Privacy News | Daily Dashboard

Top Privacy News

PRIVACY LAW—U.S.

Mobile Software Could Prompt Federal Bill (January 31, 2012)
CNET News reports on a draft bill currently being circulated in the House of Representatives that would give the Federal Trade Commission (FTC) regulatory powers over "monitoring software" installed on mobile devices. Introduced by Rep. Ed Markey (D-MA), the Mobile Device Privacy Act comes after last year's discovery of controversial mobile software made by California-based Carrier IQ.

DATA PROTECTION—EU

EDPS Releases Compliance Benchmarks (January 31, 2012)

In response to a survey revealing shortcomings in data protection compliance, European Data Protection Supervisor (EDPS) Peter Hustinx has established "benchmarks" to help EU bodies meet compliance standards, Out-Law.com reports. Hustinx said he is "concerned that not all EU institutions and bodies are performing as well as they should...Implementation of data protection principles is not only a matter of time and resources but also of organizational will." The strictness of the "benchmarks" varies according to the institution, the report states. While all organizations must appoint a data protection officer (DPO), bodies created in the past year must submit to the EDPS the DPOs' "implementing rules." More established institutions, such as the European Commission, will be given much stricter requirements.

ONLINE PRIVACY

Google Defends Privacy Changes (January 31, 2012)

Politico reports that a letter from Google's director of public policy to U.S. lawmakers states that recent changes to the company's privacy policy will not affect users' current privacy settings, and users will continue to be able to control how their personal data is tracked and collected. According to the letter, the company believes "the relevant issue is whether users have choices about how their data is collected and used," and it has built in meaningful controls. Meanwhile, in the United Kingdom, two Google executives explained to a joint parliamentary committee why the company failed to take down certain images exposed in the News of the World scandal.

DATA PROTECTION

Industry Group Set To Fight Phishing E-mails (January 31, 2012)

In an attempt to reduce the number of phishing scams, several e-mail providers and financial organizations, among others, are banding together to create an environment where consumers can feel secure about whether a message is authentic, The Wall Street Journal reports. Companies such as Yahoo, Google, Microsoft, PayPal and Bank of America have joined a group of 15 businesses to form DMARC.org. The goal is to promote technology standards that will help secure e-mails, the report states, and would include digital signatures and policies guiding e-mail providers to detect authentic messages. One representative from the messaging industry said, "If you are a big bank or a retailer, you have a very strong interest in making sure people trust your messages" and added that DMARC "has a lot of promise." (Registration may be required to access this story.)

DATA PROTECTION—U.S.

Illinois AG Publishes Guidance (January 31, 2012)

Illinois Attorney General Lisa Madigan has issued a guide on how businesses can protect themselves from Internet security breaches, reports the Associated Press. Released to mark Data Privacy Day on Saturday, the guide suggests that businesses collect only the data they need and "thoroughly" train employees. Madigan warns in the guide that while customer data can be breached through hacking incidents, "low-tech carelessness with documents" is also a culprit, and businesses have a legal responsibility to protect that data.

DATA LOSS—U.S.

Healthcare Facilities, School Report Breaches (January 31, 2012)

Three healthcare facilities and a university are reporting data breaches. Kentucky's Lexington Clinic sent letters last week alerting 1,018 patients that a laptop was stolen from the clinic on December 7 and asking that those affected watch for signs of identity theft, Kentucky.com reports. In New York, a burglar stole two laptops that contained 640 patient records--including some Social Security numbers--from a doctor's office. In California, the names and Social Security numbers of nearly 400 hospital employees were posted to a public website. The incident occurred in 2007 but was not remedied until last month. In Maryland, a state audit recently revealed that the public could access the Social Security numbers of thousands of prospective students on a University System of Maryland server.

DATA LOSS—UK

ICO Fines Council £140,000 (January 30, 2012)
In response to five separate data breaches involving children's social service reports, the Information Commissioner's Office (ICO) has fined Midlothian council £140,000, The Guardian reports. In each case, the highly sensitive data of children and their caretakers was sent to the incorrect recipients. The ICO found that all five incidents, which occurred between January and June 2011, could have been prevented if the council had stronger data protection policies as well as employee training in place, the report states.

EMPLOYEE PRIVACY—U.S.

FDA Workers Sue for Unlawful Monitoring (January 30, 2012)

Six scientists and doctors are suing the Food and Drug Administration (FDA) for violating their constitutional right to privacy after discovering the agency had been monitoring their e-mails for two years, reports The Washington Post. The FDA intercepted communications between the employees and members of Congress, including drafts of whistleblower complaints; took screenshots of their desktops, and monitored personal e-mail accounts accessed through their work computers. The FDA posts a warning at start-up on all company computers stating employees "should have 'no reasonable expectation of privacy,' in any data passing through or stored on the system," the report states. However, some experts say the issue at hand is whether the monitoring was legal and what level of monitoring is reasonable. (Registration may be required to access this story.)

PRIVACY LAW—IRELAND & EU

Judge: Must Directive Comply With Human Rights Law? (January 30, 2012)

The Irish High Court has asked the European Court of Justice (ECJ) to clarify the country's legal ability to require telecommunications providers to retain data on users as stated in the EU Data Retention Directive. The Journal reports that one judge has also questioned the ECJ on whether the implementation of the directive must fall in line with the European Convention on Human Rights in order to be fully compatible with EU law. Laws that breach the human rights convention can be appealed to the non-EU institution, the European Court of Human Rights, and if violations are found, countries can be ordered to change their laws.

PRIVACY LAW—U.S.

Connecticut AG Reaches AVC with MetLife (January 30, 2012)

The attorney general and the consumer protection commissioner of Connecticut have reached an agreement with MetLife over a 2009 breach incident involving the disclosure of customers' personal data, Hunton & Williams' Privacy and Information Security Law Blog reports. As part of the Assurance of Voluntary Compliance (AVC), the insurance company has agreed to pay a $10,000 civil penalty, reimburse consumers who paid to freeze their credit files as a result of the incident and update employee training materials to prevent publishing Social Security numbers online.

ONLINE PRIVACY

Alternative to the Privacy Policy, An Avatar? (January 30, 2012)

The problem with privacy policies, say many experts, is that people don't read them, and while the broad privacy policy is important--forcing companies to think about how they treat information and providing accountability, notes director of the Future of Privacy Forum Jules Polonetsky--a San Francisco Chronicle report explores other options, including restricting the collection and sharing of personal information and the privacy icon. Ryan Calo of Stanford's Center for Internet and Society suggests the appearance of an avatar when Internet users are being tracked or monitored might be an appropriate solution, citing studies that show people are more likely to pay for coffee on the honor system when a picture of eyes is nearby. "Experience as a form of privacy disclosure is worthy of further study before we give in to calls to abandon notice," he says.

PRIVACY LAW—U.S.

Hawaii Drops ISP Data Retention Bill (January 30, 2012)

Legislators in Hawaii dismissed a bill last Thursday that would have required Internet service providers to collect the surfing histories of individuals in the state and store them for up to two years, Computerworld reports. HB 2288 drew criticism from privacy advocates and industry groups. Electronic Frontier Foundation Activism Director Rainey Reitman said the bill would have infringed "on the privacy of hundreds of thousands of Hawaiian citizens as well as any tourists who used Internet services while visiting the Aloha state," and the U.S. Internet Service Provider Association said the bill raised "myriad privacy concerns."

BIOMETRICS—INDIA

UIDAI Refutes Data Vulnerability Concerns (January 30, 2012)

The Unique Identification Authority of India (UIDAI)--the governing body for India's unique ID program--has refuted the home ministry's argument that the biometric data it collects could be misused or leaked. UIDAI says the data "cannot be accessed even by the operator," reports India Today. The UIDAI report states that the biometric data collected is immediately encrypted and cannot be decrypted by anyone other than UIDAI's server. "None of the automatic biometric identification systems have access to residents' information," the report states, and the original biometrics are archived and stored offline.

PRIVACY LAW—U.S.

Opinion: GPS Ruling Too Narrow (January 30, 2012)

The recent Supreme Court ruling that police violated the Constitution when they tracked a suspect's vehicle for 28 days without a warrant left too many questions unanswered. That's according to an editorial from The New York Times that says the U.S. v. Jones decision did not answer, for example, "how long this kind of surveillance can go on before requiring a warrant or what types of crimes justify GPS monitoring," or how the rules would apply if police used a technology other than a GPS to track a suspect.

HEALTHCARE PRIVACY—U.S.

BPC Releases Health IT Recommendations (January 30, 2012)

The Wall Street Journal reports on the release of a new report by the Bipartisan Policy Center (BPC) Health Project. According to the report, "The task force spent six months working collaboratively to forge consensus around a set of recommendations for the most effective use of health IT dollars to support new models of care that improve quality and health and reduce costs." In addition to providing recommendations for improving the use of electronic health records, the task force--headed by former Sens. Tom Daschle (D-SD) and Bill Frist (R-TN)--says there are obstacles to their effective use. The barriers include a lack of health information exchange for hospitals and doctors to share patient records, limited "consumer engagement using electronic tools" and consumer concerns about privacy and security. (Registration may be required to access this story.)

INFORMATION ACCESS—U.S.

Brill To Brokers: Give Consumers Access To Their Data (January 27, 2012)
Federal Trade Commissioner Julie Brill has called on data brokers to increase transparency by giving consumers access to data collected about them and correcting inaccuracies, reports National Journal. Brill said data brokers need to provide more information to consumers on what is being done with their data by developing a "one-stop shop" for consumers to gain access to that information.

PRIVACY LAW—EU & U.S.

U.S. Diplomat, Others React to New EU Regulation (January 27, 2012)

An American official said yesterday that the U.S. will carefully examine the data protection regulation proposed by the European Commission this week, AFP reports. Speaking with reporters in Brussels, U.S. Coordinator for International Communications and Information Policy Philip Verveer said it will be important to try and "avoid a situation where there are requirements that may unnecessarily add to compliance costs or administrative costs that will diminish the efficiency with which services can be rendered." The new framework has elicited reaction from many stakeholders. In Politico, Tony Romm said the proposals "laid down markers for two critical policy battles this year: One between regulators in Washington and Brussels, the other pitting privacy hawks against Internet giants."

PRIVACY LAW—U.S.

Hawaii Sees First Data Breach Settlement (January 27, 2012)

The University of Hawaii has settled a class-action lawsuit filed after data breaches that involved nearly 100,000 students, faculty, alumni and staff, the Associated Press reports. The agreement is the first data breach settlement in Hawaii and the largest class-action filed or settled in Hawaii, according to one plaintiff's attorney. The university will provide two years of credit protection services and says it will continue to "work diligently so that the chance of future data breaches is significantly reduced," university officials and attorneys said. The settlement is still subject to court approval, the report states.

SOCIAL NETWORKING—U.S.

Facebook, State File “Spammers” Suit (January 27, 2012)

Reuters reports that the world's largest social networking site and the state of Washington have filed a lawsuit over a practice known as "clickjacking" or "likejacking," where Facebook users are tricked into visiting ad sites and sharing their personal information. The scam is then spread to users' friends, the report states, and "has grossed $1.2 million a month for the Delaware-based firm, Adscend Media, according to the state attorney general's office." The lawsuit is believed to be the first of its kind, the report notes, and a Facebook attorney said, "It's important to stay a step ahead against spammers and scammers."

INFORMATION ACCESS—UK

ICO: Customers Denied Access to Their Data (January 27, 2012)

Information Commissioner Christopher Graham has raised concerns that many consumers are denied access to the information that various organizations hold about them and is launching the Access Aware campaign in an effort to change that. Complaints about mishandled access requests accounted for 38 percent of his office's caseload in the past financial year, the report states, with the financial, healthcare and law enforcement sectors generating the most complaints. "Organizations that handle personal information need to remember that customer records are not simply their property--the individuals who do business with them also have rights," Graham said.

