Privacy News | Daily Dashboard


Top Privacy News

DATA LOSS—NEW ZEALAND

Workers Fired for Privacy Breach (December 23, 2011)

Stuff.co.nz reports that five staff members from South Auckland Work and Income (WINZ) have been fired for illegally accessing information on family and friends. The organization said there were "many breaches," prompting a national investigation. WINZ head Janet Grossman said it is "vital New Zealanders have confidence in the integrity of our staff and the welfare system."

PRIVACY LAW—U.S.

Advocate Sues DHS Under FOI Act (December 23, 2011)

The Electronic Privacy Information Center (EPIC) has filed a lawsuit against the U.S. Department of Homeland Security (DHS) requesting all government communications relating to its online tracking program, reports NextGov. In February, DHS officials expanded a program to follow online forums, social networking sites and message boards and share information with outside contractors "when there could potentially be a risk of harm to an individual," said DHS officials. EPIC filed its lawsuit after the hacker group Anonymous exposed planning e-mails between HBGary and the DHS describing "project proposals for a private firm to monitor and discredit the online activities of Americans," the report states.
Full Story

DATA LOSS

POS Data Hacked, $3M in Fraudulent Charges (December 23, 2011)

Romanian hackers allegedly infiltrated the point-of-sale (POS) systems of hundreds of small businesses, including more than 150 Subway franchises, reports ArsTechnica. Accessing the credit card information of around 80,000 customers and racking up $3 million in fraudulent charges, the hackers reportedly gained access by "cracking" weak passwords. "This is the crime of the future," said Dave Marcus of McAfee Lab, "root them from across the planet and steal digitally." Another security expert said smaller retailers are not required to comply with PCI security standards, but the Subway franchisees were provided security and POS standards, and some "blatantly disregarded" them.
Full Story

HEALTHCARE PRIVACY—AUSTRALIA

Report Details Privacy Risks in E-Health Proposal (December 23, 2011)

The government has released a report on the privacy impact of the proposed electronic health record system, The Australian reports. The Health Department has accepted or supported in full 77 of the report's 112 recommendations in the privacy impact assessment, and two recommendations were rejected. The report suggests that demographic data such as a person's age, location and gender should be omitted, but the Health Department said such data allows healthcare providers to ensure that they are examining the right patient, the report states. The department says it will review data sets to ensure that "there is not superfluous demographic data being included in mandatory fields." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S. & EU

Kerry Discusses Bill, Self-Regulation (December 23, 2011)

In an interview with viEUws, Cameron Kerry, general counsel at the U.S. Department of Commerce, discusses net neutrality, the efficacy of safe harbor regimes and whether self-regulation is feasible when it comes to protecting consumer data. Kerry believes safe harbor frameworks have been successful in reducing frictions that exist in international data exchanges and says that self-regulation works because of the enforcement of agencies like the U.S. FTC. Kerry, who co-chairs the Subcommittee on Privacy and Internet Policy, says he'll soon announce a Consumer Bill of Rights. He told the Daily Dashboard in July that the bill of rights will be a "clear set of rules for the road...updated for today's environment. We also want to send a message to international partners that the Obama Administration and the United States want to lead on this issue, because international operability is very important to maintaining the free flow of information on the Internet and to maintaining global trade." Meanwhile, the Electronic Privacy Information Center is reporting that a document obtained by a European civil liberties group says the DoC is opposing efforts by the European Union to update its privacy law.
Full Story

DATA LOSS—U.S.

Experts React to U.S. Chamber of Commerce Breach (December 23, 2011)

The New York Times reports on hackers accessing the U.S. Chamber of Commerce's internal networks last year, calling the breach "in some ways, a twist of fate for the chamber" because it has been "one of the more vocal critics of cybersecurity legislation." The Federal Bureau of Investigation had alerted the chamber that servers in China were accessing its internal network last year, the report states, and the chamber has announced it has taken steps to improve security. "Businesses are already worried about the cyber theft of their internal trade secrets. Now they have to worry that the sensitive information they've shared with the chamber is compromised," one cybersecurity expert said. (Registration may be required to access this story.)
Full Story

DATA PROTECTION

APEC Announces New Members to CPEA (December 23, 2011)

In a press release, APEC has announced the addition of several new authorities to its Cross-border Privacy Enforcement Arrangement (CPEA). APEC launched the CPEA last year in an effort to boost regional cooperation on privacy enforcement. Fifteen Japanese agencies--including the Consumer Affairs Agency, the Cabinet Office, the National Police Agency and the Ministry of Foreign Affairs--have joined the CPEA's founding members. "The participation of privacy law enforcement authorities from Japan further strengthens APEC's cooperation arrangements to the benefit of consumers across the region," said Danièle Chatelois, chair of APEC's Data Privacy Subgroup.
Full Story

PRIVACY LAW—MEXICO

Final Version of Data Protection Law In Effect Today (December 22, 2011)

Mexico has released the final version of its Regulations of the Federal Law for the Protection of Personal Data Held by Private Parties, which includes minor changes to the prior draft, reports Hunton & Williams' Privacy and Information Security Law Blog. The final version includes "clarification of notice and consent requirements, changes to restrictions on cloud computing, updates to requirements regarding data transfers and clarifications regarding data subjects' rights," according to the report.

PRIVACY LAW—U.S.

UCLA Faces Suit After Breach (December 22, 2011)

A class-action lawsuit has been filed against the University of California at Los Angeles Health System after a theft of medical records and other personal information on nearly 16,000 patients, The National Law Journal reports. Filed on December 14, the suit alleges that the system violated California's Confidentiality of Medical Information Act by not protecting the patients' information and allows for $1,000 in damages to each patient per occurrence. The records included names, birth dates, addresses and medical record numbers. The health system has declined to comment on the case.
Full Story

DATA LOSS—U.S.

Hospital, School Experience Breaches (December 22, 2011)

The University of Mississippi Medical Center and the Mississippi Department of Health are notifying 1,400 patients involved in a study that their personal information was compromised when a laptop was stolen, reports Health Data Management. Two password-protected databases on the computer contained medical record numbers, ages, genders, zip codes, blinded test results and, in some cases, medical records. The university is taking disciplinary action against the employees responsible for leaving the laptop unsecured, citing their failure to follow security guidelines. Meanwhile, a New Jersey school district is investigating how a computer password was compromised, resulting in a security breach. Six students have been identified as possible participants in the breach, which may result in a criminal investigation.
Full Story

PRIVACY LAW—U.S.

FTC Finalizes Settlement with Online Advertiser (December 22, 2011)

The Federal Trade Commission (FTC) has accepted a final settlement with online advertiser ScanScout, which allegedly used deceptive methods to track customers. According to the FTC press release, the settlement "bars misrepresentations about the company's data collection practices and consumers' ability to control collection of the data." ScanScout must also be more transparent in its data collection practices and offer a "user-friendly" online tracking opt-out mechanism.
Full Story

ONLINE PRIVACY—U.S.

Franken Discusses Proposed Law, Consumer Rights (December 22, 2011)

In the midst of controversy involving CarrierIQ's data collection practices, The Verge interviews Sen. Al Franken (D-MN), whose inquiries increased attention to the matter. Franken, who also chairs the Subcommittee on Privacy, Technology and the Law, has introduced the Location Privacy Protection Act--which would require companies to get express consent before recording or sharing users' location data. He says that "the government has a role in protecting the fundamental rights of its citizens" and has seen "time and time again that companies aren't doing enough to protect consumers' sensitive data." The default for collecting any kind of personal data should be opt-in, Franken says.
Full Story

BIOMETRICS

Is a Facial Recognition Opt-Out Possible? (December 22, 2011)

Slate reports on recent advances in facial recognition and detection technology and the inherent difficulties involved when offering an opt-out for individuals in the physical world. Though facial recognition technology is not entirely sophisticated at this point, "critical questions" about personal privacy remain. The column asks, "At what point do people know they are being watched? Where can they find the privacy policy to learn what happens when they're on camera? How can they opt out if they're not comfortable with the technology?" Noting that these questions were discussed at a recent Federal Trade Commission roundtable by industry representatives, regulators and privacy advocates, the report suggests the answers and "suggestions were problematic and superficial."
Full Story

PRIVACY LAW—IRELAND

DPC Publishes Facebook Audit Findings (December 21, 2011)

Irish Data Protection Commissioner (DPC) Billy Hawkes has published the findings of the biggest investigation in the history of his agency--the three-month audit of Facebook Ireland. The DPC made several recommendations for "best-practice" improvements, which the company must make within the next six months, reports siliconrepublic.

PRIVACY LAW—ITALY

Spy Software: The Garante Starts An Investigation (December 21, 2011)

The Italian Data Protection Authority (the Garante) has opened an investigation following news reports about software, discovered by an American programmer, that is capable of tracing millions of mobile phones and users' text messages. The goal of the investigation is to take a closer look at the issue and to test the software in Italy. (Article in Italian.)
Full Story

PRIVACY LAW—GERMANY

DPAs Publish Social Networking Decision (December 21, 2011)

Bird & Bird reports on a decision published by the Düsseldorfer Kreis, an informal body of all German Data Protection Authorities (DPAs), regarding how Germany's data protection rules apply to social networks. In addition to applicability of the rules, the decision addresses such issues as "strict conditions for companies using fanpages and/or which include 'like-buttons' on their websites," the report states, noting the DPAs agree "such companies are themselves responsible if the operator of a social network collects user data in a noncompliant way." Referencing recent controversy about the use of such tools, the report notes the Düsseldorfer Kreis "has now expressly supported the view of the DPA in Schleswig-Holstein."
Full Story

PRIVACY LAW—AUSTRALIA

Authority Orders Telecom To Comply or Face Fines (December 21, 2011)

The Australian Communications and Media Authority (ACMA) has ordered Vodafone to comply with the telecommunications consumer protections code or face penalties as high as $250,000. An ACMA investigation found that the company had poor systems in place to protect customers' personal details ahead of its breach last January, reports The Sydney Morning Herald. A consumer advocacy group has criticized ACMA because it has not imposed fines or sanctions already. Vodafone's chief executive says the company has already addressed the issues.
Full Story

