Privacy News | Daily Dashboard

Breaking news. In-depth articles. Global coverage.

Save time searching the headlines for privacy news in the media. Get the latest breaking privacy and data protection news from around the globe all in one place—The Daily Dashboard. Our FREE daily e-newsletter summarizes the day’s top privacy stories with links to the full articles—sent directly to your desktop each weekday!


Top Privacy News

PRIVACY LAW—U.S.

Senate Hearing Reviews 1974 Privacy Act Proposals (July 31, 2012)

The Senate Homeland Security and Government Affairs Subcommittee on Oversight of Government Management has convened to consider updating the 1974 Privacy Act, The Hill reports. Subcommittee Chairman Daniel Akaka (D-HI) is sponsoring S 1732 to implement privacy protections and require federal agencies to provide public notification after experiencing a data breach. Witnesses included Mary Ellen Callahan, CIPP/US, chief privacy officer of the Department of Homeland Security; Peter Swire, CIPP/US, professor at the Ohio State University, and Chris Calabrese, legislative counsel for the American Civil Liberties Union. In his final comments, Akaka said the hearing will “provide a blueprint for the next Congress” on issues that need to be addressed.

DATA RETENTION—U.S.

Netflix Alters Privacy Policy (July 31, 2012)

Movie-streaming company Netflix has agreed to change its privacy policy as part of a proposed class-action settlement, the Toronto Star reports. The company will reportedly de-identify rental histories of customers who have not used the service for a year. “Named plaintiffs” in the class-action lawsuit will each receive $5,000, and $6.75 million will go to nonprofit privacy organizations. Settlement money will also be used to educate consumers and regulators on privacy protection, the report states.

PRIVACY LAW—U.S.

Senate To Debate Cybersecurity Bill (July 31, 2012)

The Senate is expected to debate and vote on cybersecurity legislation this week, The Hill reports. Senators have been parsing through Sen. Joe Lieberman’s (I-CT) Cybersecurity Act and Sen. John McCain’s (R-AZ) Secure IT Act to attempt to negotiate compromises within the bills, the report states. Sen. Patrick Leahy (D-VT) has filed a number of amendments to the Cybersecurity Act, saying, “In the information age, stronger privacy protections are also needed to safeguard Americans’ personal information and private communications in cyberspace.”

SURVEILLANCE—CANADA & U.S.

Privacy Enforcer, Advocates Look at Plate Recognition Technology (July 31, 2012)

British Columbia’s privacy commissioner and U.S. privacy advocates are investigating law enforcement use of automated license-plate scanning. BC undertook a pilot project using the plate recognition technology in 2006 in order to combat auto theft and motor vehicle violations, The Globe and Mail reports. BC Privacy Commissioner Elizabeth Denham recently launched an investigation after several individuals wrote with concerns about the technology. A published report on the investigation will provide use guidance to law enforcement agencies. Meanwhile, the ACLU of Virginia sent requests to law enforcement agencies in the state on how they are using the technology, and 34 ACLU affiliates across the U.S. made similar requests.

PRIVACY—EU & U.S.

Opinion: Reforms on Both Sides of the Atlantic (July 31, 2012)

In an op-ed for Concurring Opinions, Omer Tene of the Israeli College of Management School of Law reports on efforts within the U.S. and Europe to reform privacy frameworks. In the U.S., legislating Fair Information Practice Principles “remains crucial,” Tene writes, adding that without them, “the FTC cannot do much more than enforce promises made in corporate privacy policies, which are largely acknowledged to be vacuous.” When it comes to self-regulatory efforts, Tene notes many are skeptical about their success. In formalizing the EU’s draft regulation on data protection, policymakers “should keep in mind the desired balance between innovation, economic progress and regulation,” he writes.

PRIVACY LAW—IRELAND

Commissioner’s Office To Conduct Second Facebook Audit (July 31, 2012)

The Office of the Data Protection Commissioner (DPC) has said it will determine by early October whether to take legal action against Facebook, RTE News reports. The DPC will soon conduct a second audit to ensure Facebook is complying with EU laws. Amidst reports it had cut ties with Europe v. Facebook—the Austrian group that has been working with the DPC and which has been successful in convincing Facebook to release information about the data it collects from users—the office said in a statement this week that “Europe v. Facebook performed a useful public service in highlighting the specific issues raised in its complaints.”

CLOUD COMPUTING—UK

ICO: Onus Remains on Organizations, Not Cloud Providers (July 31, 2012)

The Information Commissioner’s Office (ICO) says while it welcomes a new online platform that allows prospective cloud computing users to view the providers’ security features, organizations cannot rely on that information to ensure their own compliance with UK data protection laws, Out-Law.com reports. Amazon is the latest cloud provider to post details of its data protection protocols to the Security, Trust & Assurance Registry, which is free to view and includes members such as Google and Microsoft. An ICO spokesperson said organizations “thinking of using cloud service providers must understand that they are still responsible for the safety of that data.”

PRIVACY LAW—U.S.

Leahy Proposes To Make Hiding a Data Breach a Crime (July 30, 2012)

The Hill reports on an amendment by Sen. Patrick Leahy (D-VT) to the proposed Cybersecurity Act that seeks to “make it a crime for a company to hide a data breach from its customers.” The proposed amendment would make it possible for “anyone who purposefully conceals a data breach that causes financial damage” to face a five-year prison term. Leahy has also proposed other amendments to the act seeking to set a national breach notification standard and require companies to establish data protection programs if they store sensitive personal information, the report states. A debate on the Cybersecurity Act is expected in the Senate today.

PRIVACY LAW—EU

Member States Negotiate Flexibility Agreement (July 30, 2012)

During a meeting at the Council of Ministers in Cyprus, a number of EU member states have obtained an agreement that would allow the commission to change data protection laws in the future in order to respond to advancements in technology, Out-Law.com reports. “For us, it’s important that we have legislation that is, of course, detailed enough to give protection to citizens but that is also applicable for a longer period of time,” a Swedish official said. The General Data Protection Regulation would introduce a single data protection law across EU member states. Its draft was revised by the Council of Ministers in June.

GEO PRIVACY—U.S.

Senator To Introduce GPS Tracking Amendment (July 30, 2012)

Sen. Ron Wyden (D-OR) plans to introduce an amendment to proposed cybersecurity legislation requiring law enforcement officials to obtain a warrant prior to accessing location data from an individual’s mobile device, The Hill reports. In addition to clarifying how much evidence officials need to track a suspect, the Geolocation Privacy and Surveillance Act also aims to specify when businesses need to respond to law enforcement data requests. Wyden contends the amendment fits well with Sen. Joe Lieberman’s (I-CT) Cybersecurity Act, saying it “will protect Americans’ location information from misuse.”

PRIVACY LAW—U.S.

VPPA Revision Introduced for Netflix-Facebook Integration (July 30, 2012)

Video Privacy Protection Act (VPPA) author Sen. Patrick Leahy (D-VT) has proposed an amendment to the 24-year-old legislation to allow consumers to consent to the disclosure of their movie rentals, MediaPost reports. The move would allow Netflix and Facebook to integrate services—something the VPPA has prevented thus far. The Leahy amendment would allow consumers to consent in advance to the disclosure of their rental histories and requires companies to allow consumers to withdraw consent. Leahy has submitted the proposal as an amendment to the Cybersecurity Act of 2012.

PRIVACY LAW—IRELAND

Irish Authorities Seek Answers from Google (July 30, 2012)

Ireland’s deputy information commissioner is seeking answers from Google about its retention of data that was believed to have been deleted, the Associated Press reports. Google contacted regulators in the UK and Ireland last week to acknowledge it still possessed data collected during Street View surveys that it had agreed to delete in an undertaking with the UK’s Information Commissioner’s Office. Google’s global privacy counsel said last week that the company “apologizes for this error.”

DATA RETENTION—AUSTRALIA

Hacker Group Publishes Consumer Data as Protest (July 30, 2012)

In an act of protest against a proposed Australian data retention law, hacktivist group Anonymous has started publishing consumer data allegedly gleaned from an Australian Internet service provider (ISP), GIZMODO reports. Meanwhile, in a ZDNet report, experts analyze what effect the group’s efforts may have on the proposed data retention bill. One expert says the attack was opportunistic and not “an overly skilled exercise in attacking that system.” Another expert argues that no system is totally secure and the proposed bill would require too much effort and monetary expense for ISPs to handle.

DATA PROTECTION—U.S.

Opinion: Protections Needed from Data Misuse (July 30, 2012)

In an op-ed for the Huffington Post, Karthika Muthukumaraswamy discusses technology capable of helping users delete themselves from the Internet. While users have thus far been responsible for monitoring for themselves what they post on the web, companies are increasingly mining for such information in order to market to consumers or monitor employees. This creates “more and more need to hold organizations accountable for their exploitation of such information,” Muthukumaraswamy writes, adding, what’s more important than the amount of data we’ve posted online about ourselves is the “right use of that data.”

PRIVACY LAW—U.S.

U.S. Joins APEC Cross Border Privacy Rules (July 27, 2012)

Acting U.S. Commerce Secretary Rebecca Blank has announced the United States’ participation in the Asia-Pacific Economic Cooperation’s (APEC) Cross Border Privacy Rules. The rules aim to provide a framework to facilitate cross-border data flows by allowing for interoperability through various jurisdictions’ privacy regimes. Blank said U.S. participation “is a significant milestone in international data protection and is an important step in the implementation of the global privacy strategy outlined in the Obama administration’s February 2012 Data Privacy Blueprint,” adding, “We are committed to working with our trading partners in APEC to help maximize its implementation throughout the region.” APEC plans to launch the system within six months.

PRIVACY LAW—UK

ICO: Google In Breach of Undertaking (July 27, 2012)

The Information Commissioner’s Office (ICO) has ordered Google to hand over data collected from 30 countries during its Google Street View service surveys, BBC News reports. The ICO wants the data—which Google agreed to delete as part of a deal signed in November 2010—for forensic analysis. Google stated in December 2010 the data had been deleted, but Google’s global privacy counsel wrote to the ICO today, stating the company “still has in its possession a small portion of payload data collected by our Street View vehicles in the UK. Google apologizes for this error.” An ICO spokesperson said, “We are also in touch with other data protection authorities in the EU and elsewhere through the Article 29 Working Party and the GPEN network to coordinate the response to this development.”

PRIVACY LAW—U.S.

Sens. Plan To Introduce Amendments to Cybersecurity Bill (July 27, 2012)

The Hill reports on plans by several lawmakers to offer amendments to Sen. Joe Lieberman’s (I-CT) cybersecurity bill. Sens. Al Franken (D-MN) and Richard Blumenthal (D-CT) both said they plan to increase the bill’s privacy provisions, while acknowledging that the current, revised version of the bill includes privacy safeguards. “Now, the bill is still not perfect from my point of view, but I can say with confidence that when it comes to protecting both our cybersecurity and our civil liberties, the Cybersecurity Act is the only game in town,” Franken said. A vote on the bill is scheduled for today.

DATA PROTECTION—HONG KONG

Commissioner Reveals Drug Test Vulnerabilities (July 27, 2012)

Hong Kong Privacy Commissioner for Personal Data Allan Chiang has revealed a number of vulnerabilities in a school drug testing system in the territory of Tai Po, China Daily reports. Chiang said no privacy impact assessment (PIA) had been instituted prior to the system’s launch and noted the protocol did not set data retention standards. Chiang said that policies for the drug testing scheme “are not adequate” and has made a list of 15 suggestions for the system, including the initiation of a PIA. Editor's note: The Privacy Advisor recently caught up with Hong Kong Privacy Commissioner for Personal Data Allan Chiang for a Q&A.

DATA LOSS—U.S.

Breach Has Cost Processor $85 Million Thus Far (July 27, 2012)

The Atlanta Journal-Constitution reports on the costs a payments processor has incurred since its data breach earlier this year, so far totaling nearly $85 million. Global Payments has completed its investigation into the breach, and its CEO says the company is working to once again become compliant with payment card industry standards. The company was dropped from Visa and MasterCard’s compliance list after a March breach affecting 1.5 million account numbers. An identity theft expert said the breach should serve as a wake-up call that more should be done to protect customer data. “Companies have got to be more proactive,” he said.

