Privacy News | Daily Dashboard


Top Privacy News

PRIVACY LAW—U.S.

Trial Lawyers: Make a Privacy Mistake, Expect a Lawsuit (June 29, 2012)
MIT's Technology Review reports on privacy as "big business for trial lawyers," suggesting "companies that make privacy mistakes can expect a lawsuit." The report features insights from trial lawyers, including one who, in the past eight months, has sued four tech and web giants "alleging that the companies violated U.S. wiretapping laws and committed computer fraud when they tracked users on the web or via their smartphones in ways that broke the companies' own privacy policies." Another attorney points out, "There is a mushrooming number of cases...A decade ago privacy was a distant worry among CEOs and boards of directors, but now it's a full-blown hurricane."

MOBILE PRIVACY—U.S.

Children’s App Maker Agrees to Settle with NJ AG (June 29, 2012)

A Los Angeles-based mobile app maker has agreed to stop collecting and transmitting personal information gleaned from children who play a series of educational games on mobile devices, the Associated Press reports. New Jersey's attorney general filed a lawsuit against 24x7digital, LLC, because the company allegedly did not tell users that it was providing first and last names and mobile device unique identifiers to third parties. As part of the consent decree, the company also agreed to destroy previously collected data. Meanwhile, in a column for POLITICO, Future of Privacy Forum Co-Chairmen Jules Polonetsky, CIPP/US, and Christopher Wolf write that privacy in the mobile app landscape "will not be easy."

PRIVACY LAW—AUSTRALIA

Regulators: Company Breach Violates Multiple Laws (June 29, 2012)

The Australian Privacy Commissioner and the Australian Communications and Media Authority (ACMA) have both announced that telecommunications company Telstra violated the Privacy Act and the Telecommunications Consumer Protections Code when more than 700,000 customer records were made publicly accessible, The Sydney Morning Herald reports. ACMA Chairman Richard Bean said, "We are most concerned about the length of time--more than eight months--during which a significant number of Telstra customers' personal information was publicly available and accessible." It is believed the ACMA will send a "direction to comply" to the company, the report states.

DATA LOSS—U.S.

A Breach, Alleged Breach and a Community Service Sentence (June 29, 2012)

The University of Texas MD Anderson Cancer Center is notifying some patients that their Social Security numbers (SSNs) and other information have been made vulnerable due to the theft of an unencrypted laptop from the home of a doctor in April, EHR Intelligence reports. Meanwhile, San Jose State University officials are disputing a hacker's claims about stealing 10,000 SSNs from a school server. They say the hacker accessed student ID numbers, not SSNs, KTVU.com reports. In Minnesota, a Dakota County judge has sentenced three middle school students to probation, community service and empathy classes after they pleaded guilty to inappropriately distributing certain photographs of classmates.

FINANCIAL PRIVACY—U.S.

Updates to PCI DSS Standards Effective Soon (June 29, 2012)

Network World reports on modifications to the Payment Card Industry Data Security Standards, effective at the end of the month. The most significant change is a new requirement for "risk rankings to vulnerabilities," the report states, which means any business "dependent on processing customer debit and credit card information must now be able to show they are not only aware of known vulnerabilities but can demonstrate that they have a process for ranking them according to risks to their own systems and software." One expert described the updates as an "evolution of the requirements."

PRIVACY LAW—U.S.

Lawmakers, Stakeholders Disagree on Self-Regulation’s Merits (June 29, 2012)

The spokesman for an advertising trade group has told U.S. lawmakers industry doesn't need new privacy legislation because it is doing a good job of protecting users' privacy, PCWorld reports. "Our self-regulatory system works," said Bob Liodice, president and CEO of the Association of National Advertisers. But Sen. Jay Rockefeller (D-WV), chairman of the Senate Commerce, Science and Transportation Committee, said at a Thursday hearing that self-regulation is insufficient and indicated concerns about the online tracking of children. "Until consumers are adequately protected, I will continue to push for legislation, and hold hearings, to address this imbalance," Rockefeller said.

IDENTITY THEFT

Support Centre Launched To Combat Crime (June 29, 2012)

The Canadian Identity Theft Support Centre launched in Vancouver yesterday to combat the nation’s fastest-growing crime, reports the Toronto Sun. The centre provides a help line, employing four people to provide phone support, and a step-by-step manual to use if you suspect your identity has been stolen. Privacy Commissioner Jennifer Stoddart lauds the creation of the centre but says, “The responsibility for stopping identity theft is a shared one. Individuals must learn how to best protect themselves. Businesses big and small must improve their security safeguards, constantly. Responsibility also rests with law enforcement agencies and with governments.” Stoddart would also like to see passage of key privacy legislation such as an anti-spam bill.

ONLINE PRIVACY—IRELAND

Facebook, LinkedIn “Beefing Up” Privacy Teams (June 28, 2012)

Reuters reports on moves by Facebook and LinkedIn to strengthen their privacy and compliance teams. Following Facebook’s agreement in December to revamp its privacy protection for international users in the wake of concerns from Ireland’s Office of the Data Protection Commissioner (DPC), Deputy DPC Gary Davies said, "They're beefing up their privacy functions in Ireland by bringing in people who've taken a lead in the U.S.” Meanwhile, in the wake of a recent breach currently under investigation by the DPC, a LinkedIn spokeswoman said, “We are putting additional privacy resources in Ireland and moving one of our key directors to our International HQ in Dublin.”

PRIVACY LAW—U.S.

House Subcommittee Passes VA Breach Notification Bill (June 28, 2012)
A House Veterans' Affairs subcommittee has passed a bill requiring the Veterans' Affairs Department to notify veterans and the general public of breaches within 10 days of an incident, AirForceTimes reports. HR 3730, the Veterans' Data Breach Timely Notification Act, is sponsored by Rep. Joe Donnelly (D-IN) and has the support of the American Legion. A representative from the American Legion said, "With the rising tide of identity theft and other cybercrimes, veterans have as many concerns about the security of their personal information as any other citizen."

PRIVACY LAW—U.S.

Court Dismisses Real Estate Case (June 28, 2012)

The U.S. Supreme Court has decided to reverse its decision to hear First American Financial Corp. v. Edwards, a case experts had said could have had "a profound impact on the data privacy class actions that have become a routine nuisance for Internet companies." If the case had been allowed to continue, the ruling was said to likely have affected the outcome of a class-action lawsuit against Apple, determining whether a plaintiff may sue if they can't demonstrate injury. The court said today the "writ of certiorari is dismissed as improvidently granted."

PRIVACY LAW—U.S.

EPIC Asks FTC To Probe Facebook on E-mail Switch (June 28, 2012)

The Electronic Privacy Information Center (EPIC) has sent a letter to the U.S. Federal Trade Commission (FTC) stating Facebook's recent e-mail change shows the company "still believes that it can override users' preferences without informing them or obtaining their consent," MediaPost reports. Facebook recently started displaying Facebook.com e-mail addresses within users' profiles rather than the e-mail addresses users had submitted. Although users may reverse the change, EPIC has asked the FTC to probe the company. "It is widely known that access to user e-mail provides additional opportunities for commercialization of data. And the collection of e-mail necessarily creates new security risks for users," EPIC wrote.

HEALTHCARE PRIVACY—U.S.

GAO Report Criticizes HHS Secondary Use Protections (June 28, 2012)

A Government Accountability Office (GAO) report states the U.S. Department of Health and Human Services (HHS) has not adequately safeguarded personal health information when electronic prescribing data is used for secondary purposes, FierceHealthIT reports. The GAO report also says that the Office for Civil Rights has not done enough to enforce privacy and security mandates under HIPAA. Meanwhile, a Consumers Union and Center for Democracy and Technology report says health data protection laws are not keeping pace with changes in health IT.

PRIVACY LAW—U.S.

Reports Examine FTC Efforts To Address Data Collection (June 28, 2012)

An investigative report published in Wired suggests "the federal government is often the last to know about digital invasions of your privacy." Focusing on the Federal Trade Commission (FTC) in its role as "lead agency in the government's effort to ensure that companies do not cross the still-hazy border between acceptable and unacceptable data collection," the report suggests, "the agency's ambitions are clipped by a lack of both funding and legal authority, reflecting a broader uncertainty about the role government should play in what is arguably America's most promising new industry." Meanwhile, an InformationWeek report examines the recent Spokeo settlement, suggesting the FTC is attempting to enforce the differences between consumer reporting agencies and "people search" services.

BIOMETRICS

Digital Assistant Voiceprints Raise Privacy Concerns (June 28, 2012)

MIT's Technology Review reports on Apple's digital assistant Siri and its use of the human voice as a biometric identifier. The voice command is sent to company servers and broken down by feature extraction to pull out relevant characteristics. Voiceprints can be linked to an individual, which raises concerns that accidental disclosure, hacking or subpoenas could compromise an individual's privacy. A voice recognition researcher said, "Maybe anything that IDs you should stay on the phone," adding that not sending the full voiceprint waveform "would meaningfully improve privacy..." Apple has said that voiceprints are not linked to other user information.

HEALTHCARE PRIVACY—U.S.

OCR Publishes Compliance Audit Protocols (June 28, 2012)

GovInfoSecurity reports the Department of Health and Human Services' Office for Civil Rights (OCR) has released the official protocol for ongoing HIPAA-compliance audits. The protocol offers a detailed breakdown of audit procedures, the report states, and will be used by KPMG to conduct the OCR's audits. It includes 77 areas of evaluation for the HIPAA Security Rule and 88 for the Privacy and Breach Notification Rule. The OCR has said KPMG will conduct 115 compliance audits this year. The first 20 were recently completed.

CONSUMER PRIVACY—U.S.

FTC’s Vladeck Discusses Enforcement Actions, Future (June 27, 2012)
In a Q&A with MIT's Technology Review, Federal Trade Commission (FTC) Bureau of Consumer Protection Director David Vladeck discusses the risks consumers face online, the significance of recent enforcement actions and changing the privacy paradigm to meet the challenges posed in the digital age. Vladeck said the 20-year audits levied in recent settlements are "important signals to industry." In addition to urging industry self-regulation around do not track, the FTC is bringing in more technology experts for its "forensic mobility lab" and warns that the emerging practice of using smartphones as wallets will pose new security and privacy challenges.

PRIVACY

NAAG Theme for 2012: Privacy in the Digital Age (June 27, 2012)

Maryland Attorney General Doug Gansler has been elected president of the National Association of Attorneys General and has selected "Privacy in the Digital Age" as the year's theme. In this exclusive for The Privacy Advisor, Gansler discusses his ambitions to find the line between privacy invasions and companies' legitimate business interests, encouraging companies to be transparent and attorneys general's increasing role as the "Internet police." Gansler says no one seems to have the answer yet on where the line should be drawn between consumer privacy rights and companies' rights to pursue their business interests, but he hopes to help define that line throughout the next year.

FINANCIAL PRIVACY

Authorities Arrest Two Dozen for Computer Crimes (June 27, 2012)

The New York Times reports that authorities in 13 countries have arrested two dozen people accused of committing fraud involving computer crime. "Operation Card Shop" was a two-year effort, authorities said, and prevented potential losses of more than $200 million by notifying credit card providers of more than 400,000 compromised credit and debit cards. Janice Fedarcyk, assistant director of the U.S. Federal Bureau of Investigation, said the arrests would cause "significant disruption to the underground economy." Arrests took place in countries such as the U.S., UK, Bosnia, Bulgaria, Norway and Germany. (Registration may be required to access this story.)

HEALTHCARE PRIVACY—U.S.

Alaska To Settle for $1.7 Million (June 27, 2012)

Alaska will pay $1.7 million to the federal government for a 2009 security breach involving patient data--the second largest HIPAA settlement and the first against a state agency, alaskapublic.org reports. A federal investigation into the breach "found inferior security measures in place at Alaska's Department of Health and Social Services," the report states. The incident involved the theft of a portable hard drive from the car of an employee of the State Department of Health and Social Services. Susan McAndrew of the U.S. Department of Health and Human Services said the settlement amount is high because of the number of infractions and the security lapses being "fairly fundamental and fairly longstanding."  