ONLINE PRIVACY

Intel Offers Book Download for Data Holiday (January 27, 2012)

In recognition of Data Privacy Day, Intel is offering free downloads of a book on privacy and social media. Written by Stanford business school student Matt Ivester--who previously founded gossip website juicycampus.com--LOL...OMG describes why individuals need to protect their privacy in their use of social media and provides practical steps on how to do so, according to Intel's Director of Security Policy and Global Privacy Officer David Hoffman, CIPP/US. The book is especially relevant for older high school and college students but is "an entertaining read that offers excellent practical advice on how to use technology to defend your online reputation" for any age, Hoffman says.

ONLINE PRIVACY

Davos Delves Into Big Data, Privacy (January 26, 2012)
At the World Economic Forum in Davos, Switzerland, the big topic is "lots of data," reports Nick Bilton of The New York Times. "Chancellors, bankers and educators meeting at the conference are being asked to discuss what the forum calls a growing data deluge and how to manage it," Bilton writes, adding "the discussion of privacy is not far behind."

PRIVACY LAW—U.S.

Subcommittee To Discuss Amendment to Video Rental Law (January 26, 2012)

At a Senate Judiciary Subcommittee on Privacy, Technology and the Law hearing next week, Netflix will testify on the law preventing it from sharing information on users' video rental histories. In addition to Netflix representatives, University of Minnesota Law School Prof. William McGeveran and EPIC's Marc Rotenberg will testify on the Video Privacy Protection Act. A recent amendment to the law--which has passed the House Judiciary Subcommittee on Intellectual Property--would allow rental companies to share users' movie preferences on sites such as Facebook, The Hill reports. Though the amendment would still require user consent for such sharing, that consent would be ongoing rather than per rental.

GENETIC PRIVACY—U.S.

Parents Bring Class-Action Against Minnesota (January 26, 2012)

Plaintiffs in a class-action lawsuit filed against the state of Minnesota, its Department of Health and the health commissioner claim that the state violated its own Genetic Privacy Act by "collecting, storing and disseminating their children's genetic information without informed consent," reports Courthouse News Service. The suit claims that after testing blood samples taken from infants under Minnesota's newborn screening program, the state retained the samples and "disseminated the genetic information and conducted tests and research on the genetic information belonging to numerous other persons in Minnesota" without consent. The Genetic Privacy Act, enacted in 2006, states that genetic information can only be used in ways an individual has consented to, according to the report.

DATA LOSS—U.S.

VA Analyzing How Many Veterans’ Data Exposed (January 26, 2012)

The Department of Veterans Affairs (VA) has announced that it accidentally handed over the data of living veterans when complying with a Freedom of Information request from Ancestry.com for data from a database of deceased veterans, reports Federal Times. On Wednesday, the VA said the data of 2,257 living veterans had been identified in the database, but that number could potentially grow to more than 4,000, according to VA Chief Information Officer Roger Baker. The data included names, Social Security numbers, dates of birth and military assignments. The VA is continuing to analyze the data and offering a year of free credit monitoring to all those affected. (Registration may be required to access this story.)

PRIVACY LAW—U.S.

Third-Party Provision of Mass. Law Effective Soon (January 26, 2012)

Companies storing the personal data of Massachusetts residents have just over one month to comply with the last provision of the Massachusetts data protection law, CIO reports. The law took effect in 2010 and requires companies storing such data to have certain controls in place, including encrypting data and implementing written data protection policies. The last provision takes effect March 1 and will require all companies storing data on Massachusetts residents to "have specific language in third-party contracts that obligates their vendors to employ reasonable measures for protecting personal information," the report states. One expert suggests companies should also include language allowing for third-party audits.

FINANCIAL PRIVACY—U.S.

Bank To Pilot New Discounts Service (January 26, 2012)

Bank of America (BoA) is moving toward the business of offering consumers targeted online discounts, Reuters reports. This week, the bank is testing a new service to allow customers to save money based on their purchase histories. In BankAmeriDeals, customers will receive offers through the company's online banking website and receive cash rewards once a month. BoA will not share the information with third parties, a company spokesperson said. The plan comes as banks try to recover revenue after new regulations were imposed that limit the fees banks can charge per debit card swipe. BoA will test the program on its workforce in February.

PRIVACY LAW—U.S.

Hawaii Legislature Weighs IP Tracking Bill (January 26, 2012)

CNET News reports on a Hawaiian bill introduced last week that would require any company that "provides access to the Internet" to create "virtual dossiers" of state residents. Introduced by Rep. John Mizuno (D-Oahu), H.B. 2288 would mandate that providers track "Internet destination history information" and "subscriber's information"--including name and address--and retain the data for two years. According to the report, the bill does not include provisions for privacy protections, third-party data use, warrantless access by authorities or security protections like encryption. One software designer said of the bill, "I assume it's to make the data available to be subpoenaed when the state is pursuing people suspected of serious crimes, but I haven't heard anything from the representatives themselves."

ONLINE PRIVACY—EU

Kroes: Do-Not-Track Standards Deadline Approaches (January 26, 2012)

In a speech earlier this week, European Commissioner Neelie Kroes reminded Internet companies to establish a do-not-track (DNT) system by June of this year, Out-Law.com reports. Speaking at a World Wide Web Consortium (W3C) meeting and echoing demands made in June of last year, Kroes said, "Do-not-track today is still an aspiration rather than a reality...we need to act fast to turn do-not-track into a reality for all web users." Draft plans for DNT were also unveiled at the W3C event. Kroes added, "When providers receive do-not-track signals from their users, how they need to respond may be different depending on whether the user is in Europe, the U.S. or wherever...So the system will need to adapt flexibly, depending on the jurisdiction in question." 

ONLINE PRIVACY

Google Revises Privacy Policy, U.S. Rep. Has Questions (January 25, 2012)

The Wall Street Journal reports on Google's revisions to its privacy policy, suggesting the changes could make it more difficult for online users to remain anonymous. The new policy indicates Google's decision to start combining the information it collects on an individual user to provide better services to customers, according to the company. "We'll treat you as a single user across all our products, which will mean a simpler, more intuitive Google experience," said Alma Whitten, director of privacy. The changes take effect March 1. U.S. Rep. Ed Markey (D-MA) said such changes deserve evaluation and raise questions about data use. (Registration may be required to access this story.)

SOCIAL NETWORKING

Facebook Exec: “Right Regulatory Environment” Needed (January 25, 2012)

Facebook Chief Operating Officer Sheryl Sandberg spoke Tuesday at a technology conference amidst discussions of the EU's revised privacy rules, highlighting the type of reactions "global technology companies doing business in Europe are expected to raise against the looming data protection regulation," The New York Times reports. "We want to make sure we have the right regulatory environment--a regulatory environment that promotes innovation and economic growth," Sandberg said. The Wall Street Journal, meanwhile, suggests Sandberg is asking whether the EU's call for a "right to be forgotten" and other data protection provisions is worth potentially jeopardizing €15.3 billion in economic impact. (Registration may be required to access this story.)

DATA PROTECTION—U.S.

Senator, Advocacy Group Push for National Legislation (January 25, 2012)

Sen. Patrick Leahy (D-VT) is urging his colleagues to pass a national data breach notification law, The Hill reports. Ahead of Saturday's Data Privacy Day, Leahy issued a statement that the law is needed now more than ever, citing recent high-profile breaches involving e-commerce and government firms, the report states. "Even as the Internet and other rapidly advancing technologies spur economic growth and expand opportunity, there is growing uncertainty and unease about how Americans' sensitive personal information is collected, shared and stored," said Leahy. Meanwhile, Consumer Watchdog has called on President Barack Obama to endorse privacy legislation and support "do not track."

PRIVACY LAW—U.S.

Judge: Encrypted Hard Drives Not Constitutionally Protected (January 25, 2012)

A federal judge in Colorado ruled earlier this week that a defendant whose encrypted laptop may have evidence against her in a mortgage scam case is not protected by the Fifth Amendment, CBS News reports. Judge Robert Blackburn has ordered the Colorado woman to decrypt her computer's hard drive no later than February 21 or possibly face contempt of court, the report states. Lawyers for the defendant have argued that sharing her password would be an instance of self-incrimination--a violation of the Fifth Amendment--but Judge Blackburn said, "I find and conclude that the Fifth Amendment is not implicated by required production of the unencrypted contents" of the computer.

PRIVACY LAW—NORWAY

DPA Bans Public-Sector Use of Google Apps (January 25, 2012)

The data protection authority (DPA) of Norway has issued a public-sector ban on Google Apps because, according to the Financial Times, the service could potentially put citizens' data at risk. Norway's DPA ruled that the service did not comply with the nation's privacy laws due to insufficient information about where user data was stored. The move comes shortly after Google signed its largest-ever contract with Spanish bank BBVA. Last year, a Danish school was banned from using the service for similar reasons. Meanwhile, the German government is drafting stricter data protection and storage rules, and the French government has set up a venture to promote French-based cloud services. (Registration may be required to access this story.)

ONLINE PRIVACY—U.S.

Anonymous Claims Credit for Hacking FTC Site (January 25, 2012)

MSNBC reports that hacker group Anonymous has claimed credit "for hacking a Federal Trade Commission (FTC) website as part of a continuing attack on government and private industry sites in retaliation for possible anti-piracy legislation in Congress." The Next Web reports that the attack has resulted in a "range of data about the site, including contact details of FTC officials, published on the page." The FTC confirmed the attack on its OnGuardOnline.gov site via Twitter, the report states, and has said it "takes this malicious act seriously," adding the site will be "brought back up when we're satisfied that any vulnerability has been addressed."

MOBILE PRIVACY—EUROPE

Company Investigating Possible Breach (January 25, 2012)

European mobile operator O2 is investigating accusations that it shares customers' numbers with websites they visit through its mobile data network, paidContent reports. A web systems administrator noticed the issue, the report states, and set up a website to show users what information O2 is allegedly passing along during visits. One privacy advocate suggests that sharing such information could mean a "very serious breach," while the UK Information Commissioner's Office has said that while sharing a mobile number on its own may not mean a breach, "when it is coupled with any other identifying information, it can constitute a data breach," the report states.

PRIVACY LAW—U.S.

Opinion: SCOTUS Ruling No Warrantless Tracking Death Knell (January 25, 2012)

A blog post in The Wall Street Journal analyzes the implications of the Supreme Court's ruling this week on warrantless GPS tracking. Since the court ruled that authorities violated the Fourth Amendment, the column queries, "is this the death knell for warrantless location tracking? Not so much." The ruling "is relatively limited" because it asserts that the suspect's property was intruded upon when the device was placed on the vehicle, but as technology advances, authorities will have greater means to survey individuals without intruding upon a suspect's property. According to the column, justices appear to be prepared to tackle that issue. Justice Samuel Alito said, "the use of longer term GPS monitoring in investigations of most offenses impinges on expectations of privacy," while Justice Antonin Scalia said that electronic surveillance "may be...an unconstitutional invasion of privacy." Meanwhile, in a blog post, Philip Gordon questions what the ruling will mean for private employers. (Registration may be required to access this story.)

European Commission Publishes New Framework on Data Protection (January 25, 2012)
A new regulation and directive set out new landscape

As anticipated, and just days before Data Protection and Privacy Day, the European Commission has released its proposal to reform the European Union’s data protection framework. The reform—which takes shape via a regulation on data protection and a directive “protecting personal data processed for the purposes of prevention, detection, investigation or prosecution of criminal offences”—comes after years of public consultations and dialogue with stakeholders.

“There is quite a buzz in Brussels today,” said IAPP Europe Managing Director Rita Di Antonio.

European Justice Commissioner Viviane Reding held a press conference at 10:30 CET to announce the changes. She said the proposals will improve the protection of Europeans’ personal data, reduce administrative burdens and save companies’ money.

The legislation defines personal data as “any information relating to an individual, whether it relates to his or her private, professional or public life,” including posts to social networking websites and computer IP addresses.

Eduardo Ustaran, CIPP/E, partner at Field Fisher Waterhouse LLP, said the proposal “is the most radical global attempt ever to regulate the increasing exploitation of personal information.”

The changes create “a single set of European rules—valid everywhere across the EU,” Reding said in the press conference. “So, one rule for the 27 member states and the 500 million people.”

The new regulation sees national data protection authorities as the go-to regulators for organizations, meaning that an organization will only have to work with one DPA rather than many, or, as Reding described it in her press conference, “One DPA for one company—a one-stop shop.”

