizations "band together" to "voluntarily adopt a self-regulatory standard for medical data breach notification that specifies which types of data incidents do and do not pose a significant risk of harm according to the criteria laid out in the interim final rule."
Full Story

PRIVACY LAW—U.S. & NETHERLANDS

U.S. Cloud Providers Banned Pending Law Revision (September 20, 2011)
The Dutch government has announced it will ban U.S. cloud service providers from government contracts due to compliance concerns surrounding the U.S. Patriot Act, reports ZDNet. The Dutch government says this is a temporary measure until the European Commission changes data protection laws. U.S. providers must comply with Patriot Act information requests, which contravenes an EU data protection law stating that organizations must have users' permission to share their data with non-European third parties. Dutch minister Ivo Opstelten said, "This basically means that companies from the United States in such bids and contracts are excluded." The report states that the Dutch government is also considering a ban on Google and Microsoft cloud offerings and asking for policies on requirements for awarding contracts.

PRIVACY LAW—U.S. & EU

U.S. Attorney General Defends Umbrella Agreement (September 20, 2011)

Speaking with the European Parliament's Civil Liberties Committee, U.S. Attorney General Eric Holder defended data sharing agreements between the EU and U.S., saying there was "not one single example of privacy being breached," the BBC reports. Holder added that the U.S. is committed to privacy protection but said the EU and U.S. "should not impose each other's system on each other." Although Holder did not provide details about the current negotiations between the EU and U.S., he did say that they are "much closer than some might have suggested."
Full Story

PRIVACY LAW—ANGOLA

National Assembly Passes Data Protection Law (September 20, 2011)

Hunton & Williams' Privacy and Information Security Law Blog reports that the National Assembly of the Republic of Angola has passed a national data protection law. Law 22/11 on Personal Data Protection will apply to all automated and non-automated personal data processing by controllers based in Angola. The legislation enacts a data protection agency (DPA) and establishes data processing principles, including transparency, proportionality, accuracy and data retention limits. The DPA must approve all international data transfers with countries that are not deemed adequate. Express consent from and notification to a data subject is required when processing his information. Data subjects also will have the right to access, opt out and delete their personal information. 
Full Story

EMPLOYEE PRIVACY—U.S.

Screening Site Questioned by Senators (September 20, 2011)

Sens. Richard Blumenthal (D-CT) and Al Franken (D-MN) have submitted a list of questions to an employment screening service looking for information on whether it violates applicants' privacy and the law. "We are concerned that there are numerous scenarios under which a job applicant could be unfairly harmed by the information your company provides to an employer. We are also concerned that your company's business practices may in some cases violate the law," the senators wrote in their letter. The Hill reports that the questions include whether people can correct mistakes in their profiles and how the firm, Social Intelligence Corporation, differentiates between people with common names, adding that its practice of taking screen shots of online profiles may violate some sites' terms of use.
Full Story

BIOMETRICS—U.S.

FTC To Host Facial Recognition Workshop (September 20, 2011)

The Federal Trade Commission will host a workshop on December 8 to explore the privacy and security implications of facial recognition technology. "The FTC workshop will gather consumer protection organizations, academics, business and industry representatives, privacy professionals and others" to examine the landscape, including the benefits, current and future uses, legal protections, use by children and teens and other topics. The FTC is accepting written reports and studies related to the topic at facefacts@ftc.gov.
Full Story

PERSONAL PRIVACY—U.S.

Commissions Agree on Smart Grid Data Policies (September 20, 2011)

UTC Insight reports that U.S. states seem to be accepting a standard approach to customer data access and privacy when it comes to the smart grid. The Colorado Public Utilities Commission recently made a decision that follows an earlier California Public Utilities Commission decision: utilities have a right to collect and use customer data to provide services, but the same rules do not apply to sharing that data with non-utility third parties. In that case, customer consent will be required, the two commissions agree.
Full Story

PRIVACY LAW—U.S. & MACAU

Case Seeks Return of “Massive Amounts” of Data (September 19, 2011)
A former Las Vegas Sands (LVS) Macau CEO who is involved in a wrongful termination suit has been accused of refusing to return "massive amounts of confidential company data," AsiaOne News reports. LVS has listed concerns that Steven Jacobs "will disclose company documents that contain personal data in violation of Macau law. The Macau Personal Data Protection Act provides for serious sanctions in such circumstances." An attorney for Jacobs is disputing the plaintiff's claims and has said "Macau data privacy laws do not prevent any of the parties from producing documents in this action."

DATA LOSS—AUSTRALIA

Pilgrim: PSR Breached Privacy Act (September 19, 2011)

After a 14-month investigation, Privacy Commissioner Timothy Pilgrim has determined that the Professional Services Review (PSR) breached the Privacy Act, The Australian reports. Pilgrim said the agency stored pharmaceutical and Medicare claims information in the same database, which "was in contravention of PSR's obligations under the privacy guidelines for Medicare benefits and Pharmaceutical benefits programs." The PSR has agreed to improve its data handling practices as a result; it will separate the stored data and update its information technology policies. Pilgrim also examined PSR's data security practices, finding that it "has appropriate security safeguards in place."
Full Story

ONLINE PRIVACY—EU

Regulators Weigh Opt-In, Opt-Out (September 19, 2011)

The European Commission has been weighing how to best address issues around online tracking, The New York Times reports, and while there appeared to be some consensus around a self-regulatory model earlier this year, "regulators representing EU member states, backed by consumers' rights groups, are balking at the voluntary arrangement, which they argue does not adequately protect individuals from unwittingly permitting marketers to collect personal data." The report focuses on the push-and-pull between calls by consumer advocates for an opt-in mandate as part of the revised EU Data Protection Directive and the industry position that such a move would be "cumbersome" and using an opt-out model "fits with the needs of today's Internet users." (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

Researcher: Smartphone IDs Not Secure (September 19, 2011)

The Wall Street Journal reports on the use of smartphones' unique ID numbers as a way for criminals to access users' social networks. While the IDs do not contain user information in and of themselves, the report notes that "app developers and mobile ad networks often use them to keep track of user accounts, sometimes storing them along with more sensitive information like name, location, e-mail address or social-networking data," effectively using the IDs as what researcher Aldo Cortesi describes as a not-too-secure key to that information. "Mobile security is not limited to a singular app or games overall--it's an issue that the entire mobile ecosystem needs to address," Cortesi said. (Registration may be required to access this story.)
Full Story

DATA LOSS—U.S.

State Employee Could Face Prison Time for Tax Breach (September 19, 2011)

A Connecticut state employee faces up to six years in prison for breaching the privacy of taxpayers, Hartford Business Journal reports. The 33-year-old Department of Revenue Services employee was arrested on Friday for allegedly reviewing 15 individuals' tax returns without a legitimate business need, the report states. The agency is notifying those affected and offering free identity theft protection services. Last week, Connecticut Attorney General George Jepsen announced the creation of a Privacy Task Force that will investigate data breaches and educate the public about data protection. Assistant Attorney General Matthew Fitzsimmons will lead the task force.
Full Story

ONLINE PRIVACY

The Online Driver’s License? (September 19, 2011)

The New York Times explores the issue of online identity authentication. The government's National Strategy for Trusted Identities in Cyberspace aims to enhance authentication so citizens will feel emboldened to conduct business via the Internet. But some say the creation of an Internet ID will make users more vulnerable to misuse and identity theft. "The whole thing is fraught with the potential for doing things wrong," says Microsoft engineer Kim Cameron. One privacy advocate says new laws would be necessary in order to control how identity verifiers could use Netizens' data. (Registration may be required to access this article.)
Full Story

PRIVACY LAW—U.S.