PRIVACY

Hong Kong DPA Releases APPA Forum Highlights (June 27, 2012)

Hong Kong Office of the Privacy Commissioner for Personal Data has released a communiqué featuring highlights from the 37th Asia Pacific Privacy Authorities (APPA) forum. Participants, including government representatives from Australia, Canada, Korea, New Zealand and the U.S., discussed topics such as global privacy enforcement, Google's new privacy policy, information on public registers, smartphone apps, legal assistance to aggrieved data subjects and direct marketing regulation. Government representatives from Japan, Macao and Portugal joined the meeting as observers. Editor's note: The Privacy Advisor recently caught up with Hong Kong Privacy Commissioner for Personal Data Allan Chiang for a Q&A.

ONLINE PRIVACY—U.S.

Researchers Releasing Web Privacy Census (June 27, 2012)

San Francisco Chronicle reports on a tool from University of California Berkeley researchers to measure online consumer tracking. The Web Privacy Census is a process to survey top websites "to evaluate the amount and kind of monitoring under way," the report states, the goal being to create benchmarks on Internet marketers' practices and help inform the debate on online privacy. "We want to provide a longitudinal and empirical basis for the description of privacy problems online," said Chris Hoofnagle, director of information privacy programs at UC Berkeley. Meanwhile, TRUSTe has released the second Consumer Confidence Edition of its Privacy Index Series, which measures privacy concerns of U.S. consumers.  

PRIVACY LAW—U.S.

CA Inching Toward Social Media Privacy Law (June 27, 2012)

California's Assembly Judiciary Committee has unanimously passed a bill seeking to prohibit the practice of requiring students to share social media passwords with school and university officials, the Los Angeles Times reports. SB 1349 has already been approved by the full Senate and now moves to the Assembly Higher Education Committee for consideration. Its companion bill, SB 1844, seeks to prohibit the same practice by businesses and is scheduled to be heard today by the Senate Labor and Industrial Relations Committee, the report states. Meanwhile, a student has created "We Know What You're Doing" to help raise awareness around ill-suited social media posts.    

PRIVACY LAW—U.S.

Nine “Key” Facts to LinkedIn Lawsuit (June 27, 2012)

InformationWeek reports on the class-action lawsuit levied against LinkedIn for allegedly failing to follow "industry standard" security practices and presents nine facts related to the incident. The lawsuit does not cite a compromised U.S. statute, but rather points to the company's privacy policy, which states that it protects personal data "in accordance" with industry standards. Columnist Mathew Schwartz points out that facts relating to the breach are scarce and that it will be difficult for the plaintiffs to prove they sustained harm as a result of the event. 

PRIVACY LAW—U.S.

FTC Files Suit Against Wyndham Hotels (June 26, 2012)
The Federal Trade Commission (FTC) announced today it has filed suit against Wyndham Worldwide Corporation and three of its subsidiaries citing "alleged data security failures that led to three data breaches at Wyndham hotels in less than two years" resulting in "fraudulent charges on consumers' accounts, millions of dollars in fraud loss and the export of hundreds of thousands of consumers' payment card account information to an Internet domain address registered in Russia." The FTC alleges Wyndham's privacy policy misrepresented security measures; the failure to protect personal information "caused substantial consumer injury," and "security practices were unfair and deceptive and violated the FTC Act."

BEHAVIORAL TARGETING—UK

Supermarket To Target Shoppers By Wealth (June 26, 2012)

Daily Mail reports on moves announced by UK grocer Tesco to divide its loyalty card customers into "wealthy" and "poor" tiers in order to tailor its website to each shopper accordingly. Perceived wealthier shoppers may see ads for fine foods, while less wealthy consumers may see "Tesco's Value promotions." Company head Phil Clarke said, "We're now making changes to our UK website to highlight promotions that are relevant to the customer who is browsing the site," adding, "Using Clubcard data, we would show, for example, offers of our everyday Value range to price-sensitive customers, and offers of our Finest range to more upmarket customers."

ONLINE PRIVACY—EU

European Regulators Back DNT Feature (June 26, 2012)

COMPUTERWORLD reports that European regulators have urged the World Wide Web Consortium (W3C) to let Microsoft set users' do-not-track (DNT) features in its soon-to-be-released Internet Explorer 10 (IE10) browser. The European Commission (EC) also asked the W3C to require browser makers to showcase DNT options when users first install a browser. The head of the EC's Information Society and Media Directorate-General said, "The standard should foresee that at the install or first use of the browser, the owner should be informed of the importance of the DNT choice, told of the default setting and prompted or allowed to change that setting."

BIG DATA—U.S.

Is Big Data Eroding Privacy? (June 26, 2012)

"Big data, particularly personal data analysis, is eroding privacy," writes Kate Knibbs in a piece for Mobiledia. And without policy changes from government and major sites, "this is the way the Internet, and society at large, is headed," she says. But big data is valuable to both companies and government, with government using social media sites to monitor for potential criminal activity, for example, and companies using personal data analytics to improve profits. "Governments will continue to comb through and analyze personal data for their own ends, and this is highly unlikely to slow down or stop," Knibbs predicts.

BEHAVIORAL TARGETING—JAPAN

Officials Ask Whether New Ad System Violates Privacy (June 26, 2012)

The Daily Yomiuri reports on concerns that "interest-matching advertising technology Yahoo! Japan is adding to its free mail service in August will violate the privacy of its users because it displays ads based on analysis of their e-mails." Yahoo has said the technology will not infringe upon privacy because consent will be sought from e-mail users, but the report notes that "the ad technology will read e-mails that have been sent to Yahoo members by people who do not use the free mail service." Japan's Internal Affairs and Communications Ministry has said it will question the company in July to determine whether the ad system violates the Telecommunications Business Law.

DATA THEFT—U.S.

CFTC, Nonprofit Hit By Data Breaches (June 26, 2012)

As a result of a "phishing" e-mail, the U.S. Commodity Futures Trading Commission (CFTC) experienced a data breach affecting employees' Social Security numbers (SSNs) and other personal information, Bloomberg reports. According to the CFTC, "The e-mail account contained e-mails and attachments with the names, SSNs and possibly other sensitive personally identifiable information of certain individuals." Meanwhile, a nonprofit agency, Towards Employment, was hit by a breach after a laptop was stolen. The compromised computer, which was password protected, held a database with names, addresses and SSNs of approximately 26,000 of the group's clients.

SOCIAL NETWORKING

Opinion: Facebook Feature Should Allow Users Choice (June 26, 2012)

In an opinion piece for PCWorld, Charles Ripley discusses privacy concerns about a new Facebook feature called "Find Friends Nearby." The feature allows users to find new online friends by searching for strangers within a certain proximity of the user's location who wish to expand their social network. The feature "doesn't seem to offer any way to restrict who can see you, so you should be careful," Ripley opines, adding that if Facebook wants to avoid a major privacy backlash, "it should implement some security controls" and allow users to choose who sees their data.

PRIVACY LAW—EU

Reding: Right To Be Forgotten Must Be Balanced (June 25, 2012)
In a speech last week, European Commissioner for Justice Viviane Reding discussed the right to be forgotten provision within the proposed EU Data Protection Regulation. The right to be forgotten “like the general right to privacy…needs to be reconciled with other rights protected by the EU Charter of Fundamental Rights,” said Reding. The European Parliament’s Economic and Social Committee has recommended the regulation be treated as a floor and not a ceiling, reports Hogan Lovells’ Chronicle of Data Protection. Meanwhile, Jeff Rosen recently opined that though the EU’s treatment of the right to be forgotten might go “overboard,” the threat of regulation may prompt companies to help empower users to clean up their online reputations. Editor’s Note: The Privacy Advisor recently caught up with Irish Data Protection Commissioner Billy Hawkes on the right to be forgotten in this article for the July/August edition

PRIVACY LAW—U.S.

Federal Bill Would Compel Companies To Disclose Breaches (June 25, 2012)

A bill introduced into the U.S. Senate last week would require corporations and other entities to disclose data breaches. Sen. Pat Toomey (R-PA) introduced the Data Security and Breach Notification Act of 2012, which would preempt state data breach laws and create a national standard, Broadcasting & Cable reports. “A number of recent high-profile data breaches combined with the messy patchwork of 46 different state laws highlight how difficult it is for consumers to know their personal information is secure,” Toomey said, adding, a federal law would provide certainty for businesses and ensure “that all consumers and their personal information are afforded the same level of protection.”

HEALTHCARE PRIVACY—U.S.

OMB Extends HITECH Review (June 25, 2012)

The Office of Management and Budget (OMB) has announced it is extending its review of the final Health Information Technology for Economic and Clinical Health (HITECH) Act changes, which will cover various aspects of HIPAA compliance, Hall Render Blog reports. An extension is possible under two circumstances, the report states: by permission of the director of OMB, on a one-time basis for 30 days, or at the request of the rulemaking agency for an indefinite period of time. “It is not clear from the OMB’s announcement which of these circumstances occurred, and thus we cannot predict with any certainty how long the extension will last,” the report states.

PRIVACY LAW—PHILIPPINES

BPAP Expects Data Privacy Act Finalization Soon (June 25, 2012)

Business Processing Association of the Philippines (BPAP) President and CEO Benedict Hernandez expects President Benigno S. Aquino to sign the Data Privacy Act into law soon, the Manila Bulletin reports. Based on European and Asia Pacific Economic Cooperation standards, the proposed legislation will protect the integrity and confidentiality of personal data, the report states, and will mandate the creation of a National Privacy Commission. Hernandez said, “It brings the Philippines to international standards of privacy protection, so it will increase international investors’ confidence when they outsource their business processes here.”

BEHAVIORAL TARGETING—U.S.

Ad Personalization Spurs Growth and “Creepiness” (June 25, 2012)

As more e-tailers use online ad customization, companies are realizing the need for a balance between personalization and restraint, The New York Times reports. Half of the largest online retailers now use ad personalization--up from 33 percent during the previous year--and are turning to specialty software companies to help analyze consumer data. When companies engage in “hyper-customization” they risk alienating their customers, according to one expert. “In conversation, if you think it’s odd that you know something about someone that they didn’t share with you, don’t use it,” he said. “What we’re trying to shoot for is friendly, cordial and helpful as opposed to crossing the line and being creepy.” (Registration may be required to access this story.)

PRIVACY LAW—CANADA

Case Illustrates Privacy Questions (June 25, 2012)

The Canadian Press reports on privacy concerns raised in a case where a questionable post appeared on the Facebook page “of a man whose name matches that of the primary suspect” two weeks before his coworkers were shot. “In the days following his arrest…the long-simmering debate over online privacy reached its boiling point,” the report states, referencing questions over employee privacy and content “locked down under privacy settings” on social media sites. While one legal expert suggests employers who see such posts “have a positive obligation to act…regardless of the privacy settings," privacy advocates are concerned that such an interpretation could “lead Canadians down a slippery slope,” the report states.

ONLINE PRIVACY

Browser To Patch Tab Security Issue (June 25, 2012)

InformationWeek reports on a tab-restoration feature in Firefox version 13. The updated browser presents the user’s most-visited pages when opening a new tab, but according to one user, the feature was also “taking snapshots of the user’s HTTPS session content.” In one case, after opening a new tab, a user was “greeted by my earlier online banking and webmail sessions complete with account numbers, balances, subject lines, etc.” Mozilla has said it is working on a solution, adding, “We are aware of the concern and have a fix that will be released in a future version of Firefox.”

ONLINE PRIVACY—U.S.

California AG Pushing Policies for All Apps (June 22, 2012)
California Attorney General Kamala Harris is on a mission to extend privacy protections common on the Web to smart devices, reports the Los Angeles Times. In her efforts she has brokered deals with seven of the big tech firms, the latest of which is Facebook. In the agreement, any application in Facebook's new App Center will be required to have a privacy policy letting consumers know what information it collects and what it does with that information. Harris says, "App users should know what personal information is collected, how it is used and with whom it is shared. If they know all of that, then they will have the tools and the ability to protect themselves."