She said this will eliminate unnecessary administrative burdens and costs to companies incurred as a result of the current need to deal with varying rules and authorities among member states. “This will save businesses around 2.3 billion euros per year,” Reding said.

Other facets of the regulation include:

A breach notification mandate: In the event of a serious breach, organizations must notify the national supervisory authority “as soon as possible (if feasible within 24 hours).”

Increased enforcement powers for data protection authorities: DPAs will be able to fine organizations that violate the rules up to €1 million or “up to 2 percent of the global annual turnover of a company.”

A data protection officer requirement:...

Framework Strengthens Privacy, Worries Business (January 24, 2012)
The European Union's proposed new data protection framework--due for release tomorrow--could include strengthened privacy protections for individuals and serious implications for Internet companies trading in personal information, The New York Times reports. The reforms--including harmonization of the 27 EU Member States, the "right to be forgotten," mandatory breach notification and robust financial penalties for privacy violations--have some technology firms concerned about the reach of the new legislation.

DATA LOSS—U.S.

Utility Companies Report Unauthorized Access (January 24, 2012)

New York State Electric & Gas and Rochester Gas and Electric have announced that a consulting firm hired by the utilities allowed unauthorized access to customer accounts. The Rochester Democrat and Chronicle reports that the information breached included Social Security numbers, dates of birth and the bank account numbers of some of the utilities' customers. While there is no evidence of misuse, the companies are offering free credit monitoring to all affected customers and have set up a help line, and the New York Public Service Commission is conducting an investigation into which customers were affected and the cause of the breach.
Full Story

CONSUMER PRIVACY—U.S.

FTC and CFPB To Coordinate Efforts (January 24, 2012)

The Federal Trade Commission (FTC) and Consumer Financial Protection Bureau (CFPB) have signed an agreement to work together to protect consumers in an effort to eliminate duplication of efforts. In a press release, Richard Cordray, the newly appointed director of the CFPB, said, "We are both motivated by the same thing: To do right by consumers," adding that the agreement "is important to making sure markets for consumer financial products are getting efficient and effective federal government oversight." According to the agreement, the agencies will consult on rulemaking and guidance, cooperate on consumer education efforts and inform each other prior to an investigation or enforcement action.
Full Story

PRIVACY LAW—U.S.

Experts: GPS Ruling To Enhance Citizens’ Rights (January 24, 2012)

The U.S. Supreme Court's recent decision to require police to obtain a warrant before placing GPS on automobiles will "broadly enhance Americans' electronic privacy rights," experts say. CNET News reports on this week's United States v. Jones decision in which nine justices agreed that Antoine Jones's Fourth Amendment rights were violated when police placed a GPS on his Jeep to monitor the vehicle's movements, asserting that such tracking constitutes a "search." Such reasoning suggests that police would also need warrants to search mobile devices such as cell phones, says an attorney for the Center for Democracy and Technology.
Full Story

ONLINE PRIVACY

TRUSTe Receives $15M Toward Growth (January 24, 2012)

TRUSTe, an online privacy solution provider, has secured $15 million from investors to boost its technology platform, VentureBeat reports. The company will also use the funding to "expand its global presence by addressing the increased data privacy challenges across the world," the report states. The company aims to facilitate online commerce by simplifying privacy, making such interactions safe for consumers and advertisers.
Full Story

PRIVACY LAW—U.S.

Supreme Court Rules Police Need Warrant for GPS Tracking (January 23, 2012)
The Supreme Court has ruled that police must obtain a search warrant before using GPS technology to track criminal suspects, The Washington Post reports. All nine justices agreed that Antoine Jones's Fourth Amendment rights were violated when police placed a GPS on his Jeep to monitor the vehicle's movements, asserting that such tracking constitutes a "search." Jones's drug conspiracy conviction had been overturned because police did not have a warrant when they placed the GPS, but the government asserted that Jones didn't have a reasonable expectation of privacy because he was tracked on public streets.

PRIVACY LAW—EU

Reding Previews Framework Ahead of Wednesday’s Release (January 23, 2012)

At an event in Munich on Sunday, European Commission Vice President Viviane Reding previewed elements of the bloc's new proposed data protection framework, which will be published on Wednesday, The Wall Street Journal reports. The new regulation, which will replace the Data Protection Directive, will include a breach notification mandate, a so-called right to be forgotten and new powers to fine companies that violate the rules, among other provisions. Reding says in the data-as-currency digital market, "Only if consumers trust that their data is well protected will they continue to entrust businesses and authorities with it, buy online and accept new services." (Registration may be required to access this article.) Editor's Note: The IAPP will host a Web conference to discuss the new regulation shortly after its release.
Full Story

HEALTHCARE PRIVACY—U.S.

Suit Filed Over Unauthorized File Views (January 23, 2012)

A man is suing the West Virginia University Medical Corporation for negligence after an employee accessed his medical records on three separate occasions, The Record reports. According to the complaint, the man received a letter in 2009 stating that his records had been accessed without authorization by an employee of the corporation, and he claims the incident caused him emotional distress and embarrassment. The corporation, operating under the name University Health Associates, violated HIPAA laws by failing to protect the man's data from such unauthorized access, the suit alleges. The man seeks compensatory damages.
Full Story

PRIVACY LAW—FRANCE

Court Upholds Search and Seizure of E-Mails (January 23, 2012)

The French Court of Cassation has upheld an appeals court ruling that dismissed claims that an investigation by the French Competition Authority violated Janssen-Cilag employees' rights to privacy, secrecy of correspondence and protection of personal data. The appeals court ruled that the unlimited search and seizure carried out by the authority was exempt from the French data protection law under the French Commercial Code, which grants the authority "the power to inspect the premises of a company suspected of anti-competitive practices and to search and seize all company documents and information that may be relevant to an investigation," reports the Hunton and Williams Privacy and Information Security Law Blog.
Full Story

HEALTHCARE PRIVACY—U.S.

Should Americans Move to Unique Health Identifiers? (January 23, 2012)

Is it time for every American to be assigned a unique healthcare identification number? That's the question The Wall Street Journal (WSJ) examines in a recent article on the pros and cons, noting the U.S.'s shift from paper to electronic records. Proponents of universal patient identifiers (UPIs) say they are the most efficient way to connect patients to their medical data, the report states, and also will help to connect doctors and information flows. But privacy advocates say medical data is already collected and sold to marketers without patient consent and UPIs would only make that easier, among other concerns. The WSJ is now taking a reader poll on the topic. (Registration may be required to access this story.)
Full Story

TRAVELERS’ PRIVACY—EU & U.S.

Article 29 WP Responds to Recent PNR Draft (January 23, 2012)

In an open letter to the members of the LIBE Committee of the European Parliament, the Article 29 Working Party (WP) acknowledges that modest improvements have been made to the latest draft of the EU-U.S. Passenger Name Records (PNR) agreement, but says many of its concerns stand. The WP says that it has not received evidence proving the agreement is warranted in the first place and goes on to outline its concerns, including uncertainty about how the U.S. Department of Homeland Security is allowed to use PNR data, the 15-year data retention term, the masking--and not deletion--of sensitive data and whether the access and redress mechanisms are in line with EU laws.
Full Story

PRIVACY LAW—U.S.

AG Sues Debt Collector for Patient Privacy Violations (January 20, 2012)
CBS News reports that Minnesota Attorney General Lori Swanson has sued a debt collection agency for allegedly violating state and federal health privacy laws, state debt collection laws and consumer protection laws. According to the suit, Accretive Health, a debt collector that works with hospitals, accessed medical information through its relationship with two Minneapolis hospitals, used the data to score patients on their likelihood of future hospitalization and then shared that information with its investors--all without patient consent.

BEHAVIORAL TARGETING—U.S.

Thai 4 Two: Will the Right Ads Find You? (January 20, 2012)

The Digital Advertising Alliance (DAA) today unveiled a campaign designed to raise awareness about targeted advertising, The New York Times reports. The campaign strives to show the benefits of targeted advertising and bring attention to the triangular icon the group introduced in 2010 to give Internet users more information about the goings-on behind advertisements and let them opt out of behavioral ads. The icon was created to answer calls for more industry-wide self-regulation when it comes to online privacy. With today's rollout of the campaign, DAA counsel Stu Ingis says, "We're on record as publicly committing to the Federal Trade Commission, to members of Congress and to consumers that education is a key component to a lot of the uses of data." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Company, Mobile App Developers Defend Practices (January 20, 2012)

MediaPost News reports that Apple wants a federal judge to dismiss a lawsuit filed by iPhone and iPad users who allege that their privacy was violated when the devices' unique identifiers were shared with app developers and their affiliates. Last year, a class-action lawsuit was filed on similar grounds but was dismissed because users did not prove harm. In the latest case, plaintiffs claim that, had they known the data would be shared, they would not have paid as much for the devices and that the transfer of the data--including gender, age and searches performed--consumed battery power, storage and bandwidth. Apple says its privacy policy states it has the "right to collect, use and transfer" the data. Meanwhile, mobile developers call the new suit "an amorphous policy critique and generalized grievance about the core business model of the mobile application industry as a whole..."
Full Story

HEALTHCARE PRIVACY—AUSTRALIA

E-Health Record System Gets Upgrade (January 20, 2012)

To help upgrade the Healthcare Identifier service, Medicare will be granted $34 million, which will also allow it to create a PCEHR (Personally Controlled Electronic Health Record) system. Privacy groups have voiced concern over "greater data linkages" between federal agencies, including Medicare and Human Services, The Australian reports. The department, thus far, has not heeded calls by Privacy Commissioner Timothy Pilgrim to take "a unified approach to privacy protections" and "streamline operation across the patchwork of jurisdictional health and privacy legislation," the report states. However, according to the department's submission, "Instead of overriding local privacy laws, the bill will allow existing laws to operate wherever they are not inconsistent with the PCEHR legislation." (Registration may be required to access this story.)
Full Story

CLOUD COMPUTING—U.S.

Officials Defend Commitment to Privacy in the Cloud (January 20, 2012)

Senior U.S. officials spoke to reporters on Wednesday seeking to allay fears surrounding the protection of data held in cloud data centers. Network World reports that Deputy Assistant Attorney General Bruce Swartz underscored the Justice Department's "core belief in the importance of protecting citizens from government intrusion," saying that protections provided under U.S. regulations are equal to those in Europe. Swartz highlighted longstanding cooperation between the U.S. and Europe on computer security issues, saying the USA PATRIOT Act has not fundamentally changed how the government approaches "the issues of stored data," but European concerns over government access under the act continue.
Full Story

PERSONAL PRIVACY

Opinion: Defining Privacy in the Digital Age (January 20, 2012)

In a column for The Huffington Post, 15-year-old high school freshman Susannah Meyer explores the implications of privacy in the digital age. "Now, as rapid technological advances are being made," she writes, "the right to privacy is questionable, in my opinion." An individual's personal record is now much more permanent, yet, "every day, people all over willingly write down personal information on a website, just for convenience, discounts and other benefits, even though those benefits may later be outweighed," she says, adding, "in this way, online data presents itself as a privacy minefield." Beyond the Internet, location-based services, digital parking meters and security cameras are constantly recording people's movements, prompting Meyer to query, "is it fair that, as technology improves, our rights to privacy dissipate?"
Full Story

PRIVACY LAW—CANADA

Ontario Court Creates Privacy Tort (January 19, 2012)
The Ontario Court of Appeal has recognized a common law tort for invasion of privacy, which allows individuals to sue others who invade their privacy, reports The Globe and Mail. The three-judge panel unanimously agreed that the case--in which a bank employee snooped on the financial records of her common-law spouse's ex-wife to find out how much child support she was receiving--was in need of a "legal remedy." Justice Robert Sharpe wrote, "it is appropriate for this court to confirm the existence of a right of action for intrusion upon seclusion."

PRIVACY LAW—U.S.