Use of ETags Brings Another Lawsuit (September 19, 2011)

Another lawsuit has been filed against analytics company KISSmetrics and one of its partners for their alleged use of ETags, reports MediaPost. Four Texas residents filed the suit on Wednesday in U.S. District Court for the Central District of California. They allege that the companies' actions "caused both economic harm and non-economic harm" and that the "personal information defendants compiled and misappropriated included sensitive information, such as users' video viewing choices." In August, privacy researchers published a report showing how, using ETags, KISSmetrics could recreate cookies erased by users. At that time, KISSmetrics CEO Hiten Shah defended his company's use of the technology.
Full Story

PRIVACY

Jennifer Barrett Glasgow Receives 2011 Privacy Vanguard Award (September 16, 2011)
Jennifer Barrett Glasgow, CIPP, Acxiom Corporation Executive for Global Public Policy and Privacy, received the 2011 IAPP Privacy Vanguard Award at the annual Privacy Dinner last night in Dallas, TX. Presenting the award, past IAPP Board Chairman and GE Chief Privacy Leader Nuala O'Connor Kelly, CIPP, CIPP/G, described Barrett Glasgow as an educator, advocate and "model of courage, of poise and grace." Also recognized at the dinner were the winners of the 2011 HP-IAPP Innovation Awards--Warner Bros. Entertainment, Inc., Ontario Telemedicine Network and Heartland Payment Systems. Texas Comptroller Susan Combs delivered the evening's keynote address on how agencies, businesses and organizations can learn from a data breach, make proactive data protection choices and improve for the future.

DATA LOSS—UK

NHS Trust Signs Undertaking for Breach (September 16, 2011)

An NHS trust has signed an undertaking with the Information Commissioner's Office for contravening the Data Protection Act by improperly disposing of sensitive personal data, publicservice.co.uk reports. During an office move, the Eastern and Coastal Kent Primary Care Trust left a CD containing data on 1.6 million people in a filing cabinet that was sent to a landfill, according to the report. The undertaking requires that the trust develop certain policies and procedures and increase staff training.
Full Story

EMPLOYEE PRIVACY—U.S.

GPS Tracking of Worker Challenged in Court (September 16, 2011)

A New York Civil Liberties Union (NYCLU) lawyer is arguing that placing a GPS tracking device on an employee's private car violates an individual's right to privacy, The Wall Street Journal reports. A government employee was fired last year after it was determined that he claimed pay during times he was not working. The government agency was able to prove the discrepancy because it placed a GPS device on the employee's private car, which tracked the employee during evenings, weekends and vacations, the report states. The NYCLU lawyer said, "There's no cause that can justify such an intrusive search." However, Deputy Solicitor General Kate Nepveau disagreed, saying, "It has the reasonableness pattern of continuing misconduct." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Proposed COPPA Rule Changes Bring Praise, Concern (September 16, 2011)

The Wall Street Journal reports on the Federal Trade Commission's proposed changes to the COPPA rule, announced on Thursday. The changes would require websites to obtain parental consent for certain tracking and profiling activities, among other provisions. While some lawmakers and privacy advocates are lauding the proposed rule changes--Rep. Edward Markey (D-MA) described them as a "much-needed step"--the advertising industry has expressed concerns. "We think they may have gone a little too far," said the Direct Marketing Association's Jerry Cerasale. The public comment period on the proposed rule changes will be open until November 28. (Registration may be required to access this article.)
Full Story

PRIVACY LAW—U.S.

Committee Explores EU Regulatory Approach (September 16, 2011)

Witnesses at a House subcommittee hearing yesterday offered differing perspectives on the need for a broad-based privacy law in the U.S. A Commerce Department official said baseline privacy protections "would help the competitiveness of our businesses," while others warned about the burdens such a law could pose. During the "Internet Privacy: The Impact and Burden of EU Regulation" hearing, which also served to help the committee understand more about the European approach to privacy regulation, Peter Swire, CIPP, law professor and Center for American Progress fellow, cautioned that a "'we don't care about privacy'" attitude from the United States creates major risks for U.S. jobs, exports and businesses. 
Full Story

PRIVACY LAW—U.S.

Exodus of Senators Stalls Cybercrime Talks (September 16, 2011)

The departure of all but one Republican member from a Senate Judiciary Committee meeting--after raising concerns that two cybercrime bills "could overburden businesses with new regulations that they can't afford"--resulted in the lack of a quorum and the inability to move forward with amendments, the National Journal reports. The first of the two bills seeks to require companies to protect the consumer information they collect and provide notification in the event of a breach. It also includes increased penalties for data theft. The second bill includes only the reporting requirement. The markup has been postponed to a later date, the report states.   
Full Story

BIOMETRICS—U.S.

Givens Discusses Facial Recognition (September 16, 2011)

In an interview with Privacy Rights Clearinghouse founder Beth Givens, GovInfoSecurity explores anxieties brought by advances in facial recognition technology and the lack of rules around its use. "Facial recognition technology can be used without the knowledge or the consent of the individual, to be totally oblivious," says Givens. "Yet, once you identify that person based on the unique characteristics of their face, you could then match it with other databases." Givens cites a Carnegie Mellon University study that looked at the convergence of biometric and other data and found that much can be revealed about a person using facial recognition technology.    
Full Story

PRIVACY LAW—U.S.

Two Hearings on Capitol Hill Today (September 15, 2011)
Two privacy-related hearings took place on Capitol Hill today. The Senate Committee on the Judiciary convened at 10 a.m. to discuss legislation including the Personal Data Privacy and Security Act of 2011; the Data Breach Notification Act, and the Personal Data Protection and Breach Accountability Act of 2011. The House Subcommittee on Commerce, Manufacturing and Trade met at 9:30 a.m. for "Internet Privacy: The Impact and Burden of EU Regulation," where, according to its background memo, members were to "examine the European Union's privacy and data collection regulations and how they have impacted the Internet economy." In an American Public Media feature, academics explore this topic. USA Today reports that a coalition of 80 consumer organizations has sent a letter to the committee's chairwoman expressing concern that the hearing is biased toward industry rather than consumer concerns.

CHILDREN’S PRIVACY—U.S.

FTC Seeks Comment on COPPA Changes (September 15, 2011)

The Federal Trade Commission (FTC) is seeking public comment on proposed amendments to the Children's Online Privacy Protection Rule. The changes include updating the definition of personal information to include geolocation and identifiers such as online cookies; clarifying the direct notice operators must give parents prior to collecting children's personal information; new methods of obtaining parental consent, including electronic scans of parent signatures and videoconferencing; strengthening rules on third-party security provisions, and fortified FTC oversight of self-regulatory safe harbor programs. The FTC initiated a review of the Children's Online Privacy Protection Act in 2010. The proposed amendments take into consideration feedback following a public roundtable and industry submissions.
Full Story

DATA PROTECTION—EU

Company Pushes To Offer Europe-Only Cloud Services (September 15, 2011)

A telecommunications company is asking regulators to issue a certificate for German or European cloud service providers to help protect online data from government access, Bloomberg reports. Deutsche Telekom AG's T-systems wants to offer customers secure servers designed to prevent outside access such as that allowed under the U.S. Patriot Act, the report states. A representative from the company said, "Certain German companies don't want others to access their systems. That's why we're well-positioned if we can say we're a European provider in a European legal sphere and no American can get to them."
Full Story

BEHAVIORAL TARGETING—EU

WP Will Give OBA Opinion by End of Year (September 15, 2011)

In a meeting yesterday between industry groups and members of the Article 29 Working Party (WP), WP Chairman Jacob Kohnstamm recapped regulators' concerns over the advertising industry's self-regulatory code for online behavioral advertising (OBA) and announced plans to release an opinion on the code by the end of the year. The WP underscored the code's noncompliance with EU and national regulations because it "legitimizes processing on the basis of inaction or silence of the user." Industry representatives responded that the code's intent was not to achieve compliance but to level the playing field. Kohnstamm asked the representatives to respond to the WP's letter to the OBA industry and said the WP will use the information in forming its opinion. 
Full Story 

CHILDREN’S PRIVACY—EU

Commission Urges Improvements, Will Issue Proposals (September 15, 2011)

The European Commission (EC) says that European Union nations are not doing enough to protect children in the digital world, AFP reports. Citing insufficiencies in current recommendations, an EC report said new proposals on safeguarding children will be issued later in the year. The report urges member nations to "improve awareness of hotlines and privacy risks on social networking sites," noting that one out of three children aged 9-12, and three out of four teenagers aged 13-16 have online profiles. 
Full Story

DATA PROTECTION—U.S.

