Privacy News | Daily Dashboard

Breaking news. In-depth articles. Global coverage.

Save time searching the headlines for privacy news in the media. Get the latest breaking privacy and data protection news from around the globe all in one place—The Daily Dashboard. Our FREE daily e-newsletter summarizes the day’s top privacy stories with links to the full articles—sent directly to your desktop each weekday!

Top Privacy News

BEHAVIORAL TARGETING—U.S.

Senator Questions Credit Card Companies’ Practices (October 28, 2011)

Sen. Jay Rockefeller (D-WV) is questioning two credit card companies on reports that the companies plan to combine information on consumer purchases and online activity to better serve targeted ads, MediaPost reports. "As a general matter, I am already concerned that privacy protections afforded to American consumers in the commercial marketplace are inadequate, whether they are surfing the World Wide Web, using their smartphones or shopping in their local supermarket," Rockefeller said in a letter to Visa's CEO and a similar one to MasterCard. Rockefeller wants both companies to provide details on their plans. Both companies have said that anonymous data is not linked to individuals. MasterCard released a statement saying it "is confident that we are in a strong position to address Senator Rockefeller's concerns."

PRIVACY LAW—U.S.

New Law Could Unintentionally Impact Bloggers (October 28, 2011)

A law professor says California's recently enacted Reader Privacy Act might impose unexpected obligations on bloggers, MediaPost reports. The act, signed into law earlier this month and scheduled to take effect January 1, will require government agencies and other third parties to obtain a search warrant or court order to access customer records from bookstores or online retailers. But Eric Goldman of Santa Clara University says the law's language leaves room for interpretation on who it regulates and could include bloggers whose sites are supported by advertisements. Bloggers could violate the law, for example, if they disclose information about commenters or readers without a court order, Goldman says.

IDENTITY THEFT—U.S.

Database of Deceased Individuals’ SSNs Raises Concern (October 28, 2011)

"Most people don't know a number you're told to protect at all costs will one day be exposed on the Internet," ABC 2 News notes in its report on concerns about the Social Security Death Master File. Since 1980, details on 90,000,000 deceased U.S. citizens--including their names and Social Security numbers (SSNs)--have been included in the database, the report states, resulting in cases of identity theft. While families of two deceased infants whose information was used in fraud cases are investigating how their children's data was obtained, one consumer advocate notes, "Making this information public has clearly put people at risk."

DATA LOSS—UK

ICO Names Breaches, Study Says Trusts Losing Data (October 28, 2011)

The Information Commissioner's Office (ICO) says Newcastle Youth Offending Team breached the Data Protection Act by failing to protect data on a laptop that was stolen from a contractor, the Belfast Telegraph reports. The ICO has also ordered University Hospitals Coventry & Warwickshire NHS Trust to review its policies and train staff after finding that the trust breached the Data Protection Act on two occasions, according to an ICO press release. Meanwhile, the group Big Brother Watch has released a report showing that during a three-year period between 2008 and 2011, NHS trusts experienced 806 data breach incidents.

PRIVACY LAW—CANADA

Toews Unmoved by Letter (October 28, 2011)

Postmedia News reports that Public Safety Minister Vic Toews is unmoved by the federal privacy commissioner's urgings to consider the effect potential lawful access legislation would have on the privacy rights of Canadians. In a public letter to Toews this week, Commissioner Jennifer Stoddart outlined several concerns about the legislation, saying that "Read together, the provisions of the lawful access bills from the last session of Parliament (C-50, C-51 and C-52) would have had a significant impact on our privacy rights." Stoddart added that "the government has not convincingly demonstrated that there are no less privacy-invasive alternatives available to achieve its stated purpose."     

SOCIAL NETWORKING

Privacy Concerns Go Global (October 28, 2011)

Human Resource Executive Online reports that just as social media use has become a worldwide phenomenon, "so too has concern over privacy breaches and potential employment-related litigation." The report highlights examples from across the globe--including 99,000 discrimination allegations filed with the U.S. Equal Employment Opportunity Commission last year; the view in many European countries that electronic data is owned by the data subject; varied privacy laws from country to country, and the impact of cultural differences. Despite such differences, the report states, "there are good reasons for parameters, particularly in industries and sectors where personal information breaches could threaten an organization's credibility or survival."

PRIVACY LAW—EU

Commission Wants Germany and Romania Compliant (October 27, 2011)

The European Commission (EC) has formally requested that Germany and Romania come into full compliance with EU rules on data retention within two months. The two countries have not yet indicated how and when they will adopt the EU Data Retention Directive, according to an EC announcement. The commission says this will likely harm the internal market for electronic communications and law enforcement's ability to investigate and prosecute crime. The directive--which requires telephone companies and Internet service providers to store telecommunications and location data--was adopted in 2006, and countries were to have transposed it into law by September 2007.

STUDENT PRIVACY—UK

Study: Students Worried About Their Online Data (October 27, 2011)

A survey conducted by YouGov for the Information Commissioner's Office (ICO) has found that 42 percent of students polled are concerned that their online personal data could affect their future job opportunities, but many are not taking steps to protect their privacy, The Press Association reports. Information Commissioner Christopher Graham said "young people are clearly less relaxed about privacy, particularly in relation to information that they post online--but many may not know what they can do about it." To help educate them, the ICO has launched its Student Brand Ambassador campaign. 

PRIVACY LAW—CANADA

Stoddart Shares Concerns in Letter to Toews (October 27, 2011)

Privacy Commissioner Jennifer Stoddart has written to Minister of Public Safety Vic Toews to again outline her concerns about the effect potential lawful access legislation would have on the privacy rights of Canadians. "As your government prepares to bring forward legislation, I believe I have an obligation to outline my concerns," Stoddart wrote, adding, "Read together, the provisions of the lawful access bills from the last session of Parliament (C-50, C-51 and C-52) would have had a significant impact on our privacy rights." Stoddart outlined several concerns, including that "the government has not convincingly demonstrated that there are no less privacy-invasive alternatives available to achieve its stated purpose."   

PRIVACY LAW—UK

MPs Call for Stiffer Data Breach Penalties (October 27, 2011)

BBC News reports that members of the House of Commons Justice Select Committee have called for increased powers to imprison and fine individuals who abuse the Data Protection Act. Stating that current fines are an "inadequate" deterrent, a report filed by the MPs warns that the Information Commissioner's Office lacks sufficient powers to audit organizations and investigate data abuse incidents. The committee's report said, "We are concerned that the information commissioner's lack of inspection power is limiting his ability to investigate, identify problems and prevent breaches of the Data Protection Act, particularly in the insurance and healthcare sectors."

DATA LOSS—HONG KONG

Department Reports PI Loss (October 27, 2011)

7th Space reports on the Hong Kong Labour Department's announcement that it has notified police and the Office of the Privacy Commissioner for Personal Data of the loss of a document containing personal information on 56 employees' compensation applicants. "The department has started a thorough investigation into the case and initiated a review," the report states. It has also begun "calling the persons affected to express its apologies." The Labour Department has stated it is working with authorities to prevent such incidents from happening in the future.

DATA PROTECTION—AUSTRALIA

Company: No Laws, No Fines, No Change (October 27, 2011)

According to Verizon Global Security Services Director Jonathan Nguyen-Duy, Australia needs breach notification laws in order to keep its reputation as a leader in information security. Noting that major changes only happened in the U.S. when companies were fined for contravening the Payment Card Industry (PCI) Digital Security Standards, Nguyen-Duy told ZDNet Australia that there's little incentive for Australian organizations to fess up about breaches. "Data breaches have doubled, but there have been no fines, no levies against PCI compliance," he said. Despite the risks, Nguyen-Duy said, "in 92 percent of cases, simple to intermediate controls would have detected and prevented the breach."    

HEALTHCARE PRIVACY—U.S. & EU

Study Analyzes Healthcare Privacy Laws (October 27, 2011)

A new study comparing U.S. and EU healthcare privacy law has been released by the Pamplin College of Business at Virginia Tech, Newswise reports. The study, co-authored by Prof. Janine Hiller, also examines the pros and cons of electronic health records (EHRs) and the ability of U.S. laws to address privacy risks and concerns. Hiller said, "EU countries have adopted electronic health records and systems...and legally protected privacy at the same time," and if the U.S. strengthened the legal and technical protections around EHRs, then risks would be minimized and public concern assuaged. The U.S. legal framework, she said, is "a hodgepodge of constitutional, statutory and regulatory law at the federal and state levels," and Americans "have no real control over the collection of sensitive medical information if they want to be treated."

DATA LOSS

Survey: Breaches Cost Millions in Brand Damage (October 27, 2011)

A recent survey has found that it takes an organization recovering from a data breach one year to repair damage done to its reputation. The Ponemon Institute survey, sponsored by Experian, found that a company also suffers damage to its brand equity, with the average loss in a company's brand ranging from $184 million to more than $330 million, PR Newswire reports. The minimum brand damage was a 12-percent loss. "A solid reputation is a company's greatest asset, and it is therefore imperative that business leaders take precautionary steps to protect themselves, their customers, their employees and their intellectual property against data breaches," said an Experian spokesperson.

BEHAVIORAL TARGETING

Credit Card Companies Look Into OBA (October 26, 2011)

The Wall Street Journal reports on plans by the world's two largest credit card networks to move into the online behavioral advertising business. Though the technology to link purchase transactions with an individual's online profile is still evolving, according to the report, Visa and Mastercard are currently pursuing the idea. The article cites a published Visa patent application that would attempt to incorporate information from DNA data banks into profiles that would target consumers online. Meanwhile, a representative from Mastercard said in an interview in August, "There is a lot of data out there, but there is not a lot of data based on actual purchase transactions...We are taking it a level deeper...it is a much more precise targeting mechanism." (Registration may be required to access this story.)

DATA LOSS—U.S.

Breaches Affect Thousands (October 26, 2011)

The Atlanta Journal Constitution reports that Georgia's Emory Healthcare has notified 7,300 patients of a data breach in which 32 patients' hospital bills were taken, including their Social Security numbers (SSNs), and nine have become victim to identity theft. It is unclear if the recent incident is connected to an April breach, in which thousands of patient bills were stolen. Meanwhile, Wells Fargo says a printing error led to customer data--including some SSNs--being sent to the wrong customers in Florida and South Carolina. And at Eastern Michigan University, a former student has been charged with eight felony counts for breaching student information.  

ONLINE PRIVACY—U.S.

Report: Data Requests on Users Increasing (October 26, 2011)

A report from Google says government requests for user data are increasing, CNET News reports, as are requests for content removal. The U.S. had the greatest number of requests for user data with 5,950--up from 4,600 in the second half of last year--with India, France, the UK and Germany following. Google is prohibited by law from providing information on requests for data from law enforcement agencies. A Google spokeswoman said the company released the report in the name of transparency. Meanwhile, U.S. Sen. Mark Kirk (R-IL) has announced he will cosponsor the Geolocation Privacy and Surveillance Act, introduced in June, which would require warrants before law enforcement can access data about individuals from technology providers or location devices.  

PRIVACY LAW—U.S.

Senators Question Legality of Mobile Phone Apps (October 26, 2011)

The Alexandria Echo Press reports on a bipartisan call led by Sens. Al Franken (D-MN) and Chuck Grassley (R-IA) for an investigation into mobile phone apps that "allow domestic abusers and stalkers to secretly track a victim's movement and location, read a victim's e-mail and text messages or listen to a victim's phone calls--all without the victim's knowledge or consent." The senators have written to the Federal Trade Commission and Department of Justice to determine the legality of so-called "stalking apps," adding that if they are found to be illegal, the federal agencies should "use their full force to investigate and prosecute" their developers and marketers. 

PRIVACY LAW—GERMANY

Facebook, Google Meet with Lawmakers (October 26, 2011)

Representatives from Facebook and Google met with data protection officials and a German parliamentary subcommittee to discuss the companies' privacy policies and whether they comply with German and European data protection laws, Deutsche Welle reports. A Facebook spokesperson said, "We are pleased that the new media subcommittee of the German (Parliament) is interested in the issue and felt that their meeting today was helpful." At the meeting, Schleswig-Holstein Data Protection Commissioner Thilo Weichert said, starting in November, his office would "apply appropriate actions" to companies that have not complied with a ruling to disable the Facebook "like" button on their Web pages.  

DATA PROTECTION

Study Delves Into the Stress of the Job (October 26, 2011)

A survey commissioned by data protection company Websense shows that while many IT managers feel their jobs depend on keeping company data secure, 91 percent said new levels of management are engaging in data security conversations. Systems & Networks Security reports the study polled 1,000 IT managers and 1,000 non-IT employees in Canada, Australia, the U.S. and the UK about security threats, and 86 percent of respondents said their job would be at risk if a security incident occurred, while 72 percent called protecting company data more stressful than getting a divorce. Meanwhile, "When asked about real-time protection solutions in place, many respondents listed product and vendor names that don't offer real-time protection at all," said a Websense spokesman.

PRIVACY—GERMANY

University, Google Open Internet Research Institute (October 26, 2011)

Designed to explore the effects of the digital age, a new institute funded by Google has opened in Germany, The Washington Post reports. Housed at Humboldt University in Berlin, the Institute for Internet and Society will explore Internet privacy, freedom of expression and civil liberties issues. Google will provide the institute with €4.5 million for the next three years. Google Vice President David Drummond said the institute "will be based on a philosophy of openness, open access, standards and an ability to innovate." (Registration may be required to access this story.)

PRIVACY LAW—U.S.

Buzz Settlement Finalized (October 25, 2011)

The Federal Trade Commission (FTC) has finalized a settlement with Google over the launch of its Buzz social network, MediaPost News reports. The move solidifies the tentative settlement reached in March, which requires the company to implement a comprehensive privacy program and undergo mandatory privacy audits for the next two decades. The FTC did not modify the tentative agreement despite the Electronic Privacy Information Center's request for stricter conditions. "While the proposed order sets forth several elements that the privacy program must include, some flexibility is afforded with regard to its implementation," the FTC said in a letter to EPIC this month.

DATA LOSS—ISRAEL

Population Registry Hacked, Suspect Arrested (October 25, 2011)

A gag order was lifted on Monday, allowing investigators from the Justice Ministry's Law, Technology and Information Authority to reveal details of a 2006 hack of Israel's population registry database, which eventually led to the exposure of around 9 million citizens' personal information on the Internet, Haaretz reports. Investigators have arrested a former contract worker at the Labor and Social Affairs Ministry, Shalom Bilik, for the theft. Bilik had access to the database through his work. The database included identity, immigration and familial data. "This should cause every database administrator and every citizen to lose sleep," said Yoram Hacohen, the head of the information authority.

DATA PROTECTION—UK

Information Commissioner: Breaches on the Rise (October 25, 2011)

The Information Commissioner's Office (ICO) says the number of data security breaches in the private sector is on the rise, increasing by 58 percent in 2010. The increase comes despite the fact that private sector organizations reported "unprompted awareness" of data protection obligations under the law, reports Out-Law.com. In a survey of 806 private and public sector organizations, 72 percent acknowledged their data protection obligation, up 18 percent from the previous year. "I'm encouraged that the private sector is waking up to its data protection responsibilities," said Information Commissioner Christopher Graham. "However, the sector does not seem to be putting its knowledge to good use." He added that as the number of breaches rises, public confidence declines.

HEALTHCARE PRIVACY—U.S.

CDT Lauds CMS Rule, Calls for HITECH Final Rules (October 25, 2011)

In a blog post, Deven McGraw of the Center for Democracy & Technology (CDT) writes that the new rules adopted by the Centers for Medicare and Medicaid Services (CMS) highlight the need for finalized adoption of the HITECH privacy rules. The new CMS rules allow Medicare recipients to opt out of sharing their claims data history with accountable care organizations while also placing limits on claims data usage. McGraw writes that the CDT is pleased with the new regulations, "But that efficiency only highlights the inexplicable year-long delay to implement final changes to the HIPAA privacy and security regulations...The failure to finalize those regulations means that privacy takes a back seat just as the administration is pushing on the accelerator for health IT adoption and health reform."

PRIVACY LAW—U.S.

Proposed Research Changes Concern Scholars (October 25, 2011)

The New York Times reports on concerns submitted by scholars about proposed changes to privacy protections for human research subjects. Wednesday is the deadline for public comments, and tens of thousands of humanities and social science scholars are voicing concern that more robust restrictions will prevent access to "vast collections of publicly available information," including census data, market research, oral histories and labor statistics, the report states. One scholar said that the proposed changes "really threaten access to information in a democratic society." The director of the Office for Human Research Protections has tried to assuage concerns by saying that the intent is not to create stronger restrictions on previously public information. "If the technical rules end up doing that," he said, "we'll try to come up with a different result." (Registration may be required to access this story.)

DATA PROTECTION

Is Cyber Insurance Worth the Investment? (October 25, 2011)

Network World reports on cyber insurance policies. While an attractive safety net for companies handling data, the policies don't always cover as much of the costs resulting from a data breach as some originally had hoped. Heartland Payment Systems discovered this after its 2008 breach, for example. Larry Ponemon, CIPP, of the Ponemon Institute says policies tend to "have limitations and constraints similar to act-of-God provisions, and that has created a lot of uncertainty about what is covered and what the risks are." Another expert notes that an organization's cyber insurance application may be accepted, but that doesn't mean that the insurance offered will be worth having. Editor's Note: The IAPP recently hosted a Web conference on Evaluating Cyber Liability Insurance. The archive is available on our website. 

ONLINE PRIVACY

Researcher Says Skypers Are Vulnerable (October 25, 2011)

A researcher from New York University (NYU) will present findings in Berlin next week asserting that Skype may allow strangers access to users' contact details. "If you have Skype running in your laptop, then I or any other attacker can inconspicuously call you, obtain your current IP address and your current location without you ever knowing about it," says NYU's Keith Ross, a professor of computer science. A high school-aged hacker would be capable of such an act, Ross says, adding that the hacker could scale the operation to track thousands of users. Skype's chief information security officer says determining other users' IP addresses is possible with typical Internet communications software, not just Skype's. 

PRIVACY LAW—U.S.

First Circuit Says Victims Can Recover Breach Costs (October 24, 2011)

A 2009 appeals court ruling held that costs plaintiffs incurred in the 2007 Hannaford Bros. data breach were not recoverable under Maine law, and that ruling was upheld in 2010, but the First Circuit has now reversed the decision, writes Mintz Levin's Kevin McGinty for Privacy and Security Matters. In the case, hackers targeted the grocer's payment system and obtained consumer credit and debit card numbers. The First Circuit ruled that it was therefore reasonable for the plaintiffs to purchase credit insurance or new credit cards to protect against identity theft. Maine law permits recovery for "out-of-pocket mitigation costs where it is reasonable to incur such costs," the report states. McGinty writes that class-action data breach plaintiffs will likely try to capitalize on the decision.

PRIVACY LAW—U.S.

SCOTUS Case Draws Industry, Advocates’ Attention (October 24, 2011)

Web companies and privacy advocates are weighing in on a Supreme Court case that involves the Real Estate Settlement Procedures Act and whether a consumer has the right to sue when no economic injury has been sustained, MediaPost News reports. Web companies including Yahoo, LinkedIn, Facebook and Zynga have submitted an amicus brief that states, "Permitting a lawsuit to proceed where the plaintiff has suffered no concrete, particularized, individual injury gives plaintiffs and their attorneys license to use the class-action mechanism to attempt to 'enforce' claimed widespread violations of the law." The Electronic Privacy Information Center countered in a brief that states, "Harms suffered as a result of privacy violations are difficult to quantify."   

SOCIAL NETWORKING

DPC Investigating “Shadow Profiles” and Data Logs (October 24, 2011)

The Irish Data Protection Commissioner (DPC) is investigating complaints against Facebook for its data collection practices. Fox News reports on one allegation that the site encourages members to offer information on nonmembers and uses it to create "extensive profiles." The Wall Street Journal reports that another complaint claims Facebook held information on an Austrian student which appeared to have been deleted from his account. The data included rejected friend requests, untagged photos of the student and logs of all his chats. Facebook denies both claims. A company spokeswoman said "the assertion that Facebook is doing some sort of nefarious profiling is simply wrong," adding that its messaging service works the way "every message service ever invented works." (Registration may be required to access this story.)

PRIVACY LAW—GERMANY

Social Network Warned About Facial Recognition (October 24, 2011)

Hamburg Data Protection Commissioner Johannes Caspar has announced that the world's largest social network has until November 7 "to bring its facial recognition software into conformity with privacy laws in Germany and the European Union or face legal action," AFP reports. Caspar told the press agency that negotiations with Facebook have been extended, but "If our demands are not met, we will be obliged to take the legal path" regarding the facial recognition application, which the data protection official believes violates national and EU data protection law.

DATA LOSS—U.S.

SEC Says Employee Data Was Exposed (October 24, 2011)

The New York Times reports on the Securities and Exchange Commission (SEC) breach that may have compromised its employees' financial information. Two years ago, the commission required its 4,000 employees to use a comprehensive database to clear their security transactions and monitor their financial holdings. Financial Tracking Technologies (FTT) monitors the database, but the SEC told its employees that FTT granted access to an unauthorized party and that employees' personal information might have been exposed. The SEC has offered free credit monitoring to affected employees for one year. There is no evidence that the information has been misused. (Registration may be required to access this story.)   

PRIVACY LAW—IRELAND

Commissioner Clarifies Directive Implementation (October 24, 2011)

Ireland's Data Protection Commissioner (DPC) has said that websites do not need to get separate consent from users when employing Google Analytics on homepages, The Sociable reports. The UK's implementation of the EU's e-Privacy Directive (2009/136/EC) requires websites to gain consent prior to loading Google Analytics, according to the report. A representative from the DPC said, "this office expects websites to make information available on their homepages in relation to cookie usage generally including third-party analytics services such as Google Analytics, but we do not consider that SI 336 of 2011 imposes a need for an explicit separate consent for Google Analytics use."

PRIVACY LAW—U.S.

California Law Prevents Employee Credit Checks (October 24, 2011)

Earlier this month, California became the seventh state to enact legislation restricting employers from using consumer credit reports in making hiring and personnel decisions, reports the Hunton & Williams Privacy and Information Security Law Blog. The new law contains some exemptions, such as when the position is managerial, is within the Department of Justice or law enforcement, or involves regular access to cash during the workday. Written notice is required if an exemption applies. Employers using consumer credit reports in making employment decisions should be sure their policies comply not only with the new law in California but with the similar laws in the six other states, the report states.

PRIVACY

Toth Named Google+ Head of Privacy (October 24, 2011)

The Hill reports on the selection of Anne Toth as head of privacy for the Google+ social network. Toth recently announced her departure as head of privacy at Yahoo, and Google confirmed on Friday that Toth would begin her new role with Google+ this week. "Google agreed to implement a comprehensive privacy program in March as part of a settlement with the Federal Trade Commission related to the rollout of Google Buzz," the report states, noting that while Toth will be head of privacy for Google+, Alma Whitten will remain director of privacy for product and engineering, leading companywide privacy efforts.

SOCIAL NETWORKING—GERMANY

Site Will Give Exemption To Schleswig-Holstein (October 21, 2011)

In a private meeting between Schleswig-Holstein Data Protection Commissioner Thilo Weichert and Facebook European Head of Privacy Policy Richard Allen, Allen offered to bar the transfer of data collected from Schleswig-Holstein IP addresses to the U.S., reports The Local. Allen also offered a full account of how the company collects and uses data, the report states. Weichert, who in September threatened websites with fines of up to €50,000 if "like" buttons were not removed, says--if implemented--this agreement would be "a great success." Meanwhile, Hamburg's data protection authority is calling on Facebook to obtain explicit consent from users prior to employing its facial recognition automatic tagging feature, saying, "The time for negotiation is now over."

PRIVACY LAW—U.S.

Actress Sues IMDb for Publishing DOB (October 21, 2011)

An actress is suing the Internet Movie Database (IMDb), an Amazon subsidiary, for revealing her age without her consent, the Associated Press reports. The suit filed in U.S. District Court in Seattle last week alleges breach of contract and privacy law violations and seeks more than $1 million in damages. The plaintiff says that she deliberately did not include her date of birth on the IMDb site, but the company sought it out and added it to her profile, resulting in a reduction of roles offered. IMDb refused to remove the information upon request, according to the report.

DATA PROTECTION—EU

Article 29 WP Releases Plenary Notes (October 21, 2011)

The Article 29 Working Party held its 82nd plenary meeting in Brussels last week, discussing such topics as harmonization among member states and data breach notification. According to a press release issued yesterday, the group will soon send Vice President Viviane Reding proposals for "a mechanism to ensure cooperation and coordination between data protection authorities and to ensure consistent application of the law." The Working Party also agreed to provide insight to the European Commission on data protection concerns related to the World Anti-Doping Code and has decided to intensify its dialogue with ENISA, the European Network and Information Security Agency. Party members also heard from a Fundamental Rights Agency representative on certain data protection projects.

DATA LOSS—U.S.

SEC Notifies Employees of Data Breach (October 21, 2011)

The Securities and Exchange Commission (SEC) has notified employees of a potential data breach and recommends that they take steps to protect themselves from identity theft, Business Insider reports. A former employee of a company hired by the SEC expressed concerns about how the government agency's data was being handled and processed. Financial Tracking Technologies was hired by the SEC to handle employees' brokerage data but says it notified the SEC of the questionable third-party relationship, the report states. The SEC recently issued guidelines urging public companies to disclose data breaches. Stroz Friedberg Managing Director John Reed Stark said, "It's an irony that the SEC experienced the stress that public companies face every day when worrying about a data breach."
Full Story

DATA PROTECTION—UK

Survey Respondents: Online Details Not Protected (October 21, 2011)

The Press Association reports on a survey of more than 1,200 UK residents by the Information Commissioner's Office (ICO) that has found approximately 75 percent do not believe online companies are keeping their personal information secure. Additionally, more than two-thirds of the survey's respondents indicated they believe current UK laws "fail to provide sufficient protection of personal information, and three in five feel they have lost control over the way their information is collected and processed," the report states. Information Commissioner Christopher Graham noted, "Companies need to consider the damage that can be done to a brand's reputation when data is not handled properly."
Full Story

PRIVACY LAW—U.S.

Reagan-Era Laws Need Revision, Say Some (October 21, 2011)

Sen. Patrick Leahy (D-VT), along with civil rights groups and online industry representatives, is calling for revisions to the 25-year-old Electronic Communications Privacy Act. Leahy said Thursday that he will schedule a markup to update the act before the end of the year, according to The Hill. In a statement, he said the law has been "significantly outdated and outpaced" by technology and "the changing mission of our law enforcement agencies after Sept. 11," reports Wired. Meanwhile, MediaPost News reports that Netflix plans to argue that the Video Privacy Protection Act's damages provision is unconstitutional, depriving the company of the due process of law and violating the ban on excessive fines.
Full Story

PRIVACY LAW—U.S.

Boucher: Legislation Lacks “Critical Mass” (October 20, 2011)

The National Journal reports on recent comments made by former Rep. Rick Boucher on the possibility of Congress passing comprehensive privacy legislation during the current term. "There are some major company supporters of a privacy bill," Boucher said, "but not the critical mass that I think is necessary to drive a bill through to passage." Speaking at a forum Wednesday, Boucher predicted that the House will likely pass a children's privacy bill and move to update a 1988 law that protects the video rental accounts of consumers. Of the children's privacy bill, sponsored by Reps. Joe Barton (R-TX) and Ed Markey (D-MA), Boucher said that when the two congressmen "agree on something, they are very powerful as a duo. And they can often drive the result, and I think they will do so in this case." Editor's Note: See this month's edition of Inside 1 to 1: PRIVACY for insights from privacy experts on whether a federal "Privacy Bill of Rights" will become a reality.

CONSUMER PRIVACY—U.S.

Privacy Groups File FTC Complaint (October 20, 2011)

A group of privacy and consumer advocates has filed a joint complaint to the Federal Trade Commission (FTC) alleging PepsiCo and its subsidiary Frito-Lay North America exercised unfair and deceptive practices during a recent digital marketing campaign aimed at teenagers, Direct Marketing News reports. The complaint also alleges that the marketing campaign attempted to maximize data collection without transparency or user consent while urging teenagers to share photos and access to their social networking accounts, the report states. One of the complaint's contributors said that the company should have "created an appropriate online environment that enables teens to control their data and made clear that these are ads, not games or virtual worlds."
Full Story

DATA PROTECTION—HUNGARY

Groups Appeal to Barroso on Ombudsman Role (October 20, 2011)

Three Hungarian civic groups have asked European Commission President José Manuel Barroso to launch proceedings against Hungary due to its passage of a bill that they say violates EU laws, politics.hu reports. The Károly Eötvös Institute, the Hungarian Helsinki Committee and the Hungarian Civil Liberties Union say Hungary's passage of a "cardinal law" in July that sees the role of the country's independent data protection ombudsman subsumed by the new National Data Protection and Freedom of Information Authority goes against EU legal frameworks, according to the report.
Full Story

BIOMETRICS—U.S.

Committee Wants FTC Report on Facial Recognition (October 20, 2011)

Sen. John "Jay" Rockefeller (D-WV), chairman of the Commerce, Science and Transportation Committee, has requested a report from the Federal Trade Commission (FTC) outlining the security implications of facial recognition technology, reports Nextgov. Social networking and law enforcement organizations are increasingly using the technology, with the FBI expected to launch a nationwide service for authorities by January 2012. Rockefeller wrote in his letter that while considering future privacy legislation, the committee "will need to understand the capabilities of this technology, as well as the privacy and security concerns raised by their development." The FTC will hold a workshop on December 8 to discuss issues such as prior consent and possible benefits; it will then report back to Rockefeller's committee.
Full Story

DATA LOSS—U.S.

FBI Investigating Former Hospital Employees (October 20, 2011)

The FBI is investigating a breach of patient records at Florida Hospital, WESH 2 News reports. Three employees have been fired for improperly accessing private information on more than 2,000 patients, the report states. The three have not been charged, but they are suspected of selling the information of patients from Orange, Seminole and Osceola counties. "There are so many hospitals and a number of possible victims out there," Osceola County Sheriff's Office Spokeswoman Twis Lizasuain said. "That's why the FBI was brought in to this." One of the suspects allegedly accessed and sold an "extreme" amount of data.
Full Story

HEALTHCARE PRIVACY—U.S.

ACP Proposes Privacy Rule on Health Data Reuse (October 20, 2011)

Healthcare IT News reports that the American College of Physicians (ACP) has proposed a privacy rule that would maximize appropriate uses of health data to improve scientific advances while maintaining ethical and privacy standards. The 15-page policy paper, "Health Information Technology & Privacy," includes 13 policy stances to provide guidance for a comprehensive framework. The paper's release comes before the end of the comment period for the Advance Notice of Proposed Rulemaking. The president of the ACP said, "The paper suggests revisions to the current regulations, which are now being considered because the Department of Health and Human Services believes these changes will strengthen protection for research subjects in a number of important ways."    
Full Story

ONLINE PRIVACY

Advocacy Group: No Concern with Tablet Browser (October 20, 2011)

The Electronic Frontier Foundation (EFF) says the new browser offered by Amazon for its soon-to-be-released tablet computer poses no privacy threat to users. This announcement comes on the heels of a letter written by Rep. Edward Markey (D-MA) questioning the company on how it plans to use data it collects through the browser. TIME reports that Amazon assured the EFF that one of the causes of concern, split browsing--or cloud acceleration--mode, while being the default, "will be easy to turn off on the first page of the browser settings menu." Amazon also will not collect any encrypted traffic, states the report.
Full Story

PRIVACY LAW—U.S.

Akaka Introduces Bill To Update Privacy Act (October 19, 2011)

Sen. Daniel Akaka (D-HI) has introduced a bill to amend the Privacy Act of 1974. This Daily Dashboard exclusive looks at the Privacy Act Modernization for the Information Age of 2011, which would create a federal chief privacy officer at the Office of Management and Budget and a government-wide Chief Privacy Officers Council. It would also seek to overturn the Supreme Court's decision in Doe v. Chao, "which held that an individual has to show actual damages resulted from an intentional or willful improper disclosure of personal information in order to receive an award." In addition, the bill would "tighten requirements for agency controls," update penalties for violations "to reflect similar penalties in other laws" and expand investigative tools to more government agencies, among other measures.

DATA PROTECTION—U.S.

Gov’t Agencies Propose Contractor Privacy Training (October 19, 2011)

Three government agencies have proposed a rule that would require an appropriate level of privacy training for government contractors, GovInfoSecurity reports, "in order to ensure consistency across the government." Issued by the Department of Defense, the General Services Administration and the National Aeronautics and Space Administration in the wake of the TRICARE breach, the proposed rule would cover handling personally identifiable information (PII), authorizing use of a government system of records, restricting use of personal equipment to process or store PII, preventing access by unauthorized users and establishing breach notification procedures and training requirements for specific agencies.
Full Story

DATA LOSS—AUSTRALIA

Company Scrutinized for Unreported Breach (October 19, 2011)

The Sydney Morning Herald reports on a security breach at fund management company First State Super and the reaction of customers who were reportedly not notified of the incident. The event came to light when a security consultant attempted to warn the company of a flaw in its system that allowed access to sensitive customer data. Of its 770,000 customers, the company warned approximately 500 individuals whose information was accessed by the consultant. Acting New South Wales Privacy Commissioner John McAteer said the incident highlights the need for data breach notification legislation. Australian Privacy Commissioner Timothy Pilgrim has announced that he is opening an "own motion investigation" into the company.
Full Story

PRIVACY LAW—U.S.

New Jersey Courts Differ on ZIP Code Collection (October 19, 2011)

In September, two New Jersey courts made opposite rulings on whether retailers can collect ZIP codes as a condition of using a credit card, reports the Hunton & Williams Privacy and Information Security Law Blog. On September 16, a New Jersey Superior Court judge denied Harmon Stores' motion to dismiss a class-action suit claiming the store's policy on collecting ZIP codes violates the Truth-in-Consumer Contract, Warranty and Notice Act (TCCWNA). Ten days later, a U.S. District Court judge dismissed a case against Williams-Sonoma alleging the same violations, saying that a credit card transaction does not constitute a "written consumer contract" under TCCWNA, and, even if it did, a ZIP code "does not constitute a contract provision that violates an individual's rights." Editor's Note: Read about the California Supreme Court's decision in a similar case against Williams-Sonoma in the story "California Supreme Court rules that ZIP codes are personal identification information" from the March edition of the IAPP's Privacy Advisor newsletter. Member login will be required.
Full Story

DATA PROTECTION—U.S. & CANADA

Regulators Urge Business Leaders To Limit Data Collection (October 19, 2011)

Speaking at a conference in San Francisco, U.S. and Canadian regulators warned entrepreneurs and business leaders of the dangers of collecting unnecessary data from customers, InformationWeek reports. FTC Bureau of Consumer Affairs Director David Vladeck said that businesses should only collect information they need and not retain it longer than is necessary, adding, "It's an albatross that can come back and really bite you." Saying that "privacy is an enabler of innovation" and can provide a competitive advantage, Ontario Information and Privacy Commissioner Ann Cavoukian urged businesses to proactively protect privacy and give consumers control of their data. "Privacy is about control...The individual should control what happens to the information," said Cavoukian.
Full Story

SURVEILLANCE—JAPAN

“Boyfriend Tracker” App Revised After Complaints (October 19, 2011)

A Japanese mobile application developer has released a new version of an app designed to track GPS-enabled mobile devices after receiving hundreds of complaints that the software had been covertly installed on people's phones, reports The Telegraph. Kare Log did not display an icon to alert users that the software was in use. Japan's communications ministry said in a statement, "The consent of a tracked individual is very important. There were problems with the way that Kare Log was advertised." While the basic plan allowed location and battery usage to be tracked, an upgrade would allow for the monitoring of calls--including phone numbers dialed and the dates, times and lengths of calls.
Full Story

ONLINE PRIVACY

Site Brings New Meaning to “Creepy” Data Use (October 19, 2011)

A new website--used by 300,000 people in its first 24 hours--accesses information from people's Facebook accounts to create a personalized horror movie featuring a man browsing through the user's account and "getting increasingly agitated," reports The New York Times. Take This Lollipop's developer, Jason Zada, says creating the site was a fun seasonal project but adds that its popularity may in part be due to people's concerns about how their data is being used. "When you see your personal information in an environment where you normally wouldn't, it creates a strong emotional response," Zada said. "It's tied into the fears about privacy and personal info that we have now that we live online." (Registration may be required to access this story.)
Full Story

Akaka Introduces Bill To Update Privacy Act (October 19, 2011)

Sen. Daniel Akaka (D-HI) has introduced a bill to amend the Privacy Act of 1974. The Privacy Act Modernization for the Information Age of 2011 would create a federal chief privacy officer and a government-wide Chief Privacy Officers Council. It would also overturn the Supreme Court’s decision in Doe v. Chao, “which held that an individual has to show actual damages resulted from an intentional or willful improper disclosure of personal information in order to receive an award,” according to Akaka’s remarks in the Congressional Record.

Akaka became a member of the U.S. Senate three years after the enactment of the Privacy Act of 1974. Introducing the modernization bill this week, he said the expansion of technology, increased security needs that put pressure on personal information and the growth of the data “market” prompted him to draft the update. Akaka said he consulted with privacy experts, working groups and advocates to inform the draft, and he examined the recommendations laid out in the 2008 Government Accountability Office (GAO) report “Privacy: Alternatives Exist for Enhancing Protection of Personally Identifiable Information.”

The role of a federal chief privacy officer in the Office of Management and Budget (OMB) has not existed since the 1990s.

Peter Swire, CIPP, who was chief of privacy in the OMB during the Clinton Administration, told the Daily Dashboard, “The most important information sharing often happens across agencies, and a federal CPO can help ensure that the interagency privacy issues are handled more effectively."

The bill’s proposal to create a government-wide Chief Privacy Officers Council would “fill wide gaps in…privacy leadership and ensure consistent development of policies and guidance on the Privacy Act across agencies,” Akaka said.

In addition, the bill would update penalties for violations of the Privacy Act, and it would “clarify Congress’s intent in the statutory damages provision in the Privacy Act by overturning Doe v. Chao, in which the Supreme Court, I believe wrongly, held that an individual has to show actual damages resulted from an intentional or willful improper disclosure of personal information in order to receive an award,” Akaka said.

BEHAVIORAL TARGETING

MMA Rolls Out App Developer Privacy Guidelines (October 18, 2011)

The Mobile Marketing Association (MMA) has released privacy guidelines to provide app developers with a set of best practices for creating and maintaining privacy policies, MediaPost News reports. In addition to addressing mobile-location data collection, the guidelines include advice on appropriate ways to inform consumers about how their data is collected, used and protected as well as recommending an opt-out, seeking legal counsel and disclosing third-party data sharing. Future of Privacy Forum Director Jules Polonetsky, CIPP, said, "With this document, even small app developers will have the tools to properly explain to users the basics of how data is being handled."

PRIVACY LAW—UK

ICO: Cookie Consent Is Not Optional (October 18, 2011)

Information Commissioner Christopher Graham has warned that nearly half of the one-year grace period for implementing cookie consent obligations has elapsed and not enough is being done by the industry to meet the new requirements thus far, Silicon.com reports. Speaking last week at a digital marketing forum, Graham said, "We will shortly be producing the commissioner's half-term report...it will be couched very much in those familiar terms of 'could do better, must try harder.'" Graham also said that a do-not-track approach in browsers is "no silver bullet," adding, "I still think there are a fair number of people in the advertising business and the website business who are in denial about this...However much you don't like it...consent for cookies is the law."
Full Story

PRIVACY LAW—U.S.

Lawmakers, Advocates: ECPA Needs Overhaul (October 18, 2011)

Sens. Ron Wyden (D-OR) and Mark Kirk (R-IL) are meeting with advocacy groups in Washington, DC, today to discuss the need for reform of the Electronic Communications Privacy Act (ECPA), American Public Media reports. With its 25th anniversary this week, groups such as the Center for Democracy & Technology (CDT) say that ECPA does not address changes in technology since the law's inception in 1986. Noting that cell phones and location data collection were virtually nonexistent 25 years ago, a CDT representative said, "There's no consistent rule about what law enforcement has to show to a judge in order to get records about where you are right now, where you're going to be for the next 30 days or where you were for the last six months."
Full Story

PRIVACY LAW—PHILIPPINES

Senate Deliberates Data Protection Act (October 18, 2011)

The Philippines Senate has begun deliberations on the proposed Data Privacy Act, which includes monetary fines and jail terms for data breaches, unauthorized disclosure of data to a third party and disclosure of sensitive personal information, reports Business World. The bill's sponsor, Sen. Edgardo J. Angara, said the country lacks "the over-arching policy framework that upholds privacy laws and penalizes individuals for overstepping them." The Senate committee has approved the creation of a National Privacy Commission to implement the regulations once enacted. A Business Processing Association representative lauded the effort, saying, "a data privacy law will pave the way to increased client or investor confidence as it solidifies our commitment of data security to our foreign clients." 
Full Story

SOCIAL NETWORKING—U.S.

Poll: Frequent Users Less Concerned About Privacy (October 18, 2011)

USA TODAY reports on a recent poll of more than 2,000 U.S. adults that indicates the more individuals use the world's largest social networking site, the less concerned they are about their privacy. "Only 26 percent of respondents who use Facebook at least daily said they were 'very concerned' about privacy, compared with 35 percent who use the social network at least once a week and 39 percent who use Facebook less often," the report states. However, new features on the site remain unpopular, the poll found, and a wave of recent lawsuits, including one filed in Kentucky and one in Mississippi, is focused on such concerns as allegations the site tracked users' online activities after they logged out.
Full Story

PERSONAL PRIVACY—CANADA

Coalition Wants Smart Meters Stopped (October 18, 2011)

A citizens' coalition in British Columbia hopes to stop a utility's installation of smart meters in homes across the province, Nanaimo News Bulletin reports. "These BC Hydro smart meters have to go completely," said spokesman Walter McGinnis of the Coalition To Stop Smart Meters. The group wants to stop the mandatory installation of the meters due to privacy, security and other concerns. It plans to launch an appeal under the BC Recall and Initiative Act. BC Hydro Community Relations Manager Ted Olynyk says that meter installations will continue. The utility asserts that the meters use data protection methods similar to those used by banks.
Full Story

SURVEILLANCE—GERMANY

Police Using Spyware on Suspects’ Computers (October 17, 2011)

A German hacking group has announced that, after analyzing the hard drives of people who had been under investigation, it found software allowing police to log keystrokes, capture screenshots and activate cameras and microphones, reports The New York Times. After the announcement, Justice Minister Sabine Leutheusser-Schnarrenberger called for an inquiry into the matter, and Data Protection Commissioner Peter Schaar said Parliament needs to clarify search and surveillance laws, adding, "In my opinion, this kind of infiltration through software is a deeper intrusion and a greater risk than simply listening in on a phone line." While federal investigators denied using the software, several state investigators admitted using it, states the report. (Registration may be required to access this story.)

PERSONAL PRIVACY—U.S.

Automotive Data Recorders Drive Privacy Concerns (October 17, 2011)

USA Today reports on the privacy concerns raised by event data recorders installed in most new vehicles. The devices can provide information such as a vehicle's speed, brake or accelerator application, steering direction and seatbelt use. Laws to limit access to the collected information have been enacted in 13 states, but many states do not have laws preventing an individual from uploading the data without permission. One consumer advocate says that transponder-style readers will be able to access the data by coming close to a vehicle. A car insurance representative says they are "a valuable tool for insurance companies" to determine the causes of an accident as well as to adjust premiums to match customers' driving habits. 
Full Story

BIOMETRICS—U.S.

Privacy Concerns Raised in Collection of Police DNA (October 17, 2011)

Police officers and unions in locations across the country are voicing concerns over various proposed requirements to collect their DNA and place the information in databases, the Associated Press reports. Some say the collected data helps save time during investigations of crime scenes and prevents doubt about genetic material in trials, while other officers have expressed concern about the management of the collected data, including using it to determine health insurance rates. A Connecticut trooper said, "From a civil liberties standpoint, there are a lot of red flags." Meanwhile, a Louisiana sheriff said, "I think it's a good tool that we're utilizing...I realize that there may be some privacy concerns...We should be leaders in saying we don't have a problem doing it."
Full Story

PRIVACY LAW—U.S.

Judge Sides with Hospital in Privacy Lawsuit (October 17, 2011)

An Arkansas judge has sided with a hospital in a privacy lawsuit that alleges three of the institution's employees illegally accessed a slain television anchor's medical files, 40/29 News reports. Filed by the anchor's mother, the lawsuit was overturned by Pulaski County Circuit Court Judge Leon Johnson, who cited an Arkansas law that halts privacy invasion claims once the affected individual passes away, the report states. The lawsuit was originally filed in 2009. 
Full Story

ONLINE PRIVACY—U.S.

Expert: Choices Need To Be Simplified (October 17, 2011)

The New York Times examines the role of default design choices in online privacy, citing research by a Carnegie Mellon University team that "suggests the difficulty that ordinary users have in changing the default settings on Internet browsers or in configuring software tools for greater online privacy." The project results indicate that, even among privacy-conscious Internet users, "The privacy tools typically proved too complicated and confusing to serve the needs of rank-and-file Internet users." One expert suggests the research points to the need to simplify privacy software, adding, "The defaults are crucial." (Registration may be required to access this story.)
Full Story

IDENTITY THEFT—U.S.

Experts Talk Medical ID Theft Cause and Effect (October 17, 2011)

A PricewaterhouseCoopers (PwC) study found that one-third of healthcare organizations have experienced patients misidentifying themselves in order to obtain services, and, according to an American Medical News report, experts say the repercussions of--and the privacy challenges surrounding--medical ID theft will grow alongside electronic records sharing. Jim Koenig, CIPP, of PwC notes that medical ID theft is the fastest growing segment of identity theft, and Larry Ponemon, CIPP, of the Ponemon Institute says that nearly half of these are willing "victims" who have lent their identity to another to get needed services. The PwC report recommends ways that organizations can prevent the misuse, including deputizing "all workers as privacy champions."
Full Story

ONLINE PRIVACY—U.S.

Markey Letter Questions Retailer About Browser (October 17, 2011)

Rep. Edward Markey (D-MA) has written to Amazon CEO Jeffrey Bezos with questions about how the company plans to use the data it collects from its new browser, which is partly housed on Amazon servers, reports The New York Times. Markey has asked what data Amazon plans to collect, whether it plans to sell or rent customer information to other companies and whether the tracking will be opt-in or opt-out, among other questions. "As the use of mobile devices, especially tablets, becomes ubiquitous, we must ensure that user privacy is protected and proper safeguards are in place so that consumers know if and when their personal information is being used and for what purpose," said Markey. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

DoD Hit with $4.9 Billion Lawsuit Over Data Breach (October 14, 2011)

The Department of Defense is facing a $4.9 billion lawsuit over the Tricare data breach that affected 4.9 million beneficiaries, ArmyTimes reports. The suit names Defense Secretary Leon Panetta and Tricare but not the defense contractor Science Applications International Corp., whose employee had backup tapes stolen from his vehicle on September 13. Plaintiffs are seeking $1,000 for each individual affected by the exposure. The suit alleges that plaintiffs incurred economic losses and "suffered emotional upset." The suit also seeks credit monitoring services. "It doesn't make us happy to bring this lawsuit," said one of the plaintiffs' attorneys involved.

PRIVACY LAW—U.S.

Judge: No Warrant for Cell Tower Location Data (October 14, 2011)

A Washington, DC, judge has ruled that police do not need a warrant to obtain cell phone location data collected through cell towers; however, prosecutors must present evidence as to why the information is material to the investigation, reports The Blog of Legal Times. A "reasonable cellular phone customer presumably realizes that his calls are all transmitted by nearby cell-site towers and that cellular phone companies have access to and likely store data regarding the cell-site towers used to place a customer's calls," Judge Royce Lamberth said, adding that the information reveals only an approximate account of users' movements. The U.S. Supreme Court will review a case in November exploring whether ongoing use of GPS technology to monitor a suspect's movements requires a warrant.
Full Story

DATA PROTECTION

SEC Division Wants Breach/Risk Disclosures (October 14, 2011)

The Securities and Exchange Commission's (SEC) Division of Corporate Finance has issued a Disclosure Guidance calling for risk assessments and disclosures, reports the Hogan Lovells Chronicle of Data Protection. The guidance "is not a rule, regulation or statement of the SEC," writes Christopher Wolf, adding that the commission has neither approved nor disapproved the document. "Still," writes Wolf, "companies that ignore the advice...and fail to assess and disclose material cybersecurity risks do so at their peril--risking regulatory and legal action." Wolf summarizes the guidance and predicts that it "is likely to result in public corporations engaging in a substantial and detailed assessment" of their risks and "may lead to a litigation trend of plaintiffs suing" over breaches.
Full Story

PRIVACY LAW—U.S.

Subcommittee Talks Behavioral Advertising, Consumer Choice (October 14, 2011)

Lawmakers at yesterday's House subcommittee hearing on consumer expectations agreed that online privacy matters to consumers, reports this Daily Dashboard exclusive. But how to ensure those expectations are met was up for debate, with some arguing baseline privacy legislation has been a long time coming and others advocating for industry self-regulation. The World Privacy Forum's Pam Dixon argued that industry self-regulation has had a troubled past and there's no evidence to indicate that this time will be different, while the Direct Marketing Association's Linda Woolley said the industry can regulate better than government because it's "nimble" and can "move quickly."
Full Story

SSN PRIVACY—U.S.

SSA Accidentally Releases SSNs of 14,000 Per Year (October 14, 2011)

The Social Security Administration (SSA) estimates that it includes the personal information of about 14,000 living citizens in its Death Master File, in which it records the information of about 90 million deceased Americans each year, reports The Seattle Times. The report notes that while 46 states have breach laws requiring organizations to disclose such a breach, the SSA--exempt from state laws--does not notify the affected citizens of the exposure of their information. "This is a clear failure to follow the rules meant to warn consumers when their most private information has been exposed," said one consumer advocate. An SSA representative said the organization takes "prompt action" to correct mistakes in the file.
Full Story

PRIVACY LAW—U.S.

Psychologists Take Insurers to Court (October 14, 2011)

The New Jersey Psychological Association has filed a lawsuit against two insurance companies claiming the companies ask for information protected by privacy laws in order to cover services, reports Newsworks. One association doctor says the insurers are asking about the issues patients are discussing with doctors, adding, "if you say, you're asking for information which violates the licensing law--which violates the patient's privacy, and I can't give it to you...they then say, we'll deny the treatment." A similar suit was dismissed for technical reasons last year, but the association believes that because two patients have joined the suit, they have a better chance of success.
Full Story

HEALTHCARE PRIVACY—U.S.

GOP Brings Privacy Concerns to Healthcare Debate (October 14, 2011)

House Republicans are asking government health leaders to block the Obama Administration's healthcare legislation, saying that the plan will mean giving the federal government access to citizens' medical records, reports The Hill. In a letter to Health and Human Services Secretary Kathleen Sebelius, Rep. Tim Huelskamp (R-KS) writes, "Regardless of whether the data collection would involve raw claims data or individual risk scores, the creation of such a risk adjustment database constitutes extreme government overreach, impinges on patients' rights to privacy and jeopardizes fair competition in the healthcare market." Steve Larsen, director of the Center for Consumer Information and Insurance Oversight, said in a blog post that the Centers for Medicare and Medicaid Services "does not propose that states collect personal data such as name, Social Security number or address for the risk adjustment program."
Full Story

Lawmakers Discuss Behavioral Advertising, Consumer Choice (October 14, 2011)


By Angelique Carson, CIPP

Online privacy matters to consumers when it comes to their own data, agreed lawmakers at yesterday’s House subcommittee hearing on consumer privacy expectations. But how to ensure those expectations are met was up for debate, with some arguing baseline privacy legislation has been a long time coming and others advocating for industry self-regulation.

Members of the Subcommittee on Commerce, Manufacturing and Trade heard testimony on topics such as online behavioral targeting and the collection, use and sale of consumer data from witnesses representing industry, advocacy and trade groups. Data processing costs have decreased while the value of consumer data has increased, a subcommittee memorandum noted, raising concerns among privacy advocates about a “lack of transparency and, in some cases, a lack of choice for the consumer to opt out of having their data collected and/or shared with unknown parties.”

Though Mozilla and Microsoft both introduced do-not-track features into their browsers earlier this year, there are no regulations requiring website operators to comply with user preferences, resulting in low levels of compliance.

The World Privacy Forum’s Pam Dixon submitted a report stating that the industry’s track record with self-regulation is marred by failures. The report cites examples such as the Individual Reference Services Group, the Privacy Leadership Initiative and the Online Privacy Alliance.

“Is there any reason to think that privacy self-regulation will work today when it did not work in the past?” the report asks.

Dixon did not call for federal legislation as a remedy, but Rep. G.K. Butterfield (D-NC) said he “feels strongly that a national baseline privacy law is the best way to ensure that consumers have basic common sense and permanent rights over the collection and use of their information.” Rep. Joe Barton (R-TX) agreed, as did Microsoft’s Michael Hintze, who added, however, that decisions about consumer privacy are complicated.

“Privacy means different things to different consumers,” said Hintze. “Consumers also have different privacy expectations depending on the context in which their data is collected and used.”

Barbara Lawler, CIPP, of Intuit said the company’s position on consumer data is that it belongs to the consumer, not the company.

“Data privacy matters to consumers,” she said. “While they don’t pore over privacy statements, they do care deeply about privacy and how their data is used.”

Barton,...

PRIVACY LAW—U.S.

House Committee Visits Consumer Attitudes on Privacy (October 13, 2011)
The House Energy and Commerce Committee's Subcommittee on Commerce, Manufacturing and Trade convened this morning for the hearing "Understanding Consumer Attitudes About Privacy." Subcommittee Chair Mary Bono Mack (R-CA) opened the hearing, the purpose of which was "to examine consumers' attitudes toward privacy as reflected by their utilization and manipulation of existing privacy controls," according to a House memorandum. Members heard from witnesses representing industry, academia and advocacy. One witness, Pam Dixon of the World Privacy Forum, submitted testimony in the form of a report entitled "Many Failures: A Brief History of Privacy Self-Regulation in the United States." Editor's Note: The Daily Dashboard tweeted from the hearing. Click to follow The Daily Dashboard.

HEALTHCARE PRIVACY—UK

Patients Fret About Breaches, ICO Wants Auditing Powers (October 13, 2011)

A study conducted by an auditing solutions firm has revealed that more than half of National Health Service (NHS) patients would withhold personal information from their doctors due to concerns over data breaches or confidentiality, PublicService.co.uk reports. Of the more than 1,000 respondents, nearly 40 percent said they would seek alternative treatment if a clinic had a poor data security reputation. Meanwhile, Information Commissioner Christopher Graham has once again called for powers to conduct compulsory data protection audits in the local government, health and private sectors, according to a press release. Graham said, "Something is clearly wrong when the regulator has to ask permission from the organizations causing us concern before we can audit their data protection practices."
Full Story

DATA LOSS—U.S.

Recent Medical Breaches Affect More Than 1.6 Million (October 13, 2011)

A Florida-based medical company, Nemours, has reported the loss of unencrypted computer backup tapes containing names, addresses, dates of birth, Social Security numbers, insurance information, medical treatment information and direct deposit bank account information on 1.6 million patients and their guarantors, vendors and employees at facilities in Delaware, Pennsylvania, New Jersey and Florida, Becker's Hospital Review reports. In separate incidents, Genentech has advised the New Hampshire Attorney General of a loss of similar patient data by an unnamed vendor, and United Healthcare has advised that a hard drive containing personal information on 582 members from Ohio was stolen from a vendor this summer and reported to the company in September. 
Full Story

PRIVACY LAW—U.S.

Judge: Medical Privacy Suit Belongs in State Court (October 13, 2011)

Courthouse News Service reports on a federal judge's ruling in a case involving the loss of confidential medical information on more than 280,000 children. The proposed class action involves an unencrypted flash drive missing from Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan. The lead plaintiff sought to have the case remanded to a Pennsylvania state court, while the insurers argued that allowing state courts to interpret HIPAA's privacy provisions "would flout the congressional intent to maintain the national uniformity of HIPAA." Federal Judge Anita Brody disagreed, however, writing in a seven-page opinion that it "is well established that there is no federal private right of action under HIPAA," the report states.
Full Story

PERSONAL PRIVACY—U.S.

USPS Welcome Kits Deliver Privacy Concerns (October 13, 2011)

U.S. Postal Service (USPS) "Welcome Kits," which are delivered to people who fill out a change of address form, are a topic of concern for some privacy advocates who say that by selling advertising included in the kits, the USPS may be violating the Privacy Act, reports The Washington Times. Under the act, federal agencies are not allowed to rent or sell personal information. The USPS says it is not doing either of those things and the "move-related special offers" are helpful to new residents. But one advocate says, "you have a federal agency collecting information for one purpose--forwarding mail--and using it for a wholly different purpose--direct marketing."
Full Story

BEHAVIORAL TARGETING—U.S.

Company’s Privacy Policy To Permit Location-Based Ads (October 13, 2011)

Verizon is altering its privacy policy to allow advertisers to target customers based on their physical address, ZDNet reports, but says it will not share customer addresses with advertisers. The new program is opt-out and has been questioned by at least two U.S. lawmakers. In an e-mail notifying customers of the change, the company states that the program "will improve the ability of advertisers to reach our Verizon Online customers based on your physical address...Using this program, national brands and local businesses can tailor their offers, coupons and incentives to your local area."
Full Story

ONLINE PRIVACY—U.S.

Researcher Finds Majority of Sites Leaking User Data (October 12, 2011)
Reuters reports on a Stanford University researcher's finding that dozens of companies are gathering and selling bits and pieces of presumably "anonymous" data on users. Researcher Jonathan Mayer says that 61 percent of 185 sites surveyed shared user information with other sites. And opting out of behavioral targeting doesn't stop the data collection, Mayer says of do-not-track efforts, adding, "It's a fact of life that information is going to leak to third parties." FTC Chairman Jon Leibowitz says tracked information "could be traded through an invisible lattice of companies, snowballing into an exhaustive profile of you available to those making critical decisions about your career, finances, health and reputation."
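
The kind of leakage the study describes can be checked for on one's own site. The following is an added example, not code from the article or from the researcher; it assumes that identifiers reach third parties through the request URL or the Referer header sent with embedded content, and every hostname, user and request in it is constructed. A request to a site other than the page's own that carries the logged-in user's identifier in either place is reported as a leak.

```python
"""Spot user identifiers leaking to third parties in a page's outbound requests
(added example, constructed data).

Each record describes one request a browser made while showing a first-party
page: the page URL, the request URL and the Referer header sent with it. A
request to another site whose URL or Referer carries the logged-in user's
identifier is a leak.
"""
from urllib.parse import urlsplit, unquote

# Identifiers of the constructed test user that must not reach third parties.
IDENTIFIERS = ["jdoe", "jdoe@example.com"]

PAGE = "https://www.example-social.test/profile?user=jdoe"

# Constructed requests observed while PAGE was loaded.
REQUESTS = [
    {"page": PAGE, "url": "https://ads.tracker-example.test/pixel?site=42",
     "referer": PAGE},                                   # leak: username in Referer
    {"page": PAGE, "url": "https://collect.analytics-example.test/c?uid=jdoe&e=jdoe%40example.com",
     "referer": "https://www.example-social.test/"},     # leak: identifiers in the URL itself
    {"page": PAGE, "url": "https://static.example-social.test/app.js?user=jdoe",
     "referer": PAGE},                                   # same site: not a third party
    {"page": PAGE, "url": "https://img.cdn-example.test/logo.png",
     "referer": "https://www.example-social.test/"},     # third party, nothing identifying
]


def site_of(url: str) -> str:
    """Approximate the registrable domain by the last two host labels.
    Assumption for this example; production code should use the public suffix list."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def identifiers_in(text: str, identifiers) -> list:
    """Identifiers present in the text after percent-decoding (case-insensitive)."""
    decoded = unquote(text).lower()
    return [i for i in identifiers if i.lower() in decoded]


def find_leaks(requests, identifiers):
    """Return (third-party host, channel, identifier) for every leaking request."""
    findings = []
    for req in requests:
        if site_of(req["url"]) == site_of(req["page"]):
            continue  # first-party request, not a disclosure to another site
        host = urlsplit(req["url"]).hostname
        for channel, text in (("url", req["url"]), ("referer", req.get("referer", ""))):
            for ident in identifiers_in(text, identifiers):
                findings.append((host, channel, ident))
    return findings


def leak_summary(requests, identifiers):
    """(third-party hosts contacted, third-party hosts that received an identifier)."""
    third = {urlsplit(r["url"]).hostname for r in requests
             if site_of(r["url"]) != site_of(r["page"])}
    leaking = {h for h, _, _ in find_leaks(requests, identifiers)}
    return len(third), len(leaking)


if __name__ == "__main__":
    for host, channel, ident in find_leaks(REQUESTS, IDENTIFIERS):
        print(f"{host} received {ident!r} via {channel}")
    print("third parties contacted / receiving identifiers: %d / %d"
          % leak_summary(REQUESTS, IDENTIFIERS))
```

The plain fix on the first-party side is to keep usernames and e-mail addresses out of page URLs, since whatever is in the URL travels to every embedded third party in the Referer header. Substring matching on short identifiers will produce false positives; in practice the identifier list is limited to values long enough to be distinctive.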

BIOMETRICS—U.S.

FBI Introducing National Facial Recognition System (October 12, 2011)

The FBI's Next Generation Identification system will soon be launched, NetworkWorld reports, and it aims to "combine biometric identifiers like fingerprints, palms, iris scans and voice recordings" while matching names to unidentified photos. With testing to begin in January, the new face-search tool is expected to be available to law enforcement authorities across the country by 2014, but privacy advocates are concerned some of the uploaded photos may be of people who are not ultimately convicted of a crime, the report states. One civil liberties advocate suggested removing those not convicted from the system, but the FBI has not commented, the report states.
Full Story

DATA LOSS

Company Suspends 93,000 Online Accounts (October 12, 2011)

Sony announced that it has locked 93,000 online network user accounts after detecting an unusual number of sign-in attempts from an unauthorized party, AFP reports. The suspicious activity reportedly took place between October 7 and 10 and succeeded in matching valid user IDs and passwords. The company said that the incidents "appear to include a large amount of data obtained from one or more compromised lists from other companies, sites or sources," and "only a small fraction of the 93,000 accounts showed additional activity prior to being locked." Sony is continuing an investigation into the breaches and has notified affected users.
Full Story
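
What Sony describes is credential stuffing: username/password pairs taken from other sites' breaches are replayed against a service, most fail, and the accounts where they succeed are the ones that must be locked and their owners notified. The following is an added example of how such a campaign is picked out of authentication logs; it is not Sony's code or AFP's, the log format and thresholds are assumptions of the example, and the log lines are constructed. The telling signature is one source trying many different accounts with a high failure rate, which is distinct from a single user mistyping a password (one account, a few attempts).

```python
"""Flag credential-stuffing activity in authentication logs (added example, constructed data).

A stuffing campaign replays username/password pairs taken from other sites'
breaches: one source tries many *different* accounts, most attempts fail,
and the few that succeed are the accounts that must be locked. A legitimate
user mistyping a password looks different: one account, a few attempts.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log, one event per line (format assumed for this example):
#   <ISO-8601 time> <source IP> <account> <LOGIN_OK|LOGIN_FAIL>
SAMPLE_LOG = """\
2011-10-07T02:00:01Z 203.0.113.7 alice LOGIN_FAIL
2011-10-07T02:00:02Z 203.0.113.7 bob LOGIN_FAIL
2011-10-07T02:00:02Z 203.0.113.7 carol LOGIN_OK
2011-10-07T02:00:03Z 203.0.113.7 dave LOGIN_FAIL
2011-10-07T02:00:03Z 203.0.113.7 erin LOGIN_FAIL
2011-10-07T02:00:04Z 203.0.113.7 frank LOGIN_OK
2011-10-07T02:00:04Z 203.0.113.7 grace LOGIN_FAIL
2011-10-07T02:00:05Z 203.0.113.7 heidi LOGIN_FAIL
2011-10-07T09:15:00Z 198.51.100.20 ivan LOGIN_FAIL
2011-10-07T09:15:30Z 198.51.100.20 ivan LOGIN_FAIL
2011-10-07T09:16:00Z 198.51.100.20 ivan LOGIN_OK
2011-10-07T12:00:00Z 192.0.2.33 judy LOGIN_OK
this line is malformed and is skipped
"""

# Assumed thresholds; tune to the service's real traffic.
MIN_DISTINCT_ACCOUNTS = 5   # one source trying at least this many different accounts
MIN_FAILURE_RATE = 0.5      # and failing at least half the time (recycled lists mostly miss)


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    accounts: set = field(default_factory=set)   # every account this source tried
    succeeded: set = field(default_factory=set)  # accounts where a password matched

    @property
    def failure_rate(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def parse_line(line: str):
    """Return (ip, account, success) or None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 4 or parts[3] not in ("LOGIN_OK", "LOGIN_FAIL"):
        return None
    _ts, ip, account, result = parts
    return ip, account, result == "LOGIN_OK"


def collect(log_text: str) -> dict:
    """Aggregate attempts per source IP."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, account, ok = parsed
        s = stats[ip]
        s.attempts += 1
        s.accounts.add(account)
        if ok:
            s.succeeded.add(account)
        else:
            s.failures += 1
    return stats


def detect_stuffing(log_text: str,
                    min_accounts: int = MIN_DISTINCT_ACCOUNTS,
                    min_failure_rate: float = MIN_FAILURE_RATE):
    """Return (flagged sources, accounts whose valid credentials were confirmed by a flagged source)."""
    stats = collect(log_text)
    flagged = {ip: s for ip, s in stats.items()
               if len(s.accounts) >= min_accounts and s.failure_rate >= min_failure_rate}
    to_lock = set()
    for s in flagged.values():
        to_lock |= s.succeeded
    return flagged, to_lock


if __name__ == "__main__":
    flagged, to_lock = detect_stuffing(SAMPLE_LOG)
    for ip, s in flagged.items():
        print(f"{ip}: {len(s.accounts)} accounts tried, failure rate {s.failure_rate:.2f}")
    print("lock and notify:", sorted(to_lock))
```

Real campaigns spread attempts across many source addresses, so the same per-source aggregation is usually run per address block, per ASN or per client fingerprint as well; the lock set is the same idea either way: accounts whose password a flagged source got right.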

ONLINE PRIVACY—U.S.

“Data Eye in the Sky” Plan Raises Concerns (October 12, 2011)

Some researchers have come to believe that "the vast resources of the Internet--Web searches and Twitter messages, Facebook and blog posts, the digital location trails generated by billions of cell phones" could be used "to predict political crises, revolutions and other forms of social and economic instability." Based on that, The New York Times reports that the federal government is becoming interested in a program that could create a "data eye in the sky." The experiment, which is being financed by the Intelligence Advanced Research Projects Activity, would use an automated data collection system to gather publicly available data, but privacy advocates and some social scientists "are deeply skeptical of the project," the report states. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY—U.S.

FTC Chairman Shares Privacy Concerns (October 12, 2011)

Speaking at an online privacy event Tuesday, Federal Trade Commission (FTC) Chairman Jon Leibowitz said he shares "general privacy concerns" that have been expressed by lawmakers who have called on the FTC to investigate Facebook's online tracking practices, reports The Hill. Leibowitz pointed out that the FTC does not confirm investigations unless the subject of the inquiry discloses it first. Facebook has said that it does not track people, create browsing history profiles or sell such information to advertisers. Leibowitz also implied that the FTC may consider an investigation of supercookies, according to the report. 
Full Story

PRIVACY LAW—U.S.

Company Agrees To Settle FTC Charges (October 11, 2011)
A peer-to-peer file-sharing application developer has agreed to settle Federal Trade Commission (FTC) charges that it caused consumers to "unwittingly expose sensitive personal files stored on their mobile devices" and "misled consumers about which downloaded files from their desktop and laptop computers would be shared," according to an FTC press release. Under the settlement, Frostwire LLC is barred from "using default settings that share consumers' files" and is required to "provide free upgrades to correct the unintended sharing." The settlement also bars Frostwire from "making material misrepresentations about the file-sharing behavior of their applications."

TRAVELERS’ PRIVACY—CHINA

Engineer: Transport Cards Reveal Travel History (October 11, 2011)

A Beijing engineer says that public transportation cards are capable of serving as a tracking mechanism, China Daily reports. By entering a card's 17-digit code into the Beijing Municipal Administration and Communication Card Co's website, an individual can see where a passenger has traveled, which software engineer Li Teijun says violates travelers' privacy, "may undermine public safety" and could be used for nefarious purposes. "The database may also be an easy target for hackers," he says. A spokesperson from the administration says the cards--45 million of which are currently in use in Beijing--are not connected to real names, which negates privacy concerns.
Full Story

ONLINE PRIVACY—EU

Hustinx: Net Neutrality Must Include Privacy (October 11, 2011)

V3.co.uk reports that European Data Protection Supervisor Peter Hustinx has urged the European Commission (EC) to include users' confidentiality in any policy discussions dealing with net neutrality. Hustinx has also asked the EC to work with stakeholders to create guidance on implementation of data protection laws in any ISP monitoring. "By looking into users' Internet communications," Hustinx said, "ISPs may breach the existing rules on the confidentiality of communications, which is a fundamental right that must be carefully preserved...A serious policy debate on net neutrality must make sure that users' confidentiality of communications is effectively protected."  
Full Story

BIOMETRICS—UK

Committee: Bill May Infringe on Privacy (October 11, 2011)

A human rights committee in Parliament says that a bill designed to reform the government's retention of data in its DNA database may infringe on individuals' right to privacy, ZDNet reports. In a summary that reviewed the Protection of Freedoms Bill, the committee said it is concerned with three main components regarding biometric data: the bill's proportionality, a mechanism that would retain suspects' biometric information and the prospect that the bill would create a "catch all" data retention system. The committee also commented on sections of the bill that deal with parental consent for the collection of children's biometric data as well as a CCTV surveillance code.
Full Story

BEHAVIORAL TARGETING—U.S.

OBA Scrutinized (October 11, 2011)

Reps. Ed Markey (D-MA) and Joe Barton (R-TX) have sent a letter to the heads of Verizon and Verizon Wireless asking them to clarify how users' personal information will be disclosed to third parties in their new geotargeting ad campaign, ClickZ reports. Markey said, "As a longstanding advocate for clear, easy-to-use opt-in policies for sharing and disclosure of consumers' personal information, I am concerned that Verizon's new plan will put third parties in control of the sensitive information of its customers--especially their location." Meanwhile, the National Advertising Review Council has published procedures for the Online Interest-Based Advertising Accountability Program, and Federal Trade Commission Chairman Jon Leibowitz is among those speaking today about the implications of online tracking at the National Press Club.
Full Story

PRIVACY LAW—U.S.

High Court To Hear Plenty on Privacy (October 11, 2011)

CNET News reports that the U.S. Supreme Court has no shortage of privacy-related cases on its docket as it starts its fall term. Many of the cases involve the use of GPS devices, as in the case of Antoine Jones, whose appeal is based on the argument that Washington, DC, police should have obtained a warrant before using GPS technology to track his vehicle on suspicion he was selling illegal drugs. Another case will examine whether police had the right to search an arrested suspect's cell phone contents without a warrant. Yet another will examine whether a pilot's Privacy Act rights were violated when his medical data was shared among government agencies.
Full Story

DATA PROTECTION—U.S.

Report: Gov’t Agencies Lack Effective Frameworks (October 11, 2011)

A government watchdog agency has said that the Department of Homeland Security (DHS) "does not adequately review the privacy and effectiveness of data-mining systems it uses in counterterrorism efforts," reports InformationWeek. The Government Accountability Office (GAO) determined that personal privacy may be at risk after it evaluated six systems at DHS and three of its component agencies: Customs and Border Protection, Immigration and Customs Enforcement and Citizenship and Immigration Services. None of the agencies had an effective oversight framework or "performed all of the key activities associated with an effective evaluation framework," the GAO states in its report.
Full Story

STUDENT PRIVACY—U.S.

DoE Focused on Protecting Schools’ Data (October 7, 2011)
SC Magazine reports on efforts by the Department of Education (DoE) to safeguard the privacy of approximately 55 million students as tens of thousands of schools hold such information as their names, addresses, Social Security numbers, health data, staff notes, discipline records and academic standing. The DoE's new CPO, Kathleen Styles, who leads the Privacy Information and Records Management Services division, points out that the focus on privacy is needed amidst an "explosion of information about students" and the digitization of student data, adding, "The challenge is how to use that information to improve education and increase accountability, while still preserving privacy protections for our children."

HEALTHCARE PRIVACY—U.S.

ONC Addressing e-Consent Issue (October 7, 2011)

In order to support its e-Consent initiative, the Office of the National Coordinator for Health Information Technology's Office of the Chief Privacy Officer has awarded a $1.2 million contract to software developer APP Design, InformationWeek reports. According to the contract, the developer must create ways to "educate and inform" patients of their electronic health data sharing options in the clinical arena, and a vendor must help patients grasp the consequences of their choices. One healthcare expert said, "e-Consent is an extremely important, yet difficult, effort...Patient data can be used in a multitude of ways across the continuum of care." Meanwhile, Health Data Management reports that the industry will continue to see an "increased emphasis" on the privacy and security of health data.  
Full Story

CONSUMER PRIVACY—U.S.

FTC Reminds Customers of Opt-Out Option (October 7, 2011)

The Federal Trade Commission is reminding Borders Group customers that they have until October 15 to decide what they want done with their personal information. Customers have the option to opt out of Barnes and Noble's acquisition of the bankrupt company's customer data, which includes contact information and purchase history. Customers have received an e-mail from Barnes and Noble on how to opt out of the data sharing. Information is also posted on both companies' websites. Editor's Note: The IAPP recently hosted a Web conference on "Privacy Due Diligence in Merger and Acquisition Negotiations," available for purchase through our website.
Full Story

PERSONAL PRIVACY

Cavoukian: Web Users Must Have Freedom To Choose Privacy (October 7, 2011)

In a letter to the editor in The Wall Street Journal, Ontario Information and Privacy Commissioner Ann Cavoukian writes that reviewers of a new book by Jeff Jarvis, Public Parts: How Sharing in the Digital Age Improves the Way We Work and Live, have been "seduced by the virtues of 'publicness'" and "generally fail to give appropriate weight to his contrasting observations about the importance of retaining control over one's personal information." Cavoukian writes, "The decision whether or not to share--indeed, the very ability to control that which is shared--must lie with the individual." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—IRELAND

Opinion: Audits Will Require Appropriate Staffing (October 7, 2011)

The Irish data protection office will conduct a privacy audit of Facebook, internationally headquartered in Ireland, a task likely to extend to other companies within the country, opines Karlin Lillington for The Irish Times. Because of this, Ireland should staff the commissioner's office appropriately, Lillington writes, adding the office "will need to decide where the balance lies between the fact that a social network is predicated on the notion that people choose to share personal information and a reasonable expectation of how that information could be used." Lillington notes that if Ireland "wants such companies here," it must consider such issues.
Full Story

PERSONAL PRIVACY

Opinion: iPhone Technology To Change Lives (October 7, 2011)

New iPhone plans will bring highly sophisticated facial recognition technology to millions of users, reports Kit Eaton for Fast Company. The technology would allow automatic identification of photo subjects and authorization of online payments, and could potentially perform lip reading. But Eaton wonders whether iPhone manufacturer Apple will also use the technologies for advertising efforts. "The ubiquitous use of face IDs and deep integration of social networking into iOS 5 will be bound to cause hand-wringing about the erosion of personal privacy," Eaton writes.
Full Story

PRIVACY LAW—U.S.

Hearing Focuses on Proposed COPPA Changes (October 6, 2011)
Lawmakers at yesterday's subcommittee hearing on proposed changes to the Children's Online Privacy Protection Act (COPPA) rule weren't shy about identifying their stake in the outcome: their children and grandchildren are growing up online. The Federal Trade Commission began a review of COPPA last year and will accept comments until November 28. This Daily Dashboard exclusive features comments from lawmakers and experts at the hearing who agree that COPPA has been essential in protecting children's online safety since its inception in 1998 but have concerns about the proposed changes' potential impact on industry, the feasibility of eliminating the "e-mail plus" method of parental consent and how to protect children over the age of 13.

TRAVELERS’ PRIVACY—U.S. & EU

DHS Defends Draft Sharing Agreement (October 6, 2011)

The U.S. Department of Homeland Security (DHS) is defending a draft airline passenger data sharing agreement with the EU, saying that such data has prevented terrorist threats, AFP reports. Members of the European Parliament could veto the agreement and have expressed concern that a 15-year data retention period is too long and doubt that the system would prevent terror plots. Testifying in front of a congressional subcommittee, DHS Chief Privacy Officer Mary Ellen Callahan, CIPP, cited three audits that she said prove data had not been abused by authorities and argued that the department's powers are not "disproportionate." Callahan rejected suggestions that only criminal data should be collected, adding, "We don't know who all the bad guys are. We have unknown terrorists out there."
Full Story

DATA LOSS—U.S.

Stanford Breach Was Series of Missteps (October 6, 2011)

The New York Times reports on the causes of last month's Stanford Hospital data breach and how a "series of missteps" often leads to major data breaches. One of the individuals responsible for the incident attributed the breach to "a chain of mistakes which are far too easy to make when handling electronic data." Representatives from the U.S. Department of Health and Human Services (HHS) have said that HITECH's breach reporting requirements show flaws in organizations but encourage "renewed vigilance." The HHS Office for Civil Rights' new director, Leon Rodriguez, said, "Are there still a lot of problems out there? Yeah, my sense is there are still a lot of problems." Meanwhile, Corporate Counsel reports on handling a data breach notification. (Registration may be required to access this story.)
Full Story

PERSONAL PRIVACY—U.S.

DVS Database Profile Accessed 400 Times (October 6, 2011)

Authorities in Minnesota are investigating why a woman's Driver and Vehicle Services' (DVS) profile was accessed by law enforcement authorities approximately 400 times, Fox 9 News reports. An audit of the state's DVS division uncovered the potential breach, prompting 18 law enforcement agencies--including the FBI--to investigate. The system is used by police officers to check the backgrounds of individuals during a traffic stop, but authorities need a reason to access a profile. A representative from the Department of Public Safety said, "We do not know why this data was accessed...Our audit revealed a pattern that showed this individual's driver's license data was accessed more often than usual." 
Full Story

FINANCIAL PRIVACY

Expert: Many Complacent on PCI DSS Compliance (October 6, 2011)

In an interview with BankInfoSecurity.com, Verizon PCI Consulting Services Director Jen Mack says that many organizations are still struggling with the Payment Card Industry Data Security Standard (PCI DSS). In its PCI Compliance Report, Verizon disclosed results of a study of 100 organizations--ranging from Fortune 500s to small businesses--showing that many are complacent about security. "Many take the approach that it's a compliance project versus trying to achieve what I think can be an optimal security posture for the long-term health of the business," says Mack. She also discusses how organizations maintain compliance; why many are complacent with security, and why cardholder data breaches should be a concern for the industry.
Full Story

PRIVACY

Pro Bono Privacy Initiative Brings Expertise to Nonprofits (October 6, 2011)

Amidst a growing need among nonprofits for expertise in the protection of personal information, privacy professionals have come together to form the Pro Bono Privacy Initiative, which is now in its pilot phase. In this Daily Dashboard exclusive, pilot volunteers--who hail from such well-known firms and companies as Baker & McKenzie, Hogan Lovells, Hunton & Williams, Deloitte, Intuit, Verizon and IBM--discuss their hope for this new program. As IBM VP Security Counsel and Chief Privacy Officer Harriet Pearson, CIPP, puts it, "The true sign of a mature profession is when people step back and give back."   
Full Story

DATA PROTECTION—U.S.

Researcher: Don’t Be Hasty With Data Collection (October 6, 2011)

A researcher from the University of New South Wales has published a paper warning businesses and academics about the dangers of big data collection, MIT Technology Review reports. Combining data from different sources can lead to unexpected results for those involved, according to Kate Crawford, as researchers have shown that it is possible to identify data subjects by combining data said to be anonymous. Carnegie Mellon researcher Alessandro Acquisti says, "handling big data sets takes almost impossible care," and Microsoft Research New England recently cancelled a contest for researchers after realizing the extent to which the data was identifying subjects. Crawford says researchers should "slow down and think about the methods they use," the report states.
Full Story
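
The re-identification Crawford refers to is usually a linkage attack: a release with names removed still carries fields (ZIP code, date of birth, sex) that also appear, with names, in some public list, and joining the two on those fields puts the name back. The following is an added example of that join and of the k-anonymity check a releasing party can run beforehand; it is not from the paper or the report, and both data sets, the field names and the generalization rule are constructed for the illustration.

```python
"""Re-identification by linking an "anonymized" release to a public list
(added example, constructed data).

The medical records carry no names, but the combination of ZIP code, date of
birth and sex is unique for some people, and a public list (here, a voter roll)
carries the same fields with names attached. Joining on those quasi-identifiers
puts the name back on the diagnosis.
"""
from collections import Counter, defaultdict

QUASI_IDENTIFIERS = ("zip", "dob", "sex")

# Constructed "anonymized" release: names removed, quasi-identifiers kept.
MEDICAL = [
    {"zip": "02138", "dob": "1965-07-21", "sex": "F", "diagnosis": "asthma"},
    {"zip": "02138", "dob": "1982-01-02", "sex": "M", "diagnosis": "diabetes"},
    {"zip": "02139", "dob": "1982-01-02", "sex": "M", "diagnosis": "hypertension"},
    {"zip": "02139", "dob": "1982-01-02", "sex": "M", "diagnosis": "migraine"},
]

# Constructed public list with names.
VOTERS = [
    {"name": "A. Example", "zip": "02138", "dob": "1965-07-21", "sex": "F"},
    {"name": "B. Example", "zip": "02138", "dob": "1982-01-02", "sex": "M"},
    {"name": "C. Example", "zip": "02139", "dob": "1982-01-02", "sex": "M"},
    {"name": "D. Example", "zip": "02139", "dob": "1982-01-02", "sex": "M"},
]


def qi_key(record):
    """The quasi-identifier tuple the two data sets share."""
    return tuple(record[f] for f in QUASI_IDENTIFIERS)


def link(released, public):
    """Return (reidentified, ambiguous): released-record index -> name where the
    join hits exactly one person, and indices that matched several people."""
    by_key = defaultdict(list)
    for p in public:
        by_key[qi_key(p)].append(p["name"])
    reidentified, ambiguous = {}, []
    for i, r in enumerate(released):
        names = by_key.get(qi_key(r), [])
        if len(names) == 1:
            reidentified[i] = names[0]
        elif names:
            ambiguous.append(i)
    return reidentified, ambiguous


def k_anonymity(records):
    """Size of the smallest group sharing one quasi-identifier tuple; k == 1 means
    at least one record is unique and can be linked."""
    return min(Counter(qi_key(r) for r in records).values())


def generalize(record):
    """Coarsen the quasi-identifiers: 3-digit ZIP prefix and birth year only."""
    return {**record, "zip": record["zip"][:3], "dob": record["dob"][:4]}


if __name__ == "__main__":
    hits, _ = link(MEDICAL, VOTERS)
    for i, name in hits.items():
        print(f"{name}: {MEDICAL[i]['diagnosis']}")
    print("k before release:", k_anonymity(MEDICAL))
    coarse = [generalize(r) for r in MEDICAL]
    print("k after generalization:", k_anonymity(coarse))
    print("still re-identified:", link(coarse, [generalize(v) for v in VOTERS])[0])
```

The second half of the run is the practitioner's point: coarsening the fields is not enough on its own. The generalized release still has a group of size one, so the first record links to a single name exactly as before. A release should be checked for the smallest group size (and records in groups below the chosen k suppressed or further generalized) before it leaves the building, and that check has to consider every public data set the release could plausibly be joined with.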

Subcommittee Hosts Proposed COPPA Changes Debate (October 6, 2011)


By Angelique Carson, CIPP

Lawmakers at yesterday’s subcommittee hearing on proposed changes to the Children’s Online Privacy Protection Act (COPPA) rule weren’t shy about identifying their stake in the final outcome: their children and grandchildren are growing up online.

Six witnesses testified at The House Subcommittee on Commerce, Manufacturing and Trade hearing, “Protecting Children’s Privacy in an Electronic World,” which focused on whether COPPA’s age threshold should be raised, if Congress should revisit COPPA given advances in technology and whether proposals to expand COPPA’s definition of personal information are sufficient.

Lawmakers and industry advocates agreed that COPPA has been effective since its inception in 1998 and is necessary to protect children online. But some voiced concerns about the potential impact new rules may have on small businesses and the economy, the technical implementation of proposed changes--including new consent requirements--and what should be done to protect older children.

COPPA requires websites and online services to obtain parental consent before collecting personal information from children under 13. The Federal Trade Commission (FTC) initiated a review of the rule last year.

The proposed changes include updating COPPA’s definition of personal information to address concerns including geolocation information and identifiers such as online cookies. The changes would also revise parental consent requirements; clarify the direct notice operators must give parents prior to collecting children's personal information; provide for new methods of obtaining parental consent, including electronic scans of parent signatures and videoconferencing, and strengthen rules on third-party security provisions as well as on FTC oversight of self-regulatory “Safe Harbor” programs.

In her opening remarks, Chairwoman Mary Bono Mack (R-CA) advised parents to take a hands-on approach with their children. “Talk to them often, and make them more self-aware,” she said.

Rep. Henry Waxman (D-CA) said COPPA has been a legislative success and has withstood the test of time.

“One of the reasons for its success is that it was written to be flexible. It gives the FTC the authority and discretion to carry out several broad mandates,” he said. “The updates to the COPPA rule proposed by the FTC are appropriate, reasonable, well thought-out and true to the intent of the law.”

Rep. Ed Markey (D-MA), who has proposed legislation aimed at protecting...

PRIVACY LAW—U.S.

Advocate Criticizes Bookseller Notice (October 5, 2011)
The Wall Street Journal reports on accusations by consumer privacy advocate Michael St. Patrick Baxter that an e-mail from Barnes & Noble to former Borders customers regarding their personal information "read more like a generous corporate gesture than a court-ordered disclosure." Meanwhile, Sen. Richard Blumenthal (D-CT) is among those calling for stronger consumer privacy restrictions in the wake of the sale of Borders' customer lists. "It was clear to the ombudsman that a robust and meaningful opt-out was critical to reaching the negotiated privacy-related terms of the sale," Baxter wrote, adding, "failure to provide such relevant and material information" may defeat the notice's purpose. "We believe the notice complies with all applicable requirements of the sale order," Barnes & Noble attorneys responded. (Registration may be required to access this story.)

FINANCIAL PRIVACY—EU

Article 29 Working Party Submits TFTS Dissent (October 5, 2011)

In a press release dated October 3, the Article 29 Data Protection Working Party has announced that it is "not convinced" that the proposed Terrorist Finance Tracking System (TFTS) is needed. The Working Party has sent a letter to European Commissioner Cecilia Malmström calling for evidence that the TFTS is necessary and proportional. "The Data Protection Authorities make clear that the mere added value of the information to be gained from the system is not sufficient," the release states. The commission has not yet presented a detailed TFTS proposal but will complete an impact assessment on possible options before submitting a finalized proposal.     

PRIVACY LAW—U.S.

Hearing Discusses Proposed COPPA Changes (October 5, 2011)

The Subcommittee on Commerce, Manufacturing and Trade held a hearing on the FTC's proposed amendments to its Children's Online Privacy Protection Act (COPPA) rule today. The changes include updating the definition of personal information to include geolocation and identifiers such as online cookies and revising parental consent requirements. Six witnesses testified at the "Protecting Children's Privacy in an Electronic World" hearing, including privacy expert Hemanshu Nigam, who commended COPPA's role in providing clear parameters for businesses since its inception in 1998 but warned against changes to it that could adversely affect the online marketplace. Subcommittee Chairwoman Mary Bono Mack (R-CA) stressed the importance of parental involvement, urging parents to make kids more aware of their own online privacy, and Rep. Henry Waxman (D-CA) said, "It is possible to provide legislation without killing innovation on the Internet." A public comment period on the COPPA rule ends November 28. Editor's Note: The IAPP will host the Web conference, COPPA Review--Fall 2011, on Thursday, October 27, at 1 p.m. EDT.

PRIVACY LAW—CANADA

BC Legislation Proposes Sweeping Changes (October 5, 2011)

Lawmakers in British Columbia have proposed legislation that would make "significant changes" to its Freedom of Information and Protection of Privacy Act, The Victoria Times Colonist reports. The proposed changes would allow the province to issue CareCard-driver's licenses with a microchip giving citizens access to government services such as electronic health records, voting and school registrations, according to the report. The legislation also includes an opt-out for citizens. One critic warned, "The whole idea of consenting to government services in exchange for your privacy is absurd on its face," while British Columbia Privacy Commissioner Elizabeth Denham said, "This is a step in the right direction, but I think there's still a lot of work to do."

DATA PROTECTION—EU

Kroes Discusses Privacy, Do-Not-Track Challenge (October 5, 2011)

Speaking at a Lisbon Council event in Brussels yesterday, European Union Digital Agenda Chief Neelie Kroes said trust and privacy are essential to the expansion of Europe's digital economy. Kroes said three principles are needed to quell users' concerns about online privacy--transparency, fairness and control. Kroes added that a citizen's right to privacy must not be sacrificed to economic interests, "but we can also not afford to damage legitimate economic interests by insisting on too inflexible or cumbersome implementations of privacy rules and the paternalistic attitude towards citizens they embody." Kroes mentioned her challenge to the web industry to agree to a do-not-track technology by June of 2012.

DATA PROTECTION

Experts Offer Advice on Legacy IT Systems (October 5, 2011)

Though businesses rolling out new IT systems or collecting new data on their customers are increasingly privacy-conscious, the same is not true for legacy systems, reports Computerworld Canada. Experts including Ontario Privacy Commissioner Ann Cavoukian and Sagi Leizerov, CIPP, of Ernst & Young, offer advice on how to address the most pressing issues when it comes to such systems, including advising IT staff that more is not better when it comes to data collection, taking stock of "which systems your sensitive information is passing through...evaluating and improving upon the password policy settings in custom apps" and looking at any "unrestricted mass data storages and share folders."

PERSONAL PRIVACY—UK

Phone Manufacturer To Fix Security Flaw (October 5, 2011)

Android phone manufacturer HTC says it will soon release an update to fix a flaw that could expose users' GPS locations and call logs to "a malicious third-party application," BBC News reports. The announcement comes after Android Police, a blog focused on Android phones, discovered a security loophole. "HTC is working very diligently to quickly release a security update that will resolve the issue on affected devices," said a company spokesperson, adding that no customers have thus far reportedly been affected. The blogger who discovered the flaw has raised concerns about the amount of personal data stored in one file.  

PERSONAL PRIVACY

Opinion: Privacy? Fuhgettaboutit. Enter Extreme Transparency (October 5, 2011)

In the BBC News Magazine, an advertising consultant and founder of an Internet start up proposes that we forget about privacy and, instead, focus on image. "The new reality that all of us live in today, personally and professionally, is one of complete transparency," says Cindy Gallop, who goes on to propose "a very simple solution" for individuals and companies--"identify exactly who you are...what you stand for, what you believe in, what you value...and if you then only ever behave, act and communicate in a way that is true to you, then you never have to worry about where anybody comes across you or what you're found doing."   

Pro Bono Privacy Initiative Pilot Gets Underway (October 5, 2011)

By Jennifer L. Saunders, CIPP

Amidst growing needs across disciplines and organizations for expertise in the protection of personal information, several privacy professionals, attorneys and other experts have begun working together on the Pro Bono Privacy Initiative, which aims to help nonprofits ensure they are using personal information responsibly while also providing privacy professionals with the opportunity to give back to their communities by sharing their expertise.

Those efforts have now reached the pilot program stage, with privacy pros working hand-in-hand with nonprofits to share best privacy practices. Pilot volunteers include Baker & McKenzie, HoganLovells, Hunton & Williams, Deloitte, Intuit, Verizon and IBM.

As IBM VP Security Counsel and Chief Privacy Officer Harriet Pearson, CIPP, explains, most nonprofit organizations do not have that level of in-house privacy expertise, and with 1.4 million nonprofits in the U.S. alone, “it is a matter of public interest” to ensure they are able to properly handle and protect personal information.

“There’s a real need for people with our expertise to address these issues,” Pearson notes, adding the initiative can provide that opportunity for privacy professionals “to advise nonprofits as to the responsible and pragmatic practices they should consider and follow to protect individual privacy and data security.”

The aim of the initiative is for companies, law firms and consultants--with the assistance of the IAPP--to provide pro bono privacy and data protection services to nonprofits.

As detailed in the concept design for the new initiative, “The number of privacy and data protection professionals has grown considerably in the past decade. Most of these individuals devote their energies to helping their employers or clients in the for-profit and governmental sectors to navigate the increasingly complex web of privacy-related requirements and public expectations in an informed and disciplined way. And many of them continue building their expertise and professional stature by belonging to the leading professional society for this quickly evolving discipline, the International Association of Privacy Professionals. As this is a relatively young profession, there has not yet emerged the tradition of service in the public interest that exists in other professions; e.g., medicine and law.”

The initiative’s launch committee began meeting in July and the pilot phase of the Pro Bono Privacy Initiative was...

PRIVACY LAW

Court: U.S. ECPA Covers Noncitizens (October 4, 2011)
A federal court has ruled that individuals who are not citizens of the U.S. are covered under the protections provided by the Electronic Communications Privacy Act (ECPA), Courthouse News reports. An India-based company wants Microsoft to disclose the e-mails of an individual accused of fraud in Australia, but the 9th Circuit Court has ruled that the defendant's e-mail account is protected under ECPA. One judge wrote that "this case ultimately turns on the plain language of the relevant statute" and the "plain language" is the term "any person." Meanwhile, the U.S. Supreme Court will not review a California Supreme Court case that upheld law enforcement's right to search suspects' cell phones without a warrant. Editor's note: The IAPP will host the Web conference How to Craft Plain Language Privacy Notices on Thursday at 1 p.m. ET.

PRIVACY LAW—U.S.

Man Files Suit Over Logout Tracking (October 4, 2011)

A man has filed a lawsuit seeking class-action status following an Australian technologist's assertion last week that the world's largest social networking site has been using cookies to track users even after they've logged out, CNET News reports. Perrin Aikins Davis of Illinois filed the suit against Facebook seeking unspecified damages and asking the court to "block the tracking based on alleged violations of federal wiretapping, computer fraud and abuse laws." Facebook says it will fight the complaint "vigorously." Ten advocacy groups and two U.S. representatives have called on the Federal Trade Commission to investigate the site over the use of post-logout cookies and its sharing practices.   

PRIVACY LAW—U.S.

Law To Protect Reader Privacy Signed (October 4, 2011)

California's Reader Privacy Act of 2011 was signed into law this week, PC Magazine reports, and will include e-books. The law, effective January 1, will require government agencies and other third parties to obtain a search warrant or court order to access customer records from bookstores or online retailers. The bill's sponsor, Sen. Leland Yee (D-San Francisco), said, "California law was completely inadequate when it came to protecting one's privacy for book purchases, especially for online shopping and electronic books. Individuals should be free to buy books without fear of government intrusion and witch hunts." A columnist for ReadWriteWeb writes, however, that the law doesn't go far enough. 

HEALTHCARE PRIVACY—U.S.

Stanford Sued, Three Hospitals Suffer Breaches (October 4, 2011)

A law firm has filed a class-action suit against a hospital and its collections service following a data breach. Keller Grover has been investigating since Stanford Hospital & Clinics and Multi-Specialty Collection Services announced in September that 20,000 patients' records had been breached. The exposed information--posted on a public website for a year before being removed--included patient names, diagnostic codes and billing amounts. Stanford Hospital and Clinics said in a statement that it "intends to vigorously defend the lawsuit." Meanwhile, the personal information--including Social Security numbers--of 500 First Priority life insurance policyholders has been reported stolen, and a Florida hospital has admitted to breaches involving 2,000 emergency room patients.  

HEALTHCARE PRIVACY—U.S.

New OCR Director Shares Enforcement Agenda (October 4, 2011)

HealthcareInfoSecurity interviews the new director of the Department of Health and Human Services' Office for Civil Rights (OCR). In addition to highlighting his belief that "enforcement promotes compliance," Leon Rodriguez also points out that education will help reinforce it. "It's going to be important for us to make sure that we do everything we can to assist those covered entities that want to understand what the rules are," Rodriguez says, "So we're going to be focused on outreach and education no less than on enforcement." Additionally, the OCR will continue ramped-up HIPAA enforcement and plans to conduct 150 audits by the end of 2012 through its new HIPAA compliance audit program. Editor's Note: For more on the HIPAA audit program, the archived IAPP Web conference, The Upcoming OCR HIPAA Audit Program: What To Expect and How To Prepare, is available for purchase on our website.

SSN PRIVACY—U.S.

Financial Analyst Fined, Jailed for Data Breach (October 4, 2011)

A former senior financial analyst for a home loan firm has been sentenced to eight months in prison, fined $1.2 million in restitution and restricted from future access to consumer data for his actions related to a data breach in 2008, Infosec Island reports. Rene Rebello was arrested in 2008 after investigators found that he had accessed, processed and sold the financial information of approximately 2.5 million Countrywide Home Loan customers. Rebello admitted that in nearly 50,000 instances, individuals' Social Security numbers were revealed. The former employee pled guilty to violating 42 U.S. Code 408 (a)(8) for illegally disclosing the Social Security numbers.  

SOCIAL NETWORKING—U.S.

Sparapani Leaves Facebook (October 4, 2011)

Facebook's Washington-based director of public policy, Tim Sparapani, is leaving the company to "pursue new opportunities," Politico reports. Company spokesman Andrew Noyes said Sparapani "has made a lasting impact by helping build our DC team and policy portfolio. We are sad to see him go...and we wish him well." Sparapani joined the company in March 2009 and was, until recently, one of only two Facebook employees based in Washington, DC. Last month, the company announced the hiring of a privacy lawyer and a public policy expert for its Connecticut Ave. address.

SOCIAL NETWORKING—U.S. & AUSTRALIA

Reps, Groups Call for FTC Investigation (October 3, 2011)
USA Today reports that 10 consumer and privacy groups and two U.S. representatives have called on the Federal Trade Commission (FTC) to investigate Facebook's new sharing mechanisms. Groups including the Electronic Privacy Information Center and the American Civil Liberties Union (ACLU) and Reps. Ed Markey (D-MA) and Joe Barton (R-TX) want the FTC to investigate Facebook's new features including Timeline, which automates user sharing processes and, according to an ACLU spokesman, taps "deeper into user data amassed by the company," the report states. Meanwhile, Australian Privacy Commissioner Timothy Pilgrim says he will not investigate the site following an unrelated privacy matter.

ONLINE PRIVACY—U.S.

Experts Warn Against Potential Yahoo Changeover (October 3, 2011)

Privacy advocates say "the possibility of Yahoo falling under Chinese control raises significant privacy risks," Financial Times reports. Jack Ma, the founder of Chinese Internet group Alibaba, has indicated his interest in acquiring the company and has a right of refusal to buy back his 40-percent stake should it be sold. Jeff Chester of the Center for Digital Democracy says, "Lawmakers should oppose a deal where the data of Americans come under the control of a foreign company with links to the Chinese government," while Alibaba has said, "We've demonstrated consistently that we follow the laws in the countries in which we do business." (Registration may be required to access this story.)

PERSONAL PRIVACY—INDIA

UIDAI Receives Breach of Privacy Complaint (October 3, 2011)

The Unique Identification Authority of India (UIDAI) has received its first complaint pertaining to the misuse of personal information while assigning Aadhaar numbers to citizens, The Times of India reports. A spokesman for the UIDAI said that "a complaint regarding misuse of address proof was received," but no additional details about the complaint were provided. "The authority envisions a balance between privacy and purpose when it comes to the information it collects," the spokesman said. "The agencies may store the information of the residents they enroll if they are authorized to do so but will not have access to the information in the Aadhaar database."   

GENETIC PRIVACY—U.S.

State DNA Collection Legislation Moves Forward (October 3, 2011)

The Pennsylvania State Judiciary Committee unanimously passed legislation last week that would require the collection of DNA from suspects accused of serious crimes, reports the Associated Press. Currently, the state mandates that DNA be collected from individuals convicted of serious felonies, but the proposed law would collect DNA upon arrest and prior to conviction. Critics of the legislation fear that it infringes on an individual's privacy and burdens the taxpayer with excess costs. Sen. Daylin Leach (D-Montgomery County) said, "Privacy rights are very important...We should only take them away from people in clear circumstances." The legislation now goes to the full Senate for vote.  

ONLINE PRIVACY—U.S.

Jarvis: “Publicness” a Matter of Ethics, Not Regulation (October 3, 2011)

Journalism Prof. Jeff Jarvis's frank online postings about his prostate cancer and the at-times embarrassing side effects of treatment allowed him to receive support and advice from male readers who suffered the same disease, The Wall Street Journal reports. This is just one example of the kinds of benefits social media sites allow for, Jarvis says, arguing that government's attempt to regulate online privacy would be a "dire mistake." Instead, the onus should be on each individual to weigh the risks and rewards of sharing online. "When new technologies cause change and fear, government's reflex is to regulate them to protect the past," he notes. "But in doing so, they can also cut off the opportunities for the future." (Registration may be required to access this story.)

Privacy Dinner: A Night of Honors and Insights (October 1, 2011)
When it comes to privacy protection planning, Texas Comptroller Susan Combs may have summed it up best, telling a crowd of approximately 500 privacy professionals, “Never assume you’ve done enough…it’s always evolving.”