Privacy News | Daily Dashboard

Top Privacy News

HEALTHCARE PRIVACY—UK

Poor Training Led to £70,000 Fine by ICO (April 30, 2012)

Lack of staff training in data protection and failure to have "suitable checks in place to keep the sensitive information they handled secure" are reasons why Aneurin Bevan Health Board (ABHB) has become the first NHS body to be fined by the Information Commissioner's Office (ICO), BBC News reports. According to an ICO press release, a breach occurred when a doctor e-mailed incomplete and inaccurate patient data to a secretary who in turn e-mailed the information to the incorrect patient. ICO spokesman Stephen Eckersley said ABHB has signed an undertaking to address the ICO's concerns, including "ensuring all staff are made aware of and trained on the organization's" data protection policies.

PRIVACY LAW—U.S.

Settlement Reached in Zip Code Suit (April 30, 2012)

Law360 reports that Lowe's HIW Inc. will create a $3 million fund for 280,000 known and unknown class members who allege the company violated California's Civil Code by requesting their zip codes in connection with credit card transactions. The settlement agreement was filed in the United States District Court for the Northern District of California last week. (Registration may be required to access this article.)

PRIVACY—U.S.

Lawmaker Drafts Bill To Protect Students’ Online Profiles (April 30, 2012)

A New York lawmaker has introduced federal legislation aimed at protecting students from having to disclose personal online information, The New York Times reports. Rep. Eliot Engel (D-NY) has introduced The Social Networking Online Protection Act, which would forbid administrators from requiring potential or current students to provide usernames or passwords to online services as part of enrollment or disciplinary processes. "We have to draw a line between what is publicly available information and what is personal, private content," said Engel. "I think we would all object to having to turn over usernames and passwords for e-mail accounts, or even worse, to bank accounts. User-generated social media content should be no different." (Registration may be required to access this story.) 

PRIVACY LAW—IRELAND

DPC Reports Record Number of Data Complaints (April 30, 2012)

According to an annual report from Ireland Data Protection Commissioner Billy Hawkes, 2011 saw a record level of complaints from the public about data use, The Irish Times reports. The total number of complaints went from 783 in 2010 to 1,161 in 2011, a 48 percent increase. The report also revealed that the complaints ranged from unsolicited marketing to unlawful use of CCTV in the workplace. Hawkes noted a shift in types of complaints, suggesting a "growing level of public awareness of the right of access to personal data." 

ONLINE PRIVACY—U.S.

Company’s Controversial Data Collection Not Rogue Act (April 30, 2012)

Less than two weeks after the Federal Communications Commission (FCC) released its investigation report on Google's Street View project, Google released a less redacted version, The Wall Street Journal reports. The report supports the company's contention that the data collection scheme was initiated by one employee, but the employee allegedly shared the plan with other employees, including a senior manager, suggesting the company could have moved more swiftly to halt the activity, the article states. The report revealed a "to do" list that included the item "Discuss privacy considerations with Product Counsel." According to the report, "That never occurred." A Google spokeswoman said the company agrees "with the FCC's conclusion that we did not break the law" and hopes that "we can now put this matter behind us." (Registration may be required to access this story.)

DATA LOSS—AUSTRALIA

OAIC Releases Guidelines as Breach Numbers Rise (April 30, 2012)

Evidence shows data breaches are on the rise, putting individuals at risk for harm, warned Privacy Commissioner Timothy Pilgrim at an event to launch Privacy Awareness Week in Australia. Pilgrim said the Office of the Australian Information Commissioner (OAIC) was notified of 56 data breaches last year--compared with 44 the previous year--and opened an additional 59 investigations, The Sydney Morning Herald reports. The OAIC this week released updated guidelines to help businesses develop breach response plans. Though breach notification is not mandatory in Australia, Information Commissioner John McMillan said the "tide is moving" in that direction. 

SURVEILLANCE

As Use of Facial Recognition and Surveillance Increase, What Happens To Privacy? (April 30, 2012)

The Economist reports on the increasingly pervasive use of video surveillance in countries around the world. China will soon employ three million surveillance cameras--surpassing Britain--and its industry is expected to reach 500 billion yuan, or $79 billion, in 2015. Alongside the increase in video surveillance is an increase in the use of facial recognition technology, currently employed at Mexican prisons, U.S. bars, Japanese workplaces and many other locations worldwide. Brazilian police will use it to improve security at the 2014 World Cup. The U.S. National Institute of Standards and Technology has found that such technology is improving, raising legal questions about the "reasonable expectation of privacy" in public, the report states. 

PRIVACY LAW—U.S.

Blockbuster Agrees to Settlement Terms (April 27, 2012)

Blockbuster has agreed to settle a class-action suit over alleged violations of the Video Privacy Protection Act (VPPA), MediaPost News reports. A Minnesota resident filed the suit in September 2011, claiming the company retained customers' personal data--including credit card numbers, contact information and preferences, the report states. The VPPA requires the destruction of such information when it is no longer needed.

PRIVACY LAW—EU & U.S.

Hustinx: Companies Should “Innovate” on Privacy (April 27, 2012)

The New York Times reports on comments from European Data Protection Supervisor Peter Hustinx urging companies to "innovate" on consumer privacy. Speaking at a Berkeley Center for Law and Technology event in California, Hustinx said EU lawmakers will move forward with far-reaching legislation to protect online privacy, the report states. "It really is based on the idea that when there is not good enough reason to keep the data, it should be deleted," Hustinx said at Thursday's event, adding, "When data have been published or have been shared and it is within your power to get them back, you have to make reasonable effort to get the spirit back in the bottle." (Registration may be required to access this story.)

ONLINE PRIVACY—U.S.

Google Says FCC Closed Its Investigation Last Year (April 27, 2012)

In a filing yesterday with the Federal Communications Commission (FCC), Google said federal prosecutors closed an investigation into the company's wireless data collection last May, Bloomberg reports. Earlier this month, the FCC proposed fining the company $25,000 for delaying a probe into Street View, but the company says it has "cooperated fully with investigations around the globe." Meanwhile, the San Francisco Chronicle reports on speculation by some that Google violated an agreement with the FTC by circumventing privacy settings in Apple's Safari Browser. FTC Chairman Jon Leibowitz has declined to address the topic but says such incidents can affect the way consumers view companies.

DATA LOSS—U.S.

Breaches Reported Coast to Coast (April 27, 2012)

A number of entities are reporting data breaches this week. A California lab says data on at least 700 patients was stolen during a break-in, The Record reports, while Sheppard Air Force Base's 82nd Medical Group in Texas says a breach of patient privacy is possible after a man brought in medical records found in a box in his home. Also in Texas, State Attorney General Greg Abbott's office has accidentally given millions of Texas voters' Social Security numbers to opposing lawyers in a voter ID case. Meanwhile, The College at Brockport in New York says it has identified a data breach causing student and faculty credit card fraud. And, in Massachusetts, a new report has found that nearly half of the state's residents' personal information has been improperly accessed in 1,800 breaches in the last four years, with the state playing a role in 10 percent of those breaches.

SOCIAL NETWORKING

Study: Your Privacy Depends on Your Friends (April 27, 2012)

The Atlantic reports that as social media grows, "it's increasingly more accurate to think about privacy as a communal affair, something heavily contextual and owned, collectively, by networks." The report references a case study from Brazil's University of Minas Gerais that indicates "just how much tagged photos, in particular--and our connections' tagged photos--can actually reveal, and predict, about our identities." The study's authors note that "Users unintentionally put their friends or even their own privacy at risk when performing actions on social networking sites...the tagged user has no means to control the degree of exposure her pictures are getting, since the 'owner' is another user."

PRIVACY LAW—U.S.

House Passes CISPA (April 27, 2012)

The House of Representatives yesterday voted to approve the Cyber Intelligence Sharing and Protection Act amidst a White House veto threat and advocacy groups' concerns about privacy and civil liberties infringements, the NationalJournal reports. Rep. Mike Rogers (R-MI) said, "There is no surveillance, none, not any in this bill," and Rep. Mary Bono Mack (R-CA) said, "Frankly, the privacy concerns are exaggerated." Reps. Joe Barton (R-TX) and Ed Markey (D-MA) voted against the bill, saying in a joint statement, "If this piece of legislation had a privacy policy, it would be 'You have no privacy!'" CNET News and ProPublica both offer a closer look into the details of the bill.

PRIVACY LAW—UK

ICO Defends Enforcement Actions (April 27, 2012)

The Information Commissioner's Office (ICO) is defending its history of enforcement actions after a recent report suggested the agency disproportionately fined public organizations more often than private organizations, Out-Law.com reports. Between March 22, 2011, and February 17, 2012, the ICO issued one £1,000 fine to a private company while it fined eight public councils a total of £790,000. In a statement, the ICO wrote, "Effective regulation is about getting the best result in the public interest...The course we choose will always depend on the circumstances of the individual case." Meanwhile, Information Commissioner Christopher Graham said, "Companies that don't properly protect their data will lose out in the next stage of consumer understanding."

PRIVACY LAW—U.S.

Politicians Disagree on Privacy Bill of Rights (April 27, 2012)

POLITICO reports on disagreement between two lawmakers on whether Congress should enact a privacy bill of rights. Sen. Richard Blumenthal (D-CT) and Rep. Mary Bono Mack (R-CA) differed in opinion at a briefing yesterday, with Blumenthal arguing that a privacy bill of rights is "absolutely appropriate" and Bono Mack arguing that a bill of rights could go "too far." Bono Mack said congressional intervention could harm innovation, but Blumenthal said preserving personal privacy is a concept that dates back to the Founding Fathers. "People understand about tracking, about algorithms that identify them about being pregnant before they may have even told their parents or their husband," Blumenthal said.

PRIVACY LAW—U.S.

Two Privacy Bills on the Move in California (April 27, 2012)

Two privacy-related bills are on the move in California. The California Genetic Information Privacy Act would prohibit the unauthorized collection, testing and distribution of DNA data. "We have laws to protect the privacy of our financial information, our medical records and even the books we check out from the local library," said the bill's author, State Sen. Alex Padilla (D-Pacoima), adding, "We need genetic privacy protections because nothing is more personal than our DNA." The bill passed the Senate Judiciary Committee on Tuesday, according to a GovTech report. Meanwhile, the California Location Privacy Bill passed the Senate Public Safety Committee earlier this week after a certain disclosure provision was removed.

ONLINE PRIVACY

Confusion Over Terms of Service Continues (April 27, 2012)

Reports about how Google's terms of service will apply to its newly launched Google Drive are revealing confusion over ways in which the company will be able to use content stored with the service. While some report that Google's general terms of service say the company can "communicate, publish, publicly perform, publicly display and distribute" the content, others point to a paragraph in the terms stating, "You retain ownership of any intellectual property rights that you hold...In short, what belongs to you stays yours." A report in The Washington Post compares the privacy policies of similar services, noting that "Google's terms are pretty much the same as anyone else's and slightly better in some cases." (Registration may be required to access this story.)

PRIVACY LAW—U.S.