PRIVACY LAW—EU & U.S.

Weitzner: U.S. Plan Is Not Deregulation (July 27, 2012)

EUROPOLITICS reports on the EU and U.S. handling of online privacy, highlighting comments by the Obama administration’s deputy chief technology officer at a recent seminar hosted by an EU and a U.S. think tank. Speaking at the event, Daniel Weitzner said the U.S.-proposed multi-stakeholder process to encourage companies to develop codes of conduct “is not a code word for deregulation,” the report states. The report also touches on concerns about the EU-U.S. Safe Harbour Agreement, noting, “There is a growing realization that this agreement will need to be updated in light of the ongoing overhaul of the EU and U.S. privacy frameworks.” Weitzner recently announced that he will leave his White House position on 3 August to return to MIT.

ONLINE PRIVACY—U.S.

No Agreement Yet on Internet Privacy (July 27, 2012)

Chicago Tribune reports on efforts toward increased Internet privacy, from plans for Internet Explorer 10 to contain default do-not-track (DNT) settings to industry’s efforts to reach consensus for an online privacy standard. “The marketplace needs to decide this, and we’re letting them,” said FTC Chairman Jon Leibowitz. “We have not proffered a proposal, other than calling for a ‘do-not-track’ option that would be an opt-out with limits on collection, with certain exceptions.” The Interactive Advertising Bureau’s Mike Zaneis said that right now, “DNT flags mean nothing because there’s no definition for what ‘do not track’ means.”

CLOUD COMPUTING—UK

ICO Welcomes STAR Registry, Urges Caution (July 26, 2012)

The Information Commissioner’s Office (ICO) has welcomed a new online platform for prospective cloud computing users but cautions that organisations not simply rely upon provider suggestions, Out-Law.com reports. The Security, Trust & Assurance Registry (STAR), operated by the Cloud Security Alliance, allows providers to submit “self-assessment reports” to document their compliance with best practices. An ICO spokesman said because a provider may be registered with STAR “does not absolve the organisation who collected the data of the legal responsibilities.” The ICO is also developing guidance on legal requirements for organisations storing data in the cloud, the report states, and is reminding firms to notify the agency if they plan to process personal data.

CLOUD COMPUTING—U.S.

Tech Industry: Non-U.S. Firms Marketing to Privacy Fears (July 26, 2012)

At a House Judiciary Committee hearing yesterday, representatives from U.S.-based technology groups warned that non-U.S. cloud computing services are attempting to exploit privacy concerns about the USA PATRIOT Act, COMPUTERWORLD reports. A representative from Rackspace testified that foreign vendors are spreading “fear, uncertainty and doubt” about U.S. privacy regulations, and a witness for the Information Technology and Innovation Foundation said, “Some countries are using unfair policies to intentionally disadvantage foreign competitors and grow their domestic cloud computing industry.” Rep. Zoe Lofgren (D-CA) said some nations have “legitimate concerns…about the lack of standards in American law,” adding, “We have a lot of work to do in this area.”

PRIVACY—U.S.

Weitzner Leaving White House, Returning to MIT (July 26, 2012)

White House Deputy Chief Technology Officer for Internet Policy Daniel Weitzner has announced he is departing from the administration next week and returning to the Massachusetts Institute of Technology (MIT), The Hill reports. Weitzner has been with the Obama administration since 2011, and has worked on cybersecurity and copyright protection issues, but is perhaps best known for his work on the White House’s online privacy whitepaper. According to the report, Weitzner will return to teaching and research at MIT and plans to leave the White House on August 3.

CLOUD COMPUTING—EU

Commission To Release Cloud Strategy in September (July 26, 2012)

EuropeanVoice reports on the European Commission’s plans to publish its strategy for cloud computing. The commission is interested in the cloud’s economic benefits but “realizes that the development raises important questions about data protection and security,” the report states. The strategy is to be released in September and is not likely to recommend legislation but instead propose a plan of action for a legal framework. Mark Lange, senior policy counsel at Microsoft, said people will need to trust data security for the cloud to work. “Everybody needs to ask questions about transparency, security, privacy and to know that they are in control of their data,” he said. (Registration may be required to access this article.)

PRIVACY LAW—BRAZIL

Court Upholds Terminated Nurse’s Breach of Privacy Claim (July 26, 2012)

Attorneys Ana Mesquita Barros and Carolina Spada of Mesquita Barros Advogados report on a case involving an intensive care unit (ICU) nurse who posted to her social networking page “inappropriate” photographs taken inside the ICU facility and elsewhere. Upon the nurse’s subsequent termination, she filed a lawsuit claiming breach of privacy because her termination was based on pictures obtained on a social network. The Labour Court ruled in her favor. “In all cases, a balance must be found between the employer’s right to conduct its activity and the employee’s right to protect his or her privacy and honor, with analysis being made on an individual basis,” the authors opine. (Registration may be required to access this article.)

DATA LOSS—U.S.

In Two Incidents, State and University Data Breached (July 26, 2012)

Wisconsin Department of Revenue officials have said the Social Security and tax identification numbers of approximately 110,000 individuals and businesses were mistakenly included on a publicly available website for a three-month period, according to fdlreporter.com. The information was included in an annual sales report primarily used by real estate professionals. Officials said identity theft risk from the incident is “relatively small.” Meanwhile, law enforcement authorities are investigating a breach by an Oregon State University vendor who copied personal information of nearly 21,000 students and employees from the years 1996 to 2009. School officials have said they do not believe the vendor acted maliciously.

DATA LOSS—UK

Council Data on 2,400 Residents Leaked Via Spreadsheets (July 26, 2012)

Responding to a Freedom of Information request, the Islington Borough Council inadvertently leaked personal data of 2,376 residents—including individuals’ names, marital status and sexuality, Information Age reports. The FOI request was filed by WhatDoTheyKnow.com, which publishes FOI requests on a publicly available website. The breach was identified by an employee of the organization that operates the website. The group then notified the council and the Information Commissioner’s Office. This is the second incident involving the Islington council this year.

PRIVACY LAW—U.S.

Congressmen Launch Data Broker Investigation (July 25, 2012)

Eight members of Congress have opened an investigation into data brokers, a move that “could lay bare the inner workings of the consumer data industry,” The New York Times reports. Reps. Ed Markey (D-MA) and Joe Barton (R-TX) and six other lawmakers sent a letter yesterday to nine “leading industry players,” including Acxiom, Epsilon, Experian and Equifax, requesting information about how the companies “amass, refine, sell and share customer data.” Markey said, “We have gone from an era of data keepers to this new era where data reapers are able to create very complex profiles of every American,” adding he hopes the inquiry will “ratchet up” the transparency. (Registration may be required to access this story.)

PRIVACY LAW—EU

EU Ministers Delve Into EC’s Data Protection Reforms (July 25, 2012)

Meeting in Cyprus this week, European Union justice ministers discussed the European Commission’s proposals for a new data protection framework, focusing on three main issues, EUROPOLITICS reports. Among the issues, ministers considered the treatment of small and medium-sized businesses; whether there should be exemptions for the public sector, and the usefulness of “delegated acts,” the report states. Lithuanian Justice Minister Remigijus Simasius voiced opposition to requiring businesses with more than 250 employees to appoint a data protection official, saying it would impose undue burdens on organizations. (Registration may be required to access this story.)

PRIVACY LAW—GERMANY

Customer Sues Mobile Phone Operator (July 25, 2012)

PCWorld reports on a customer suing mobile operator Vodafone for allegedly storing connection data unnecessarily. Lawyer Meinhard Starostik—a part of the Working Group on Data Retention—sent a cease-and-desist letter to Vodafone stating the “allegedly illegally stored traffic data was unnecessary for the billing process and should be deleted without delay,” the report states. The information Vodafone stores includes mobile phones’ unique identification numbers, SIM cards’ unique identification numbers and the relevant cell tower’s physical location. The data retention ranges from 30 to 92 days. Vodafone says the data is needed for billing services.

PRIVACY LAW—UK

ICO Reminds Orgs To Obtain Processing Clearance (July 25, 2012)

The UK Information Commissioner’s Office (ICO) is reminding firms to notify the agency if they plan to process personal data, Out-Law.com reports. The nation’s Data Protection Act requires organizations to inform the ICO of such plans and include details for international data transfers. The ICO has provided a guide of requirements organizations must follow on an annual basis and has published a public register to inform users of what personal information data controllers process.

PRIVACY LAW—U.S.

Reps Introduce Legislation on Employee Rights, Drone Usage (July 25, 2012)

Rep. Peter Welch (D-VT) has introduced legislation to prevent employers from requiring job applicants or employees to provide access to their social media accounts, VTDigger reports. The Password Protection Act of 2012 “would prohibit compelling or coercing employees to provide access to data stored in private accounts,” the report states. Welch said that employees “have a legitimate expectation of privacy when using Facebook or Twitter,” and the legislation would prevent “fishing expeditions into employees’ private lives.” Meanwhile, Rep. Ted Poe (R-TX) has proposed a bill that would prevent federal, state and local authorities from using drones to surveil Americans without a warrant.

ONLINE PRIVACY

Analyzing the “MAC and IP Address as PI” Debate (July 25, 2012)

In light of a debate during a U.S. Federal Communications Commission event in May, datagovernancelaw.com analyzes whether Media Access Control (MAC) and Internet Protocol (IP) addresses are personal information. Some experts assert they are not, while others disagree. The column queries, “Who is right? Why is it that we are still debating this fundamental issue?” Though MAC and IP addresses will rarely be considered personal information in and of themselves, “they are rich gateways to the collection and the accumulation of data points that can transform them into personal information,” the report states.

ONLINE PRIVACY—U.S.

Little Progress on Do-Not-Track Agreement (July 24, 2012)

Stakeholders involved in establishing an agreement on do-not-track standards, including government bodies, advocacy groups and Internet companies, are no closer to resolving the issue than they were when talks began 10 months ago, Reuters reports. The definition of "do not track" has not yet been agreed upon, with privacy advocates believing it means halting data collection so consumers can freely conduct web searches. But industry believes data collection could continue under do not track, as long as the data was not used to target ads. If no consensus can be reached by year’s end, legislation is likely, the report states.

PRIVACY LAW—EU

EC Opens Consultation on Cybersecurity Draft Laws (July 24, 2012)

The European Commission is seeking comment from governments, businesses and others in drafting new cybersecurity laws, Out-Law.com reports, and could include a provision requiring businesses to report “cyber incidents” affecting their “essential” systems. According to a statement, “The commission is considering the introduction of a requirement to adopt risk management practices and to report security breaches affecting networks and information systems that are critical to the provision of key economic and societal services; e.g. finance, energy, transport and health, and to the functioning of the Internet; e.g. e-commerce, social networking.”

ONLINE PRIVACY—THE NETHERLANDS

Telecom Regulator Plans To Use Automated Cookie Monitor (July 24, 2012)

Dutch telecom regulator OPTA has said it plans to use automated supervision to assure companies are complying with its new cookie consent regime, Bird & Bird reports. Similar to web crawlers, the proposed cookie monitor, which is still in development, scans websites for cookie use and placement. An OPTA spokesman said, “Sites that place cookies without consent, which are hard to remove by the user, will be fined promptly,” adding, “sites that commit less serious offenses are likely to receive a warning first.” The potential result, according to the report, could be a rise in enforcement in the coming months.

SURVEILLANCE—U.S.

Judge Describes Secret Surveillance Docket (July 24, 2012)

The New York Times reports on comments made by a federal judge who describes a secret docket of court orders allowing surveillance of cellphone and e-mail records. Magistrate Judge Stephen W. Smith said, “Courts do things in public…That’s the way we maintain our legitimacy. As citizens, we need to know how law enforcement is using this power,” adding, “The problem is that these surveillance orders remain secret long after the criminal investigations come to an end.” Last year, cellphone carriers received approximately 1.3 million requests for subscriber data. Smith’s description of the growing docket will be published in The Harvard Law and Policy Review. (Registration may be required to access story.)