Lawsuit Filed Following Breach (January 19, 2012)

A Texas woman is suing two online retailers alleging harm from the release of millions of users' personal information following a server hack, reports The Washington Post. The lawsuit, filed in Kentucky this week and seeking class-action status, alleges that Zappos--and therefore its parent company, Amazon--violated the Fair Credit Reporting Act and seeks damages for emotional distress and loss of privacy as well as a court order for the company to offer credit monitoring and identity theft insurance to those affected. The suit also seeks an order for mandatory audits to ensure customer data protection in the future. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

If You Love Me, You’ll Give Me Your Password (January 19, 2012)

The New York Times reports on a new trend among young people as a way to express affection: sharing passwords. Young boyfriends and girlfriends are increasingly sharing them--at the risk of harm following a breakup, such as the dissemination of private e-mails or scorned exes sending messages under each other's identities. A 2011 survey by the Pew Internet and American Life Project found that 30 percent of teenagers who regularly use the Internet had shared a password with a friend, boyfriend or girlfriend, and girls were almost twice as likely as boys to share, the report states. "It's a sign of trust," one teen said of sharing with her boyfriend. "I have nothing to hide from him, and he has nothing to hide from me." (Registration may be required to access this story.)
Full Story

HEALTHCARE PRIVACY—U.S.

Expert: InfoSec Staff Professionalism Helps Protect Data (January 19, 2012)

Ali Pabrai, a California-based health IT consultant, recommends that hospital IT departments increase the professionalism of staff assigned to protect and secure data, FierceHealthIT reports. Pabrai recommends that CIOs "take a deeper look at the skills, the knowledge (of) your information security officer, across the security professionals that may be within the IT department." In addition to implementing stronger encryption and authentication procedures, Pabrai says hospitals should consolidate audit logs to ensure that they know when data has been misplaced, breached or abused. Meanwhile, a nurse was fired after viewing patient records without authorization. Her case has been referred to the Texas Board of Nursing, according to The Daily Tribune.
Full Story

ONLINE PRIVACY—AUSTRALIA

Watchdogs: Don’t Respond to Cyber Attackers (January 19, 2012)

After a series of denial-of-service attacks on Australian businesses, the Computer Emergency Response Team (CERT Australia) and the Australian Federal Police (AFP) are telling companies to report cyber attacks immediately and not to respond to attackers, reports The Sydney Morning Herald. One company's website was shut down by millions of Web requests, and shortly afterwards, the managing director received an e-mail asking for money in order to stop the attack. It is unknown whether other companies received similar demands. CERT Australia is working with affected businesses.
Full Story

DATA PROTECTION

Research: Users Voting With Their Feet on Privacy (January 19, 2012)

PC PRO reports on new research indicating that customers abandon websites that "hide data rules or leak information." The Forrester research found that customers are increasingly reading company policies on how their data is handled and "voting with their feet if they didn't like what they saw." The survey questioned 37,000 North American customers and found that more than 55 percent of respondents over age 55 said they had decided not to complete an online transaction with a company because of something in its privacy policy, up from 40 percent in 2008. Overall, 44 percent reported they have left a site because of privacy concerns, up from 38 percent in 2008. Older users tended to walk away more than younger ones, the survey found.
Full Story

PRIVACY LAW—HUNGARY & EU

EC Launches Proceedings Against Hungary (January 18, 2012)
European Voice reports that the European Commission (EC) has begun infringement proceedings against the Hungarian government over three laws that took effect January 1 and are considered by the commission to violate EU law. One of the laws in question pertains to the independence of the country's data protection authority. EC President José Manuel Barroso announced the legal challenge in Strasbourg on Tuesday. The Hungarian government has until February 17 to respond.

PRIVACY LAW—U.S.

President Obama Opposes SOPA, PIPA (January 18, 2012)

Forbes reports on the Obama administration's opposition to the Stop Online Piracy Act (SOPA) and the Protect IP Act (PIPA). A White House release said, "Any provision covering Internet intermediaries such as online advertising networks, payment processors or search engines must be transparent and designed to prevent overly broad private rights of action that could encourage unjustified litigation that could discourage startup businesses and innovative firms from growing." Rep. Darrell Issa (R-CA), chairman of the House Oversight and Government Reform Committee, postponed a hearing that would have brought in cybersecurity experts and Internet entrepreneurs because he felt, according to The Miami Herald, that lawmakers have begun taking note of the bill's opponents. Issa said, "Much more education for members of Congress about the workings of the Internet is essential if antipiracy legislation is to be workable and achieve broad appeal."
Full Story

PRIVACY LAW—U.S.

SCOTUS To Hear E-Filing Privacy Lawsuit (January 18, 2012)

The Supreme Court of the United States will decide whether the government is liable for an e-filing glitch that reportedly exposed an attorney's credit card expiration date, Courthouse News Service reports. After using his credit card to pay an e-filing fee, attorney James Bormes received a confirmation with the expiration date from the government's pay.gov system. Bormes filed a class-action lawsuit claiming the incident violates the Fair Credit Reporting Act. Originally dismissed by a federal judge, the case was revived by the Federal Circuit after Bormes filed an appeal.
Full Story

DATA LOSS—U.S.

Judge Sentences Data Thief to 13 Months (January 18, 2012)

After pleading guilty to charges of hacking his former employer's database, stealing patient data and deleting it from the company's system, Eric McNeal was sentenced to 13 months in prison, three years of post-release supervision and 120 hours of community service, reports Information Week. McNeal downloaded the names, telephone numbers and addresses of patients of perinatal practice APA and used them to carry out a direct marketing campaign for his current employer--a competitor of APA. One cybersecurity expert says this highlights the importance of having and enforcing exit strategies for employees, including "cutting off the employee's access to all of the company's databases..."
Full Story

DATA LOSS—UK

ICO Takes Action Following Breach (January 18, 2012)

The Information Commissioner's Office (ICO) has taken action against a healthcare provider following a data breach, Computer Business Review reports. In August, Praxis Care Limited lost an unencrypted memory stick containing sensitive patient information, breaching the UK Data Protection Act and the Isle of Man Data Protection Act. The 160 individuals affected have been notified, and the company has not received any complaints so far, the report states. Praxis Care Limited has agreed to ensure that all portable media devices are encrypted and not to retain unnecessary data. It has also updated its data security guidance, the report states.
Full Story

DATA LOSS

Customers React To Breach Responses (January 18, 2012)

Highlighting individual consumer experiences, The New York Times delves into the ongoing string of online data breaches, saying, "The attacks point to an unsettling new world in which even the supposed stalwarts of the Internet...cannot seem to keep personal information safe." Commonly, company breach response plans amount to telling consumers they are responsible for protecting their data, the report states. One Internet expert says the recent breaches have the potential to cause consumers to lose confidence in Internet commerce. One woman--whose data has been breached three times in 2012 alone--says, "Companies have to do a better job protecting our privacy." The report notes that a White House initiative, the National Strategy for Trusted Identities in Cyberspace, is working to help online organizations adopt higher standards for verifying users and storing data. (Registration may be required to access this story.)
Full Story

DATA LOSS

Analysts React to Zappos Breach Response (January 18, 2012)

PCWorld reports on Zappos' response to its recent breach affecting 24 million customers. The online shoe retailer notified affected customers via e-mail and has asked them to change passwords after discovering a hacker had gained unauthorized access to company servers containing names, e-mail addresses and billing addresses. But some analysts say that the company's response was the wrong one, and that deleting 24 million customer passwords makes the company look like it's in panic mode. Another expert and Zappos customer, however, says data encryption should have been more broadly applied because the "definition of what is sensitive is changing. It's not just card numbers anymore..."
Full Story

DATA PROTECTION—U.S.

Expert: Privacy Law Eventually, But Not Today (January 18, 2012)

WebProNews reports on the impending reports due from the Commerce Department and the FTC. Jules Polonetsky, CIPP/US, of the Future of Privacy Forum says it's likely that someday, the U.S. will have a privacy law. "The question is whether it's gonna be a good one. If we are able to craft privacy law that supports innovation and gives users more protection, we'll win," he said. The Commerce Department framework would likely encourage companies to develop rules for their industries, potentially enforced by the FTC's Safe Harbor rules. In the meantime, "Any company that wants to avoid legislation ought to be really pushing to show how it is self-regulating," said Polonetsky.
Full Story

HEALTHCARE PRIVACY—U.S.

Hospital Cyber Insurance Use on the Rise (January 18, 2012)

Healthcare providers are increasingly purchasing cyber insurance, FierceHealthIT reports. According to Okemos President and CEO Larry Harb, data breach insurance covers HIPAA fines, defense costs in litigation--including class-action lawsuits--as well as "third party liability." Harb added, "Every time there's a breach, more and more people jump onboard cyber insurance, because they say, 'This stuff can happen to me.'" Editor's Note: The IAPP Global Privacy Summit will include the breakout session, HIPAA and Beyond: The Evolving Landscape of Health Privacy.
Full Story

PRIVACY LAW—U.S.

Mass. Court: ZIP Code is Personal (January 17, 2012)
In a case against a major retailer, a Massachusetts court recently ruled that a ZIP code should be considered personal identification information under a state statute on security. In this IAPP Privacy Advisor article, Venkat Balasubramani of the firm Focal PLLC details the court's decision in Tyler v. Michaels Stores, Inc., and differentiates it from last year's California Supreme Court ruling in Pineda v. Williams-Sonoma.

HEALTHCARE PRIVACY—U.S.

HHS Head of IT Discusses the Work Ahead (January 17, 2012)

In an interview with HealthLeaders Media, National Coordinator for Health Information Technology Farzad Mostashari discusses his office's plans for the year ahead. "Adoption of meaningful use, information exchange and interoperability and maintaining privacy and security" top Mostashari's list of challenges, he said, noting that in order to be successful, "what has to be paramount for everybody is the shared responsibility of maintaining the privacy and security of those patient records." He says the cost-to-value ratio must change in order to get facilities on board with record exchange programs, as well as "creating the preconditions for trust to emerge...People trust their doctors, and one of the things they trust their doctors for is to keep their record secure."
Full Story

PRIVACY LAW—U.S.

Lawmakers Aim To Postpone PIPA Vote (January 17, 2012)

In a letter to Senate Majority Leader Harry Reid (D-NV), six senators asked that the Protect IP Act (PIPA) vote be postponed until the bill is more thoroughly analyzed and debated, COMPUTERWORLD reports. The letter cites "possible unintended consequences of the proposed legislation, including breaches in cybersecurity," among others. One provision of particular concern would require U.S. Internet service providers and search engines to block access to foreign sites that sell counterfeit products and infringe on copyrighted material by using DNS filtering. Sen. Patrick Leahy (D-VT), the bill's sponsor, has asked for a more detailed evaluation of the provision. Meanwhile, President Barack Obama's IP, technology and cybersecurity chiefs wrote, "While we believe that online piracy by foreign websites is a serious problem that requires a serious legislative response...we will not support legislation that reduces freedom of expression, increases cybersecurity risk or undermines the dynamic, innovative global Internet."
Full Story

PRIVACY

Google Launches Educational Campaign (January 17, 2012)

Google will launch a new ad campaign designed to alleviate privacy concerns, reports the Los Angeles Times. The Good to Know campaign will encourage individuals to protect their personal information online and will appear in two dozen U.S. newspapers and magazines as well as in subways in New York and Washington, DC. "Given who we are, we have a strong incentive to make the Internet a place that people feel safe to do interesting things," said Alma Whitten, Google's director of privacy. The company launched the campaign in Britain in October. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Suit Filed, Questions Asked in Surveillance (January 17, 2012)

A privacy advocacy group has filed a suit to force the Department of Transportation to release its records on the use of drones in U.S. airspace in recent years, The Washington Post reports. "Drones give the government and other unmanned aircraft operators a powerful new surveillance tool to gather extensive and intrusive data on Americans' movements and activities," said an attorney for the Electronic Frontier Foundation. "As the government begins to make policy decisions about the use of these aircrafts, the public needs to know more about how and why these drones are being used to surveil United States citizens." Meanwhile, members of Congress are asking the Department of Homeland Security questions about a social media monitoring program. (Registration may be required to access this story.)
Full Story

BEHAVIORAL TARGETING

Do-Not-Track Option Released for Browser (January 17, 2012)

Privacy expert Jonathan Mayer of Stanford University has released a do-not-track extension for Google's Chrome browser allowing users to opt out of tracking by targeted advertising companies, reports PC Pro. While other browsers have had do-not-track mechanisms for "quite some time," Mayer says Google has declined thus far to add the feature to Chrome. The do-not-track initiative has been criticized for being unenforceable, among other reasons, and while Mayer acknowledges the criticism, noting that "websites have to add support for it," he says "that line has largely faded, partly because researchers have demonstrated again and again how Web measurement tools can catch bad actors."
Full Story

HEALTHCARE PRIVACY—U.S.