White House Issues Veto Threat, CISPA Moves Forward (April 26, 2012)

House lawmakers supporting the Cyber Intelligence Sharing and Protection Act are moving forward with the legislation even after the Obama administration expressed reservations about the current state of the bill, The Washington Post reports. "The sharing of information must be conducted in a manner that preserves Americans' privacy, data confidentiality and civil liberties," the White House said in a statement, adding "Cybersecurity and privacy are not mutually exclusive." Rep. Adam Schiff (D-CA), who earlier this week proposed amendments to the bill, said the statement "will certainly have an impact...on the margin of the vote, but the bill is still likely to pass." One of the bill's sponsors, Rep. Mike Rogers (R-MI), said, "We think we can answer questions to get it to a place where the president will sign it." (Registration may be required to access this story.)

PRIVACY LAW—MEXICO

Critics: Revisions to Federal Law Leave Room for Abuse (April 26, 2012)

Ars Technica reports on concerns about revisions to Mexican federal law that give public authorities and law enforcement the ability to require mobile phone companies to disclose real-time geographic data on their users. Known as the "Geolocalization Law," the revisions--which came into effect last week--aim to help police fight drug and gang violence. But critics say they are too far-reaching. One Mexican law student has initiated a petition to Mexico's Human Rights Commission and recently penned a legal analysis warning of the potential for misuse. Another advocate noted that the law does not require a prior warrant from the government.

DATA PROTECTION—UK

ICO To Spend 20 Percent on IT (April 26, 2012)

The Information Commissioner's Office plans to spend £3 million--or about 20 percent of its total budget--on IT security, The Guardian reports. At a recent conference, Information Commissioner Christopher Graham said the office is currently seeking a vendor to provide such services. Graham added that the ICO has issued 14 civil monetary penalties for data protection breaches since his office gained the power to do so 18 months ago. In cases where organizations took action to mitigate risks of future breaches, fines were less likely to be handed down. Asked about the potential for a communications monitoring law in the UK, Graham said it must have the proper safeguards.

MOBILE PRIVACY—U.S.

CDT: Mobile Payments Increase Consumer Data, Weaken Privacy (April 26, 2012)

In advance of today's Federal Trade Commission (FTC) workshop on mobile payments, the Center for Democracy & Technology (CDT) is raising concerns that mobile payments will "provide more consumer data to more companies" and could weaken privacy laws. CDT Policy Counsel Harley Geiger writes, "Without strong user privacy controls, mobile payment services may turn your cell phone into a magnet for telemarketing, spam and online behavioral advertising." Additionally, Geiger states, mobile services will involve more companies--including mobile payment providers, Internet service providers and third-party apps--than the traditional credit card transaction, adding, "consumers should expect...services to use transaction information to hit consumers with offers, coupons and customized advertising." Editor's Note: The Daily Dashboard will be tweeting from today's FTC mobile payments workshop. Follow us @dailydashboard.

ONLINE PRIVACY

Critics Say Terms of Service Allows for Lack of Privacy (April 26, 2012)

The New York Times reports on concerns about Google's recently released online storage service, Google Drive. The service offers free storage of documents, pictures and video, among other data. But critics say Drive falls under Google's terms of service, which allow the company to use the stored content for its own purposes. The Electronic Privacy Information Center's Marc Rotenberg said the terms of service are "bad, but even worse is that Google has made clear it will change its terms of service whenever it wishes." A Google representative, however, said the company doesn't "take personal information and use it in a way that we don't represent to the user." (Registration may be required to access this story.)

MOBILE PRIVACY—U.S.

Office To Release Mobile App Guidelines (April 26, 2012)

The chief of California's Office of Privacy Protection says the office will soon release guidelines for mobile app developers on data collection, data sharing and written privacy policies, PCWorld reports. Chief Joanne McNabb, CIPP/G, CIPP/IT, CIPP/US, says the guidelines, likely to be released in July, will be developed with an advisory panel of experts and industry stakeholders. Though the office itself has no regulatory power, the guidelines will help companies comply with state laws, McNabb said, adding that the "practices and recommendations we come up with are not a floor of legal compliance nor are they a ceiling of ideal. I think of them as about chair-rail height. You want to push higher than developers are required to go."

ONLINE PRIVACY

Opinion: WCIT Meeting Could Upend Internet (April 26, 2012)

In a column for The Wall Street Journal, Andrea Renda writes that proposals will be considered this December at the World Conference on International Telecommunications (WCIT) that could "grant authority for Internet governance to the United Nations and impose new regulations on web traffic," adding, "If adopted, these proposals could upend the web as we know it..." Renda also notes, "Privacy and security are also at risk due to a lack of adequate legal tools and coordination mechanisms," many of which would be international. (Registration may be required to access this story.)

PRIVACY—U.S.

Court Dismisses VPPA-Related Complaints Against Sony (April 25, 2012)

The United States District Court for the Northern District of California has dismissed proposed class-action claims against Sony Computer Entertainment America LLC for alleged violations of the Video Privacy Protection Act (VPPA). Judge Phyllis Hamilton on Friday granted Sony's motion to dismiss a plaintiff's claim that the company unlawfully retained his personally identifiable information (PII) under VPPA, citing as precedent Sterk v. Redbox Automated Retail. The court also dismissed the plaintiff's claim that Sony unlawfully disclosed his PII, saying VPPA permits such disclosure "if the disclosure is incident to the ordinary course of business of the provider," according to the decision.

PRIVACY LAW—EU

EDPS: ACTA Could Threaten Privacy (April 25, 2012)

European Data Protection Supervisor (EDPS) Peter Hustinx has said the Anti-Counterfeiting Trade Agreement (ACTA) "could involve the large-scale monitoring of users' behavior and of their electronic communications," which could go "beyond what is allowed under EU law," Reuters reports. Signed by 22 of the EU's 27 member states as well as the U.S. and Japan, ACTA is a global trade deal addressing copyright theft. In an EDPS opinion, Hustinx said, "ACTA measures to enforce intellectual property rights in the digital environment could threaten privacy and data protection if not properly implemented."

SURVEILLANCE—U.S.

CISPA Sponsors Support Privacy Amendments (April 25, 2012)

Sponsors of the Cyber Intelligence Sharing and Protection Act (CISPA) said they support proposed amendments that would limit what information government agencies can use under the legislation, IDG News Service reports. The bill, as it stands, would allow agencies to use information on a panorama of issues, but the proposed amendments would limit information sharing to issues such as cybersecurity; investigations of death, serious injury or child pornography, and issues related to national security, the report states. The Center for Democracy & Technology, one of several groups that have criticized the current bill, said "good progress has been made" with the proposed amendments, and "in deference to the good faith efforts" shown by the bill's sponsors, the group will not oppose the House legislation.

PRIVACY LAW—GERMANY

Germany Could Face Lawsuit, Fines (April 25, 2012)

Bloomberg reports the German government will not attempt to fight off an EU lawsuit based on the country's failure to implement EU data retention guidelines into law thus far. An agreement between the interior and justice ministries will not be reached by the April 26 deadline, which could result in a lawsuit and a fine of at least €32.5 million. The country may face additional fines of €80,000 per day until a decision is reached.

DATA PROTECTION—U.S.

Security Professionals Increasingly Talking to Boardrooms (April 25, 2012)

Financial Times reports on data security's ascension to the top of not only IT professionals' worry lists but corporate boardrooms' as well. "I am spending much more time talking to company boards these days," said Mark Lobel of PricewaterhouseCoopers, who adds that hackers' attack methods are becoming increasingly sophisticated and their targets more widespread. "The defense industry became aware of it first, but now the public is becoming aware that anyone with intellectual property is a target," he said. A recent study found that malicious attacks cost 25 percent more in response costs than other breaches, and organizations employing chief information security officers reduce costs by 35 percent per compromised record. (Registration may be required to access this story.)

DATA PROTECTION—U.S.

Expert: Breaches Indicate Need for Restricted Employee Data Use (April 25, 2012)

InformationWeek reports on the need to limit employee access to personal data, evidenced by two recent data breaches at state Medicaid agencies. Earlier this month, Utah health officials reported that 780,000 individuals were affected when hackers accessed state computers, and South Carolina health officials recently disclosed a breach affecting 228,435. Employee access to confidential data is increasing, said security expert Bill Morrow, because organizations are using web browsers, which "contain critical security gaps that create significant risks," as the viewing platform. Morrow suggests using "hardened browsers," which allow organizations to limit data collection and specify how it can then be used, preventing unauthorized movement.

PRIVACY—U.S.

Opinion: CA 911 Call Bill Lacks Balance (April 25, 2012)

In a column for the Inland Valley Daily Bulletin, Delores Combs discusses two complications inherent in a recently proposed bill that would limit public access to 911 emergency phone calls. Proposed by Assemblywoman Norma Torres (D-Pomona), AB 1275 would prevent public access to 911 calls containing medical information. Combs argues there are two complications "that indicate there is still a need to fine-tune the bill." The first complication stems from whether HIPAA covers a treatment team. "The HIPAA issue is debatable and one that requires further legislation or a legal decision to be clarified," Combs writes. The second complication highlights the "tension between the need for transparency in government and the duty to protect a caller at their most vulnerable." Editor's Note: For more on this topic, see "Assessing public information in the digital age" in this month's edition of The Privacy Advisor.

PRIVACY LAW—EU

ECJ: ISPs Can Disclose Data to IP Holders (April 24, 2012)

The European Court of Justice (ECJ) has ruled that EU laws do not prevent Internet service providers from disclosing data to copyright holders for the purpose of identifying file-sharing violators, Out-Law.com reports. The ECJ ruled that the Data Retention Directive "must be interpreted as not precluding the application of national legislation based on (the Intellectual Property Rights Directive) which, in order to identify an Internet subscriber or user, permits an Internet service provider in civil proceedings to be ordered to give a copyright holder or its representative information on the subscriber to whom the Internet service provider provided an IP address which was allegedly used in an infringement, since that legislation does not fall within the material scope of" the directive.

ONLINE PRIVACY—U.S.

Lawmaker Proposes CISPA Amendment (April 24, 2012)

Rep. Adam Schiff (D-CA) plans to introduce an amendment to the Cyber Intelligence Sharing and Protection Act (CISPA) to dampen privacy concerns brought on by the bill, the NationalJournal reports. The amendment would require a policies and procedures framework to protect privacy--including limiting personally identifiable information--and would include language defining what data types will be shared. "It is important to move forward with a cybersecurity bill to address information sharing," Schiff said, "but we must make sure that it includes strong protections for the civil liberties and privacy of Americans." Meanwhile, the Center for Democracy & Technology warns that CISPA "is likely to lead to the expansion of the government's role in the monitoring of private communications."

PRIVACY LAW—U.S.

Judge Rules DA Can Subpoena Protester’s Tweets (April 24, 2012)

A New York judge has ruled that prosecutors are not overreaching by subpoenaing Twitter in order to access an Occupy Wall Street protester's posts leading up to an alleged disorderly conduct incident, The Washington Post reports. Manhattan Criminal Court Judge Matthew A. Sciarrino, Jr., wrote, "There is, in fact, reasonable grounds to believe the information sought was relevant and material to this investigation," but added that he would review the posts--with the defendant's privacy in mind--before the Manhattan District Attorney's Office reviews them. (Registration may be required to access this story.)