PRIVACY LAW—U.S.

Revised Cybersecurity Bill May Get Vote (July 24, 2012)

A revised version of the Cybersecurity Act of 2012 may get a vote before senators leave for the August recess, SC Magazine reports. Cosponsored by Sen. Joe Lieberman (I-CT), the bill would not require organizations to meet security standards but, through a voluntary program, would provide incentives for meeting best practices. Lieberman said “we are going to try carrots instead of sticks as we begin to improve our cyber defences.” The Electronic Frontier Foundation has said it is pleased with the bill’s privacy protections, while Stanford Law School’s Center for Internet and Society has raised additional privacy concerns. In an op-ed, President Barack Obama warned about potential cybersecurity attacks.

DATA LOSS

U.S. Hospital Notifies 4,000; German Game Site User Data Posted Online (July 24, 2012)

Beth Israel Deaconess Medical Center in Boston, MA, is notifying nearly 4,000 patients that their protected health information may have been exposed due to the theft of a physician’s laptop computer, CMIO.net reports. “We take the incident extremely seriously and have now accelerated implementation of a program to assist employees with protecting devices they purchase personally,” said Dr. John Halamka, the hospital’s CIO. Police have arrested a suspect in the laptop theft case, according to the report. Meanwhile, ZDNet reports that data relating to 8.24 million customers of a German gaming site hacked in February has been posted to the Internet.

BEHAVIORAL TARGETING—U.S.

Voters Dislike Campaign Targeting (July 24, 2012)

Voters are not interested in having political ads tailored to their interests, according to a new survey by professors at the Annenberg School for Communication at the University of Pennsylvania. As political campaigns increasingly target voters using information collected about them, such as charitable donations they’ve made or the type of credit card they use, 86 percent of those surveyed said they do not want such targeting. Nearly two-thirds said “the likelihood of their voting for a candidate would decrease if that candidate purchased information about them and their neighbors for the purpose of sending them different messages,” The New York Times reports. (Registration may be required to access this story.)

SOCIAL NETWORKING—U.S.

Zuckerberg Gets Privacy Patent Approved (July 24, 2012)

The Washington Post reports Facebook CEO Mark Zuckerberg’s 2006 patent application governing certain privacy settings has been approved by the U.S. Patent and Trademark Office. “The patent is for ‘a system and method for dynamically generating a privacy summary,’” the report states, and cites Zuckerberg and former Facebook Chief Privacy Officer Chris Kelly as its inventors. “In terms of the ongoing Silicon Valley patent wars, particularly one recently resolved between Facebook and Yahoo, this will have little, if any, effect, on Facebook’s overall status in the high-stakes patent battlefield,” the report states. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—EU

Europe Takes Lead in Tech Industry Regulation (July 23, 2012)
Regulators in the European Union are challenging the world’s largest technology firms, and according to The Washington Post, “they are winning.” U.S.-based tech companies are being scrutinized by European regulators “to the point that many experts say,” according to the report, “the legal landscape of the technology industry is being shaped more profoundly” in Europe than in the U.S. A professor from the University of Liege Law School in Belgium said, “The pipeline is packed with these cases.” Before Europe takes its summer break next week, regulators hope to have a settlement with Google, the report states.

PRIVACY LAW—CANADA

BC Commissioner Releases Annual Report (July 23, 2012)

In her annual report, BC Information and Privacy Commissioner Elizabeth Denham says information and privacy law is being undermined by the provincial government, reports The Victoria Times Colonist. Recently enacted legislation has eroded 20-year-old laws on privacy, Denham said, adding she is “very concerned.” Four bills that changed rules on animal health, ferries, emergency disclosure and PharmaCare worked their way “quickly through the legislature, and we had very little time to get our message to the ministries during confidential consultation; we are really concerned about that,” Denham said, adding this indicates perhaps “a lack of understanding throughout government in the principles and the legal basis of freedom of information and protection of privacy.”
Full Story

BIG DATA—U.S.

Consumer Data for Clients, Not Consumers (July 23, 2012)

In a column for The New York Times, Natasha Singer follows up on a report published last month about accessing personal data collected by database marketing companies. After filing a data request, Singer received a list of her previous residential addresses. “In other words,” she writes, “rather than learning the details about myself that marketers might use to profile and judge me, I received information I already knew.” Acxiom Chief Privacy Officer Jennifer Barrett Glasgow, CIPP/US, said the company keeps consumer information in separate databases and does not “have a search-by-name capability.” (Registration may be required to access this story.)
Full Story

BIG DATA—U.S.

Startup Helps Consumers Erase Personal Data (July 23, 2012)

The Boston Globe reports on a startup company that aims to help consumers delete personal information held about them by online websites and businesses. For an annual fee, Abine, Inc., analyzes at least 20 data sources—from sites containing basic data such as age and address to sites possessing information such as credit histories, divorce records or criminal histories—for the purpose of scrubbing the data off the Internet. Company analyst Sarah Downey said, “You’re never going to be able to completely delete yourself, but you can reduce your profile.”
Full Story

BIOMETRICS—U.S.

Security-Based Insoles Raise Tracking Concerns (July 23, 2012)

The Washington Post reports on privacy concerns surrounding the development of a biometric shoe. Carnegie Mellon University’s new Pedo-Biometrics Lab has partnered with Autonomous ID to work on shoe insoles capable of monitoring foot pressure and gait and using a microcomputer to compare the data with an individual’s master file. The shoe could be used to monitor workers at a nuclear power plant site or on special military bases. “If I put on yours, it would know almost instantly that I’m not you,” said Autonomous ID’s president. The Electronic Frontier Foundation says the bio-soles could be implanted into shoes secretly to track individuals. (Registration may be required to access this story.)
Full Story

SURVEILLANCE—U.S.

Senior Official: Unlawful Collection Remedied (July 23, 2012)

A senior U.S. intelligence official has acknowledged that U.S. agencies collecting communications under the FISA Amendments Act at times violated Americans’ right to privacy, The Washington Post reports. In a letter from the Office of the Director of National Intelligence (ODNI) to Sen. Ron Wyden (D-OR), Director of Legislative Affairs Kathleen Turner said the office has remedied concerns by the Foreign Intelligence Surveillance Court that some collection carried out by the ODNI “was unreasonable under the Fourth Amendment.” The administration wants Congress to reauthorize the 2008 statute—to expire this year—that allows the government to collect Americans’ communications with foreign targets abroad. (Registration may be required to access this story.)
Full Story

PRIVACY—U.S.

Justice Dept. Announces Privacy Enforcement Unit (July 20, 2012)
California Attorney General Kamala Harris yesterday announced the creation of the Department of Justice Privacy Enforcement and Protection Unit. The unit “will focus on protecting consumer and individual privacy through civil prosecution of state and federal privacy laws” on data collection, retention, disclosure and destruction. “I call it California Privacy 2.0--now with accountability and enforcement added,” Joanne McNabb, CIPP/US, CIPP/G, CIPP/IT, told the Daily Dashboard. McNabb is co-chair of the IAPP’s government working group and will serve as the unit’s director of privacy education and policy. Harris said, “The privacy unit will police the privacy practices of individuals and organizations to hold accountable those who misuse technology to invade the privacy of others.”

CLOUD COMPUTING—EU

EC Calls for Better Cloud Contracts (July 20, 2012)

The European Commission (EC) is calling for cloud computing firms to improve their customer contracts to avoid both privacy issues and “costly legal disputes” while boosting the cloud industry, Reuters reports. "The complexity and uncertainty of the legal framework for cloud services providers means that they often issue complex contracts...or agreements with extensive disclaimers," the EC writes in a policy paper expected to be released later this year. The EC has expressed its desire to help the cloud industry develop model agreements and “will also look into whether binding laws will be needed for cloud services,” the report states.
Full Story

PRIVACY LAW

Estonian Hacker Gets Seven Years Behind Bars (July 20, 2012)

An Estonian man has been sentenced to seven years in prison for his involvement in a global hacking operation that saw the theft of tens of millions of payment cards, SC Magazine reports. A Long Island federal court sentenced Aleksandr Suvorov, who had pleaded guilty to wire fraud conspiracy and admitted to selling 160,000 payment card numbers stolen from the Dave & Buster’s restaurant group to an undercover officer, according to the report. The ringleader of the operation, which resulted in breaches at large retailers including Hannaford Bros., TJX, BJ’s Wholesale Club and Heartland Payment Systems, was sentenced to 20 years in prison in 2010.
Full Story

ONLINE PRIVACY—U.S.

Twitter Appealing Court Order To Turn Over Tweets (July 20, 2012)

Twitter is appealing a judge’s ruling last month that the company turn over posts made by an Occupy Wall Street protester during a three-month stretch last fall. The company filed a notice of appeal in New York criminal court on July 17, Bloomberg reports. “At Twitter, we are committed to fighting for our users,” said Twitter’s legal counsel. “Accordingly, we are appealing this decision which, in our view, doesn’t strike the right balance between the rights of our users and the interests of law enforcement.” In ruling the company turn over the tweets, State Supreme Court Judge Matthew Sciarrino, Jr., said, “What you give to the public belongs to the public.”
Full Story

PRIVACY—U.S.

Lawmakers Call For Drone Safeguards (July 20, 2012)

House members at an oversight hearing this week said before civilian drones take to the skies, Congress should create safeguards to protect the public’s privacy and prevent hackers from taking control of the aircraft. The Federal Aviation Administration predicts 10,000 civilian drones will be used in the U.S. within five years, the Associated Press reports. “This is an evolving field and we have thousands of these things that could be deployed up in the sky,” said Rep. Michael McCaul (R-TX), adding, “I think it’s incumbent on the Department of Homeland Security to come up with a policy…Local law enforcement does need that guidance.”
Full Story

DATA LOSS—U.S.

BYU, Maine DHHS Report Breaches (July 20, 2012)

Officials at Brigham Young University are warning current and former students that their personal information was exposed in a June data breach, the Daily Herald reports. A university spokesperson said, “Because Social Security numbers, birth dates, addresses may have been exposed, we decided to notify students.” Meanwhile, the state of Maine’s Department of Health and Human Services director is apologizing for that department’s mishandling of the sensitive data of public assistance applicants, the Kennebec Journal reports.
Full Story

HEALTHCARE PRIVACY—U.S.

Study Shows More Effective Reporting for Devices Needed (July 20, 2012)

Researchers from Beth Israel Deaconess Medical Center, Harvard Medical School and the University of Massachusetts Amherst are warning that current mechanisms for establishing medical device safety may not be adequate for protecting privacy. According to a press release, the members of the Strategic Healthcare IT Advanced Research Projects on Security studied decades’ worth of Food and Drug Administration databases, prompting them to recommend a “more effective reporting system for medical device cybersecurity.” While wireless connectivity in medical devices improves patient care, the researchers say government should "rethink how to effectively and efficiently collect data on security and privacy problems in devices that increasingly depend on computing systems susceptible to malware."
Full Story

PERSONAL PRIVACY—U.S.

Survey: Despite Anecdotes, Americans Care About Their Privacy (July 20, 2012)

Despite the commonly heard phrase, “privacy is dead,” Americans care about their privacy and control over their information. That’s according to a recent PricewaterhouseCoopers survey indicating that though individuals are willing to share their information with companies, “they draw the line when it gets too personal,” IT World reports. The survey questioned approximately 1,000 U.S. adults on their feelings about privacy, the report states, and found individuals want to know what companies are doing with their data. The survey found the information individuals are most concerned about protecting is their medical data, their web browsing history, data stored in the cloud and their mobile phone data.
Full Story

DATA LOSS—NEW ZEALAND

Health Provider Sorry for Breach (July 20, 2012)

HealthCare New Zealand is apologizing for a breach involving the personal information of dozens of patients, which was discovered on a Merivale street recently, The New Zealand Herald reports. The patient records had been stolen from an employee’s vehicle a few weeks prior. “We’re really sorry about the event,” said HealthCare NZ Community Services Manager Scott Arrol. “It’s not the sort of thing that happens to us.” Police are investigating.
Full Story

BIOMETRICS—U.S.