A Look Into Digitizing Health Records (January 17, 2012)

The New York Times reports on Epic Systems and the company's history of digitizing health records. Helping keep track of 40 million patient records, the organization supplies some of the largest healthcare providers with software, training and support. Judith Faulkner, Epic's chief executive, who serves as an industry representative on a government panel that is examining health data privacy and security issues, seeks a balance between privacy and easy access to patient records. "I'm worried if we put up too many barriers in order to make things private," she said, "and if that makes the flow of information slow and hard to share, in effect more people will be harmed." (Registration may be required to access this story.)
Full Story

DATA PROTECTION

Experts: Passwords Don’t Protect You (January 17, 2012)

Two researchers say that online passwords, while helpful for websites aiming to sign up millions of users, overlook "really scary and effective attacks." While password advice usually instructs users to choose something strong, memorable and a mix of numbers and letters, strong passwords aren't as important as they used to be, given more advanced hacking methods such as phishing and keylogging. Researchers Cormac Herley and Paul C. van Oorschot say in a new paper that the computer industry wrote off the significance of passwords a decade ago after Bill Gates said they'd become obsolete soon, so not enough work has gone into improving them and understanding how they get compromised, Wired reports.
Full Story

DATA LOSS

Breaches Hit Online Retailer, College (January 16, 2012)

The online shoe retailer Zappos is advising 24 million customers to change their site passwords after discovering unauthorized access to servers that contained names, e-mail addresses, billing and shipping addresses, phone numbers, partial credit card numbers and scrambled passwords, reports CNET News. "The database that stores our customers' critical credit card and other payment data was not affected or accessed," said CEO Tony Hsieh, who also notified all Zappos employees of the incident via blog post. Meanwhile, City College of San Francisco is notifying students, faculty and staff that widespread malware discovered on its system may have compromised their personal data, msnbc reports. "We looked in the system and discovered (viruses) all over the place," said Board of Trustees President John Rizzo.

PRIVACY LAW—EU

EC: New Framework on Track for January Release (January 16, 2012)

Despite reports last week warning of a possible delay to the release of the revised European data protection framework, a spokesman for EU Justice Commissioner Viviane Reding told Bloomberg that the framework will be published by the end of January. "The data protection reform is well on track for adoption by the commission by the end of January," Matthew Newman said. Editor's note: The IAPP will host a Web conference to discuss the changes shortly after the release of the new framework.
Full Story

HEALTHCARE PRIVACY—AUSTRALIA

APF Questions E-Health System (January 16, 2012)

The Australian reports on the Australian Privacy Foundation's (APF) Senate inquiry submission, which raises concerns about the nation's e-health system (PCEHR). APF Health Chair Juanita Fernando says in the submission that new technical specifications are being rushed in order to finalize the legislation. Calling it a "mash up," Fernando adds that the legislation "will diminish data confidentiality, integrity and availability, so that records stored in the system will provide an unreliable basis for medical care." Fernando added, "We are concerned that the bills do not embody informed consent arrangements and that citizens are not being advised by federal authorities about the breadth and depth of data Australian governments hold, use, disseminate and data-mine about individuals without consent." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—UK

Trust Challenges ICO Fine (January 16, 2012)

Saying that it was a "victim of a crime," Brighton and Sussex University Hospitals NHS Trust is challenging an Information Commissioner's Office (ICO) £375,000 fine over the theft of sensitive personal information, COMPUTERWORLD UK reports. At least 232 hard drives containing the data were stolen from the trust and sold for profit. "We subcontracted the destruction of these hard drives to a registered contractor, who subsequently sold them on eBay," said the hospitals' chief executive. "As soon as we were alerted to this, we informed the police and with their help we recovered all the hard drives stolen by this individual. We are confident that there is a very low risk of any of the data from them having passed into the public domain."
Full Story

CONSUMER PRIVACY—U.S.

FTC Expected To Expand Oversight (January 16, 2012)

After last year's settlements with Google, Facebook and Twitter, in 2012 the Federal Trade Commission (FTC) is expected to expand its probe into online consumer privacy--with a focus on mobile products and services, reports the San Francisco Chronicle. "We want to really get an understanding of what's happening with consumers' information," said FTC Commissioner Julie Brill in Palo Alto, CA, last week. Brill says she'd like to see tech companies working harder on consumers' behalf. "I would like to see us move to a place where it isn't so burdensome for consumers," said Brill, adding, "We want choices on the dashboard. But we also need to build some of the mechanisms under the hood so there are privacy protections that are built into products and services."
Full Story

PERSONAL PRIVACY

Opinion: Rosen Reviews Jarvis’s Public Parts (January 16, 2012)

George Washington University Law Prof. Jeffrey Rosen discusses the new book, Public Parts: How Sharing in the Digital Age Improves the Way We Work and Live, and the man behind it, for The Washington Post. Rosen says that while author Jeff Jarvis vigorously advocates for openness on the Internet, his actions with regard to his personal information speak otherwise. Pointing out Jarvis's refusal to share his browsing history because people may draw "unwarranted conclusions" about him that he cannot "see and correct or explain," Rosen writes, "he is happy to reveal personal details selectively when they serve his financial interests by creating an illusory bond with a faceless audience, but as soon as transparency threatens to embarrass him, he rediscovers the virtues of privacy." (Registration may be required to access this story.) Editor's note: Jeff Jarvis will deliver a keynote address at the IAPP Global Privacy Summit 2012.
Full Story

PRIVACY LAW—U.S.

EPIC Asks FTC To Investigate Search Engine (January 13, 2012)

The Electronic Privacy Information Center (EPIC) is asking the Federal Trade Commission (FTC) to investigate whether Google's new Search Plus function violates antitrust rules, CNET News reports. EPIC Executive Director Marc Rotenberg said, "We asked the FTC, as part of its current investigation of possible antitrust violations, to assess whether the changes in Google Search violate the consent order Google recently signed" with the FTC.

PRIVACY LAW—EU

Directive Finalization Possibly Delayed (January 13, 2012)

Out-Law.com reports that the finalized proposals to the EU data protection directive may be delayed until late February or early March. Originally slated for finalization by the end of January, EU Justice Commissioner Viviane Reding's spokesman, Matthew Newman, said that Reding "will make a protocol decision" by January 23 and will speak that same day in Munich outlining the reform's major components. "Because the legislative text is a regulation," Newman added, "it has to be very precise because it would be directly applicable to the Member States." Editor's Note: The IAPP will host a Web conference, "The New EU Data Protection Framework: Major Revisions Expected," upon the reform's release.
Full Story

PRIVACY LAW—U.S.

Legislators Seek Hearing on CarrierIQ (January 13, 2012)

Three U.S. lawmakers are seeking a Congressional hearing on the implications of the use of CarrierIQ software by wireless carriers, COMPUTERWORLD reports. Citing a letter sent by Reps. Henry Waxman (D-CA), G.K. Butterfield (D-NC) and Diana DeGette (D-CO) to the chairman of the House Energy and Commerce Committee, the report states the legislators are requesting an investigation of such data collection and transmission capabilities. "There continue to be many unanswered questions about the handling of this data and the extent to which its collection, analysis and transmission pose legitimate privacy concerns for the American public," the legislators wrote. Their letter follows concerns from two senators in December.
Full Story

GEO PRIVACY—THE NETHERLANDS

TomTom Gets Green Light from Dutch DPA (January 13, 2012)

The Dutch Personal Data Protection Agency (CBP) has cleared navigation device maker TomTom of claims that it violated data protection laws by collecting and selling user data without gaining customers' consent, reports Reuters. TomTom's head of privacy and information security, Simon Hania, said while the company sells aggregated, anonymous data, "it was confirmed by the CBP that we never have and we never will sell data from our individual users to anyone else, including governments and the police." Hania also said the company has amended its third-party contracts to limit the use of information it sells and will update the consent software on its products to ensure consumers know how the company uses their data.
Full Story

ONLINE PRIVACY—U.S.

Brill Discusses FTC Privacy Efforts (January 13, 2012)

In a recent talk at Stanford Law School, Federal Trade Commissioner Julie Brill discussed the commission's increasing involvement in online privacy--specifically the actions taken against Facebook, Google and Twitter and recent calls for sites to implement do-not-track features, reports The Stanford Daily. Brill calls the Facebook and Google settlements significant because, "for the first time, we are calling on companies...by order of us (the FTC), to institute a comprehensive privacy policy." Highlighting the settlement with Facebook, Brill noted that in the commission's eyes, "simply having something down somewhere in a very complicated document...will not absolve a company of potential problems" if consumers find their personal information used in unexpected ways.
Full Story

HEALTHCARE PRIVACY—U.S.

Opinion: HIPAA Requirement Would Mean More Suits (January 13, 2012)

A proposed amendment to the Health Information Portability and Accountability Act (HIPAA) would require that, upon request, healthcare providers share with patients the documentation of who has electronically accessed their records. HealthLeaders Media reports that one lawyer believes this change would bring an increase in privacy litigation. "If I'm a covered entity, I think this rule really does scare me from a litigation perspective and a compliance perspective," says Nathan Kottkamp, a partner at McGuireWoods. "It makes it that much easier to find a smoking gun demonstrating that your staff is not in compliance with HIPAA." While covered entities are currently required to keep track of access to personal health records, there is no requirement to share that information with patients.
Full Story

PRIVACY LAW—HUNGARY & EU

EC: Hungary Must Act Before Tuesday (January 12, 2012)

The Hungarian government must modify some of its new constitutional measures by Tuesday or face potential infringement proceedings by the European Commission (EC), European Voice reports. The commission is troubled by changes to Hungary's constitution that took effect on January 1 and may flout EU law. In particular, the independence of the country's data protection commissioner has come into question.

DATA LOSS—AUSTRALIA

Commissioner Investigating Breach at Bank (January 12, 2012)

The privacy commissioner is investigating a cybersecurity breach after bank customers were sent strangers' account data. ANZ Bank has shut down its online bank statement service after the incident, The Australian reports, which the bank became aware of on Monday while reinstating statements that were disabled after a different security bug last month. The bank says it will apologize to the 60 customers affected by the breach and will compensate those potentially affected by fraud. Privacy Commissioner Timothy Pilgrim says he is pleased the bank "promptly sought to notify affected customers." (Registration may be required to access this story.)
Full Story

BIOMETRICS—INDIA

UID Concerns Persist (January 12, 2012)

The Times of India reports that activists and experts are echoing the recommendations of the Parliamentary Standing Committee on Finance (SCF) objecting to the Unique Identification (UID) project. "It violates citizens' basic and constitutional right to privacy because collecting biometric information of an individual was limited to criminals," said Gopal Krishna of Citizens Forum for Civil Liberties. The report also references concerns from a biometrics expert on how such information is "vulnerable to exploitation." And Sunil Abraham of the Centre for Internet and Society, Bangalore, has raised concerns about the lack of privacy laws, noting, "The UID project was allowed to march on without any protection being put in place."
Full Story

CONSUMER PRIVACY

Polonetsky: Consumers Need To Think About Data (January 12, 2012)

In an interview with The Washington Post, Jules Polonetsky, CIPP/US, director of the Future of Privacy Forum, discusses the privacy challenges that come with the new breed of "smart" devices and appliances. Tech companies are collecting behavioral data on users to offer better services, create efficiencies and target advertising, among other uses, and while tech companies say they are committed to protecting that data, some are concerned about the lack of regulation requiring it. "Consumers need to think more about how their data is being sent outside the home in more ways than ever and not get caught off guard when that data lands in the hands of unintended third parties," Polonetsky says. (Registration may be required to access this story.) Editor's Note: Polonetsky will present in the breakout session, "ABCs of OBA," at this year's IAPP Global Privacy Summit.
Full Story