DATA PROTECTION

Breach Response, One Expert’s Team-Building Strategy (December 21, 2011)

In an interview with GovInfoSecurity, Brian Dean, CIPP/US, senior HIPAA and privacy consultant at SecureState, talks about setting up a breach response team--including the critical roles to put in place and how to make sure it's effective--before you need to use it. Dean says testing is the key to an effective plan; he recommends annual testing for the program and the team and making changes based on those findings. Dean also notes collaborating with peers and speaking with industry groups are crucial to ensure a successful program. "Proper planning will help garner the support needed to build a strong team, and if you position that correctly, the program will be seen as a corporate asset," says Dean.
Full Story

PRIVACY

Predictions on Privacy in 2012 (December 21, 2011)

Network World reports on various privacy predictions for 2012. Online privacy solution provider TRUSTe predicts that privacy will become a "hot job skill--companies will conclude that they need to hire people with in-depth privacy backgrounds to deal with increasingly complex privacy regulations, as well as emerging marketing programs like targeted advertising," the report states. TRUSTe also predicts that the U.S. Federal Trade Commission will become more aggressive in its enforcement actions against websites for privacy violations related to third-party tracking and that location-based technology will make headlines frequently for its innovative uses.
Full Story

ONLINE PRIVACY—UK

Opinion: Firms Should Begin To Demonstrate Cookie Compliance Efforts (December 21, 2011)

Websites would be wise to begin demonstrating efforts to comply with the EU's cookie directive, with enforcement set to begin in six months, opines Michael Barnett for MarketingWeek, noting few have done so. Information Commissioner Christopher Graham seems frustrated with the lack of progress, Barnett writes, citing the commissioner's warning last week in his half-term report that firms must do better. Indeed, few digital marketers "seem to be speaking with any confidence about what they plan to do. And those that have indicated progress remain secretive about what it looks like," Barnett writes, adding, however, that the commissioner should issue practical pointers on compliance.
Full Story

PRIVACY LAW

Claus Fined for Maintaining List on Children (December 20, 2011)

The Federal Trade Commission (FTC) has levied a record fine against Santa Claus for violating children's privacy, writes Jeff Jarvis in a satire for the Huffington Post. Claus reportedly maintains a database of naughtiness and niceness--tied to such personally identifiable information as children's names, addresses and ages, solicited online and shared with third parties in some cases.

PERSONAL PRIVACY—CANADA

Commissioner Releases Report on Smart Meters (December 20, 2011)

BC's Information and Privacy Commissioner has released an assessment of BC Hydro's smart meter program and determined that the corporation is not fully compliant with the Freedom of Information and Protection of Privacy Act, CBC News reports. "I think they thought their communication was sufficient and we found it was deficient," BC Commissioner Elizabeth Denham said. The commissioner launched an investigation last summer after receiving some 600 complaints about the corporation's plans to install 1.8 million smart meters. Denham made 14 recommendations for improvement, but says BC Hydro is taking adequate measures to protect customers and that it is compliant with the law when it comes to data collection, use, disclosure, protection and retention.
Full Story

PRIVACY LAW—INDIA

Gov’t Wants Exemptions Under Privacy Bill (December 20, 2011)

Live Mint reports on India's proposed right to privacy bill, aimed at protecting Indians against misuse of their personal information, interception of personal communications, unlawful surveillance and unwanted commercial communication. The home ministry, however, wants intelligence and investigation agencies to be exempted from provisions of the bill in the name of national security. A government official said, "We have come to know the home ministry's stand on the issue. But their view is against the basic framework of the proposed privacy law. It defies the entire purpose." 
Full Story

ONLINE PRIVACY

QR Codes Pose Potential Risks (December 20, 2011)

MSNBC reports on the increasing use of QR or "quick response" codes--puzzle-like square matrixes that populate ads and promotional posters to provide smartphone users with product details. Fifteen percent of consumers are using the codes, up from five percent last year. But experts say there are privacy risks involved, including the ability of the app maker to put in tracking systems and the potential for malware to be installed. "Unfortunately, this is a case of buyer beware," says malware researcher Tim Armstrong. "Being that this is a new territory, be suspicious of everything...users should always know what is being installed and when."
Full Story

HEALTHCARE PRIVACY—NEW ZEALAND

Shroff: Patients Should Be Able To Opt Out (December 20, 2011)

Stuff.co.nz reports on New Zealand's move toward electronic health records and the federal privacy commissioner's expectations on patient information sharing. "In New Zealand, we have very high levels of trust in our health professionals and everyone is working hard to keep it that way," Privacy Commissioner Marie Shroff said, adding e-health records will be successful only if patients and health providers are confident about privacy protections. Shroff also said the $38 million information sharing system must have privacy safeguards built in and that patients should be able to opt out of the sharing. "We can't afford to get it wrong," Shroff said.
Full Story

PRIVACY LAW—SOUTH AFRICA

Data Bill to Become Law in Coming Months (December 20, 2011)

Business Day reports on South Africa's Protection of Personal Information Bill. The legislation will go into effect in the first quarter of 2012, and according to one expert, companies will only have one year to reach compliance even though they may need up to three years to do so. Deloitte Senior Manager of Risk Advisory Daniella Kafouris, CIPP/U.S., said, "We are taking the next step (with the act) to align ourselves with our international counterparts. Several countries are not prepared to share information if they are not assured by legislation such as Protection of Personal Information Bill that the security and integrity of personal information will be protected."
Full Story

HEALTHCARE PRIVACY—U.S.

Study: VA Patients Prefer EHRs (December 20, 2011)

Two studies recently published in the Annals of Internal Medicine suggest that patients are less wary of sharing sensitive health information than doctors and policymakers, the National Journal reports. One study, conducted by Stanford University, found that nearly four out of five Veterans Health Administration (VA) patients currently using electronic health records would prefer to share the sensitive data outside the VA network. The study's author said, "One hears a lot about privacy and data security when it comes to health records, and this has shown to be a concern for many patients...However, it is clear from our findings that patients desire the ability to share their health information." The second study, conducted by Harvard University, indicates that respondents' desire to have access to their medical records outweighs privacy concerns, the report states.
Full Story

STUDENT PRIVACY—U.S.

Opinion: With FERPA Changes, Student Privacy in Peril (December 20, 2011)

Recently, the Department of Education (DE) released new regulations for the Family Educational Rights and Privacy Act that "expand the sharing of student personal data" to "authorized representatives," writes George Washington University Law School Prof. Daniel Solove for the Huffington Post. Solove says this "comes at a great cost to privacy." Pointing to a lack of "responsible privacy protections" and the recent breach on the department's direct loan website, he says DE's increased information collection and dissemination is irresponsible "when the ED and the other entities that collect and maintain the data are ill-equipped to safeguard privacy and provide appropriate data security." Editor's note: Dan Solove is the co-author of the IAPP book Privacy Law Fundamentals.
Full Story

PRIVACY LAW—U.S.

FTC Fines Telemarketer $500,000 (December 19, 2011)

The Federal Trade Commission (FTC) has fined telemarketing firm Americall $500,000 for breaching the Telemarketing Sales Rule, claiming it did not honor customers' requests to be taken off call lists and did not identify itself as the caller. According to the FTC, Americall instructed callers not to, for example, place consumers on a company-specific do-not-call list when a consumer said, "don't call again" or "don't call me back."

DATA LOSS

Advocate Publishes 2011 Breach Report (December 19, 2011)

The Privacy Rights Clearinghouse (PRC) has released its 2011 breach tracking report, highlighting what it considers the six most significant breaches of the year. So far this year, the organization has tracked 535 breaches involving 30.4 million records, and according to PRC Director Beth Givens, this represents just a sampling of the total breaches. The PRC list of most significant breaches includes Sony PlayStation, Epsilon, Sutter Physicians Services and Sutter Medical, Texas Comptroller's Office, Health Net and Tricare Management Activity. "These breaches highlight some important lessons, among them: the need for strict privacy and security policies; the importance of data retention policies, and the need for data to be encrypted," the report states.
Full Story

HEALTHCARE PRIVACY

Patient Data Breaches on the Rise (December 19, 2011)

Using the example of a stolen laptop at a Massachusetts healthcare nonprofit, The New York Times explores the increased threat of data breaches as healthcare providers are encouraged to move to electronic health records. According to a Ponemon Institute study, data breaches are up 32 percent from last year, costing the healthcare industry about $6.2 billion. Massachusetts eHealth Collaborative's Micky Tripathi says the breach cost the nonprofit $288,000 and about 600 hours. "Breaches are going to be one of the big challenges as more physicians and hospitals adopt electronic health records," Tripathi says. Meanwhile, Allina Hospitals & Clinics sent the personal information of eight people in a mass e-mail to 250,000 in Minnesota and Western Michigan. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—EU

Industry Reacts to Working Party’s Opinion (December 19, 2011)

In the wake of the Article 29 Working Party's announcement last week that industry efforts to comply with EU data protection rules are inadequate, the Internet Advertising Bureau (IAB) has weighed in, the Financial Times reports. The IAB, which created its YourOnlineChoices.eu website as part of a plan for members to comply with the e-Privacy Directive, has indicated it will consider the Working Party's recommendations, the report states, noting its vice president's comments that there has been a "misunderstanding" about the role of the website, which is meant to be one piece of members' overall compliance with the directive. (Registration may be required to access this story.)
Full Story

DATA PROTECTION—U.S.

Experts Discuss Audit Reports, Third-Party Risks (December 19, 2011)

As outsourcing to third parties becomes increasingly common and privacy issues and breaches dominate headlines, audits to measure internal data controls are of great interest to regulators and government oversight departments. Therefore, ensuring accountability is essential when it comes to using third-party service providers, said KPMG's Doron Rotman at a recent IAPP KnowledgeNet. The meeting focused on audits as good business practice and the various types of reports available under the new attestation standard, Statement on Standards for Attestation Engagements (SSAE) No. 16.
Full Story

PERSONAL PRIVACY—U.S.