FINANCIAL PRIVACY

Nations Working Toward FATCA Implementation (June 22, 2012)

The U.S. has offered up a new model to Switzerland and Japan for implementing the Foreign Account Tax Compliance Act (FATCA)--a law that requires foreign financial institutions to disclose accounts to the U.S. Internal Revenue Service (IRS) or face fines, reports Bloomberg. In a joint statement, Switzerland and the U.S. have said they will work "to ensure the effective, efficient and proper implementation" of FATCA, reports The New York Times. The new model is in response to complaints from both the financial industry and privacy regulators who have said privacy laws may make implementing FATCA illegal. In February, France, Germany, Italy, Spain and the UK signed similar agreements.

SOCIAL NETWORKING—U.S.

Facebook Alters Ad Plans (June 22, 2012)

The New York Times reports that in connection with the recent settlement of a class-action suit against Facebook, the social network "has agreed to make it clear to users that when they click to 'like' a product on Facebook, their names and photos can be used to plug the product" and will give users the chance to decline having their "likes" used in the site's Sponsored Stories. CNBC, meanwhile, reports on privacy concerns about Facebook Exchange, now in its testing phase, which would allow "advertisers to buy Facebook ads that target its users off-Facebook browsing activity." (Registration may be required to access this story.)

ONLINE PRIVACY—UK

Google Responds to ICO Investigation (June 22, 2012)

Google has responded to the decision by the Information Commissioner's Office (ICO) to reopen its investigation into Street View's data collection practices, Out-Law.com reports, citing a letter from the ICO's Steve Eckersley raising "questions over the manipulation of information Google had provided for initial inspection by the ICO and the actual 'raw data' that had been collected." In response, Google Global Privacy Counsel Peter Fleischer wrote that the company had only used software to convert the raw data into "human-readable" form, noting that prior to the ICO's inspection, Google had "not viewed or analyzed the payload data on the hard drive used, and nor has it since."

HEALTHCARE PRIVACY—U.S.

Doctor Fined $20K (June 22, 2012)

A Connecticut physician has been fined $20,000 for inappropriately accessing and downloading patient information held by his employer and contacting the patients to offer services. Dr. Gerald Micalizzi must also pursue ethics training and HIPAA compliance training as part of an agreement with the state's Medical Examining Board, the Valley Independent Sentinel reports. Micalizzi was fired from Advanced Mobile Imaging Radiology in 2010.
Full Story

PRIVACY LAW—EU

EU Lawmakers Vote Down ACTA (June 21, 2012)

The European Parliament's (EP) trade committee has voted down the international anti-piracy agreement ACTA, echoing the responses of the civil liberties, legal and industry committees--which all voted against it in May. Reuters reports that some legislators are calling this a signal that, for the first time since the 2008 increase in its powers, the EP will reject an international agreement. "This vote is the penultimate nail in ACTA's coffin," said one German politician in the legislature. ACTA goes up for a final parliamentary vote on 4 July.
Full Story

RFID—KOREA

RFID-Enabled Cards Cause Privacy Debate (June 21, 2012)

Korea’s National Emergency Management Agency has partnered with Korea Exchange Bank’s credit card unit to issue RFID-enabled cards designed to assist emergency services personnel in obtaining information about patients they treat, The Korea Times reports. The move has generated a heated debate about privacy, according to the report. The cards will contain biological information such as blood type, health conditions and other identity data, and emergency workers will use RFID devices to read the cards’ chips. “All information contained in the chip will be encoded, so only emergency service workers who have the RFID devices will be able to check the data,” an official said.
Full Story

PRIVACY LAW—EU & U.S.

Reding, Holder Discuss Data Privacy Protection Agreement (June 21, 2012)
At the EU-U.S. Justice and Home Affairs Ministerial Meeting, European Commission Vice-President Viviane Reding and U.S. Attorney General Eric Holder released a joint statement highlighting their "determination to finalize negotiations on a comprehensive EU-U.S. data privacy and protection agreement that provides a high level of privacy protection for all individuals and thereby facilitates the exchange of data needed to fight crime and terrorism" and the progress made to date. Citing key principles including data security, transparency of data processing and data protection oversight, they added they will review progress at the 2013 ministerial meeting and "consider next steps to ensure the continued rapid advancement of the negotiations."

PRIVACY—EU

EDPS Releases Annual Report (June 21, 2012)

European Data Protection Supervisor (EDPS) Peter Hustinx and Assistant Supervisor Giovanni Buttarelli presented their annual report for 2011 to the European Parliament's Committee on Civil Liberties, Justice and Home Affairs on Wednesday, detailing actions in the past year and "efforts to push the effective protection of personal data." In advance of the report's release, Hustinx spoke on the need for "more effective and consistent data protection across the EU." The EDPS has signaled its main priorities for 2012 to include raising awareness, defining procedures, visits and inspections, technological developments and determining "the state of play for DPOs in EU institutions and bodies in order to provide support for the DPO function in line with the accountability principle."
Full Story  

BEHAVIORAL TARGETING—U.S.

Regulator, Privacy Co. Speak Out Against Default DNT (June 21, 2012)

In a letter to the World Wide Web Consortium (W3C), Federal Trade Commissioner J. Thomas Rosch said he opposes Microsoft's plan to set do-not-track (DNT) as the default in its latest version of Internet Explorer, reports MediaPost. In the letter, Rosch pointed to his divergence from the views of Reps. Ed Markey (D-MA) and Joe Barton (R-TX), who recently endorsed Microsoft's plan. "Microsoft's default DNT setting means that Microsoft, not consumers, will be exercising choice as to what signal the browser will send," Rosch wrote. Meanwhile, online privacy seal company TRUSTe has also come out against the plan. CEO Chris Babel says consumers "should make their own decisions" about their privacy online but notes most consumers are not "adequately informed or equipped" to do so.
Full Story  

PRIVACY LAW—U.S.

Utah’s Reid Wants Better Privacy Notices (June 21, 2012)

A Utah state senator this week promised to sponsor legislation that would require health providers to inform patients of their intent to share data with government entities for payment-seeking purposes, The Salt Lake Tribune reports. The promise follows a breach that affected 780,000 patients and resulted in the firing of Utah's technology services director, the suspension of two state employees and a request for one manager to resign. "If I sign a form allowing my doctor to 'ping' Medicaid, that's one thing," said Sen. Stuart Reid (R-South Ogden). "But for him to do it without informed consent, that's another thing."
Full Story  

PRIVACY LAW—U.S.

AB 1275 Rejected in Committee (June 21, 2012)

The California Senate's Public Safety Committee has rejected a bill to prevent recordings of 911 calls from being made public in order to protect patient privacy, The Sacramento Bee reports. Bill AB 1275 had cleared the Assembly, but the Senate committee rejected it on Tuesday.
Full Story 

ONLINE PRIVACY

Apple Obtains Online “Cloning” Patent (June 21, 2012)

Apple has been awarded a patent for a method of generating fake online identities, or "clone" identities, to thwart the online profiling of Internet users, reports InformationWeek. Apple received U.S. Department of Justice approval for the patent on Tuesday. Known as "Techniques to pollute electronic profiling," the patent describes how the clone identity "appears to be the principal to others that interact (with) or monitor the clone over the network," performing activities that would not reflect the interests of the real user. The patent calls automated online monitoring programs "little brothers" and says, "Even the most cautious Internet users are still being profiled over the Internet via dataveillance techniques from automated (little) brothers." Apple has not confirmed the acquisition.
Full Story  

PRIVACY LAW—EU & HUNGARY

Court Registers Infringement Procedures (June 20, 2012)
European Commission infringement procedures against Hungary were registered by the EU court on Monday, Politics.hu reports. One of the proceedings concerns the independence of Hungary's data protection authority. In April, the commission said that while Hungary had made progress, the premature ending of the previous data protection commissioner's term as part of the creation of a National Agency for Data Protection Hungary conflicted with EU laws, the report states. "The personal independence of a national data protection supervisor, which includes protection against removal from office during the term of office, is a key requirement of EU law," the commission said.

PRIVACY LAW—EU

Working Party Adopts Document on BCRs (June 20, 2012)

The Article 29 Working Party has adopted a working document on Binding Corporate Rules (BCRs) for Processors. The document includes a full checklist of requirements for processors and is designed both for companies and data protection authorities. The adoption is based on BCRs' success and the proposal to include BCRs for controllers and processors in the European Union's legal framework. The document's processor checklist includes the definition of what must be found in BCRs and what must be presented to data protection authorities during the application process. Next, the working party will develop a European coordination procedure on BCRs for processors.
Full Story  

PRIVACY LAW—UK

ICO Levies £225,000 Fine on Belfast Trust (June 20, 2012)

The Information Commissioner's Office (ICO) has fined the Belfast Health Trust £225,000 for failing to secure the sensitive information of Belvoir Park Cancer Hospital patients, UTV News reports. The files of 20,000 patients were discovered abandoned at the hospital, which closed in 2006. "The Trust failed to take appropriate action to keep the information secure, leaving sensitive information at a hospital site that was clearly no longer fit for purpose," said ICO Assistant Commissioner for Northern Ireland Ken MacDonald. "The severity of this penalty reflects the fact that this case involved the confidential and sensitive personal data of thousands of patients and staff being compromised."
Full Story 

PRIVACY LAW—U.S.

Post-Breach Lawsuit Filed (June 20, 2012)

A lawsuit has been filed against LinkedIn, claiming the company's failure to protect users' personal data led to the online posting of millions of members' passwords recently. The suit, which seeks class-action status, was filed Monday by an Illinois resident, PCWorld reports. It claims the company failed to use "long-standing industry standard encryption protocols" and that it engaged in deceptive practices. LinkedIn says the suit is "without merit," according to the report.
Full Story 

TRAVELERS’ PRIVACY—CANADA

Toews Halts Audio Surveillance Plan (June 20, 2012)

Ottawa Citizen reports Public Safety Minister Vic Toews has directed the Canada Border Services Agency (CBSA) to halt plans for airport audio recording "until a privacy impact assessment can be submitted and recommendations from the privacy commissioner can be reviewed by the government," said a public safety spokesperson. The order comes just one day after Toews voiced support for the plan in the Commons and after vociferous opposition from both the federal and Ontario privacy commissioners. Toews has received privacy-related opposition to his "lawful access" bill in the past, and one editorial questions the CBSA's "respect for the basic rights of citizens."
Full Story 

TRAVELERS’ PRIVACY

Senator Introduces Bill of Rights (June 20, 2012)

A U.S. lawmaker has introduced a so-called air passengers' bill of rights, reports the Los Angeles Times. Sen. Rand Paul (R-KY) said passengers must be protected "from being subjected to humiliating and intrusive searches by TSA agents, especially when there is no obvious cause." Paul's bill would allow passengers who fail a body scan to walk through the machine again rather than face an automatic pat-down and would eliminate pat-downs for those over age 75 and those 12 and under unless the passenger is carrying a prohibited item or deemed "suspicious." Passengers could also request a pat-down be administered using the back of the hand rather than the palm.
Full Story 

PRIVACY LAW—U.S.

Lawmakers, Witnesses Discuss Self-Regulation Vs. Legislation (June 20, 2012)

At yesterday's House subcommittee hearing on privacy in online and mobile spaces, witnesses disagreed on whether Congress should enact legislation that creates baseline rules for websites and mobile app developers, PCWorld reports. At the Subcommittee on Intellectual Property, Competition and the Internet hearing, TRUSTe CEO Chris Babel said efforts by online companies to self-regulate on privacy have worked effectively. But some lawmakers disagreed, with Rep. Thomas Marino (R-PA) saying, "I have a little problem with the fox setting rules for the hen house." Rep. Bob Goodlatte (R-VA) said as new rules are considered, it's important to "encourage, and not stifle, innovation."
Full Story 

PRIVACY LAW—EU & U.S.