PERSONAL PRIVACY

Searls: Goodbye Data Collection, Hello Intention Economy (January 12, 2012)

In the Harvard Business Review, tech guru Doc Searls says the age of collecting data on customers is over. The intention economy will soon arrive, he says, and it will render unnecessary the mining and amassing techniques companies have used to get to know their customers better. "Businesses soon will no longer own the data...customers will." Searls says when this happens, vendors will realize greater benefits than they do now because when customers own and control their data, "demand will drive supply more efficiently than supply currently drives demand. Customers not only will collect and manage their own data but will be equipped with tools for declaring their intentions directly to the whole marketplace."
Full Story

PRIVACY LAW—ISRAEL

Opinion: Ounce of Prevention Worth a Pound of Cure (January 12, 2012)

Recent cyber attacks on Israeli websites have the authors of a Jerusalem Post op-ed calling now an opportune time to begin "public debate, and hopefully some legislative follow-up," on the need for a data breach notification law in Israel. Referencing laws in other regions across the globe, the authors say a notification law would not only allow consumers to take steps to protect themselves after a breach but also would motivate companies to better protect consumer data to avoid the reputational and financial costs of a breach. While some organizations claim implementation is cost-prohibitive, the authors point to a survey showing that 92 percent of data breaches could have been detected and prevented by "simple, intermediate controls."
Full Story

DATA LOSS—UK

ICO Serves Intent To Fine £375,000 (January 11, 2012)

The Information Commissioner's Office (ICO) has served an NHS Trust with a notice of intent to fine, The Argus reports. The fine follows an ICO investigation into the theft of 232 hard drives from Brighton General Hospital. The drives contained the private medical data of tens of thousands of patients. They were sold on eBay, and the purchaser notified the trust, which recovered the data.

DATA THEFT—CANADA

Stolen Devices Contained Unencrypted PII (January 11, 2012)

The theft of laptops and mobile devices containing sensitive information of approximately 11,700 University of Victoria employees has prompted an investigation by British Columbia's Office of the Information and Privacy Commission to determine whether the school had appropriate levels of data security in place when the incident occurred, The Victoria Times Colonist reports. Some of the devices contained employee names, payroll information and social insurance numbers dating back to January 2010. A police officer familiar with the incident said the stolen electronic devices were not encrypted. "In terms of British Columbia," said Privacy Commissioner Elizabeth Denham, "this is a large breach of sensitive information."
Full Story

DATA LOSS—CHINA

Four Detained, Eight Punished In Hacking Incident (January 11, 2012)

Last month, hackers infiltrated a popular social networking site and a programmers' site exposing the information of six million users and undermining trust in China's Internet security, Reuters reports. Amid the actual breaches, rumors of attacks on other websites surfaced online--many of which turned out to be fictitious. Chinese authorities have detained four people and punished eight after an investigation showed nine cases of reselling user data and three cases of "fabricating and promoting speculation of data leaks," the report states.
Full Story

PRIVACY LAW—UK

Online Retailers Told To Prepare for EU Cookie Rules (January 11, 2012)

COMPUTERWORLD UK reports on recommendations to online retailers to "act now to address new EU cookie legislation" before the Information Commissioner's Office (ICO) begins enforcing the law later this year. One expert suggests that not to act early will have a negative impact on customers' online experiences and marketers' optimization efforts. "Finding out which approach works and assessing the right wording and design elements will be a critical part of ensuring ICO demands are met without affecting the bottom line," said Peter Ellen of website testing company Maxymiser, adding that must be done now "so the results can be acted on before May 2012."
Full Story

DATA PROTECTION—U.S.

Study: Data Recovery Outsourcing Weak Link (January 11, 2012)

According to a study conducted by the Ponemon Institute, organizations need to improve their vetting of third-party data recovery services. Among the respondents whose companies suffered a data breach, 21 percent said the event occurred when a hard drive was outsourced to a third-party data recovery service provider, InfoWorld reports. "Trends in Security of Data Recovery Operations" surveyed 769 IT specialists--the majority of whom report to a CIO or CISO--across industry sectors in the U.S., including healthcare, financial and government. Ponemon recommends that companies develop policy guidelines when selecting a provider; institute training programs for employees, and ensure the provider's employees are trained in leading encryption products, among others.
Full Story

PRIVACY LAW—CANADA

Advocates: Stronger Law, Fining Powers Needed (January 11, 2012)

A public interest advocacy group says proposed changes to the Personal Information Protection and Electronic Documents Act (PIPEDA) don't go far enough in requiring organizations to report breaches, reports the Financial Post. The Public Interest Advocacy Centre says PIPEDA--even with the proposed changes--gives organizations the ability to unilaterally deem a breach not harmful to consumers, adding, "The result is likely to be a vast underreporting of serious data breaches." The group is calling for all breaches to be reported to the "relevant privacy commissioner," who would then decide whether the public should be notified. Echoing Privacy Commissioner Jennifer Stoddart's calls, the group would also like to see fines assessed to organizations that don't report breaches.
Full Story

ONLINE PRIVACY

Google Searches May Include Google+ Info (January 11, 2012)

Google search results will now include photos and commentary from its Google+ social network, the Huffington Post reports. "The Internet search leader eventually hopes to know enough about each of its users so it can tailor its results to fit the unique interests of each person looking for something," the report states, in what the company has described as "the new era of social and private data search." The new feature, which was rolled out on Tuesday, will be the default "for all English-language searches made by users logged into Google," the report states, but can be turned off permanently with a settings change or on a per-case basis via an icon.
Full Story

FINANCIAL PRIVACY—U.S.

Banks Unite To Fight Cyber Threats (January 10, 2012)

In light of recent large-scale cyber attacks, financial firms are taking steps to unite against hackers and prevent online theft. The Wall Street Journal reports that, together with the Polytechnic Institute of New York University, some Wall Street financial firms are discussing the creation of a new center that would help detect potential attacks, and Bank of America (BOA) has begun quarterly roundtables hosting experts from other banks to discuss possible solutions to cybersecurity threats.

SOCIAL NETWORKING—U.S.

Lawmakers Say Social Network’s Response is Lacking (January 10, 2012)

Two lawmakers are not impressed with Facebook's recent response to their inquiry over the company's online tracking practices, The Hill reports. Citing the company's recent application for a U.S. patent that would allow for tracking methods and Chief Privacy Officer Erin Egan's recent response to the lawmakers' inquiry on the topic, Reps. Ed Markey (D-MA) and Joe Barton (R-TX) say they are dissatisfied. "Facebook seems to be saying one thing and doing another," Barton said, while Markey added that he remains "concerned about unanswered questions about how Facebook uses consumers' personal information" and plans "to follow up with Facebook on this matter and work with my colleagues in Congress to investigate."
Full Story

PRIVACY LAW—EU

EDPS Releases 2012 Priorities (January 10, 2012)

European Data Protection Supervisor (EDPS) Peter Hustinx today released a strategic planning document for the upcoming year in the area of legislative consultation. Noting that 2012 will be a demanding year, Hustinx said, "The EDPS will face the challenge of fulfilling an ever-increasing role in the legislative procedure and at the same time guarantee high-quality and well-appreciated contributions to it with limited resources." Among the major issues of strategic importance for the EDPS are the revision of the EU data protection framework; technological developments in the digital agenda, IP rights and the Internet; continued development of the area of freedom, security and justice, and financial sector reform, according to an EDPS press release.
Full Story

PRIVACY LAW—U.S.

Court: Song-Beverly Does Not Apply Online (January 10, 2012)

Morrison & Foerster reports on a U.S. District Court's dismissal of two cases that raised the question of whether the Song-Beverly Credit Card Act applies to online transactions, referencing last year's decision by the California Supreme Court in Pineda v. Williams-Sonoma, which found that ZIP codes are "personal identification information" for the purposes of the Song-Beverly Credit Card Act. The court dismissed cases related to collecting personal information for online transactions and self-service video rental kiosks. The court found that the law's language "contemplates 'pen and paper' transactions, rather than 'electronic entry of numbers on a keypad or touchscreen' and thus does not apply to online transactions," the report states.
Full Story

HEALTHCARE PRIVACY—U.S.

Opinion: Time To “Walk the Walk” on EHR Security (January 10, 2012)

Deven McGraw of the Center for Democracy and Technology writes for iHealthBeat that while many Americans support the use of electronic health records, significant data security concerns remain. "Building and maintaining public trust in health IT and health information sharing will be critical to leveraging their benefits to improve individual and population health," writes McGraw. The Office of the National Coordinator for Health IT and the Department of Human Services need to take "big, concrete steps" toward a comprehensive privacy and security policy and framework, McGraw adds. She recommends preliminary steps including acting on the policy committee's recommendations, releasing the final HITECH modifications to HIPAA and issuing the Nationwide Health Information Network Governance rule.
Full Story

PRIVACY LAW—U.S.

Class-Action on Breach Fails To Move Forward (January 10, 2012)

A class-action lawsuit filed in December after a breach involving the personal information of 16,000 UCLA Health System patients has failed to move forward, The Daily Bruin reports. Legal representation for the University of California Board of Regents has not responded since the complaint was filed, the report states. The suit alleges that the board violated California's Confidentiality of Medical Information Act by not protecting patient information and allows for $1,000 in damages per occurrence to each patient. The breach involved the burglary of a hard drive at a physician's home, which resulted in the loss of patient names, birth dates, addresses and medical record numbers.
Full Story

DATA PROTECTION

Opinion: How To Handle a Third-Party Breach (January 10, 2012)

The key to mitigating risk when it comes to using third-party vendors and contractors is a close working relationship, opines Adam Ely for Dark Reading. When a breach does occur, it is essential to understand the incident, assess damage and establish a plan of action, he writes. Within the working contract, there should be language on an organization's rights. "The trickiest part is timing. Disclose too early and you risk communicating bad or incomplete information. Wait too long and the public will balk at you for waiting so long," he writes, adding that, typically, earlier is better when it comes to breach reports.
Full Story

SOCIAL NETWORKING—U.S.

EPIC Asks FTC To Investigate “Timeline” (January 9, 2012)

Forbes reports on concerns from the Electronic Privacy Information Center (EPIC) that Facebook's "Timeline" redesign could violate the social network's recent settlement with the Federal Trade Commission (FTC). EPIC is asking the FTC to investigate, questioning if "reducing 'privacy through obscurity' is a privacy violation," the report states.

DATA THEFT—ISRAEL

Officials: Cyber Attack Is An Act of Terrorism (January 9, 2012)

Reuters reports on comments made by Israeli government officials who have said that the recent cyber attack that exposed the personal data of Israeli citizens is a form of terrorism and will be countered. A 19-year-old hacker from the United Arab Emirates is said to have perpetrated the breach that affected as many as 400,000 Israeli citizens, including the exposure of approximately 25,000 credit card numbers. Deputy Foreign Minister Danny Ayalon said that a cyber attack of this magnitude is "comparable to a terrorist operation, and must be treated as such," adding that the incident may have been carried out by a group "more organized and sophisticated...than a lone youth." Government officials and credit card companies have said the overall financial damage thus far has been minimal, the report states.
Full Story

FINANCIAL PRIVACY—U.S.

Restaurant Tells Credit Card Cos. “Prove It” In Suit (January 9, 2012)

Restaurant owners Stephen and Cissy McComb are suing their credit card processing bank after it collected fines claiming that the couple violated industry data-handling rules. Bloomberg reports that the couple is suing USBancorp, saying there is no proof that customer data was stolen from their restaurant and industry contracts are unfair. The couple says Bancorp took money from their accounts to pay for loss claims without giving them an opportunity to prove they were not at fault, and two investigations showed no evidence of hacking. According to one expert, the dispute highlights merchants' dissatisfaction with the industry. "This case has the potential to send the message that merchants can stick up for themselves in these relationships."
Full Story

DATA LOSS—U.S.