PRIVACY LAW—U.S.

CA Bill Would Require Warrants Before Location Tracking (April 24, 2012)

The nation's largest wireless providers are opposing a proposed California location privacy law that would require a search warrant before police could track a wireless customer's coordinates, CNET reports. Only in emergency situations would police be exempt from acquiring a judge's approval to conduct tracking surveillance under SB 1434, which would also require the providers to disclose how many times they had granted or denied police access to wireless location data. A wireless trade association, including such members as AT&T, Verizon Wireless, U.S. Cellular and Sprint Nextel, has written to the bill's sponsor saying the bill would create confusion for wireless providers "when responding to legitimate law enforcement requests."

ONLINE PRIVACY

Facebook Privacy Tool To Help Consumers, Push Developers (April 24, 2012)

USA TODAY reports on the release of a new service that grades how each of Facebook's top third-party apps respects consumer privacy. Privacyscore for Facebook grades the privacy policies and tracking practices of more than 200 Facebook apps, the report states. Points are deducted for "sharing data with an excessive number of tracking entities, failing to honor deletion requests, failing to provide an opt-out choice or storing consumer data for long periods." The Future of Privacy Forum's Jules Polonetsky, CIPP/US, said the tool will be useful for consumers, but "it may actually be even more useful in pushing application developers, who don't like getting poor grades, to look more closely at their own privacy practices."

ONLINE PRIVACY—U.S.

Opinion: Internet Privacy Is Not a Given (April 24, 2012)

In a column for The New York Times, Henry Alford questions, "when did privacy become a choice rather than a given?" Alford also queries why it sometimes feels like a graduate degree is necessary to slog "through a new app's voluminous terms of service" or to figure out "how to activate a site's privacy control settings." Though the Obama administration is calling for a privacy bill of rights, "Big Brother-like invasions of our privacy continue apace," he opines, adding, "You can't sunbathe nude in this backyard without constantly looking over your shoulder." (Registration may be required to access this story.)

ONLINE PRIVACY

Opportunities, Privacy Concerns Abound with Big Data (April 23, 2012)

The Guardian reports on the rise of Big Data and how privacy boundaries shift as personal information becomes more valuable to companies. One O'Reilly Media representative said, "Given enough data, intelligence and power, corporations and government can connect dots in ways that only previously existed in science fiction." The ability of Big Data systems to collect and make sense of huge amounts of information provides some companies with valuable opportunities but brings with it concerns about personal privacy.

SURVEILLANCE—U.S.

FAA Drone Program Draws Lawmakers’ Concerns (April 23, 2012)

Reps. Edward Markey (D-MA) and Joe Barton (R-TX) have sent a letter to the Federal Aviation Administration (FAA) questioning how the agency will address citizens' privacy rights as it begins to issue drone-use licenses to public and private entities, COMPUTERWORLD reports. "The surveillance power of drones is amplified when the information from onboard sensors is used in conjunction with facial recognition, behavior analysis, license plate recognition" among others, the lawmakers wrote, adding, the FAA has "the responsibility to ensure that the privacy of individuals is protected and that the public is fully informed about who is using drones in public airspace and why." The Electronic Frontier Foundation recently released documents revealing dozens of universities and law enforcement agencies that have received FAA approval for drone use.

ONLINE PRIVACY—EU & U.S.

Reporter Explores Personal Data Held by Large Sites (April 23, 2012)

In a column for The Guardian, James Ball discovers what personal information is held about him by Google and Facebook. Using EU rights to make requests on personal data held by these online companies, Ball wonders "exactly how much the Internet giants know about us." After reviewing his personal data, Ball concludes, "The tour through a decent swath of my personal data is at once disturbing and comforting...Among the huge tranche of information available to Google and Facebook alone is virtually everyone I know, a huge amount of what I've said to--and about--them and a vast amount of data on where I've been."
Full Story

DATA LOSS—U.S.

Businesses Take Action Following Breaches (April 23, 2012)

A retailer, a food chain and a hospital are all taking remedial actions after reporting data breaches. Middletown Journal reports that Baltimore-based Under Armour has notified employees that a thumb drive containing their unencrypted data, including names, Social Security numbers and salaries, has been lost in the mail by the retailer's auditing firm. The firm will provide 12 months of free credit monitoring and identity theft protection for those affected. Meanwhile, Rubio's Mexican fast food chain, based in California, says a computer disk containing personal information on some of the company's shareholders was taken offsite by a third-party vendor, and the University of Arkansas for Medical Sciences has disciplined an employee for exposing data on 7,000 patients. 
Full Story

PRIVACY—U.S.

Advocates: “Black Box” Bill Requires Stronger Safeguards (April 23, 2012)

A bill currently pending in Congress that would equip all U.S.-manufactured cars with an event data recorder has some privacy advocates concerned about with whom that data may be shared, Ars Technica reports. The bill, S. 1813, which passed the U.S. Senate last month and will likely see a House vote in the near future, would equip new cars with the device--which would record details preceding a crash, including speed rate and seat-belt status--beginning in 2015. Though the bill includes data protection provisions that the Future of Privacy Forum's Christopher Wolf calls a "net plus," one expert envisions legal disputes on such third-party access as insurance companies and law enforcement. 
Full Story

DATA PROTECTION

Experts: Weak Passwords Often Cause Big Breaches (April 23, 2012)

Recent data breaches highlight the risks associated with weak and default passwords, experts say. The recent breach of a server at the Utah Department of Health, which exposed the Social Security numbers of more than 280,000 people, exemplifies what one expert calls "the curse of the reusable password," reports COMPUTERWORLD. Breaches that occur due to weak passwords are especially common in the retail and healthcare sectors, according to a recent Verizon report. One expert said much of hacker group Anonymous's recent success has been because "they have obtained users' passwords to external services and then found the same passwords in use at sensitive internal applications in e-mail systems." 
Full Story

PRIVACY LAW—U.S.

EPIC Wants FCC Report Released In Full (April 20, 2012)
The Electronic Privacy Information Center (EPIC) is demanding that the Federal Communications Commission (FCC) release all 25 pages of the report on its Google Street View investigation, reports the Los Angeles Times. EPIC filed a Freedom of Information Act request following the FCC's release of the report's abridged version last week. EPIC has also called on Attorney General Eric Holder, Jr., to investigate, and Rep. Ed Markey (D-MA) has called for a congressional hearing on the matter. The FCC fined Google $25,000, stating the company "deliberately impeded and delayed" an investigation into its Street View data collection practices--a fine one privacy advocate called "a slap on the pinkie."

DATA LOSS—U.S.

SC Health and Human Services Reports Breach (April 20, 2012)

The South Carolina Department of Health and Human Services (SCDHHS) has discovered a data breach affecting 228,435 Medicaid beneficiaries, CMIO reports. The breach occurred when a Medicaid employee e-mailed personal information to the beneficiaries' personal e-mail accounts--a violation of agency policy, the report states. The department has terminated the employee and called upon the South Carolina Law Enforcement Division to investigate. SCDHHS will mail letters and offer free identity theft protection services to those affected.
Full Story

HEALTHCARE PRIVACY—U.S.

State Law To Curb Drug Abuse Draws Privacy Concerns (April 20, 2012)

The Wall Street Journal reports on a proposed bill in Kentucky that attempts to mitigate prescription drug abuse by restricting ownership of "pain clinics" by physicians and giving law enforcement easier access to the state's prescription drug database. The database includes names of prescribers, patients and pharmacies. A representative from the Kentucky Medical Association says the bill is an "overreach" and a violation of personal privacy, the report states. (Registration may be required to access this story.)
Full Story

GEO PRIVACY—U.S.

Some Apps Promote Safety, Reveal Privacy Conflicts (April 20, 2012)

Researchers at AT&T Labs showcased new technologies Thursday that pave the way for future smartphone and mobile system capabilities but also reveal potential conflicts with personal privacy, The New York Times reports. Among the tools showcased was Driving Safely. The system helps parents track how their teenagers are driving and allows them to disable functions on their children's phones to promote safe driving. The app also collects data over time, the report states, in order to compile the driver's "DNA score." One of the projects' developers said the system would most likely be more popular among those doing the tracking than those being tracked, the report states. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

Studies Find Privacy Policies Too Long, Complex (April 20, 2012)

NPR's "All Tech Considered" highlights a study by Aleecia McDonald and Lorrie Faith Cranor of Carnegie Mellon University that found it would take people an average of 250 hours to read the privacy policies of the websites they visit in one year. While the Federal Trade Commission has explored ways to give web users more control over their online privacy, the complexity of privacy policies has many consenting to policies without reading them, says Cranor. Meanwhile, Shannon Wheatman, a plain language expert at Kinsella Media, told the Daily Dashboard that her recent study of Fortune 500 online privacy policies found that policies are written at or above a college level. "This is a big problem since only 28 percent of adults have a college degree," said Wheatman. Editor's Note: Wheatman's Plain Language Primer for Privacy Policies is available to IAPP members on the IAPP Knowledge Center.
Full Story

PRIVACY LAW—U.S.

White House Expresses Concerns About CISPA (April 19, 2012)

COMPUTERWORLD reports on comments made by the White House expressing concerns about the proposed Cyber Intelligence Sharing and Protection Act (CISPA). A spokeswoman from the White House National Security Council said, "The nation's critical infrastructure cyber vulnerabilities will not be addressed by information sharing alone." She added that "while information sharing legislation is an essential component of comprehensive legislation to address critical infrastructure risks, information sharing provisions must include robust safeguards to preserve the privacy and civil liberties of our citizens."
Full Story

TRAVELERS’ PRIVACY—EU & U.S.

EP Approves U.S. PNR Deal, MEPs Back EU Agreement (April 19, 2012)
The European Parliament has adopted a passenger name record (PNR) agreement with U.S. authorities, Euroalert.net reports. With 409 votes in favor, 226 against and 33 abstentions, the agreement sets a framework for allowing U.S. authorities access to EU citizens' PNR data and sets conditions for data retention periods and data security, as well as administrative and judicial redress, the report states. Meanwhile, EU interior ministers are preparing a framework for an EU-wide PNR deal, reports EuropeanVoice.com. The agreement, which will reportedly be concluded at a meeting in Luxembourg next week, will set the stage for talks with the European Parliament.

PRIVACY LAW—U.S.

EDPS Calls For Safeguards In Open Data Package (April 19, 2012)

Full Story

DATA LOSS—U.S.

University Breach Settlement Reached, Another School Reports Breach (April 19, 2012)

A circuit court judge in Honolulu has approved a settlement that will bring victims of University of Hawaii data breaches two years of credit monitoring and fraud restoration services, Hawaii News Now reports. Five breaches exposed the data of more than 90,000 individuals affiliated with the university. Those impacted have until May 1 to sign up for the services. Meanwhile, Emory University Hospital in Atlanta is notifying 315,000 patients that disks containing protected health information and Social Security numbers are missing. An Emory Healthcare official said, "There is no actual or attempted breach or hacking into any of our electronic medical records."
Full Story

DATA PROTECTION

Commissioner: “Accountability Is the Bedrock” (April 19, 2012)

Privacy Commissioner Jennifer Stoddart and two provincial privacy commissioners have together released guidance aiming to help private-sector organizations build privacy management programs, according to a press release. "Getting Accountability Right with a Privacy Management Program" advises businesses and organizations to take data protection seriously--especially as data collection and management becomes more pervasive--and aims to assure Canadian businesses that there is consistency among commissioners' expectations. British Columbia Information and Privacy Commissioner Elizabeth Denham said, based on what commissioners see in their investigations, it's necessary to outline the basics of privacy management. Stoddart noted that accountability is the bedrock of Canadian privacy law.
Full Story

PRIVACY LAW—U.S.

