Privacy News | Daily Dashboard

Top Privacy News

PRIVACY LAW—U.S.

Lawmakers’ Resolution Asks UN To Let Internet Alone (May 31, 2012)
Lawmakers have introduced a resolution to stop the United Nations (UN) from potentially gaining control over the Internet, reports The Hill. Members of the House Energy and Commerce Committee presented the resolution yesterday, encouraging the United States' delegation to keep the Internet free from regulation and to "preserve and advance the successful multi-stakeholder model that governs the Internet today." It's possible that proposals to give the UN's International Telecommunication Union governance control could come forward at a December conference in Dubai. The proposals "would give the UN more control over cybersecurity, data privacy, technical standards and the web's address system," the report states.

DATA PROTECTION—U.S.

Experts Agree On Mobile Policies, Seven Cos. Agree To Change (May 31, 2012)

NationalJournal reports on yesterday's FTC workshop on advertising disclosures for online and mobile media. Industry reps and privacy advocates agreed that websites' "lengthy and complicated" privacy policies shouldn't be transferred to mobile platforms, the report states. Jennifer King, a researcher at the University of California at Berkeley, urged app developers to come up with succinct and easily accessible ways of informing users about apps' data collection and uses. Sara Kloek of the Association for Competitive Technology said the group Moms with Apps is working on developing an icon to alert users about privacy practices. Meanwhile, seven behavioral ad companies have agreed to make changes to their privacy disclosures.

EMPLOYEE PRIVACY

Companies Plan Social Network Monitoring Programs (May 31, 2012)

Research firm Gartner says digital surveillance in the workplace is on the rise, ZDNet reports. Companies are aiming to increase their watch on employees' social networking use, Gartner says, and about 60 percent of corporations will have programs in place to monitor accounts for security breaches and data leaks by 2015. But there are risks of going too far, the report states, such as if an employer were to visit a Facebook page to review an employee's sexuality or marriage status. Meanwhile, CBR also reports on employers' social network monitoring, citing U.S. lawmakers' proposed legislation on the matter and a lack of clarity when it comes to UK laws.

PRIVACY LAW—U.S.

California Bills Deal with Warrantless Tracking, Autonomous Cars (May 31, 2012)

The Los Angeles Times reports on a California state bill that would require law enforcement to seek a warrant prior to accessing data from wireless carriers. SB 1434 has passed the Senate and will move to the Assembly for consideration. State Sen. Mark Leno (D-San Francisco) said, "This bill strikes a perfect balance to safeguard Californians against improper government intrusion while ensuring that law enforcement officials can utilize this technology when necessary to protect public safety." Meanwhile, the head of Consumer Watchdog has raised privacy concerns about California legislation that establishes guidelines for autonomous vehicles, saying SB 1298 "should be amended to ban all data collection by autonomous cars."

MOBILE PRIVACY—U.S.

FCC Seeks Comment on Cellphone Privacy (May 31, 2012)

The Federal Communications Commission (FCC) has asked the public for comments on how to better protect cellphone users' privacy, The Hill reports. Noting that it had not examined mobile privacy issues since 2007, the FCC said its record in this realm is "badly out of date." The FCC wrote, "The devices consumers use to access mobile wireless networks have become more sophisticated and powerful, and their expanded capabilities have at times been used by wireless providers to collect information about particular customers' use of the network--sometimes, it appears, without informing the customer."

PRIVACY LAW—U.S.

Franken To Introduce Encryption Legislation (May 31, 2012)

Sen. Al Franken (D-MN) says he will pursue legislation or federal regulations that would require all laptops containing personal medical information to be encrypted, reports the Associated Press. The announcement follows Franken's hearing on several Minnesota hospitals' debt collection practices during which Franken questioned executives from Accretive Health and Fairview Health Services about a privacy breach. At the hearing, Franken questioned Accretive's senior vice president as to why patient information was stolen from the car of an Accretive employee who had no need for access to the information.

DATA LOSS—U.S.

Lessons Learned from Zappos Breach (May 31, 2012)

Retail Info Systems News reports on lessons that can be learned from the Zappos.com data breach. In the report, Matt McKinley writes, "The 'lesson learned' for retailers couldn't have been articulated more clearly: You may be next. Have a plan." McKinley notes that many breaches occur "not because of the sophistication of the attack but because one or more rudimentary security measures weren't properly" considered, including two-factor authentication; non-disruptive, proper network segmentation; and contextual awareness. Meanwhile, NetworkWorld looks at the University of North Carolina-Charlotte breach response, saying, "it's clear that the university is conducting a reasonable post-mortem on the incident."

DATA RETENTION—GERMANY & EU

EC To Refer Germany to European Court of Justice (May 30, 2012)
The European Commission plans to refer Germany to the European Court of Justice (ECJ) for not implementing a telecommunications data retention policy in line with the data retention directive, Reuters reports. The directive mandates that all 27 EU member states implement policies obliging telecommunications companies to retain user data for at least six months in order to aid law enforcement authorities in tracking "serious crime." In 2010, Germany's highest court rejected the German government's data retention proposal because it was a "particularly deep intrusion into telecommunications privacy." A referral to the ECJ is the final stage in infringement proceedings and can result in a fine.

PRIVACY—U.S.

FTC Discusses Mobile and Online Advertising Disclosures (May 30, 2012)

The Federal Trade Commission (FTC) is hosting its Advertising and Privacy Disclosures in Online and Mobile Media workshop today to consider the need for new guidance. The workshop will address mobile privacy disclosures and how they can be short, effective and accessible to consumers on small screens, according to an FTC press release. It will address concerns that have arisen since the FTC's online advertising disclosure guidance 12 years ago. UC Berkeley researcher Jennifer King said in her opening statements that consumers generally read as little as 25 percent of a web page and expect that the "least important information is located at the bottom of the screen." The event is being streamed live.

SOCIAL NETWORKING—CANADA

Commissioner: Some Sites Disregard Privacy Laws (May 30, 2012)

CBC News reports on comments by Privacy Commissioner Jennifer Stoddart before a House of Commons committee calling for stronger sanctions when social media companies ignore privacy laws. "This is the age of big data where personal information is the currency that Canadians and others around the world freely give away," she said, adding, "I have become very concerned about the apparent disregard that some of these social media companies have shown for Canadian privacy laws." Stoddart told the committee that Canada's Personal Information Protection and Electronic Documents Act is too weak and stricter penalties are needed, the report states.

PRIVACY LAW—U.S.

Big Brother and the Privacy and Civil Liberties Oversight Board (May 30, 2012)

NPR reports on the difficulties of staffing the Privacy and Civil Liberties Oversight Board (PCLOB). Last week, Sen. Ron Wyden (D-OR) denounced the Cyber Intelligence Sharing and Protection Act, saying it would open "the door to a dystopian world where law enforcement evaluates your Internet activity for the potential that you might commit a crime." The PCLOB would provide oversight on such intelligence gathering. The Obama administration nominated a bipartisan set of potential board members last December, but some fear the nominations will remain stalled in Congress. Former Congressman Asa Hutchinson said the failure to implement a working PCLOB represents "an extraordinary disappointment in government."

PRIVACY LAW—EU

Source: Five Member States To Face Court Action (May 30, 2012)

A European Commission official has said EU regulators are planning legal action against the Netherlands, Portugal, Belgium, Poland and Slovenia "for not implementing new telecoms rules aimed at protecting users' privacy online," Reuters reports. EU countries had until May 25 of last year to adopt the rules, which include the requirement to obtain consent from users before cookies are stored on their devices. The official declined to be identified, the report states, but the commission is expected to formally announce its decision to take the five member states to court this week.

PRIVACY LAW—U.S.

Netflix Agrees To Alter Data Retention Policy (May 30, 2012)

MediaPost News reports that Netflix has agreed to change its data retention policies and to pay $9 million as part of a class-action settlement. According to court papers filed last Friday, the media company will "decouple" former users' movie-rental histories from other personal data one year after deleting an account. Previously, the company reportedly retained user histories for two years. U.S. District Court Judge Edward Davila has scheduled a hearing for June 29 on a request for preliminary approval of the agreement, the report states.

DATA THEFT—U.S.

PII of 123,000 Federal Employees Exposed (May 30, 2012)

Last July, hackers accessed a computer used by a third-party vendor hired to support the U.S. Federal Retirement Thrift Investment Board (FRTIB) Savings Plan, IDG News Service reports. The computer housed the personal information of 123,201 savings plan members. The third party, Serco, and the FRTIB conducted forensic analysis, determining that the names, addresses and Social Security numbers of 43,000 participants were accessed, in some cases along with financial account numbers. Separately, the Social Security numbers of approximately 80,000 individuals were also compromised. A Serco representative said, "There is no evidence of any funds being diverted or identity theft resulting from the incident."

PRIVACY LAW—SOUTH AFRICA

Protection of Personal Information Bill Moves Forward (May 30, 2012)

The Protection of Personal Information (PPI) Bill is set to be redrafted and presented to South Africa's Justice and Constitutional Development Portfolio Committee, ITWeb reports. The legislation would implement limits around what personal information can be collected and processed by businesses. Data subjects must be informed of and can object to the processing of their information. Additionally, companies may not refuse to do business with a data subject who objects to providing personally identifiable information that is unnecessary to the transaction, and, the report states, end users must be informed when their data has been "accessed or acquired by an unauthorized person."



PRIVACY LAW—UK

Cookie Law In Effect, ICO Backs Implied Consent (May 29, 2012)
UK enforcement of the cookie directive began on Saturday, hours after the Information Commissioner's Office (ICO) released updated cookie guidance. The Guardian reports the new ICO advice states implied consent is a valid form of user consent. One privacy law expert said, "This is a striking shift...Previously the ICO said that implied consent would be unlikely to work." Since activating a cookie complaint mechanism on its website, the ICO has received at least 64 separate complaints about potential violations. Meanwhile, the European Commission has said that its own website should comply with cookie laws.

PERSONAL PRIVACY—CANADA

VA Report Revives Potential Privacy Violations (May 29, 2012)

The Canadian Press reports that an outside investigation initiated by the Department of Veterans Affairs has revived concerns that veteran Sean Bruyea's privacy was violated. The outside report, headed by a former senior official, found no "malice" or "fault" in VA officials' actions. In a letter to the privacy commissioner, Bruyea said he was not asked for his consent. "In authorizing this investigation and releasing unprecedented large amounts of my personal information" to the investigators, "it is apparent that senior officials grossly and flagrantly broke privacy laws in order to solicit a report which would justify their breaking of those same laws in the first place," Bruyea wrote.

PRIVACY LAW—U.S.

NJ Assembly Passes Copier Data Destruction Bill (May 29, 2012)

The New Jersey Assembly has passed a bill that would require entities to adequately destroy data stored on digital copiers, scanners and fax machines prior to their disposal, Courier Post Online reports. In an attempt to combat identity theft, Bill A 1238 passed the New Jersey Assembly 51-28. Bill co-sponsor Herb Conway (D-Burlington) said, "There's a simple way to eliminate these risks, and we need to make sure it's instituted." Dan Benson (D-Mercer/Middlesex), another co-sponsor, added, "Given how often electronics are leased or resold these days, it's important that measures safeguarding against identity theft are put into place."