Online Breach Affects School Employees (January 9, 2012)

As many as 4,289 individuals may have had their personal information compromised after it was discovered that the Spotsylvania County school system's tax information was accessible online, Fredericksburg.com reports. An employee discovered the breach after accessing her W-2 form through a Google search. Employee names, addresses, Social Security numbers, salary earnings and taxes paid are all included on the forms. School officials did not inform the affected employees until 13 days after the issue was discovered but have since begun notifying employees by mail.
Full Story

PERSONAL PRIVACY—BRAZIL

Opinion: Pregnancy-Registration Violates Privacy (January 9, 2012)

A new law passed on December 27 intends to help quell Brazil's high maternal mortality rate by requiring all pregnant women to register their pregnancies with the state, but according to a Slate.com blog, the law will do little to that end and instead violate a woman's rights "by the compulsory government registration to control and monitor her reproductive life..." The law sets out to ensure pregnant women receive proper access to quality healthcare; however, citing strong ties between the country's president and the Catholic Church, and enacting the law during the holiday season without congressional approval, the author questions the motives behind the law.
Full Story

DATA LOSS

Hackers Allegedly Access Sensitive Server Data (January 9, 2012)

A group of hackers claims it has stolen the source code to antivirus software company Symantec's flagship product, eWEEK reports. The group calls itself the Lords of Dharmaraja and claims to have breached an Indian military server and stolen documents, posting excerpts from some of them to prove their legitimacy--including an internal document discussing the application programming interface for one of the company's products. One expert says that more important than the stolen source code is the fact that there's a group breaching military servers, which could "prove harmful to cooperation between public and private sectors." Symantec has neither confirmed nor denied the attack.
Full Story

PRIVACY LAW—U.S.

Company Settles with FTC Over Data Collection (January 6, 2012)

A rebate company has agreed to settle privacy charges with the Federal Trade Commission (FTC), MediaPost News reports. Upromise has agreed to destroy data collected on about 150,000 Web users between 2005 and 2010, to clearly disclose its data collection practices and to inform users on how to remove its toolbar, the report states.

PRIVACY LAW—U.S.

Court To Decide on Forcing Unencryption (January 6, 2012)

U.S. District Court Judge Robert Blackburn is expected to rule soon on whether a defendant will be required to give up her encryption password, thereby allowing authorities access to her laptop, reports Wired. The defendant says the request violates her Fifth Amendment right against forced self-incrimination, and digital rights groups agree, saying, "it might reveal she had control over the laptop and the data there." But prosecutors say the government knows the defendant had control of the computer, and neglecting to force unencryption would amount "to a concession to her and potential criminals...that encrypting all inculpatory digital evidence will serve to defeat the efforts of law enforcement officers...and thus make their prosecution impossible."
Full Story

GEO PRIVACY—U.S.

Illinois Law Protects Drivers’ I-PASS Data (January 6, 2012)

An Illinois Tollway policy went into effect January 1 to protect the information of drivers enrolled in the I-PASS program in accordance with a recent state law, reports the Chicago Sun Times. The policy "ensures that the Illinois Tollway will not be forced, under Illinois' Freedom of Information law or by other means, to disclose any personal data, including the date, time, location or direction of travel of I-PASS customers, with anyone other than the customer." Exceptions will be made for subpoenas, public safety emergencies or other lawful purposes, the report states.
Full Story

SURVEILLANCE

Forensics Software Tracks, Sorts IMs (January 6, 2012)

The Globe and Mail reports on digital forensics software used by more than 1,100 corporate clients and security organizations. The Internet Evidence Finder tool, created by former police officer Jad Saliba, can trace and sort instant messaging logs to glean potential digital evidence against a suspect. National security agencies--including the Royal Canadian Mounted Police, the FBI and Scotland Yard--use the software because, the report states, a high percentage of crimes now have a digital footprint. In discussing the efficiency of the software, Saliba said, "Especially with the size of hard drives these days, there's so much information left behind. It can work to help the person accused or against them." Some fear the privacy implications of the software, noting that Saliba's website recommends the software to parents to help them "watch their children's activity" online.
Full Story

PRIVACY—U.S.

Privacy Expected To Be Hot Topic in 2012 (January 6, 2012)

The National Journal reports that while the U.S. may not see broad-based privacy legislation passed within the next year, "privacy will still get a lot of attention in 2012, starting with the release in the coming weeks of two highly anticipated federal reports providing guidance on protecting consumer privacy online." The article focuses on what might be expected in these forthcoming reports from the Commerce Department and the Federal Trade Commission (FTC). Meanwhile, ITWorld highlights key technology policy issues to be watched in the year ahead, including the FTC's forthcoming comprehensive framework. Editor's Note: The IAPP Global Privacy Summit will feature a breakout session on The Final FTC Report: Implications for Consumers, Businesses, Legislation and Enforcement.
Full Story

PRIVACY LAW—U.S.

Obama Appoints CFPB’s First Director (January 5, 2012)

President Barack Obama yesterday appointed Richard Cordray as the first director of the Consumer Financial Protection Bureau (CFPB). The recess appointment of the former Ohio attorney general will allow the consumer agency to oversee non-bank organizations such as mortgage brokers, debt collectors, credit reporting agencies and payday lenders, The New York Times reports.

ONLINE PRIVACY—IRELAND

Complaint Filed Against Utility Payment Website (January 5, 2012)

An Irish Socialist Party MEP has filed a complaint with the Data Protection Commissioner claiming a website set up by the Irish government to facilitate the payment of a new household utilities charge contravenes EU privacy regulations, reports The Independent. "The website's privacy statement declares that the site uses 'session cookies,' which are erased after use, whereas in fact it uses so-called 'persistent cookies' that remain on people's computers after they visit the website," says MEP Paul Murphy. Data Protection Commissioner Billy Hawkes has also voiced his concerns over a proposed plan to tap into homeowners' utility bills in order to collect the charge.
Full Story

DATA LOSS—U.S.

State AG Queries Bank in Potential Breach (January 5, 2012)

The Wall Street Journal reports that Connecticut's attorney general has asked Wells Fargo whether it illegally disclosed customers' sensitive personal information, including Social Security numbers. In its investigation of potential fraud involving several state employees, the Department of Social Services provided the bank with at least two subpoenas listing suspects. The attorney general said the bank reportedly provided its customers with copies of the subpoenas without redacting other customers' personal data. A spokesman for the bank said it will offer affected customers the "option of signing up for identity theft protection safeguards." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Group Sues City Over Smart Meters (January 5, 2012)

A nonprofit group claims an Illinois community is installing smart meters without offering residents the chance to opt out, Courthouse News Service reports. Naperville Smart Meter Awareness sued the city in federal court, claiming that the government's funding and deployment of smart meters has neglected meaningful privacy and security standards and regulations. Citing pervasive reports of cyber attacks and security breaches, the group says smart meters present the potential to "collect, store and share private customer information without customer consent or control" and adds that the meters "provide rich knowledge about intimate details of a customer's life" and present serious concerns "regarding access to personal data gleaned from the devices."
Full Story

DATA PROTECTION

Survey Respondents Focused on Data Security (January 5, 2012)

SC Magazine reports on its fifth annual "Guarding Against a Data Breach" survey, which found that 63 percent of 488 respondents "are confident that their company's IT security departments have the power, executive support and budget/resources necessary to safeguard customer, client and other critical corporate data." That share is up from 58 percent of last year's respondents. The report also highlights concerns that 2012 "promises still more of the advanced cyber attacks" that occurred in 2011, as well as increases in regulatory audit "and a continuation of end-users and consumers relying on an array of vulnerable technologies to conduct business."
Full Story

Obama Appoints CFPB’s First Director (January 5, 2012)

By Jedidiah Bracy, CIPP/US

President Barack Obama yesterday appointed Richard Cordray as the first director of the Consumer Financial Protection Bureau (CFPB). The recess appointment of the former Ohio attorney general will allow the consumer agency to oversee non-bank organizations such as mortgage brokers, debt collectors, credit reporting agencies and payday lenders, The New York Times reports.

In a letter posted on the CFPB’s website, Cordray wrote, “starting today, we can now exercise the full authorities granted to us under the law and begin to supervise these nonbanks.”

Alan Charles Raul, a Washington lawyer and former government official, told the Daily Dashboard that Cordray’s appointment “will help provide leadership for the CFPB and likely facilitate high-level coordination with the Federal Trade Commission and banking agencies regarding overlapping jurisdiction on privacy and other issues.”

The recess appointment of Cordray has some questioning the move’s legality, says Morrison & Foerster Partner Andrew Smith.

Since there are questions around whether the Senate was truly “in recess” during the appointment, and since section 1066 of the legislation provides that the appointment be confirmed by the Senate, Raul adds, “It would not be surprising if many of these issues end up being litigated and sowing confusion over the director’s and agency’s authority.”

Editor’s Note: Andrew Smith will be a presenter during the breakout session, Who’s on First? New Roles and Authority for the CFPB, FTC, Banking Agencies and Securities, at the IAPP Global Privacy Summit.

DATA LOSS—ISRAEL

Hackers Target Israeli Sites, Expose Personal Data (January 4, 2012)

Hackers have infiltrated multiple Israeli-based websites, exposing the information of hundreds of thousands of users online, reports Haaretz.com. One hacker said he revealed names, phone numbers and credit card details and alluded to political reasons for the attack, claiming to be part of the Saudi hacker group Group-XP; however, some of the hacked websites say only the names of users were exposed, and the credit card companies say the number of records exposed is around 14,000.

GEO PRIVACY—U.S.

Judge: GPS Tracking Warrant Unnecessary (January 4, 2012)

A federal judge in Missouri has ruled that the FBI did not need a warrant to place a GPS tracking device on a suspect's car. The tracking device was employed by the FBI because the defendant was suspected of inaccurately filling out time sheets as a St. Louis treasury employee. According to a report in Wired, Magistrate David Noce said the defendant did not have any "reasonable expectation of privacy in the exterior" of his vehicle, adding, "Installation of the GPS tracker device revealed no information to the agents other than the public position of the vehicle." The decision comes just months before the U.S. Supreme Court rules on the issue of warrantless GPS tracking.
Full Story

PRIVACY LAW—HUNGARY & EU

Commission Concerned About Changes to Constitution (January 4, 2012)

The European Commission (EC) has expressed concern about Hungary's newly revised constitution, European Voice reports. The commission is looking into whether certain changes comply with EU laws. EC spokesman Olivier Bailly said that EC Vice President Viviane Reding is concerned about the independence of the new data protection supervisor, the report states. In July, the Hungarian government passed a law that saw the role of the country's independent data protection ombudsman subsumed by a new National Data Protection and Freedom of Information Authority. Reding wrote to Hungarian ministers last month expressing "doubts" about the changes.
Full Story

PRIVACY LAW—CANADA & PAKISTAN

RIM Says It Will Protect User Privacy Despite Request (January 4, 2012)

Research In Motion (RIM) says it will defend the legal privacy rights of BlackBerry users in response to a Pakistan judicial commission's order for smartphone communications, AAJ News reports. RIM says it is "guided by appropriate legal processes and publicly disclosed lawful access principles in this regard as we balance any such requests against our priority of maintaining the privacy rights of our users." The judicial commission ordered government officials to provide the record of conversation between Pakistan officials and the U.S. in an alleged request for U.S. help with Pakistan's military.
Full Story

DATA PROTECTION—UK

ICO Lays Out Plans for This Year (January 4, 2012)

The start of 2012 "marks a pivotal moment for both data protection and freedom of information," writes UK Information Commissioner Christopher Graham in his latest blog post. For his office's part, it will take a practical but principled approach in the coming year, he says. This week it is releasing its Information Rights Strategy, which reveals that the office will place a priority on the areas of health; credit and finance; criminal justice; Internet and mobile services, and information security. Noting increases in data collection amidst a struggling economy, Graham says companies shouldn't look to information security budgets to save on costs.
Full Story

PRIVACY LAW—U.S.