Opinion: “Oops” Moments Should Serve as a Lesson (December 19, 2011)

A Nextgov editorial says companies could learn from others' "oops" moments, such as CarrierIQ's recent admission that a bug may have allowed for unintentional data collections. Such glitches will only increase with innovation and as the desire for data analysis grows, the editorial suggests. "Companies who have taken the lead in addressing their 'oops' could provide valuable lessons to others and possibly could help create a voluntary framework on addressing this issue," which means it may be possible to differentiate bad actors from human mistakes, the report states.
Full Story

PRIVACY LAW—U.S.

Oversight Board Gets Necessary Headcount (December 19, 2011)

Forbes reports on President Barack Obama's announcement last week on the appointment of two lawyers and a former judge to the Civil Liberties and Privacy Oversight Board. The appointments, when confirmed, will give the board the necessary headcount to become operational again. Created after September 11, 2001, the commission has remained dormant since 2007, inciting widespread criticism. The commission aims to provide oversight to U.S. surveillance and security measures in the fight against terrorism. The announcement is "a promising first step toward improving the oversight of our government's counterterrorism activities," said an ACLU spokeswoman.
Full Story

PRIVACY LAW—U.S.

Judge Dismisses Heartland Complaints (December 19, 2011)

A judge has dismissed most of the complaints brought against Heartland Payment Systems for its 2009 data breach, Credit Union Times reports. U.S. District Judge Lee Rosenthal dismissed the suit, brought by credit unions and banks that chose not to participate in a previous settlement agreement, writing in her decision that the plaintiffs were not specifically covered under contracts by Heartland Payment Systems and its acquiring banks. The institutions had alleged breach of contract, negligence and violations of consumer privacy laws in some states, among other charges.
Full Story

PRIVACY LAW—U.S.

President To Appoint Three to Oversight Board (December 16, 2011)

President Barack Obama has announced his intention to appoint three individuals to the Privacy and Civil Liberties Oversight Board. According to a White House press release, the president will appoint David Medine as chairman of the board and Rachel Brand and Judge Patricia Wald as members. Medine is of the law firm WilmerHale and led the FTC's efforts on Internet privacy and chaired an advisory committee during his eight years at the agency. Brand is chief counsel for regulatory litigation at the U.S. Chamber of Commerce, and Wald served 20 years on the U.S. Court of Appeals. Established after September 11, 2001, the board has remained dormant since 2008, drawing widespread criticism.
Full Story

PRIVACY LAW—U.S.

Sens. Seek Additional Answers from Company (December 16, 2011)

Sens. Al Franken (D-MN) and Christopher Coons (D-DE) have said that CarrierIQ has not adequately answered questions about how its software collects data on mobile phones, BusinessWeek reports. Franken said he is "still troubled by what's going on" after reviewing a report submitted by the company. "I'm also bothered by the software's ability to capture the contents of our online searches," he said, "even when users wish to encrypt them...there are still many questions to be answered here and things that need to be fixed." CarrierIQ's vice president said the company "appreciates" Franken's inquiry and looks "forward to our ongoing dialogue with the senator to answer his additional questions." After meeting with company executives, a spokesman for Coons said, "We hope and expect that this meeting is the first of several constructive conversations to get answers to the questions the senator has and the public deserves to know." 
Full Story

STUDENT PRIVACY—U.S.

School Databases “Honey Pot” for ID Thieves (December 16, 2011)

Writing in "Burdened Beginnings," a Huffington Post series analyzing children's identity theft, Gerry Smith highlights three data breaches where student Social Security numbers were illegally accessed for the purpose of identity theft. "Across the country," Smith writes, "schools have become conduits for children's pristine Social Security numbers, which are increasingly falling into the hands of credit-hungry identity thieves" prompting "calls for schools to stop collecting sensitive student data..." Noting that most schools collect the sensitive data to track student progress, some privacy experts say there are less risky methods of student tracking. One expert said, "This is making a much bigger honey pot for people with malevolent purposes to gain access to children's information...it's a meltdown waiting to happen."
Full Story

PRIVACY LAW—EU

EU Becoming “De Facto” World Regulator? (December 16, 2011)

European Voice reports on European Commission Vice-President Viviane Reding's recent comments on the forthcoming revised data protection framework for the EU. Reding said that the changes are necessary in order to create growth. The new rules are scheduled to be "adopted by the college of European commissioners on 25 January," the report states. After that, negotiations with parliamentarians and member states will begin. The new rules are expected to apply to companies located outside the EU that have customers in member states. One EU official said, "With these proposals, the EU is becoming the de facto world regulator on data protection." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—HONG KONG

Commissioner Says Two Banks Violated Privacy Regs (December 16, 2011)

Hong Kong Commissioner for Personal Data Allan Chiang Yam-wang said that, following investigations into two separate incidents, banks were in violation of privacy regulations, The Standard reports. In response, Hang Seng Bank has changed its bankruptcy data retention policy from 99 years to eight years. Chiang said that banks do not have "the right to retain the personal data for an extensive period of time without due justifications." Meanwhile, Chiang also found that CITIC Bank violated privacy regulations when it transferred the personal data of more than 150,000 of its customers to three insurance companies for marketing purposes over a four-year period. The bank has since altered its marketing practices. Chiang said that banks should exercise "a more proactive customer-centric and privacy-friendly approach" in their marketing strategies.
Full Story

PRIVACY LAW—INDIA

Gov’t Clarifies New Regulations for Outsourcers (December 16, 2011)

The Indian government has clarified its new privacy regulations. The new regulations will apply only to Indian companies that collect information from "natural persons," and it is the responsibility of the companies collecting and sending data--not the outsourcers--to protect the privacy of the data according to their respective countries' rules, Data Privacy Monitor reports. Since the rules were issued in April, there have been concerns that they would make it difficult for Indian companies performing data processing services for companies outside of the country to meet the consent requirement.
Full Story

SURVEILLANCE—U.S.

ACLU Wants Rules for Domestic Drone Use (December 16, 2011)

In advance of an expected uptick in the domestic use of unmanned drones by law enforcement agencies, the American Civil Liberties Union (ACLU) wants to set "good privacy ground rules" so "society can enjoy the benefits of this technology without having to worry about its darker potentials," according to a report by the organization. CNN reports that the ACLU acknowledges current regulations but recommends limits on how and when unmanned aerial vehicles can be used. "The deployment of drone technology domestically could easily lead to police fishing expeditions and invasive, all-encompassing surveillance that would seriously erode the privacy that we have always had as Americans," said a co-author of the ACLU report.
Full Story

DATA LOSS

Navigating the Complexities of Breach Response (December 16, 2011)

In an interview with GovInfoSecurity, Hunton & Williams Managing Partner Lisa Sotto says the complexities surrounding breach response have organizations looking toward attorneys for help. Sotto said, "A lawyer who's well-versed in managing data breaches knows that she or he needs to manage really much more than the straight legal compliance issues," such as forensics investigations, public relations management, call-center agent hiring and training, and retaining a credit monitoring service. Sotto also delves into why attorneys play significant roles during forensic investigations and public relations campaigns, how attorneys can become better acquainted with information security and why they should, and why attorneys are the "gatekeepers of data privacy" within an organization.
Full Story

DATA LOSS—EUROPE

Visa Investigating Potential Breach (December 16, 2011)

Visa is investigating a potential security breach at a European payment processor, PCWorld reports. Multiple banks have been alerted to the breach and some are taking precautions; a Romanian bank is now reissuing 17,000 payment cards, though it says its customers weren't specifically targeted. The Romanian Association of Banks says it was alerted of a potential breach that may have exposed customer information and transactions but that it doesn't expect customers to be affected. "Visa Europe has been informed of a potential data security breach at a European processor and an investigation is underway," the company said.
Full Story

PRIVACY LAW

Experts: Avoid Settlements by Building in Privacy (December 16, 2011)

A feature in The Globe and Mail suggests the U.S. Federal Trade Commission (FTC) settlement with Facebook will require the company to "get it right" when it comes to privacy, suggesting that such settlements could be avoided if companies come to understand the importance of Privacy by Design. "It's all about being proactive and embedding the necessary protections into the design of your systems," notes Ontario Information and Privacy Commissioner Ann Cavoukian. "By doing so, you can prevent the privacy harm from arising, thereby avoiding the costs associated with data breaches." Meanwhile, the Los Angeles Times reports on a call from the Electronic Privacy Information Center for the FTC to strengthen the settlement.
Full Story

PRIVACY LAW—U.S.

Lawmakers, Stakeholders Discuss COPPA, Facebook Settlement (December 15, 2011)

At a public forum in Washington, DC, yesterday, lawmakers, regulators and experts agreed that the Children's Online Privacy Protection Act (COPPA) is imperative and effective when it comes to keeping kids safe, but more must be done. As the end to the FTC's public comment period on proposed changes to COPPA approaches, discussion at the forum centered around whether children are capable of giving "meaningful consent;" the feasibility of an "eraser button" for children and teens, and the role parents play in keeping their kids safe. Also discussed was the FTC's recent settlement with Facebook over its privacy practices, with EPIC's Mark Rotenberg calling on the FTC to strengthen the deal.
Full Story

PRIVACY LAW—EU

Working Party: Industry BT Solutions “Inadequate” (December 15, 2011)

The Article 29 Working Party has released its opinion on the Online Behavioral Advertising Self-Regulatory Framework proposed by the European Advertising Standards Alliance (EASA), noting that while it welcomes the self-regulatory efforts, "adherence to the EASA/IAB Code on online behavioral advertising and participation in the website www.youronlinechoices.eu does not result in compliance with the current e-Privacy Directive" and creates "the wrong assumption that it is possible to choose not to be tracked while surfing the Web."