Senators Raise Concerns Over Facial Recognition (July 19, 2012)
At the Senate Judiciary Subcommittee on Privacy, Technology and the Law hearing Wednesday, lawmakers pressed Facebook and law enforcement officials for answers on the use of facial recognition, AFP reports. Sen. Al Franken (D-MN) called for opt-in consent, stating, "I'm worried about how Facebook handles the choices it does give users about this technology," and Sen. Richard Blumenthal (D-CT) urged Facebook not to use facial recognition on children under the age of 13. The FBI’s Jerome Pender said while the agency has a database of 12.8 million photos, it "is committed to ensuring appropriate privacy protections are in place," the report states, and the FTC’s Maneesha Mithal noted it is studying how to regulate the commercial use of facial recognition.

ONLINE PRIVACY

YouTube Releases Facial Blurring Tool (July 19, 2012)

YouTube has released a tool allowing people to obscure faces within videos uploaded to the site, The New York Times reports. The feature aims “to help protect dissidents using video to tell their stories in countries with repressive government regimes,” the report states. “Visual anonymity in video allows people to share personal footage more widely and to speak out when they otherwise may not,” said a YouTube spokeswoman, adding that “human rights footage, in particular, opens up new risks to the people posting videos and to those filmed.” YouTube said the feature would also help protect children’s identities. (Registration may be required to access this story.)
Full Story

DATA LOSS—U.S.

Wall Street Jobseeker Site Hacked (July 19, 2012)

COMPUTERWORLD reports on a hacker who claims to have broken into ITWallStreet.com, a website for IT professionals seeking employment. The hack exposed information--including names, mailing addresses, e-mail addresses, usernames, hashed passwords and phone numbers--on thousands of jobseekers when as many as 12 data files were publicly posted. The information also included salary and bonus expectations, the report states. A spokesman for ITWallStreet.com said the company would respond to inquiries about the breach at a later date. The hacker who claimed responsibility for the breach says 50,000 accounts were compromised.
Full Story

PRIVACY LAW—U.S.

Court Dismisses Claims Against Countrywide (July 19, 2012)

Following class-action lawsuits filed against Countrywide Financial Corp. regarding a data breach, a court has dismissed data breach claims against the company. The 2008 breach involved a Countrywide employee’s theft of customer information that was then sold to third parties for $70,000. Affected customers were notified of the breach and offered two years of credit monitoring. Though subsequent class-action suits were settled, some members of the class objected to the settlement and filed a separate complaint. The court rejected the causes of action brought by the plaintiffs, essentially holding that “no out-of-pocket loss equals no recovery,” explains Venkat Balasubramani on the Technology & Marketing Law Blog.
Full Story

PRIVACY LAW—U.S.

Phone Company Fights National Security Letter in Court (July 19, 2012)

An unnamed phone company that received a National Security Letter (NSL) from the FBI last year is refusing to hand over the information requested in the letter, saying both the letter and the gag order associated with it are unconstitutional, reports The Wall Street Journal. “The legal clash represents a rare and significant test of an investigative tool strengthened by the USA PATRIOT Act,” the report states. The government in turn filed a civil suit, saying that in its refusal, the company interfered with U.S. “sovereign interests” in national security and, while it has agreed to a stay of the suit, is seeking the judge’s order to compel the company to turn over the data. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Report Recommends Legal Protections for Sharing Threat Info (July 19, 2012)

A report written by the Bipartisan Policy Center’s Homeland Security Project says many organizations do not share data with the government for fear of legal consequences, reports CNET News. The report recommends that Congress put in place protections for organizations sharing cybersecurity threat data, such as malicious IP addresses, with the government. It also recommends that state breach laws be unified into one federal law and punitive lawsuits be eliminated. The Electronic Privacy Information Center’s Marc Rotenberg opposed the report, saying it’s a step backwards in privacy law and creates immunities for companies that assist the government. “If companies don't like complying with privacy obligations, perhaps they should not collect so much personal information," he said.
Full Story

PRIVACY LAW—U.S.

Judge Dismisses Class Action Against LinkedIn (July 18, 2012)
A federal judge has dismissed a class-action lawsuit against LinkedIn for alleged violations of the Stored Communications Act (SCA), COMPUTERWORLD reports. District Judge Lucy Koh of the U.S. District Court for the Northern District of California rejected the allegations, saying the act creates liability only for remote computing services and electronic communication services. “LinkedIn is neither and therefore did not violate the SCA,” Koh wrote in her 27-page decision.

DATA PROTECTION—CHINA

State Council Releases Guide, May Help Fund Security (July 18, 2012)

The State Council has released guidelines aimed at helping government agencies, financial institutions and e-commerce companies protect consumers’ personal information, reports Global Times. The guide also suggested that the State Council would help fund the upgrade of security technologies that support digital signatures. “Since plenty of money has to be put into upgrading security systems…and the promotion of digital signature technology, I think that national financial support is necessary," said one analyst, adding that "digital signatures can provide a higher standard of protection” than passwords.
Full Story

BEHAVIORAL TARGETING—U.S.

TiVo To Buy Television Analytics Firm (July 18, 2012)

TiVo will acquire TRA, the research company that helps television advertisers understand more about viewers, The New York Times reports. TiVo President Tom Rogers said, “We believe television is at an inflection point. In the digital realm, you measure click by click and get increasingly granular information. This kind of metric has not developed well in the television space before now.” Rogers added that TRA data “gets away from the assumption of what broad demographics do and brings it down to the reality of what actual people do.” The $20 million deal will bring about an “extensive expansion of TRA’s operations,” according to the report. (Registration may be required to access this article.)
Full Story

MOBILE PRIVACY—U.S.

IAB To Extend Self-Regulation to Mobile Platform (July 18, 2012)

In a new filing with the Federal Communications Commission (FCC), the Interactive Advertising Bureau (IAB) says the online ad industry will extend privacy self-regulation to the mobile platform, MediaPost reports. The upcoming principles “will provide transparency and consumer control for precise location information, mobile multisite data and mobile cross-app data encompassing all parties in the mobile device ecosystem,” the IAB says. The filing comes in response to the FCC’s request for public comment on mobile privacy following revelations last year that a mobile analytics company was capable of logging users’ keystrokes, the report states.
Full Story

ONLINE PRIVACY—U.S.

Do We Need DNT? Will Self-Regulation Work? (July 18, 2012)

President and Senior Fellow of the Technology Policy Institute Thomas Lenard writes for The Hill’s “Congress Blog” about the ongoing debate over Do Not Track (DNT)—and whether self- or government-regulation is the way forward. While Senate Commerce Committee senior Democrats see a need for privacy legislation and the Federal Trade Commission has endorsed DNT as a concept, it is unknown what effect DNT would have on the Internet. “DNT would either prevent users’ online browsing information from being collected or prevent them from seeing ‘behavioral advertising’…Either way, DNT has the potential to strike at the heart of the Internet,” writes Lenard.
Full Story

PRIVACY LAW—U.S.

ACLU: Reasonable Suspicion Not Enough for Warrantless Searches (July 18, 2012)

In United States v. Robinson, the government says “reasonable suspicion” of wrongdoing justifies GPS tracking, an argument a federal magistrate judge recently upheld, Ars Technica reports. But the American Civil Liberties Union (ACLU) says the court should “adhere to the Supreme Court’s longstanding directive that warrantless searches are presumptively unreasonable.” The ACLU has filed an amicus brief pointing to Jones v. United States, in which nine justices agreed that Antoine Jones’s Fourth Amendment rights were violated when police placed a GPS on his Jeep without a warrant. The court did not decide at the time whether a warrant is always required for such tracking.
Full Story

PRIVACY LAW—U.S.

CFPB To Begin Supervision of Credit Reporting Firms (July 17, 2012)
The Consumer Financial Protection Bureau (CFPB) will soon begin supervising credit reporting agencies, The New York Times reports. CFPB Director Richard Cordray said this week that supervision activities—which will begin September 30—will include onsite examinations. Cordray said areas of concern for the CFPB include “the information sent to credit bureaus, the ways they assemble and hold information and ‘how difficult it is to get the errors resolved,’” the report states. Washington, DC, attorney Robert Belair told the Daily Dashboard, “The three national credit report systems are closely regulated by FCRA, which was the first comprehensive privacy statute in U.S. The FCRA reflects fair information practices and includes meaningful and comprehensive privacy protections. CFPB supervision…will not change that. The law doesn’t change. The privacy requirements don’t change. What this does is substitute the CFPB for the FTC.” (Registration may be required to access this article.)

ONLINE PRIVACY

Skype Looking Into Messaging Bug (July 17, 2012)

Skype is looking into a bug resulting in the voice-Internet service sending instant messages to unintended recipients, CNET News reports. Skype says “in rare circumstances” and stemming from an upgrade last month, users intending to send a message to one contact have found the message has been sent to another, which one user called “a serious breach of privacy.” Skype says it is investigating the matter and hopes to provide a solution soon. “We are rolling out a fix for this issue in the next few days and will notify our users to download an updated version of Skype,” a spokesperson said in an e-mailed statement.
Full Story

DATA LOSS—CANADA

Elections Ontario Reports Missing Memory Sticks (July 17, 2012)

Ontario’s Information and Privacy Commission (OIPC) has launched an investigation into the loss of personal data from the office of the province’s chief electoral officer, The Globe and Mail reports. Elections Ontario reported missing memory sticks containing as many as 2.4 million voters’ names, addresses, genders and dates of birth, among other information, to provincial police, party leaders and the OIPC. The data on the sticks is unencrypted. Ontarian Information and Privacy Commissioner Ann Cavoukian said she is “deeply disturbed” that a breach of this extent could happen at Elections Ontario and that data stored on mobile devices must be de-identified or encrypted.
Full Story

DATA THEFT—AUSTRALIA

Customer Passwords Stolen, Published (July 17, 2012)

Surfwear retailer Billabong says it is gathering information about a breach impacting customer passwords, iTNews reports. A company spokesperson said, “We view this attack as an extremely serious matter and have taken urgent action to contain the incident and prevent further attacks occurring.” Hackers published 21,485 stolen clear-text passwords and hashed passwords. “We will take further appropriate measures as new information comes to light,” the spokesperson said. Meanwhile, 3AW Radio reports that a company that went into administration earlier this year failed to protect sensitive data located in office equipment that is to be sold online.
Full Story

MOBILE PRIVACY—U.S.

Study: Consumers Don’t Yet Trust Mobile Targeting (July 17, 2012)

Direct Marketing News reports that as mobile targeting increases, consumers don’t yet trust it. That’s according to a recent online study by TRUSTe that polled more than 2,000 U.S. adult cell phone users to gain a better understanding of how consumers feel about mobile privacy policies. “Awareness of behavioral targeting has increased substantially since last year,” said TRUSTe’s vice president of mobile development, adding, “It was striking to learn that as consumers in the study became aware of behavioral targeting, over 70 percent of them did not like it and did not want to be a part of it.” Meanwhile, Forbes reports on ways wireless carriers can gain consumer trust.
Full Story

TRAVELER’S PRIVACY—U.S.

Gov’t Has Yet To Act On Scanner Regulations (July 17, 2012)

It’s been a year since a federal appeals court decision allowed the government to continue using certain body scanners at U.S. airports but required that it “act promptly” to hold hearings and publicly adopt rules and regulations on scanner use. Wired reports the Transportation Security Administration (TSA) has yet to do so, despite motions from the Electronic Privacy Information Center to the appellate court to order the TSA to take action. Jim Harper, director of information policy studies at the Cato Institute, has started a White House petition to require the Obama administration to respond on where things stand.
Full Story

MOBILE PRIVACY—U.S.