Oversight Board Nominees Noncommittal at Hearing (April 19, 2012)

At yesterday's U.S. Senate Judiciary Committee meeting to question the five nominees to the Privacy and Civil Liberties Oversight Board--created after September 11, 2001, to provide oversight on U.S. surveillance and security measures--members asked nominees to opine on domestic spy drones, facial recognition technology, warrantless cell phone surveillance and immunity for private companies sharing data with the military, among other privacy-sensitive topics, Courthouse News Service reports. Two nominees indicated they felt law enforcement shouldn't be permitted to conduct warrantless cell phone surveillance, but as a group, the nominees mostly declined to comment definitively on the topics at hand, according to the report.
Full Story

ONLINE PRIVACY

Berners-Lee: “Demand Your Data” (April 19, 2012)

World Wide Web creator Tim Berners-Lee has urged Internet users to demand their personal data from web companies in order to help begin a new era of customized computer services, reports The Guardian. He says consumers have not fully realized the value of their personal data held by online companies. "My computer has a great understanding of the state of my fitness," Berners-Lee said, "of the things I'm eating, of the places I'm at." By taking advantage of such personalized data, services "with tremendous potential to help humanity" could be created, but only if web companies allow users access to their data.
Full Story

HEALTHCARE PRIVACY—U.S.

HHS Reaches $100 K Settlement with Provider for HIPAA Violations (April 18, 2012)
According to an HHS press release, Phoenix Cardiac Surgery, P.C., has agreed to pay the U.S. Department of Health and Human Services (HHS) $100,000 and implement corrective measures and policies after an investigation revealed a number of HIPAA violations. An HHS Office for Civil Rights (OCR) probe uncovered HIPAA breaches that included the posting of clinical and surgical data to publicly accessible Internet calendars and limited electronic health record safeguards. OCR Director Leon Rodriguez said, "This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rule...We hope that healthcare providers pay careful attention to this resolution agreement...and OCR expects full compliance no matter the size of a covered entity."

PRIVACY LAW—EU

WP Calls for Assessment of Reform Costs to DPAs (April 18, 2012)

The Article 29 Working Party (WP) wrote a letter to Justice Commissioner Viviane Reding stating that the European Commission (EC) may not have "sufficiently recognized" the added strain data protection reforms will have on data protection authorities (DPAs), reports Out-Law.com. Calling for an independent assessment of the added costs that will come with the reforms, the letter says that without member states committing to provide "financial, human and technical resources...there is a risk that DPAs will not be able to cope with the demands on them and will act as an impediment to rather than an enabler of the innovation and growth that you are seeking to promote." The letter also suggests the EC scale back certain duties if member states and the EC are not prepared to commit to the cost of necessary resources.
Full Story

DATA LOSS—UK

ICO: Lack of Staff Training Led to Breach (April 18, 2012)

The Information Commissioner's Office (ICO) says insufficient staff training has led to the breach of two unencrypted memory sticks from a London-based hospital, COMPUTERWORLD UK reports. According to an ICO undertaking, one memory stick contained the personal information of 600 maternity patients while the other held medical data of 33 children. The ICO said, "Due to not having received up-to-date information on governance training, the employee was unaware that an encrypted device issued by the data controller should have been used."
Full Story

HEALTHCARE PRIVACY—U.S.

Study: Regulations Driving Internal Policies, But Breaches On The Rise (April 18, 2012)

Organizations prioritizing compliance with healthcare privacy regulations are increasingly doing so at the expense of protecting patient information. That's the message coming out of a new study on data breaches in the healthcare sector, Corporate Counsel reports. The "2012 HIMSS Analytics Report: Security of Patient Data" found that though 96 percent said they had conducted a formal risk analysis, 27 percent experienced a breach--an eight-percent increase from 2010--with 69 percent reporting they had experienced more than one. The study, which surveyed 250 hospital administrators, found that "changes in external policies and regulations such as HIPAA and ARRA HITECH drove updates to their action plan for securing patient information."
Full Story

DATA LOSS—U.S. & UK

Breaches Hit ICANN, University and Company (April 18, 2012)

MediaPost reports that the Internet Corporation for Assigned Names and Numbers (ICANN) has experienced a security breach. ICANN said that it has temporarily stopped accepting new domain name applications until it "can confirm that the problem has been resolved." Meanwhile, Texas A&M University has confirmed that an employee mistakenly disclosed the personal information--including names, addresses, Social Security numbers and phone numbers--of 4,000 former students. The list containing the personal data was attached to an e-mail that was sent to a student requesting a transcript. In a separate incident, Toshiba is promising the UK Information Commissioner's Office that it will handle personal data with more care after a security flaw exposed the personal data of 20 individuals.
Full Story

ONLINE PRIVACY—UK

Study: High Cookie Rate Among Popular Websites (April 18, 2012)

A recent study revealed that there are, on average, 14 tracking mechanisms per web page on the UK's most popular websites, BBC News reports. The TRUSTe study also suggests that a user will typically encounter approximately 140 cookies while visiting one site. Undertaken in March and covering the UK's 50 most popular websites, the study notes that 68 percent of the tracking mechanisms belong to third parties, most of which are advertisers. A TRUSTe representative said, "It's not illegal to do the tracking--the question is whether you are giving consumers enough awareness that it is happening and what you are doing with the data." The UK Information Commissioner's Office is expected to begin enforcing the cookie rule on May 26.
Full Story

PRIVACY LAW—U.S.

Advocates, Congressman Call for Action, New Probe Launched (April 17, 2012)
The Electronic Privacy Information Center (EPIC) has called on U.S. Attorney General Eric Holder, Jr., to launch a new investigation into Google following a Federal Communications Commission probe that resulted in a $25,000 fine. Rep. Ed Markey (D-MA) has called on Congress to hold a hearing, The Los Angeles Times reports. Google says it will file a response to the FCC report. Meanwhile, the FCC fine has some scoffing. Ryan Calo of Stanford's Center for Internet and Society calls it "a slap on the pinkie." For a company "worth almost $200 billion, this amount is so meaningless it's basically laughable," said an EPIC spokesperson. Under the EU's proposed data protection rules, Google could have paid a $990 million fine. Meanwhile, the FTC is also investigating Google in a case involving the bypassing of default privacy settings in Apple's Safari browser.

PRIVACY LAW—U.S.

CISPA Gets a Tweak, Concerns Remain (April 17, 2012)

CNET News reports that new revisions to the Cyber Intelligence Sharing and Protection Act (CISPA), which permits Internet companies to share confidential consumer data with the National Security Agency, have not eased fears that the bill will allow the government unfettered access to the private online lives of Americans. Some privacy advocates say CISPA will dismantle protections found in the Federal Wiretap Act and the Electronic Communications Privacy Act. A representative from the American Civil Liberties Union said the bill would allow the NSA to collect "all sorts of sensitive information like Internet use information and the contents of e-mails." Groups such as the Electronic Frontier Foundation, the Center for Democracy & Technology and TechFreedom have launched the "Stop Cyber Spying" campaign in an attempt to defeat the bill.
Full Story

BIOMETRICS—U.S.

Facial Recognition Software at Bars, Malls (April 17, 2012)

KABC-TV reports that an increasing number of nightclubs are using cameras equipped with facial recognition software. A number of shopping malls are also testing the technology, the report states. While some suggest it is helpful for businesses that "want to know who their customers are," other experts opine it won't be long before retail stores are using the technology to track customers' spending habits. The Federal Trade Commission says it has privacy concerns related to such uses, citing a recent Carnegie Mellon University study in which facial recognition technology was applied to individuals on an anonymous dating site, making identification possible when compared to a social media site that used real names.
Full Story

ONLINE PRIVACY

Site Aims To Help Users Understand Their Privacy (April 17, 2012)

PCWorld reports on a new site aimed at helping users understand online privacy. Priveazy launched its beta site earlier this week and allows users to watch tutorials and then take quizzes on how well they understand various sites' privacy practices. They can then take action to improve their online privacy. Lessons include topics such as browsing the web safely, blocking web trackers and protecting one's e-mail account. The site does not sell users' information to advertisers, its owner says, and destroys visitors' IP addresses after 72 hours. "We have identified four or five ways we could make money, but advertising isn't one of them. It's simply not in our DNA," he said.
Full Story

PRIVACY

Data Collection Coverage Gets Pulitzer Nod (April 17, 2012)

For its coverage of personal privacy issues, The Wall Street Journal was nominated as a finalist for the 2012 Pulitzer Prize in the Explanatory Reporting category for its "What They Know" series. In a press release from Pulitzer, The Wall Street Journal staff was included as a finalist "for its tenacious exploration of how personal information is harvested from cellphones and computers of unsuspecting Americans by corporations and public officials in a largely unmonitored realm of modern life." (Registration may be required to access this story.)
Full Story

DATA LOSS

Expert: Communication Is Key in Breach Response (April 17, 2012)

In an interview with BankInfoSecurity, Heartland Payment Systems CEO Bob Carr discusses how companies should react to a breach. Since a breach can affect the reputation of an entire industry, Carr says information sharing is key. "Share information," he says. "The bad guys might be in somebody else's system, so it is good for everyone to communicate." Carr, whose company experienced a large breach in 2008, adds, "Over the past three years, we've overcome it mainly because we took responsibility for it; we weren't trying to blame anybody else." Editor's Note: Heartland Payment Systems won the 2011 HP-IAPP Privacy Innovation Award in the technology category. Nominations are now being accepted for the 2012 innovation and vanguard awards.
Full Story

PRIVACY LAW—U.S. & EU

Opinion: The Case for American-Style Privacy (April 17, 2012)

In a column for The Daily Caller, Sidley Austin Attorney Alan Charles Raul examines the American and European approaches to privacy legislation and proposes why the former approach is better for global data flows and innovation. In light of recent proposed frameworks on both sides of the Atlantic, Raul writes, "it could turn out to be pretty important to the Internet, information technology companies and consumers whether the world goes American or European on privacy." Raul argues that the American approach is more flexible and the European approach is too rigid. "What we lack in a single, consolidated, omnibus privacy law, we make up for in a consistently aggressive standard of enforcement," writes Raul.
Full Story

PRIVACY LAW—U.S.

FCC Fines Google $25,000 (April 16, 2012)
The Federal Communications Commission (FCC) has found that Google "deliberately impeded and delayed" an investigation into its Street View data collection and has fined the company $25,000. The FCC report differs significantly in tone from a Federal Trade Commission report last year, which accepted Google's explanation that it was "mortified by what happened" when it was collecting data for its Street View project and promised improvements, reports The New York Times. But the FCC said in its report that Google "repeatedly failed to respond to requests for e-mails and other information and refused to identify the employees involved," and "unilaterally determined that to do so would 'serve no useful purpose.'" (Registration may be required to access this story.)