ONLINE PRIVACY—EU

Microsoft Signs EU Data Protection Agreement (December 15, 2011)

In efforts to ease European organizations' use of its new software suite, Microsoft has signed the EU Model Clauses agreement, allowing "member nations to transfer personal data for processing to countries that cannot ensure an adequate level of protection," reports ITNews. Signing the agreement means EU regulators will have the ability to request that customers stop using Office 365 if they find it has not taken "appropriate steps" to protect data. The software stores data in servers in the U.S., Ireland and the Netherlands, among others. Microsoft has also created a "trust center" that shows users the "geographic boundary" of their Office 365 data, states the report, but stops short of disclosing exactly how many servers it has and where they are located.
Full Story

PERSONAL PRIVACY

CarrierIQ Reassures Regulators, Customers on Privacy Practices (December 15, 2011)

CarrierIQ says it contacted the Federal Trade Commission (FTC) and Federal Communications Commission (FCC), not the other way around, VentureBeat reports. The company has faced scrutiny since computer programmers discovered that CarrierIQ software--used by many smartphone service providers--logs users' keystrokes and other personal information. In the U.S., several lawsuits have been filed, and lawmakers have written to the company, which says it sought meetings with the FCC and FTC for transparency and that it will "comply with all domestic and foreign regulators" as European agencies investigate. CarrierIQ recently published a 19-page report explaining how its technology works. 
Full Story

CHILDREN’S PRIVACY—U.S. & CANADA

Advocacy Group Alleges Site Violates COPPA (December 15, 2011)

A child advocacy group has filed a complaint with the U.S. Federal Trade Commission alleging a Canadian company violated provisions of the Children's Online Privacy Protection Act with its interactive children's website, the Los Angeles Times reports. Among its allegations, the Campaign for a Commercial-Free Childhood contends that Ganz fails to provide a link to its privacy policy on the homepage of its Webkinz site, stating the policy itself is "vague, confusing and contradictory" and alleging third parties are allowed to track users on the site for targeted advertising. Ganz is in the process of reviewing the complaint, the report states.
Full Story

DATA LOSS—JAPAN

Game Developer’s Servers Hacked (December 15, 2011)

A Japanese game developer says servers containing data on 1.8 million customers have been hacked, AFP reports. The extent of damage done is not yet known, but Square Enix says it stopped service an hour after discovering the intruder, who breached an unknown number of servers storing data--including names and e-mail addresses--on one million members in Japan and 800,000 in North America. The server for its 300,000 European members was not breached, however. Earlier this year, Square Enix was breached after a hacker attacked its European server and accessed consumer e-mails and the resumes of 250 job applicants.
Full Story

IDENTITY THEFT—U.S.

SSNs Removed from Genealogy Sites (December 15, 2011)

In a move to help curb identity theft, makers of the largest commercial genealogy website have removed the Social Security numbers (SSNs) of recently deceased individuals, The Republic reports. Noting that "there was some sensitivity" around the company's practice of releasing the SSNs, an Ancestry.com spokesman said the company has made a "purposeful decision" to cease disclosing the sensitive data. A recent investigation showed that identity thieves obtained the SSNs of the recently deceased and used them to file fraudulent tax returns in order to collect refunds. Earlier this month, four lawmakers wrote a letter to the five largest online genealogy companies asking them to remove SSNs. So far, two have acquiesced.
Full Story

ONLINE PRIVACY

On the Web: Weighing Convenience Against Data Protection (December 15, 2011)

BBC News reports on Web giants in the social networking and search spheres and the convenience they provide to users, suggesting privacy "is becoming the thorn in the side of this marriage of convenience." The feature examines recent calls by regulators from the EU and Canada, as well as the U.S. Federal Trade Commission, for better privacy protections from online firms. Looking at regulators' responses to such issues as cookies and shadow profiles, the report suggests, "2012 could see a change in the balance of power between Net firms and citizens, with citizens, for once, holding the upper hand."
Full Story

DATA LOSS—CANADA

Breach Linked to Criminal Activity (December 15, 2011)

An RCMP investigation has revealed that an Insurance Corporation of British Columbia (ICBC) employee inappropriately accessed the information of 65 people--13 of whom have had their property damaged by shootings or arson, reports The Vancouver Sun. The employee has been fired and is under continuing investigation, and the police are pursuing "significant investigative avenues to determine if others could be at risk," said a police spokeswoman. All 13 victims identified are affiliated with the Justice Institute of British Columbia, and police are still looking for a motive. ICBC CEO Jon Schubert expressed his concern for the victims, adding that the company is taking preventative measures.
Full Story

ONLINE PRIVACY—U.S.

Study: Americans More Trusting of Gov’t Than Business Sites (December 15, 2011)

A new study has found that a majority of Americans deem government and big media websites to be more reliable and trustworthy than private business websites, reports the Associated Press. Published by the University of Southern California, the study, which surveyed more than 2,000 U.S. households, found that almost half of the respondents said they are concerned about companies tracking them online, while 38 percent expressed the same concern about tracking by the government. 
Full Story

Regulators, Stakeholders Discuss How Best To Protect Children (December 15, 2011)

Lawmakers, experts and regulators at a public forum in Washington, DC, yesterday agreed that the Children’s Online Privacy Protection Act (COPPA) is imperative and effective when it comes to keeping children safe, but more must be done--especially due to industry’s reluctance to self-regulate.

PRIVACY LAW—AUSTRALIA

Pilgrim’s First Determination: Damages, Apology, Training (December 14, 2011)

Australia Privacy Commissioner Timothy Pilgrim has declared that the Wentworthville Leagues Club breached National Privacy Principle 2.1 when it disclosed information on a member's gambling habits to his former partner. In 2005, the club was issued a court subpoena to turn over the information to the court; instead, it gave the documentation to the former partner--who then shared it with others.

PRIVACY LAW—EU & U.S.

PNR Deal Seeks Parliamentary, Member State Approval (December 14, 2011)

National interior ministers yesterday approved the signing of a new agreement between the EU and U.S. on sharing passenger name record data, the European Voice reports. The agreement is expected to be signed today but will require approval from EU member states and Parliament, which rejected a 2007 agreement. MEP Jan Philipp Albrecht has said the new agreement "fails to address the fundamental rights concerns repeatedly raised by the European Parliament and various European courts." European Data Protection Supervisor Peter Hustinx has also expressed dissatisfaction with the agreement's provisions.
Full Story

PRIVACY LAW—U.S.

Insurance Company Agrees to Breach Settlement (December 14, 2011)

CBS reports that Progressive Direct Insurance has agreed to a $125,000 cash settlement following allegations the company broke Massachusetts state law by "using customers' private credit information." The consumer complaint alleged the company allowed customers to "unknowingly link to a private credit inquiry to calculate insurance rates," the report states, noting the link to the credit inquiry was removed from the company's website last month. Editor's Note: On Friday, the IAPP will host a Web conference on "The Evolving Nature of Privacy 'Harm'" in the courts.
Full Story

STUDENT PRIVACY—U.S.

Student Database Project To Move Forward (December 14, 2011)

Though previously halted due to privacy concerns, a project to build a database on students is moving forward. The database aims to connect New York to several states and allow educators to share student data--from transcripts to test answers--among other resources, reports The Wall Street Journal. New York State Comptroller Thomas DiNapoli halted the project last summer, citing student privacy. The state's contract with Wireless Generation--which would build the project's framework--could grant the company access to the student data if the system needed maintenance or upgrades. But the New York Board of Regents has authorized the Education Department to hire at least one company to implement the project. (Registration may be required to access this story.)
Full Story

SURVEILLANCE—ISRAEL

ILITA Proposes CCTV Guidelines (December 14, 2011)

The Israeli Law Information and Technology Authority (ILITA) has announced new proposed guidelines on the use and deployment of surveillance cameras. The guidelines include principles on process, deployment, locational considerations and public awareness. In this Privacy Advisor article, Dan Or-Hof, CIPP, of the firm Pearl Cohen Zedek Latzer provides an outline.
Full Story

TRAVELERS’ PRIVACY—EU & U.S.

EDPS: PNR Agreement Does Not Address Concerns (December 13, 2011)

In the wake of issues raised by other EU regulators with a passenger name record (PNR) sharing plan between the EU and U.S., European Data Protection Supervisor (EDPS) Peter Hustinx has released a statement detailing his concerns with the plan. "Any legitimate agreement providing for the massive transfer of passengers' personal data to third countries must fulfill strict conditions," he noted, adding, "Unfortunately, many concerns expressed by the EDPS and the national data protection authorities of the member states have not been met."

DATA PROTECTION—HUNGARY

Head of New Independent Authority Named (December 13, 2011)

President Pal Schmitt has appointed Attila Peterfalvi the head of Hungary's National Data Protection and Freedom of Information Authority, Politics.hu reports. The new authority--established by Parliament as an independent entity to replace the data protection ombudsman--will retain the duties of the ombudsman but will be more in line with EU legislation, the report states. Peterfalvi, who will serve a nine-year term beginning January 1, will have broader powers than the ombudsman and may impose fines of up to €33,000. Peterfalvi served as Hungary's data protection ombudsman from 2001-2007.
Full Story

GEO PRIVACY

Experts Detail Concerns About Emerging Technologies (December 13, 2011)

"The sheer scale of technological change and the ingenuity with which people are using location-based service data feeds means we are always playing catch-up." That was the message from Jonathan Bamford of the UK Information Commissioner's Office at a recent privacy event, V3.co.uk reports. Considering the future of privacy, one U.S. expert suggested it may soon be impossible to opt out of sharing location data, noting, "As we match the physical world to the virtual world, by placing items such as fridges or even your car keys on the Internet, firms could have even more access to your data, your location and your life."
Full Story

PRIVACY LAW—U.S.