Study Finds Consumers Consider Cell Phone Data Private (July 17, 2012)

Researchers at Berkeley Law have released a study on “Mobile Phones and Privacy.” In the survey of 1,200 households, Jennifer Urban, Chris Jay Hoofnagle and Su Li looked at mobile privacy issues to inform debate “and to better understand Americans’ attitudes towards privacy in data generated by or stored on mobile phones.” The study found that “Americans overwhelmingly consider information stored on their mobile phones to be private—at least as private as information stored on their home computers,” and that they “overwhelmingly reject several types of data collection and use drawn from current business practices.”
Full Story

CHILDREN’S PRIVACY—U.S.

Questions Persist Over 12-and-Under Social Networking (July 16, 2012)
ADWEEK reports on Facebook’s response to questions from Reps. Ed Markey (D-MA) and Joe Barton (R-TX) on how it “would handle child users or if it would target advertising to them.” Facebook’s Erin Egan wrote, “At this point, we have made no final decision whether to change our current approach of prohibiting children under 13 from joining Facebook.” The company’s nine-page response highlights its current practices and notes its “policies are in compliance with the Children's Online Privacy Protection Act,” the report states. Markey has responded, “Now is the time we put children's privacy laws on the books” to ensure online companies do not violate their privacy.

PRIVACY—U.S.

DHS Seeking Committee Members (July 16, 2012)

The Department of Homeland Security (DHS) Privacy Office is seeking applicants for its Data Privacy and Integrity Advisory Committee. The committee “provides advice at the request of the secretary and the DHS chief privacy officer on programmatic, policy, operational, administrative and technological issues within DHS that relate to personally identifiable information as well as data integrity and other privacy-related matters.” Members are chosen by the secretary of the DHS and serve a three-year term. Applications will be accepted through July 23.
Full Story

DATA LOSS—U.S.

NY Comptroller’s Office Sending Notifications (July 16, 2012)

The New York Comptroller’s Office is notifying hundreds of state lawmakers and their staff that their Social Security numbers were inadvertently released to a news organization, lohud.com reports. A spokesperson for Comptroller Thomas DiNapoli said, “In response to a request from a Gannett reporter, data was provided that erroneously contained protected personal information. When the error was identified, the office…immediately contacted Gannett,” which was “highly professional and cooperated fully with our office to protect this information.” The data was posted on the news organization’s website for less than a day, the report states.
Full Story

PRIVACY LAW—U.S.

Cell Phone Search, Rights Debated in Florida (July 16, 2012)

Two Florida court cases have ruled that police act within the law when they search arrestees’ cell phones without a warrant, but some civil rights groups say they should have to demonstrate probable cause to a judge in order to conduct such searches, reports Naples News. One police spokeswoman says this is “search, incident to arrest,” not a Fourth Amendment issue, adding that with the ability to erase data remotely, in the time it takes officers to obtain a warrant arrestees could delete relevant data. In one case, a Florida appeals court expressed concern over giving law enforcement “unbridled discretion” in cell phone searches. The case is headed to the Florida Supreme Court for review.
Full Story

MOBILE PRIVACY

If It Looks Like a Duck… (July 16, 2012)

In The New York Times, Peter Maass and Megha Rajagopalan suggest that nomenclature counts when it comes to devices. Discussing the sophistication of smartphones’ tracking abilities and the uses of the data gleaned from them, Maass and Rajagopalan say, “Let’s stop calling them phones.” This is not a semantic game, the authors say. “Names matter, quite a bit. In politics and advertising, framing is regarded as essential because what you call something influences what you think about it.” So, what should we call our phones? The authors suggest “trackers,” saying, “It’s a neutral term, because it covers positive activities…and problematic ones.”
Full Story

PRIVACY LAW—U.S.

Opinion: Surveillance Reports Show Need for ECPA Reform (July 16, 2012)

An editorial in The New York Times examines recent reports of widespread cellphone surveillance by law enforcement agencies in urging action to update electronic privacy laws. “Cellphones, e-mail and online social networking have come to rule daily life, but Congress has done nothing to update federal privacy laws to better protect digital communication,” the editorial states. The editors suggest a bill introduced by Sen. Patrick Leahy (D-VT) to amend the Electronic Communications Privacy Act would do so “in important, sensible ways” and then advocate putting it before the Senate Judiciary Committee so “debate on this critical issue” may begin. (Registration may be required to access this story.)
Full Story

DATA LOSS

This Year in Breaches: Study, Monthly Highlights (July 16, 2012)

A study released by the Identity Theft Resource Center suggests that 2012 will look similar to 2011 in terms of number of data breaches, reports The Boston Globe. The study found 213 data breaches affecting 8.5 million Americans through July 2 of this year. “Systems are under nonstop attack,” says one expert, and another points to a rise in “hacktivism” as the main cause. Meanwhile, a Network World report takes a month-by-month look at some of this year’s notable international incidents including the raiding of the Megaupload site, the exposure of 228,000 Social Security numbers by Utah state agencies and the hacking of Belgian credit provider Elantis.
Full Story

PRIVACY LAW—U.S.

Frustration, Progress at First Stakeholders’ Meeting (July 13, 2012)
Participants at yesterday’s Department of Commerce (DoC) meeting aimed at developing voluntary industry codes of conduct to improve online privacy say while progress was made, there’s much to be done. The meeting was the first of many in the Obama administration’s efforts to encourage stakeholders to work together to develop the codes. In this Daily Dashboard exclusive, Christopher Wolf of Hogan Lovells and the Future of Privacy Forum and Sidley Austin’s Alan Raul opine on the meeting and what should happen next. The DoC told the Daily Dashboard the meeting was successful and it will hold its next meeting in August.

DATA PROTECTION—UK

How To Avoid Expensive Data Privacy Mistakes (July 13, 2012)

In light of recent headline-making fines from the UK Information Commissioner’s Office (ICO), experts are looking at what needs to be done to keep organizations and businesses from making expensive data privacy mistakes. In this exclusive for The Privacy Advisor, McDermott Will & Emery’s Rohan Massey discusses the importance of training and compliance. It’s critical businesses undertake a “360-degree review of their data lifecycle to establish the types of data, different processing, storage, sharing and destruction of data that takes place,” Massey writes, adding the ICO has made it clear that having a data-handling policy in place is not enough. Rather, organizations must be sure employees are aware of their legal obligations.
Full Story

PRIVACY—FRANCE

CNIL Releases 2011 Annual Report (July 13, 2012)

The Commission Nationale de L’Informatique et des Libertés (CNIL) has released its annual report for 2011. The CNIL fielded 5,738 complaints in 2011, an increase of 19 percent from 2010, and the agency adopted 1,969 decisions and deliberations, an increase of 25 percent from 2010. Also during 2011, the CNIL issued 65 notices to comply, 13 warnings, five financial fines and two acquittals. In addition, among several other initiatives, the commission directed efforts toward raising the prestige of data protection officers (CILs) within their organisations, creating and distributing a “communication kit” and requesting the French national employment agency “to register the profession of CIL in the ‘Repertoire Operationnel des Metiers.’”
Full Story

DATA LOSS—U.S.

Yahoo Breach “Wake-Up Call,” Not a Threat (July 13, 2012)

The hacker group that exposed a file containing about 450,000 Yahoo user names and passwords this week says the move was intended “as a wake-up call and not as a threat,” reports The Wall Street Journal. Yahoo says it is investigating the breach and that the compromised information belongs to Yahoo Voices, a self-publishing service. Less than five percent of the affected accounts had still-active passwords, Yahoo said, adding that it is changing affected users’ passwords. The breach also affected Gmail, AOL, Hotmail, Comcast, MSN and Verizon accounts, among others. CNET News reports on the most commonly used passwords exposed in the breach. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Privacy Groups Would Benefit from Facebook Settlement (July 13, 2012)

Wired reports on reactions to a controversial Facebook settlement over its “Sponsored Stories” feature that would see a $10 million payout in total to various privacy and consumer groups. While some groups support it, others say the settlement “does little for the privacy rights of Facebook’s 850 million users,” the report states. Jeff Chester of the Center for Digital Democracy says the settlement won’t be effective. “The proposed changes to the privacy agreement don’t serve the class,” he said. The Electronic Frontier Foundation, the Center for Democracy and Technology and the Stanford Law School Center for Internet and Society would all receive some of the settlement payout.
Full Story

DATA LOSS—U.S.

Closed Case, New Breach, Teenager Arrested (July 13, 2012)

As one breach investigation closes, others begin. Connecticut Attorney General George Jepsen has closed his office’s investigation of a breach impacting 93,500 patients, Record-Journal reports. He said the measures the hospital took to make amends prompted him to close the investigation without action. The California Department of Public Health continues to investigate the 2011 Queen of the Valley Medical Center breach. Meanwhile, Nvidia has begun investigating a breach of its developer forums, and a Kentucky restaurant is warning customers about the theft of credit card data. In Oregon, a 16-year-old has been arrested on one count of computer crime for allegedly hacking into the Eugene School District’s network.
Full Story

DATA PROTECTION—U.S.

Entrepreneur Developing “Untappable” Telco Infrastructure (July 13, 2012)

Slate reports on a New York entrepreneur’s plans for an encryption-based telecommunications provider designed to be “untappable.” Currently in development, the telecommunications infrastructure would inhibit mass surveillance by using end-to-end encryption for Web browsing and e-mail and a mobile phone service that would enable users to encrypt calls, the report states. Entrepreneur Nicholas Merrill crowd-funded almost $70,000 in donations and says he has held talks with interested venture capitalists and a few “really big companies” interested in partnering with him. In 2004, Merrill challenged the FBI when it demanded he hand over customer information from his Internet service. Merrill says privacy and cybersecurity can each be achieved with ubiquitous encryption.
Full Story

DATA THEFT

The Path of Data from Theft to Purchase (July 13, 2012)

An MSN Money report details the likely path stolen credit card information follows from hacking incident to financial loss. “There are three major types of hackers,” the report states: hacktivists; those who hack for fun and recognition, and those who are criminals looking to make money. While the first two groups may put data at risk, the third will likely sell the data to third parties. "A lot (of card numbers) wind up being sold in Internet forums," says one security expert. John Harrison of Symantec says even the people buying data on these forums may not actually use it; “local organized crime groups or other career criminals will hire people to make purchases with the stolen data.”
Full Story

SURVEILLANCE

Opinion: Drone Code of Conduct Offers Little Reassurance (July 13, 2012)

Jaikumar Vijayan writes for COMPUTERWORLD that while the Association for Unmanned Vehicle Systems International’s code of conduct for drone use acknowledges the severity of concern over the use of drones, it offers little in the way of enforceable policies. The code comes after the passing of a bill to allow more government and private drone use, but, writes Vijayan, “if the document was meant to reassure people that the drone industry is taking privacy concerns seriously, it may well have the opposite effect.” According to Vijayan, the code includes “very broad” guidelines with no explanation of “how any of this will be enforced and by whom.”
Full Story

Frustration, Progress at First Stakeholders’ Meeting (July 13, 2012)

By Angelique Carson, CIPP/US

NationalJournal reports on yesterday’s Commerce Department meeting aimed at developing voluntary industry codes of conduct to improve online privacy. The livestreamed event focused on providing consumers with more transparency as the first part of the Obama administration’s effort to encourage stakeholders to work together to develop the codes.

At the meeting, participants attending in person and those dialed in were asked to suggest focus points for the code and then to vote in order to rank priorities.

Some at the meeting expressed frustration that the event’s focus was too narrow, with the ACLU’s Chris Calabrese saying, “Discussion of mobile transparency is simply not sufficient.”

Christopher Wolf, leader of the privacy practice at Hogan Lovells and co-chair of the Future of Privacy Forum, told the Daily Dashboard that yesterday’s meeting was a great start in the process.

“Diverse views were aired and the stage was set for the real work to come. With this many interested and knowledgeable people of good will, the stage is set for progress.”

Sidley Austin’s Alan Raul said while the event was promising and the Commerce Department should be applauded, there was a “good deal of frustration as to what process will be followed to make progress,” and the National Telecommunications and Information Administration “would be well served to provide a set of expectations, a timetable and perhaps even a forum to facilitate progress.”