PRIVACY LAW

Some Authorities Push Ahead, Others Back Off Google Inquiries (May 29, 2012)

Bloomberg reports Google may face further action from the UK Information Commissioner's Office following the U.S. Federal Communications Commission (FCC) report on Google's Street View data collection practices. Australian Privacy Commissioner Timothy Pilgrim, however, says his office will not launch a second investigation after examining the FCC report. Meanwhile, two U.S. legislators have called on the U.S. Justice Department to consider looking further into the matter. "Previous statements and testimony from Google indicated that the privacy violation was unintentional, but a recent investigation by the Federal Communications Commission casts doubt on those statements," said Reps. John Barrow (D-GA) and Frank Pallone (D-NJ).

DATA LOSS—U.S.

University, Hospital Report Breaches (May 29, 2012)

The University of Nebraska is investigating a security breach of a database containing personal records of students, applicants and alumni, reports the Syracuse Journal-Democrat. The university is alerting those with bank accounts associated with the Nebraska Student Information System of the breach and asking them to monitor their accounts closely and report any suspicious activity. The database contains Social Security numbers, addresses, grades, transcripts and housing and financial aid information. Meanwhile, Phoebe Putney Memorial Hospital in Georgia announced that patient information may have been compromised after an employee improperly accessed patient records in an attempt to process fraudulent tax returns.

PRIVACY LAW—CANADA

Settlement Proposed in Health Region Breach (May 29, 2012)

The Toronto Star reports on a proposed settlement in a class-action lawsuit against Durham Region Health. The suit was filed in April 2011 after one of the region's nurses lost a thumb drive containing the personal information of nearly 84,000 people. It claims the region was negligent, breached its fiduciary duty and violated patients' privacy as well as the Canadian Charter of Rights and Freedoms. Pending a judge's approval, the region will pay $500,000, which amounts to at least $5.99 for each patient's lost data. The settlement allows victims to file compensation claims while also allowing the region to take steps to "mitigate the harm" first.

ONLINE PRIVACY—GERMANY

“Streetside” Service Goes Offline After Complaints (May 25, 2012)

Microsoft has taken its Bing Streetside service offline in Germany after receiving complaints from residents "about how Microsoft handles requests for blurring of images," IDG News Service reports. In a statement, the company said it has made photos inaccessible while it evaluates the complaints and considers a solution. A Microsoft spokesman has said he cannot predict "when or if the service will be reinstated" but noted the complaints were not initiated by data protection agencies. "These are single incidents," he said, but did not disclose the number of complaints Microsoft received, the report states.

ONLINE PRIVACY—U.S.

Bills Would Ban Anonymous Website Posts (May 25, 2012)
TIME reports on a New York State Assembly proposal that would ban anonymous comments from websites. Identical bills S 6779 and A 8688 would require any New York-based web administrators to "upon request remove any comments posted on his or her website by an anonymous poster unless such anonymous poster agrees to attach his or her name to the post and confirms that his or her IP address, legal name and home address are accurate." The Electronic Frontier Foundation says the bills would violate free speech and that anonymous posts protect users against fear of retaliation and social ostracism or "merely preserve as much of one's privacy as possible."

PRIVACY LAW—U.S.

Hospital To Pay $475K, $225K Towards Education (May 25, 2012)

The Massachusetts State Attorney General's Office (AG) announced that South Shore Hospital will pay $475,000 to settle allegations that it neglected to protect patient information, resulting in the exposure of 800,000 consumers' data, reports Boston Business Journal. The settlement includes $225,000 allocated to a fund that the AG can use to promote education on the protection of personal and health information, the report states. The total settlement amounted to $750,000, but the hospital's expenditures on improving security measures--$275,000--were credited back.

BIOMETRICS—U.S.

Report Urges Gov’t To Limit Collection, Up Accountability (May 25, 2012)

A report by the Electronic Frontier Foundation and the Immigration Policy Center highlights the groups' concerns over databases of biometric data compiled by government agencies and others, reports Courthouse News Service. An Immigration Policy Center spokeswoman noted, "biometrics are not infallible, and databases contain errors. These problems can result in huge negative consequences for U.S. citizens and legal immigrants mistakenly identified." The report calls for government to "limit unnecessary biometrics collection; instill proper protections on data collection, transfer and search; ensure accountability; mandate independent oversight; require appropriate legal process before biometric collection, and define clear rules for data sharing at all levels."

DATA LOSS—U.S.

Reports Examine Lessons Learned from Breaches (May 25, 2012)

GovernmentHealthIT reports that six years after a data breach that resulted in the Department of Veterans Affairs (VA) being "vilified for disregarding its own gap-filled information security and privacy policies, the VA now stands as a model for how to effectively integrate tough safeguards into its daily operations." The report examines the "sea change" that took place in the aftermath of the breach that resulted in "stronger information security requirements across the government." Meanwhile, in a feature for InformationWeek, Mathew Schwartz explores nine lessons learned from Utah's recent breach affecting 28 percent of the state's residents.

HEALTHCARE PRIVACY—U.S.

CDT’s McGraw Encourages Healthcare Stakeholder Participation (May 25, 2012)

The Center for Democracy and Technology's Deven McGraw writes for iHealthBeat that even though the healthcare industry paid little attention to the White House's "Consumer Privacy Bill of Rights" and the Federal Trade Commission's (FTC) "Protecting Consumer Privacy in an Era of Rapid Change," the two reports are in fact "very relevant for healthcare stakeholders." McGraw, co-chair of the Privacy and Security Tiger Team advising federal healthcare leaders, notes the FTC's regulatory authority over a number of healthcare entities and the FTC and White House's encouragement of a multistakeholder process. If healthcare leaders fail to participate, they could be excluding themselves from "important conversations that could impact their operations."

PRIVACY LAW—EU & U.S.

CNIL Sends Google Fresh Privacy Policy Questions (May 24, 2012)
French data protection authority CNIL has sent additional questions to Google about its new privacy policy, according to a press release. Noting the company's answers are "often incomplete or approximate," the CNIL has given Google until June 8 to answer the questionnaire. According to the statement, "the CNIL considers it impossible to know Google's processings of personal data, as well as the links between collected data, purposes and recipients, and that the obligation of information of the data subjects is not respected." The CNIL's president noted, "All options are on the table." Google Privacy Counsel Peter Fleischer said the company is "confident that our privacy notices respect the requirements of European data protection laws."

DATA LOSS—U.S.

Children’s Hospital Loses Data on 2,100 Patients (May 24, 2012)

The Boston Globe reports that a Boston Children's Hospital employee lost a laptop containing sensitive personal information--including names, birth dates, diagnoses and treatment information--of 2,159 patients. Misplaced in Argentina, the laptop was password protected but not encrypted, and the file in question was an e-mail attachment, the report states. The hospital's chief information officer said, "we are undertaking additional steps to prevent breaches such as this in the future." Meanwhile, a California Department of Social Services spokesman said the agency is changing how it transports sensitive information in light of a recent loss of data on more than 700,000 individuals.

PRIVACY LAW

International DPAs Meet on Enforcement (May 24, 2012)

A dozen privacy enforcement authorities from around the world met at a two-day event in Montreal last week to explore ways to cooperate on enforcement. In this exclusive for The Privacy Advisor, Sophie Paluck-Bastien reports on the efforts of the temporary working group formed under the Resolution on Privacy Enforcement Co-ordination at the International Level adopted at the 33rd International Conference of Data Protection and Privacy Commissioners last year. "The group agreed that there is nothing to be gained from a dozen authorities investigating the same incident in silos and everything to be gained from them using their limited resources in a concerted fashion," Paluck-Bastien writes.

MOBILE PRIVACY—U.S.

Company BYOD Policy Bars Voice-Activated Assistant (May 24, 2012)

Wired reports on IBM's bring-your-own-device policy and how its IT department disables specific functions, including Apple's Siri software, to help mitigate risk. IBM Chief Information Officer Jeanette Horan said, "The company worries that the spoken queries might be stored somewhere," and, according to the software's user agreement, "the things you say will be recorded and sent to Apple in order to convert what you say into text." Horan said her company also disables file-transfer programs but offers an IBM-controlled program for employees. Siri developer Edward Wrenbeck said privacy was a concern for developers.

CHILDREN’S PRIVACY—GERMANY

Court Weighs Freedom of Expression vs. Privacy Rights (May 24, 2012)

Germany's highest court has ruled that lower courts took "too narrow and simplistic" a view of children's privacy rights in a case involving a celebrity's two children, Out-Law.com reports. In the case, an online publisher reported that the two children had been involved in acts of vandalism. The Federal Constitutional Court ruled that lower courts "misunderstood" the media's right to freedom of expression when considering the "personality rights" of the two children, and, the report states, the courts gave "an unjustified precedence to the value of children's privacy rights..." A German district court will re-evaluate the case.

SSN PRIVACY—U.S.

ID Theft Rising, As Is Use of Social Security Numbers (May 24, 2012)

About 4,000 children have been enrolled in Utah's online child identity protection service since its January inception, NPR reports. The service allows parents to register their children for protection by providing the child's name, address, date of birth and Social Security number online. Meanwhile, the American Civil Liberties Union (ACLU) has taken issue with Central Florida counties' collection of students' Social Security numbers for school registration. Only some districts allow an opt-out, which could violate federal law, the ACLU says. The ACLU has also successfully opposed a U.S. Park Police officer's demand for a man's Social Security number during a citation.

FINANCIAL PRIVACY—IRELAND

Survey: Banks Violating Consumer Protection Laws (May 24, 2012)

According to a new survey, banks are breaking consumer protection laws by monitoring account transactions and using the information to sell products, The Irish Times reports. The Professional Insurance Brokers' Association (PIBA), which released the survey this week, recently met with the data protection commissioner to discuss the matter. "These are illegal practices. The banks are flagrantly violating consumer protection laws and pressurizing consumers who feel they have little choice because their credit facilities could be curtailed or withdrawn," said PIBA's chief executive.

DATA LOSS—U.S.

Researcher: Military Guidelines for Social Sites Need Improving (May 24, 2012)

Security expert Rob Rachwald, who studied the hack of a military online dating website, says the incident illustrates the need for U.S. defense personnel to disguise identities on social networks, Nextgov reports. On March 25, hackers published the names, e-mail addresses and passwords of 170,937 of the site's members. The defense department publishes detailed guidance for social site behavior; a Navy handbook instructs personnel to minimize the information they leave on social sites, for example. But Rachwald says the policies are "completely inadequate," adding, "I hate to suggest falsifying information, but I think that's what you have to do, especially when you are part of a military organization."

PRIVACY LAW—AUSTRALIA

Parliament Sees Privacy Act Reforms (May 23, 2012)
COMPUTERWORLD reports that reforms to the Privacy Act 1988 have been introduced to Parliament. The introduction comes six years after the Australian Law Reform Commission began its inquiry. Changes include increased regulation of personal information for marketing purposes; extending privacy protections to unsolicited information; restrictions on sending personal information overseas; improved consumer access to their personal data, and additional protections on e-health information, the report states. Changes to credit reporting are also included in response to "changes to the way we access finance" since the current provisions came into effect, said Attorney General Nicola Roxon.

PRIVACY LAW—U.S.