CT AG Creates Privacy Task Force (September 15, 2011)

Connecticut Attorney General George Jepsen yesterday announced the creation of a Privacy Task Force that will investigate data breaches and educate the public about data protection, reports CTMirror.org. "If you asked me a year ago where Internet privacy considerations rank in my office in terms of significant cases, I would have put it a lot further down than it has been," he said. "It seems like every month since I've taken office there's been some accident or issue that we've had to respond to." Four Jepsen staff members make up the task force, including personnel from the consumer protection, finance and healthcare units. 
Full Story 

TRAVELERS’ PRIVACY

Scanner Amendment Passes Subcommittee (September 15, 2011)

The House Subcommittee on Transportation Security has unanimously approved an amendment banning the full-body images produced by some airport security scanners, reports MSNBC. Privacy advocates have pushed for the removal of the scanners calling the images revealing and questioning the scanners' ability to store images. If signed into law, the Transportation Security Administration (TSA) would have 90 days to install automated target recognition software--which produces a generic stick-figure image--on the machines. On September 7, the TSA announced plans to spend $44.8 million on 300 additional millimeter-wave scanners to be installed with the new privacy-enhanced software. 
Full Story 

PRIVACY LAW—THAILAND

Opinion: Bill Falls Short of True Protection (September 15, 2011)

As Thailand's proposed Personal Information Bill awaits passage, an op-ed in the Bangkok Post outlines the pros and cons of the bill. While it lays out regulations for commercial data controllers, requiring them to adopt adequate data storage systems that meet Personal Information Protection Commission standards, the author writes that the bill also has some fundamental problems. "Almost every aspect of the individual right to personal information protection is heavily qualified," making it "difficult to rely on the act to provide any sort of framework for effective human rights protection," attorney Narun Popattanachai opines. "The second concern is the idea of allowing for open-ended qualifications to the data protection right, which is flatly inadmissible."
Full Story 

PRIVACY—FRANCE

Alex Türk Resigns as CNIL President (September 14, 2011)

The head of the French data protection authority--CNIL--has announced his resignation. According to the CNIL, Alex Türk will resign effective September 21, 2011. The announcement follows new legislative provisions drafted in March that prohibit Türk from serving as both head of CNIL and as a senator. A new CNIL president may be elected at a meeting to be held by the authority on September 21. (Article in French.)

ONLINE PRIVACY

Google Offers Location Service Opt-Out (September 14, 2011)

The New York Times reports Google will provide an option for residential WiFi routers to be removed from a registry the company uses to locate cell towers. The change comes in the wake of warnings by EU data protection regulators that "unauthorized use of data sent by WiFi routers, which can broadcast the names, locations and identities of cell phones within their range, violated European law," the report states. Google Global Privacy Counsel Peter Fleischer noted the opt-out comes at the request of several European data protection authorities and "will allow an access point owner to opt out from Google's location services." The opt-out will be available internationally, the report states. (Registration may be required to access this story.)
Full Story

SOCIAL NETWORKING

Facebook Hires Three: A Privacy Expert, Obama Advisor and Former MEP (September 14, 2011)

Facebook has hired a privacy expert for its Washington, DC, office, The Washington Post reports. Erin Egan, who is currently a partner at Covington & Burling and co-chair of that firm's global privacy and data security practice, will join the company in October as its senior policy advisor and director of privacy. Facebook spokesman Andrew Noyes said, "It's imperative that we scale our policy team so that we have the resources in place to demonstrate to policymakers that we are industry leaders in privacy, data security and safety." The company also announced the hiring of legislative advisor Louisa Terrell as its director of public policy and former European Parliament member Erika Mann as head of its Brussels office. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—CANADA

Damages Awarded Under PIPEDA (September 14, 2011)

A Canadian bank must pay monetary damages to a client after one of its employees disclosed the client's account information, reports Employment Law Today. An attorney representing Nicole Landry's husband in their divorce case subpoenaed a Royal Bank of Canada (RBC) employee to deliver Landry's bank account information to court. The employee also faxed Landry's information to the attorney without her consent, which violates RBC policies and the Personal Information Protection and Electronic Documents Act (PIPEDA). Landry claimed personal harm and humiliation--for which PIPEDA allows monetary damages--and was awarded $4,500. This is the second time damages have been awarded in PIPEDA's 10-year history.
Full Story

ONLINE PRIVACY—EU

Groups Dissatisfied with Status Quo (September 14, 2011)

While industry groups continue to push for self-regulation of online advertising, many consumer advocates and lawmakers are dissatisfied with the level of control Internet users have over their personal information, reports EurActiv. The European Commission, regulators and advertisers are meeting today in Brussels to discuss recent efforts, including the Interactive Advertising Bureau's do-not-track icon. "While this mechanism is welcome and constitutes an improvement to the current situation, it does not meet the requirement" to obtain informed consent, wrote Dutch regulator Jacob Kohnstamm. Meanwhile, civil liberties groups plan to meet in Brussels on Saturday to protest the EU Data Retention Directive and the European Commission's plans to store passenger name records currently held by airlines.
Full Story

PRIVACY LAW—U.S.

Maine Lawyers Debate Breach Damages (September 14, 2011)

Lawyers on both sides of the class-action lawsuit stemming from a 2007-2008 Hannaford Bros. data breach debated whether the victims were entitled to damages during a hearing on September 8. A 2010 decision, which upheld a 2009 court of appeals ruling, said "time and efforts alone...to avoid or remediate reasonably foreseeable harm" do not constitute a "cognizable injury," reports Corporate Counsel. In this most recent appeal, the plaintiffs' lawyer argued that the judge failed to consider claims for actual losses including bank and card replacement fees, loss of rewards points and ID theft insurance charges. Hannaford's lawyer claimed the original complaint does not plead that the plaintiffs paid any of these fees, and there are "plenty of Maine cases that say risk of future harm is not compensable."
Full Story

DATA PROTECTION—EU

New Agency To Oversee Database Security (September 13, 2011)

The European Union's General Affairs Council has approved plans to establish a pan-European agency to manage its large-scale IT systems, PCWorld reports. The new agency will be responsible for operational management of the Schengen Information System--which stores data on the exchange of information between individuals and law enforcement--and the Visa Information System--which stores visa data, including biometrics. The agency, to begin its work in the summer of 2012, will also oversee the EURODAC, which compares the fingerprints of asylum seekers and illegal immigrants, the report states. Experts have warned that effective security is essential given the sensitive nature of the data stored.

HEALTHCARE PRIVACY—AUSTRALIA

Doctors To Have Emergency Access to EHRs (September 13, 2011)

The Department of Health and Ageing (DHA) has revised its concept of operations to eliminate the "no access" tier of its document security levels, effectively giving doctors access to all electronic health records (EHRs) in the case of an emergency, reports ITNews. In a former draft of the initiative, patient-controlled EHRs had three levels, "no access," "limited access" and "general access." Privacy Commissioner Timothy Pilgrim has said the "limited" and "no access" security levels are central to consumer trust in the e-health system, while the Australian Medical Association president supports the change--which the DHA says was in response to doctors' concerns that vital information would not be available in an emergency.
Full Story

PRIVACY LAW—GERMANY

Commissioner Imposes Fine for Third-Party Sharing (September 13, 2011)

The data protection commissioner of the German federal state North Rhine-Westphalia (DPA) has imposed a €60,000 fine on an electronic payment service provider, reports Hunton & Williams' Privacy and Information Security Law Blog. Easycash GmbH unlawfully transferred bank account information in approximately 400,000 instances to an affiliated company to analyze the data for customer loyalty and bonus programs, the report states. The data included location, time and amount of bank account transactions. The DPA stated that companies "offering payment transaction services to merchants as trustees must exercise special care regarding such data" and should not share it with third parties for profiling purposes.
Full Story

HEALTHCARE PRIVACY—U.S.