Judge: Convicts May No Longer Shred Documents (December 13, 2011)

In the wake of concern raised by a news organization, a Texas judge has called for an end to a Dallas County program that allowed convicted criminals on probation or parole to meet their community service requirements "by destroying thousands of sensitive documents--including psychiatric exams of juveniles, copies of Social Security cards, birth certificates, court records, drug tests and even medical records," WFAA reports. County Judge Clay Jenkins has taken action to stop the practice, the report states. "It's important we protect the confidential data the people entrust the government with. Period," he said. "And we need to make sure we get that done right."
Full Story

RFID

Expert: Banks Should Allow Opt-Out for New Technology (December 13, 2011)

The lack of consumer choice when it comes to banks' use of near-field communication (NFC) enabled bank cards is of grave concern, according to one expert. ISACA's Richard Hollis recently visited five banks to ask for a bank card without the embedded technology--a method of wireless communication--but was refused at each, V3.co.uk reports. "The industry is not leading on the issue of privacy but just saying, 'User Beware' and carrying on with its practices, and we are still some way from the tipping point of consumers starting to ask questions about what is actually being done with their data," Hollis said at a recent conference on cyber privacy.
Full Story

PRIVACY LAW—EU

Opinion: Proposed Rules Send “Disturbing Message” (December 13, 2011)

In a feature for Forbes, Richard Levick suggests that the proposed revision of the EU's data protection laws "should send a clear and disturbing message to businesses that do business globally." Levick highlights the proposals, which include increased penalties--to the tune of five percent of the global turnover of organizations that mishandle data--in suggesting that even if the rules are not adopted as presented, "they now provide a real window on how EU regulators are already thinking...If nothing else, the trend line points toward ever more aggressive regulatory prerogatives." Editor's Note: The IAPP 2012 Global Privacy Summit will offer several preconference and breakout sessions related to the new EU data protection framework.
Full Story

DATA PROTECTION—U.S.

Moving Toward Concise Policies (December 13, 2011)

The U.S. Consumer Financial Protection Bureau is testing a new credit card agreement with the Pentagon Federal Credit Union that it says is "short, simple (and) easy to understand," reports NPR's Planet Money Blog. The two-page agreement gets around the need for lengthy definitions by including them on a referenced Web page. One lawyer explains that the reason policies are so long is that they have to include "everything from 'What happens if you lose your credit card?' to 'You have to pay us back.'" Meanwhile, TRUSTe has released its first privacy index, which analyzed 100 U.S. websites and found that while nearly 100 percent had privacy policies, they are long, complex and difficult for the average person to understand.
Full Story

DATA LOSS—AUSTRALIA

Commissioner To Investigate Website Glitch (December 12, 2011)

The Australian privacy commissioner says his office has launched a formal investigation into the most recent Telstra breach, ZDNet reports. The commissioner has asked the company for a detailed written report on the incident, including what information was compromised and what action the company is taking to prevent a similar occurrence in the future.

HEALTHCARE PRIVACY—UK

Advocates: Data Sharing Plan Needs Strong Safeguards (December 12, 2011)

The Guardian reports that a Department of Health (DH) plan would see the NHS Information Centre and Connecting for Health (CfH) providing patient data to private research firms, causing concern for some privacy advocates. While CfH claims only anonymized data would be shared, in some cases--with permission from the secretary of state for health--data would be shared in an identifiable format, or "pseudonymized." Privacy advocates say that more details are needed about the distinction between the two formats. "The safeguards in place need to be robust and clearly communicated," says Nick Pickles of Big Brother Watch. "The long-term risk to privacy of patients' identities and their health details being connected cannot be quantified, so these plans should be implemented with absolute care."
Full Story

PRIVACY LAW—U.S.

Concerns Persist Over VPPA Changes (December 12, 2011)

Privacy advocates are voicing concerns about potential changes to the Video Privacy Protection Act (VPPA). The New York Times reports that Netflix is supporting a bill that passed in the House of Representatives last week to amend the VPPA to "allow consumers to give one-time blanket consent online for a company to share their viewing habits continuously." However, privacy advocates including Marc Rotenberg of the Electronic Privacy Information Center are concerned the new legislation will result in users' losing the ability to select how they share specific information. "They are not trying to modernize the law," Rotenberg said. "They are trying to gut the law." (Registration may be required to access this story.)
Full Story

HEALTHCARE PRIVACY—U.S.

McGraw: Update to HIPAA Needed Soon (December 12, 2011)

As electronic health records and information exchanges proliferate, privacy and security issues must be addressed in order to improve the quality of healthcare, says Deven McGraw, co-chair of the Privacy and Security Tiger Team advising federal healthcare leaders. McGraw tells HealthcareInfoSecurity she feels that although her team has given the Department of Health and Human Services "a lot of good recommendations over the past year...few of them have been acted on yet." She recently testified before a Senate subcommittee to express concern about the delays in HIPAA updates. Meanwhile, she writes in a recent blog post that breach reports should include details about the impact on affected patients or providers.
Full Story

ONLINE PRIVACY

Opinion: Online Anonymity Isn’t So Achievable Anymore (December 12, 2011)

In a column for The New York Times, Nick Bilton describes how easily a supposedly anonymous Web user can be identified. Bilton recently uploaded images to a photo-sharing app, eliciting comments from a stranger. But it took Bilton only 10 minutes to piece together bits of the stranger's personal information online to identify her full name, phone number, home address and place of employment. Privacy expert Elizabeth Stark of Stanford University said, "Previously you could have searched every photo on the Internet for a photo of Nick Bilton until you eventually found one, but that would take a lifetime. Now, facial recognition software can return more images about someone instantly." (Registration may be required to access this story.)
Full Story

BEHAVIORAL TARGETING—U.S.

Opinion: Consumers Deserve Transparency, Accountability (December 12, 2011)

In a USA TODAY op-ed, Daniel Castro, senior analyst with the think-tank Information Technology and Innovation Foundation, says that proposed do-not-track regulation represents a "net loss for consumers." When it comes to protecting privacy, more transparency and accountability are what's needed, Castro writes. "The Internet was built on advertising," he says, suggesting do-not-track would break the economic model--eventually leading to less or lower quality content, more ads or paying for access to content. "Consumers should know what companies are doing with their information, and companies that deviate from their stated practices should be held liable," he writes. "All consumers...deserve these protections."
Full Story

BIOMETRICS—U.S.

Forum Explores Facial Recognition Implications (December 9, 2011)

Facial recognition was the topic of discussion yesterday at a roundtable hosted by the Federal Trade Commission (FTC) and attended by companies using facial detection and recognition technology as well as consumer and privacy advocates, government officials and academics. While facial recognition becomes more common in products and services, privacy advocates and academics have been among those expressing concern that such innovations could erode individual privacy.

DATA LOSS—AUSTRALIA

Website Glitch Could Affect Millions (December 9, 2011)

The federal privacy commissioner has been notified of the exposure of potentially millions of customers' information on a Telstra webpage, The Australian reports. Usernames and passwords were believed to have been included in the Telstra customer service agents' search page, which was openly accessible until a user discovered the issue. While Telstra took down the page, it was "not before computer security experts showed that it could be used to access customer details including their account numbers, broadband packages, technician visits and, in some cases, their e-mail's usernames and passwords," the report states. (Registration may be required to access this story.)
Full Story

SOCIAL NETWORKING—U.S.

Legislators Seek Answers on Privacy Practices (December 9, 2011)

The Hill reports on a request by legislators for details on Facebook's privacy practices in the wake of a recent settlement between the social network and the Federal Trade Commission. In a letter sent to Facebook CEO Mark Zuckerberg on Thursday, Reps. Cliff Stearns (R-FL), Diana DeGette (D-CO), Joe Barton (R-TX) and Edward Markey (D-MA) asked for explanations of the site's tracking and information gathering practices by January 3. A Facebook spokesman has responded that the company is "pleased to answer any questions they may have." Meanwhile, Facebook has declined an invitation from the Congressional Privacy Caucus to attend a briefing on teen privacy next week.
Full Story

PRIVACY LAW—INDIA

Parliament Sends ID Bill Back for Redrafting (December 9, 2011)

The National Identification Authority of India Bill will go back to the government for redrafting, reports Livemint. The Parliamentary Standing Committee on Finance has been studying the proposed legislation, which would impose strict punishment for identity theft and privacy breaches and provide 11 enforcement and intelligence agencies with access to citizens' personal information, including credit card transactions and phone records--a provision that has raised privacy concerns. "We have rejected the bill," said Gurudas Dasgupta, a member of Parliament. "We have found that the project is not necessary as there are many other ways of identification."
Full Story

PRIVACY LAW—U.S.

Commerce Committee Approves Leibowitz, Ohlhausen (December 9, 2011)

The Senate Commerce, Science and Transportation Committee yesterday approved the proposed reappointment of Federal Trade Commission (FTC) Chairman Jon Leibowitz and the nomination of Maureen Ohlhausen to fill an open commissioner's seat, The Hill reports. The nominations must still be approved by the full Senate. If approved, Ohlhausen will replace Republican Bill Kovacic on the five-commissioner panel.
Full Story

PRIVACY

Executives Discuss Importance of Privacy Teams (December 9, 2011)

IDG News Service reports on the privacy teams at Microsoft and Google and their efforts to help the companies avoid violating "complicated U.S. privacy regulations and prepare for changes coming to privacy laws around the globe." Microsoft has a team of 40 employees dedicated fully to privacy issues, with 400 spending at least part of their time on privacy, explained Associate General Counsel Michael Hintze, CIPP/G/C/IT. Meanwhile, Google's privacy team includes about 60 engineers, said Senior Privacy Counsel Keith Enright, CIPP/G. The size of the privacy teams is "an indication of what's required today to keep pace with data privacy issues," one expert explained.
Full Story

PRIVACY LAW—U.S.

Another Suit Filed Against School District (December 9, 2011)

The sister of a student who received a $175,000 settlement in a case against the Lower Merion School District (LMSD) in Pennsylvania has filed a suit in U.S. District Court alleging that her privacy was invaded due to the remote monitoring of her brother's school-issued laptop, reports myfoxphilly.com. In the seven-count suit, Paige Robbins accuses the LMSD of violating the federal Electronic Communications Privacy Act, Computer Fraud and Abuse Act, Stored Communications Act and Civil Rights Act in addition to Pennsylvania's Wiretapping and Electronic Surveillance Act. In a statement yesterday, the LMSD described the suit as "the epitome of an attempted money-grab and a complete waste of tax dollars."
Full Story

PRIVACY LAW—U.S.