Raul added that the stakeholders “should now step up to identify the core facts, problems and critical issues that should be addressed in a mobile privacy code of conduct; identify possible solutions and responses; assess the costs and benefits to consumers, innovation and on competition of taking different approaches and actions; task working groups to develop and draft language for consideration by the broader group; agree on a process to ensure full consideration by the broader stakeholders group, and then proceed to elaborate a plan for adoption and implementation of the code.”

John Verdi, director of Privacy Initiatives at the Department of Commerce, said the department “appreciated the participation from stakeholders and thought the meeting was very successful. We expect to hold the next in-person meeting in August. Next week, we plan to publish the lists of discussion elements raised by the stakeholders, as well as the feedback from the non-binding polling.”...

PRIVACY LAW—U.S.

Franken To Hold Hearing on Facial Recognition (July 12, 2012)
Sen. Al Franken (D-MN) has announced a hearing to examine the privacy implications of facial recognition technology, The Hill reports. “What Facial Recognition Technology Means for Privacy and Civil Liberties” has been scheduled for Wednesday, July 18. “The dimensions of our faces are as unique to us as our fingerprints,” said Franken. “And right now, technology exists that gives the government and companies the ability to figure out your name and other personal information about you with nothing more than a photograph.” He added that the hearing will examine “what this new technology means for our privacy and if our current laws are doing enough to protect Americans.”

PRIVACY LAW—U.S.

Judge Cancels “Sponsored Stories” Settlement Hearing (July 12, 2012)

U.S. District Judge Lucy Koh has recused herself from overseeing the proposed settlement in a class-action filed over Facebook’s “Sponsored Stories” feature, canceling a hearing in which the social network was seeking the settlement’s final approval, Bloomberg reports. Under the proposed agreement, Facebook would pay $10 million to multiple advocacy groups and revise its terms of use to include options for users to limit the display of their content and actions with the Sponsored Stories. A Facebook spokesman declined to comment on Koh’s decision, and Koh has not given a reason for her recusal, the report states.
Full Story

PRIVACY LAW—U.S.

CA Healthcare Amendment Reaches Possible Compromise (July 12, 2012)

The executive director of the Consumer Federation of California says a compromise worked out at a Tuesday Senate committee hearing is sufficient for the organization to take a “neutral” stance on the bill, reports Modern Healthcare. The compromise would restore “judicial discretion in levying fines even in cases where an entity meets all of the statutory affirmative defenses” in California’s Confidentiality of Medical Information Act. The contested amendment would have given providers “affirmative defenses” against civil suits, such as proof they had taken steps to avoid future breaches, but that met resistance from eight groups claiming the amendment would “immunize healthcare corporations” from civil suits after a breach. (Registration may be required to access this story.)
Full Story

MOBILE PRIVACY

Study: 61 Percent of Apps Have Privacy Policies (July 12, 2012)

A study of mobile applications released yesterday by the Future of Privacy Forum (FPF) has shown that, in all categories and platforms studied, the prevalence of privacy policies has risen since last September--with the number of free apps through the iOS App Store with privacy policies doubling, reports AD WEEK. Today, the first meeting aimed at developing an enforceable privacy code of conduct based on the Commerce Department’s privacy report will take place, and FPF founder Jules Polonetsky, CIPP/US, hopes the study will factor into the conversation, the report states. "The saber-rattling by the regulators is driving a real response," Polonetsky said, adding, the study shows apps “are pretty nimble when they get the message."
Full Story

PRIVACY LAW—U.S.

Internet Service Looks To Settle Class-Action (July 12, 2012)

Attorneys in a class-action lawsuit against an Austin-based Internet service are working toward a settlement, the Austin American-Statesman reports. Last year, Stratfor, Inc., experienced a breach involving thousands of customer records including credit card numbers. The class-action lawsuit was filed in January in federal court in New York, the report states, and sought more than $50 million in damages on behalf of the more than 800,000 individuals potentially affected by the breach. Those affected have until August 15 to join the settlement class. In March, the Federal Bureau of Investigation arrested members of hacker group LulzSec, which it believes was responsible for the Stratfor hack.
Full Story

PRIVACY LAW—U.S.

Healthcare Law Trial Set for October (July 12, 2012)

A Mississippi federal judge has scheduled an October trial in a suit claiming the Obama administration's healthcare law “violates individual privacy rights by forcing citizens to buy insurance,” the Associated Press reports. While the U.S. Supreme Court issued a ruling last month that upheld most of the law, the report notes that the Mississippi suit, which was filed in 2010, claims privacy rights violations “because it would force citizens to disclose medical information to insurance companies when they are forced to purchase policies.” Although a specific date has not been set for the October trial, a pretrial conference is scheduled for August 10.
Full Story

BIG DATA

Privacy, Economics and “Do Not Collect” (July 12, 2012)

Examining the difference between the low cost of paying a company to find someone online versus the higher costs associated with companies that help people “hide from the Internet,” a paidContent report questions whether the time has come for a “do not collect” law. While suggesting “the ‘pay for privacy’ approach doesn’t acknowledge the new economic imbalance in which personal data is cheap and anonymity is expensive,” the report also questions whether a “do not collect” system “would be enough to put the data genie back in the bottle.”
Full Story

SOCIAL NETWORKING

New Read Receipt Feature, “Useful” or “Sketchy”? (July 12, 2012)

Facebook is rolling out a new feature that alerts users to how many times their posts have been viewed and by whom, reports TechCrunch. Josh Constine writes that while in group communications this feature will be useful, if it were to show up in users’ news feeds, it “could make publishing feel like a contest.” Facebook says it is “not going to discuss what we might (or might not) do in the future.” But Constine recommends the network confine “read receipts” to “groups as a collaboration tool, not in the news feed as a sign of who’s most popular, and who’s quietly watching you.”
Full Story

PRIVACY LAW—U.S.

Hawaii Harmonizes Medical Records Laws (July 11, 2012)
Hawaii Gov. Neil Abercrombie has signed into law a bill that brings the state’s patient privacy laws into compliance with the federal Health Insurance Portability and Accountability Act, Pacific Business News reports. The new law harmonizes more than 50 existing state laws on the use of personal healthcare records, the report states. “This is an excellent legislative step to guarantee consistent protection for patient information and also to ensure that varying and often inconsistent state laws do not create confusion and unnecessary complications to the detriment of both patients and the healthcare industry,” said Wiley Rein’s Kirk Nahra, CIPP/US.

PRIVACY LAW—FRANCE

CNIL Says Google Report Due in September (July 11, 2012)

The French data protection authority (CNIL) says it will release a report to European regulators on Google’s changes to its privacy policies by early September, Bloomberg reports. CNIL’s Isabelle Falque-Pierrotin said Google’s responses to the authority’s inquiry came in about two weeks late, which is delaying the report, and added the company’s answers “weren’t entirely satisfactory.” The two entities have been “engaged in extremely close discussions,” Falque-Pierrotin said. Google Global Privacy Counsel Peter Fleischer said in his June 21 response to CNIL that the company’s “new simple, easy-to-read privacy policy” is “in compliance with European data protection principles.”
Full Story

ONLINE PRIVACY—U.S.

Study Shows Two-Thirds Against Data Sharing Plans (July 11, 2012)

Amidst government efforts toward more information sharing, a poll has found that 63 percent of respondents believe government and businesses should not share data, citing civil liberty and privacy concerns, reports National Journal. The Congressional Connection Poll, conducted by Princeton Survey Research Associates International, surveyed 1,004 adults and showed that most respondents think businesses should be able to set their own cybersecurity standards, with just 36 percent saying the government should be able to require businesses to meet certain security criteria. Meanwhile, Congress has passed the Cyber Intelligence Sharing and Protection Act and some Senate committees are pushing for the Cybersecurity Act of 2012, which would allow the Department of Homeland Security to set security standards for certain networks.
Full Story

PRIVACY—UK

MPs Question ICO on Employee’s Move to Google (July 11, 2012)

A freedom of information request has revealed that the former strategic liaison group manager for government and society at the Information Commissioner’s Office (ICO) is now a privacy policy manager at Google, causing Member of Parliament Robert Halfon to question the ICO’s legitimacy, reports The Inquirer. The ICO has been criticized for its Google Street View investigation, and the staffing change has Halfon urging “the government to consider whether the public can continue to have confidence in the ICO.” The ICO has said the employee played no part in the Google investigation and continues to be “legally bound by a confidentiality agreement…as part of the Data Protection Act.”
Full Story

DATA PROTECTION—UK

Study: British Public Skeptical of Companies’ Data Uses (July 11, 2012)

The Wall Street Journal reports the British public is “deeply skeptical of companies collecting personal data” and “does not trust companies to safeguard that data.” That’s according to the Data Nation 2012 study, which found that the number of people opposing data collection “overwhelmingly” outnumber those who support it. The report also found that 82 percent of those surveyed realize their data is being collected, but only 29 percent are confident companies won’t surreptitiously share their data with third parties. Respondents said the top two reasons why they’d stop using a service would be if the company failed to protect their data or sold anonymized data. (Registration may be required to access this story.)
Full Story

TRAVELER’S PRIVACY—UK

Reactions Mixed on Airline’s “Image Search” Plans (July 11, 2012)

British Airways has been facing a backlash from privacy campaigners following the unveiling of its “Know Me” program, which will search Google images to identify passengers as they exit plane terminals to provide “a more personal touch.” Big Brother Watch has said, “If British Airways wants more information about us, they can ask us for it rather than ignoring people’s privacy,” and a PCWorld report suggests a similar change to the plan. “A better way might be to let people opt in,” the report states, noting, “Using Google for image search is also a slippery slope that could lead to broader Internet data mining.”
Full Story

ONLINE PRIVACY—U.S.

Google Close To Settling with FTC (July 10, 2012)
The Wall Street Journal reports that Google is close to settling with the Federal Trade Commission (FTC) to the tune of $22.5 million on charges alleging it bypassed millions of Apple users’ privacy settings. The fine would be the largest ever handed down against a single company by the FTC. The charges involve Google’s use of cookies to track users’ online movements despite settings indicating they did not wish to be tracked. Google said the tracking was inadvertent and didn’t harm consumers. It has since removed the cookies. A group of state attorneys general continues to investigate the case. (Registration may be required to access this story.)

SOCIAL NETWORKING—IRELAND

DPC Officials Following Up on Audit (July 10, 2012)

The Irish Times reports on a visit from the Office of the Data Protection Commissioner (DPC) to Facebook’s headquarters in Dublin “in a follow-up to a major audit of the company’s privacy policies and use of customer data.” The DPC is holding a formal review following Facebook’s agreement to make changes to its privacy policy and the way it retains user data, the report states. Deputy Data Protection Commissioner Gary Davis described last year’s Facebook audit as “the most comprehensive and detailed” ever undertaken by the DPC. A Facebook spokesman said the company has been keeping the DPC “closely informed” as it implements the audit’s recommendations.
Full Story

EMPLOYEE PRIVACY—FRANCE

Company Fined €10,000 For Withholding Employee Data (July 10, 2012)

The French data protection agency (CNIL) has fined a regional water utility €10,000 for failing to hand over GPS tracking data to an employee who was attempting to prove that he had been the victim of a workplace accident, reports PCWorld. The man reported the company to the CNIL after waiting 11 weeks for a response; the CNIL then sent four requests over the next six months and a formal notice to hand over the data, to no avail. The CNIL’s ruling stated, "Through its stalling tactics, the company took the risk of depriving the plaintiff of the possibility of accessing data, the storage of which was only guaranteed for six months after its recording."
Full Story

HEALTHCARE PRIVACY—U.S.