HHS Releases Plan, Appoints OCR Director (September 13, 2011)

The Office of the National Coordinator (ONC) for Health Information Technology at HHS has released the final version of its Federal Health Information Strategic Plan, reports ModernHealthcare. The new version calls for an "HHS Inter-Division Task Force" to establish policy direction on privacy and security issues. An ONC spokeswoman said a major area being addressed is patient choice in the electronic exchange of their health information. Meanwhile, HHS has announced the appointment of Leon Rodriguez as director of the Office for Civil Rights. Davis Wright Tremaine partner Adam Greene opines that the biggest question for HIPAA covered entities and business associates will be what impact this will have on enforcement. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Opinion: Court Decision May Redefine Scope of Privacy (September 13, 2011)

The U.S. Supreme Court will hear a case in November to decide whether warrantless GPS tracking by authorities over a month's time violated a suspect's Fourth Amendment rights. Privacy expert Jeffrey Rosen says, "It's imperative that the court says yes." In a New York Times op-ed, Rosen writes that after two federal appellate courts upheld warrantless GPS tracking, Judge Douglas Ginsburg of the U.S. Court of Appeals for the District of Columbia Circuit argued that ubiquitous tracking over a month is "qualitatively different" than the public surveillance the court has upheld in the past. "If the court rejects his logic...surveillance is likely to expand, radically transforming our experience of both public and virtual spaces," Rosen writes, adding, "what's at stake...is more than just the future of GPS tracking: there's also online surveillance." (Registration may be required to access this story.)
Full Story

DATA LOSS—U.S.

Payment Card Data Exposed in Hacking Incident (September 13, 2011)

A vending machine company has announced that a hacker accessed its point-of-sale systems, exposing the payment card data of waterpark visitors in Tennessee and Wisconsin, reports Computerworld. Vacationland Vendors announced the breach on its blog, and while the post does not specify numbers, a Credit Union Times report estimates the breach affected 40,000 people. The blog claims that the hacker has targeted other similar companies, and the breach did not result from internal security weaknesses. The company is urging customers to monitor their bank and credit card statements but has not said whether affected customers have been notified.
Full Story

SOCIAL NETWORKING

Facebook Tests “Smart Lists” Feature (September 13, 2011)

Facebook has been testing a new privacy feature with a select number of users, reports Mobiledia. Smart Lists allows users to group their friends in categories and customize news feeds to deliver content to certain lists. The report states that the feature may be Facebook's response to Google+, which uses its "Circles" feature to categorize groups of people. Facebook has not officially announced the feature or when it will be released to all users.
Full Story

PRIVACY

Mexican DPA Discusses Data Protection, International Conference (September 12, 2011)

For the first time in its 33-year history, the International Conference of Data Protection and Privacy Commissioners (ICDPPC) will be held in Latin America, hosted this year by Mexico's Federal Institute for Access to Information and Data Protection (IFAI). In this Daily Dashboard exclusive, IFAI President Commissioner Jacqueline Peschard discusses the highlights of the upcoming 2011 conference, entitled "PRIVACY: The Global Age," as well as the work of the IFAI and the international data protection landscape. As Peschard puts it, in a time when data is not hemmed in by geographic boundaries, DPAs must work together across borders, which is one of the key aims of ICDPPC.

SOCIAL NETWORKING—GERMANY

Minister Calls for Government Ban on Site (September 12, 2011)

German Consumer Protection Minister Ilse Aigner has called on her cabinet colleagues to stop using Facebook, reports SPIEGEL. Aigner has cited ongoing German concerns about the site's data privacy practices in asking ministries to set a "good example and show that they give a high priority to the protection of personal data" by ceasing to use the site. Aigner's concerns follow orders by Schleswig-Holstein Data Protection Commissioner Thilo Weichert that Facebook remove its "like" buttons or face fines. Facebook has since agreed to develop a code of conduct. One expert says the degree of public concern over companies' data collection practices is currently "understated." 
Full Story

BEHAVIORAL TARGETING

W3C Announces Tracking Protection Working Group (September 12, 2011)

The World Wide Web Consortium (W3C) recently announced its Tracking Protection Working Group, established to create a "set of standards that enables individuals to express their preferences and choices about online tracking and enables transparency concerning online tracking activities," the group said on its blog. The Register reports that one of the first hurdles the group may face is getting all the stakeholders to agree on the standards. "A critical element of the group's success will be broad-based participation," W3C said, adding that do-not-track efforts by Microsoft and Mozilla will act as the basis for the group's work. Aleecia McDonald, senior privacy researcher at Mozilla, and another unidentified industry leader will co-chair the group. 
Full Story

BEHAVIORAL TARGETING—U.S. & EU

Consumer Group Says Web Paths Are Personal Data (September 12, 2011)

In a letter to the U.S. Federal Trade Commission and Europe's Article 29 Working Party, an international consumer group has asked that both regulatory bodies not accept the self-regulation of online behavioral advertising (OBA), PCWorld reports. Trans-Atlantic Consumer Dialogue (TACD) is concerned with the industry's move to define users' Web paths as "non-personal data." A representative from TACD also wrote that the industry's icon program attempts to dissuade users from opting out of OBA, while the director general of the European Consumers' Organization said, "The EU should not accept the advertising industry's attempt to redefine people's Internet usage as 'non-personal data.' It's certainly personal, and a clear line should be drawn..."
Full Story

PERSONAL PRIVACY—U.S. & CANADA

9/11’s Effect on Societal Norms (September 12, 2011)

American Public Media's "Marketplace" explores how the convergence of the government's post-9/11 intensified security efforts and Internet giants' remake of the online environment created a "data collection revolution." Researchers and an industry executive weigh in on ways that government investments in surveillance technology--such as facial recognition--have made possible online features and applications that, according to Alessandro Acquisti of Carnegie Mellon University, are "bringing us closer to a world where online and offline data merge. The consequences can be cool but also very creepy." Meanwhile, British Columbia Privacy Commissioner Elizabeth Denham questions whether the "progression of security measures," and subsequent loss of privacy, "has been effective or proportionate to the threat." Editor's Note: For more on the implications of Sept. 11 on privacy, read the Daily Dashboard exclusive, "An Unexpected Sept. 11 Legacy: Privacy and Civil Liberties Oversight Board Remains Dormant," and "How 9/11 Changed Privacy," from this month's Privacy Advisor.
Full Story

DATA LOSS—U.S.

Thefts Affect Thousands of Hospital Patients (September 12, 2011)

The Indiana University School of Medicine says the theft of a physician's laptop may have resulted in the loss of 3,000 patients' confidential information, the Chicago Tribune reports. The theft was reported to police, and the school has sent letters to those potentially affected by the breach. The personal data includes names, ages, genders, diagnoses, medical record numbers and--in some cases--Social Security numbers. Meanwhile, a Texas hospital employee has been charged with organized criminal activity after she was accused of taking hospital patients' personal information and using it to apply for short-term loans. Those affected have been notified. 
Full Story

DATA LOSS—U.S.

20,000 Patients’ Data Posted Online (September 9, 2011)

Stanford University's hospital has confirmed that the records of 20,000 emergency room patients were available online for almost a year. Names, diagnosis codes, account numbers, admission and discharge dates, among other data, were posted to a website that offers students assistance with schoolwork, reports The New York Times. The hospital informed local authorities and wrote letters to all affected patients, and the website removed the information. Healthcare security experts say the breach highlights the possible risks of allowing third-party contractors access to personal data. According to the Department of Health and Human Services, in the past two years, the medical data of about 11 million people has been breached. (Registration may be required to access this story.)

PRIVACY LAW—U.S.