Europe’s Regulations Offer a Glimpse at Similar Effects in U.S. (June 20, 2012)

While the U.S. debates enacting tougher privacy rules, "Europe offers a laboratory for studying their economic impact," reports MIT's Technology Review. Advertisers point to the effect European privacy rules have had on the region's €20.9 billion online advertising sector. And MIT's Catherine Tucker found in her 2010 study that within European countries that implemented the EU's 2002 e-Privacy Directive, online ads' efficacy dropped 65 percent. Additional research indicates European regulations have scared off investors--by 73 percent, estimates one expert. Others, however, have found the rules a boon to business.
Full Story  

TRAVELERS’ PRIVACY—CANADA

Audio Plans Concern Privacy Commissioners (June 19, 2012)
A government initiative to allow Canadian officials to record conversations in airports and at border crossings is causing concern, CTV.ca reports. Public Safety Minister Vic Toews told Parliament this week that plans for the Canada Border Services Agency (CBSA) to install microphones and cameras in strategic areas are necessary to detect illegal smuggling. He said CBSA will protect Canadians' privacy rights. The federal Office of the Privacy Commissioner said CBSA installed the equipment without completing a privacy impact assessment--which is required of government departments. "We're surprised and we're concerned by seeing that the process has not been followed," said Assistant Privacy Commissioner Chantal Bernier. Ontario's privacy commissioner said she is appalled.

DATA LOSS—U.S.

Hospital Unknowingly Exposes Patient Data (June 19, 2012)

Memorial Sloan-Kettering Cancer Center has announced that patients' names, dates of birth, medical record numbers, medical information and, in some cases, Social Security numbers were exposed on pages of two medical professional organizations' websites for more than six years, reports the Long Island Press. "The hidden data would not have been visible to individuals viewing the presentation in a routine way. However, a person who accessed the presentation could manipulate the graphs to reveal the private information," a hospital statement said. How many patients were affected, who accessed the unencrypted files or if any copies of them exist is still unknown, states the report. The hospital is notifying affected individuals.
Full Story

ONLINE PRIVACY—U.S.

Schumer Wants Aerial Photos Blurred (June 19, 2012)

A U.S. lawmaker is asking Google to make changes to some of its map images, The Wall Street Journal reports. Sen. Charles Schumer (D-NY) wants the company to blur images of people captured by aerial cameras. Schumer also wants the company to give individuals the chance to opt out of being pictured. The company says the images' resolution makes this unnecessary because individuals cannot be identified. (Registration may be required to access this article.)
Full Story 

SOCIAL NETWORKING

Facial Recognition Acquisition Spurs Privacy Concerns (June 19, 2012)

Facebook has announced the acquisition of its long-time vendor Face.com, the company that provides the technology for its photo tagging suggestion feature, reports Daily Mail. A Facebook spokesman said, "Face.com's technology has helped to provide the best photo experience. This transaction simply brings a world-class team and a long-time technology vendor in house." But the company's use of facial-recognition technology "has spurred concerns about user privacy," the report states. The deal means Facebook will acquire the technology and the 11 employees of the Israeli company.
Full Story 

SURVEILLANCE—U.S.

Drones Raise Privacy Concerns (June 19, 2012)

As the aerial drone market grows, so grow privacy concerns. The Washington Post reports that Congress, advocacy groups and "ordinary people" are taking note and voicing concern. "It's raising an alarm with the American public," said U.S. Rep. Jeff Landry of Louisiana. Chris Calabrese of the American Civil Liberties Union said people "worry about being under surveillance from the skies." Meanwhile, PoliceOne.com reports that Kentucky Sen. Rand Paul has introduced the Preserving Freedom from Unwarranted Surveillance Act to require police to obtain a warrant before using aerial drones.
Full Story 

DATA LOSS—U.S.

Hacker’s Data Dump Appears To Be Old (June 19, 2012)

A hacker who posted a batch of names, addresses, e-mails and phone numbers of credit card customers from around the world may have posted old data, PCWorld reports. Despite the hacker's Twitter post that he had "penetrated over 79 large banks" and holds 50 gigabytes of data on MasterCard and Visa cardholders, a payment card industry source says the data may have been copied from another site. "We see people try to dump stuff all the time and claim that it is real," the source said. One of the individuals whose data was posted says the home address listed for him is seven years out of date.
Full Story

PRIVACY LAW—U.S.

Facebook Settles Suit for $10 Million (June 18, 2012)
Facebook has agreed to pay $10 million to charity to settle a lawsuit that alleged the company violated user privacy with its "Sponsored Stories" feature and its lack of an opt-out provision. The suit was filed by five Facebook members and was settled last month with U.S. District Court Judge Lucy Koh agreeing the plaintiffs had proven economic injury could occur through Facebook's use of their names, photos and "likenesses" within the feature, Reuters reports.

PRIVACY LAW—U.S.

Breach Victim To File Complaints with Federal Agencies (June 18, 2012)

A University of Utah health law professor is filing complaints with two federal agencies following the recent Utah Department of Health breach. Prof. Leslie Francis learned her name and Social Security number were exposed in the breach and decided to investigate. As a result, Francis will file complaints with the Federal Trade Commission and the Health and Human Services Office for Civil Rights alleging hospital owner IASIS Healthcare does not contain "sufficient detail" about its handling of patient data, The Salt Lake Tribune reports. Meanwhile, the Utah Hospital Association is writing a "clearer, bolder" uniform privacy notice for the state's hospitals and clinics, a spokesman said.
Full Story

BIG DATA—U.S.

Data Brokering In Focus (June 18, 2012)

The New York Times reports on the amount of data collected for marketing purposes at one Arkansas company. Acxiom Corporation helps companies perform database marketing by collecting details such as age, race, sex, weight, height and buying habits on about 500 million active consumers worldwide. FTC Commissioner Julie Brill says data brokers should tell the public about their data collection, sharing and uses. Acxiom's Chief Privacy Officer Jennifer Barrett Glasgow, CIPP/US, is quoted as saying she supports increased industry openness and that it's "not an unreasonable request to have more transparency among data brokers." (Registration may be required to access this story.) 
Full Story 

DATA LOSS—U.S.

NM Agency Warns 100,000 After Computer Theft (June 18, 2012)

New Mexico's Public Employees Retirement Association (PERA) is notifying 100,000 individuals that their personal information may have been exposed, The New Mexican reports. A computer possibly containing names, addresses and financial and other data was stolen from the agency's offices. The computer was password protected, the report states, but according to PERA Executive Director Wayne Propst, "We don't fool around when it comes to members' personal information. We are taking an abundance of caution." 
Full Story 

PRIVACY LAW—U.S.

Internet Law Practice Becomes Mainstream (June 18, 2012)

The Washington Post reports on the growth in the number of law firms specializing in Internet law. When Venable's Stuart Ingis graduated from law school in 1997, there were few U.S. lawyers practicing in the field. Today, "every firm in the country has or wants to have a privacy practice...What had been a boutique practice with a narrow focus has become one that is very mainstream," Ingis said. Covington & Burling now has 50 lawyers worldwide focused on privacy law in "response to the increasing attention regulators, plaintiffs lawyers, Congress and everyone else is giving privacy these days," said a chairman from the firm. (Registration may be required to access this story.)
Full Story 

PRIVACY LAW—JAPAN

Man Sues Over Auto-Complete Function (June 18, 2012)

A suit filed in Tokyo District Court on Friday claims the auto-complete function of Google's search engine violates the plaintiff's privacy, The Daily Yomiuri reports. The plaintiff claims that typing his name into the search box brings up unsavory results. He is seeking damages and changes so the function no longer brings up such results.
Full Story 

SOCIAL NETWORKING

Experts: Privacy Is the Hitch with Age Verification (June 18, 2012)

The New York Times outlines the difficulties of identifying the ages of Internet users, noting "everyone--not only sex offenders--has an incentive to lie." Recent cases of adults masquerading as children on a social network aimed at 13- to 17-year-olds have the site looking for a better way to vet users, but those who've studied age verification technologies are not optimistic. In 2008, a task force was convened to examine ways to verify age, but danah boyd, co-director of the task force and Microsoft researcher, says the technologies "would not address any of the major safety issues we identified." Others note that the available options--such as a national identity database--are considered by many to be privacy violations. (Registration may be required to access this story.)
Full Story 

MOBILE PRIVACY—U.S.

NTIA Multistakeholder Meeting To Focus on Mobile Apps (June 15, 2012)
The National Telecommunications & Information Administration (NTIA) has announced it will hold the first meeting in its privacy multistakeholder process on developing "a code of conduct to provide transparency in how companies providing applications and interactive services for mobile devices handle personal data." The topic for the first process was selected after receiving extensive input from stakeholders in varied sectors during its public comment period in March, the NTIA notes, adding, "Mobile applications are socially and economically important, but mobile devices pose distinct consumer privacy challenges, such as disclosing relevant information on a small display." The July 12 meeting is open to all interested stakeholders and will also be webcast.

PRIVACY LAW—U.S.

FCC Issues Revised Rules on Telemarketing Calls (June 15, 2012)

The Federal Communications Commission (FCC) has finalized its rules that require telemarketers to obtain prior written consent for all autodialed or pre-recorded telemarketing calls to wireless phones and prerecorded telemarketing calls to residential lines, reports Hunton & Williams' Privacy and Information Security Law Blog. The rules implement the FCC's February 2012 Report and Order, which the commission called "yet another victory for consumers...By requiring prior written consent, consumers will be making an affirmative and definitive choice whether or not to receive telemarketing robocalls," the report states. The rules become effective July 11.
Full Story 

PRIVACY LAW—KOREA

KCC To Begin Cracking Down on Data Collection (June 15, 2012)

Beginning next month, Korean website operators will be prohibited from requiring that consumers divulge their resident identification numbers in order to use their sites, The Korea Herald reports. "We will strictly restrict this practice of gathering and using personal identification numbers online as a means to protect individual information," said an official from the Korea Communications Commission. The aim is to reduce instances of identity theft and boost data protection. In addition, sites will be required to delete existing ID numbers within two years.
Full Story 

DATA LOSS—U.S.

Student Info Posted to Web (June 15, 2012)

The personal information of 2,700 Pennsylvania school students was posted to the Internet, the Associated Press reports. Fleetwood school and law enforcement officials are examining how a spreadsheet containing names, birthdates, addresses and parents' names was published on Wikispaces. The information has since been removed.
Full Story 

MOBILE PRIVACY

Apple iOS6 To Offer More Granular Privacy Controls (June 15, 2012)

Apple will offer users a way to manage which applications can access their contact information, CNET News reports. The increased security will be featured in the company's iOS6 product and follows regulator and lawmaker inquiries into the company's data collection practices via its products' apps. The feature would require users to interact more to use certain parts of an app but adds the ability to control what types of information are shared, the report states.
Full Story 

DATA LOSS

ICANN Apologizes for Data Exposure (June 15, 2012)

The Internet Corporation for Assigned Names and Numbers (ICANN) has apologized for publishing the postal addresses of applicants for generic top-level domains (gTLDs), Out-Law.com reports. According to an ICANN statement, "postal addresses of some primary and secondary contacts for gTLD applications were published as part of the application details. The information in these fields was not intended for publication." ICANN said it "temporarily disabled viewing of the application details. We removed the unintended information and restored this functionality. We apologize for this oversight."
Full Story 

ONLINE PRIVACY—UK & U.S.