TRICARE Suits Consolidated (July 10, 2012)

The U.S. Judicial Panel for Multidistrict Litigation has consolidated eight civil lawsuits to the U.S. District Court for DC following a security breach of computer tapes, the Washington Business Journal reports. The June 27 decision combines five actions in DC and actions in the Northern District of California, the Southern District of California and the Western District of Texas. The actions were in response to the TRICARE breach of September 2011 in which computer tapes were stolen from an employee of Science Applications International Corp., which manages TRICARE military healthcare insurance.
Full Story

DATA RETENTION—AUSTRALIA

Gov’t Telecomm Inquiry Begins, Committee Seeks Public Opinion (July 10, 2012)

Following up on Attorney General (AG) Nicola Roxon’s request for a review of the Telecommunications (Interception and Access) Act 1979, the Joint Parliamentary Committee on Intelligence and Security has launched its investigation, reports ZDNet. The AG’s department published a discussion paper outlining the proposals put to the committee, which is currently seeking public opinion on data retention and whether the law should be amended to require telecommunication companies to hold certain consumer data for two years. “As Australia’s telecommunications landscape continues to evolve, it is appropriate and timely to consider how best to manage risks to the data carried and stored on our telecommunications infrastructure to secure its availability and integrity in the long term,” said the department.
Full Story

MOBILE PRIVACY—U.S.

Firm: Ads Most Prevalent Issue; New Ad Targeting Launched (July 10, 2012)

Mobile security firm LookOut says some advertising networks have started to “secretly collect app users' contacts or whereabouts and could now have access to 80 million smartphones globally,” Reuters reports. LookOut’s technology chief said aggressive ad networks are “much more prevalent than malicious applications” and the “most prevalent mobile privacy issue that exists.” Meanwhile, The Wall Street Journal reports on Facebook’s launch of a new type of mobile advertising targeting consumers based on which apps they use, suggesting the company is “pushing the limits of how companies track what people do on their phones.”
Full Story

PRIVACY LAW—GERMANY

German Gov’t Considers Amending Data Sharing Bill (July 9, 2012)
The German government is likely to change a controversial law that allows government offices to sell personal information to marketing companies, SPIEGEL reports. The government passed the bill last month, but a spokesman says it's likely Parliament will amend it following protests from data protection rights groups and politicians who are concerned with individuals' lack of privacy under the measure and the way in which it was passed. The bill allows individuals to opt out of having their information sold to third parties, but Schleswig-Holstein Data Protection Commissioner Thilo Weichert has called it "legal madness." If not overturned, the bill will go into effect in 2014.

PRIVACY LAW—EU

ENISA Says Proposal Could Have Negative Impact on Breach Prevention (July 9, 2012)

A new report from the European Network and Information Security Agency (ENISA) says proposed EU regulations that would require Internet firms to quickly report data breaches could lead companies to focus on "symptoms rather than causes of cybersecurity vulnerabilities if not augmented by other regulations," FierceGovernmentIT reports. In a June report, the Justice and Fundamental Rights Directorate General proposed updating existing regulations to require breaches be reported to government supervisory entities within 24 hours. But "like many other areas of regulatory intervention," the proposal "addresses the symptoms and not the cause of cybersecurity problems," ENISA says.
Full Story  

DATA THEFT—AUSTRALIA

Legitimately Collected Data Sold to Fraudsters (July 9, 2012)

The Australian Crime Commission (ACC) has released a report that estimates 2,600 Australians have been duped out of $113 million in the past five years by criminals buying data collected through legitimate methods, such as surveys or competitions, reports COMPUTERWORLD. "Armed with information such as income, superannuation, mortgage and investment details of individuals, organized criminal networks are able to identify those most susceptible to particular schemes," says the ACC report. The ACC also released a list of recommendations to avoid becoming a victim of this kind of crime, including checking the licensing of the company, seeking independent advice before investing money and hanging up on unsolicited calls offering overseas investments.
Full Story 

MOBILE PRIVACY—U.S.

Carriers: 1.3 Million Demands for Subscriber Data Received (July 9, 2012)

In response to a congressional inquiry, nine mobile phone carriers have indicated they responded to 1.3 million law enforcement demands for subscriber information, The New York Times reports. The carriers have stated they hand over "records thousands of times a day in response to police emergencies, court orders, law enforcement subpoenas and other requests," the report states. Rep. Edward Markey (D-MA), who requested the reports from the carriers, said, "I never expected it to be this massive." Meanwhile, the ACLU's Chris Calabrese cautioned, "The standards are really all over the place" when it comes to mobile phone surveillance. (Registration may be required to access this story.)
Full Story  

PRIVACY LAW—EU & INDIA

India Seeks “Secure” Status for Deal with EU (July 9, 2012)

The Economic Times reports on the EU's study of India's data protection laws in deciding on its commitment in the bilateral free trade agreement being negotiated between the two. The chief executive of the Data Security Council of India, Kamlesh Bajaj, says the country is "data secure" even if its data protection law is worded differently than the EU directive. The country amended its Information Technology Act to be compliant with EU standards four years ago. "If India is given a data secure status, not only will Indian firms save on costs, but EU companies will also have increased confidence in doing business here," Bajaj says.
Full Story  

TRAVELER’S PRIVACY

WiFi-Enabled Cars Can Connect Through Algorithm (July 9, 2012)

Researchers from the Massachusetts Institute of Technology, Georgetown University and the National University of Singapore have developed an algorithm allowing WiFi-connected cars to automatically share Internet connections and data, reports MediaPost. The algorithm would collect data from many cars through a few cars that would then upload it to the Internet--so, by design, data from one car will pass through a nearby car on its way to the Internet--causing the author to opine, "Privacy experts should have a field day with this one." The plan would save consumers money by sharing a 3G connection; however, the author warns of risks of viruses, corrupt data and theft.
Full Story 

PRIVACY LAW—U.S.

Judge Approves Netflix Class-Action Settlement (July 6, 2012)
A federal judge has given preliminary approval to a $9 million class-action lawsuit filed against Netflix, Reuters reports. U.S. District Judge Edward Davila said the accord that was reached last February "compares favorably" to other recent consumer privacy settlements. Davila also certified a class of current and former Netflix subscribers, which is estimated in the tens of millions, the report states. A hearing is set to be held on December 5 to consider final approval.

PRIVACY LAW—U.S.

Proposed Breach Bill Garners Support, Caution (July 6, 2012)

CSO reports on reaction to the recently proposed Senate breach notification bill. Introduced by Sen. Pat Toomey (R-PA) and co-sponsored by four additional senators, the Data Security and Breach Notification Act of 2012 would set a national standard for breach notification preempting the 46 existing state laws. A representative from InfosecStuff applauded the bill, saying it "will make compliance easier for most businesses." Taos consultant James Arlen said the standard is "absolutely" necessary but expressed trepidation because he said the bill lacks data protection and notification deadline specifics, adding, "I'd suggest that there be some regulation around what is acceptable for encryption."
Full Story 

MOBILE PRIVACY

Companies Remove Trojan Spamming App (July 6, 2012)

Apple and Google have removed the Find and Call app from stores after it was discovered by Kaspersky Lab the app would capture users' phone book contacts and use them as spam targets, CNET News reports. The app required users to register their e-mail addresses and phone numbers and offered to find friends from the users' contacts. Sent to a remote server, the users' contacts would then receive a text message appearing to come from the friend that would include links to download the malware. "In other words," Kaspersky Lab said, "people will receive an SMS spam message from a trusted source." Apple said the app was "a violation of App Store guidelines."
Full Story 

MOBILE PRIVACY—U.S.

NTIA To Accommodate Remote Stakeholders, Not Enough, Say Some (July 6, 2012)

After several advocacy groups expressed concern they would not be able to appropriately participate in stakeholder meetings on mobile privacy, the National Telecommunications and Information Administration (NTIA) has said it will have staffers act as proxies for groups not able to attend in person, Multichannel News reports. The American Civil Liberties Union, Center for Digital Democracy and Consumers Union say that is not enough, the report states. An NTIA spokesman said it is "working to ensure that all stakeholders...are able to participate meaningfully in the July 12" meeting, adding the NTIA will "continue to evaluate how to ensure robust participation by all stakeholders."
Full Story 

HEALTHCARE PRIVACY—U.S.

Hospital Asks Patients To Opt In (July 6, 2012)

The CIO at Beth Israel Deaconess Medical Center (BIDMC) in Massachusetts recently announced the center will have all of its 1,800 affiliated ambulatory care providers ask patients "to opt in for data sharing among the clinicians coordinating their care," InformationWeek reports. Massachusetts law requires opt-in consent for information exchange, but BIDMC has elected to use "opt in to disclosure," says CIO John Halamka. The opt in would allow data exchange within BIDMC but also with other providers, and patients who opt in now would be allowed to opt out later. The statewide health information exchange is moving in the same direction, Halamka says.
Full Story

ONLINE PRIVACY—U.S.

Felten: Privacy by Design Via Frequency Capping (July 6, 2012)

In his latest blog post, Federal Trade Commission Chief Technologist Ed Felten discusses Privacy by Design's principle of data minimization by demonstrating how it can be implemented in a common ad network practice. Frequency capping, the practice of tracking consumers by third parties in order to ensure consumers see targeted ads no more than a set number of times, is an approach that "works, but it gathers a lot of data." Felten offers two alternatives to minimize the data collected. One solution is to move information storage from company computers to clients' computers, while the other is to store information on the ad network's servers.
Full Story 

SURVEILLANCE

Body-Scanning Vans Spark Concerns (July 6, 2012)

American Science & Engineering has introduced Z Backscatter Vans (ZBVs) capable of scanning nearby cars for explosives, drugs and people, Mashable reports, questioning, “Is roving, body-scanning van a needed surveillance tool or another step toward eroding personal privacy?” With more than 500 of the vans already sold to government agencies around the world, privacy advocates are raising concerns. When it comes to ZBVs, one privacy expert asserts that “from a privacy perspective, it’s one of the most intrusive technologies conceivable.”
Full Story

PRIVACY LAW—UK

ICO Levies £150,000 Fine Following Breach (July 5, 2012)

Out-Law.com reports on the Information Commissioner’s Office (ICO) fining Welcome Financial Services Limited (WFSL) £150,000--its highest penalty to date--following the loss of about half a million customer records. Customer names, addresses, phone numbers, dates of birth and loan account information “had been stored on two unencrypted backup tapes that the company used to log its daily business activity,” the report states, noting WFSL discovered the tapes were "unaccounted for" last November. The ICO reported receiving 26 formal complaints about the incident.
Full Story

PRIVACY LAW—EU

European Parliament Axes ACTA (July 5, 2012)

Members of the European Parliament (MEPs) voted Wednesday to reject the Anti-Counterfeiting Trade Agreement (ACTA), COMPUTERWORLD reports. The vote, 478 against and 39 for ACTA, means the agreement cannot become law in the EU. After ACTA was signed in January, civil liberties and digital rights groups across the continent protested that the law would allow Internet service providers to police users, breaching users' right to privacy and leading to censorship. The European Court of Justice will still review whether ACTA is compatible with EU law, "but this is now an academic exercise," the report states. One MEP said, "No emergency surgery, no transplant, no long period of recuperations is going to save ACTA."

DATA PROTECTION—UK

ICO Releases Annual Report (July 5, 2012)

As his office releases its annual report, Information Commissioner Christopher Graham warns that organizations are learning the hard way of the consequences of mishandling personal information, SC Magazine reports. The office says it has issued 21 civil monetary penalties since it was granted the power to do so. "Over the past year, the ICO has bared its teeth and has taken effective action to punish organizations, many of which have shown a cavalier attitude to looking after people's personal information," Graham said, adding he hopes the penalties "send a clear message."
Full Story

PRIVACY LAW—CHINA

Police Push For Personal Data Theft Law (July 5, 2012)

ZDNet reports on a push by China's police force for a more regulated and better defined law involving the theft of personal data. According to Ministry of Public Security Deputy Director of the Criminal Investigation Department Liao Jinrong, existing laws make it difficult for law enforcement to secure convictions because they lack specificity. Jinrong said the Ministry of Public Security is currently negotiating with the country's Supreme People's Procuratorate and Supreme People's Court for the new personal data legislation.
Full Story  

PRIVACY LAW—SOUTH KOREA

Gov’t May Take Action Against Search Engine (July 5, 2012)

South Korea's Personal Information Protection Commission says it will file further complaints against Google's Korean subsidiary unless it complies with the commission's request that it improve its privacy policy, The Korea Times reports. The commission can fine Google one percent of its annual proceeds or seek criminal charges, the report states, noting Google failed to comply with the commission's request last month to make three changes to its policy regarding combining users' personal information across 60 of its services, user consent for data storage and the length of data retention. Meanwhile, Forbes reports on "Google Now," a feature that combines user data across platforms to make suggestions.
Full Story  

PRIVACY LAW—U.S.