MOBILE PRIVACY—TURKEY

Authority Fines Three Leading Mobile Phone Companies (April 16, 2012)

The Information Technologies and Communications Authority (BTK) has fined three major mobile phone operators for violating client privacy, Today's Zaman reports. The authority has fined Turkcell, Avea and Vodafone a total of TL 13.6 million ($7.5 million) after the firms opened phone lines using customers' personal information, registering multiple lines under each person's name. The BTK implemented a new regulation in 2009 that prohibits the use of personal information to register phone lines without user consent, the report states, in an effort to thwart criminal use of individuals' information.
Full Story

PRIVACY LAW—INDIA & EU

India Seeking Adequacy Designation from EU (April 16, 2012)

The Economic Times reports on India's call for the EU to "lift restrictions on flow of sophisticated outsourcing business to India by designating it as a data secure country." The lack of an adequacy designation "prevents flow of sensitive data, such as patient information for telemedicine, to India under data protection laws in the EU," the report states. One official has said, "We have made adequate changes in our domestic data protection laws to ensure high security of data that flows in," noting that for India to receive high-end business process outsourcing, the "stamp of approval from the EU" is needed.
Full Story

FINANCIAL PRIVACY—U.S.

Card-Linked Offers Raise Privacy Concerns (April 16, 2012)

The Wall Street Journal reports on card-linked offers and the corresponding privacy concerns raised by the new practice. To gain new sources of revenue, lenders are using transaction data to offer cardholders discounts based on their shopping habits. Some worry the card-linked offers will be an invasion of consumer privacy and fear the potential effects of a security breach. According to the report, vendors and their clients note that individual consumers' identities are masked and no personal information leaves the financial institution's system. A financial technology company analyst said banks will adopt the technology slowly, adding, "You're walking on a razor's edge with privacy." (Registration may be required to access this story.)
Full Story

DATA PROTECTION—U.S.

The Privacy Officer’s Times Are A-Changin’ (April 16, 2012)

HealthImaging reports on the ways the role of the privacy officer has changed since it was mandated in 2003 by HIPAA. One expert says new regulations, technologies and data-sharing practices have required the privacy officer's evolution. "Protecting patient health information has become much more complex since 2003, when nearly all healthcare organizations used time-tested systems to protect paper records," he said. "In turn, privacy officers now require an expanding set of knowledge and skills." Modifications to HIPAA, via the HITECH Act, created additional pressure on privacy officers to conduct regular audits, investigations and risk assessments, he said, adding that one of the greatest challenges privacy professionals face today is documenting the potential for harm.
Full Story

MOBILE PRIVACY—U.S.

FTC To Host Mobile Payments Workshop (April 16, 2012)

The Federal Trade Commission (FTC) has announced it will host a workshop to "examine a wide range of issues, including the technology and business models used in mobile payments and the consumer protection issues raised," according to an FTC press release. "Paper, Plastic...or Mobile? An FTC Workshop on Mobile Payments" will be held at the FTC Conference Center in Washington, DC, on April 26 and will include representatives from industry, consumer and privacy advocacy, government, technology and academia.
Full Story

PRIVACY

Site’s Security Prompt Incites Concerns (April 16, 2012)

The Telegraph reports that a new security verification feature currently being tested by Google is raising concerns among some privacy advocates. The new feature asks users to verify their account by typing in house numbers taken from Google's Street View images. Since the house number images are blurry, the security check can filter out bots, the report states, but the data entry--checked against entries from other users--also verifies Street View data for the company. Big Brother Watch's Nick Pickles said, "There is a serious privacy issue with identifying the individual number of people's homes." A company spokesman said the security feature is only used about 10 percent of the time and that there are no security risks in the practice.
Full Story

PRIVACY LAW—U.S.

Opinion: Individuals, Not Congress, Should Decide What Is TMI (April 16, 2012)

In a feature for the San Francisco Chronicle, Future of Privacy Forum Founder and Co-Chair Christopher Wolf writes about a Senate Judiciary Privacy Subcommittee hearing on the Video Privacy Protection Act where senators expressed concern about whether consumers will share too much information if there are not legal restrictions in place. "A law limiting the ability of people to choose to share all of the movies they watch online is not what privacy law should be about," Wolf writes. "Privacy is about empowering individuals with the ability to choose what information they want to disclose and to whom. It is not the business of privacy law to decide."
Full Story

SOCIAL NETWORKING

Facebook Offering “More Disclosure” About Data Storage (April 13, 2012)
The New York Times reports that in an attempt "to address criticism of the social network's privacy practices," Facebook has said it will give users "an expanded, downloadable archive of the many types of data on individuals that the company stores and tracks." The announcement came in the form of a post on Facebook's privacy blog that indicated the site would expand its "Download Your Information" archive. Max Schrems, a law student who has challenged Facebook's data collection practices in the EU, responded, "We welcome that Facebook users are now getting more access to their data, but Facebook is still not in line with the European Data Protection Law." (Registration may be required to access this story.)

ONLINE PRIVACY—U.S.

Huseman Heads to Amazon (April 13, 2012)

Intel's Senior Policy Counsel Brian Huseman, CIPP/E, CIPP/US, is heading to Amazon to fill a newly created privacy position, POLITICO reports. In early May, Huseman will assume the role of director of federal policy. Huseman has been with Intel since 2008, the report states, and before that he worked at the Federal Trade Commission.
Full Story

PRIVACY LAW—INDIA

Panel To Submit Privacy Bill Report by June (April 13, 2012)

Led by retired Delhi High Court Judge Ajit P. Shah, a committee comprised of public- and private-sector representatives says it will submit a report of the proposed privacy bill by the end of June. Formed in February by the Planning Commission, the panel was expected to submit the report by the end of March. "There were some procedural delays, but we are meeting soon to start the proceedings," said Shah. "We have to give our recommendations by June."
Full Story

DATA THEFT—U.S.

Health System Fires Data Thieves, CWRU Notifies Alumni of Breach (April 13, 2012)

Florida's Memorial Healthcare System has begun notifying 9,500 patients that their personal information--including names, dates of birth and Social Security numbers--may have been stolen by two former employees, The Miami Herald reports. The employees have been terminated, according to the report. Meanwhile, Case Western Reserve University officials have notified 600 alumni that their sensitive personal data may be vulnerable due to the theft of two unencrypted laptop computers two months ago.
Full Story

ONLINE PRIVACY

Privacy-Focused ISP Raises $43K in One Day (April 13, 2012)

CNET reports that Nicholas Merrill's efforts to launch a "privacy-protective and surveillance-resistant" ISP appear to be paying off--raising more than $43,000 in donations in one day on a crowd-funding site. "I had no idea that the crowd funding would take off as much as it has in such a short time," Merrill said. "I hope that people will continue to spread the word and help Calyx reach its funding goal so this plan can come to fruition sooner rather than later." The goal is to raise $1 million, the report states.
Full Story

SSN PRIVACY—U.S.

Study: 20 Percent of Nonprofits Include SSNs on Public Docs (April 12, 2012)
A recent study has revealed that nearly one in five nonprofits publish Social Security numbers (SSNs) on public tax documents, The Chronicle of Philanthropy reports. Conducted by a security and privacy software company, the study analyzed more than three million tax returns--Form 990s--submitted between 2001 and 2006 and found that approximately 132,000 charities published at least one SSN on their tax forms, the report states. A majority of the SSNs belonged to donors, trustees, employees, directors and scholarship winners. The chief executive of the company that conducted the survey said, "Given the seriousness and ubiquity of identity fraud, tax preparers should avoid including" SSNs on Form 990s.

PRIVACY LAW—CANADA

Commissioner: Breach Notification Should Be Mandatory (April 12, 2012)

BC Privacy Commissioner Elizabeth Denham wants private businesses to be required to report privacy breaches. BC needs to amend its Personal Information Protection Act, Denham told CBC News, or watch the province fall behind other jurisdictions. Breaches have reached "epidemic" proportions there, she says, adding that her office investigated 500 cases last year in the private and public sectors, and oftentimes her office found out about the breaches as a result of media reports. "I would like to get a commitment from government--but I know that they are looking at it," Denham said.
Full Story

HEALTHCARE PRIVACY—U.S.

ONC Issues Privacy and Security Guidance for SDEs (April 12, 2012)

Last month, the Office of the National Coordinator (ONC) released privacy and security guidance for state designated entities that have received awards under the State Health Information Exchange Cooperative Agreement Program, Government Health IT reports. The guidance--known as the Program Information Notice--draws from recommendations from the ONC Health IT Policy Committee and the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information, the report states. The guidance focuses on individual access; correction; openness and transparency; individual choice; collection, use and disclosure limitation; data quality and integrity; safeguards, and accountability.
Full Story

EMPLOYEE PRIVACY—U.S.

Teacher Alleges Privacy Violation (April 12, 2012)

WSBT-TV reports on a legal battle at an Indiana school district over whether employers have the right to look at an employee's Facebook page. Teacher Kimberly Hester says that after one student's parent found a picture Hester posted inappropriate, her school's principal asked that she open her Facebook page in front of him. Upon her refusal, Hester says, she was put on paid administrative leave and finally suspended. The principal maintains that he never asked Hester for her password and that the school district has done nothing wrong. "If we don't fight for our rights, then nobody will, and this is the right to privacy," Hester said. Maryland recently passed a law related to such practices.
Full Story

PERSONAL PRIVACY—UK

Gov’t Says Consent Required for Third-Party Access (April 12, 2012)

The Department of Energy and Climate Change says third-party companies will not be able to access consumer smart meter data without their consent, Out-Law.com reports. "Consumers should be able easily to access their own smart metering energy consumption data, and share it with third parties, should they choose to," said the department in its consultation on data access and privacy for its smart meter implementation program. The department says safeguards will be put in place to verify that the person granting third parties access to data is valid. "This information is useful to energy suppliers, but it is also potentially valuable to a whole host of other organizations, too," said one expert.
Full Story

PRIVACY LAW—U.S.

Judge Throws Out Site’s Reimbursement Request (April 12, 2012)

A federal judge has dismissed Facebook's attempt to recover more than $700,000 in legal fees stemming from a potential class-action lawsuit that was thrown out last year, MediaPost News reports. Five individuals sued Facebook for allegedly contravening California's publicity law because the site used their names and images in its Friend Finder advertisements. U.S. District Court Judge Richard Seeborg said that while Facebook "may have achieved its 'objective' of a dismissal, the decision in effect was only that plaintiffs had sued in a forum that could not decide their claims, not that the claims failed for a substantive reason."
Full Story

PRIVACY

Expert: Three Steps To Creating “Culture of Compliance” (April 12, 2012)

In an interview with BankInfoSecurity, Indiana-Bloomington University Clinical Assistant Professor of Management Jan Hillier says establishing a "culture of compliance" in an organization requires more than "management by committee." Instead, a culture of privacy and compliance should come from rank-and-file staff across all departments. Hillier says, "Leaders frequently want to form a committee with representatives of various departments on it to manage change," adding, "Management by committee is a mistake." Hillier's three-step approach to a compliance culture includes defining a vision, creating a change vision value proposition and managing the process.
Full Story

ONLINE PRIVACY—U.S.