Study: Consumers Not Willing To Compromise on Privacy (June 15, 2012)

Edelman has released its sixth "Value & Engagement in the Era of Social Entertainment and Second Screens Survey" exploring consumer attitudes, behaviors and habits in the U.S. and UK. This year's study shows that Internet entertainment is growing but that many consumers are unlikely to use automatic notifications that share their viewing or reading habits on social media sites, reports The Wall Street Journal. "Over the past six years, privacy has always been the one factor that audiences are not willing to sacrifice," said Jon Hargreaves of Edelman Europe, noting that U.S. respondents were twice as likely to use these features as their British counterparts. "Social networks offer great opportunities to brands, but audiences want to remain in control and do not want to automatically share what they are viewing," said Gail Becker, also of Edelman. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Judge Allows Apple Suit To Move Forward (June 14, 2012)

A federal judge has rejected Apple's motion to dismiss a class-action lawsuit filed against it by iPhone and iPad users, MediaPost reports. Despite her dismissal of the suit without prejudice last year citing plaintiffs' failure to prove economic harm, U.S. District Court Judge Lucy Koh ruled in her written opinion this week that the amended harm claims are sufficient to pursue under California consumer protection laws. The suit claims Apple violated users' privacy when it transmitted their devices' unique identifiers to third parties. The Recorder reports Koh has dismissed claims against other defendants in the case, including Google, AdMarvel, Admob, Flurry and Medialets.
Full Story 

DATA LOSS—U.S.

Hackers Target School, Post Data Online (June 14, 2012)

A Tennessee school system is working with investigators to determine when and how a hacker group infiltrated its systems, exposing the names and Social Security numbers of potentially 110,000 current and former employees and students of the schools. COMPUTERWORLD reports that the group, which calls itself Spex Security, posted 14,500 records online and has threatened to post more, saying it gave "Tennessee a chance to comply and they didn't, therefore, this is the consequence they'll have to swallow." The school has shut down the website and is working to notify all affected individuals.
Full Story

PRIVACY LAW—U.S.

FTC Fines Auto Dealer on GLB Violations (June 14, 2012)

The Federal Trade Commission has cited a Georgia car dealership for violations of the Gramm-Leach-Bliley Act and Section 5 of the FTC Act, Automotive News reports. The agency said Franklin's Budget Car Sales, Inc., of Georgia, "compromised consumers' personal information by allowing peer-to-peer software to be installed on its network, which resulted in sensitive financial information being uploaded to a P2P network," affecting 95,000 consumers. A proposed settlement agreement would prohibit Franklin from misrepresenting itself on privacy and from violating the GLB Safeguards and Privacy Rule. Franklin must also establish and maintain an information security program and undergo audits for the next two decades, according to an FTC press release.
Full Story

IDENTITY THEFT—U.S.

Woman Charged with Stealing Records of 800 (June 14, 2012)

An employee of a Troy, AL, hospital allegedly stole the identities of 800 people for the purpose of tax fraud and has been charged with 22 felony counts including conspiracy to defraud the federal government, reports the Dothan Eagle. Assistant U.S. Attorney Clark Morris said the woman and her conspirators "were using the IDs to file fraudulent tax returns and would fill out the tax return so that they would get a refund." The woman reportedly used her position at the hospital to access names, Social Security numbers and birthdates of patients, which she then sold to another person who used the information to file the tax returns.
Full Story

PRIVACY LAW—NETHERLANDS

Dutch CBP Fines Rail Company €125,000 (June 14, 2012)
The Dutch data protection authority (CBP) has fined rail company NS €125,000 for retaining passenger information, DutchNews.nl reports. The CBP found that, despite its warnings, the company retained student smart card data beyond a two-year period.

PRIVACY LAW—UK

Commissioner: Consumers Complaining About Cookie Noncompliance (June 14, 2012)

The UK Information Commissioner's Office says it has received 169 complaints thus far about websites failing to comply with the cookie law that came into force May 26, V3.co.uk reports. Information Commissioner Christopher Graham said the complaints should serve as a warning to organizations that failure to comply with the law can lead to reputational damage. "It's fair to say that some have a little too much rhetoric, but there are many where customers are pointing out that well-respected brands are not doing anything about the cookie law and can't understand why not," Graham said.
Full Story

DATA PROTECTION

Data Mining For Credit Scores and More Not A Rarity (June 14, 2012)

TIME reports on a change of plans by Germany's largest credit reporting agency to use social networking to determine if a person is credit-worthy. Schufa had established a research group to determine how to link social networking information to other details about a person's credit rating, but a public outcry following media coverage of the plans prompted the university slated to do the research to back out of the plans. Privacy advocates say similar plans are likely in the not-too-distant future, given the amount of data collected by companies and the widespread interest in trying to use that information to generate revenue.
Full Story

PRIVACY LAW—U.S.

Lawmakers Call for Digital Bill of Rights (June 13, 2012)
Two U.S. lawmakers have called for a digital bill of rights to protect Internet users, The Hill reports. Sen. Ron Wyden (D-OR) and Rep. Darrell Issa (R-CA) say bills like the Stop Online Piracy Act (SOPA) and Protect Intellectual Property Act (PIPA) indicate the need for a provision to protect Internet freedom from regulations. Wyden said the digital bill of rights, which declares users' rights to equality, privacy, sharing and property on the Internet, is part of his vision of "changing power in Washington, DC," and would give the average Internet user more power. A draft of the bill has been posted on Issa's website for public feedback.

DATA LOSS—U.S.

Breached Payments Processor: Damage Greater Than Estimated (June 13, 2012)

A Georgia-based payments processor that suffered a data breach earlier this year says the breach's effects may be broader than originally estimated, The Wall Street Journal reports. Global Payments, Inc., says it now believes thieves may have gained access to personal information from its merchant customers, the report states, and still believes data from 1.5 million accounts was stolen in the breach. "It is unclear whether the intruders looked at or took any personal information from the company's systems," the company said in a statement, adding that it has "made substantial progress" in its investigation and in its remediation efforts. It will provide additional information on the breach by July 26. (Registration may be required to access this story.)

PRIVACY LAW—UK

ICO Reopens Street View Investigation (June 13, 2012)

Steve Eckersley, enforcement chief of the Information Commissioner's Office (ICO), sent a letter to Google executive Alan Eustace saying the ICO is reopening its investigation into the collection of personal data by Google's Street View service, reports The Washington Post. An April U.S. Federal Communications Commission report found that Google deliberately collected the data. According to Eckersley's letter, the ICO was told the collection was a "simple mistake," adding, "If the data was collected deliberately, then it is clear that this is a different situation than was reported to us in April 2010." Google responded in a statement saying, "We're happy to answer the ICO's questions." On Tuesday, Google released documents relating to the U.S. federal investigation into its activities, including affidavits from nine people denying any knowledge of the data collection. (Registration may be required to access this story.)

PRIVACY LAW—U.S.

Judge Says Real Estate Case Will Affect Hulu Ruling (June 13, 2012)

A real estate case pending in the Supreme Court could affect the ruling in the case against video provider Hulu, MediaPost reports. Both cases hinge on whether a judge will allow plaintiffs to sue in federal court if they haven't suffered economic injury. The Supreme Court case involves a plaintiff's claim that she was affected by an illegal kickback deal when she purchased title insurance for her home. U.S. Magistrate Judge Laurel Beeler said this week that the court's decision "will likely alter the standing analysis" in the case against Hulu, which alleges the company disclosed consumer data without consent. Beeler asked both sides to submit papers on whether consumers can sue in federal court without proof of harm.

HEALTHCARE PRIVACY—U.S.

Breaches Indicate Organizations’ Weaknesses (June 13, 2012)

Two recent breaches at the Utah Department of Health and Howard University Hospital in Washington, DC, indicate the weaknesses at some healthcare organizations, reports Chiropractic Economics. The breaches are a "wakeup call that simply complying with regulations that are not part of an overall security program can put the organization at serious risk," said Neil Roiter, research director at Corero Network Security. "The reported explanation on the part of the Utah officials that the stolen data wasn't encrypted--a basic security fundamental--because federal regulations don't require it, attests to this point," he said. Axis Technology's Joe Santangelo suggests organizations encrypt data, implement data leak detection and monitor network traffic, among other safeguards.

BEHAVIORAL TARGETING

Online Ads To Match Your Emotions (June 13, 2012)

Microsoft has filed patents for tracking systems "to match online advertisements to moods," the Toronto Star reports. The systems would track emotions "including facial expressions captured in video conversations and Facebook status updates," the report states, and could result in, for example, "weight-loss ads matched with unhappy people--who are more likely to want to change their lifestyle--and electronic ads with happy people--who are more likely to spend." Privacy advocates are questioning such mood-tracking technology. "Definitely when you're talking about people's emotional states, you're getting closer to sensitive data that relates to their identity," said Tamir Israel of the Canadian Internet Policy & Public Interest Clinic.

PRIVACY LAW—U.S.

Spokeo Settles with FTC for $800,000 (June 12, 2012)
Data broker Spokeo has agreed to pay an $800,000 fine to settle Federal Trade Commission (FTC) charges that it marketed detailed profiles on millions of consumers to companies in the human resources, background screening and recruiting industries without taking steps required to protect consumers under the Fair Credit Reporting Act (FCRA). The settlement also bars Spokeo from future FCRA violations and from misrepresenting its endorsements or connections with endorsers. The consumer information Spokeo allegedly marketed to recruiters included names, addresses, age ranges and e-mail addresses. The settlement is the first FTC case addressing the sale of consumers' online data for employment screening purposes.

PRIVACY LAW—EU

Article 29 Working Party Adopts Cookie Opinion (June 12, 2012)

The Article 29 Working Party has adopted an opinion on cookie consent exemption. The opinion explains how Article 5.3 in the revised e-Privacy Directive changes informed consent requirements for cookie use. It also describes which cookies are exempted from the changes, including those used "for the sole purpose of carrying out the transmission of a communication" or those "strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to use the service." Meanwhile, European Union member states' privacy agencies are expected to release recommendations on how to apply cookie rules as early as this week.

DATA LOSS—U.S.

University Server Breached Again (June 12, 2012)

SC Magazine reports that hackers have gained access to a University of North Florida (UNF) server containing confidential student information. The breach, which affects more than 23,000 students, marks the second time in two years that hackers have accessed a UNF database. The current breach includes names and Social Security numbers on housing contracts, the report states, while the 2010 hack involved a server containing "personal information of nearly 107,000 UNF students and others who have expressed interest in the college." UNF is offering one year of free credit monitoring to those affected by the most recent breach.

PERSONAL PRIVACY—EU & UK

EDPS Calls for Limits on Smart Meter Data Use (June 12, 2012)

The European Data Protection Supervisor (EDPS) is calling for limits on the retention and use of customer data from smart meters, The Register reports. EDPS Peter Hustinx says while there are advantages to smart metering, the technology "will also enable massive collection of personal data, which can track what members of a household do within the privacy of their own homes." The UK Department of Energy and Climate Change says personal data won't be shared with third parties and security will be implemented to prevent its theft. The UK government has said it plans to require smart meter suppliers to ensure data security as a part of licensing agreements.

HEALTHCARE PRIVACY—U.S.

Hospital Shares Patient Info with Fundraising Foundation (June 12, 2012)

Plans by the University of Iowa Hospitals to give patient names and specific treatment information to a fundraising organization are raising concerns among privacy advocates, The Des Moines Register reports. Officials say they have no ethical concerns with the campaign, the report states. The hospitals' sharing of patient data--including contact information, age, insurance status, occupation and scheduled visits for medical treatment--is legal under federal privacy laws, which allow hospitals to collect such data to target potential donors. The Association for Healthcare Philanthropy says it would like federal privacy laws relaxed in order to allow for "point-of-service information to do these kinds of solicitations."

ONLINE PRIVACY—U.S.

W3C Says Do Not Track Shouldn’t Be Default (June 12, 2012)

The World Wide Web Consortium (W3C) has said do-not-track controls should not be set by default, Out-Law.com reports. Instead, the controls should require user activation. Under W3C's proposals, users could opt out of being served personalized ad content. Only under certain circumstances, such as security concerns or fraud prevention, could first-party websites share user information with third parties. The W3C's proposal follows Microsoft's recent announcement that do-not-track would be the default setting in its newest version of Internet Explorer. In a recent MIT Technology Review article, Microsoft Chief Privacy Officer Brendon Lynch, CIPP/US, discusses the company's philosophy on user privacy.

CHILDREN’S PRIVACY—U.S.