Heartland Breach To Face One Suit from Banks (December 9, 2011)

U.S. District Court Judge Lee Rosenthal has dismissed nine of the 10 counts filed by financial institutions against Heartland Payment Systems related to a 2007 breach that resulted in the theft of 130 million payment card numbers, reports Courthouse News Service. Rosenthal split the numerous complaints into consumer complaints and financial institution complaints. Nine banks filed a class-action suit with 10 causes of action, and while he granted the banks leave to amend many of the claims, he agreed with only the claim that the company violated Florida's Deceptive and Unfair Trade Practices Act.
Full Story

Facial Recognition: Experts Explore Opportunities and Privacy Impact (December 9, 2011)

Representatives from Google, Facebook, Intel, face.com and others using facial detection and recognition technology say they are building privacy protections in from the start and are willing to work with others to ensure that basic fair information practices like consumer notice and choice are maintained in emerging products. Concern remains, however, that the sheer amount of personal information already available online—combined with facial recognition technology—will irreparably erode individual privacy.

PRIVACY LAW—EU

Draft Framework Offers Glimpse of Upcoming Changes to Directive (December 8, 2011)

The European Commission has released two documents that will serve as the basis of a new data protection framework in the European Union. The documents are under review by Directorates-General, whose comments will be considered before the final version of the new regulation is published in late January.

DATA LOSS

Data of 3.5 Million Online Poker Players Exposed (December 8, 2011)

A defunct gambling site experienced a breach affecting 3.5 million members this past weekend, SecurityNewsDaily reports. The names, screen names, birth dates, phone numbers and IP, home and e-mail addresses of Ultimate Bet users in Canada, the U.S., the UK and elsewhere were posted to online poker forums, the report states. The data was removed after eight minutes.
Full Story

PRIVACY LAW—U.S. & CANADA

Border Security Pact Unveiled (December 8, 2011)

The long-anticipated "Beyond the Border" perimeter security pact between the U.S. and Canada has been unveiled, The Vancouver Sun reports. The plan is aimed at improving security and harmonizing regulations for both nations, but privacy advocates have voiced concerns over the amount of data that will be shared. The new plan will enhance the tracking of travelers in the U.S. and Canada to identify threats and will allow more information--including biometrics--to be obtained from individuals seeking to enter either country. Canadian Privacy Commissioner Jennifer Stoddart says her office will conduct a complete review of the deal. She noted both countries have agreed to develop joint privacy principles by next May.
Full Story

ONLINE PRIVACY—U.S.

As Mobile Phone Suits Announced, Expert Calls for “Transparent Tracking” (December 8, 2011)

Amidst recent concerns and now pending lawsuits against mobile phone company CarrierIQ over allegations that the company collected location, app usage and keystrokes from various mobile phones, one expert is calling for "industry to give users a one-click way to see what their gadgets are actually doing," MIT Technology Review reports. Harvard Law School Prof. Jonathan Zittrain, cofounder of the Berkman Center for Internet and Society, recommends building in an auditing function that could "show with whom the phone has been communicating and the sorts of things it has been sending."
Full Story

RFID—U.S.

Recycling Cart Chips Trashed for Privacy Concerns (December 8, 2011)

The Gastonia, NC, city council voted on Tuesday to stop the delivery of RFID-chipped recycling bins to its residents, citing citizens' privacy concerns, the Gaston Gazette reports. The bins are part of a city-wide program aimed at guiding recycling education efforts toward communities that recycle less than others, but some are worried that the monitoring will eventually lead to penalties for residents who are not recycling. Meanwhile, one organization has created a privacy impact assessment tool for RFID implementation--a practice encouraged in the EU--that helps identify privacy controls that can be built into systems.
Full Story

ONLINE PRIVACY

Survey: Social Networkers Care About Privacy (December 8, 2011)

A recent survey conducted by the Asia Pacific Privacy Authorities has revealed that people care about their privacy when it comes to social networking sites, according to a press release from New Zealand Privacy Commissioner Marie Shroff's office. More than 10,000 individuals in Mexico, Australia, New Zealand, Hong Kong and Korea completed the survey, which found that 55 percent of respondents "said they would stop using a site that used their information in a way they hadn't expected." Fifty percent said they were uncomfortable with being tracked online for marketing purposes; however, 65 percent said they do not read privacy policies or terms and conditions.
Full Story

ONLINE PRIVACY—U.S.

Employees Use 1930s Labor Law Today for Social Media Protection (December 7, 2011)

The Wall Street Journal reports that workers are now using a decades-old labor law to defend themselves from repercussions for making online comments about their employers. The National Labor Relations Act of 1935 grants private-sector employees certain rights to complain and is presided over by the National Labor Relations Board (NLRB). More than 100 employers have been accused in the last year of “improper activity related to social media practices or policies,” the report states, and the NLRB has decided that about half are worthy of action—generally a civil complaint against the employer to be heard by an NLRB judge. Philip Gordon of Littler Mendelson, an employment and labor law firm, says that before disciplining employees, employers should ask themselves if the complaint pertains to wages, hours or working conditions—specifically protected by the law—and if the employee is expressing an individual gripe or speaking on behalf of coworkers about a shared concern. “The NLRB’s own focus on analyzing complaints on a case-by-case basis highlights the difficulty for employers in determining whether an employee’s social media activity is legally protected. Still, some types of posts rarely will enjoy legal protection. These include unauthorized disclosure of a patient’s protected health information or of trade secrets and other confidential business information; false statements about the quality of an employer’s products or services, and individualized complaints about a supervisor,” Gordon said, adding that, as a practical matter, “employers need to toughen their skin a bit, which should help to avoid unnecessary tangles with the NLRB or a union” and focus their attention on comments that are truly damaging to the brand or the work environment. (Registration may be required to access this story.)

Commissioner Brill: COPPA Needs To Be Fixed, Not Abandoned (December 7, 2011)

By Jedidiah Bracy, CIPP

Speaking at the IAPP’s Practical Privacy Series in Washington, DC, yesterday, Commissioner Julie Brill of the Federal Trade Commission (FTC) equated the current privacy paradigm to the age-old “tenet of the toddler room: share, don’t take.” Among the many topics discussed, Brill defended the viability of the Children’s Online Privacy Protection Act (COPPA) and said that the FTC plans to expand the legislation to cover emerging mobile technologies and online behavioral advertising.   

On the heels of a settlement with Facebook and shortly before the public comment deadline on COPPA, Brill countered recent claims that the federal legislation is no longer effective “in the Facebook age.”

A recent report by Microsoft researcher danah boyd found that social media sites restrict access to children under the age of 13 altogether rather than meet the requirements mandated under COPPA. As Brill put it, the report concludes that COPPA “inadvertently undermines parents’ abilities both to choose to allow their children access to these services and to protect their children’s data online.”

Brill disagreed with boyd’s assertion and claimed the “well-respected research” proved otherwise, adding, “parents would respond well to the notice and consent process if Facebook chose to use it.” Parental involvement in the creation of a social media account—something boyd’s report found common among those surveyed—“indicates they want what COPPA seeks to provide—the power to hold their children’s hands as they learn to make choices about how to share data online,” said Brill.

Additionally, Brill warned that “without COPPA, there would likely be a significant decrease in sites and services that give parents notice and control over the collection of their children’s personal information—a bad outcome as far as I’m concerned and, it seems, as far as the parents in this study are concerned.”

Though current legislation “is not perfect,” Brill said the FTC’s approach will be to fix existing holes by applying COPPA rules to new media like mobile technology and by providing “more streamlined, meaningful information to parents and improve the way in which it affects verifiable parental consent.”

Brill added that the FTC wants to “expand the definition of the personal information COPPA covers to include photos, videos and audio files containing children’s images or voices and to address online behavioral advertising to children…another online phenomenon...

DATA LOSS—UK

Council Receives “Record Fine” for Disclosure Error (December 7, 2011)
The Information Commissioner's Office (ICO) has fined Powys County Council for breaching the Data Protection Act in what it called "the most serious case it had dealt with since receiving the power to fine organizations," BBC News reports. The council was fined £130,000--the highest penalty the ICO has issued--and says it has since reviewed its policies and procedures.

PRIVACY LAW—U.S.

House Approves Amendment to Video Privacy Law (December 7, 2011)

The House of Representatives has approved an amendment to the Video Privacy Protection Act (VPPA) in light of new technologies, reports Covington & Burling LLP's Inside Privacy. The amendment--H.R. 2471--clarifies certain ambiguities within the VPPA, specifically the provision that states that "video tape service providers" are not permitted to share a consumer's "video usage information without informed, written consent from the consumer given at the time the disclosure is sought," the report states. The amendment clarifies the rules around disclosure requests and consent, noting that consent may be obtained electronically via the Internet.
Full Story

ONLINE PRIVACY—U.S.

Official: White House Whitepaper “Imminent” (December 7, 2011)

POLITICO reports that White House Deputy Chief Technology Officer for Internet Policy Daniel Weitzner has said the Obama Administration's whitepaper on online privacy will be released "in a matter of weeks," noting that with the evolution of thinking around online privacy, "now we need some substantive privacy rules written into statute." Weitzner also spoke in favor of a consumer privacy bill of rights, the report states, and contended that the U.S. is not behind the EU in terms of online privacy regulations but "more or less exactly on the same schedule."
Full Story

CHILDREN’S PRIVACY—U.S.

Commissioner: COPPA Should Be Fixed, Not Abandoned (December 7, 2011)

Speaking at the IAPP's Practical Privacy Series in Washington, DC, FTC Commissioner Julie Brill equated the current privacy paradigm to the age-old "tenet of the toddler room: share, don't take." Among several pressing topics covered--including social media, big data collection and developments in do-not-track self-regulation--Brill disputed recent research suggesting that COPPA is no longer effective "in the Facebook age." This Daily Dashboard exclusive looks at Brill's reasoning behind the continued need for COPPA protections for parents and children and how the FTC plans to address and expand the federal legislation to meet new challenges found in the mobile technology and online behavioral advertising landscapes.
Full Story

ONLINE PRIVACY—U.S.