Entrepreneur Plans To Launch Privacy-Friendly ISP (April 11, 2012)
CNET News reports on plans by Nicholas Merrill to launch a telecommunications provider "designed from its inception to shield its customers from surveillance." A veteran of running ISPs, Merrill is raising money to create the Calyx Institute, a national "nonprofit telecommunications provider dedicated to privacy, using ubiquitous encryption" that will not only provide Internet connectivity but mobile phone service as well. The service, the report states, will also challenge the legality and constitutionality of the USA PATRIOT Act. "Calyx will use all legal and technical means available," says Merrill, "to protect the privacy and integrity of user data."

DATA LOSS—U.S.

Utah Governor Pledges Breach Alleviation (April 11, 2012)

After the personal information of nearly 800,000 Utah residents, including the Social Security numbers of approximately 225,000, was compromised in a security breach last month, Utah Gov. Gary Herbert has vowed to commit everything in his power to help citizens regain trust in government, The Salt Lake Tribune reports. In a statement, Herbert said, "The Department of Technology Services is doing everything they can to restore security. Now we must do everything we can to restore trust." Meanwhile, Thomas Jefferson University Hospitals has notified as many as 600 patients of a reported theft of radiology records, and a Seton Healthcare Family affiliate mistakenly mailed approximately 555 health plan member cards to incorrect recipients.
Full Story

PRIVACY LAW—U.S.

Opinion: Maryland Law Leaves Breathing Room (April 11, 2012)

Earlier this week, Maryland became the first state in the U.S. to ban employers from asking employees and job applicants for their social media account passwords. Similar bills are pending in five other U.S. states. But the law, while seemingly overly broad at first, contains no enforcement provision, opines Phil Gordon of Littler Mendelson, an employment and labor law firm. Further, "It's critical for employers to understand the types of conduct that the law does not prohibit," he writes, including passwords to personal devices, such as smartphones, and "shoulder surfing," meaning an employer could still ask an employee to log in to a social media site while the employer observes.
Full Story

ONLINE PRIVACY

Meeting To Determine Do-Not-Track Standards (April 11, 2012)

The "privacy showdown at the DC corral." That's what the Center for Digital Democracy's Jeff Chester is calling the World Wide Web Consortium's (W3C's) do-not-track working group's meeting this week, which aims to establish standards on the W3C privacy tool, reports NationalJournal. Hosted by Microsoft, the three-day meeting will consider proposals submitted by a number of stakeholders, including the Electronic Frontier Foundation and Mozilla, and one developed by a group of online advertising groups. The difficulty will likely be in determining under what circumstances a user's do-not-track preference may be overridden. Some experts suggest do not track include exceptions for cases of fraud prevention or for website functionality, but others warn too many loopholes will make the mechanism meaningless.
Full Story

DATA PROTECTION—U.S.

Board Calls on Gov’t For Medical Device Standards (April 11, 2012)

A privacy and security advisory board is calling on the government to grant a federal authority such as the Food and Drug Administration the power to assess the security of wireless medical devices before they are put on the market, Wired reports. The Information Security and Privacy Advisory Board sent a letter to the Office of Management and Budget stating that due to advances in technology, an unauthorized third party could potentially communicate and tamper with the medical devices. The board suggests working with the National Institute of Standards and Technology to determine risks and asks that the government take a lead in informing doctors and patients about them.
Full Story

HEALTHCARE PRIVACY—U.S.

Study: Uptick in Regulations Hasn’t Prevented Uptick in Breaches (April 11, 2012)

Healthcare IT News reports on a new study indicating healthcare providers are "still badly lacking when it comes to privacy protections." Increased and more stringent regulations on reporting and auditing procedures have not succeeded in reducing the number of breaches in recent years, the report states. Rather, breach incidents have increased in the last six years, with more than two-thirds of those surveyed having experienced a breach in the last 12 months. The 2012 "HIMSS Analytics Report: Security of Patient Data" also found that human error was the leading cause of security breaches and mobile devices also pose a significant risk.
Full Story

SURVEILLANCE—U.S.

Opinion: Drone Fears “Warranted” but “Premature” (April 11, 2012)

Forbes contributor Greg McNeal reports on the legal, policy and privacy implications of domestic drone use in light of the Federal Aviation Administration (FAA) Modernization and Reform Act of 2012. "While a robust public debate over the bill and the domestic use of drones is warranted," writes McNeal, "the conclusion that widespread privacy violations are imminent is premature." McNeal says the bill sets forth several provisions that "seek to implement a very broad framework under which the FAA can explore the uses and feasibility of such a program." Under the bill, the FAA will "draft plans, standards and rules," which will provide "a public process where civil liberties and privacy groups will no doubt have a voice in crafting the rules," he writes.
Full Story

PRIVACY LAW—UK

Companies Risk Cookie Regulation Fines (April 10, 2012)
Financial Times reports that a majority of British companies are not prepared for the new cookie regulations slated to go into effect this May. According to KPMG, approximately 95 percent of UK companies have not yet reached compliance with the new rules and could risk fines up to £500,000. Online companies worry consumers will become annoyed with repeated cookie permission requests and that they will lose valuable consumer data. One representative from a web analytics company said, "If you follow the letter of the law, you will go bust very quickly...It's like asking a retailer to operate with a blindfold on." Several companies are hoping the Information Commissioner's Office will take a lenient view, the report states, but many worry that European regulators "might not take the same approach." (Registration may be required to access this story.)

SOCIAL NETWORKING

Privacy Concerns Raised by Facebook-Instagram Merger (April 10, 2012)

After yesterday's announcement that Facebook has acquired Instagram, several privacy advocates and users are worried the merger will create new privacy issues, CNET News reports. Facebook CEO Mark Zuckerberg said in a pledge yesterday that the company would not "integrate everything." Stanford University Center for Internet and Society Researcher Ryan Calo said, "The larger issue for me is that Facebook is adding Instagram data to its own...I picture the consumer happily paddling down a data rivulet only to find themselves suddenly on the open waters of the social sea." Instagram's privacy policy does not indicate what happens in an acquisition, but the Center for Democracy & Technology's Justin Brookman said, even after the merger, users who "signed up under certain, privacy-protective terms" still have valid protections, but "for new data posted to Instagram, Facebook can set new terms."
Full Story

PERSONAL PRIVACY—U.S.

Maryland First State To Ban Employers From Requesting Passwords (April 10, 2012)

Maryland became the first state in the U.S. to ban employers from asking employees and job applicants for their social media account passwords, The Hill reports. The legislation, passed Monday, was drafted in response to a case involving a Maryland corrections officer, whose employer asked for his Facebook password to check for gang activity. He refused and contacted the American Civil Liberties Union, which filed a lawsuit. Maryland "has trail-blazed a new frontier in protecting freedom of expression in the digital age and has created a model for other states to follow," said an ACLU spokesman. Lawmakers are now in the process of drafting national legislation.
Full Story

MOBILE PRIVACY—U.S.

FCC Announces Planned Database For Stolen Smartphones (April 10, 2012)

Addressing the on-the-rise crime of smartphone theft, the Federal Communications Commission (FCC) and wireless phone industry plan to create a central database to track stolen phones and prevent them from being used again, reports The New York Times. Julius Genachowski, chairman of the FCC, will meet with police chiefs and representatives from the wireless phone industry this week to announce the plan. Sen. Charles Schumer (D-NY) plans to draft legislation making it a federal crime to tamper with a phone's unique identifiers, which will be used to disable a phone from being used once it's reported stolen. "Our goal is to make a stolen cellphone as worthless as an empty wallet," Schumer said. (Registration may be required to access this story.)
Full Story

HEALTHCARE PRIVACY—U.S.

Texas Needs 10,000 Health IT Workers (April 10, 2012)

In order to meet its goals when it comes to implementing electronic health records (EHR) at healthcare provider facilities, Texas will need 10,000 more health IT workers by 2013, reports InformationWeek. That's according to a new report by the Department of Health Information Management at Texas State University San Marcos, which revealed that authorities had underestimated the number of IT employees required. Estimates originally predicted the state would need around 3,500. The report's findings were based on interviews with 94 health IT employers on operations at their offices--including vacancies and positions they expect to hire in 2013. The fast pace of EHR implementation is the result of government incentive programs initiated in 2009.
Full Story

ONLINE PRIVACY—U.S.

No Consensus Yet on Do-Not-Track Mechanisms (April 10, 2012)

NPR reports on the ongoing debate over how best to implement web browsing privacy for online users. More than 10 million users have already clicked the do-not-track button on browsers that now offer the option. The World Wide Web Consortium's Tracking Protection Working Group will meet this week in Washington, DC, to try and determine standards for how websites should respond to a user's signal that they don't want to be tracked online. But Mike Zaneis of the Interactive Advertising Bureau says a "big red flashing button on a browser toolbar" will scare users into clicking it, robbing them of the value exchange in content and free services that tracking allows sites to offer users.
Full Story

HEALTHCARE PRIVACY—U.S.

Opinion: Privacy and Care are Not Mutually Exclusive (April 10, 2012)

In a column for FierceHealthIT, Ken Terry writes that several cost-effective steps can be implemented to curb healthcare security spending and limit data breaches. A few recent examples, according to Terry, prove that universal encryption of data "could eliminate the biggest source of breaches," while the virtual desktop infrastructure ends the need "to store any personal health information on end-user devices." Since, in general, hackers seek Social Security numbers, Terry asserts, the "only cure for that...is to replace the 'social' with a national patient identifier." With patient control of data among potential security and privacy challenges, healthcare providers could do a better job educating patients about available data control options, he writes.
Full Story

DATA LOSS—U.S.

Medical Breach Affects 182,000 (April 9, 2012)
Utah health officials said the hackers that accessed state computers have compromised approximately 182,000 beneficiaries of Medicaid and the Children's Health Insurance Program, The Washington Post reports. Among those affected, hackers may have accessed as many as 25,000 individuals' Social Security numbers. The Utah Department of Health is alerting those affected and offering one year of free credit monitoring. Meanwhile, a Massachusetts-based medical center is notifying 6,831 patients that their financial information--including credit card numbers and security codes--was compromised when documents containing the data were improperly disposed of. The Recorder reports that health data breaches are becoming fertile ground for class-action lawsuits. (Registration may be required to access this story.)

SOCIAL NETWORKING

Apps As Portals to Personal Data (April 9, 2012)

The Wall Street Journal reports on the social networking app industry and the ways in which developers gain vast amounts of users' personal data. After an examination of 100 of the most popular Facebook apps, The Wall Street Journal found that apps sought a range of personal data--from e-mail addresses to sexual preferences of the user and user's friends. The force behind personal data collection, the report states, "reflects a fundamental truth" about Facebook and the Internet economy--users are paying for free services with personal data rather than money, and companies then profit from that data. According to one market researcher, taking into account the entire "app economy," the burgeoning industry is estimated to have generated $20 billion in revenue in 2011. Editor's Note: The IAPP will host the session Mobile Applications and Third-party Platforms and Social Media at the Practical Privacy Series in Chicago and New York. (Registration may be required to access this story.) 
Full Story

DATA LOSS—U.S.