Blumenthal Presents Online Security Bill (September 9, 2011)

Sen. Richard Blumenthal (D-CT) on Thursday introduced the Personal Data Protection and Breach Accountability Act, which would place data handling and protection requirements on organizations processing the personal information of more than 10,000 people. "While looking at data breaches, I've been struck by how many are preventable," Blumenthal told The New York Times. The Hill reports that the bill would require organizations to submit to regular testing of controls and systems on a timeframe directly related to the level of risk as determined by required risk assessments. In the event of a breach, the bill includes notification requirements that put the onus on organizations to show evidence supporting the timeliness of notification and increased penalties for identity theft, and would require that organizations cover credit-monitoring costs for two years.
Full Story

PRIVACY LAW—U.S.

Experts: 10 Years After 9/11, Privacy Oversight Needed (September 9, 2011)

In anticipation of the 10th anniversary of Sept. 11, 2001, privacy experts have been weighing in on the balancing act of anti-terrorism efforts and privacy rights. In this Daily Dashboard exclusive, Alan Charles Raul, who previously served as the vice-chairman of the federal Privacy and Civil Liberties Oversight Board, offers insight into the need for the board and the concerns many privacy experts are raising about its dormancy since 2008. Given its lack of action to make the board operational, Raul notes, "Congress should really ask itself how seriously it takes its own privacy mandates."  
Full Story

DATA RETENTION—SWEDEN

Sweden Responds to European Court of Justice (September 9, 2011)

The Swedish government has responded to the European Court of Justice about its failure to implement the Directive on Data Retention, according to EDRI-gram. In correspondence this week, Sweden said implementing the directive is unnecessary, and daily financial penalties proposed by the European Commission as punishment for not implementing the directive are disproportionate. All EU member states were to have transposed the directive by September 15, 2007. The European Commission has referred Sweden to the European Court of Justice twice--once in February 2010 and again earlier this year.
Full Story

PRIVACY LAW—U.S.

Book Retailer Settles with Website Operator (September 9, 2011)

A bankruptcy court has approved an agreement between bankrupt bookseller Borders and Next Jump over the use of customer data, the Hunton & Williams Privacy and Information Security Law Blog reports. Next Jump--which operated a Borders website for customer rewards points--will not communicate with individuals on Borders' customer list, the agreement states, after Borders filed a complaint alleging that Next Jump solicited Borders Rewards and Borders Rewards Plus customers to join a Next Jump website and falsely claimed that the companies had partnered. The settlement states that Next Jump will disable the website, cease sending e-mails to Borders' customers and cease using their data, among other stipulations.
Full Story

DATA LOSS—IRELAND & U.S.

Irish Jobs Website, U.S. School District Breached (September 9, 2011)

A website for jobseekers has suffered a security breach, The Irish Times reports. The company has written to users to inform them and ask them to use "best practice in choosing all Internet passwords" and not use the same password on any two sites. Police have apprehended two suspects, and the data protection commissioner has been made aware of the breach. Meanwhile, the superintendent of schools for Beaumont Independent School District in Texas has announced that letters are being mailed to nearly 15,000 families to inform them of a potential breach involving confidential student information--including Social Security numbers--stored on a staff server.
Full Story

TRAVELLERS’ PRIVACY

Stoddart Offers Conditions for Perimeter Agreement (September 9, 2011)

In The Huffington Post Canada, Privacy Commissioner Jennifer Stoddart discusses the emerging Canada-U.S. perimeter agreement and the need to incorporate a respect for privacy. "As the pursuit of greater security continues, it doesn't have to come at privacy's expense," Stoddart writes, noting that she takes comfort in a recent comment by Foreign Affairs Minister John Baird that a respect for "the legal and privacy rights of Canadians" is essential to the process. "Given my role, I want to see those words ring true," says Stoddart, going on to offer three "essential conditions that any future agreement should meet in order to truly and properly 'promote' and 'respect' our privacy rights."     
Full Story

An Unexpected Sept. 11 Legacy: Privacy and Civil Liberties Oversight Board Remains Dormant (September 9, 2011)

By Jennifer L. Saunders, CIPP

With the 10th anniversary of Sept. 11, 2001, fast approaching, privacy experts have been weighing in on the myriad impacts beyond the immediate tragedies of the events of that day, including the implications of anti-terrorism efforts on privacy rights.

In companion features for The Privacy Advisor, Mathew Schwartz and Peter Swire, CIPP, take a close look at the past 10 years and the evolution of privacy and data protection, and one issue in particular has been making headlines of late with regard to privacy protection and anti-terrorism: the continued dormancy of the Privacy and Civil Liberties Oversight Board.

“There is currently no central review or coordinating body in government to convene the privacy and civil liberties officers in the various relevant departments, and to report to the president and agency heads whether these crucial interests are being adequately and appropriately taken into account,” Alan Charles Raul, who served as the board’s vice-chairman from 2006 to 2008, told the Daily Dashboard. “Congress intended the Privacy Board to serve this critical function and to help the president balance privacy and civil liberties with the dictates of national security.”

A Huffington Post retrospective on the privacy and security aftermath of Sept. 11 points out, “The aftermath of the terror attacks was marked by an extraordinary growth in data gathering and surveillance powers by federal law enforcement and intelligence agencies,” suggesting the Privacy and Civil Liberties Oversight Board has been “ineffectual under both the Bush and Obama administrations, according to 9/11 commissioners.”

The report states that while two members of the five-person board have been nominated by the president and await confirmation by the Senate, the other three posts remain vacant.

Features in the Chicago Sun-Times and The Washington Times published in advance of the Sept. 11 decade anniversary, also describe how the board--which was established by Congress during the Bush Administration to ensure that security efforts did not undermine privacy rights and became an independent agency in 2007 with required Senate confirmation of its members--has remained dormant since early 2008.

In response to recent reports on the disappearance of the board, Raul told the Daily Dashboard, that former President George W. Bush “originally nominated and appointed a full slate of members for the Privacy Board after Congress established the Board in...

ONLINE PRIVACY—EU & U.S.

Advocacy Groups: Industry’s Do-Not-Track Not Enough (September 9, 2011)

Advocacy groups are going on the record against an online advertising industry do-not-track mechanism. USA Today reports on a letter from Trans Atlantic Consumer Dialogue (TACD) to the Federal Trade Commission's David Vladeck and Jacob Kohnstamm of the Article 29 Working Party asking them "to reject the current OBA self-regulatory regime as inadequate, and work with industry and consumer and privacy groups to ensure that significant revisions are made to protect consumer privacy." A Digital Advertising Alliance spokesman has disputed the claims, pointing to the oversight of independent organisations. 
Full Story

DATA PROTECTION—EU & U.S.

Parliament Discusses Data Transfers, Online Privacy (September 8, 2011)

ZDNet reports on the European Parliament Privacy Platform's meeting Wednesday on "a wide range of transatlantic data protection matters, which have yet to be resolved." The meeting included officials from high-profile online companies as well as privacy advocates in discussions about ongoing EU-U.S. data transfer negotiations. Following up on a recent request from MEPs regarding the U.S. Patriot Act's reach in the EU, Francoise Le Bail of the European Commission said the "key thing" is that the U.S. cannot impose its laws on data held in the EU and "normal channels through the relevant authorities" must be followed.

HEALTHCARE PRIVACY—U.S.

HIPAA Turns 15, Enforcement Actions Increase (September 8, 2011)

In the year of the Health Insurance Portability and Accountability Act's (HIPAA) 15th birthday, The Tennessean looks back on what it calls "one of the most popular healthcare bills of the generation." HIPAA passed the Senate with a 98-0 vote, and 421-2 in the House of Representatives, a rare consensus for a Congressional bill, the report states. Meanwhile, the Office for Civil Rights (OCR) reports that more than 30,750 data breaches have occurred since new breach notification requirements under HIPAA went into effect in 2009. The OCR has warned covered entities that its forthcoming HIPAA audit findings may lead to formal enforcement.
Full Story

PRIVACY LAW—GERMANY

Facebook Enters Code of Conduct (September 8, 2011)

The Local reports that Facebook has agreed to enter into a voluntary code of conduct after Schleswig-Holstein's Independent Centre for Privacy Protection concluded that certain Facebook features--such as the "like" button--violate both the German Telemedia Act and the Federal Data Protection Act. Data Protection Commissioner Thilo Weichert threatened Schleswig-Holstein websites with fines of up to €50,000 if "like" buttons were not removed by the end of September, and, according to the report, it is not clear if the agreement will stave off fines. "With Facebook's willingness to sign up for this self-regulation...the debate over the extent to which German data protection law applies to Facebook has been considerably defused," the Interior Ministry said.
Full Story

PRIVACY LAW—U.S.