Facebook Settles Privacy Lawsuit (May 23, 2012)

MediaPost reports Facebook has tentatively settled a class-action lawsuit alleging plaintiffs were harmed by the company's "sponsored stories" feature and its lack of an opt-out provision. The feature alerts users when their friends have "liked" a product or service and includes the friends' names and photos. Facebook told U.S. District Court Judge Lucy Koh that it will file a motion for a preliminary approval of the settlement by mid-June, the report states. The settlement's terms have not been disclosed. The company faces a separate but related suit alleging the sponsored stories feature violated California law by including minors.

CLOUD COMPUTING—U.S. & EU

U.S. Anti-Terror vs. Directive Creates “Stumbling Block” (May 23, 2012)

Financial Times reports on the differing privacy approaches taken by the U.S. and EU and their effect on cloud-based services. U.S.-based cloud providers, because of the USA PATRIOT Act, cannot guarantee to EU-based companies that data will not leave Europe--a violation of the EU's data protection directive. A representative from Taylor Wessing said, "This is a big stumbling block...When data need to move outside the EU, then the data protection law framework and its rights and protections have to follow." Obama administration officials have suggested that European concerns about U.S. anti-terror laws are a "red herring" and amount to "digital protectionism" for EU-based cloud providers, and, according to a recent study, the law does not give the U.S. special access to cloud data. (Registration may be required to access this story.)

SOCIAL NETWORKING—EU

Users May Get a Vote on Facebook Policies (May 23, 2012)

Following a campaign to collect comments about Facebook's proposed amendments to its data use policy, the company may be required to allow users to vote on the matter. Facebook's "Statement of Rights and Responsibilities" requires the company to allow a vote if 7,000 users comment, reports Out-Law.com. Facebook's proposed changes drew 47,824 user comments, some of which call for opt-in data uses. The complaints follow the Office of the Irish Data Protection Commissioner's audit of Facebook Ireland's privacy policies last year and its subsequent request that the company make changes to how it uses and stores customer data.

ONLINE PRIVACY

Company Keeps Data Practices Behind Closed Doors (May 23, 2012)

The New York Times reports on the data collection practices of Google. "The tale of how Google escaped a full accounting for Street View," the article states, "illustrates not only how technology companies have outstripped the regulators but also their complicated relationship with their adoring customers." Michael Copps, a former commissioner with the Federal Communications Commission, said, "The industry has gotten more powerful; the technology has gotten more pervasive, and it's getting to the point where we can't do too much about it." Meanwhile, in a Salon.com column, David Rosen writes, "Unless you have the time or the technical know-how to encrypt your digital communications, none of what you transmit--however personal...is 'private.'" (Registration may be required to access this story.)

BIG DATA

Kaspersky: Too Much Data Is Collected (May 23, 2012)

Speaking at a conference this week, Kaspersky Lab CEO Eugene Kaspersky warned that too much data is being collected about individuals, COMPUTERWORLD reports. "We can forget about privacy," he said, adding, "There's no privacy anymore." Kaspersky said the increased use of CCTV and online tracking makes it "a national security issue," and argues that this kind of "data can be used not just against people but against nations." The IT security expert advocated for regulation. "We should make it forbidden to collect so much information about you," Kaspersky said.

DATA LOSS—UK

Poor Staff Training Cited in ICO’s £90,000 NHS Fine (May 22, 2012)
The Central London community healthcare trust has been fined £90,000 by the Information Commissioner's Office (ICO) for sending sensitive medical data on 59 patients via fax to the incorrect recipient, The Guardian reports. The faxes were meant for another hospital but were repeatedly sent to an unidentified individual. The ICO said, "The fact that this information was sent to the wrong recipient for three months without anyone noticing makes this case all the more worrying." The ICO said the trust did not have enough mitigating checks in place and was not adequately training staff on data protection issues.

PRIVACY LAW—U.S.

Judge: Federal Wiretap Law Doesn’t Trump State Law (May 22, 2012)

A federal judge has ruled that a privacy lawsuit filed in a California state court against software developer Carrier IQ may move forward, MediaPost News reports. U.S. District Court Judge Gary Allen Feess rejected the company's argument that federal wiretap laws trump the stricter California state wiretap law. The federal law was meant to "establish minimum standards and not to preempt state laws that meet these standards," Feess ruled, adding there has been "a long-standing view" in courts that "states are free to enact legislation that is more restrictive than the federal law."

PRIVACY LAW—UK

ICO To Publish List of Cookie Law Offenders (May 22, 2012)

Out-Law.com reports European privacy watchdogs have not agreed on a single approach to enforcement of new cookie laws, according to UK Deputy Information Commissioner David Smith. Smith said the Information Commissioner's Office would not immediately penalize companies who are noncompliant when the UK's new cookie law comes into effect at the end of this month as long as those companies have begun auditing their use of cookies, the report states. The office will publish a list of 50 websites to receive a warning letter from the ICO for noncompliance, however. Smith said that "big multinational users will feature there."

HEALTHCARE PRIVACY—U.S.

OCR Completes 20 Audits, Plans 95 More (May 22, 2012)

Federal authorities have selected another 95 healthcare organizations to be audited for HIPAA compliance this year, GovInfoSecurity reports. The Department of Health and Human Services' Office for Civil Rights (OCR) has completed its initial 20 audits, which served to test the program mandated under the HITECH Act, and is collecting data on the next 25. The remaining 70 entities will be notified in coming months. The audits assess compliance with HIPAA's privacy and security rules, the report states. In selecting audit candidates, the OCR looks at an entity's size, affiliation with other healthcare organizations and past breach notifications, among other factors.

PRIVACY—U.S.

Ohm To Join FTC (May 22, 2012)

Law professor and privacy expert Paul Ohm will join the Federal Trade Commission (FTC) in August as a senior policy adviser on Internet and mobile markets, The Wall Street Journal reports. Ohm is a computer programmer, an expert in information privacy and has served as a federal computer crimes prosecutor. At the FTC, he will advise the commissioners and staff on policy and enforcement cases, the report states. "Paul's keen insights on how the law applies to technology and privacy issues will be invaluable to the FTC's work in these areas," said FTC Chairman Jon Leibowitz. (Registration may be required to access this story.)

BIG DATA

Privately Held Data Poses Challenge for Academic Research (May 22, 2012)

The New York Times reports on concerns raised by academics that large amounts of privately held data are compromising independent research. Often, companies with large amounts of data do not disclose it for reasons of competitive advantage and consumer privacy, but some academics argue the practice threatens the scientific community, the report states. One physicist wrote, "If this trend continues...we'll see a small group of scientists with access to private data repositories enjoy an unfair amount of attention in the community at the expense of equally talented researchers whose only flaw is the lack of right 'connections' to private data." (Registration may be required to access this story.)

PRIVACY LAW—CANADA & U.S.

Survey Finds Lack of Preparedness for C-28 (May 22, 2012)

A new survey indicates "an overwhelming lack of preparedness" for a Canadian law aiming to regulate spam messages, according to law firm Fasken Martineau, which conducted the survey. Polling marketing executives based primarily in the U.S., the survey found 60 percent were unaware of Bill C-28, which will require recipient consent before a commercial electronic message can be sent to Canada. The survey also found that of those who were aware of the bill, 75 percent were not aware of the penalties and only 27 percent of respondents knew that compliance with U.S. do-not-call legislation does not ensure C-28 compliance.

BIOMETRICS—U.S.

Night Spot App Debuts, Won’t Store Facial Mapping Metrics (May 21, 2012)
A facial detection app made its San Francisco debut last week, but after privacy advocates raised concerns about data storage, the company altered its privacy policy, Ars Technica reports. SceneTap scans faces of night spot patrons to determine their age and gender. Potential customers use the app to check male-to-female ratios and crowd size at participating venues. "Nothing that we do is collecting personal information," said SceneTap CEO Cole Harper. "It's not recorded; it's not streamed; it's not individualized." The policy modification reads, "No facial mapping metrics, measurements or other data used to predict demographics are stored."

PRIVACY

Regulator Says Facebook Model Could “Implode” (May 21, 2012)

The Washington Post reports on provocative comments from the data protection commissioner for the northern German state of Schleswig-Holstein that if European privacy authorities have their way, "Facebook's business model will implode." The regulator says the site's $38 starting share price is "based on practices that breach European privacy rules," the report states. Meanwhile, a U.S. law firm announced it has combined 21 privacy lawsuits against the company into one class-action suit, CNET News reports. The Stewarts Law US suit asks for $15 billion from the company for allegedly violating user privacy by tracking them on the Web. (Registration may be required to access this story.)

PRIVACY—U.S.

Consumers Call Hulu Defense “Disingenuous at Best” (May 21, 2012)

Consumers who sued Hulu for alleged privacy violations are asking a judge to dismiss the company's argument that it is not covered under the Video Privacy Protection Act (VPPA), MediaPost reports. The consumers filed the lawsuit last year after Hulu used analytics company KISSmetrics to track users via supercookies to find out what they watched and allegedly shared the data with third parties. The VPPA forbids companies that sell or rent videos from disclosing consumers' data without their consent. Hulu contends that the law only applies to brick-and-mortar stores, which the plaintiffs called "disingenuous at best" in a court filing last week. The suit has been sent to mediation.

DATA LOSS—U.S.

“Tragedy of Errors” Led to UMaine Breach (May 21, 2012)

Forensic analysis of a breach at the University of Maine has revealed that data from 2,818 individuals was compromised when hackers accessed a server, the Bangor Daily News reports. Used in conjunction with the University of Arkansas (UoA), the server contained customer information--including Social Security and credit card numbers--from a university computer store. According to the university's information technology chief, the school had planned to phase out the server but kept it running because UoA was still using it. The server was shut down once the breach was discovered.

MOBILE PRIVACY—U.S.

Capitol Hill Keeps Watchful Eye on Apps (May 21, 2012)

POLITICO reports about efforts on Capitol Hill to protect mobile app users from privacy invasions without stifling innovation. Regulators are concerned because consumers are "maybe aware there are privacy implications of using smartphones" but don't necessarily understand "the value proposition there--getting free or low-price apps in exchange for their information," said the Center for Democracy and Technology's Justin Brookman. In addition to the Federal Trade Commission's first settlements with app developers for COPPA violations last year, many legislators have written letters to app companies and smartphone makers in recent months, two have introduced legislation on geolocation data and Congress has held hearings.

ONLINE PRIVACY—U.S.

Lawmakers, White House Praise Site’s Do-Not-Track Commitment (May 21, 2012)

Lawmakers and the White House are praising Twitter's announcement that it will acknowledge do-not-track preferences, ClickZ reports. Rep. Ed Markey (D-MA) called the company an "industry leader," and Sen. John Kerry (D-MA) said its "announcement proves that exercising respect for people's choices on how, when and where to have their information collected is something that responsible, competitive companies can do," adding, "I hope others will follow." White House Deputy Chief Technology Officer Danny Weitzner said the move was "an important step" and is "part of a larger Obama administration strategy to encourage more consumer privacy protections on the Internet."

SOCIAL NETWORKING—U.S.

Hospitals Asking Docs To Avoid Social Media with Patients (May 18, 2012)
Network World reports that some hospitals are warning doctors to avoid social media interactions with patients. In one case, a doctor about to begin work at a hospital was sent a letter warning him not to accept patient "friend" requests. The notice also advised the doctor to "review photos" posted on social media sites in order to keep an appropriate online identity as a medical professional, the report states. The chief information security officer for one healthcare group says hospitals are struggling with the question but adds his company is engaged with an Internet-based portal designed specifically for online doctor-patient contact.