Employees Use 1930s Labor Law Today for Social Media Protection (December 7, 2011)

The Wall Street Journal reports that workers are now using a decades-old labor law to defend themselves from repercussions for making online comments about their employers. The National Labor Relations Act of 1935 grants private-sector employees certain rights to complain, and more than 100 employers have been accused in the last year of "improper activity related to social media practices or policies," the report states. Philip Gordon of Littler Mendelson, an employment and labor law firm, says that before disciplining employees, employers should ask themselves if the complaint pertains to wages, hours or working conditions--specifically protected by the law--and should focus their attention on comments that are truly damaging to the brand or the work environment. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

House Bill Proposes Info-Sharing Organization for Cybersecurity (December 7, 2011)

Proposed legislation aimed at improving security in government and private-sector companies that operate financial networks, power plants and telecommunications networks calls for more sharing of cybersecurity threats and the creation of an information-sharing organization, reports Bloomberg. Lawmakers, industry experts and consumer advocates have weighed in on the bill, saying more definition is needed to protect consumer privacy and better define the role of the envisioned organization--as well as how the Department of Homeland Security fits into the picture. The bill's backer, Rep. Dan Lungren (R-CA) says, based on the testimony, he will incorporate more privacy protections and clarity. He plans to formally present the bill next week.
Full Story

HEALTHCARE PRIVACY—U.S.

Health Data at High Value, High Risk (December 7, 2011)

Government Health IT discusses the findings of the Ponemon Institute's second annual Benchmark Study on Patient Privacy and Data Security in an interview with institute founder Larry Ponemon, CIPP, and Rick Kam, CIPP, president of ID Experts, which sponsored the study. Health data breaches are up 26 percent from last year, according to the study. While noting that notification requirements may have had an effect, Ponemon points to increased "criminal enterprise around data theft" and says that breach numbers appear to be on the rise across the board. Unlike other forms of data, says Kam, healthcare data "cannot be put back into the box." Ponemon says balancing security with efficiency, financial challenges and a cultural focus on healing--not data protection--are possible explanations for providers' lack of proper protections.
Full Story

PRIVACY LAW—ITALY

Italian Gov’t Passes Interim Rule on Legal Entities’ Data (December 6, 2011)
The government of new Italian Prime Minister Mario Monti has passed an interim rule by means of which legal entities' personal data are no longer protected and covered by Italian data protection legislation. According to Rocco Panetta of Panetta & Associati in Rome, Italy was one of only a few countries in the European Union extending protection provided for by EU Directive 95/46/CE over legal entities' data.

DATA PROTECTION—EU & U.S.

Reding: EU Reforms Should Inspire U.S. and Others (December 6, 2011)

EU Justice Commissioner Viviane Reding said in a speech today that she supports the growth of cloud computing, including data centers, in Europe, but "this cannot be the only solution. We need free flow of data between our continents. It doesn't make much sense for us to retreat from each other." Bloomberg reports that the European Commission plans to present its proposal for changes to current data protection laws by the end of next month, and Reding said the reforms can act as "an inspiration for changes in the U.S. and elsewhere." Reding expressed concern that self-regulation may be the path forward for the U.S.--which may not be "sufficient to achieve full interoperability between the EU and U.S."
Full Story

BEHAVIORAL TARGETING—CANADA

Stoddart Releases Online Advertising Guidance (December 6, 2011)

Privacy Commissioner Jennifer Stoddart has released a new guidance document on the use of online behavioral advertising aimed at helping advertisers, websites and browser developers ensure that they are compliant with Canada's private-sector privacy law. "The use of online behavioral advertising has exploded and we're concerned that Canadians' privacy rights aren't always being respected," Stoddart said, adding that Canadians should easily be able to opt out of being tracked online. The guidelines also address tracking children online and whether children are capable of providing "meaningful consent."
Full Story

STUDENT PRIVACY—U.S.

Education Department Announces New Safeguards (December 6, 2011)

The U.S. Department of Education (DoE) has released new regulations to strengthen the Family Educational Rights and Privacy Act (FERPA) to better protect student privacy while allowing states to share data to help determine how effective educational investments have been. Speaking to the importance of such data, U.S. Secretary of Education Arne Duncan noted, "At the same time, the benefits of using student data must always be balanced with the need to protect students' privacy rights and ensure their information is protected." The regulations include increased ability for the DoE to "more effectively hold those who misuse or abuse student information accountable for violating FERPA."
Full Story

HEALTHCARE PRIVACY—U.S.

Survey: Providers Not Ready for Audits (December 6, 2011)

A study conducted by HCPro has found only 17 percent of respondents--including health information management directors and compliance officers--say they are prepared for Office for Civil Rights (OCR) HIPAA-compliance audits, reports iHealthBeat. The OCR says it plans to carry out 150 audits within 2012. The audits aim to determine how many organizations will be HIPAA compliant by the end of 2012 and help build corrective action plans. Of the 400 survey respondents, 70 percent said they are "somewhat prepared" and pointed to several reasons for noncompliance, including a lack of commitment by upper management, the report states.
Full Story

ONLINE PRIVACY—U.S.

New Technology Capable of Scanning Massive Data Sets (December 6, 2011)

FOX News reports on a security research project built to scan instant messages, texts and e-mails. PRODIGAL, the Proactive Discovery of Insider Threats Using Graph Analysis and Learning, can read a quarter billion communications per day and is currently undergoing testing at the Georgia Tech School of Computational Science and Engineering. It will be used to scan the communications of military volunteers and government employees, but some have raised concerns about the project's future uses. "Some people say it's one step further toward a police state," said one security expert.
Full Story

PRIVACY LAW—ISRAEL

Landmark Case Establishes Employee Monitoring Guidelines (December 5, 2011)
Employee e-mail use policies usually grant employers wide-ranging powers to monitor and review employees' Internet usage and e-mail correspondence. According to a recent major decision by the Israeli National Labor Court, however, this situation is likely to change, and generic, sweeping or vague Internet-use policies of employers will no longer be allowed.

PRIVACY LAW—U.S.

Judge Dismisses Suit, Questioning “Harm” (December 5, 2011)

A U.S. District Court judge has dismissed a proposed class-action lawsuit against Amazon related to users' privacy, MediaPost reports. The plaintiffs have 30 days to revise the complaint, which alleged the company violated consumer protection and computer fraud laws by circumventing "the privacy settings of Internet Explorer users" and setting cookies without permission, the report states. Judge Robert Lasnik determined the plaintiffs did not "plead adequate facts to establish any plausible harm" and that the plaintiffs' "use of defendant's site to make purchases would appear to serve both as an acknowledgment that cookies were being received and an implied acceptance of that fact." The decision comes amidst other recent dismissals and a filing by several companies to the Supreme Court on the issue of demonstrating harm. Editor's Note: The upcoming Web Conference, "The Evolving Nature of Privacy Harm," will feature expert insights on privacy harm issues on December 16.
Full Story

HEALTHCARE PRIVACY—UK

Critics Say PM’s Data-Sharing Plan Contains Risks (December 5, 2011)

Plans by Britain's prime minister to allow pharmaceutical companies access to anonymous patient data are drawing criticism that commercial interests are coming before privacy concerns, BBC News reports. Prime Minister David Cameron hopes that by anonymizing NHS records and then allowing private firms access, medical breakthroughs and treatment options may proliferate. Advocates including Patient Concern and Big Brother Watch are skeptical that data will remain anonymous. Patient Concern says the data can be traced back to the individuals concerned and that patient consent should be required before records are shared. The proposal is to take effect December 14. 
Full Story

PRIVACY LAW—EU

Updated Directive Could Mean Hefty Fines for Some (December 5, 2011)

Financial Times reports that under the European Commission's update to the Data Protection Directive, companies found to have mishandled personal data could be fined up to five percent of their global turnover--which could mean billions in losses for some. The rules would apply to foreign companies' European subsidiaries as well. Companies that have experienced a breach would have 24 hours to notify authorities of the incident. The proposal--now reportedly being finalized--would also require companies with more than 250 employees to dedicate staff to data protection, the report states. 
Full Story

PERSONAL PRIVACY

Mobile Software Company To Face Suits, Inquiries (December 5, 2011)

After computer programmers discovered that CarrierIQ software--used by many smartphone service providers--logs users' keystrokes and other personal information, the company is facing four lawsuits and possible inquiries by the U.S. Federal Trade Commission (FTC), Department of Justice (DoJ) and Federal Communications Commission (FCC). CNET News reports that Rep. Edward Markey (D-MA) has asked for an FTC inquiry saying, "Consumers neither have knowledge of this data collection nor what Carrier IQ intends to do with this information." Meanwhile, Consumer Watchdog says probes by the DoJ and FCC should "extend beyond the software developer" to include operating systems, carriers and device manufacturers. Mobile phone carriers and makers were questioned in Germany after the discoveries surfaced, and regulators in the U.K., France, Ireland and Italy are reviewing whether the software is used in their jurisdictions.
Full Story

HEALTHCARE PRIVACY—U.S.

There’s an App for That, But It Could Be Risky (December 5, 2011)

Medical apps for smartphones are increasingly popular, but they come with risks, NPR reports. That's because medical apps aren't covered by U.S. healthcare privacy law, which means that those with access to a customer's medical information can do with it as they please. "It just depends on the company. It's really a customer-beware atmosphere," said Deven McGraw of the Center for Democracy and Technology, adding, "They are offering to store and share some pretty sensitive information." 
Full Story

ONLINE PRIVACY—U.S.

The Pros and Cons of Five Proposed Solutions (December 5, 2011)

Amidst an abundance of news coverage on large-scale data breaches, a paidContent report outlines five popular proposals--with pros and cons for each--to give consumers control over their personal information online. The highlighted solutions include class-action lawsuits, technological tools, federal legislation, privacy as a market commodity and industry self-regulation. "An effective solution to the privacy problem will be based on a combination of measures," the report states. "In doing so, everyone--consumers, companies and government--will have to agree on an approach that restores privacy protections without also harming innovation."
Full Story

DATA LOSS—U.S.