TRICARE Contractor Says Insurance Will Cover Breach Costs (April 9, 2012)

In a filing with the Securities and Exchange Commission last week, Science Applications International Corp. (SAIC) disclosed that it has enough insurance to cover settlements over the 2011 TRICARE breach, Nextgov reports. The incident involved the theft of computer tapes containing the medical records of 4.9 million beneficiaries of the military health insurance program, contracted with SAIC. Since the incident, several victims have found potentially fraudulent activity on their accounts, and several lawsuits have been filed--one claiming $4.9 billion in damages. SAIC says that after a $10 million deductible, its insurance policy will cover any costs. 
Full Story

HEALTHCARE PRIVACY—UK

FOIA Request Reveals Patient Data Breaches Have Doubled (April 9, 2012)

The number of security breaches involving missing or mishandled patient records has doubled in the last four years. That's according to The Telegraph, which reports that a Freedom of Information Act inquiry revealed incidents such as medical tests in bins outside of hospitals, personal data left on public transportation and faxes sent to unintended recipients. The number of incidents increased from 90 in 2008 to 179 in 2011, the report states.
Full Story

HEALTHCARE PRIVACY—CANADA

Privacy Director Eliminated, Commissioner Concerned (April 9, 2012)

Saskatchewan Information and Privacy Commissioner Gary Dickson is concerned with a recent change at Saskatoon Health Region, The StarPhoenix reports. The organization has eliminated its director of privacy and compliance, who reported to a superior one step away from the CEO. The model was an excellent one for other organizations to follow, Dickson said, adding, it's important to have privacy officers reporting to top-level officials because, otherwise, "sometimes the advice that needs to get to the people ultimately responsible for an organization tend to get filtered out, diluted or just aren't clearly presented." Editor's note: To see where the majority of privacy management functions reside in relation to the organization's top management, view the IAPP 2012 Privacy Professionals Role, Function and Salary Survey. (IAPP member login required.)
Full Story

PRIVACY LAW

Google Defends New Policy To CNIL (April 6, 2012)
Google is defending its new privacy policy to French data protection regulator the CNIL, Reuters reports. In its response to the CNIL's request that Google answer "69 questions on its privacy policy before 5 April," the company's global privacy counsel said it is "convinced that the overall package of our privacy notices respects completely the requirements of European data protection law." The company answered half of the CNIL's questions in its 18-page letter and will provide answers to the remainder of the questions by April 15. CNIL may issue an administrative caution or a fine, according to Article 29 Working Party Chairman Jacob Kohnstamm.

DATA LOSS

Arizona Man Pleads Guilty in Sony Hack (April 6, 2012)

An Arizona man and former member of the hacker group Lulz Security yesterday pleaded guilty to hacking Sony Pictures Entertainment computers, the Mercury News reports. Cody Kretsinger faces 15 years in prison for federal charges of conspiracy and unauthorized impairment of a protected computer, the report states. Kretsinger was arrested in September 2011 for his role in what was one of the largest data breaches of that year.
Full Story

HEALTHCARE PRIVACY—U.S.

NY Establishes Committee on Sharing, Access Policies (April 6, 2012)

The New York eHealth Collaborative and New York State Department of Health have established a new state committee to handle patient privacy and health data access, InformationWeek reports. The Statewide Health Information Network of New York Policy Committee is tasked with creating and updating policies to protect personal health information while permitting sharing between healthcare providers and will be comprised of 16 members including public officials, healthcare providers, attorneys and public advocates, the report states. A recent New York Civil Liberties Union report criticized the state's current policies on the sharing of electronic medical records, including that providers do not need patient consent to access records.
Full Story

PRIVACY LAW—U.S.

Class-Action Suit Filed Over Tracking (April 6, 2012)

Top Class Actions reports on a federal suit claiming social network Path's mobile app "spies on consumers; gathers sensitive data such as their exact location, photos and videos; tracks their mobile browsing activity and more, and then stores this information" in an insecure manner. The class-action lawsuit, filed at the end of March, comes in the wake of Path's apology in February after it was discovered that its software automatically uploaded address books without users' consent. The suit alleges that Path accessed the information "knowingly, and with the intent to obtain data" and seeks an injunction as well as damages and restitution. Meanwhile, COMPUTERWORLD reports on Path's upgrade of its app security.
Full Story

HEALTHCARE PRIVACY—U.S.

Experts: Breaches Indicate Need for Encryption (April 6, 2012)

The recent breach at Howard University Hospital in Washington, DC, and another at California's Department of Child Support Services involving the loss of backup tapes containing records on 800,000 individuals are the latest in a series of preventable breaches and indicate the need for data encryption, says one expert. Mark Bower of Voltage Security says in the case of the hospital--in which a contractor downloaded patient files to a personal laptop--the data should have been deidentified on an individual basis. Another expert says the department of child support services should have encrypted the tapes--which included health insurance information and driver's license numbers.
Full Story

ONLINE PRIVACY—U.S.

Opinion: Pressure, Bills Not Enough (April 6, 2012)

Writing for part one of the Ars Technica "DCoded" series, Aaron Brauer-Rieke of the Center for Democracy & Technology describes the current "scattershot" congressional approach to dealing with data privacy concerns in the smartphone era as encouraging but "unsustainable." Bills and pressure are not enough, he writes. Brauer-Rieke mentions the two recent reports released by the Obama administration and the Federal Trade Commission, saying of the latter that, absent congressional support, some of the best suggestions lack teeth. He goes on to say, "The bottom line is this: We deserve to have better laws on the books. Modest progress is welcome, but without fundamental change, our privacy remains at risk."
Full Story

PERSONAL PRIVACY—U.S.

Opinion: Who Owns Our Data? (April 6, 2012)

In a Los Angeles Times column, David Lazarus asks a question he describes as fundamental to current debates around privacy protection, "Who owns your personal information--you or the business you share it with?" Lazarus questions "whether your name, address, birth date and other sensitive data can be reasonably considered yours in an age when we've all been reduced to computer bits and when personal info has become a commodity to be bought and sold by marketers and merchants." The report includes perspectives from FTC officials, business executives and the Electronic Privacy Information Center's Marc Rotenberg, who notes that such data is considered by many businesses as "their primary asset."
Full Story

SOCIAL NETWORKING—CANADA

Commissioner Releases Facebook Probe Results (April 5, 2012)
Privacy Commissioner Jennifer Stoddart on Wednesday released results from three investigations into complaints filed about Facebook, The Canadian Press reports. Stoddart said the site has made improvements in some areas but needs to build privacy in from the beginning when introducing new features, according to an Office of the Privacy Commissioner press release. Stoddart said that the company is "providing clearer, more understandable information to members on various personal information handling practices," but added, "Despite these general improvements, we were disappointed that Facebook hadn't anticipated the widespread privacy concerns that followed the launch of its 'friend suggestion' feature."

PRIVACY LAW—U.S.

Committee To Hold Oversight Nominations Hearing (April 5, 2012)

The U.S. Senate Committee on the Judiciary has announced it will hold a hearing on "Nominations to the Privacy and Civil Liberties Oversight Board" on April 18. Last December, Sen. Patrick Leahy (D-VT) said, "At a time when our nation faces growing threats to our national security at home and abroad, and in cyberspace, having a fully functioning Privacy and Civil Liberties Oversight board to help ensure that privacy and civil liberties concerns are appropriately considered in our national security policies is more important than ever before."
Full Story

DATA LOSS—U.S.

Patients Notified of Breaches Involving Health Data (April 5, 2012)

A state department of health and a hospital have both announced breaches this week. The Utah Department of Health says hackers accessed information on 24,000 individuals last week. The information includes Medicare data such as client names, addresses, birth dates, Social Security numbers, physician names and procedure codes, FOX 13 News reports. Meanwhile, Howard University Hospital in Washington, DC, has notified patients that their health information was potentially disclosed in late January when a former hospital contractor downloaded patient files to a personal laptop. A recent report on protected health information by IT security firm Redspin found that 19 million patient health records were breached last year, up 97 percent from 2010.
Full Story

PRIVACY LAW—U.S.

Colorado Strikes Down Internet Tax Measure (April 5, 2012)

The U.S. District Court of Colorado has halted efforts to institute an Internet tax on Colorado families and businesses, The Denver Post reports. The court entered a permanent injunction against a measure that would have required out-of-state online businesses to report online Colorado consumers to the state's Department of Revenue so it could penalize consumers for failing to pay a "use tax" on Internet purchases, the report states. The court found that the measure discriminates against and "imposes an undue burden" on remote sellers. The Colorado ruling follows a similar one in North Carolina, which addressed First Amendment and privacy concerns in relation to the reporting.
Full Story

FINANCIAL PRIVACY

Opinion: “Cashless Society” Will Need Privacy Provisions (April 5, 2012)

In a feature for The New York Times, George Mason University Senior Research Fellow Jerry Brito writes of Canada's move to eliminate the penny in coin form, suggesting it is "almost inevitable that digital money will soon replace not just the penny, but all physical money--in the U.S., Canada and elsewhere." While that makes sense in terms of costs and efficiency, he notes, "when it comes to privacy and freedom, cash can't be beat." In the move toward a "cashless society," Brito writes, "preserving some untraceable payment method" is necessary to "defend consumers' privacy and limit the power of government and businesses." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

FTC Approves Settlement with Rebate Company (April 4, 2012)
The Federal Trade Commission (FTC) has approved its settlement with Upromise, PCWorld reports. The FTC alleged in a complaint that the rebate company's toolbar featured a "personalized offers" setting that collected users' information for targeted ads and, in 2009, began collecting data from users' shopping and banking sites, though its privacy policy said such data "would be filtered out before it was transmitted to the company." The settlement, revealed earlier this year and opened to a public comment period, bars Upromise from making misrepresentations about its policies and requires that it establish an information security program. It also must undergo independent audits for 20 years.

ONLINE PRIVACY—U.S.

Groups Call on White House for Rules (April 4, 2012)

Sen. Al Franken (D-MN) and a number of public interest groups are urging the Obama administration to fight for new measures to regulate online privacy, The Hill reports. Along with the senator, dozens of organizations and companies submitted comments to the National Telecommunications and Information Administration, which has been tasked by the White House with leading talks among stakeholders on how best to develop codes of conduct to protect users online. The groups wrote to the agency that voluntary codes won't be enough and legislation is necessary. The Digital Advertising Alliance, however, wrote that legislation won't be flexible enough to keep pace with technology and instead supports the voluntary codes.
Full Story

MOBILE PRIVACY

Study: Majority Use Geolocation, Privacy Concerns Persist (April 4, 2012)

IDG News reports on a study revealing that nearly 60 percent of smartphone users acquire geolocation apps even while the respondents expressed privacy and safety concerns. Conducted by ISACA, the study polled 1,000 smartphone users. Some of the largest concerns for the users, according to the report, are advertisers' access to their data and possible risks to their personal safety. A representative from the Center for Democracy & Technology said, "If you think about it, most of us have one location where we spend our daytime hours at work and one location where we spend our nighttime at home, so after just a day or two of these data points, it's fairly obvious who they describe." Meanwhile, TRUSTe is releasing a new tool to help mobile companies target smartphone users while also allowing users to opt out of in-app advertising.
Full Story

RFID—U.S.