Teacher Settles Laptop-Tracking Suit (September 8, 2011)

The Associated Press reports that an Ohio teacher has settled her lawsuit against a software company on allegations that it invaded her privacy. The teacher said Absolute Software Inc. violated the Electronic Communications Privacy Act and the Stored Communications Act when it remotely captured images and text messages from her laptop and shared them with police. The computer was equipped with tracking software. It is at least the second settlement in recent weeks related to the use of laptop-tracking technology. Late last month, Pennsylvania's Lower Merion School District agreed to pay $10,000 to a teenager who was recorded by his school-issued laptop. 
Full Story

DATA PROTECTION

In-depth on Incident Response (September 8, 2011)

SCMagazine looks at incident response and data protection. Lockheed Martin CISO Chandra McMahon discusses the company's "kill chain" approach to network protection. "The way the kill chain is set up, you're doing incident response as soon as the attack gets started," McMahon says. The company was the target of hackers earlier this year. The premise of its seven-step kill chain "is that the attacker has to be correct every step of the way. Somewhere between steps one and seven, we have to stop those attacks." The feature also looks at other high-profile data incidents and offers incident response "steps to success."  
Full Story

CHILDREN’S PRIVACY

Experts: Kids Unaware of Internet Threats (September 8, 2011)

USA Today reports on the likelihood that social networks and mobile apps could violate the privacy of the children and teens who use them. From a recent settlement of a Children's Online Privacy and Protection Act violation in the U.S. to calls by the UK's data protection authority for children to know their rights regarding online privacy, experts are calling for more education for youth who "exchange their personal data to Web services without knowing the possible consequences." Meanwhile, WBAL-TV 11 News reports on parents in one U.S. state who are questioning why they should provide schools with their children's Social Security numbers.  
Full Story

BIOMETRICS—AUSTRALIA

Vein Scanning To Track Librarians (September 8, 2011)

Melbourne's City of Monash may next month begin tracking library employee work hours with vein scanning technology, reports ABC News. City officials say they are only considering the plan, but the Australian Services Union claims it has received confirmation from the council that the technology will be employed in libraries next month, affecting as many as 100 workers. Victoria Privacy Commissioner Helen Versey says that without the facts, she can't determine whether the plan contravenes the Privacy Act, but notes, "If they're creating a database of their employees' biometrics, then that does raise some significant issues in terms of data security."
Full Story

DATA THEFT

Company Halts Authentication Certificates (September 8, 2011)

A security company has suspended issuing authentication certificates for secure websites in response to claims that an unauthorized individual accessed the company's servers, BBC News reports. The Belgium-based company, GlobalSign, has stopped issuing the certificates while it investigates the allegations. The hacker also claims to have accessed additional certificate authorities, including DigiNotar. A GlobalSign representative said that the company takes the hacker's claims "very seriously."
Full Story

PRIVACY LAW—U.S.

Commerce Committee To Prioritize Privacy (September 7, 2011)

NationalJournal reports that the House Energy and Commerce Committee will make privacy and cybersecurity legislation a priority in the coming months. The Commerce, Manufacturing and Trade Subcommittee, headed by Rep. Mary Bono Mack (R-CA), will focus on privacy and data security, including online data collection, consumer awareness and the effect of international privacy standards on U.S. business. Bono Mack has also indicated that she plans to hold hearings on the creation of national standards for breach notification. Additionally, the Oversight and Investigations Subcommittee plans to find ways to improve the nation's cybersecurity infrastructure.

PRIVACY LAW—U.S.

Opinion: Oversight Board a Failure (September 7, 2011)

If it ever comes into being, the Privacy and Civil Liberties Oversight Board will have plenty to discuss, opines Jacob Sullum for the Chicago Sun-Times. The board was established under President George W. Bush to ensure that national security policies after 9/11 didn't infringe on individuals' privacy and civil liberties. But the board has been dormant since 2008, which Sullum calls a failure and "vivid testimony to the continuing disregard for civil liberties and the rule of law..." Congress made the board an independent agency in 2007 and required Senate confirmation of its members. Sullum writes that, in theory, the changes aimed to strengthen the board but, in practice, made it disappear.
Full Story

HEALTHCARE PRIVACY—U.S.

HHS Extends ANPRM Comment Period (September 7, 2011)

The Department of Health and Human Services (HHS) has extended the deadline to October 26 for comments on the Advance Notice of Proposed Rulemaking (ANPRM) to the Common Rule, which governs research conducted by federal agencies on human subjects, Lexology reports. The HHS proposes that the ANPRM include HIPAA standards for personally identifiable information and de-identified information; mandatory data protection standards, and more robust enforcement mechanisms, including random audits. The notice states, "Rapidly evolving advances in technology, coupled with the increasing volume of data readily available, may soon allow identification of an individual from data that is currently considered de-identified." 
Full Story

DATA LOSS

Study: Breaches Cost Companies Almost $157 Billion (September 7, 2011)

A recent study found that from 2005 through 2010, data breaches cost companies $156.7 billion, reports InfoSecurity. The Digital Forensics Association studied 3,765 publicly disclosed data breach incidents encompassing more than 800 million lost records--65 percent of which disclosed victims' names, addresses and Social Security numbers. Incidents of confirmed criminal use of breached data increased by 58 percent from the prior study, states the report, with hackers responsible for 48 percent of the records studied.
Full Story

PRIVACY LAW—U.S.

ACLU Wins Appeal on Warrantless GPS Tracking (September 7, 2011)

The American Civil Liberties Union won an appeal on Tuesday requiring the government to hand over details on some cases where prosecutors tracked suspects through cell phones without obtaining a judge's approval, reports Reuters. The court upheld a 2010 decision stating that in cases where the suspect was convicted, the government must provide details. The government has offered to show the nature of the charges, whether a motion was made to suppress the data and the outcome of the motion, states the report. "The disclosure sought by the plaintiffs would inform this ongoing public policy discussion by shedding light on the scope and effectiveness of cell phone tracking as a law enforcement tool," wrote Judge Merrick Garland. A further appeal is possible. 
Full Story

SURVEILLANCE

Facial Recognition Technology Seeing “Boom Time” (September 7, 2011)

Forbes reports on the increasing popularity of facial recognition technology, now experiencing its "boom time." The technology is being used by police departments, casinos and bars, among others. Shoe retailer Adidas is now testing the technology in order to market shoes to specific age and gender demographics, and Kraft foods is working with supermarket chains with hopes of installing facial recognition kiosks in order to better target specific consumers. "You can put this technology into kiosks, vending machines, digital signs," said a spokesman for Intel, a developer of the software. "It's going to become a much more common thing in the next few years."    
Full Story

IFAI President Commissioner Discusses the Upcoming Mexico City Event and More (September 7, 2011)
Jacqueline Peschard

By Jennifer L. Saunders, CIPP

For the first time in its 33-year history, the International Conference of Data Protection and Privacy Commissioners (ICDPPC) will be held in Latin America, as Mexico’s Federal Institute for Access to Information and Data Protection (IFAI) hosts the 2011 conference, entitled “PRIVACY: The Global Age.”

In advance of the event, IFAI President Commissioner Jacqueline Peschard spoke with the Daily Dashboard about her work, the data protection efforts of the IFAI and of what conference attendees can expect at what promises to be an ICDPPC unlike any other.

“We are very happy to host it for the first time,” Peschard says, speaking of the importance of the conference’s role as a path for data protection authorities (DPAs) and privacy commissioners to create and build relationships.