GEO PRIVACY—U.S.

Subcommittee Considers Geo-Tracking Legislation (May 18, 2012)

A House judiciary subcommittee debated Thursday proposed legislation that would require law enforcement to get a warrant prior to tracking suspects via geolocation data, the NationalJournal reports. Proposed by Rep. Jason Chaffetz (R-UT), the bill would include exceptions in cases of death, serious harm or national emergency. "Just because it can be done," Chaffetz said, "doesn't mean it necessarily should be done." Additionally, University of Pennsylvania Prof. Matt Blaze submitted written testimony arguing that the proliferation of cell towers makes pinpointing the location of individuals by their cell phones more precise than GPS, Forbes reports.  

ONLINE PRIVACY—U.S.

Strickling: Privacy Tops NTIA To-Do List (May 18, 2012)

Lawrence Strickling of the National Telecommunications and Information Administration discusses efforts between Internet businesses and advocacy groups to create online privacy codes of conduct, The Hill reports. "I think as people learn more and more about how their information is being used, people become more and more concerned about it," said Strickling, adding that compromised privacy can cause harm. "First and foremost," he noted, "what we're trying to do with our privacy policy, as well as all of our Internet policy activities here, is to see the Internet thrive and grow and be an engine of innovation and job creation."

DATA PROTECTION

BYOD Risks Create Opportunities for Vendors (May 18, 2012)

In this era of "bring your own device" to the workplace, IT administrators are having an increasingly difficult time protecting networks from data leakages. The issue has opened up market opportunities for a wide variety of vendors, reports Network Computing. A recent study by Enterprise Strategy Group found that end users are "looking to tackle issues like data sharing, portability and access from multiple intelligent endpoint devices, creating a conundrum for IT as it needs to balance business enablement, ease of access and collaborative capacity with the need to maintain control and security of information assets," the report states.

DATA PROTECTION

Opinion: Gov’t Data Collection Should Be Minimal (May 18, 2012)

In the last of a three-part series for Reuters on the benefits and risks of sharing personal information, Rotman School of Management Prof. Don Tapscott discusses how the vast amount of data moving online can become an attractive tool for governments and corporations, noting it's difficult to restrict the information they're able to access. "But we still need to resist attempts of governments to collect unnecessary information. We still need to fight for the basic privacy principle of 'data minimization,'" Tapscott writes, adding, when sharing data, it's important to remember that "with openness can come vulnerabilities."

PRIVACY LAW

CNIL To Sit Down with Google (May 17, 2012)
French data protection authority CNIL has scheduled a meeting with Google to more closely examine changes to the company's privacy policy, BBC News reports. The company consolidated its 60 privacy policies into one in March, prompting the CNIL to ask questions on the legality of the move and on how user data would be shared. The CNIL says it was not satisfied with the company's answers and wants to "untangle the precise way that specific personal data is being used for individual services and examine what the benefit for the consumer really is," said CNIL's president.

BIOMETRICS—EU

Working Party Issues Opinion on Biometric Data (May 17, 2012)

The Article 29 Data Protection Working Party has issued an opinion on biometric technologies, identifying and offering guidance on how to mitigate risks when it comes to data subjects' data protection and privacy. Technological advances have allowed for cheaper storage and analysis of biometric data, including fingerprints, vein patterns and DNA. A lack of appropriate safeguards can put the data subject at risk, however, and some technologies could allow for the collection of biometric data without consent, the opinion states.

ONLINE PRIVACY—U.S.

Twitter Offers Do-Not-Track Option (May 17, 2012)

Twitter has agreed to implement a do-not-track feature, giving its users the ability to opt out of being followed online. The site will enable the feature through the Firefox browser, which allows users to opt out of cookies--including those from third parties aiming to serve targeted advertisements--that collect information about their browsing habits. Federal Trade Commission (FTC) Chief Technology Officer Ed Felten announced the move at an event in New York today, and in a statement confirming the plan, a Twitter spokeswoman said, "We applaud the FTC's leadership on do not track, and we are excited to provide the benefits."

HEALTHCARE PRIVACY—U.S.

DHS Issues Warning on Mobile Devices (May 17, 2012)

The Department of Homeland Security (DHS) has issued a warning about the threat medical devices can pose to IT security and patient data, eWeek reports. On May 4, the department released "Attack Surface: Healthcare and Public Health Sector," which warns that medical and mobile devices attached to networks pose a risk to cybersecurity and put agencies at risk for malware and data loss. "I think it is a very big issue, and healthcare entities need to take it very seriously," said one expert, adding that security conferences where hackers demonstrate vulnerabilities in the system "should serve as a wake-up call."

PRIVACY LAW—U.S.

ABA Proposes Data Security Ethics Rule (May 17, 2012)

The American Bar Association (ABA) is proposing to clarify the ethical responsibility of lawyers to safeguard client data against unauthorized disclosures, Hogan Lovells' Chronicle of Data Protection reports. A report from the ABA's Commission on Ethics 20/20 recommended several changes to the ABA Model Rules of Professional Conduct pertaining to lawyers' use of technology and protection of client information. The commission found that "technological change has so enhanced the importance of this duty that it should be identified...and described in more detail through additional comment language." The proposed rule states that lawyers should take "reasonable efforts" to protect client data.

MOBILE PRIVACY

Company Defends Wi-Fi Collection Practices (May 17, 2012)

Speaking at a privacy conference, Euclid Elements Co-Founder Will Smith said the company's new product that tracks retail shoppers via unique IDs known as MAC addresses should not raise privacy concerns, CNET News reports. The company offers retailers a sensor that "passively detects smartphones that come near the store," Smith said. The company currently employs an opt-out model; MAC addresses are stored for 18 months and only aggregate information is available to retailers, the report states. A representative from the Electronic Frontier Foundation said, "If it really creates value for the shopper, it should be something they opt in to."

SOCIAL NETWORKING

What Does Facebook’s IPO Mean for User Privacy? (May 17, 2012)

CNET News reports on what going public means for the privacy of Facebook's users. The Center for Democracy & Technology's Justin Brookman said the company's focus on revenue leaves user privacy uncertain. The American Civil Liberties Union of Northern California's Chris Conley said, "The fact that they're going public and going to be a public company could enforce trust," or they risk losing revenue. Sarah A. Downey, an online privacy analyst at Abine, says users' expectations have changed. "The assumption in 2004 was that people wanted to be private and would set things to public," she said. "Now, Facebook assumes that all activity will be public."

DATA PROTECTION—U.S.

Survey Compares Top-Level Attention to CyberSecurity (May 17, 2012)

The Carnegie Mellon Cylab has released a report on how boards of directors and senior management are managing privacy and cyber risks, Forbes reports. The global survey, which compares sector-specific responses, found that the energy/utilities sector had the poorest governance practices, with 71 percent reporting their boards "rarely or never review privacy and security budgets," for example. The energy/utilities sector tied with the industrial sector for the lowest percentage of cross-organizational committees on privacy and security, the report states. While the survey indicated the financial industry had the best security practices, 52 percent still indicated their boards don't review cyber insurance coverage.

DATA RETENTION

Experts: Limited Data Equals Limited Risk (May 17, 2012)

Dark Reading reports on the growing awareness "that one of the best ways to protect sensitive and personally identifiable information (PII) from a breach is to eliminate its existence." One expert said organizations need to improve their analysis of data retention necessity and limit PII on company databases. Another said there are several risks when retaining PII, including the risk of data breach, regulatory compliance and "added litigation cost when it comes time to sift through data to find specific information a judge may ask for," the report states.

DATA PROTECTION—CANADA

Gov’t Plans To Eliminate SIN Cards (May 16, 2012)
In an attempt to save money and protect privacy, the Canadian government has introduced plans to cut the nation's social insurance number (SIN) cards, The Globe and Mail reports. The cards--which help government track income, taxes and eligibility for various public programs--lack many of the modern security features utilized by credit cards and driver's licenses. The Office of the Privacy Commissioner (OPC) approves of the proposal. An OPC spokesman said, "If fewer people wind up carrying a SIN card with them as a result of the change, that will be a positive development for privacy."

PRIVACY LAW—U.S.

EPIC Proposes Changes, Experts Weigh In on “Harm” Challenges in Court (May 16, 2012)

Following a recent Supreme Court holding that the Privacy Act "does not unequivocally authorize" compensatory damages for emotional or mental distress, the Electronic Privacy Information Center has proposed changes to the act that would compensate individuals who can prove such harm. Though dissenting justices in FAA v. Cooper wrote in their opinion that "the primary, and often only, damages sustained as a result of an invasion of privacy are...mental or emotional distress," plaintiffs generally have "a very difficult time proving harm in the data loss or theft cases," opines Andrew Serwin of Foley & Lardner in The Privacy Advisor.

HEALTHCARE PRIVACY—U.S.

Accretive Responds to Franken, Aims To Restore Reputation (May 16, 2012)

Accretive Health has responded to questions from Sen. Al Franken (D-MN) over the company's patient privacy practices at Fairview hospitals. The 29-page response follows a "highly critical report" from Minnesota's attorney general, who has also filed a lawsuit alleging the debt collection agency illegally obtained and shared patient data, Modern Healthcare reports. Accretive has filed a motion to dismiss the suit. The company has also established a standards group on how healthcare providers interact with patients on financial obligations and has reportedly hired a former Bush administration top health official to lead the new panel. (Registration may be required to access this story.)

DATA THEFT—U.S.

Utah Gov. Fires Tech Director, Hires Ombudsman (May 16, 2012)

Following a data breach affecting 780,000 individuals, Utah Gov. Gary Herbert has fired the director of the Department of Technology Services and has created a new "health data security ombudsman" to facilitate redress for victims, The Salt Lake Tribune reports. Herbert said, "The people of Utah rightly believe that the government will protect them, their families and their personal data...As a state government we have failed to honor that commitment." The new ombudsman said she will act as a "portal for victims."

HEALTHCARE PRIVACY—U.S.

ONC Guide Calls for Privacy and Security Officers (May 16, 2012)

The Office of the National Coordinator for Health Information Technology's recently released guide to help organizations protect patient data recommends medical practices hire a privacy and security officer, InformationWeek reports. The officer would be responsible for developing and maintaining policies and procedures to protect patient data, the report states. Medical practices are increasingly vulnerable to information security breaches as patient data moves online with the proliferation of electronic health records, said one expert. The 10-step guide also recommends developing action plans, mitigating risks, educating and training employees and communicating with patients, among other suggestions.

BEHAVIORAL TARGETING

New Interactive Ad System Raises Privacy Concerns (May 16, 2012)

Microsoft has created an interactive advertisement platform--NUads--by using the Xbox 360 Kinect sensor and plans to unveil the technology this spring, CNET News reports. The technology records and compiles biometric data, including audio and facial recognition, so that it can better serve advertisements to consumers. The company said, "With respect to privacy, Xbox 360 and Xbox Live do not use any information captured by Kinect for advertising targeting purposes, and NUads is no exception...We place great importance on the privacy of our customers' information and the safety of their experiences."

HEALTHCARE PRIVACY—U.S.