Acts Would Limit Debt Collector Data Access, Limit Patient Damage Awards (July 5, 2012)

Sen. Al Franken (D-MN) has introduced an act that would limit the access debt collectors can have to hospital patients while California lawmakers could soon weaken a privacy law on patient medical records. HealthLeadersMedia reports on Franken's bill, which follows hearings he held on the debt-collection practices of Accretive Health, Inc., and Minnesota Attorney General Lori Swanson's allegations that they violated patient privacy and debt collection laws. Meanwhile, California's AB 439 would "exempt healthcare corporations that commit significant privacy violations from damage awards if they can provide an 'affirmative defense' when sued by patients," California Healthline reports. Consumer privacy groups oppose the bill.
Full Story 

PRIVACY LAW—HONG KONG

A Q&A with Commissioner Allan Chiang (July 5, 2012)

In this exclusive for The Privacy Advisor, Hong Kong Privacy Commissioner for Personal Data Allan Chiang offers insight into the work of his office, the types of complaints received and the importance of enforcers having the ability to impose sanctions in the event of a breach. In the past year alone, Chiang's office has received nearly 1,500 personal data complaints, but Chiang adds that the existing provisions under the Personal Data (Privacy) Ordinance "are inadequate in safeguarding personal data protection." Chiang shares six amendments to the ordinance that "are expected to pass shortly" and discusses his office's consumer education initiatives. (Must be an IAPP member and logged in to view.)
Full Story 

ONLINE PRIVACY—U.S.

Declaration of Internet Freedom Draws Mixed Reactions (July 5, 2012)

An editorial in The Christian Science Monitor reports on a new "Declaration of Internet Freedom," endorsed by more than 20,000 groups or individuals thus far. Mozilla, Amnesty International, Reporters Without Borders, the Electronic Frontier Foundation and the American Civil Liberties Union support the document, which opposes Internet censorship, encourages universal access, openness and innovation and advocates for privacy, the report states, adding that a discussion on such topics is "badly needed." But Elie Mystal opines in Forbes that the document fails to define key terms and therefore "is devoid of anything approaching a coherent articulation of the rights of 'the Internet' or anybody else."
Full Story  

PRIVACY LAW—U.S.

Court Orders Twitter To Release Protester’s Tweets (July 3, 2012)

A judge has ruled Twitter must turn over the posts made by an Occupy Wall Street protester during a three-month stretch last fall, the Associated Press reports. Manhattan Criminal Court Judge Matthew A. Sciarrino, Jr., also decided he would review the posts, providing only "relevant portions" to prosecutors. Twitter called the judgment disappointing and is considering its next move, adding, "We continue to have a steadfast commitment to our users and their rights." Meanwhile, Twitter released its first transparency report, which revealed that 80 percent of law enforcement requests for user data stem from American agencies. According to the company, "We've received more government requests in the first half of 2012...than in the entirety of 2011."

CLOUD COMPUTING—EU

Article 29 Working Party Releases Cloud Opinion (July 3, 2012)

The Article 29 Working Party has released an opinion on cloud computing that outlines data protection risks, particularly "a lack of control over personal data" and the "unavailability of a common global data portability framework." The opinion warns that "a lack of transparency in terms of the information a controller is able to provide to a data subject on how their personal data is processed is highlighted...as a matter of serious concern." For the group, "A key conclusion...is that businesses and administrations wishing to use cloud computing should conduct, as a first step, a comprehensive and thorough risk analysis" and a cloud client "should select a cloud provider that guarantees compliance with EU data protection legislation." Editor's note: Tools and templates for conducting risk assessments are available on the IAPP Resource Center.
Full Story 

PRIVACY—U.S.

The FTC and Its Enforcement Efforts (July 3, 2012)

Forbes reports on U.S. privacy protection efforts, which rest "on a stool with three enforcement legs"--class-action lawyers, the Federal Trade Commission and attorneys general, who are starting to think of themselves as the "Internet police," according to their national association's president, Doug Gansler. The FTC recently responded to a report criticizing the agency by stating on Twitter that it "has brought 39 cases on data security breaches," 16 alleging COPPA violations and more than 100 involving spam and spyware. Meanwhile, Network World reports on consumer data protection rights following the FTC's $800,000 fine against data broker Spokeo. Editor's note: The IAPP recently spoke with Attorney General Doug Gansler on AGs' role as privacy enforcers in this exclusive for The Privacy Advisor.
Full Story 

PRIVACY LAW—U.S.

Vermont Updates Breach Notification Law (July 3, 2012)

In this exclusive for The Privacy Advisor, Mintz Levin's Cynthia Larose, CIPP/US, and Amy Malone report on Vermont's updates to its data breach notification law, which became effective May 8. The biggest change is in the notification requirements, the report states, which now require consumers be notified of a breach incident no later than 45 days after its discovery and be informed of the date the breach occurred. The Vermont attorney general must be notified within 14 business days after a breach discovery or of consumer notice. Act 109 "also adopts the industry standard label of PII...and changes the definition of security breach," the report states. (Must be an IAPP member and logged in to view.)
Full Story 

SURVEILLANCE—U.S.

Drone Industry Group Releases Codes of Conduct (July 3, 2012)

The Associated Press reports on the release of the drone industry's first code of conduct. To quell growing privacy concerns, the Association for Unmanned Vehicle Systems International said its recommendations for "safe, non-intrusive operation" are signposts for operators and will "respect the privacy of individuals" while following all federal, state and local laws. The guidelines will also ensure that pilots are properly trained. The American Civil Liberties Union's Chris Calabrese credited the group for its codes but warned the guidelines are not legally binding. "I think Congress needs to step in," said Calabrese, adding the technology is "potentially incredibly invasive."
Full Story 

PRIVACY—U.S.

Groups Ask for More Accessible Stakeholder Meetings (July 3, 2012)

A dozen privacy and consumer advocate groups have written to the Commerce Department's National Telecommunications and Information Administration asking for greater access to meetings on designing new online privacy protections, National Journal reports. The groups say those who are not located in Washington, DC, may not have access to such meetings and ask that the meetings employ technology that would allow greater remote access. "For the multi-stakeholder process to have any chance of success, it must include meaningful remote participation based on robust, two-way communication. To do less is to deny a real voice in the process for civil society," the groups wrote.
Full Story

BIG DATA

The E-Book’s Two-Way Mirror (July 3, 2012)

The Wall Street Journal reports on the rise of big data analytics on consumers' e-reading habits by publishers, providing "a glimpse into the story behind the sales figures, revealing not only how many people buy particular books but how intensely they read them." Now that publishers are employing e-reader data analytics, the formerly private act of reading is becoming "something measurable and quasi-public," the report states. The U.S.-based Electronic Frontier Foundation argues that readers should have the right to opt out of being tracked by publishers, adding, "There's a societal ideal that what you read is nobody else's business." (Registration may be required to access this story.)
Full Story 

CLOUD COMPUTING—EU

Regulatory Group Set To Endorse Cloud Practices (July 2, 2012)

The New York Times reports the European Commission's Article 29 Working Party is set to endorse cloud computing as legal under the continent's privacy framework. According to the report, the group will recommend that large businesses and organizations police themselves to ensure that personal data is protected in remote locations. The Article 29 Working Party will also reportedly note that cloud computing will encourage innovation and promote economic efficiency, reflecting a new approach by European officials. A representative from a cloud service provider said he hopes the recommendations "will allow people to take advantage of the technology...in a controlled way." (Registration may be required to access this story.)

PRIVACY LAW—HONG KONG

Council Passes Data Privacy Bill (July 2, 2012)

The Hong Kong Legislative Council has passed the Personal Data (Privacy) Amendment Bill, Privacy Asia reports. The bill creates requirements for personal data in direct marketing as well as in its transfer and sale to third parties. The bill also empowers the privacy commissioner to "provide legal assistance to individuals to seek compensation from companies and organizations if there is a breach" of the data protection ordinance and "imposes heavier penalties for repeated contraventions of enforcement notices and a new penalty for repeated contravention of requirements under the Personal Data (Privacy) Ordinance where enforcement notices have been served," the report states.
Full Story

PRIVACY LAW—U.S.

Lawmakers Disagree on How To Legislate Cybersecurity (July 2, 2012)

Sen. Harry Reid (D-NV) has said cybersecurity legislation is critical and that he will push for a vote by July. But lawmakers continue to disagree on the government's role in legislating the Internet, The Hill reports. Although the House passed the Cyber Intelligence Sharing and Protection Act (CISPA) in April, the Obama administration and a group of senators have endorsed the Cybersecurity Act instead, arguing CISPA would undermine privacy. Privacy groups including the American Civil Liberties Union and the Center for Democracy and Technology are pushing for stronger privacy safeguards within the Cybersecurity Act while Senate Republicans are pushing their own Secure IT Act.
Full Story

Editor’s Note: This October, Global Privacy and Public Policy Officer of Acxiom Corporation Jennifer Barrett Glasgow, CIPP/US, will discuss how you can impact privacy legislation in the breakout session The CPO as Thought Leader, Influencing Legislation in the U.S. and Abroad at the IAPP Privacy Academy 2012 in San Jose, CA.

PRIVACY LAW—U.S.

Class-Action Suits Filed Over E-mail Concerns (July 2, 2012)

ABC News reports on two class-action lawsuits filed against Google and Yahoo in California alleging the companies illegally intercept communications from non-Gmail and Yahoo e-mail users without their knowledge or consent. The plaintiffs' lawyer said his clients noticed that ads within their e-mail browsers correlated with their incoming messages. "The invasion of privacy by wiretapping or, in the alternative, eavesdropping, caused by...use of such devices seriously threatens the exercise of personal liberties," state the plaintiffs' lawyers. Meanwhile, Cisco Systems says a warning in its terms of service that caused privacy concerns was a mistake and it will change the language on its website.
Full Story

ONLINE PRIVACY—U.S.

State Removes Millions of Public Court Records (July 2, 2012)

The state of Pennsylvania has taken down millions of public records from a court system website, prompting a debate over privacy and availability, the Associated Press reports. According to state officials, electronic copies are being treated like paper ones, which are destroyed after a set period of time. Removed records include minor violations such as traffic offenses, landlord-tenant disputes and small lawsuits, while serious crimes remain public. A state court representative said the removal is consistent with the Pennsylvania Supreme Court's guidelines. The key is protecting the privacy of individuals involved, he added. Others criticize the move, saying it makes finding public data more difficult.
Full Story

TRAVELERS’ PRIVACY—CANADA & U.S.

OPC: Border Agreement Threatens Canadians’ Privacy (July 2, 2012)

Canadian Assistant Privacy Commissioner Chantal Bernier has said that the 12-point Canada-U.S. privacy charter contains some fundamental building blocks for privacy but falls short of the federal privacy commissioner's standards, The Globe and Mail reports. One main concern, according to Bernier, is that the principles are nonbinding. "We were hoping for greater control for Canada on the personal information it holds," she said. The border security agreement was struck last year between the Obama and Harper administrations.     
Full Story

PRIVACY LAW—U.S.

States Act On, Consider Social Media Laws (July 2, 2012)

Coming on the heels of Maryland's recent decision to enact a law restricting employers from asking employees or job applicants for social media passwords, a Pennsylvania legislator is calling for a similar law in that state. Meanwhile, the Associated Press reports that Delaware legislators "have given final approval to a bill prohibiting universities and colleges in Delaware from requiring that students or applicants for enrollment provide their social networking login information." The bill also prohibits "requesting that a student or applicant log onto a social networking site so that school officials can access the site profile or account."
Full Story