The 33rd ICDPPC will be held in Mexico City--a premier international tourism destination known for its historical, cultural and architectural features as well as the warmth of its people--from November 2 to 3, with a special closed session for regulators on November 1 and preconference events set for October 31.

Regardless of borders, DPAs need to focus on the new businesses and applications that use data in innovative ways that at the same time pose new challenges in the privacy and data protection sphere, Peschard explains.

As president of the Iberoamerican Network of Data Protection (RIPD), a forum for the promotion of the fundamental right to data protection within this community of 22 countries, she has a key perspective on this need.

Peschard, who holds a PhD from El Colegio de Michoacán, has been a member of the National Board of Researchers since 1988 and a political science professor at the National Autonomous University of Mexico (UNAM) since 1979. Her other experience includes being appointed counselor to the Federal Electoral Institute (IFE), where she was an advisor to the United Nations Electoral Assistance Division, and serving as a member of the Mexican Culture Seminar and as an IFAI commissioner since 2007.

Elected by her fellow commissioners as president commissioner in 2009, Peschard explains that while much of her work with the IFAI has been in moving from a reactive to proactive approach with regard to managing information access, last year’s new commitment from Congress gave the IFAI oversight of data protection in the private sector.

This prompted a reorganization of the entire institute, as it...

BIOMETRICS—INDIA

Database To Collect 1.2 Billion Identities (September 6, 2011)

The New York Times reports on India's creation of the world's largest biometric database. Aadhaar, as the project is called, is collecting the biometric data of India's 1.2 billion citizens. In addition to iris and fingerprint scanning, Aadhaar is collecting individuals' names, birth dates, gender and addresses. Each individual is then assigned a 12-digit number for identity verification using handheld devices that are connected to a mobile phone network, the report states. Privacy advocates have expressed concern that the system could potentially violate citizens' civil liberties. Meanwhile, a representative of Aadhaar said that the project "is a road that in some sense connects every individual to the state." (Registration may be required to access this story.)

SOCIAL NETWORKING—IRELAND

Site Faces Privacy Audit (September 6, 2011)

The Office of the Data Protection Commissioner (DPC) has announced that it will conduct an audit of Facebook's privacy practices after an Austrian group submitted 17 complaints about the site's handling of personal information, Independent.ie reports. The complaints allege that the site's Dublin headquarters retains all of its users' data, including "likes," e-mails and phone numbers, the report states. A DPC spokesman said that it will "go into the premises and go through in great detail every aspect of security...It's a very significant, detailed and intense undertaking that will stretch over four or five days. Then we'll publish a detailed report and Facebook will respond." A spokesman for the social network said the company is cooperating with the DPC.     
Full Story

ONLINE PRIVACY

Smartphone Makers Respond to Tracking Allegations (September 6, 2011)

Microsoft has responded to a class-action lawsuit, saying the location data it collects through its Windows Phone camera is not linked to a specific device or user, reports The Next Web. While the suit claims the software collects users' geographical coordinates even after they request not to be tracked, Microsoft says that because it does not collect unique identifiers, "the Windows Phone camera would not enable Microsoft to identify an individual or 'track' his or her movements." Meanwhile, smartphone maker HTC responded to claims that at least two of its phones collect location and personal data, explaining that the data in question is de-identified, encrypted and only collected upon user opt-in.
Full Story

PRIVACY—EU & U.S.

Opinion: Data Anonymization Isn’t Black and White (September 6, 2011)

In a dataprotectionlaw&policy featured article, Omer Tene, of the Israeli College of Management School of Law, discusses the complexity of defining "personal data" as the legal frameworks for data protection and privacy are reviewed in both the EU and U.S. Researchers have found, Tene writes, that data thought to be anonymous can often be de-anonymized or re-identified, a finding that has "significant implications for policymakers." If all data is considered identifiable and, therefore, covered by data protection rules, business models based on anonymization and encryption will suffer, Tene says. Therefore, the nature of data should be considered a continuum--rather than either identifiable or not--and treated accordingly, he suggests.
Full Story

PRIVACY LAW—EU & U.S.

MEPs Raise Concerns About ACTA (September 6, 2011)

Members of the European Parliament (MEPs) are raising concerns about the Anti-Counterfeiting Trade Agreement (ACTA), IDG News reports, and one MEP has said Parliament's legal department will discuss whether it must go to the European Court of Justice. Questions linger as to whether the agreement with the U.S. and other countries is compatible with EU law. "The ACTA agreement has been mired in controversy from the beginning due to secrecy imposed by the U.S. and worries that it may not uphold EU rules on data privacy," the report states, "as national authorities would be able to order ISPs to disclose personal information about customers."
Full Story

TRAVELER’S PRIVACY—U.S.

New Body Scanners Unveiled (September 6, 2011)

Body scanning technology thought to be less privacy-invasive than previous models is being installed at U.S. airports. The new technology was unveiled at Newark Liberty International Airport last week, USA Today reports, after trials were conducted at airports in Atlanta, Las Vegas and Washington, D.C. It will be installed on 241 machines at 40 U.S. airports in the coming months and eventually at all U.S. airports, according to the Transportation Security Administration. The new technology addresses privacy concerns about body scanners by using a generic body image of the passenger and placing the viewing screen where both passenger and security agent can view it.   
Full Story

PERSONAL PRIVACY—U.S.

Rights or Protection, That Is the Question (September 6, 2011)

Two-thirds of Americans polled said they're willing to give up some of their civil liberties in order to fight terrorism, but if they had to choose, 54 percent said they'd pick their rights over protecting people from terrorists, an Associated Press (AP)-NORC Center for Public Affairs Research survey found. Ten years after the 9/11 terrorist attacks, respondents drew "a zigzag line" on where to choose rights over protection, and vice versa--similar to national policies, which two-thirds of respondents felt were a reactive "mish-mash," reports the AP. For example, one policy under the USA Patriot Act allows government access to library records without a warrant, causing concern for some. Editor's Note: Read more about the effect of the 9/11 attacks on privacy in the U.S. in this month's Privacy Advisor.
Full Story

SURVEILLANCE—AUSTRALIA

Commissioner To Conduct CCTV Audit (September 6, 2011)

Queensland's privacy commissioner says she will audit the number of closed circuit television (CCTV) camera networks after concerns about privacy, including a police investigation into stolen security footage from a casino. A count of cameras and their purposes will begin within weeks and will involve about 200 government departments, News.com.au reports. Acting Privacy Commissioner Rachael Rangihaeata said councils are increasingly using the cameras as a law enforcement tool. "We have significant concerns with reports in the rise in the use of CCTV," Rangihaeata said. "And we are very keen to make sure security footage is used properly...There needs to be a higher responsibility." 
Full Story

PRIVACY LAW—U.S.

Gov. Brown Signs Breach Notification Bill (September 2, 2011)

After two vetoes by the previous administration, California Gov. Jerry Brown on Wednesday signed into law SB-24, which updates the state's data breach notification law to specify what information should be included in notification letters and to mandate that notices be written in plain language. According to DLA Piper's Jim Halpert, who outlined the bill on yesterday's Privacy Tracker monthly audio conference, notification letters must include the type(s) of personal information affected, the date or date range of the breach and the date of the notice, among other criteria. Halpert also outlined certain exemptions, such as one for entities that are subject to the HITECH Act.

ONLINE PRIVACY—EU & U.S.