State Senate Considers RFID License Plates (April 4, 2012)

A bill has been approved by a Connecticut Senate subcommittee to explore the viability of inserting RFID tags in license plates, NASDAQ.com reports. The identification tags could track and automatically generate tickets for overdue vehicle registration, emissions or car insurance. A representative from the American Civil Liberties Union of Connecticut said, "Using RFID technology to track the movements of drivers and their cars is so incredibly invasive that we don't see how it could fail to violate the right to privacy...The chips broadcast individually identifiable information to anyone with a receiver, and the potential for abuse, by the government or by private industry, is staggering."
Full Story

EMPLOYEE PRIVACY—U.S.

Social Media Password Sharing: Where’s the Precedent? (April 4, 2012)

In a column for The Atlantic, Megan Garber reports on recent issues raised in cases where job applicants or employees are asked to share their online passwords with employers. With initiatives to address the issue stalled in state and federal legislatures, it's the courts that may have to determine a future course, Garber writes, adding, "there's nothing on the books that stipulates, in specific terms, which privacy claims we hold on behalf of our online selves." Meanwhile, Bloomberg reports that social media password sharing "could pose major legal, ethical and public relations challenges for employers." Editor's Note: The IAPP is hosting a web conference, The Privacy Line Between Employee and Employer--Shifting Legal Boundaries, on April 12.
Full Story

ONLINE PRIVACY—UK

ICC UK Releases Cookie Guide (April 4, 2012)

The International Chamber of Commerce UK has released a cookie guide designed to help organizations comply with new EU cookies rules. The guide aims to "give practical recipes to website operators so they can provide users with information in language they can understand and enable users to make an informed choice," says Gabriel Voisin of Bird & Bird, adding, "As the ICO deadline for compliance is coming up (May 25), this guide should be viewed by website operators as an additional opportunity to address the issue." David Evans of the UK Information Commissioner's Office describes the guidance as "a good starting point from which (organizations) can work towards full compliance."
Full Story

PRIVACY LAW—CANADA & U.S.

Officials: U.S. Laws Too Weak for Border Deal (April 3, 2012)
Canadian Privacy Commissioner Jennifer Stoddart and her provincial counterparts have issued a warning that a new border security deal with the United States could breach Canadian citizens' privacy, The Chronicle Herald reports. The deal could result in Canadians' private data being secretly shared with the U.S. or could see it "fall under the control of a foreign jurisdiction," the report states. The deal, announced by Canadian Prime Minister Stephen Harper and U.S. President Barack Obama last year, would see an increase in sharing of security details. But Canadian privacy officials say data stored on U.S. servers would be at risk because some U.S. privacy laws are weaker than those in Canada.

BEHAVIORAL TARGETING

Studies: Users Are Confused By Icons (April 3, 2012)

MediaPost reports on recent studies that the "centerpiece of the ad industry's self-regulatory privacy program"--icons aimed at advising users about behaviorally targeted ads--is confusing to users. The pair of Carnegie Mellon University studies "cast doubt on whether the icons effectively inform Web users about data-based advertising," the report states. A study of 1,500 Internet users found that "icons, taglines and landing pages fell short both in terms of notifying participants about OBA and clearly informing participants about their choices." The second, which focused on interviews with 48 Internet users, found that "five out of 48 thought the icon was aimed at informing users about tailored ads," the report states.
Full Story

SURVEILLANCE—UK

New Gov’t Surveillance Powers Raise Concerns (April 3, 2012)

The Information Commissioner's Office (ICO), British lawmakers and privacy advocates are raising concerns that a proposed expansion of government surveillance powers will be an invasion of citizens' privacy. The proposed plan, to be introduced later this year, would require ISPs to install monitoring hardware, which would allow the Government Communications Headquarters to examine the communications of any British citizen--including e-mails, phone calls and websites visited--without a warrant. Police and other intelligence authorities would also be able to access the data, The Telegraph reports. The ICO said the "case still needs to be made" for the proposed plan, and the move would be a "step change in the relationship between the citizen and the state."
Full Story

PRIVACY LAW—EU & HUNGARY

Disputed DPA Law Amended (April 3, 2012)

A state news service has said that Hungary has amended its "disputed bill on the data protection agency (DPA) to bring the law in line with European Union recommendations," Bloomberg reports. "The amendment strengthens the agency's independence and curbs the power of the president and the prime minister to dismiss the head of the institution," news service MTI has reported. The announcement comes amidst infringement procedures the EU started against Hungary over multiple pieces of legislation. Politics.hu reports the government presented its official response to the European Commission last Friday.
Full Story

PRIVACY LAW—EU & IRELAND

Student To Bring Facebook Concerns to EC (April 3, 2012)

The student who challenged Facebook's data collection policies may complain to the European Commission that Ireland's Office of the Data Protection Commissioner (DPC) has not yet brought the site into compliance, The Irish Times reports. Max Schrems is "also considering a case in the Irish courts" over the social network's data collection policies. In December, the DPC "issued a report and to-do list to make Facebook compliant before a second audit in July," with Facebook working toward "simpler explanations of its privacy policies" by March 31. A DPC official has said that while that deadline was not met, Facebook is "very engaged, I'm seeing a lot of effort and response."
Full Story

PRIVACY LAW—U.S.

FTC Rules Place CIOs Between Rock and Hard Place (April 3, 2012)

The Wall Street Journal reports on the "strong message" the Federal Trade Commission (FTC) has sent to chief information officers (CIOs) and organizations delving into Big Data. In light of the FTC's final privacy report, CIOs who create the tools that make data collection possible are "caught between the rock of business requirements and the hard place of possible enforcement actions," the report states. FTC Consumer Protection Bureau Director David Vladeck said, "I think one message we can send: If we bring cases against Google and Facebook, we can bring cases against anyone," adding, "We need to clean up commerce on the Internet." (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

If Web Tracking Is Regulated, What Happens To Revenue? (April 3, 2012)

Reuters reports on big brands' dependence on targeted advertising and fears surrounding the effect do-not-track rules could have on business. L'Oreal, for example, has increased its ability to reach its ideal consumer by 168 percent, according to Nugg.ad, the company that performs its web tracking functions. "There is no way websites will survive without targeting," said a spokesman from the Internet Advertising Bureau. Nugg.ad says it is unclear how much revenue could be lost as a result of requiring users to grant explicit consent in order to be tracked, but it could definitely hurt business.
Full Story

DATA THEFT

Payment Processing Breach Affects 1.5 Million (April 2, 2012)
The security breach of Global Payments, Inc., reported last Friday, has affected 1.5 million card numbers, according to The New York Times. Hackers reportedly compromised Track 1 and Track 2 data--including names, card numbers and validation codes--but in a statement, the company said the breach was limited to Track 2 data and did not include Social Security numbers, addresses or cardholder names. The company said, "Based on the forensic analysis to date, networking monitoring and additional security measures, the company believes that this incident is contained." In response, Visa has removed Global Payments from its approved providers list, the report states. (Registration may be required to access this story.)

SURVEILLANCE—U.S.

Phone Tracking Common Law Enforcement Tool (April 2, 2012)

Local police departments around the country are increasingly tracking suspects through cell phone activity, The New York Times reports. To determine a suspect's location, cellphone carriers are charging law enforcement officials "surveillance fees," according to the report. With some police departments using the surveillance without court orders, the American Civil Liberties Union says the practice raises legal and constitutional concerns, particularly in light of January's Supreme Court decision on GPS tracking. Congress and several states are considering legislation to more narrowly define restrictions on cell phone tracking. (Registration may be required to access this story.)
Full Story

GEO PRIVACY

App Creator Defends “Girls Around Me” (April 2, 2012)

The Wall Street Journal reports that the developer of a mobile app that employs publicly available information from two social networks to give users the locations of women in their vicinity "defended its intentions Saturday after drawing a firestorm of criticism over privacy concerns." Over the weekend, one of the networks the app relies on for data cut off its access, the report states, citing violation of its policies on "aggregating information across venues." "Girls Around Me" app developer i-Free Innovations said it is "unethical to pick a scapegoat to talk about the privacy concerns. We see this wave of negative as a serious misunderstanding of the apps' goals, purpose, abilities and restrictions." (Registration may be required to access this story.)
Full Story

PRIVACY—U.S.

FTC Chair: In Privacy Protection, “Stakes Are High” (April 2, 2012)

In a feature for The Washington Post, Federal Trade Commission (FTC) Chairman Jon Leibowitz writes about the FTC's recent report on privacy, describing privacy in the words of Louis Brandeis as "the most comprehensive of rights and the right most valued by civilized men." Detailing the goals of the report and what both public- and private-sector organizations need to do to ensure privacy rights are protected, Leibowitz writes, "The stakes are high. There are clear benefits to the collection and sale of personal information...But allowing the minute details of our browsing behavior, shopping habits and even sensitive financial, health and family decisions to run loose in a freewheeling, high-tech data market comes with equally clear risks." (Registration may be required to access this story.) Editor's Note: The IAPP will host a web conference on the FTC's final report this Tuesday, April 3.  
Full Story

BIOMETRICS

The Rise of Voice Recognition Technology (April 2, 2012)

The New York Times reports on voice recognition technology developed by Nuance Communications. Going beyond dictation, the new technology can extract meaning from and respond to human voice commands and, in addition to computers, could be featured in common household appliances. Privacy advocates worry that the biometric identifier will leave a digital trail for more data mining. The company says its system recognizes individuals' voices by unique codes, not by consumers' names, and its privacy policy states that it only uses consumers' voice data to improve its internal systems. The FTC's David Vladeck said, "Just as we are concerned about the possible applications of facial recognition, there are other forms of biometric identification, like voice, that pose the same kind of problems." (Registration may be required to access this story.)
Full Story

PRIVACY

Where Privacy Meets Antitrust (April 2, 2012)

During a speech to the American Bar Association's antitrust section on Thursday, Sen. Al Franken (D-MN), the chair of the Senate Judiciary subcommittee on privacy and technology, said that people's "right to privacy can be a casualty of anti-competitive practices." He said that giant companies are becoming immune to market pressure, and "The more dominant these companies become...the less incentive they have to respect your privacy." Franken added, "When companies become so dominant that they can violate their users' privacy without worrying about market pressure, all that's left is the incentive to get more and more information about you. That's a big problem if you care about privacy, and it's a problem that the antitrust community should be talking about."
Full Story

PRIVACY—U.S.

Poll: Data Gathering Worries Californians (April 2, 2012)

A telephone survey of 1,500 Californians has revealed that consumers in America's most high-tech state are wary about the data collection activities of Internet and smartphone companies. The poll, conducted on behalf of USC Dornsife College of Letters, Arts and Sciences and the Los Angeles Times, found that those polled are also "concerned that personal data could become public or be harvested to sell them products," the Los Angeles Times reports. Those polled rated six companies on their trustworthiness with personal data, revealing scores that one commenter described as "strikingly low."
Full Story