Efforts To Update COPPA Continue (June 12, 2012)

A report from The Partnership for Public Service published in The Washington Post examines the work of Federal Trade Commission Senior Attorney Mamie Kresses to oversee efforts to update the Children's Online Privacy Protection Act (COPPA). "When we undertook the rule review, it was in recognition that online technologies have exploded with new devices like mobile phones and tablets since the law went into effect," Kresses notes, adding, the challenge with revising COPPA is to ensure it "continues to give parents knowledge and a say in what their children do online while at the same time encouraging innovation and interesting content for children." (Registration may be required to access this story.)

MOBILE PRIVACY

Report: Apple To Release New Tracking Tool (June 11, 2012)
In what The Wall Street Journal reports is "the company's latest attempt to balance developers' appetite for targeting data with consumers' unease over how it is used," Apple will reportedly release a new tracking tool for mobile app developers. While Apple declined to comment, individuals briefed about the plan have indicated the tool aims to better protect user privacy. "How Apple's new technology works and what it will allow developers to track remains unclear," the report states. "One of the people briefed said that the new anonymous identifier is likely to rely on a sequence of numbers that isn't tied to a specific device." (Registration may be required to access this story.)

ONLINE PRIVACY—EU

EU Regulators To Issue Cookie Recommendations (June 11, 2012)

The Wall Street Journal reports on recommendations from European Union member states' privacy agencies on how to apply European data privacy rules governing cookies. The guidelines are expected to be released as early as this week and differentiate between innocuous cookies and those that should require user consent to be deployed, including those that are used to track users' Web browsing for targeted advertising. "There's absolutely no ambiguity that you need consent for those kinds of cookies," said a spokesperson from French data protection authority the CNIL. But a spokeswoman from IAB France said, "Right now, they have one position and we have another." (Registration may be required to access this story.)

ONLINE PRIVACY—UK

WiFi Service Conditions Changed (June 11, 2012)

PC Pro reports on Virgin Media's changes to the terms and conditions for its Tube WiFi services after privacy concerns were raised that the service "could snoop on user communications." The user agreement had read, "with your permission, we may monitor e-mail and Internet communications, including without limitation, any content or material transmitted over the services," which sparked complaints from MP Robert Halfon and privacy advocate Big Brother Watch. "The company said it had never intended to snoop on e-mails or other communications and had only included the wording to cover itself legally for blocking illegal content," the report states.

FINANCIAL PRIVACY—U.S.

Payday Loan Data Auctioned Off (June 11, 2012)

As the businesses offering short-term, high-interest loans, known as payday loans, move online, applicants are offering personal data--including bank account numbers--to lead-generation companies that then auction the data off to potential lenders, reports Bloomberg. Richard Cordray, director of the Consumer Financial Protection Bureau, is concerned that the highest bidder may be "a fraudster that has enough of the consumer's sensitive financial information to make unauthorized withdrawals from their bank account." A spokesman from the parent company of MoneyMutual.com, a prominent lead-generation company, says the industry is regulating itself and government regulation is unnecessary, but the report states Sen. Jeff Merkley (D-OR) disagrees and is preparing a bill to outlaw online lead generation.

DATA LOSS

Opinion: Without Regulation, Companies Lax on Security (June 11, 2012)

As hacking incidents continue, the recent breach at LinkedIn illustrates that companies with customer data continue to gamble on their own computer security, writes Nicole Perlroth for The New York Times. "If they had consulted with anyone that knows anything about password security, this would not have happened," said one expert, adding the reason companies continue to take risks is because they are not regulated on computer security. In The Washington Post, John Sileo offers tips for small business owners affected by breaches, such as changing passwords on social media sites, avoiding external e-mails promising help and guiding employees on future risks. (Registration may be required to access this story.)

DATA PROTECTION—EU

Regulatory Tweak Hampering Fisheries Research (June 11, 2012)

Skating on Stilts reports that sometimes the European Union's blanket privacy laws have unintended consequences, and the latest victims are fish. A 2009 change to the law means some fisheries records are now considered personally identifiable information and that data can be held for no more than three years. "This is now a serious problem for us. We're asked to give the best possible advice, and if you do not have highly detailed data, you end up having a problem," said a marine biologist at a UK university in the journal Fish and Fisheries.

PRIVACY LAW—SWITZERLAND

Court Rules Street View Need Not Guarantee Total Anonymity (June 8, 2012)
A federal court has ruled that Google will not be required to ensure all images of faces and license plates are obscured, swissinfo.ch reports. However, people may ask the company to blur their images manually, the report states. The decision declares a lower court's earlier ruling--that the company blur the images because its commercial interests did not outweigh Swiss privacy law--went too far. The federal court ordered Google to treat requests for blurring "without red tape" and that it offer a free contact service online and postal address for such requests. The federal data protection and information commissioner says he is "extremely satisfied with the judgement."

FINANCIAL PRIVACY—U.S.

House Bill Would Reduce Bank Privacy Policy Mailings (June 8, 2012)

A bill has been introduced in the House of Representatives that aims to reduce the number of bank privacy policy mailings, Bankrate.com reports. Introduced by Rep. Blaine Luetkemeyer (R-MO), HR 5817 would eliminate a Gramm-Leach-Bliley Act provision requiring that financial institutions mail annual privacy policies when no policy practices have changed. Annual privacy policy disclosures would also be deemed unnecessary for state-licensed financial organizations that are subject to state privacy laws, the report states. Credit Union National Association CEO Bill Cheney said the bill "will reduce costs for credit unions and reduce confusion for credit union members."

ONLINE PRIVACY—EU

Google Adds Model Clauses to Apps Sales Contracts (June 8, 2012)

Google says it will now include model clauses in its apps sales contracts to assure EU customers that it will protect information stored in Google data centres, IDG News Service reports. A company spokesman said this step "will provide our customers with an even wider palette of EU regulatory compliance options," noting in a blog post that the contracts are "an additional means of meeting the adequacy and security requirements of the European Commission's Data Protection Directive."

PRIVACY LAW—EU & U.S.

EU Rules Reinforce Need for CIOs (June 8, 2012)

The Wall Street Journal reports on the growing importance of chief information officers (CIOs) within EU and U.S. companies because of EU-mandated laws for online tracking. The UK Information Commissioner's Office has sent letters to more than 70 companies during the last two weeks inquiring how they are reaching cookie compliance. An attorney at Duane Morris said the "CIO needs to be front-and-center" within companies on privacy compliance. CIOs are often the only figures who know of and have the authority over a company's blend of third-party vendors, customer-facing applications and online analytics tools, the report states. "The challenge for CIOs is they will have to ask very direct and tough questions of vendors," the attorney said. (Registration may be required to access this story.)

ONLINE PRIVACY

LinkedIn To Stop Calendar Data Collection (June 8, 2012)

CNET News reports that LinkedIn will stop collecting certain users' calendar entry data. After reports emerged about security researchers' findings that LinkedIn's mobile app transmitted iPhone and iPad calendar details to the company's servers, a company spokesperson said the company "use(s) information from the meeting data to match LinkedIn profile information about who you're meeting with so you have more information about that person." The company has since announced that it will discontinue this practice, the report states. 

PRIVACY LAW—U.S.

Class-Action Status Sought in Suit (June 8, 2012)

A potential class-action lawsuit has been filed against Emory Healthcare for an April patient data breach, ATLAW reports. The suit seeks $1,000 and unspecified "exemplary" damages for each class member and individual damages for the costs related to credit monitoring. It alleges invasion of privacy, negligence and breach of implied contract and asks that a judge certify a class of every Georgia resident affected, which is estimated to be between 200,000 and 250,000. The breach involved the loss of 10 computer disks containing personal and health information--including Social Security numbers--of thousands of patients.

PRIVACY LAW—U.S.

Suits Filed Against Cable Companies (June 8, 2012)

The Hollywood Reporter examines the launch of class-action lawsuits alleging violations of the Cable Communications Policy Act and the California Customer Records Act. The suits have been filed against Comcast and Time Warner Cable and allege "the companies collect Social Security numbers, credit card information and other information from customers and retain the data even after cable service is canceled," the report states. The complaint against Comcast also alleges "consumers are unaware that their personally identifiable information is retained indefinitely by Comcast, as Comcast fails to send annual privacy notices informing consumers that Comcast continues to retain their information."

HEALTHCARE PRIVACY—U.S.

As Final HIPAA Rule Nears, Experts Discuss Its Worth (June 8, 2012)

Panelists at a health privacy event in Washington this week agreed the stakes are high when it comes to electronic records and healthcare privacy, Government Health IT reports. "Unfortunately, we have laws on the books that do not put the patient first," said one panelist. The Office of the National Coordinator for Health IT confirmed at the event that the final HIPAA omnibus rule will be released by summer's end. Meanwhile, Office for Civil Rights Director Leon Rodriguez says tolerance for noncompliance with HIPAA is "much, much lower" than it has been in the past, and a National Health Council study found federal privacy laws are hindering medical research, prompting questions about whether the rule goes too far.

PRIVACY LAW—U.S.

FTC: Businesses Exposed Sensitive Consumer Data (June 7, 2012)

The Federal Trade Commission (FTC) has announced settlements with two businesses for "illegally exposing the sensitive personal information of thousands of consumers by allowing peer-to-peer file-sharing software to be installed on their corporate computer systems." The FTC alleged that Utah-based debt collector EPN, Inc., "failed to implement reasonable security measures for personal information on its computers and networks," allowing "sensitive information including Social Security numbers, health insurance numbers and medical diagnosis codes of 3,800 hospital patients to be made available to any computer connected to the P2P network." In a separate case, the FTC contended that Georgia-based Franklin's Budget Car Sales, Inc., "compromised consumers' personal information by allowing P2P software to be installed on its network, which resulted in sensitive financial information being uploaded to a P2P network." As part of the settlements, both companies are required to "establish and maintain comprehensive information security programs."

PRIVACY LAW—U.S. & EU

Irish MEP Briefs DoC on EU Data Protection Rules (June 7, 2012)

Irish MEP Sean Kelly was set to have briefed the Obama administration yesterday on the EU's stance on online privacy and its proposals for updating data protection rules among member states, Silicon Republic reports. Kelly, who was selected to co-author the European Parliament's report on data protection regulation earlier this year, was to have met with the U.S. Commerce Department's Cameron Kerry on the topic, which he says is "perhaps the most important piece of legislation that will emerge from the European Union for quite some time." Kelly stressed that the legislative process is still in the early stages.

FINANCIAL PRIVACY—GERMANY

Credit Bureau To Scan Social Networks (June 7, 2012)

The Local reports on plans by Germany's largest credit bureau to use social networks to determine if someone is credit-worthy. Schufa has established a research group to determine how to link social networking information to other details about a person's credit rating, the report states. It also plans to link personal characteristics with the ability or willingness of a person to pay off loans. The plan has raised concerns among consumer protection and data protection groups. "People who are on Facebook do not think that what they say there could one day be influential in their credit status. That crosses a line," said Edda Castelló, data protection commissioner in Hamburg.

CHILDREN’S PRIVACY—U.S.

NJ Sues Mobile App Maker on Alleged COPPA Violations (June 7, 2012)

New Jersey's attorney general and Division of Consumer Affairs have filed suit against a mobile app developer for alleged violations of COPPA, NJToday.net reports. The suit claims that educational games maker 24x7digital, LLC, collects and transmits kids' information to a third party without parental consent, the report states. The acting director of the NJ Division of Consumer Affairs said that "under no circumstances is it acceptable to transmit identifying information...without the informed consent of their parents." Attorney General Jeffrey Chiesa said his office is "proactively investigating mobile apps to ensure their compliance with privacy and consumer protection laws."

HEALTHCARE PRIVACY—U.S.