EU Cookie Requirement Snubs Self-Regulation (September 2, 2011)

USA Today reports that an EU Article 29 Working Party proposal rebuffs self-regulation efforts by the online advertising industry and would likely shrink online ad revenue. The proposal would require online companies to include a check box for Internet users to accept every cookie that marketers and data aggregators place to track them. According to Christopher Wolf of Hogan Lovells, it may effectively "impede business initiatives to advance privacy" by not recognizing and rewarding genuine efforts. But one consumer advocate disagrees, saying, "The Europeans have exactly the right approach" compared to the U.S.    
Full Story

DATA LOSS

Major Breaches Reported Across the Globe (September 2, 2011)

Targeted attacks have affected two U.S.-based agencies and a Dutch company, reports indicate. The Texas Police Chief Association suffered a breach Thursday, with such information as classified e-mails allegedly leaked by a high-profile hacking group. Meanwhile, the FBI is investigating another Texas incident where the El Paso Independent School District suffered a hacking attack involving access to names, Social Security numbers, dates of birth and addresses. In a separate incident, Computerworld reports that hackers may have obtained more than 200 secure digital certificates--some of which were valid for international Web companies--from a Dutch company after breaking into its network--up from an initial estimate of "several dozen" SSL certificates.    
Full Story

DATA LOSS—UK

Children’s Administration Breaches Act Twice (September 2, 2011)

The Information Commissioner's Office (ICO) has found the Scottish Children's Reporter Administration (SCRA) in breach of the Data Protection Act in two incidents, ComputerWeekly reports. In the first instance, nine files containing personal information including names, dates of birth and social reports were sold to a secondhand furniture shop. Later, legal papers containing sensitive information about a child's court case were sent to the wrong e-mail address, the report states. The ICO says the SCRA failed to ensure that staff followed proper data protection and security rules. The SCRA says it has made improvements, and the ICO is urging "other organizations, particularly those handling sensitive information relating to young people, to follow suit." 
Full Story

IDENTITY THEFT—U.S.

FTC Educates on Protecting Children’s Data (September 2, 2011)

The Federal Trade Commission (FTC) recently discussed the importance of protecting children's personal information from identity thieves during a testimony before the House Committee on Ways and Means Subcommittee on Social Security. An FTC official told the committee, "Protecting consumers--especially vulnerable consumers such as children--against identity theft and its consequences is a critical component of the commission's consumer protection mission." The testimony also detailed initiatives the FTC is using to fight identity theft. Meanwhile, the FTC also announced that it has released a publication, Protecting Your Child's Personal Information at School, to advise parents about how to protect their children from identity theft. 
Full Story

HEALTHCARE PRIVACY—INDIA

Blood Donors’ Directory To Go Online (September 2, 2011)

The Times of India reports on the move to online directories for blood donors in the city of Pune. A representative from the software firm that has created the blood donor network said, "What we are going to do is computerize the physical directories of donors as well as create a database of those...who have not done it so far. This consolidated data will be made available on one single portal" and "will eliminate the loss of precious time which goes into ferreting a possible donor."    
Full Story

PRIVACY LAW

Class-Action Filed on Behalf of Mobile Phone Users (September 2, 2011)

A proposed class-action lawsuit filed on behalf of Windows Phone 7 users in a Seattle, WA, court on Wednesday alleges that Microsoft designed the phone to track customers regardless of their preferences, The Sydney Morning Herald reports. The suit alleges the company designed camera software on the phone's operating system to collect users' geographical coordinates even if they had requested not to be tracked, the report states. The suit also alleges that statements the company made in a letter to the U.S. Congress were "false." 
Full Story

ONLINE PRIVACY

Kundra: Cloud Concerns re: Privacy “Unfounded and Ridiculous” (September 1, 2011)

Former U.S. Chief Information Officer Vivek Kundra is sounding off on governments' reluctance to adopt cloud computing due to privacy and information security concerns, noting the U.S. government's outsourcing of more than 4,700 systems "and yet when it comes to cloud for some reason these fears are raised," reports The Australian. In The New York Times, Kundra writes that "governments around the world are wasting billions of dollars on unnecessary information technology," adding that cloud computing is often more secure than traditional methods. Taking part in a Digital Agenda panel on Wednesday, Kundra urged government officials to think about how they are serving constituents. "All that money's being spent on redundant infrastructure, redundant application that we're not able to optimize," he said. Meanwhile, Kundra's Digital Agenda co-panelist Vice President of the European Commission Digital Agenda Neelie Kroes said that while she agrees there are benefits to the adoption of cloud computing, the value depends on trust and security in the system, and there are cultural hurdles to overcome that will take time, ZDNet reports. Editor's Note: Navigate, an IAPP executive forum being held on September 14 in Dallas, TX, will feature a special program entitled Putting Cloud Computing on Trial to fully explore these issues.

PRIVACY LAW—EU & U.S.

MEP Seeks Patriot Act Clarity (September 1, 2011)

ZDNet reports on Dutch MEP and Civil Liberties, Justice and Home Affairs Committee Vice Chair Sophie in 't Veld's "mission to clarify the reach of the Patriot Act in Europe and to amend laws to prevent its reach." Based on reports in June that EU datacenters holding data provided by U.S.-based cloud providers "cannot guarantee that data will not be handed over to U.S. authorities for interception or intelligence gathering," in 't Veld and four other MEPs are asking European Commissioner Viviane Reding to clarify the Patriot Act's reach and "remedy this situation" to ensure that "third-country legislation does not take precedence over EU legislation," the report states. 
Full Story

HEALTHCARE PRIVACY—U.S.

Florida Drug Database Implemented (September 1, 2011)

A statewide database of patient prescription information will become mandatory in Florida today, ABC Action News reports. Aiming to curb the illegal sale of prescription drugs, the new measure requires pharmacies to send weekly reports to a state database of every controlled prescription drug sold, the report states, including painkillers, sleep aids and steroids. Patient name, drug, dosage and doctor will be included in the report. One pharmacy customer said he's not concerned about privacy if security is enhanced, while another woman said, "This is another invasion to where they're able to get our information."   
Full Story

CHILDREN’S PRIVACY—UK

ICO Recommends Privacy Education for Children (September 1, 2011)

The Information Commissioner's Office (ICO) has announced that primary and secondary students should receive data privacy and freedom-of-information rights education and that both issues "should be embedded in the formal education process," OUT-LAW News reports. In a recent survey that revealed 88 percent of secondary students and 39 percent of primary students have social networking profiles, the ICO found that most respondents were not familiar with the sites' privacy policies. A representative from the ICO said, "Young people today are growing up in an age where an ever-increasing amount of information is held about them...It is vital that they understand their privacy rights and how to exercise them."  
Full Story

PRIVACY LAW—U.S.

Judge Rules Tracking Service Violated Federal Law (September 1, 2011)

U.S. District Judge Walter Rice has ruled that a company providing tracking services for stolen laptops violated an individual's privacy rights when an agent working for the company intercepted video transmissions of the individual using the stolen laptop, Wired reports. In his decision, Rice wrote, "It is one thing to cause a stolen computer to report its IP address or its geographical location in an effort to track it down...It is something entirely different to violate federal wiretapping laws by intercepting the electronic communications of the person using the stolen laptop."  
Full Story

HEALTHCARE PRIVACY—U.S.

Survey: Most Health Breaches An Inside Job (September 1, 2011)

The number of breaches involving protected health information is on the rise, and those responsible are often internal staffers, SC Magazine reports. That's according to a survey by Veriphyr, which found that 70 percent of organizations surveyed had been breached within the last year. The 2011 Survey of Patient Privacy Breaches also found that 35 percent of those responsible were insiders looking at fellow employees' medical records, and 27 percent were looking at those of patients and friends. Besides curiosity, identity theft is a motivating factor for the breaches, Veriphyr's CEO said, as medical personnel are increasingly recruited to help commit the crime.
Full Story

ONLINE PRIVACY—U.S.

Needed: Simple Policies in Laymen’s Terms (September 1, 2011)

The Federal Trade Commission (FTC), the Department of Commerce and consumer advocates have all pointed to a need for clearly written, comprehensible privacy policies, but the FTC has found that "consumers typically do not read, let alone understand" most corporate policies. Writing for Corporate Counsel, Paul Bond and Chris Cwalina offer tips on how to formulate a policy that is both "comprehensive and comprehensible." It is important to know what information your company collects and how it is used--and to anticipate change, the authors write. Policies should "focus on information the consumer needs to make choices," and "above all, say it in plain language."  
Full Story