Compliance of Address-Correction Program Questioned (January 4, 2012)

United States Post Office (USPS) memos obtained by The Washington Times are drawing attention to privacy concerns with a long-standing USPS program offering credit, marketing and data-service providers updated names and addresses. "The Privacy Act prohibits federal agencies from selling personal information unless specifically authorized by law," the report states. The USPS says the program falls within "routine use," allowed under the statute, and a memo proposing legislation to "immunize the...services from any challenge under the Privacy Act" was "offered to make stronger what the Postal Service already believes is a strong legal position." Prof. Peter Swire of Ohio State University says, "The tricky question is whether the routine use is permitted under the statute," adding, "I think it's not clear."
Full Story

DATA LOSS—U.S.

Breach of Privacy Cited in State Investigation (January 4, 2012)

An attorney representing several Connecticut state employees says investigators made a "huge breach of privacy" when they released at least two subpoenas listing dozens of names and Social Security numbers, the Hartford Courant reports. Investigators are attempting to determine whether state employees falsified their finances to acquire emergency food stamp benefits. Any state employee on a subpoena was able to see other individuals who were under investigation and could see their Social Security numbers, the report states. The chief legal counsel in the case argues that it was not the state government that released the information but the bank where the employees' finances were held.
Full Story

PRIVACY LAW—EU

EDPS Discusses Need for Stronger Data Protection (January 3, 2012)

In a feature for NEWEUROPE Online, European Data Protection Supervisor Peter Hustinx explains that despite its impressive history, the Data Protection Directive 95/46/EC "is starting to show its age." Given the increasingly Internet-based nature of the world we live in and other factors, he writes, "there is not only a need for modernization but also an urgent need to ensure that the principles of data protection continue to be fully effective in a changing world."

DATA LOSS—U.S.

Three Patient Privacy Breaches Reported (January 3, 2012)

Three breaches involving the sensitive personal and medical information of thousands of patients have been reported. In Texas, five computers containing patients' names, Social Security numbers, birthdates and diagnoses were stolen from a physician's office, San Antonio Express reports. In California, Loma Linda Patch reports that the Loma Linda University Medical Center has fired an employee who violated hospital policy by bringing home the records of approximately 1,336 patients. "Information such as date of birth, address, medical record number, driver's license and in some instances Social Security number was included in the breach," according to a hospital spokeswoman. Providence Holy Cross Medical Center is also investigating a potential breach of patient privacy involving an employee's post to Facebook.
Full Story

BIOMETRICS—U.S.

FTC Seeks Public Feedback on Facial Recognition (January 3, 2012)

Shortly after hosting a roundtable on the uses and implications of facial recognition technology, the Federal Trade Commission (FTC) announced on December 23 that it is seeking public comment on the emerging technology, Hunton & Williams' Privacy and Information Law Blog reports. The FTC has specifically requested public comment on several issues, including current and future uses of the technology; potential consumer benefits and special considerations; privacy and security concerns; best practices in providing notice and choice, and whether notice and choice is the most appropriate framework. The FTC will accept comments until January 31.
Full Story

PERSONAL PRIVACY

PRC Releases Privacy Complaint Tool (January 3, 2012)

To help consumers who have experienced privacy abuse, the Privacy Rights Clearinghouse (PRC) has released an interactive online complaint tool. PRC Director Beth Givens says this new tool will not only help streamline and simplify the complaint process, but will educate consumers and connect them with the appropriate channels for help. In this Daily Dashboard exclusive, Givens describes the catalyst for the online mechanism, how it works and why it might help consumers and organizations.
Full Story

DATA PROTECTION—FRANCE

CNIL Inspects Bank Units (January 3, 2012)

The French data protection authority--the Commission Nationale de l'Informatique et des Libertes (CNIL)--is analyzing data gathered during a recent inspection of two bank units, Bloomberg reports. The CNIL inspected a newspaper and an information technology unit of Credit Mutuel-CIC based on a report of a system failure on December 28, according to the report.
Full Story

PERSONAL PRIVACY—CHINA

Forthcoming Marriage Database Incites Concerns (January 3, 2012)

The Chinese government has announced that it will launch a national online marriage database, inciting concerns about privacy, CNN reports. The database, which will be available next year and completed in five, aims to fight bigamy--a problem in China, according to the report. The announcement comes amidst reports that hackers gained access to six million China Software Developer Network users' personal information last week.
Full Story

ONLINE PRIVACY

User Authentication Goes High-Tech (January 3, 2012)

Studies show that sophisticated technologies are making it easier for hackers to crack the current system of user authentication--passwords--meaning some tech firms are looking at other ways of identifying users, reports The New York Times. A recent blog post predicted that users may no longer need passwords, pointing to biometrics as the wave of the future, but one Web researcher says a problem with biometric authentication is "once your digital biometric signature is compromised, you cannot even replace it." A security expert warns all authentication has drawbacks, and using more than one is always best. One tech giant recently launched a behavioral password system using gestures in addition to a password and facial recognition. (Registration may be required to access this story.)
Full Story

DATA PROTECTION

Cyber Insurance Expected To Become More Popular (January 3, 2012)

When it comes to cyber insurance, "Everybody needs it, and most companies don't realize they don't have it until it's too late," says one expert in a report for The New York Times. Despite recent high-profile cyber attacks, only one-third of companies surveyed said they had purchased a policy. But experts say new regulations by the Securities and Exchange Commission--specifically, a provision that requires companies to disclose a description of relevant insurance coverage to shareholders--will likely change that. Experts advise small businesses to look closely at what kind of cyber-insurance coverage they need based on the amount of personal information handled. (Registration may be required to access this story.) Editor's Note: The IAPP recently hosted a Web conference on Evaluating Cyber Liability Insurance. The archive is available on our website.
Full Story

CHILDREN’S PRIVACY—U.S.

Advocates Endorse COPPA Changes (January 3, 2012)

A coalition of advocacy groups has endorsed the Federal Trade Commission's updates to the Children's Online Privacy Protection Act, reports The Hill. The updates would require websites offering youth content to provide clearer notifications for parents surrounding data collection and expand the definition of personal information to include online and locational tracking data. The 17 groups in the coalition--including the Center for Digital Democracy (CDD), American Academy of Pediatrics and Privacy Rights Clearinghouse--submitted comments stating, "Strong arguments can be made that behavioral targeting is an inappropriate, unfair and deceptive practice when used to influence children under 13."
Full Story

PRC unveils online privacy complaint tool (January 3, 2012)

By Jedidiah Bracy, CIPP/US

As it approaches its 20th year of consumer advocacy, the Privacy Rights Clearinghouse (PRC) this week has unveiled an online tool to make filing a privacy complaint simpler. PRC Director Beth Givens says this new tool will not only help streamline and simplify the complaint process but also will educate consumers and connect them with the appropriate channels for help.

Found on the PRC website, the online complaint tool involves a five-step process, which takes about five minutes to complete. In addition to providing an e-mail address and state in which an incident occurred, users can choose with whom they would like to share their complaint--whether a government agency like the Federal Trade Commission, a lawyer who is “sympathetic” to a given issue, or the media--if anyone at all.

The tool aims to help the consumer determine against whom the privacy complaint should be filed--whether a business, government agency or individual. The complainant can describe the incident and attach documents that support a given complaint. For example, a user could file a complaint against a social network for refusing to delete undesirable photos posted by an individual for malicious reasons. The complaint could include a description of the incident, photos and a request to share the complaint with a government agency.

The interactive tool also features an autofill function that is sourced by the Consumer Action Handbook--published annually by the General Services Administration’s Federal Citizen Information Center.

A catalyst for the new complaint mechanism stems from a study conducted by researchers at the University of California-Berkeley School of Information in 2009. In the KnowPrivacy report, researchers found that in addition to individuals’ concerns about controlling their data online and the apparent lack of awareness of companies’ data collection practices, users simply did not know to whom they should file a privacy complaint. “Even the act of complaining about privacy,” the report states, “is frustrated by a lack of clarity. Consumers do not know where to complain, in part because privacy policies do not provide clear information about remedies.”

At a PRC-hosted event that same year, consumer advocates discussed emerging trends, including the need for a privacy complaint magnet. Givens says that Chris Hoofnagle, director of the UC-Berkeley Center for Law & Technology's information privacy programs and senior fellow to the...

PRIVACY LAW—U.S.

Suit Survives Motion To Dismiss (January 2, 2012)

Forbes reports that a lawsuit against Facebook has survived a motion to dismiss, despite the fact that judges have generally dismissed similar class-action cases recently. Fraley et al. v. Facebook alleges that the plaintiffs were harmed by Facebook's "Sponsored Stories," which alerts users when their friends have "liked" a product or service and includes the friends' names and photos in the notification.

DATA LOSS

Hackers Dump Security Company Data (January 2, 2012)

The hacker collective Anonymous has exposed the usernames, e-mail addresses and passwords of 860,000 users of the security think tank Stratfor--including the credit card information of 75,000 of them, reports VentureBeat. Stratfor has consequently shut down its website pending the completion of a "thorough review and adjustment by outside experts." Anonymous reportedly broke into Stratfor's Web servers and downloaded 200 gigabytes of data. A New York Times report notes this breach could be "especially embarrassing" if hackers can prove the company--"which markets its security expertise"--did not encrypt its sensitive data. One security expert says resulting credit card fraud has already been "well documented," and advises Stratfor customers to contact their credit card companies.
Full Story

DATA RETENTION—EU & GERMANY

German Gov’t Writes to Commission (January 2, 2012)

Telecompaper reports that in a letter dated December 23, the German government notified the European Commission (EC) that it has partially implemented the EU Data Retention Directive. The commission could take legal action in the European Court of Justice if Germany does not come into compliance with the directive. A government spokesperson said Germany is "preparing a reasonable compromise to present a stable constitutional solution" in the event the EC takes such action. In its letter, the German government said it is awaiting details on the so-called Quick-Freeze procedure, according to the report.
Full Story

DATA LOSS—AUSTRALIA

Company Admits to Second Breach (January 2, 2012)

The personal information of approximately 1,500 Telstra customers was accessible last Friday when a spreadsheet was posted online, International Business Times reports. The spreadsheet reportedly contained customers' e-mail addresses, phone numbers and postal addresses, but the company said it has "no reason to believe it contained passwords or credit or financial information." Some customers have expressed concern that they have yet to be notified by the company. A spokesman said, "Customers are being progressively contacted either by phone or e-mail as we work through the data that was contained on the spreadsheet." Telstra has also notified the appropriate authorities, the report states. Last month, nearly 800,000 Telstra customers were affected when their private data was accessible through the company's website search tool.
Full Story

ONLINE PRIVACY

Accidental E-mail Incites Concerns (January 2, 2012)

The New York Times says data security has not been compromised after it accidentally sent an e-mail to 8 million people telling them that they had canceled their subscriptions. A Times employee erroneously sent the message to a list of people who'd previously given their e-mail addresses to the company. Initially, the company indicated via its Twitter feed that the message had been spam, inciting concerns from some recipients about who had access to their data. But The Times later confirmed that it sent the e-mail. "We regret the error and we regret our earlier communication noting that this e-mail was spam," a Times spokesperson said. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

When Sites Shut Down, Data in Limbo (January 2, 2012)

Websites shut down and merge frequently, writes Cecilia Kang for The Washington Post, and "In many cases, the data that people have entrusted to such sites exist in a cyber limbo, and users' rights are unclear." Because of the lack of standard privacy rules for websites, customers may come across many different practices and some have voiced a feeling of futility when trying to maintain all their online data; "At some point you just have to surrender control," said one Internet user. The Federal Trade Commission's assistant director of privacy and identity protection said more issues surrounding data handling are requiring its attention. (Registration may be required to access this story.)
Full Story

DATA LOSS

Reviewing the Top Breaches of 2011 (January 2, 2012)

InformationWeek reports on the most significant data breaches of 2011. Citing a new report by the Privacy Rights Clearinghouse (PRC), the article notes that the past year saw some of the largest data breaches in history. Though 535 breaches were officially reported in 2011, many go unreported. PRC Director Beth Givens said, "Because many states do not require companies to report data breaches to a central clearinghouse, data breaches occur that we never hear about." Identity Theft 911 Chairman and Founder Adam Levin said that "Gaming networks and similar sites are delicious targets" for cyber criminals. Additionally, breaches cost organizations millions of dollars, and, as one attorney said, "It is inevitable that the costs will be passed on" to the customer.
Full Story