Contra Costa Patients Notified About Breach (December 5, 2011)

In California, Contra Costa County officials have begun notifying thousands of county hospital patients that their personal information was exposed in a breach, Contra Costa Times reports. The county published the names of more than 5,000 patients in a public document--the Health Services Write-Off Report--that was posted to the Internet. Patients' financial records and other personal information also were included in the report. The data has since been redacted, according to County Administrator David Twa. "It's not the public's right to know that," Twa said.  
Full Story

PERSONAL PRIVACY

Mobile Software Company Faces Scrutiny (December 2, 2011)
Smartphone software maker CarrierIQ has said in a statement that it does monitor all keystrokes on mobile devices but only for "legitimate purposes," thinq.co.uk reports. The company said its "software does not record, store or transmit the contents of SMS messages, e-mail, photographs, audio or video." In an open letter to the company, U.S. Sen. Al Franken (D-MN) queried why the application "captures a broad swath of extremely sensitive information from users that would appear to have nothing to do with diagnostics," adding, "These actions may violate federal privacy laws...This is potentially a very serious matter." The company has asserted that it has not breached any "wiretap laws." France's data protection authority has said in an e-mail that it is also investigating the matter. Meanwhile, companies including Google, Apple and Microsoft are distancing themselves from the software, and phone carriers that use CarrierIQ say they do not collect users' personal information.

SOCIAL NETWORKING—EU & U.S.

French Advocates File Complaint Against Facebook (December 2, 2011)

The French online consumer rights group Internet Sans Frontières has filed a complaint with the CNIL against Facebook, claiming unfair data collection and retention practices, reports ZDNet France. The organization says the company collected users' data without prior notice and consent--using "zombie" cookies and facial recognition, among other methods. The complaint also points to data retention periods and claims users are prevented from deleting their data. The group says the agreement between the U.S. Federal Trade Commission and Facebook is not sufficient to ensure compliance with EU data protection rules since the commitment of Facebook to obtain consent from Internet users arrives too late and because the audit schedule--every two years--does not match the high speed of social networking innovations. (Article in French.)
Full Story

PRIVACY—AUSTRALIA

Technology Changes, Privacy Pillars Remain The Same (December 2, 2011)

Speaking at the iappANZ Privacy Summit this week, Microsoft Chief Privacy Officer Brendon Lynch, CIPP, said that while the technology landscape may be shifting, the fundamentals of privacy remain constant, iTWire reports. "Privacy is about the appropriate collection, use and protection of personal information," Lynch said. Privacy's core concepts are about empowering individuals with control over the use of their information, transparency and choice, he added. Meanwhile, eBay Global Privacy Leader Scott Shipman, CIPP, has warned that banks using mobile applications and social networking to engage customers should be careful. "When you change how you use information, you have to be able to communicate that clearly to the customer and make sure that they're comfortable with how you've done that," he said.
Full Story

PRIVACY LAW—ITALY

Google Appeal Soon To Begin (December 2, 2011)

Bloomberg reports that Google plans to "begin an appeal as soon as January of a conviction by an Italian court of two managers and a former executive for violating privacy laws." The case stems from an incident where Turin students uploaded a video to a Google site showing them bullying a classmate. In February of 2010, a Milan judge found three Google executives guilty of privacy violations. Each received a suspended sentence. Google announced at the time that it would appeal.
Full Story

CHILDREN’S PRIVACY—EU

Coalition Created To Protect Children Online (December 2, 2011)

Reuters reports on a coalition that includes the European Commission and 28 technology companies--including Apple, Facebook, Google, BSkyB, BT, Deutsche Telekom, Nintendo, Nokia and Orange--working together to better protect children on the Web with such initiatives as an age-based privacy ratings system. Announcing the coalition's creation on Thursday, European Commissioner Neelie Kroes said, "This new coalition should provide both children and parents with transparent and consistent protection tools to make the most of the online world."
Full Story

HEALTHCARE PRIVACY—U.S.

Study: Healthcare Breaches Increasing (December 2, 2011)

Healthcare data breaches have increased by more than 30 percent and could be costing the healthcare industry $6.5 billion annually, Dark Reading reports. That's according to the Ponemon Institute's "2011 Benchmark Study on Patient Privacy and Data Security," which found that the main reason for such breaches is employee error. The rise in breaches is also due to improved breach detection capabilities, according to the institute's founder, Larry Ponemon, CIPP. Of the organizations surveyed for the report, 96 percent had experienced a data breach in the last two years. "Small leaks can become big leaks pretty easily," Ponemon said.
Full Story

CHILDREN’S PRIVACY—U.S.

Dear Santa, Please Don’t Misuse My Data (December 2, 2011)

The Better Business Bureau and the Children's Advertising Review Unit (CARU) are advising parents to carefully review "Dear Santa" websites before allowing their children to write letters to Santa, reports The Augusta Chronicle. All sites directed toward children should have a privacy policy, says CARU, and the policy should contain the name and contact information of the company and information on how the company will use consumers' data. The report outlines tips offered by CARU on how to vet and use sites, including limiting the amount of data children share with Santa and checking for inappropriate content or links to inappropriate content on the site.
Full Story

PERSONAL PRIVACY

Hidden Rootkit Software Fuels Privacy Debate (December 1, 2011)
Several programmers have discovered a hidden software application on Android-based HTC phones that logs a wide range of detailed information about a user's activities, Network World reports, prompting Sen. Al Franken (D-MN) to demand answers from the software maker. The software is called CarrierIQ and has been termed by one expert a "classic rootkit" that lets carriers locate and correct performance issues on the cell phones but can also monitor key presses, locations and received messages of its users without notification.

PRIVACY LAW—U.S.

Rosen on Technological Challenges to Constitutional Law (December 1, 2011)

In an interview on NPR's "Fresh Air," George Washington University Law Prof. Jeffrey Rosen discusses current and future technologies and how they do or could challenge constitutional law--particularly the Fourth Amendment. Calling the Supreme Court case United States v. Jones potentially "the most important privacy case of the decade," Rosen equates deciding the constitutionality of warrantless GPS tracking to the leap "Justice Brandeis took in the 1920s when the court decided for the first time the constitutionality of wiretapping." Rosen also touches on the role major online tech companies play in determining what content falls within constitutional rights to free expression, saying, "At the moment, lawyers at Facebook and Google and Microsoft have more power over the future of privacy and free expression than any king or president or Supreme Court justice."
Full Story

PRIVACY LAW—U.S.

Administration, Advocates Concerned About Cyber-Sharing Bill (December 1, 2011)

A bill introduced Wednesday by the House Intelligence Committee that has strong support from the telecommunications industry is being met with concerns from the Obama Administration and privacy advocates, The Washington Post reports. The Cyber Intelligence Sharing and Protection Act of 2011 would exempt "private firms from liability" if they share such data as IP addresses detected in hacking incidents with the government, the report states. The bill's sponsors envision such options as sharing information about cyber threats with ISPs. However, a White House spokeswoman has said, "The administration will not support anything that does not include a customized set of requirements for privacy protection." (Registration may be required to access this story.)  
Full Story

PRIVACY LAW—U.S.

Supreme Court Grapples with “Harm” in Pilot Case (December 1, 2011)

CNN reports on the Supreme Court case involving a pilot who filed a lawsuit against federal agencies for disclosing his medical records during a fraud investigation. In FAA v. Cooper, Stanmore Cooper claims mental and emotional distress over government agencies' data-sharing practices. Justices grappled Wednesday with whether Cooper's claims of harm are covered under the Privacy Act. The Justice Department argued that though Cooper may have suffered "an adverse effect," he didn't necessarily suffer "actual damages" under the Privacy Act. But one justice said Congress likely intended the act to allow for emotional distress suits, since that is the kind of harm most characteristic of privacy violations. A ruling is expected in the spring.
Full Story

PRIVACY LAW—EU & U.S.

European Companies Wary of USA PATRIOT Act (December 1, 2011)

EurActiv.com reports on the current discussions between the European Union and the U.S. about cloud service providers and the role of the USA PATRIOT Act. Many EU companies are reluctant to use U.S.-based cloud providers, fearing that their data could come under the auspices of U.S. law. EU Vice President Viviane Reding, who has been in talks with U.S. Attorney General Eric Holder, says she has been reassured by the U.S. that it will "seek assistance from member states using existing police and judicial cooperation channels." Yet, several European cloud service providers do not want to follow the U.S. legislation at all. Meanwhile, two Swedish companies have banded together to offer a "fully European Database-as-service solution."
Full Story

PRIVACY LAW—U.S.

Trade Group Questions Settlement (December 1, 2011)

Responding to the recent privacy settlement between the Federal Trade Commission (FTC) and Facebook, a trade group representing companies such as Google and Microsoft has questioned the length of time of required privacy audits, The Hill reports. Computer & Communications Industry Association President Ed Black said, "Regardless of the merits of this latest settlement, we have some concern that the 20-year oversight provisions seem to be becoming the norm. This may be unnecessarily long when dealing with dynamic companies that have competitive reasons to be responsive to the privacy demands of their customers." Many lawmakers have applauded the settlement, however, including Rep. Mary Bono Mack (R-CA), who said that "in many ways, this settlement clearly demonstrates that the privacy debate in Washington remains unresolved."
Full Story

PRIVACY

Expert: Attorneys Increasingly Important in Breach Responses (December 1, 2011)

Data breaches are all about reputational risk, says Hunton & Williams Managing Partner Lisa Sotto in this BankInfoSecurity podcast. Attorneys play increasingly integral roles in data breach responses, Sotto says, including deciding what steps must be taken beyond a jurisdiction's data breach notification mandates. "The law only requires that an entity notify those who had sensitive information compromised, like Social Security numbers. But now we know other things, like e-mail addresses, can lead to compromise through social engineering and phishing," Sotto says.
Full Story

ONLINE PRIVACY—U.S.

Opinion: Mobile Call Act Would Be an “Abomination” (December 1, 2011)

In a feature for Reuters, John C. Abell writes about HR 3035, known as the "Mobile Informational Call Act of 2011," that would "permit informational calls to mobile telephone numbers and for other purposes" through an "automatic telephone dialing system." While suggesting the likelihood of the bill's passage is small, Abell writes that "the mere attempt to start this conversation...has sparked outrage from the privacy and personal space crowd," adding that given the varied uses of mobile phones, "whatever the prospects for HR 3035, this is a defining moment in the relatively young history of the mobile Internet."
Full Story