Medical Records and the Digital Age (May 16, 2012)

In a series of articles for Businessweek, Jordan Robertson explores health exchanges, medical record identity theft and the use of data mining by healthcare providers. Health information exchanges are popping up around the country, but "a gap in federal law" allows states to enact their own rules regarding consent and choice. Additionally, Robertson writes that medical records provide a treasure trove of personal information for data thieves--"that's one reason why medical providers are breached more than any other type of organization." Meanwhile, hospitals are employing data-mining techniques to help diagnose patients.

DATA LOSS—U.S.

Utah Hires PR Firm Following Breach; IL Hospital Fires Data Thief (May 15, 2012)
The state of Utah is hiring a public relations firm to manage the fallout from a breach involving the personal information of nearly 800,000 Utah residents, including the Social Security numbers of 55,000. The contract calls for a communications plan "to rebuild trust with the public, specifically those who were directly impacted by the breach and those who rely on the Utah Department of Health for critical health services," reports The Salt Lake Tribune. Meanwhile, an employee at Chicago's Northwestern Memorial Hospital has been charged with stealing patients' identities to pay personal bills.

DATA THEFT—ISRAEL

Six Charged in Data Theft (May 15, 2012)

The Tel Aviv district attorney has charged six people with violating the Privacy Protection Law in connection with a data theft that exposed millions of Israelis' personal details, The Jerusalem Post reports. Included in the indictment is 55-year-old Shalom Bilik, a computer programmer who reportedly made copies and sold population registry data between 2005 and 2006 when he was contracted for computer maintenance work in the Welfare and Social Services information systems department. Nine million Israelis were affected by the data theft, their information "exposed to publication" on overseas websites and file sharing sites, the report states.

ONLINE PRIVACY—U.S.

FTC Shifts Privacy Approach; New Commissioner Cautious (May 15, 2012)

The Hill reports on the Federal Trade Commission's (FTC) shift in approach to protecting online privacy. Instead of focusing its efforts on safeguarding personally identifiable information, new FTC efforts will focus on data that can "reasonably be connected to a device or a person," according to FTC Division of Privacy and Identity Protection Associate Director Maneesha Mithal, who added that the agency is taking a broader view of what data needs regulation because the old model is "somewhat obsolete." Conceding the new model is "unpredictable," Mithal said FTC enforcement actions will act as a kind of case law to help guide industry. Meanwhile, newly appointed FTC Commissioner Maureen Ohlhausen has expressed caution about the new approach laid out in the FTC's recent privacy report.

DATA LOSS—U.S.

Online Retailer Announces Breach (May 15, 2012)

A clothing and shoes retailer has reported a breach of its online boutique that compromised customers' personal details, BankInfoSecurity reports. Customers making online purchases between February 16 and March 21 are at risk due to malware discovered on the site, according to the company's CEO in a letter to those affected. "Unfortunately, the hacker may have accessed the names, addresses and credit card information of customers who purchased an item on our website during this period," the letter said. As an e-commerce site, the company is not required to undergo PCI-DSS audits, but can self-assess, which one expert says is a checklist retailers don't take seriously.

HEALTHCARE PRIVACY—U.S.

VA Seeks Comments on EHR System Privacy Policy (May 15, 2012)

The Department of Veterans Affairs (VA) is seeking public comment on its privacy policy for the proposed Virtual Lifetime Electronic Record (VLER) system, Modern Healthcare reports. Data in the system may be shared between the Department of Defense and VA health networks and with outside providers through the proposed Nationwide Health Information Network, the report states. Personal information within the VLER will be subject to the HIPAA privacy rule and a federal privacy law that mandates veterans' consent before a provider discloses personal data pertaining to treatment for drug or alcohol abuse, among other conditions. (Registration may be required to access this story.)

PRIVACY LAW—INDIA

Gov’t Releases Telecom Draft (May 15, 2012)

The Indian government has released the first draft of its national telecom security policy, Livemint reports. The draft aims to balance law enforcement needs for real-time telecom data with individuals' privacy. The policy should ensure "that privacy of (the) individual is not transgressed without valid reasons provided in the law and development needs of the country are not hampered," the draft states. Telecom data privacy has gained increasing attention in India, in part due to the government's demand for Blackberry data and a case involving the recording of a corporate lobbyist's phone conversations.

CHILDREN’S PRIVACY—U.S.

Opinion: With Kids, Tech CEOs Should Be More Accountable (May 15, 2012)

In The Atlantic, James P. Steyer opines that technology executives should not consider children simply as data points. "We need social media business leaders," Steyer writes, "to provide us with the same level of privacy they would want for their own families." With an "unbridled pursuit of data," large Internet companies are creating "platforms that seek more and more control of our personal information and data." Steyer notes, "nobody seems to be asking how you can be a responsible tech CEO and a responsible parent raising healthy children at the same time," adding, "The more that digital media shapes our lives and those of our children, the more we need accountability from the engineers and executives who dominate the tech industry."

DATA LOSS—U.S.

Breaches Hit State, County and University Data (May 14, 2012)
In three separate incidents, personal information was compromised in California and North and South Carolina. The personal data of at least 700,000 recipients of California's In-Home Supportive Services program--some of which reportedly included names, Social Security numbers and wages--may have been compromised when it was lost in the mail, the Los Angeles Times reports. The state has opened an investigation and law enforcement has been notified. Meanwhile, approximately 350,000 Social Security numbers and additional financial data may have been exposed due to a "system misconfiguration" at the University of North Carolina at Charlotte. And, York County, South Carolina, officials have detected a security breach into a web server that could affect the personal data of nearly 17,000 individuals.

PRIVACY LAW—U.S.

FTC Acts as Nation’s Privacy Enforcer (May 14, 2012)

The Obama administration is pushing Congress to enact federal privacy legislation, but in the meantime, the Federal Trade Commission (FTC) has stepped into the role of the "main government agency focused on online privacy protection," reports The Hill. FTC Chairman Jon Leibowitz has referred to the agency as the "nation's privacy protection agency," and in the last year, the agency settled charges with Google, Facebook and Myspace under its jurisdiction over "unfair or deceptive" trade practices, citing privacy agreement violations. In March, the FTC released its online privacy report.

PRIVACY LAW—U.S.

Publisher Wants Verizon Customers’ Data in Copyright Case (May 14, 2012)

Verizon is challenging a book publisher that wants the IP addresses of 10 of its customers accused of illegally sharing electronic copies of a book. Verizon claims the information is "protected from disclosure by third parties' rights of privacy and protections guaranteed by the First Amendment," PCWorld reports. Attorneys for publisher John Wiley & Sons claim that in copyright infringement cases, the right to pursue a "meritorious copyright infringement claim" trumps constitutional rights. A federal district court judge will hear arguments on Verizon's actions during a May 14 conference call.

PRIVACY LAW—CANADA

BC Commissioner Wary of Four Draft Laws (May 14, 2012)

British Columbia Information and Privacy Commissioner Elizabeth Denham has expressed concerns over four pieces of provincial legislation because of potential conflicts with personal privacy and government transparency, The Victoria Times Colonist reports. In letters sent to provincial ministers, Denham has asked the government to withdraw the Emergency Intervention Disclosure Act and is asking lawmakers to alter a law on pharmaceutical drug prices because it gives the health minister too much authority over personal information disclosures; the Coastal Ferry Act because it's a "step backward" for transparency, and the Animal Health Act because it compromises freedom of information legislation, the report states. 

SOCIAL NETWORKING

Facebook Clarifies Data-Use Policy (May 14, 2012)

Forbes reports on changes being made to Facebook's data-use policy, including how it reserves the right to serve ads to users outside of Facebook and a clarification on how long it keeps user data received from advertisers and third parties. Users can provide feedback on the site, or join a video chat with Facebook Chief Privacy Officer Erin Egan this afternoon. The updated policy also provides explanations on how cookies work on the site, what data developers receive when a user downloads an app and what the company does with users' data after deleting an account.

ONLINE PRIVACY

Opinion: Living an ‘Open Life’ a Clear and Present Danger (May 14, 2012)

There are a growing number of advocates for living a publicly open life. The argument, articulated by "some of the smartest and most influential thinkers of the digital revolution" is that we benefit individually and as a society by sharing information, and so privacy regulation should be avoided, opines Don Tapscott for The Malaysian Insider. "But given that there are few social and legal controls over what happens to our personal information, a life plan of 'being open' is probably a big mistake...The clear and present danger is the irreversible erosion of that most enabling of liberties: anonymity," he writes.

MOBILE PRIVACY

Security, Sharing Concerns Persist (May 11, 2012)

A NetworkWorld report looks at the "Trusted Mobility Index" survey of more than 4,000 IT professionals and mobile users in the U.S., UK, Germany, China and Japan who reported "abundant use of mobile devices but profound concerns about security and how employee-owned devices ought to be used for business purposes." Meanwhile, a survey for Intel Corporation on "mobile etiquette and digital sharing showed that 90 percent of Americans think too much is being divulged and nearly half feel overwhelmed by all the data that is out there."

MOBILE PRIVACY—U.S.

Franken Wants Answers from DoJ on Cell Tracking (May 11, 2012)
Sen. Al Franken (D-MN) asked the Justice Department to describe its process for gathering cell phone location data, including how often it requests such data from carriers and what the law should be surrounding the practice, The Hill reports. In a letter to Attorney General Eric Holder, Franken said law enforcement might be "working around" a recent Supreme Court decision stating police need a warrant before using GPS technology to track criminal suspects. Franken asked for an explanation on "whether the Justice Department's practices have changed since the ruling," the report states.

FINANCIAL PRIVACY—FRANCE

CNIL Investigating Contactless Bank Cards (May 11, 2012)

The French data protection authority (CNIL) has begun an investigation into the security of contactless bank cards, Telecompaper reports. The investigation will look at security problems when it comes to near field communication (NFC) technology and any resulting implications on privacy following recent press reports on the matter. "Recent tests reportedly found that NFC payment cards distributed by certain banks could communicate information about their carriers and their transactions over several meters," the report states.

PRIVACY LAW—U.S.

Users File New Complaint, Keep Suit in Federal Court (May 11, 2012)

In order to keep a lawsuit in federal court, two web users have withdrawn a number of complaints against one of the companies that partnered with now-defunct behavioral targeting company NebuAd, MediaPost reports. Wide Open West (WOW) subscribers filed new court papers on Wednesday, alleging WOW violated federal wiretap laws when it intercepted web users' communications and disclosed them to NebuAd. The subscribers' earlier complaints alleged violation of privacy, among others, but a federal judge sent those complaints to arbitration based on WOW's terms of service. The terms make an exception, however, for potential violations of the federal wiretap law.

HEALTHCARE PRIVACY—U.S.

Accretive To Answer Senator’s Questions (May 11, 2012)

The Minneapolis Star Tribune reports that Accretive CEO Mary Tolan plans to answer questions posed by Sen. Al Franken (D-MN) over the company's patient-privacy practices at Fairview hospitals. The company has already missed two deadlines set by Franken for answering the questions, some of which concern an incident involving the loss of an unencrypted laptop containing the personal information of approximately 23,000 Minnesotans. Franken said he is "concerned about the allegations in Attorney General (Lori) Swanson's report, and I want to hear all sides of this story."

PRIVACY LAW—EU

Working Party Releases Draft Agenda (May 11, 2012)

The EU Article 29 Data Protection Working Party has released a draft agenda for its meeting next month in Brussels, Belgium. The main topics that will be discussed include the cloud computing draft opinion; the Binding Corporate Rules for processors draft opinion; a future opinion on purpose limitation; pretrial discovery; European investigation order, and developments on the draft data protection directive.

SOCIAL NETWORKING—CANADA

Lawmaker Calls for Parliamentary Investigation (May 11, 2012)

A Canadian Member of Parliament (MP) is urging a parliamentary committee to investigate whether social media sites have implemented an appropriate level of privacy protection for citizens, CBC News reports. Quebec MP Charmaine Borg is set to bring forth a motion Tuesday at a House of Commons Committee on Access to Information, Privacy and Ethics meeting calling on MPs to probe privacy measures taken by social media sites. "Times are changing, and Parliament needs to keep up," said Borg. "This is the new frontier in managing Big Data and keeping Canadians' privacy safe from the appetites of market research interests." Borg's motion includes a specific call to investigate children's privacy protection on social media sites, the report states.

HEALTHCARE PRIVACY—CANADA

Hospital Fires Seven Over Patient Records Breach (May 11, 2012)

A Peterborough, Ontario, hospital has fired seven employees for breaching patients' privacy, CTV.ca reports. Officials at Peterborough Regional Health Centre say curiosity was the impetus for the breach of at least one of the confidential medical records involved. Hospital Vice President Jane Parr says the facility is working to prevent future breaches.

PRIVACY LAW—U.S.

Lawmakers, Regulators Debate Online Privacy (May 10, 2012)

Representatives from the Federal Trade Commission (FTC) and the Department of Commerce (DoC) testified yesterday in front of a Senate subcommittee to press for Congressional action on the agencies' proposed privacy frameworks. The DoC's Cameron Kerry said, "Granting direct enforcement authority to the FTC would enable the commission to take action against outliers and bad actors even if their actions do not violate a published privacy policy," The New York Times reports. Sen. Pat Toomey (R-PA) cautioned, "Proponents of privacy legislation and of granting the (FTC) authority to regulate online activity really should clearly demonstrate the market failure and consumer harm they seek to address." FTC Chairman Jon Leibowitz said the agency is "optimistic" that a do-not-track mechanism "will be in place by the end of the year." (Registration may be required to access this story.)

PRIVACY LAW—U.S.

Marketing Company, AG Reach $100,000 Settlement (May 10, 2012)

Affiliate marketing company Adscend has reached a settlement with Washington Attorney General Rob McKenna for allegedly violating the CAN-SPAM Act of 2003, MediaPost News reports. According to the allegations, the company and its affiliates misled Facebook users by having them fill out marketing surveys--including their names, e-mail addresses and additional personal data--before viewing "salacious content" that appeared to have been sent from users' friends. As part of the settlement, Adscend agreed that CAN-SPAM applies to content sent via social networking sites and to e-mail inboxes.

HEALTHCARE PRIVACY—U.S.

ONC Launches Dashboard, Releases Tips for Meaningful Use (May 10, 2012)

The Office of the National Coordinator for Health Information Technology (ONC) has launched its new Health IT Dashboard, reports Healthcare IT News. The dashboard allows users interactive access to data related to grants programs, regional extension centers and other health IT adoptions, the report states. Next month, the ONC will release a dashboard related to electronic health records and health information exchange. Meanwhile, the ONC has also released its "Guide to Privacy and Security of Health Information," aiming to help physicians, nurses and IT staff better understand the importance of patient privacy in implementing electronic health records and mobile devices.

PRIVACY LAW—U.S.

Appeals Court Says Plaintiffs Can Sue New Mexico AG (May 10, 2012)

A federal appeals court has sent a lawsuit based on an identity theft law back to a New Mexico district court, LegalNewsline reports. Calling the case non-justiciable, the district court had dismissed the lawsuit filed by credit reporting agencies against state Attorney General Gary King, which alleged the Fair Credit Reporting and Identity Security Act--enacted by the state's legislature--was preempted by the federal Fair Credit Reporting Act. Though the district court ruled the plaintiffs failed to prove "redressability," the U.S. Court of Appeals for the Tenth Circuit has found the plaintiffs do have standing to sue King for injunctive relief.

PERSONAL PRIVACY—U.S.

Professor: Netflix-Backed Amendment Risks Intellectual Privacy (May 10, 2012)

A COMPUTERWORLD blog discusses a proposed amendment to the Video Privacy Protection Act that would allow consumers to give one-time, blanket consent for their viewing preferences to be disclosed by a "videotape service provider" and for that consent to be obtained via the Internet. Netflix supports the amendment, which passed the House in 2011. But a professor at Washington University School of Law says the amendment compromises "intellectual privacy," which allows individuals to use various mediums--such as books, movies and websites--to interpret the world without fear of being judged.

BIG DATA

Opinion: Exploring the Cultural Context of Big Data (May 10, 2012)

In a GigaOM blog post, Jiyan Wei queries whether Big Data is "just a fad or something more profound?" Wei writes that Big Data can potentially help us make better decisions and is mainly comprised of two parts--technological innovation and cultural evolution. Some of the "unique attributes" of Big Data, according to Wei, are the rise in popularity of social media, which has "created a living, breathing archive of human activity"; the "broader cultural and institutional shifts" of data to the cloud, and a "new age of openness and transparency." Wei notes that "making more data available is just one-half of the Big Data equation," adding, "The other half is how we make sense of that data." Meanwhile, COMPUTERWORLD reports on investors "pouring" funds into Big Data.

PRIVACY LAW—UK

Queen Details Communications Bill, Promises “Strict Safeguards” (May 10, 2012)
In her speech this week, Queen Elizabeth announced plans to move forward with the draft Communications Data Bill, which would give the government access to citizens' communications data including the telephone numbers and e-mail addresses of contacts and the time and duration of communications, reports Out-Law.com. Under the bill, communications service providers would be required to hold data for one year and make it available to authorities "under strict safeguards to protect the public," Her Majesty said. Information Commissioner Christopher Graham noted some "core decisions" related to privacy have not yet been made, saying his role is to "look at the details and suggest where there need to be changes." Privacy advocates are voicing concerns over the bill.

PRIVACY LAW—U.S.

Zip Code Class-Action Moves Forward (May 9, 2012)
A federal judge has ruled that a proposed class-action lawsuit against Ikea can proceed, Courthouse News Service reports. Filed in February 2011, the suit alleges that the company's policy of requesting zip codes during purchases violates the Song-Beverly Credit Card Act (SBCCA), the report states. U.S. District Judge William Hayes said the SBCCA "does not provide an exception allowing a retailer to request or require the cardholder to provide personal identification information as a condition of accepting a credit card payment when the individual has previously or subsequently provided any personal information to the retailer. Such an exception would contravene one of the purposes" of the SBCCA, "which is to prevent store clerks from obtaining customers' personal identification information."

PRIVACY LAW—U.S.

Twitter Denounces Court Order; Hackers Breach Spammers' Accounts (May 9, 2012)

MSNBC reports on a motion filed by Twitter requesting that a New York court overturn an order mandating the site disclose user data to prosecutors in a case involving an Occupy Wall Street protester. The company's filing claims the court order violates its own terms of service, the Fourth Amendment and California's Uniform Act. In a statement, Twitter wrote, "As we said in our brief, 'Twitter's Terms of Service make absolutely clear that its users own their content.'" Meanwhile, hackers have reportedly breached as many as 55,000 Twitter accounts--publishing their user names and passwords online. The compromised accounts are thought to be those of spammers and not ordinary users, the report states.

PRIVACY LAW—U.S.

Legislators To Introduce Employee Privacy Bill (May 9, 2012)

Sen. Amy Klobuchar (D-MN) is expected to introduce federal legislation today that would ban employers from requiring current or potential employees to provide passwords to their Facebook or other online accounts, Echo Press reports. Klobuchar will announce the legislation with Sens. Richard Blumenthal (D-CT) and Charles Schumer (D-NY) and Rep. Martin Heinrich (D-NM). "This is about the right to privacy," Klobuchar said. "No person should be forced to reveal their private online communications just to get a job. This is another example of making sure our laws keep up with advances in technology and that fundamental values like the right to privacy are protected." Maryland recently passed a similar bill. Editor's note: For more on this topic, see "Employers are making good use of applicants' social network profiles, but should they?" from the May edition of The Privacy Advisor.

PRIVACY LAW—U.S.

FTC Joins Agencies In Support of FCRA (May 9, 2012)

The Federal Trade Commission has joined the Department of Justice and the Consumer Financial Protection Bureau in submitting a brief supporting the constitutionality of the Fair Credit Reporting Act (FCRA), which allows consumer reporting agencies access to accurate information while protecting consumers from invasion of privacy. The agencies filed a memorandum urging a federal district court to uphold "an important provision of the FCRA, which has protected consumers' privacy for more than 40 years." The brief was filed in opposition to the General Information Service's assertion in Shamara T. King v. General Information Services, Inc., that the FCRA provision restricts free speech by banning credit reporting agencies from disclosing unfavorable information that is more than seven years old.

ONLINE PRIVACY

Carrier IQ Hires Chief Privacy Officer (May 9, 2012)

Carrier IQ is taking action to improve its reputation following a privacy glitch last year, reports The Washington Post. Computer programmers discovered that Carrier IQ software--used by many smartphone service providers--logged users' keystrokes and other personal information, prompting questions from regulators and advocates and a pending class-action lawsuit. The company recently announced that it has hired a new chief privacy officer and general counsel--Magnolia Mobley--and is aiming to instill a "culture of privacy," the report states. (Registration may be required to access this story.)

ONLINE PRIVACY

New Privacy Tools Promote Transparency (May 9, 2012)

Developers are creating new ways for online users to see how their personal data is used by online companies. Independent researcher Ashkan Soltani has helped create MobileScope "as a proof-of-concept tool" that automates the monitoring of "mobile devices for surprising traffic and highlighting potentially privacy-revealing flows," according to a TechRepublic interview. Meanwhile, three Yale students have created Privacy Simplified. The service allows website owners to generate a series of icons to help users more easily understand a company's privacy policy. Author Cory Doctorow said the creators have "done a good job," but "without a compliance mechanism, it's likely that any site that adopts this will only display the icons for their 'good' policies and not show the 'bad' ones."

PRIVACY LAW—U.S.

Myspace Agrees to FTC Settlement (May 8, 2012)
Myspace has agreed to settle Federal Trade Commission charges it misrepresented its protection of users' personal information. The settlement requires Myspace to implement a comprehensive privacy program and calls for privacy assessments for the next 20 years. It also requires that Myspace avoid future privacy misrepresentations. The company's privacy policy said it would not share users' personally identifiable information or use it for purposes other than stated without notice and user consent. But the FTC charged that Myspace provided some users’ Friend IDs, allowing advertisers to “use the Friend ID to locate a user’s Myspace profile to obtain personal information publicly available on the profile and, in most instances, the user’s full name.” Deceptive statements in the company’s privacy policy violated federal law, the FTC said.

PRIVACY LAW—U.S.

Class-Action Suit Against Apple To Move Forward (May 8, 2012)

Despite Apple's request that a federal judge dismiss the lawsuit filed against it by iPhone and iPad users, the suit will move forward, MediaPost reports. U.S. District Judge Lucy Koh has set a trial date of September 16 for the class-action lawsuit that alleges Apple violated user privacy when their devices' unique identifiers were shared with app developers and affiliates. Koh dismissed the suit without prejudice last year because the plaintiffs failed to prove harm. But the new suit amends the complaint, alleging that the plaintiffs wouldn't have paid what they did for the devices had they known their personal information would be transmitted. Apple is fighting the suit.

PRIVACY LAW—U.S.

FTC, DoC To Testify at Senate Hearing (May 8, 2012)

Officials from the Federal Trade Commission (FTC) and the Department of Commerce (DoC) are slated to testify Wednesday in front of the Senate Commerce, Science and Transportation Committee, The Hill reports. FTC Chairman Jon Leibowitz will provide testimony on the Obama administration's Privacy Bill of Rights with recently confirmed Commissioner Maureen Ohlhausen as well as DoC General Counsel Cameron Kerry, the report states.

CLOUD COMPUTING—EU

Working Group Releases Working Paper on Cloud Privacy (May 8, 2012)

The International Working Group on Data Protection in Telecommunications has issued a working paper on privacy and data protection issues related to cloud computing, Hunton & Williams' Privacy and Information Security Law Blog reports. Led by the Berlin commissioner for data protection and freedom of information, the working paper attempts to limit uncertainty around the definition of cloud computing, the report states, and lays out best practices and guidance to reduce risks as well as promote accountability and appropriate governance. The paper also recommends technical safeguards, cloud service agreements and impact and risk assessments, and it discusses the legal requirements toward data subjects, among others.

PRIVACY LAW—U.S.

Lawmakers Aim To Limit Access to Death Master File (May 8, 2012)

U.S. lawmakers are trying to limit access to the Social Security Administration's Death Master File in response to crimes involving identity theft, Bloomberg reports. The legislation responds to instances such as when Illinois resident Lisa Watters filed her taxes and claimed her recently deceased five-year-old son as a dependent and found an identity thief had already done the same. The Death Master File contains information on more than 89 million individuals and is the subject of a U.S. House of Representatives hearing today. Sen. Bill Nelson (D-FL) has sponsored legislation to limit access to the file. Credit reporting agencies, pension funds and life insurers are opposing restrictive proposals that would deny them access to the data they need, the report states. Editor's Note: For more on this topic, read "Accessing public information in the digital age," in May's edition of The Privacy Advisor.

DATA LOSS—U.S.

VA Hospital Investigates Improper Disposal of PII (May 8, 2012)

Bangor Daily News reports on an incident involving the improper disposal of Veterans' Affairs (VA) medical records at a VA hospital in Maine. Unshredded documents containing patient data were placed in a dumpster on the hospital grounds but were discovered by a VA employee. The medical center's privacy officer notified the VA central office, inspected the dumpster and transportation vehicles and repossessed any documents with sensitive information. A spokesman for the VA hospital said the documents never left VA possession. The privacy officer has since set up training and counseling for all employees involved and has conducted follow-up monitoring to ensure the mistake would not be repeated, the spokesman said.

PRIVACY—U.S.

Google Facing FTC Fine (May 7, 2012)
Bloomberg reports Google is negotiating with the Federal Trade Commission (FTC) over the fine it will face following its breach of Apple's Safari Internet browser. The fine could cost $10 million, the report states, and would be the FTC's first fine for Internet privacy violations. Reps. Ed Markey (D-MA) and Joe Barton (R-TX) earlier this year asked FTC Chairman Jon Leibowitz to open an investigation into whether Google violated its 2011 settlement with the commission after a privacy researcher disclosed that a loophole allowed advertisers to place temporary cookies on Safari users' iPhones and iPads without consent. A Google spokesman said the company "will of course cooperate with any officials who have questions."

PRIVACY—U.S.

FBI Proposes Expansion of Wiretap Law (May 7, 2012)

The Federal Bureau of Investigation (FBI) has proposed an amendment to existing law that would require social networking sites, VoIPs, instant messaging and e-mail providers to alter their code to make their products accessible to wiretapping, CNET News reports. The proposal would amend the Communications Assistance for Law Enforcement Act, which currently covers telecommunications and broadband companies. Senior FBI officials argue that Internet communications are making it more difficult for agents to wiretap suspects, the report states. An industry representative familiar with the proposal said, "If you create a service, product or app that allows a user to communicate, you get the privilege of adding that extra coding."

HEALTHCARE PRIVACY—U.S.

Hospital Cited for Repeated Breaches (May 7, 2012)

FierceHealthcare reports that the California Department of Public Health has issued citations against Shasta Regional Medical Center (SRMC) for repeated patient privacy breaches. The CEO of SRMC, which is under Prime Healthcare Services (PHS), sent an e-mail with sensitive health data to approximately 800 employees. Additionally, SRMC's CEO along with its chief medical officer released a patient's medical files to the media. A PHS spokesman said that the organization "continues to believe that the disclosures, if any, were permitted under both federal and state law." The professional practice director of the American Health Information Management Association said, "It fully demonstrates the need for continued privacy and security education and training at all levels within healthcare."

SOCIAL NETWORKING

Facebook Privacy Back in the News (May 7, 2012)

As Facebook prepares to take its stock public this month, "user privacy will have to be a major consideration for potential investors," The Washington Post reports. The company said in its recent U.S. Securities and Exchange Commission filing that changes in user sentiment about its "privacy and sharing," could have a negative impact. POLITICO reports on actions the company has taken in order to navigate through privacy issues. Meanwhile, a survey recently found that users are concerned with the site's "Timeline" feature, which automatically opts users in, and privacy concerns have been raised about the newest version of Facebook Messenger. (Registration may be required to access this story.)

DATA LOSS—U.S.

Class-Action Lawsuit Filed for TRICARE Breach (May 7, 2012)

The Boston Globe reports on last year's breach of TRICARE and a class-action lawsuit filed against Pentagon subcontractor Science Applications International Corp. (SAIC) for the alleged loss of personal data affecting approximately 4.7 million individuals. Seeking unspecified damages, the suit alleges that SAIC "has experienced no fewer than six security failures" since 2005. Rep. Ed Markey (D-MA) said, "The bottom line is that people in charge of safeguarding our service members' personal data need to transition from the twentieth century to the era of iPads," adding, "TRICARE has given me no assurance that it is moving toward such a modern system."

ONLINE PRIVACY

Introducing…Privacy’s “Nutrition” Label (May 7, 2012)

ZDNet reports on the efforts of a pair of entrepreneurs who hope to bring a privacy label to websites worldwide. The Standard Information Sharing Label (SISL), which could resemble a nutrition label, aims to make it easier for companies to communicate about data usage. "Terms of Use policies are ransom notes," says SISL co-collaborator Joe Andrieu. "We agree to all sorts of things we don't understand." He says the label could change that. Andrieu and partner Iain Henderson are raising funds for the project.

ONLINE PRIVACY—EU & U.S.

Regulator Discusses Europe’s Privacy Approach (May 4, 2012)

In an interview with the San Francisco Chronicle, Dutch Data Protection Authority and Article 29 Working Party Chairman Jacob Kohnstamm discusses the European view of privacy, the current do-not-track debate and the status of the European Commission's proposed data protection framework. When asked about the "right to be forgotten," Kohnstamm said that, "fundamentally, behind the principle of the right to be forgotten is this idea that you shouldn't judge a child on its childish behaviour 20 years later." Kohnstamm has recently called on several large Internet companies to respect European privacy regulations.

DATA THEFT

Card Processor Breach Grows (May 4, 2012)
The Wall Street Journal reports that the data breach announced by Global Payments last month might have exposed more account details than originally estimated. Initial reports of the breach stated that about 1.5 million credit and debit cards were compromised, but now it is believed that seven million accounts may have been exposed. (Registration may be required to access this story.)

MOBILE PRIVACY—U.S.

Experts Debate App Privacy Responsibility (May 4, 2012)

A group of experts and industry representatives convened yesterday to discuss mobile app privacy but didn't agree on who bears the responsibility of protecting user privacy, IDG News Service reports. Independent security and privacy researcher Ashkan Soltani said app developers are most responsible for protecting privacy and should commit to a standard set of privacy practices, adding, "We can try to exercise some maturity in app development." The founder of app vendor TMSoft warned that there will always be renegade app developers, and the Interactive Advertising Bureau's Sarah Hudgins said there needs to be a wider effort in privacy protection. "This is a shared responsibility," she said. "At the end of the day, this has to be a community effort."

DATA RETENTION—AUSTRALIA

Roxon: Public Would Have Say in Legislative Amendments (May 4, 2012)

The Australian government will seek public input on potential legislative reforms that could require telecommunications companies to retain communications data, ZDNet reports. The government wants to reform national security legislation, and a parliamentary committee is exploring whether amending the Telecommunications (Interception and Access) Act 1979 to include retention terms could help investigators. Attorney General Nicola Roxon said this week that "the Gillard government wants to give the public a say in the development of any new laws," adding, "National security legislation is important, but also important is the trust and confidence that Australians have in those laws."

PRIVACY LAW—U.S.

Confusion Around Location Tracking Law (May 4, 2012)

POLITICO reports on "the high-stakes privacy debate" over how law enforcement tracks citizens using geolocation data and how Congress has left the issue up to the courts. A San Francisco law professor said, "It couldn't be more up in the air than it is right now...Practices just vary magistrate judge to magistrate judge and law enforcement agency to law enforcement agency." A Justice Department official called on Congress Thursday to clarify the law, adding, "There really is no fairness when the law applies differently to different people depending on which courtroom you are standing in." There are bills pending in both Houses of Congress, but Sen. Ron Wyden (D-OR) said it will be "a real challenge" to get the Senate bill passed soon.

SOCIAL NETWORKING—U.S.

Consumer Reports: Facebook Users Unaware of Privacy Controls (May 4, 2012)

A Consumer Reports survey suggests that Facebook users might be uninformed when it comes to how to protect their privacy on the site. The survey found that out of the 150 million Facebook users in the U.S., nearly 13 million don't use or aren't aware of the site's privacy settings, and 28 percent of those polled share all or almost all of their wall posts with people beyond those designated as their "friends" on the site, CNET News reports. The survey also found that 4.8 million people have posted details about where they will spend their day, putting them at risk for attracting burglars. The report offers privacy tips, among them, "think before you type."

PRIVACY LAW

Regulators May Reopen Inquiries (May 3, 2012)
European regulators say they may reopen inquiries into Google's Street View project following the release of a U.S. Federal Communications Commission (FCC) report, The New York Times reports. Regulators in the UK, Germany and France may take action. Johannes Caspar, Hamburg's data protection commissioner, says the FCC report's revelations will have a big impact. "This is apparently a totally different situation than what we thought initially," he said, adding that it's time for data protection authorities worldwide to hold the company accountable. Questions have recently been raised about the role of data privacy within data-driven organizations. (Registration may be required to access this story.)

PRIVACY LAW—U.S.

Senate To Examine Privacy Bill of Rights (May 3, 2012)

A Senate committee will examine the Obama administration's plans to protect user privacy, The Hill reports. The Senate Commerce, Science and Transportation Committee will hold a hearing May 9 on the administration's "Privacy Bill of Rights," released in February. The House Subcommittee on Manufacturing and Trade held its own hearing on the topic in March. Advocates and experts have voiced concerns about the proposed framework, with Rep. Mary Bono Mack (R-CA) citing concerns about economic impact and advocates releasing a preferred set of principles.

MOBILE PRIVACY—U.S.

Rep. Markey Questions Telecoms on Police Access to Mobile Data (May 3, 2012)

Where should the line be drawn between granting law enforcement officials the tools they need to solve crimes and protecting the public's privacy? Seeking answers to this question, Rep. Ed Markey (D-MA), co-chairman of the Congressional Bipartisan Privacy Caucus, has sent a letter to eight major wireless carriers indicating his concern that police tracking of cell phone users "may violate the privacy rights of Americans." Markey is seeking data from the carriers on how many requests they have received from police for cell tracking and surveillance operations and whether warrants have been required, among other questions. Gray areas in the law have created discrepancies on which cases require warrants, The New York Times reports. (Registration may be required to access this story.)

PRIVACY LAW—U.S.

Federal Judge Dismisses DPPA Class-Action (May 3, 2012)

The U.S. Court of Appeals for the Sixth Circuit has upheld a lower court's dismissal of a class-action lawsuit over the bulk purchase and distribution of personal information obtained from a state's motor vehicle records, LegalNewsline.com reports. A district court ruled in December 2010 that the purchase by Ascom Transport System Inc. did not violate the Driver's Privacy Protection Act (DPPA). In a ruling filed Monday, U.S. District Judge Lawrence Zatkoff said, "Plaintiffs have not cited any case law, legislative history or other 'any authority or persuasive argument for concluding that (the DPPA) clearly and unambiguously limits disclosure of personal information to one individual at a time.'"

PRIVACY—CANADA

OPC Awards $500,000 for Privacy Research (May 3, 2012)

The Office of the Privacy Commissioner of Canada (OPC) announced Wednesday the recipients of its 2012-2013 Contributions Program, which awarded $500,000 for 11 independent research and awareness projects. The program touches on all four of the OPC's policy priorities: identity integrity and privacy; information technology and privacy; genetic information and privacy, and public safety and privacy, according to an OPC press release. Privacy Commissioner Jennifer Stoddart said, "By supporting privacy research, my office is encouraging the exploration of complex privacy issues as well as the development of information and tools to help Canadians make informed decisions about protecting their personal information."

ONLINE PRIVACY

Researcher Proposes Stock Exchange for Personal Data (May 3, 2012)

A senior fellow at HP Labs has proposed an alternative marketplace for personal information, Technology Review reports. Bernardo Huberman, director of HP Labs' Social Computing Research Group, coauthored "A Market for Unbiased Private Data: Paying Individuals According to their Privacy Attitudes," which proposes a framework similar to the New York Stock Exchange for personal data. Huberman said, "There's an immense amount of value in data about people...That data is being collected all the time." With the help of a trusted market operator, the proposed marketplace would give consumers control and compensation for transactions of their personal data based on their privacy preferences. The proposal could pose challenges to social networking sites, according to one report.

ONLINE PRIVACY

The Impact of an Engineering Culture on Privacy (May 2, 2012)
The news of recent weeks has been rife with articles about global regulators' scrutiny of data collection practices. Since the release of the U.S. Federal Communications Commission's report on its investigation into Google's collection of payload data from global WiFi networks, and the subsequent release by Google of non-redacted portions of that report, new investigations into the company's actions have been called for and contemplated, and questions have been raised about the appropriate role of data privacy within data-driven organizations. In this InformationWeek article, Mathew Schwartz explores how an engineering culture can challenge privacy efforts.

PRIVACY LAW—AUSTRALIA

Reforms Aim To Boost Privacy Protections (May 2, 2012)

Australian Attorney General Nicola Roxon announced this week measures that will tighten rules over organizations' use of personal information and provide the privacy commissioner with additional investigative powers, The Australian reports. The privacy commissioner will be able to order an organization to cease certain conduct, pay compensation or take "reasonable actions to redress any damage," the report states, and the measures will allow for stricter regulation of personal data used for direct marketing or being moved out of the country. Roxon said, "In introducing these changes, the Gillard government is doing its bit to protect the privacy of Australian families." Privacy Commissioner Timothy Pilgrim said the new powers will allow him "to resolve major privacy investigations more effectively." (Registration may be required to access this story.)

SOCIAL NETWORKING

Organ Donation Feature Garners Applause and Warnings (May 2, 2012)

The announcement of Facebook's new feature allowing people to add organ donation status to their profiles has members of Congress and organ donation advocates lauding the company, but Deven McGraw of the Center for Democracy and Technology warns that medical information on Facebook isn't protected under healthcare privacy laws, noting, "The sensitivity of health information underscores the need for there to be some baseline regulations on privacy protection to guard people." While one expert says a Facebook declaration is legal, questions remain, and privacy settings mean doctors may need to gain access to users' donation preference. Rep. Mary Bono Mack (R-CA) has praised the company for including "important privacy safeguards" in the feature.

DATA PROTECTION

Felten: Anonymization May Not Anonymize As Presumed (May 2, 2012)

In two blog posts, FTC Chief Technologist Ed Felten discusses the efficacy, or inefficacy, of hashing and pseudonyms when it comes to data anonymization. Hashing is a mathematical function often used to create pseudonyms for sensitive data such as Social Security numbers. But Felten says the assumption that hashing "is sufficient to anonymize data is risky at best, and usually wrong." In addition, he writes, an online pseudonym can be tracked over time, revealing details about a user that could eventually lead to identification. The practice of using Social Security numbers as pseudonyms is risky, Felten writes, because they're shared across many data collectors for decades and are difficult to change.

PRIVACY LAW

Are Privacy Class Actions Helping Or Hurting? (May 2, 2012)

Though privacy advocates often cheer class-action lawsuits, such praise should be reconsidered, opines Santa Clara University High Tech Law Institute Director Eric Goldman in his essay "The Irony of Privacy Class Action Litigation." For example, most class actions typically require consumers to opt out of the suit, not opt in, which privacy advocates generally disapprove of in commercial settings. Further, consumers typically lack meaningful choice when it comes to opting out of a class-action suit, and class-action lawyers may sometimes advance their own agendas rather than their clients', Goldman writes, adding that if "enforcement will undercut the ideals encoded in the underlying privacy rights, perhaps privacy advocates aren't making real progress." Editor's note: For more on this topic, see "Empirical Analysis of Data Breach Litigation." (IAPP member login required.)

PRIVACY LAW—EU & SPAIN

Opinion: New EU Framework Good for Data Processors (May 2, 2012)

In a Privacy and Information Law Blog post, Nuria Pastor reasons that the new EU draft data protection framework is "good news" because "data processors have finally been given a voice." Pastor adds that "Binding Safe Processors Rules are the obvious next step for global data processors," but some European-based processors will not have to wait long. The Spanish data protection authority recently drafted proposed model clauses "that will allow data processors in Spain to engage sub-processors outside" the European Economic Area (EEA). By providing a more flexible mechanism to cover processor-to-processor exports, these new model clauses could "eliminate some of the regulatory barriers that place EU processors at a competitive disadvantage with their non-EEA competitors."  

ONLINE PRIVACY—EU & U.S.

EU Regulator Pressures U.S. Tech Companies (May 1, 2012)
While touring Silicon Valley, Jacob Kohnstamm, chairman of the EU's data protection regulatory group, warned that U.S. tech companies should respect European privacy regulations or face the consequences, adding, "Enforcement actions will be taken against them," NPR reports. Kohnstamm says European users should be able to prevent websites from tracking them online. "To say American companies rule this world could be a very dangerous sort of thinking," said Kohnstamm. The Digital Advertising Alliance's Stu Ingis said, "I can tell you as somebody who's around these companies every day that they're creating untold benefits to both our economy and to consumers, and it'd be a shame if the Europeans want to limit those benefits."

PRIVACY LAW—U.S.

Accretive Wants MN AG’s Lawsuit Dismissed (May 1, 2012)

Attorneys for debt-collection agency Accretive have filed a motion for dismissal in response to a lawsuit filed by Minnesota Attorney General Lori Swanson, Minnesota Public Radio reports. The lawsuit alleges that Accretive accessed medical information through its relationship with two Minneapolis hospitals, used the data to gain patients and shared the data with its investors--all without patient consent. Swanson released her report on the case last week, calling the practices "abominable" and "abusive" and a violation of privacy laws. Accretive calls the findings baseless. Meanwhile, Sen. Al Franken (D-MN) has written to the company outlining his concerns and requesting a response by May 4, and Rep. Pete Stark (D-CA) has called for a federal investigation.

PRIVACY LAW—CANADA

Adjudicator: Police Breached Employee Privacy (May 1, 2012)

Calgary Police Service (CPS) has violated the Freedom of Information and Protection of Privacy Act, an adjudicator has found, after it accessed a woman's personal e-mail account during a workplace investigation, CTV News reports. During CPS's monitoring of the woman's computer activities following complaints about her behavior, an IT manager found login and password information to the woman's personal e-mail account, revealing evidence of misconduct and leading to the woman's termination. An Office of the Information and Privacy Commissioner adjudicator ruled that the evidence was not "necessary" to the investigation because it was obtained via unauthorized use of the woman's personal information. CPS has been ordered to stop the practice and provide employee training on data collection and use during investigations.

BEHAVIORAL TARGETING—U.S.

Uncovering the Data-Sharing Trail (May 1, 2012)

In a column for The New York Times, Natasha Singer reports on her personal investigation into how information brokers use and share some of her personal data. Singer notes that "there's no easy way for consumers in the United States to track the data dealers who profile our spending, web browsing and social media habits" for the purpose of advertising. By subscribing to a number of magazines--spelling her name differently for each one--Singer was able to track with whom her information was shared. "Although all of the magazines contacted for this article said the subscribers could opt out," Singer wrote, "some publishers took a more active approach than others to notifying readers of their practices." (Registration may be required to access this story.)

ONLINE PRIVACY—NEW ZEALAND

Survey: User Privacy Concerns Up, Support Accountability (May 1, 2012)

A new UMR research survey shows that concerns among New Zealanders about online privacy are growing and that a majority of respondents think public- and private-sector organizations should be held accountable for breaches of the Privacy Act, according to the Office of the Privacy Commissioner of New Zealand. Commissioner Marie Shroff said, "The survey shows that people are increasingly conscious of privacy while they're engaging online, so there are some lessons in here particularly for the Internet corporate giants." Approximately 88 percent of the respondents also said they wanted businesses punished for compromising personal information.

BEHAVIORAL TARGETING—U.S.

Study: Users Concerned With Mobile Payment Data Sharing (May 1, 2012)

A new study has found that consumers are uneasy with the idea that mobile devices may divulge their personal information to marketers. Law professors Chris Hoofnagle and Jennifer Urban from the University of California, Berkeley, surveyed 1,200 Americans and found that four out of five "objected to the transfer of their phone number to a store where they purchase goods," The New York Times reports. Three percent said they would "definitely allow it." Consumers were less concerned with the sharing of their e-mail addresses, however. As mobile payment transactions increase on social networking sites, the researchers warned of the potential for transaction histories to be added to already "rich databases of behavioral information." (Registration may be required to access this story.)