Lawmakers Not Satisfied with TRICARE Response (June 7, 2012)

GovInfoSecurity reports on lawmakers' concerns about security measures at TRICARE in the wake of its September data breach. Legislators including Rep. Ed Markey (D-MA) sent a letter to the military health program in December inquiring about TRICARE's ability to protect military personnel's health privacy. The lawmakers say TRICARE's response to that inquiry "fails to address" many of their concerns. "We remain deeply concerned that TRICARE is not adequately safeguarding this sensitive information," a recent letter says, calling on TRICARE to implement "meaningful reforms." A spokesman said TRICARE will brief members of Congress this month, the report states.

PRIVACY LAW—PHILIPPINES

Senate Ratifies Data Privacy Act Bicameral Report (June 7, 2012)

The Senate Wednesday ratified a bicameral committee report on the Data Protection Act, according to the Zambo Times. The legislation would mandate that each public- and private-sector entity "protect and preserve the integrity, security and confidentiality of personal data collected in its operations," the report states. Based on the EU Data Protection Directive 95/46/EC, the act would also establish a National Privacy Commission to implement and enforce the bill's provisions. Journalists have criticized portions of the legislation because of strong penalties around "leaked" information.

PRIVACY LAW—SOUTH AFRICA

Expert: Widening Bill’s Consent Definition Concerning (June 7, 2012)

A South African lawyer says the proposed widening of the definition of consent in the nation's privacy bill will render privacy protections meaningless, ITWeb reports. Inkatha Freedom Party MP Mario Oriani-Ambrosini has proposed that the definition of consent be widened to include data subjects' failure to opt out of the processing of their personal data within a given time period. Attorney Paul Jacobson says the proposal makes opting in meaningless and can be harmful to children, the report states.

PRIVACY LAW—AUSTRALIA

Commissioner Says Superannuation Fund Breached Act (June 7, 2012)

The First State Super Trustee Corporation (FSS) has been found to have breached the Privacy Act, ZDNet reports. The privacy commissioner opened an investigation after an incident in October where a security director discovered that information from FSS systems was vulnerable to snooping by other FSS customers. The investigation found personal information, including member names and addresses, details of account transactions, balances and members' ages, could be downloaded from FSS, the report states. The investigation also found FSS had the capacity to remedy the vulnerabilities before the security director's discovery and breached the act because of its inaction.

DATA LOSS

LinkedIn Investigates Breach, Defends Calendar Syncing (June 7, 2012)
Business social network LinkedIn has launched an investigation into a breach of as many as six million user passwords that may have been published on a hacker's website. According to an official LinkedIn update, users will "benefit from the enhanced security we just recently put in place..." Ireland's data protection authority said it may investigate the incident, and U.S. lawmakers are calling for data security legislation. The University of Virginia and eHarmony also had systems breached this week. Meanwhile, The New York Times reports on findings by security researchers revealing that LinkedIn's mobile app may transmit iPhone and iPad calendar details back to company servers without user knowledge. The practice, the report states, may violate Apple's privacy guidelines. A LinkedIn spokeswoman said the "calendar sync feature is a clear 'opt-in' experience." (Registration may be required to access this story.)

PRIVACY LAW—CANADA

OPC Releases Annual Report (June 6, 2012)
The Canadian federal privacy commissioner has released an annual report to Parliament on private-sector privacy law, Postmedia News reports. The Office of the Privacy Commissioner's report highlights the growing privacy risks children face and calls on Parliament to review Canada's federal privacy law and grant the privacy commissioner additional powers. Privacy Commissioner Jennifer Stoddart said, "I am very, very disappointed that we're not moving ahead with privacy reform issues," adding, "They're long overdue." A proposal tabled last fall would have mandated breach reporting to the commissioner but has not moved beyond its first reading. "We have to have powers that will be respected by these huge multinational corporations that are doing business online," Stoddart said, "and you need a strong voice to be heard by them."

PRIVACY LAW—U.S.

Judge Says No Economic Harm, Allows Suit To Proceed (June 6, 2012)

A federal judge has narrowed a potential class-action privacy lawsuit against Amazon but has rejected the company's bid to completely dismiss the case, MediaPost reports. The lawsuit alleges Amazon circumvented Internet Explorer privacy filters. U.S. District Judge Robert Lasnik dismissed fraud charges in the case because the plaintiffs didn't claim Amazon caused economic injury. Addressing the plaintiffs' assertion that web-surfing data is worth something, Lasnik said, "raw information is not valuable." The judge allowed plaintiffs to continue with their claim that Amazon violated Washington state consumer protection law banning unfair or deceptive acts.

SOCIAL NETWORKING—U.S.

Reps Write To Facebook On Plan To Let Kids Join Site (June 6, 2012)

Following announcements that Facebook may permit children younger than 13 to use the site, Reps. Ed Markey (D-MA) and Joe Barton (R-TX) sent a letter to the social networking site Monday asking executives whether information about younger users would be collected and shared and if targeted advertising would be employed, COMPUTERWORLD reports. "Permitting children under 13 to use the social networking site raises a number of important questions about how Facebook would comply with the Children's Online Privacy Protection Act," the letter said, adding, "We strongly believe that children and their personal information should not be viewed as a source of revenue."

FINANCIAL PRIVACY

Third-Party Processors Increasingly At Risk (June 6, 2012)

Following a report criticizing its risk practices, a Florida company that helps 14,000 financial institutions process transactions and track customer accounts is increasing its security. The letter to Fidelity National Information Services (FIS) from the Federal Deposit Insurance Corp. (FDIC) followed an examination by the FDIC, the Federal Reserve Bank of Atlanta and the Office of the Comptroller of the Currency on oversight issues at FIS after a 2011 breach that resulted in at least $12.7 million in fraud. FIS says since then it has hired three executives to handle security. Hackers are increasingly targeting third-party service providers such as FIS, reports The Wall Street Journal. (Registration may be required to access this story.)

PRIVACY LAW—U.S.

Delaware House Approves Social Media Privacy Bill (June 6, 2012)

The Delaware House has passed legislation prohibiting public and private schools from requiring students to share their social media login information with school officials, AP reports. The bill's chief sponsor, Rep. Darryl Scott (D-Dover), said, "With the number of kids who have social media sites and choose to share information with a select audience, I thought it was important to provide them some protection if they choose not to share that with the entire world."

PRIVACY LAW—U.S.

Consumer Wants Data Broker Lawsuit Revived (June 6, 2012)

The consumer who brought a potential class-action lawsuit against data broker Spokeo is asking the court to revive his previously dismissed case. Virginia resident Thomas Robins alleged Spokeo violated the Fair Credit Reporting Act because false information on the site was hindering his job search, MediaPost reports. A U.S. district court judge dismissed the lawsuit last May, but Robins says his case should be revived even if he can't prove financial loss and claims he suffered harm "in the form of anxiety, stress and concern over Spokeo's maintenance and dissemination of inaccurate consumer reports." Critics allege Spokeo doesn't allow consumers to correct inaccuracies before it sells information about them.

HEALTHCARE PRIVACY—U.S.

Expert To Unveil Updated Health Data Map (June 6, 2012)

Harvard University Data Privacy Lab founder Latanya Sweeney plans to unveil a new health data tracking project this week, Bloomberg reports. The DataMap aims to help doctors and patients better understand where electronic health records go, "encourage new uses of personal data, help innovators find new data sources and educate the public and inform policy makers on data sharing practices." Patient Privacy Rights Founder Deborah Peel said the project's "open nature" is a positive step and will help maintain an accurate health data map that uncovers the "chain of custody of our data."

DATA LOSS—U.S.

Survey: Breaches Hurt Customer Relations (June 6, 2012)

Modern Healthcare reports on a Ponemon Institute survey revealing a growing awareness of the effects of a data breach. Comparing data with a similar survey conducted in 2005, the survey indicates that the number of respondents who have been contacted about a breach involving their personal data has more than doubled. Meanwhile, Healthcare IT News reports on 10 of the largest data breaches in 2012. (Registration may be required to access this story.)

ONLINE PRIVACY

Opinion: When It Comes to Tracking, What Are We Worried About? (June 6, 2012)

In an opinion piece for MIT's Technology Review, Antonio Regalado discusses the impact of tracking technologies following Microsoft's recent announcement that Internet Explorer 10 will contain a do-not-track feature by default. Regalado notes recent suits alleging violations of federal wiretap laws and the circumvention of privacy settings and discusses regulators' claims that privacy-related harms need not be physical or economic, asking, "what are we really worried about?...Despite the hand-wringing, it's not so easy to find people who have been hurt by the collection of their personal data."

MOBILE PRIVACY—U.S.

App Makers Circumvent Tracking Rules (June 5, 2012)

Mobile ad networks are using new techniques to track users after Apple's efforts to protect user privacy, The Wall Street Journal reports. After Apple said last summer it would stop allowing apps to track iPhone and iPad users as they moved from one app to another, ad networks started using a different identifier to continue tracking user details such as location and preferences. The Federal Trade Commission recently urged Congress to create regulations on the matter. Stanford researcher Jonathan Mayer says the situation is "emblematic of a culture problem in Silicon Valley that sees privacy control not as a customer protection but a technical barrier to be overcome." (Registration may be required to access this story.)

DATA LOSS—U.S. & CHINA

Food Chain, Online Retailer Suffer Breaches (June 5, 2012)

Penn Station, Inc., and some of its franchisees have experienced a potential breach affecting credit and debit card numbers, FastCasual.com reports. The unauthorized access reportedly occurred between the beginning of March and the end of April. Federal law enforcement is currently investigating and customers have been made aware of the issue, the report states. Meanwhile, Wal-Mart's online arm in China is investigating a potential security breach, The Wall Street Journal reports. A spokesman for Yihaodian did not offer details, but said, "We take the safety and security of customer data and customer accounts very seriously."

PRIVACY—CANADA

Commissioner: Record Number of Complaints in 2011 (June 5, 2012)

Ontario Information and Privacy Commissioner Ann Cavoukian says a record number of complaints and freedom of information requests were made to her office last year. Releasing her annual report on Monday, the commissioner said 277 privacy complaints in 2011 set a new record, ITBusiness.ca reports. Calling the theme of the report "ever vigilant," the commissioner called for privacy activists to keep an eye out for legislation--or lack thereof--that could impact privacy. She also criticized Bill C-30 for the access it would give police to track data without a warrant. "This so-called 'lawful access' legislation represented one of the most invasive threats to our privacy and freedom that I have ever encountered in my 25 years," she said.

BIG DATA

Applying Standards, Literacy to Data Science (June 5, 2012)

In The New York Times, Quentin Hardy writes about emerging aspects of big data. As it grows, "it is easy to miss how much remains to do before the industry has proven standards," he writes, adding, "There is essential work to be done training a core of people in very hard problems..." Additionally, a "broad-based literacy" should be applied to the use of big data, including better management and information-reading tools as well as "privacy safeguards for corporate and personal information." Researcher danah boyd said, "we have very low levels of computational literacy, data literacy, media literacy, and all of these are contributing" to fears of big data. (Registration may be required to access this story.)

PRIVACY LAW—EU & U.S.

Proposed Regs Could Cloud Transatlantic Data Sharing (June 5, 2012)

Financial Times reports on potential tensions as the EU and U.S. consider privacy regulations for businesses. EU reforms may be welcomed by individuals, but "they impose a cost on business and do not always sit easily alongside other legislation designed to protect the public," the report states. One such example is the friction between the EU and U.S. over the USA PATRIOT Act. A Deloitte representative said if there is a "clash" between the entities, "it will come down to whose stick is bigger, and that may be the U.S. government," adding, "It is only going to get worse with the new, wider-reaching EU regulations that are being drafted." (Registration may be required to access this story.)

SOCIAL NETWORKING

Advocates, Lawmakers React To Facebook Plans (June 5, 2012)

Advocates say Facebook will need to comply with COPPA laws and give parents the ability to block tracking of their children as it looks to allow kids under the age of 13 to join the social network, Bloomberg reports. Rep. Mary Bono Mack (R-CA) said Facebook should proceed "with an abundance of caution." Last year, a Consumer Reports study found 7.5 million children under 13 were already on the site, and 82 percent of parents of 12-year-olds said they had helped their children sign up.

ONLINE PRIVACY

Concerns About Microsoft’s Do-Not-Track Default (June 4, 2012)

MediaPost News reports on industry reaction to Microsoft's announcement last week that its newest version of Internet Explorer in its Windows 8 operating system will feature do not track as the default setting. The announcement has incited criticism from the Digital Advertising Alliance (DAA). Stu Ingis, DAA counsel, says he doubts ad networks will respect the do-not-track command if it hasn't been activated by users themselves. "It's hard for me to believe that anyone would follow the command when it's not really a consumer choice," he said. The Association of National Advertisers has urged Microsoft to rethink the decision. Microsoft's Chief Privacy Officer, Brendon Lynch, CIPP/US, said in a blog post, the move is "an important step in this process of establishing privacy by default, putting consumers in control and building trust online."

PRIVACY LAW—PHILIPPINES

Data Privacy Bill Set To Pass, Journalists Critical (June 4, 2012)

A bicameral conference committee is set to finalize Senate Bill 2965, or the Data Privacy Act, before presenting it to both houses for ratification later this week, Manila Standard Today reports. The legislation has been criticized by journalists because of a provision that would make it illegal for journalists to publish "leaked" information. Under the provision, a journalist could face up to a five-year jail sentence or a P2 million fine for "breach of confidentiality..." Sen. Edgardo Angara, the bill's sponsor, said the bill "will not curtail the public's right to information, especially on matters of public interest." According to a journalist union spokeswoman, Angara has pledged to remove the penalty clauses before ratification.

PRIVACY LAW—EU

Data Protection Officer Role Will Be Key (June 4, 2012)

CIO reports on the role data protection officers (DPOs) will play in organizations operating in the EU. Proposed EU reforms mandate that organizations create a DPO role filled by a seasoned professional who reports directly to the board of directors. "With the potential for a land grab of qualified candidates," the article states, "organizations may want to begin defining their needs now." A security industry expert said, "There are a ton of very smart people who get IT security, but they don't have the ability to make it viral among the employee base," adding, "They have to be passionate about credentials and be good communicators that can work with" business and executive teams. The DPO will also be responsible for training staff.

CONSUMER PRIVACY—U.S.

Facebook Developing Under-13 Access Options (June 4, 2012)

The Wall Street Journal reports on Facebook's exploration of technology that would permit children under the age of 13 to use the social networking site. Various options currently being tested include tying children's accounts to their parents' and parental controls over "friending" and apps, the report states. A company representative said, "Recent reports have highlighted just how difficult it is to enforce age restrictions on the Internet, especially when parents want their children to access online content and services," adding, "We are in continuous dialogue with stakeholders, regulators and other policy makers about how best to help parents keep their kids safe in an evolving online environment." (Registration may be required to access this story.)

DATA LOSS—U.S.

Police: Undergrad Responsible for Recent Breach (June 4, 2012)

According to law enforcement authorities, an undergraduate student is responsible for a recent data breach at the University of Nebraska. Police say the breach affecting more than 650,000 students, parents and employees was a "skilled attack." No arrest has been made, and the suspect has not been named, but police have seized a computer and other equipment from the suspect's dorm room after tracing the IP address of the computer used in the attack, COMPUTERWORLD reports. Meanwhile, the CEO of a company that has come under congressional scrutiny due to the practice of one of its service providers will not have his contract renewed.

ONLINE PRIVACY—U.S.

Apps Start To Balance Privacy and Sharing (June 4, 2012)

In a piece for The New York Times, Jenna Wortham reports on a new mobile app intended for people in relationships to send messages and photos back and forth. Venture capitalists recently invested $4.2 million in Pair, the app Wortham says combines privacy and intimate sharing. "Entrepreneurs are experimenting with how to appeal to users who are privacy-conscious and benefit from that," says Prof. Andrea Matwyshyn of the University of Pennsylvania. Snapchat, for example, allows users to set a time limit on how long pictures are available online, and KickSend lets users share files privately with friends, the report states. (Registration may be required to access this story.)

CONSUMER PRIVACY—U.S.

C-SPAN Talks Privacy with Ohlhausen and Brill (June 4, 2012)

In an interview with C-SPAN last week, Federal Trade Commissioners Maureen Ohlhausen and Julie Brill discussed the FTC's efforts on consumer privacy. Ohlhausen talked about the commission's call for general consumer privacy legislation, privacy by design and self-regulatory efforts; she met with the W3C recently to find out more about its technology-based self-regulation method. Commissioner Julie Brill discussed data collection for marketing and self-regulation, saying, "One of the things that I look for in any self-regulation context is whether or not it's robust--is it providing good protections for consumers--and is there an enforcement mechanism." (Ohlhausen privacy comments start at 5:19; Brill comes in at 16:16.)

HEALTHCARE PRIVACY—U.S.

Breaches Demonstrate Risks as Records Go Electronic (June 4, 2012)

Kaiser Health News reports on the increased risk of health data breaches as patient records become electronic. The risks were recently exemplified in two breaches at Howard University Hospital, the report states, as well as recent breaches at the Utah Department of Health and TRICARE. However, many breaches were avoidable, says the Center for Democracy & Technology's Deven McGraw. "We have technology that can help save us when we're all too human," she says, adding cloud storage, password protection and encryption can help healthcare providers safeguard patient data. While risk can never be completely eliminated, "we can do a lot better than we have been doing," she says. 

ONLINE PRIVACY

As Governments Work on User Privacy, Data Harvesting Continues (June 4, 2012)

While users wait for protective measures to become a reality, online information will continue to be harvested for profit, writes Christine Digangi in a report published by China Daily. Technology companies continue to establish do-not-track mechanisms, the U.S. Federal Trade Commission continues to monitor Internet companies' promises to users on privacy practices and the European Commission has proposed a law that would require Internet companies to obtain user permission on how their data may be used. But consumers' "insatiable appetite for information complicates data protection legislation," the report states. For now, users must embrace that their online actions will always be visible, spend energy crafting a public image or quit the Internet, Digangi writes.

ONLINE PRIVACY

Microsoft Unveils Operating System with Default Do-Not-Track Browser (June 1, 2012)

Microsoft has announced another test version of its Windows 8 operating system containing an Internet browser with a do-not-track feature as the default, reports The Washington Post. "We believe that consumers should have more control over how information about their online behavior is tracked, shared and used," said Microsoft Chief Privacy Officer Brendon Lynch, CIPP/US. The company is the first to offer do not track as the default. U.S. Federal Trade Commission Chairman Jon Leibowitz called the browser "yet another step forward in giving consumers choice about their browsing data" and called on industry to offer solutions for consumer choice on all tracking--not just targeted ads--by year's end. (Registration may be required to access this story.)

MOBILE PRIVACY—U.S.

FTC Chairman Calls for “Cereal Box” Style App Policies (June 1, 2012)

Federal Trade Commission (FTC) Chairman Jon Leibowitz has called for privacy policies on apps to be as simple as a nutrition guide on a box of cereal, reports the Los Angeles Times. Besides making the policies easy to find, apps should spell out exactly what they do with your data, Leibowitz said. At a recent tech conference, Leibowitz discussed the FTC's privacy cases against Google and Facebook as having "protected the privacy of more than a billion people around the world" and insisted that users, not websites, own their personal information. He added that more privacy on the Internet could bring industry higher revenue streams. (Registration may be required to access this story.)

PRIVACY LAW—U.S.

Advocates Join Fight Against Twitter Subpoena (June 1, 2012)

The American Civil Liberties Union, the Electronic Frontier Foundation (EFF) and Public Citizen, Inc., have issued a joint filing stating that Occupy Wall Street protestor Malcolm Harris should have grounds to bring both a First- and Fourth-Amendment challenge to a subpoena requesting his personal information and tweets throughout a period of more than three months in 2011, Reuters reports. This supports Twitter's request to overturn a ruling that mandated the site turn over the content, contending it is owned by Harris, not Twitter. Meanwhile, a study conducted by EFF has given Twitter three and a half out of four stars for its commitment to protect users' data, with Sonic.net the only company receiving four stars.

DATA LOSS—UK

Trust Appealing £325,000 Data Breach Fine (June 1, 2012)

An NHS trust will appeal a £325,000 fine issued by the Information Commissioner's Office (ICO) following a data breach. Brighton and Sussex University Hospitals NHS Trust was served the largest penalty to date after it sold hard drives that contained sensitive data on tens of thousands of patients and staff, Public Service reports. The trust does not accept the ICO's conclusions that it "failed significantly in its duty to its patients, and also to its staff," the report states. The trust says it "simply cannot afford to pay a £325,000 fine" and is therefore appealing to the information tribunal.

PRIVACY LAW—EU

Commission Seeks Financial Penalties Against Germany (June 1, 2012)

The European Commission has referred Germany to the European Court of Justice requesting it impose financial penalties. The referral follows Germany's noncompliance in transposing the European Data Retention Directive into national law, which the commission says will have a negative effect "on the internal market for electronic communications and on the ability of police and justice authorities to detect, investigate and prosecute serious crime," according to a European Commission press release. The commission sent an opinion to Germany in October asking that it remedy the breach of EU law. However, the release states, German authorities have not indicated how and when they would bring the country into compliance.

RFID—U.S.

Texas Schools To Chip Students (June 1, 2012)

A Texas school district will soon use RFID chips to track middle- and high-school students, Marketplace reports. The pilot program will outfit more than 6,000 students with the tracking devices, which will contain student names, pictures and ID numbers. The school district's spokesman said the chips will be used to help locate students who aren't where they are supposed to be at a given time and for emergency situations. One RFID privacy researcher said it's hard to predict the consequences of such data collection. "We don't know what it could be used for in the future," he said.

DATA LOSS—U.S.

Senator Seeks Details on TSP Breach (June 1, 2012)

Sen. Susan Collins (R-ME) wants to know more about a data breach at the Thrift Savings Plan (TSP) that exposed the sensitive personal information of more than 123,000 accountholders, InfoSecurity reports. In a letter to the TSP, Collins asked questions about its handling of the incident, reported last week, saying, "I want to assess the process and timeframe whereby this attack was discovered and addressed."

PRIVACY LAW—U.S.

Alan Westin To Be Honored (June 1, 2012)

Alan Westin, senior policy advisor of Arnall Golden Gregory LLP and 2005 IAPP Privacy Leadership Award winner, will receive the inaugural Louis D. Brandeis Hero of Privacy Award next week in Washington, DC. "In 1890, Harvard Law graduate Louis Brandeis...called for recognition of the tort of invasion of privacy," said Robert Belair of Arnall Golden Gregory. "Seventy-seven years later, another Harvard Law graduate, Alan Westin...wrote in his groundbreaking work, Privacy and Freedom, that there must be legal recognition for the concept of information privacy." Belair added, "Today, literally tens of thousands of statutes, court decisions, regulations and company best practice standards, throughout the globe, are based upon this principle." Editor's note: The nomination period for two of the IAPP's other annual awards is now open.

PRIVACY LAW—EU

Committees Vote Down ACTA (June 1, 2012)

The European Parliament's civil liberties, legal and industry committees all voted against the international anti-piracy agreement ACTA on Thursday, reports PC World. The civil liberties committee cited concerns over Internet providers policing the web and a lack of protection for sensitive information, while the industry committee said ACTA fails to balance intellectual property and privacy rights with freedom of information. ACTA was signed by the European Commission (EC) and 22 member states in January, but most have suspended ratification after civil protests and Europe's Data Protection Supervisor warned the agreement may violate privacy law. The EC has asked Parliament to wait for an opinion from the European Court of Justice, but according to the report, that is unlikely.

“I think they mean it.” The new medical records privacy law in Texas (June 1, 2012)

Revisions to the Texas Medical Records Privacy statute, which take effect on Sept. 1, expand existing requirements for those who have access to medical information pertaining to others. House Bill 300 (HB 300) provides that covered entities, as defined in the statute, must comply with expanded responsibilities pertaining to health information. The act imposes upon these covered entities additional duties beyond those that are dictated by the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA).