Privacy News | Daily Dashboard

Breaking news. In-depth articles. Global coverage.

Save time searching the headlines for privacy news in the media. Get the latest breaking privacy and data protection news from around the globe all in one place—The Daily Dashboard. Our FREE daily e-newsletter summarizes the day’s top privacy stories with links to the full articles—sent directly to your desktop each weekday!


Top Privacy News

CHILDREN’S PRIVACY—U.S.

COPPA Rules May Be Strengthened (September 28, 2012)

The New York Times reports on expected changes to COPPA. Federal Trade Commission Advertising Practices Division Associate Director Mary K. Engle said, “Today, almost every child has a computer in his pocket, and it’s that much harder for parents to monitor what their kids are doing online, who they are interacting with and what information they are sharing…The concern is a lot of this may be going on without anybody’s knowledge.” The proposed changes could increase requirements for companies to gain parental consent, the report states. Interactive Advertising Bureau General Counsel Mike Zaneis questioned whether a “wholesale change of the law” is necessary, adding, “The answer is no. It is working very well.” (Registration may be required to access this story.)

PRIVACY LAW—U.S.

CA Signs Two Social Media Privacy Bills Into Law (September 28, 2012)

California Gov. Jerry Brown has signed two social media privacy bills, making it illegal for businesses and universities to ask for access to people’s social media and e-mail accounts, Mercury News reports. Brown said, “The Golden State is pioneering the social media revolution, and these laws will protect all Californians from unwarranted invasions of their personal social media accounts.” Assembly Bill 1844 prevents employers from requiring user names or passwords from employees or job applicants, and Senate Bill 1349 prevents public and private universities from requiring students to disclose their user names and passwords.

BEHAVIORAL TARGETING

Groups Ask FTC To Investigate Facebook Tracking Partnership (September 28, 2012)

The Atlantic Wire reports on Facebook’s in-store tracking partnership with Datalogix, which aims to show advertisers whether their ads lead to sales. Facebook says the data collection doesn’t violate any FTC regulations because of an opt-out link on Datalogix’s website. The Electronic Privacy Information Center and the Center for Digital Democracy have asked the FTC to look into the partnership. Ryan Calo of the Center for Internet and Society says the placement of the opt-out link does not follow best practice, though Facebook likely consulted the FTC before unveiling the initiative. “That opt-out option isn’t easy to find nor is it on the Facebook website,” he said.

PERSONAL PRIVACY—U.S.

Meeting Scheduled To Establish Voluntary Smart Grid Code of Conduct (September 28, 2012)

In response to workshops on smart grid privacy, a task force will develop a voluntary code of conduct for utilities and third parties providing consumer energy use services, Smartgrid.gov reports. The White House released “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation for the Global Digital Economy” in February. The blueprint outlines a multi-stakeholder process to develop a voluntary code in order to promote consumer confidence. Accordingly, an initial multi-stakeholder meeting will take place December 6 in Washington, DC, and aims to develop the process and a timeline as well as to establish priorities. Editor’s Note: To see an example of a Smart Grid Bill of Rights, visit the IAPP Resource Center.

ONLINE PRIVACY—U.S.

FTC Supports W3C’s Do-Not-Track Guidelines (September 28, 2012)

The Federal Trade Commission (FTC) says it supports the World Wide Web Consortium’s (W3C) efforts to develop voluntary guidelines for a do-not-track system, MediaPost reports. “The commission has repeatedly and forcefully called for industry—not government—to implement a do-not-track mechanism that would allow consumers to decide whether to have their online activity…collected,” said FTC Chairman Jon Leibowitz in a letter to Congress. Leibowitz was responding to an inquiry by nine Republican lawmakers on whether the FTC was “empowered to work with an international organization like the W3C,” the report states. Meanwhile, a Georgia man is currently working on an online registry with features similar to the W3C’s do-not-track.

SURVEILLANCE—U.S.

Report Indicates “Massive Spike” in Tracking (September 28, 2012)

CNET News reports on documents indicating law enforcement’s “real-time surveillance targeting social networks and e-mail providers jumped 80 percent from 2010 to 2011.” The documents, obtained through a Freedom of Information Act suit by the American Civil Liberties Union (ACLU), also indicate “a massive spike in ‘non-content’ surveillance by federal law enforcement over the last two years, jumping 60 percent from 23,535 cases in 2009 to 37,616 in 2011.” The report suggests “police are using a 1986 law intended to tell police what phone numbers were dialed for far more invasive surveillance: monitoring of whom specific social network users communicate with, what Internet addresses they're connecting from” and other interactions.

SURVEILLANCE—U.S.

Privacy Concerns Raised by Drones, Driverless Cars (September 28, 2012)

The Washington Post reports on a survey revealing that more than one-third of Americans think their privacy will be compromised if drones are used domestically by law enforcement to track criminals. According to an Associated Press-National Constitution Center poll, 36 percent of respondents either “strongly oppose” or “somewhat oppose” police use of drones. Meanwhile, new California legislation on driverless cars is raising concerns that the automated vehicles could track, collect and share an individual’s movements and disclose them to advertisers. (Registration may be required to access this story.)

HEALTHCARE PRIVACY—U.S.

Opinion: Trust and Interoperability Needed (September 28, 2012)

A perspective piece from the Center for Democracy and Technology’s Deven McGraw in iHealthBeat examines the Office of the National Coordinator for Health IT’s announcement it is “dropping its plans to issue regulations setting voluntary ‘rules of the road’ for participation in the Nationwide Health Information Network.” McGraw suggests that plan removes a “potential tool for advancing a framework of standards and policies to enable digital health information exchange among providers and patients,” noting the HIPAA Privacy and Security rules are also “critical policy tools for advancing conditions of trust for nationwide health information exchange.” Wiley Rein’s Kirk Nahra, CIPP/US, writes in The Privacy Advisor on the “top 10 issues and unanswered questions” surrounding the still-unpublished final HIPAA/HITECH rules.

CLOUD COMPUTING—EU & UK

EC Releases Cloud Strategy; ICO Releases Guidelines (September 27, 2012)

The European Commission (EC) has released a new strategy for “unleashing the potential of cloud computing in Europe.” Among the “key actions” in the strategy are “Cutting through the jungle of technical standards so that cloud users get interoperability, data portability and reversibility,” EU-wide certification schemes and a European Cloud Partnership with member states. EC Vice President Viviane Reding said the strategy “will enhance trust in innovative computing solutions and boost a competitive digital single market where Europeans feel safe,” adding, “That means swift adoption of the new data protection framework…” Meanwhile, the UK Information Commissioner’s Office has published guidelines on the responsible use of cloud computing. Editor’s Note: The IAPP will host the web conference EU Cloud Computing Privacy Guidance next Thursday, October 4 at 11 a.m. EDT.

PRIVACY LAW—U.S.

Court To Examine Legality of Warrantless Blood Samples (September 27, 2012)

The Supreme Court has agreed to reexamine the constitutional privacy of an individual’s blood chemistry, reports National Constitution Center. In Missouri v. McNeely, the court will decide whether police can take a blood sample from a criminal suspect without a judge’s approval, the report states. In Schmerber v. California in 1966, the court ruled that police could draw blood without a warrant in an emergency case, such as drunk driving. In McNeely, the court will revisit that ruling after a police officer ordered a blood sample from a drunk driving suspect, treating the situation as an emergency because the suspect’s blood-alcohol level would drop over time.

PRIVACY LAW—U.S.

Barton: Web Cam Spying Settlement Indicates Need for Stronger Laws (September 27, 2012)

Following yesterday’s announcement that the FTC is settling charges with several rent-to-own companies that allegedly spied on customers via rented computers, Rep. Joe Barton (R-TX) says stronger privacy laws are needed, reports National Journal. “I was dumbfounded when I heard about this case,” Barton said. “How can any company believe that it is okay to secretly gather data such as medical records, keystrokes and even taking webcam pictures of unknowing customers inside their homes?” Barton said the case illustrates the need for stronger laws, and that “Everyone should have a say in how their personal information is used.”

DATA LOSS

Breach Affects 100,000 IEEE Members (September 27, 2012)

The user names and passwords of approximately 100,000 members of the Institute of Electrical and Electronics Engineers (IEEE) have been compromised in an apparent breach, Help Net Security reports. The affected data was stored on an FTP server in unencrypted form. The IEEE has as many as 400,000 members worldwide, many of whom are security professionals. The incident was discovered by Romanian researcher Radu Dragusin.

PRIVACY

Exploring Privacy’s Top Thinkers and Practitioners (September 27, 2012)

At the annual Privacy Law Scholars Conference held earlier this year, information privacy law scholars and other top thinkers met with practitioners from industry, advocacy and government to hash out privacy’s toughest and most pressing challenges. Law scholar Daniel Solove discusses the strong conduit that is forming between privacy scholarship and practice, and in three such examples, papers delving into Big Data, hiring discrimination in a Web 2.0 world and operationalizing Privacy by Design are explored in this exclusive for The Privacy Advisor. Editor’s Note: IAPP PLSC Award-winning authors will discuss current topics in privacy in breakout sessions at the upcoming IAPP Privacy Academy in San Jose, CA.

DATA PROTECTION

Insurance Not A Stand-In for Safe Practices (September 27, 2012)

Though organizations are increasingly investing in cyber-breach insurance policies, they should be sure to “avoid the hazards of choosing a policy that may not pay out when the worst occurs,” Dark Reading reports. “These insurance policies can’t eliminate risk; they can only help you control and minimize it,” said one expert. “It’s really one arrow in the quiver of those dealing with today’s cyber risks and some of the liabilities that can spring from them.” Insurance should not be a “stand-in” for encrypting sensitive data, maintaining controls over access to databases and monitoring database activity, the report states.

PRIVACY LAW—U.S.

FTC Says Companies Spied on Consumers Via Rent-To-Own Laptops (September 26, 2012)

Seven rent-to-own companies and a software maker are settling charges with the Federal Trade Commission (FTC) alleging they spied on consumers using rented computers. Without consumers’ knowledge or consent, the companies captured screenshots of confidential and personal information, logged keystrokes and in some cases took webcam pictures, WIRED reports. The proposed settlement bans the companies from using monitoring software and from using deceptive methods to gather information about consumers. It also forbids the companies from using geolocation tracking without consumer notice and consent and from “providing others with the means to commit illegal acts,” among other provisions.

ONLINE PRIVACY—CANADA

Commissioner: Websites Inappropriately Sharing Users’ Personal Information (September 26, 2012)

A report by Canada’s Office of the Privacy Commissioner says some leading Canadian websites are inappropriately sharing users’ personal information with third parties, reports the Canadian Press. Privacy Commissioner Jennifer Stoddart investigated 25 shopping, travel and media sites and found information—including names, e-mail addresses and postal codes—was being collected without consent. Stoddart has written to 11 of the sites, seeking explanations on how changes will be made to comply with Canadian privacy law, the report states. “Our research serves as a wake-up call to all online services to ensure they are complying with Canadian law—and respecting the privacy rights of people who use their sites,” Stoddart said.

PRIVACY LAW—U.S.

Supreme Court To Hear Driver’s License Case (September 26, 2012)

The U.S. Supreme Court will hear a case involving whether lawyers can legally obtain personal data gleaned from driver’s license records to recruit individuals for lawsuits, the Associated Press reports. The appeal comes from three South Carolina residents who were solicited by lawyers to join a lawsuit against car dealers, the report states. The justices will determine whether the lawyers’ actions contravened federal privacy law pertaining to the protection of driver’s license records. The federal law does have a lawsuit exception. (Registration may be required to access this story.)

CHILDREN’S PRIVACY—U.S.

Groups Disagree on Proposed COPPA Changes (September 26, 2012)

Privacy advocates are urging the Federal Trade Commission (FTC) to discard a proposal by the Walt Disney Company that would change how organizations meet COPPA obligations, NationalJournal reports. The company wants the FTC to alter its definition of websites “directed at children” and has proposed a “family-friendly” classification. The Center for Digital Democracy has said “children’s privacy would receive much less protection as a result” of the changes. Meanwhile, in its comments to the FTC, the Interactive Advertising Bureau has said new behavioral advertising limits “would restrict children’s access to online resources by undermining the prevailing business model.”

PRIVACY LAW—EU

Reding: Overhaul Could Save €2.3 Billion in Costs (September 26, 2012)

EU Justice Commissioner Viviane Reding says an overhaul of EU data protection rules could save as much as €2.3 billion in administrative costs, Bloomberg reports. Reding has said a single set of data rules for the EU and a one-stop-shop for data protection will make Europe a more attractive place to do business. The proposed legislation will also provide better access to personal data, Reding and Irish Data Protection Commissioner Billy Hawkes wrote in a recent piece for the Irish Examiner. Ireland will play a key role in shaping the new rules, Reding says, as it is home to many firms handling personal data.

PRIVACY LAW—NEW ZEALAND

Commissioner Seeks Data Broker Enforcement Powers (September 26, 2012)

New Zealand’s privacy commissioner is seeking additional powers to monitor companies that collect and sell personal data, the Otago Daily Times reports. Assistant Privacy Commissioner Blair Stewart has said the current version of the Privacy Act clears the way for enforcement only after a complaint is filed, but many citizens do not know of the existence of data brokers. The privacy commissioner has supported a Law Commission recommendation to update the law, giving the commissioner powers to serve compliance notices on organizations. Stewart said, “People don’t tend to complain about certain practices, if the sort of practices go on in the background and they can’t see what’s happening.”

PRIVACY LAW—U.S.

Bill Would Require Police To Obtain Warrants For E-mail, Location Data (September 26, 2012)

CNET News reports on a bill that would require police to acquire warrants before accessing U.S. citizens’ e-mail or tracking their cell phones. Introduced by Rep. Zoe Lofgren (D-CA) yesterday, the bill would require a search warrant for law enforcement access to cloud data or location information, the report states. The bill is backed by Digital Due Process, which comprises companies including Amazon.com, Apple, Google, Twitter and Microsoft. It’s anticipated that the U.S. Justice Department will combat the effort; it has previously warned that such protocols would hinder “the government’s ability to obtain important information in investigations of serious crimes,” the report states.

DATA PROTECTION

Shareholder Proposal Asks Apple for Privacy Risk Report (September 25, 2012)

A group of Apple’s investors has filed a shareholder proposal seeking a report on how the company’s board of directors governs privacy and data security vulnerabilities, according to an OpenMIC press release. The proposal states that “Apple’s board has a fiduciary and social responsibility to protect company assets, which include the personal information of a variety of stakeholders.” The two groups co-filing the proposal cite a number of recent cybersecurity and privacy incidents affecting the company and refer to a Carnegie Mellon University Cylab study by Jody Westby that looked into how executives manage cyber risks. “My Cylab governance surveys indicate the governance by boards and senior management is not where it should be,” Westby told the Daily Dashboard, adding, “This type of shareholder inquiry cannot be ignored or passed down the line by senior management.”

SOCIAL NETWORKING

Confusion Over Facebook Wall Posts Leads to Privacy Scare (September 25, 2012)

Facebook representatives have said yesterday’s reports that private messages were appearing on users’ timelines were false, The Wall Street Journal reports. According to Facebook, “A small number of users raised concerns after what they mistakenly believed to be private messages appeared on their Timeline,” adding that an investigation revealed “that the messages were older wall posts that had always been visible on the users’ profile pages.” In response, France’s data protection authority—the CNIL—has been asked to investigate the issue. Meanwhile, the Electronic Privacy Information Center plans to ask the Federal Trade Commission to investigate the new Facebook-Datalogix deal and whether it contravenes a recent settlement. (Registration may be required to access this story.)

PRIVACY LAW—U.S.

Hospital Employee Sentenced to Six Months for Selling Data (September 25, 2012)

A former medical technician at Howard University Hospital has been sentenced to six months in a halfway house, ordered to perform 100 hours of community service and fined $2,100 for selling personal information about patients, PHIprivacy.net reports. Laurie Napper pled guilty to violating HIPAA by wrongfully disclosing individually identifiable health information. Napper obtained patients’ records on at least three occasions and sold their names, addresses, dates of birth and Medicare numbers to another person, the report states. Approximately 40 patients were affected. U.S. Attorney Ronald Machen said the felony conviction indicates patient information is “a trust to be protected.”

PRIVACY LAW—U.S.

AvMed Ruling May Open the Door for Liability Cases (September 25, 2012)

The recent AvMed data breach case may open the door for plaintiffs to prove they are victims of identity theft as a result of a data breach, SC Magazine reports. The 11th U.S. Circuit Court of Appeals ruled earlier this month that plaintiffs in Curry v. AvMed sufficiently alleged liability against the health plan provider for the data breach affecting 1.2 million customers that led to identity theft and financial losses for some. “When a company doesn’t live up to the obligation that it’s supposed to…that person has a cause of action for that money he paid toward the protection of his personal information,” said the lawyer representing the plaintiffs.

DATA PROTECTION

Report: Most Breaches Due to Employee Error (September 25, 2012)

COMPUTERWORLD reports Forrester Research has found that most data breaches are caused by events such as employees losing or misusing corporate assets or having them stolen. In the survey of more than 7,000 executives and employees in North America and Europe, 31 percent said theft or loss was the cause of data breaches, and 39 percent said data leaks on mobile devices are a concern. “Whether their actions are intentional or unintentional, insiders cause their fair share of breaches,” the report’s authors said, adding it’s not only a matter of appropriate tools and controls; only 56 percent of respondents said they were aware of their organization’s security policies.

ONLINE PRIVACY

Twitter’s CEO: User Privacy Remains Priority (September 25, 2012)

In light of having to recently turn over an Occupy Wall Street protestor’s Twitter posts to a judge, Twitter Chief Executive Officer Dick Costolo said the company supports its users’ privacy, PC Pro reports. “We strongly believe it’s important for us to defend our users’ right to protest the forced publication of their private information,” said Costolo, adding the company was put “between a rock and a hard place” in the protester’s court case.

BIOMETRICS

Facebook Halts Face ID Tech, For Now (September 24, 2012)

The New York Times reports on Facebook’s agreement with European regulators to stop using its facial recognition software and delete users’ facial identification data. “The development of these tools in the private sector directly affects civil liberties,” said University of California, Berkeley Law Prof. Chris Hoofnagle, adding, “The ultimate application is going to be—can we apply these patterns in video surveillance to automatically identify people for security purposes and maybe for marketing purposes as well?” Ireland Data Protection Commissioner Billy Hawkes has said he is satisfied with the company’s privacy upgrades, but some in Europe do not think they have gone far enough. Meanwhile, Financial Times reports the company is working to improve its ad tracking systems. (Registration may be required to access this story.)

PERSONAL PRIVACY—AUSTRALIA

Privacy Commissioner: Citizens Concerned About Smart Meter Data (September 24, 2012)

Australian Privacy Commissioner Timothy Pilgrim has said smart meter technology could threaten people’s privacy, The Age reports. “We are starting to see people voicing concern about the level of data that these meters can collect,” Pilgrim said. Customers with smart meters must consent to having their data shared with various third parties, the report states. Pilgrim said companies have an obligation to delete or de-identify personal information that is no longer necessary. An Origin Energy spokesman said its online energy-usage portal is fully compliant with Australian privacy legislation and that the company keeps personal data for tax and compliance purposes.

PRIVACY LAW—EU

Ireland DPC: EU Overhaul Will Strengthen Personal Data Control (September 24, 2012)

Ireland Data Protection Commissioner Billy Hawkes has said new EU laws to be introduced in January will strengthen EU citizens’ control over their personal data. In a column for the Irish Examiner, Hawkes wrote that personal data should always be protected, even outside the EU. The proposed legislation will provide a single set of rules for data protection across the EU; better access to personal data; the “right to be forgotten”; data protection rules for companies—such as Google and Facebook—doing business in EU markets, and additional power to independent data protection authorities.

ONLINE PRIVACY—U.S.

Do-Not-Track Talks Reach a Stalemate (September 24, 2012)

Privacy advocates wrote to the Federal Trade Commission last week asking it to intervene to help settle differences between some advertising industry representatives and privacy advocates on a do-not-track option online, National Journal reports. Web browsers such as Mozilla’s Firefox, Apple’s Safari and Microsoft’s Internet Explorer now include a do-not-track option, but websites’ compliance with the option is thus far voluntary. Talks convened by the World Wide Web Consortium (W3C) about the standard seem to have reached a stalemate, the report states. Two areas of contention appear to be the use of “unique identifiers” and default settings for browsers with a do-not-track option. The W3C will hold the workshop “Do Not Track and Beyond” in Berkeley, CA, in November.
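The do-not-track option discussed here, and in the FTC item on the W3C guidelines above, comes down to a single request header (DNT: 1) that the browser sends; whether a site honours it is entirely a server-side decision, which is why compliance is voluntary. The following is an added example, not code from the W3C, the FTC or any site named in this digest, showing how a server can read that header and withhold its tracking cookie. It assumes a WSGI-style environ dict, a hypothetical tracking cookie named adtrack, and the Tk response header values (N for not tracking, T for tracking) from the W3C Tracking Preference Expression draft; the request dicts at the bottom are constructed for illustration.

```python
"""Honouring the browser Do Not Track (DNT) signal on the server side.

Added example, not code from the W3C, the FTC or any site in the digest.
Assumes a WSGI-style environ dict; the cookie name is hypothetical and the
Tk response header follows the W3C Tracking Preference Expression draft.
"""
from http import cookies

TRACKING_COOKIE = "adtrack"  # hypothetical name of a behavioural-profiling cookie


def dnt_preference(environ):
    """Return 'opt-out', 'opt-in' or None when DNT is absent or unparseable.

    The draft defines DNT: 1 (user asks not to be tracked) and DNT: 0 (user
    consents to tracking). Any other value is treated as no expressed
    preference rather than guessed at.
    """
    raw = environ.get("HTTP_DNT")  # WSGI spelling of the DNT request header
    if raw is None:
        return None
    value = raw.strip()
    if value.startswith("1"):
        return "opt-out"
    if value.startswith("0"):
        return "opt-in"
    return None


def build_response(environ, site_default_tracks=True):
    """Decide whether a tracking cookie may be set for this request.

    Returns (status, headers). Policy: an explicit DNT:1 always wins, an
    explicit DNT:0 always permits, and an absent header falls back to the
    site default, which an opt-in regime would set to False.
    """
    pref = dnt_preference(environ)
    if pref == "opt-out":
        track = False
    elif pref == "opt-in":
        track = True
    else:
        track = site_default_tracks

    headers = [("Content-Type", "text/plain")]
    if track:
        jar = cookies.SimpleCookie()
        jar[TRACKING_COOKIE] = "profile-id-placeholder"  # constructed value
        jar[TRACKING_COOKIE]["path"] = "/"
        jar[TRACKING_COOKIE]["httponly"] = True
        headers.append(("Set-Cookie", jar.output(header="").strip()))
        headers.append(("Tk", "T"))  # TPE draft: T = tracking
    else:
        headers.append(("Tk", "N"))  # TPE draft: N = not tracking
    return "200 OK", headers


def sets_tracking_cookie(headers):
    """True if the response would set the tracking cookie."""
    return any(name == "Set-Cookie" and value.startswith(TRACKING_COOKIE + "=")
               for name, value in headers)


if __name__ == "__main__":
    # Constructed requests: DNT:1, DNT:0, header absent, malformed header.
    for env in ({"HTTP_DNT": "1"}, {"HTTP_DNT": "0"}, {}, {"HTTP_DNT": "yes"}):
        status, hdrs = build_response(env)
        print(env.get("HTTP_DNT", "<absent>"), "->", dict(hdrs)["Tk"],
              "cookie set" if sets_tracking_cookie(hdrs) else "no cookie")
```

The deliberate choice here is that the absent-header case is a policy knob rather than a hard-coded answer: the digest's two points of contention, unique identifiers and browser defaults, both collapse into what a site does when it receives no DNT header at all.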

PRIVACY LAW—U.S.

Hearing Scheduled for Sutter Health Breach (September 24, 2012)

A hearing will take place in California on September 27 for a class-action lawsuit against Sutter Health over its breach last year exposing data on 4.24 million patients, Sacramento Business Journal reports. The suit claims the company failed to properly protect patient data contained on a password-protected but unencrypted computer that was stolen and that Sutter Health did not notify affected patients within the required time. A decision is pending on whether the 12 suits filed will be certified as a class-action. Lawyers must prove a common thread exists among them.

PRIVACY LAW—U.S.

Opinion: Cell Phone Ruling an Intrusion on Personal Privacy (September 24, 2012)

Last month’s ruling by the United States Court of Appeals for the Sixth Circuit did little to protect personal privacy in the digital age, according to a New York Times editorial. In the case, the government obtained data from a defendant’s cell phone with the help of his cell phone provider. The majority said the defendant’s rights weren’t violated because he “did not have a reasonable expectation of privacy in the data given off by his voluntarily procured pay-as-you-go cell phone.” Though the U.S. Supreme Court recently ruled against warrantless GPS tracking, this case involved no physical trespass, the appeals court reasoned. But carrying a cell phone “should not obliterate privacy rights…” the report states. (Registration may be required to access this story.)

DATA PROTECTION—IRELAND

DPC Releases Facebook Audit (September 21, 2012)

The Irish Data Protection Commissioner (DPC) has released its audit report of Facebook. The office conducted the audit to ensure Facebook is complying with EU laws and looked at whether the company implemented the DPC’s recommendations stemming from its first audit in 2011. “The company’s formal response to our recommendations…demonstrates the constructive approach adopted by the company,” the audit report states, adding that full implementation of some recommendations—such as new user education and minimizing ad targeting based on terms considered personal data—has yet to be completed but is planned for a specific deadline.

PRIVACY LAW—U.S.

Senate Panel Delays Privacy Law Rehash (September 21, 2012)

The Senate Judiciary Committee will likely wait until after the presidential elections to overhaul the Video Privacy Protection Act and the Electronic Communications Privacy Act (ECPA), NationalJournal reports. Judiciary Chairman Patrick Leahy (D-VT) said panel members told him “they want further discussion” of the reforms. Earlier this week, several law enforcement groups wrote the committee saying, “Any effort to revise ECPA should involve detailed and careful consideration of the consequences of proposed changes on the ability of law enforcement investigators to conduct their work efficiently and effectively on behalf of American citizens.”

PRIVACY—U.S.

Departing CA Senator Hopes Others Pick Up the Privacy Torch (September 21, 2012)

As Sen. Joe Simitian (D-Palo Alto) approaches his term limit in California’s State Senate this year, he notes some concern that privacy is becoming less of a legislative focus in California. “As I walk out the door, there are fewer members today than a few years ago who are spending significant time on privacy issues,” Simitian says in this exclusive for The Privacy Advisor. During his 12-year tenure, Simitian gained recognition among privacy advocates for passing bills on issues ranging from library records to electronic toll collection to malicious e-personation. But he was perhaps most notably responsible for AB 700, which laid the foundation for data breach notification laws in almost every other state in the nation. Editor’s Note: Sen. Simitian will present a keynote address at the IAPP Privacy Academy in San Jose, CA, October 10-12.

PRIVACY LAW—U.S.

Appeals Court Upholds $9.5 Million Class-Action (September 21, 2012)

The Ninth U.S. Circuit Court of Appeals has upheld a $9.5 million class-action lawsuit settlement over privacy rights violations stemming from Facebook’s now defunct “Beacon” service, Reuters reports. A subset of plaintiffs had objected to the settlement, but the court wrote, “we see nothing about this particular settlement that undermines the district court’s conclusion that it was substantial in this case.” Plaintiffs’ attorney Scott Kamber said he looked forward to the formation of the privacy rights group that will be created out of the settlement. The dissenting judge said the settlement “perverts the class-action into a device depriving victims of remedies…” Meanwhile, a new “Shared Activity” plug-in will reportedly give Facebook users more control over their activity sharing.

PRIVACY LAW—U.S.

NJ Senate Committee Approves Applicant Privacy Bill (September 21, 2012)

In New Jersey, a bill to protect the privacy of job seekers has passed through a Senate committee and now moves to the full Senate for a vote, NJ 101.5 reports. S-1898 would prohibit employers from requiring applicants to provide passwords or access to private online accounts. “By no means should an employer be able to forcibly access such a broad scope of personal information against an applicant’s will,” said co-sponsor of S-1898 Sen. Kevin O’Toole (R-40). In June, the New Jersey Assembly passed a similar bill.

DATA PROTECTION

Risk Report Finds “Sharp Increase” in Browser Exploits (September 21, 2012)

InfoSecurity reports that the results of the IBM X-Force 2012 Mid-Year Trend and Risk Report suggest “the landscape has seen a sharp increase in browser-related exploits…along with renewed concerns around social media password security and continued disparity in mobile devices and corporate bring-your-own-device (BYOD) programs.” The report notes an upward trend in vulnerabilities. “We’ve seen an increase in the number of sophisticated and targeted attacks,” said IBM’s Clinton McFadden, adding, “As long as these targets remain lucrative, the attacks will keep coming and in response, organizations should take proactive approaches to better protect their enterprises and data.” Editor’s Note: The IAPP’s recent web conference The Implications of Bring Your Own Device (BYOD) offers additional insights into the issues surrounding BYOD.

DATA LOSS—U.S.

Health Agency Notifies 2,500 Clients of Breach (September 20, 2012)

The Cabinet for Health and Family Services (CHFS) in Frankfort, KY, is notifying 2,500 clients that hackers may have accessed their names, addresses and ID codes in July after an employee of the Cabinet’s Department for Community Based Services responded to a phishing e-mail, HealthcareITNews reports. “We really are pretty confident that none of this data has been accessed,” said CHFS Assistant Communications Director Gwenda Bond. The director of the state’s Office of Administrative and Technology Services said the agencies involved take seriously their “role of safeguarding the personal information of those we serve…and have increased awareness activities for staff to help protect against future issues of this kind.”

BIG DATA

CSA Launches Big Data Working Group (September 20, 2012)

The Cloud Security Alliance (CSA) has initiated a Big Data Working Group to develop best practices for privacy and security solutions, particularly in government, healthcare and e-commerce sectors, Integration Developer News reports. The CSA’s charter document notes “traditional security mechanisms, which are tailored to securing small-scale static—as opposed to streaming—data are inadequate” for Big Data. In addition to developing Big Data security and privacy best practices, the group aims to help industry and government adopt best practices; create coordination efforts between organizations to develop standards; speed up efforts to research privacy and security solutions, and draft research proposals for joint government and industry funding, the report states.
Full Story

PRIVACY LAW—EU & U.S.

EU Proposal Would Complicate Workplace Evidence Gathering (September 20, 2012)

If the EU adopts its new data protection proposal, companies could have a difficult time conducting internal investigations that rely on collecting documents and e-mail from employees, Corporate Counsel reports. EU regulations already make it difficult for lawyers to gather information—including data stored on company computers and servers, the report states. But the new proposal “eliminates the most convenient way of gathering evidence for U.S. legal compliance purposes,” said DLA Piper’s Jim Halpert. He added that under current law, lawyers can gather information if given voluntary employee consent. But under the EU’s proposal, that consent, “even if freely given,” would be deemed “invalid.”
Full Story

BIOMETRICS

Airport Iris-Scanning May Be Wave of Future (September 20, 2012)

Ars Technica reports on iris-scanning technology being rolled out in select airports. Technology similar to AOptix’s InSight Duo iris scanner may become a standard security check at airports and border crossings around the globe, the report states, making the security experience more efficient. A company whitepaper states, “In an InSight-based eGate, a traveler would pass through border control by first scanning his biometric passport on the eGate and then authenticating his biometric record with InSight.” Privacy concerns loom, however, as researchers recently were able to reverse engineer iris code back into an iris image. Privacy expert Woodrow Hartzog said, “A significant enough breach could render an entire verification system unreliable.”
Full Story

PRIVACY LAW—U.S.

CA Court To Decide on Constitutionality of DNA Sample Upon Arrest (September 20, 2012)

The Washington Post reports on a Ninth U.S. Circuit Court of Appeals case that will determine whether a California law requiring suspects arrested in felony cases to provide genetic samples is constitutional. Three of the judges have made clear they find the law “distasteful,” the report states. “It’s that officer who is there and decides a felony has been committed,” and therefore decides to collect the data, Judge Harry Pregerson said. “That’s a terrible intrusion of privacy.” Deputy Attorney General Daniel Powell says the data collection is “vital to public safety.” The ACLU has asked the court to amend the law so only felony convicts provide DNA samples. (Registration may be required to access this story.)
Full Story

HEALTHCARE PRIVACY—U.S.

HHS, VA Demonstrate PHI eTransfer (September 20, 2012)

The U.S. Department of Health and Human Services and the Veterans’ Administration have demonstrated how sensitive patient data can be transferred electronically while maintaining confidentiality, FierceEMR reports. Developed as part of the Data Segmentation for Privacy Initiative (DS4P), the demonstration showed how a patient could consent to a transfer and how data would be tagged according to sensitivity, requiring further authorization from the patient prior to additional disclosure. Office of the National Coordinator for Health IT Chief Privacy Officer Joy Pritts said, “This project helps demonstrate that with proper standards in place, existing privacy laws and policies can be implemented appropriately in an electronic environment.”
Full Story

BIG DATA

Opinion: Give People Usable Data Access To Create Value (September 20, 2012)

In Concurring Opinions, Omer Tene of the Israeli College of Management School of Law discusses a forthcoming article in which he and the Future of Privacy Forum’s Jules Polonetsky, CIPP/US, aim to “reconcile the inherent tension between Big Data business models and individual privacy rights.” In the future, organizations should allow individuals easy access to the data stored about them and should be required to be transparent about data processing activities, Tene writes. While data analytics provides enormous value in terms of research and innovation, it also presents “formidable privacy concerns.” Therefore, Tene emphasizes the importance of granting individuals access to data in “usable format” to create value for them.
Full Story

ONLINE PRIVACY

Experts Explore Possibilities, Challenges of PbD (September 20, 2012)

“Can privacy be built into websites or smartphone apps, akin to the manner in which developers set up a backend database or ensure that their application code remains clean and secure against potential attacks?” Mat Schwartz asks in this Daily Dashboard exclusive interview with Ira Rubinstein and Nathan Good on Privacy by Design. Among their insights, Rubinstein suggests, “Privacy should be designed with the same usability expertise that companies bring to any other aspect of a feature or service,” but notes “there's some tension here, because companies may fear that if they make their privacy features too effective, it may undermine the amount of personal data they can collect and use.” Editor's Note: Adjunct NYU Law Professor Ira Rubinstein and Principal of Good Research Nathan Good will lead “The Future of Privacy by Design,” a discussion of existing practices with the goal of clearly identifying what Privacy by Design is, if it works and how it can be used effectively by organizations as part of the IAPP’s upcoming Navigate executive forum held in conjunction with the 2012 Privacy Academy in San Jose, CA.
Full Story

Experts explore the future of Privacy by Design (September 19, 2012)

By Mathew J. Schwartz

Can privacy be built into websites or smartphone apps, akin to the manner in which developers set up a backend database or ensure that their application code remains clean and secure against potential attacks?

That's one provocative question posed by a recently released paper co-authored by Ira Rubinstein, a senior fellow and adjunct professor at New York University Law School, and Nathan Good, principal and chief scientist of Good Research. Titled "Privacy By Design: A Counterfactual Analysis Of Google And Facebook Privacy Incidents," the paper recently received the IAPP Privacy Law Scholars Award.

The paper reviews 10 recent privacy incidents involving Facebook and Google, and asks if "privacy engineering and usability principles" could have prevented them. In particular, could engineering "fair information practice" principles have been used in advance of the incidents to have removed the privacy problems entirely? Likewise, from a usability standpoint, could the relevant interfaces have been designed to provide the "just-in-time" context that a user needed to make an informed privacy decision?

To learn more about the possibilities and challenges associated with Privacy by Design in advance of a related talk at the IAPP's Navigate 2012 executive forum in Mountain View, CA, I spoke with Rubinstein and Good by phone.

The Privacy Advisor: What drove you to explore the concept of Privacy by Design?

Rubinstein: The starting point is the fact that so many regulators are bringing attention to Privacy by Design as a regulatory tool. It's long been pushed by Ontario Privacy Commissioner Ann Cavoukian in Canada, but lately the FTC has begun to emphasize design, and to make Privacy by Design—or something very much like it—part of their recent consent decrees with Facebook and Google. It's also gotten a lot of attention from European regulators, particularly in the new regulation that would replace the European Data Protection Directive.

But exactly what does Privacy by Design mean? Regulators talk about it a lot in general terms, without going into detail, and without giving guidelines to developers that would allow them to take actionable steps, because the developer needs to know what are the requirements for this software, and what are the specific features that might help meet those requirements? Unless Privacy by Design can be expressed in those requirements, it doesn't add up to anything for the developer; it's too abstract and vague....

PRIVACY LAW—EU

EDPS Calls for Harmonized “Illegal Content” Definition (September 19, 2012)
European Data Protection Supervisor (EDPS) Peter Hustinx has said the European Commission (EC) should define the term “illegal content” in order to provide clarity on content host responsibilities for removal of such information, Out-Law.com reports. Comments by the EDPS come after an EC consultation on reforming rules governing the removal of illegal material posted online. Examples of what the EC considered illegal include content infringing on intellectual property rights, inciting hate, relating to terrorism or invading privacy. Hustinx said he “is of the view that there is a need for a more pan-European harmonized definition of the notion of illegal content for which notice-and-action procedures would be applicable.”

PRIVACY LAW—U.S.

Court Rules in Favor of Plaintiffs’ ID Theft Case (September 19, 2012)

The 11th Circuit Court has ruled in a 2-1 opinion that the plaintiffs in a class-action lawsuit sufficiently alleged liability against a health plan provider for a data breach involving identity theft, reports Information Law Group. Two laptops containing unencrypted sensitive information—including Social Security numbers—on 1.2 million AvMed customers were stolen in 2009. In Curry v. AvMed, Inc., the plaintiffs said they carefully avoided sharing their sensitive information digitally but still became victims of identity theft and suffered financial losses. The ruling “gives crucial guidance to plaintiffs seeking damages for identity theft caused by a data breach and to defendants seeking to defend against such claims,” the report states.
Full Story

PRIVACY LAW—U.S.

Senators Call for Executive Order on Cybersecurity (September 19, 2012)

Two U.S. senators are calling on President Barack Obama to issue an executive order aimed at protecting the nation from cyber attacks, The Hill reports. Sens. Chris Coons (D-DE) and Richard Blumenthal (D-CT) sent a letter this week urging the president to have Homeland Security Secretary Janet Napolitano form an inter-agency group to “develop, in close collaboration with the private sector, voluntary standards for digital safeguards for our nation’s critical infrastructure,” the report states. While Congress remains gridlocked on cybersecurity legislation, the senators said urgent action is critical. They note, however, that an executive order would not provide companies incentives for subscribing to such voluntary standards.
Full Story

SURVEILLANCE—U.S.

GAO Report on Drones Cites Growing Privacy Concerns (September 19, 2012)

A Government Accountability Office (GAO) report has said there are growing concerns about privacy and civil liberties as unmanned aircraft systems (UAS) are introduced to the public airspace, Security Management reports. The GAO reported, “Concerns include the potential for increased amounts of government surveillance using technologies placed on UAS, the collection and use of such data and potential violations of constitutional Fourth Amendment protections against unreasonable search and seizure.” The GAO report also revealed that no federal agency “has been statutorily designated with specific responsibility to regulate privacy matters relating to UAS for the entire federal government.”
Full Story

ONLINE PRIVACY—U.S.

Tech Companies Form Alliance To Lobby Washington (September 19, 2012)

Major Internet companies have formed a lobbying group to address regulatory and political issues in Washington, DC, Reuters reports. Google, Yahoo, LinkedIn, Amazon, eBay and Facebook are among those comprising The Internet Association. The group will lobby on privacy and cybersecurity issues, among others. The group’s president said it’s the Internet’s “decentralized and open model that has unleashed unprecedented entrepreneurialism. Policymakers must understand that the preservation of that freedom is essential to the vitality of the Internet itself and the resulting economic prosperity.”
Full Story

HEALTHCARE PRIVACY—U.S.

Report: Mobile Device Theft Tops Risk List (September 19, 2012)

A new report has revealed that the top healthcare privacy risk is the theft of mobile devices, according to American Medical News. Of the reported breach cases, 52 percent involved the theft of portable devices such as laptops, smartphones and tablets. Kaufman Rossin Director of Information Security and Compliance Jorge Rey—a co-author of the report—said there was a drop in reported breaches, indicating more organizations are complying with HIPAA, but the rise in mobile device theft “was concerning because physical security is usually your easiest area of risk to address.” Editor’s Note: The IAPP will host the preconference workshop on data breaches, Courtroom Showdown: The U.S. and UK vs. MegaCorp, at this year’s Privacy Academy in San Jose, CA.
Full Story

PERSONAL PRIVACY

Think Tank: Business Would Benefit by Upping Consumer Data Control (September 19, 2012)

Policy think tank Demos has said businesses would benefit if they granted consumers more control over how their personal data is used, reports Out-Law.com. Consumers are suffering a “crisis of confidence” when it comes to information sharing, Demos said. Businesses could overcome this if they have “open, transparent and clear information-sharing relationships with customers” and allow consumers to make an “informed choice” about the ways their personal information is used. “Regulators and businesses need to find a flexible, dynamic framework, which recognizes the diversity of views on the issue, and consider how people can customize and negotiate their relationship with organizations so that it is and feels mutually beneficial.”
Full Story

PRIVACY LAW—U.S.

Provider Settles HIPAA Case for $1.5 Million (September 18, 2012)
Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc., (MEEI) has agreed to settle with the U.S. Department of Health and Human Services (HHS) for $1.5 million for potential violations of the HIPAA Security Rule. The HHS Office for Civil Rights conducted an investigation after MEEI reported that an unencrypted personal laptop containing sensitive health data was stolen. The investigation found MEEI “failed to take necessary steps to comply with certain requirements of the Security Rule.” In addition to the fine, MEEI will now review, revise and maintain policies and procedures to comply with the rule and will undergo independent compliance assessments for three years. Meanwhile, Lahey Clinic Hospital has alerted patients of a breach.

PRIVACY LAW—AUSTRALIA

Parliamentary Committee Endorses Fines for Breaches (September 18, 2012)

A parliamentary committee has recommended passing a bill that would allow for fines of up to $1.1 million for severe or repeated privacy breaches, The Australian reports. The suggested penalties were contained in a report tabled in the Lower House. A Senate committee is examining the bill as well and will report to Parliament this month. The bill responds to the Australian Law Reform Commission’s 2008 report, which aims to update privacy laws given technological advances. Privacy Commissioner Timothy Pilgrim says the fines would incentivize better data protection. Should the bill become law, the committee advises that the attorney general should conduct a review 12 months after implementation.
Full Story

MOBILE PRIVACY

PCI SSC Issues App Best Practice Guidelines (September 18, 2012)

The Payment Card Industry Security Standards Council (PCI SSC) has issued best practice guidelines for developers and manufacturers to provide direction in securing mobile device payment processes, SC Magazine reports. The recommendations include isolating sensitive functions and data in trusted environments; using secure code best practices; minimizing third-party access; developing remote payment-disabling functions, and creating suspicious activity monitoring tools. The guidelines also look at ways to prevent the interception of account data in transit. “We have a brand new group of developers that aren’t aware of their responsibility,” said PCI SSC’s chief technology officer. “They are designing good code but don’t know all it’s being used for.”
Full Story

DATA PROTECTION

Funding Among Reasons for App Security Breaches (September 18, 2012)

A recent survey has found that the majority of companies questioned experienced at least one web application security incident since last year, Network World reports. In the Forrester study, which questioned 240 North American and EU companies, 18 percent reported a breach had cost their organization $500,000 or more and indicated the incident had a negative impact on their brand. Among the reasons for the security failures were an inability to secure additional funding for technology and processes, a lack of tools for application security and pressure to quickly deliver new products and services. SQL injection was the leading cause of breaches at organizations that had experienced five to 10 incidents since 2011.
Full Story

ONLINE PRIVACY—AUSTRALIA

Project Founder: Data Subjects Should Take Some Profit (September 18, 2012)

The founder of a large-scale data project says individuals should receive a portion of the profits companies generate by capturing their personal data, reports The Sydney Morning Herald. The Human Face of Big Data aims to create a digital snapshot of the human race, the report states, by using a smartphone app to ask 10 million people for personal details about their lives. “Big Data is a new asset class, and yet the ones creating it seem to have no say in the process,” founder Rick Smolan said. “Why is it everyone is making money off our browser history except us?”
Full Story

DATA LOSS—UK

Stolen Laptop Contained Children’s Data (September 18, 2012)

The Information Commissioner’s Office (ICO) is investigating the theft of an Edinburgh Council laptop used by a fostering service consultant. The laptop reportedly contained sensitive details of dozens of cases, “including assessments of the prospective foster and adoptive parents,” TechWeekEurope reports. Though it is believed thieves would have wiped the computer clean for resale, the council has contacted “the majority of those involved” and issued an apology. An ICO spokesman said, “We will be making enquiries into the circumstances of the alleged breach of the Data Protection Act before deciding what action, if any, needs to be taken.”
Full Story

PRIVACY LAW—EU & U.S.

Opinion: Region’s Privacy Approaches Run Parallel (September 18, 2012)

“For almost two decades, a myth has been circulating that the European Union’s approach to privacy and data protection is ‘stricter’ than the sectorial approach the U.S. employs,” writes Jenner & Block Partner Mary Ellen Callahan, CIPP/US. In a column for The Lawyer, Callahan notes “the two regions' approaches have more in common than the myth would suggest.” Both approaches are grounded in the Fair Information Practice Principles, she writes, adding, “Although differences in emphasis, interpretation and implementation exist, they provide an invaluable lens through which governments and companies can analyze whether they are employing appropriate privacy protections.”
Full Story

PRIVACY LAW—AUSTRALIA

Parliamentary Report Recommends Privacy Amendment Bill (September 17, 2012)
COMPUTERWORLD reports on a tabled parliamentary report that recommends the House of Representatives pass the Privacy Amendment Bill 2012. The bill would clarify the role and strengthen the powers of the privacy commissioner, address credit reporting arrangements and protect personal information. According to a statement, “The committee has examined the bill to ensure that an appropriate balance between privacy protection and the convenient flow of data has been achieved.” Attorney-General Nicola Roxon said, “Both consumers and governments have a role to play to protect privacy,” adding, “In introducing these changes, the Gillard government is doing its bit to protect the privacy of Australian families.”

PRIVACY LAW—U.S.

Twitter Gives Court Protester’s Posts (September 17, 2012)

After months of fighting a subpoena, Twitter has given a U.S. judge the online posts of Occupy Wall Street protester Malcolm Harris, Reuters reports. The tweets, which were handed over to Manhattan Criminal Court Judge Matthew Sciarrino, will remain under seal while a request for a stay by Harris is heard in a higher court, the report states. The Electronic Frontier Foundation (EFF) and the American Civil Liberties Union have filed an amicus brief supporting Twitter’s appeal. EFF’s Marcia Hofmann called it a “canary-in-a-coal-mine case,” adding “companies will look at this case and say it’s not a good idea to push back against governments we think are overreaching.”
Full Story

DATA LOSS—CANADA

BC Health Ministry Fires Fifth Worker for Alleged Breach (September 17, 2012)

A fifth employee of British Columbia’s Health Ministry has been fired over an alleged privacy breach, The Victoria Times Colonist reports. The worker had been one of three who had been suspended, but according to the report, the 30-year government employee in charge of data access, research and stewardship has now been released. BC Health Minister Margaret MacDiarmid has said the issues in the ongoing investigation relate to inappropriate conduct, data management and “contracting-out allegations,” the report states. “It’s been incredibly complex and it continues to be,” MacDiarmid added.
Full Story

TRAVELERS’ PRIVACY—UK

Body Scanners Removed by Manchester Airport (September 17, 2012)

A UK airport is scrapping passenger body scanners after a three-year trial period ended without a decision from the European Commission, BBC News reports. The airport will replace the body scanners with “privacy friendly” scanners. Manchester Airport Group Chief Operating Officer Andrew Harrison expressed frustration “that Brussels has allowed this successful trial to end,” adding, “Our security surveys and those run by the Department for Transport show passengers regularly rate their experience at Manchester as one of the best security processes in the UK, if not Europe. There’s no doubt that body scanners play a big part in these results.”
Full Story

PRIVACY LAW—U.S.

ACLU Asks Court To Stop DNA Collections on Felony Arrests (September 17, 2012)

Through California’s DNA database of close to two million samples, more than 10,000 criminal suspects have been identified in the last five years, The Washington Post reports. But the American Civil Liberties Union (ACLU) will argue to the Ninth U.S. Circuit Court of Appeals that the state’s genetic data collection efforts have become “unconstitutionally aggressive…at the expense of civil liberties,” the report states. California’s Proposition 69 allows police to take a DNA sample of every suspect arrested on felony charges. The ACLU says the practice “comes too early in the criminal justice process,” and samples should be taken only from those convicted. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

Do-Not-Track’s Effects Yet To Be Seen (September 17, 2012)

The New York Times reports on the potential effect do-not-track will have on online privacy. The option may help companies “gain traction with consumers who want to manage their Internet experience on their own devices” but could also have a negative effect on online marketing efforts, the report states. Mozilla introduced the feature last year and reports 11 percent of users have activated the feature. Microsoft announced earlier this year that do-not-track will be the default in its Internet Explorer 10. Recently, Google announced that its Chrome browser will offer do-not-track capabilities in versions available by year’s end. Websites’ compliance with do-not-track preferences is thus far voluntary. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—UK

ICO To Increase Cookie Enforcement Efforts (September 14, 2012)
The Information Commissioner’s Office (ICO) has warned organizations to comply with regulations on cookie use or face “massive fines,” Computeractive reports. Unnamed operators now have a deadline for compliance, according to the ICO’s Dave Evans, following criticism that the office has not been strict enough on cookie enforcement. For those operators that do not meet a given deadline, formal enforcement action is likely, Evans said. “Failure to act on an enforcement notice is a criminal offense,” he added. The ICO gained the authority by law in May to fine organizations up to £500,000 for failure to comply with rules on cookies.

PERSONAL PRIVACY

Everyday Privacy Breaches (September 14, 2012)

In a column for The Globe and Mail, Tony Wilson writes about how a local car repair shop breaches the personal privacy of its customers with a convenient service. In the waiting room, a 52-inch screen lists appointment times with customers’ full names, car models and license plate numbers. Wilson said the service potentially would allow a stalker to locate an individual, adding, “The inadvertent display of a customer’s personal information can be caught by laws regulating its collection and use by businesses in Canada.” Editor’s Note: Read more about the potential for inadvertent privacy breaches in the recent Inside 1to1: PRIVACY article, “The Masses As Data Controllers: What They Don’t Know Could Hurt You.”
Full Story

HEALTHCARE PRIVACY—U.S.

ONC Creates Training Game (September 14, 2012)

Modern Healthcare reports on the Office of the National Coordinator for Health Information Technology (ONC) and the Department of Health and Human Services’ Health Resources and Services Administration’s new videogame to help healthcare employees learn what their responsibilities are when it comes to privacy and security. “What we really tried to address is the baseline…for practices that have not used health information technology before,” said Laura Rosas of the ONC’s privacy office. The game features examples of “real-world dilemmas,” such as the actions a healthcare worker should take when coming upon an unattended laptop in an exam room exposing one patient’s chart in the presence of another. (Registration may be required to access this story.)
Full Story

SURVEILLANCE—U.S.

Low-Cost Technology, Old Laws Spur Legal Questions (September 14, 2012)

USA TODAY reports on a legal battle between a former couple involving secret surveillance. Joseph Zang tracked his wife’s movements inside their home for months, Catherine Zang believes, using hidden microphones in the living room and kitchen and software installed on the computer to copy her e-mails. Two lawsuits now play out in U.S. District Court. Experts say due to high quality, low-cost surveillance equipment, such spying is increasingly common and has proven troublesome for courts and judges to resolve. A spokeswoman for one prosecutor’s office said, “The case law is in flux,” partly because wiretapping laws “are decades old and apply only to audio recordings.”
Full Story

DATA LOSS

Survey: Breach Numbers Down in 2012 (September 14, 2012)

A new survey indicates that the number of data breaches has dropped in 2012, but that could be because hackers are choosing targets more carefully, IT Business reports. Symantec’s August 2012 Intelligence Report compares January to August 2012 with the same period in 2011. This year, there has been an average of 14 data breaches per month, down from 16.5 per month last year. Additionally, “the average number of identities stolen during those incidents was cut in half from 2011 to 2012 during the months of January to August,” the report states. However, hackers may be avoiding larger breaches in favor of “smaller breaches that contain more sensitive information.”
Full Story

PRIVACY LAW—U.S.

House Passes FISA Renewal, Goes to Senate (September 13, 2012)
The U.S. House of Representatives voted Wednesday to renew the FISA Amendments Act for five years, The Washington Post reports. The White House supports the renewal, but civil libertarians and some lawmakers have expressed concerns the law allows intelligence agencies to spy on Americans without a warrant. Sen. Ron Wyden (D-OR) said, “The Congress never intended to authorize warrantless searches for the communications of specific Americans.” An Office of the Director of National Intelligence representative said, “The FISA Amendments Act is not a tool for spying on Americans.” The bill moves to the Senate, but will reportedly not be taken up until after the presidential elections. (Registration may be required to access this story.)

PRIVACY LAW—U.S.

Markey Introduces Mobile Device Privacy Act (September 13, 2012)

IDG News reports on a new bill proposed by Rep. Ed Markey (D-MA) to “require mobile phone makers, network providers and application developers to disclose to customers any monitoring software installed on their mobile devices.” The Mobile Device Privacy Act, which Markey introduced on Wednesday, would also require permission from customers before their mobile devices could be monitored. "Apps very commonly access our sensitive information—our location, our photos, web browsing, history. Apps often do this without prior notice and even when the app isn't actively being used," Markey said, adding reports of such tracking have created a "significant societal issue that has to be discussed." Software and technology groups, meanwhile, are saying legislation is not the answer, the report states.
Full Story

HEALTHCARE PRIVACY—U.S.

ONC Shelves Voluntary “Rules of the Road” Draft Regs (September 13, 2012)

The Office of the National Coordinator (ONC) for Health Information Technology has stepped away from plans to set voluntary “rules of the road” for health information exchanges—including guidelines for privacy and security, GovInfoSecurity reports. In a blog post about the shelving of a Nationwide Health Information Exchange Governance Rule, ONC head Farzad Mostashari wrote, “Based on what we heard and our analysis of alternatives, we’ve decided not to continue with the formal rulemaking process at this time and instead implement an approach that provides a means for defining and implementing nationwide trusted exchange with higher agility, and lower likelihood of regret.”
Full Story

DATA PROTECTION—U.S.

Cybersecurity Executive Order Draft (September 13, 2012)

A draft cybersecurity executive order has been viewed by Federal News Radio and includes a requirement for the development of a means for industry to disclose vulnerability and threat data to the government. According to the report, the executive order “closely follows” the second version of cybersecurity legislation that was introduced by Sens. Joe Lieberman (I-CT) and Susan Collins (R-ME) in July. A National Security Council spokesman said, “An executive order is one of a number of measures we’re considering as we look to implement the president’s direction to do absolutely everything we can to better protect our nation against today’s cyberthreats.”
Full Story

DATA LOSS—U.S.

Officials Alert Patients: Breached Data May Have Been Sold (September 13, 2012)

University of Miami officials are warning patients affected by a July breach that two university employees may have sold their data, Healthcare IT News reports. The employees accessed information including names, dates of birth, insurance policy numbers, partial Social Security numbers and some clinical information. In some cases, Social Security numbers may have been viewed in full. The university is providing two years of identity protection services, the report states. “We continue to review and refine our physical and electronic safeguards to enhance protection of all patient data,” university officials wrote in a letter.
Full Story

SURVEILLANCE—U.S.

Gov’t Report Questions How Privacy Applies to Drones (September 13, 2012)

A report released by the Congressional Research Service last week questions government use of drones for surveillance, The Hill reports. The Federal Aviation Administration anticipates 30,000 commercial and government drones flying U.S. skies within the next 20 years. The Supreme Court has ruled police may gather surveillance by flying planes and helicopters over homes because the areas are in public view. But the researchers say courts could decide drones are more privacy invasive; their ability to hover and remain in the air longer “may sway a court’s determination of whether certain types of warrantless drone surveillance are compatible with the Fourth Amendment,” the report states. Several lawmakers have introduced drone bills.
Full Story

PRIVACY

The Open Data and Privacy Balancing Act (September 13, 2012)

The Wall Street Journal reports on the balance between open data and privacy and asks, “At some point is there not a risk that opening data is closing privacy?” A Southampton University professor said, “A lot of people think there is an inevitability about” this loss of privacy. Deloitte representative Harvey Lewis said it’s important to differentiate between anonymity and privacy. “People don’t know what is being done with their data nor what the benefits are,” he said. “You cannot judge what the trade-off is between data collection and the potential harm unless you understand what the potential benefits could be.” (Registration may be required to access this story.)
Full Story

PRIVACY LAW—UK

ICO: Cookie Compliance Deadline Set for Some Websites (September 12, 2012)

Out-law.com reports on comments made by Information Commissioner’s Office (ICO) Group Manager for Business and Industry Dave Evans. Businesses should now “know they have to respond to the law,” said Evans. The comments come after one web software firm taunted the ICO about cookie compliance. For noncompliant businesses, Evans said, “It might be a law they wish didn’t exist, but the simple fact is that it is here to stay,” adding, “for example, some sites have failed to engage with us at all, and they’re now being set a deadline to take steps towards compliance, with formal enforcement action likely if they fail to meet this deadline.” Editor’s Note: For the latest on EU cookie consent implementation, see the Field Fisher Waterhouse chart, Cookie ‘consent’ rule: EU implementation, in the IAPP Resource Center.

ONLINE PRIVACY—U.S.

Next President, Congress Face Privacy Challenges (September 12, 2012)

ABC News reports on the top technology hurdles facing the next U.S. president and Congress, one being consumer privacy. With the FTC constrained in its regulatory power and given the nation’s “patchwork of inconsistent, sector-specific laws protecting certain categories of sensitive data…the opportunity for abuse of consumer privacy is growing every day,” the report states. Advances in technology including the increasing use of facial recognition, license plate scanners and drones all present privacy challenges. In the meantime, “Congress has been dragging its feet on a baseline consumer privacy law for over a decade.”
Full Story

PRIVACY LAW—EU

Working Party Releases Meeting Agenda (September 12, 2012)

The Article 29 Working Party has released a draft agenda ahead of its next meeting. The meeting will take place September 25 and 26 in Brussels. It will discuss “the draft application form and cooperation procedure for Binding Corporate Rules (BCR) for processors,” the draft opinion on purpose limitation and “developments on the draft data protection regulation and directive.”
Full Story

PRIVACY LAW—U.S.

FTC Finalizes Myspace Settlement (September 12, 2012)

The Federal Trade Commission (FTC) has finalized a settlement reached in May with Myspace, The Hill reports. The settlement requires the company to develop a data privacy program and undergo privacy audits for two decades, the report states. The FTC found that Myspace violated its privacy policy by sharing users’ personal information with third parties without first obtaining their consent.
Full Story

PRIVACY LAW—U.S.

Judge: Twitter Must Produce Posts or Face Fines (September 12, 2012)

A judge has ruled that Twitter must disclose an Occupy Wall Street protester’s tweets or face a fine. New York State Supreme Court Judge Matthew A. Sciarrino Jr. has said the company must either turn over the posts or provide its earning statements from the previous two quarters so the judge can assess a fine, Bloomberg reports. “I can’t put Twitter or the little blue bird in jail, so the only way to punish is monetarily,” Sciarrino said. In an exclusive for The Privacy Advisor, Mathew Schwartz asks, “Can service providers be held liable for what their users post, tweet or upload, including what others may deem to be offensive communications?”
Full Story

ONLINE PRIVACY

Microsoft: DNT Default Not an Antidote to Advertising (September 12, 2012)

In a piece for ADWEEK, Microsoft’s Rik van der Kooi discusses the company’s decision to make do-not-track the default in its latest version of Internet Explorer. The setting will alert websites by default that users do not wish to be tracked, unless users opt in. Though critics alleged the move pits Microsoft against advertisers’ success, van der Kooi says the company is “not retrenching on our commitment to build a leading advertising business” and argues consumers want more visibility into how their data is used. In doing that and building their trust, consumers will in fact be more willing to share valuable data about themselves, he says. Recently, Apache announced it will override the settings.
Full Story

PRIVACY LAW—SOUTH AFRICA

Personal Information Bill Referred Back to Parliament (September 12, 2012)

The Protection of Personal Information Bill has been referred back to Parliament for a second reading and further debate, reports Business Report. A portfolio committee on justice and constitutional development ruled unanimously in favor of the bill, which would provide a regulatory framework for the ways in which personal data may be processed. The bill is “expected to have a significant impact on the manner in which private and public bodies process personal or identifying information as it aims to protect the free flow of information” and information access while protecting privacy, the report states. One expert advised organizations to look at the bill’s various requirements and consider steps toward compliance.
Full Story

MOBILE PRIVACY—U.S.

NTIA Cancels Meeting To Allow for Fact Gathering (September 12, 2012)

Broadcasting & Cable reports that the National Telecommunications and Information Administration (NTIA) has cancelled its September 19 stakeholder meeting to allow stakeholders to meet with app developers for informal briefings first. One such briefing will occur September 19. At the NTIA’s August 29 meeting, the second of a series of three, participants said they needed more information on the mobile app sphere before making decisions. As a result, such briefings have been scheduled for September 13, 14, 19 and 28. The NTIA meetings aim to establish a code of conduct framework, called for under the Obama administration’s Privacy Bill of Rights.
Full Story

PRIVACY LAW—U.S.

Senate Judiciary Geared to Revamp ECPA, VPPA (September 12, 2012)

The Senate Judiciary Committee has said it will work on an update of the Video Privacy Protection Act and attach provisions to amend portions of the Electronic Communications Privacy Act, the NationalJournal reports. Judiciary Committee Chairman Patrick Leahy (D-VT) said in a statement, “When Congress first enacted these laws almost three decades ago, e-mail was still a novelty and most Americans viewed movies at home on VHS tapes rented at their local video store,” adding, “The explosion of cloud computing, social networking sites, video streaming and other new technologies in the years since require that Congress take action to bring our privacy laws into the digital age.”
Full Story

PRIVACY LAW—UK

Cookie Taunt Launched by Web Firm (September 11, 2012)

BBC News reports on a website created by web software firm Silktide that dares the Information Commissioner’s Office (ICO) to levy punishment for its use of cookies. Nocookielaw.com says the cookie rules are “ineffective.” An ICO spokesman said, “We welcome any opportunity to help us draw attention to this matter as a key part of our work in ensuring compliance with the cookie law has been making businesses aware of the regulations.” An ICO blog post notes education is “key to cookie law progress.” Meanwhile, research by TRUSTe reveals that 63 percent of top UK websites have made cookie compliance efforts.

DATA LOSS—U.S.

App Business Was Source of UDID Breach (September 11, 2012)

The source of last week’s leak of Apple UDIDs has been traced to a Florida-based app publisher and not the FBI as was earlier suspected, InformationWeek reports. Security researcher David Schuetz identified BlueToad as the source in a blog post. BlueToad’s CEO said, “We have fixed the vulnerability and are working around the clock to ensure that a security breach doesn’t happen again.” The Wall Street Journal reports the firm did not encrypt the data it collected. A spokeswoman for Apple said the company was aware of the source of the leak and that UDIDs will soon be banned from a new version of its mobile operating system.
Full Story 

DATA LOSS—UK

ICO Fines Council £250,000 (September 11, 2012)

The Information Commissioner’s Office (ICO) has fined Scottish Borders Council £250,000 for a breach involving the personal information of employees. “This is a classic case of an organization taking its eye off the ball when it came to outsourcing,” said ICO Assistant Commissioner for Scotland Ken Macdonald. The council had contracted an outside company to digitize pension records but failed to “seek appropriate guarantees on how the personal data would be kept secure,” according to an ICO press release. “If one positive can come out of this, it is that other organizations realize the importance of properly managing third parties who process personal data,” Macdonald said.
Full Story

PRIVACY—U.S.

Obama Nominates Joshua Wright to FTC (September 11, 2012)

President Obama yesterday announced the nomination of George Mason University School of Law Prof. Joshua Wright to the Federal Trade Commission (FTC), The Hill reports. If confirmed, Wright will replace Commissioner J. Thomas Rosch. Wright served as the scholar-in-residence at the FTC’s Bureau of Competition from 2007 to 2008. Wright’s academic work has focused on antitrust law, economics, consumer protection, intellectual property and contracts, the report states. The post will now require Senate confirmation.
Full Story

PRIVACY LAW—ISRAEL

Israeli Court Upholds DPA Decision (September 11, 2012)

The Tel Aviv District Court recently upheld an instruction issued by the data protection authority restricting financial institutions from using information about third-party attachment of client accounts for the financial institution’s own purposes, reports Hunton & Williams’ Privacy and Information Security Law Blog. The 27-page decision includes instructions on outsourcing data processing, employee screening, requirements for user authentication for remote access to personal data and responsibility for databases between health insurers and primary healthcare providers, the report states, adding that the decision is “likely to have far-reaching effects on the validity and weight given to a series of detailed guidance documents from the Israeli Law, Information and Technology Authority.”
Full Story

ONLINE PRIVACY

Lawyer’s Site Scores Company Data Policies (September 11, 2012)

TIME reports on one lawyer’s analysis of how 25 major websites handle customer data. Andrew Nichol’s ClickWrapped.com evaluates sites on four categories, including how user data is used and when it can be disclosed. The evaluations are based on a 100-point scale, and points can be gained based on whether the site’s policy is consumer-friendly. Editor’s Note: Google Senior Vice President and General Counsel Kent Walker will discuss Big Data at the Navigate 2012 executive forum, to be held in conjunction with the IAPP Privacy Academy in San Jose, CA, this October.
Full Story

ONLINE PRIVACY

Privacy Concerns Cross Generations (September 11, 2012)

It’s often assumed that young people don’t care about their privacy online, Forbes reports, but 28-year-old Robert Leshner is the CEO and cofounder of Safeshepherd.com, a company that helps individuals remove their personal details from the web. The service launched a year ago and searches data broker websites to delete individuals’ names, addresses and other personal information. It’s generally used by baby boomers, according to Leshner, which he says is “a little bit frustrating. I would like there to be more concern and awareness.” But he notes that awareness seems to be growing among younger generations as their peers and the media increasingly note the repercussions of over-sharing online.
Full Story

PRIVACY LAW—U.S.

Opinion: Businesses Should Be Proactive on Privacy (September 11, 2012)

A slew of privacy issues have been arising out of rapid technological advances—from online tracking to facial recognition—and “while no major legislation has come out of Capitol Hill, shine-the-light hearings on the privacy practices of various companies have been frequent in the House and Senate,” writes Future of Privacy Forum Co-Chair Christopher Wolf in a column for InsideCounsel. Noting “there is virtually no chance a comprehensive privacy law will come from Congress in the few remaining legislative days in this election year,” Wolf writes, “It would be a mistake for any business to assume that the demand for greater privacy protections will subside, even if a federal law is unlikely.”
Full Story

PRIVACY

Book Discusses the Relationship Between Class and Privacy (September 11, 2012)

In a book review for The New York Times, George Washington University Law Prof. Jeffrey Rosen discusses Garret Keizer’s Privacy. The book looks at the relationship between economic class and privacy, arguing that the two are closely connected. Keizer writes that “the powerful have usually found ways to set themselves apart,” citing ship captains who dine in private cabins and bosses who work in private offices while their employees work in cubicles. Though Keizer suggests drastic measures to ensure privacy in the technology age, including turning mobile devices off, Rosen says there are more practical ways to do so, including for “citizens to rise up against shared indignities with shared indignation.” (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

Web Software To Ignore DNT-By-Default Setting (September 10, 2012)

Apache has announced it will override Microsoft’s default do-not-track (DNT) setting, CNET News reports. One of the authors of the DNT standard, Roy Fielding, wrote a patch for Apache that will disable Microsoft’s DNT setting. As a result, web servers using Apache software—the most commonly used software to house websites—will ignore IE10 DNT settings, the report states. Fielding said, “The only reason DNT exists is to express a non-default option,” adding, “It does not protect anyone’s privacy unless the recipients believe it was set by a real human being, with a real preference for privacy over personalization.”

BIOMETRICS—U.S.

Devices Capture Increasing Amounts of Intimate Data (September 10, 2012)

The New York Times reports on the growing number of products capable of monitoring intimate biological data—devices like wireless health monitors and, soon, “stretchable electronics” capable of measuring heart rate, brain activity, body temperature and hydration levels. One company will soon pilot a “Digital Health Feedback System” that will capture biometric data using microchips embedded in a pill and using stomach fluids to emit signals to an external sensor. The ways companies may use or share the data collected by such devices is yet to be seen. One company says customers will own the data but requires customers to grant it permission to use data for “product development and the cultivation of its data sets,” the report states. (Registration may be required to access this story.)
Full Story

DATA LOSS—U.S.

94 Million Records Affected By Government Breaches, Sheriff Announces Breach (September 10, 2012)

The government sector reported 268 incidents of data breaches from January 2009 to May 2012, reports Help Net Security. The breaches exposed a combined total of more than 94 million records. According to research by Rapid7, the number of PII records exposed from 2010 to 2011 increased by almost 170 percent. The leading causes of such losses were unintended disclosure, loss and theft of portable devices, physical loss and hacking, the report states. Meanwhile, a Maine sheriff’s office is warning approximately 180 people who were recently arrested to monitor their personal accounts after their Social Security numbers were inadvertently made public last week for “a fairly limited period of time.”
Full Story

BIOMETRICS—U.S.

FBI Database Fuels Privacy Concerns (September 10, 2012)

A move by the Federal Bureau of Investigation (FBI) to upgrade its biometric database has a number of privacy and civil liberties groups raising red flags over potential privacy intrusions, CNET News reports. The Next Generation Identification program will update the FBI’s fingerprint database and will compile mugshots, DNA data, iris scans and voice recognition to help agents track down suspects. An FBI spokesman said the agency “is tentatively planning to host a meeting of federal law enforcement and national security agencies with privacy and civil liberties groups to discuss various aspects of federal government uses of facial recognition technology later this year.” Sen. Al Franken (D-MN) has expressed privacy concerns about the database.
Full Story

ONLINE PRIVACY

Study: File Sharers Heavily Monitored (September 10, 2012)

A study conducted by researchers at the University of Birmingham in the UK reveals that nearly all files shared via torrent sites are monitored by large Internet service companies that are possibly acting on behalf of copyright enforcers, CBC News reports. In their study, the researchers noticed that IP addresses of file sharers were being tracked by several monitors acting as file sharers, the report states. One of the researchers said, “In the EU, there are quite strong data protection laws, and people who store personal data have to fulfill a lot of criteria, and this could definitely be looked on as personal data about the people being monitored.”
Full Story

PRIVACY—U.S.

Law Firm’s Privacy Hire Follows Growing Trend (September 10, 2012)

The Washington Post reports on the latest law firm to establish a privacy and data protection group. Chicago-based Jenner & Block recently hired Mary Ellen Callahan, CIPP/US, to lead the group. Callahan joins the firm from her position as chief privacy officer at the Department of Homeland Security. “I’m looking to build a pretty robust practice,” Callahan said. “It’s probably a two- to five-year prospect to have this be to the caliber that I want it.” Jenner & Block’s decision to build a privacy practice follows a growing list of firms that have done the same, “including firms such as Venable, Hogan and Covington & Burling,” the report states. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Feds: No Constitutional Protections for Location Data (September 7, 2012)

Wired reports on court arguments made Tuesday by the Obama administration claiming there is “no expectation of privacy” in cellphone location data, meaning law enforcement should not need to obtain a warrant to track a suspect’s movements. Citing a 1976 Supreme Court case, the administration said data such as bank records gleaned from cellphone providers are “third-party records.” The arguments come as the government prepares for a retrial in the United States v. Jones case. The administration’s court filing states, “When a cellphone user transmits a signal to a cell tower for his call to be connected, he thereby assumes the risk that the cellphone provider will create its own internal record.”

DATA PROTECTION

Companies Increasingly Hiring Privacy Counsel (September 7, 2012)

Corporate Counsel reports on Amazon’s announcement of its first in-house head of privacy. Former IAPP Chairwoman Nuala O’Connor, CIPP/US, CIPP/G, will fill the newly created role. Amazon’s decision to establish such a role follows a trend among major tech companies in recent years. Google, Apple and Facebook are among those that have made efforts to establish chief privacy officer roles. Future of Privacy Forum’s Jules Polonetsky, CIPP/US, recalls a time when it was believed privacy officer positions were a passing fad. But the turbulent landscape of privacy regulation has seen companies increasingly hiring counsel to protect themselves from media criticism, class-action lawsuits and Congressional inquiries.
Full Story

PRIVACY LAW—U.S.

White House Circulating Draft Cybersecurity Executive Order (September 7, 2012)

The Hill reports on a draft executive order on cybersecurity being circulated by the Obama administration. The draft has been sent to various federal agencies for feedback and would formulate a voluntary system for firms operating critical infrastructure to adhere to government-backed cybersecurity best practices and standards, the report states. The executive order builds off part of Sen. Joe Lieberman’s (I-CT) cybersecurity legislation from earlier this year. According to the report, the order is also subject to change, and it is not yet clear if it will get final approval from the president.
Full Story

EMPLOYEE PRIVACY—SWITZERLAND

Banks To Notify Employees of Data Transfers (September 7, 2012)

In the wake of concerns surrounding the transfer of bank data to other countries, World Radio Switzerland reports that Swiss banks have agreed to inform employees before data is sent to foreign tax investigators. Data Protection Commissioner Hanspeter Thür said five banks have “signed on to notify employees after Thür threatened to ask the Federal Administrative Court to force banks to protect employee data,” the report states, noting Thür met with bank officials to promote “a transparent process for employees” and that he has “doubts data handovers to the U.S. are legal.”
Full Story

DATA PROTECTION—U.S.

Research Paper Reexamines Reidentification (September 7, 2012)

Columbia University’s Daniel Barth-Jones has released a paper reexamining Latanya Sweeney’s 1997 analysis of reidentification vulnerabilities. With a “profound impact on the development of de-identification provisions” within HIPAA, Sweeney’s study has been “frequently cited as an example” of the “astonishing ease” with which medical data can be reidentified. According to Barth-Jones, this reexamination “exposes an important systemic barrier to accurate reidentification known as ‘the myth of the perfect population register.’” The author provides “recommendations for enhancements to existing HIPAA de-identification policy” and commentary on “balancing the competing goals of protecting patient privacy and preserving the accuracy of scientific research and statistical analyses conducted with de-identified data.”
Full Story

PRIVACY LAW—EU & U.S.

UN Internet Debate Set; Advocates Urge Strong EU Privacy Regs (September 6, 2012)

Debate about how the United Nations (UN) may govern the Internet will commence in Denmark next week, and EuropeanVoice reports that regulators, industry representatives and advocates are set for a robust discussion. Proposed rule changes could affect the UN International Telecommunications Union’s powers to enforce data protection and cybersecurity, the report states. Meanwhile, a group of consumer and privacy groups have sent the European Parliament a letter urging the EU to press forward on tough privacy rules under the proposed data protection regulation, saying “that the promotion of stronger privacy standards in Europe will benefit consumers around the globe.” Editor’s note: For more on this topic, see the article “Privacy worries surround UN Internet regulations” in the September edition of the IAPP’s Privacy Advisor newsletter. (IAPP member login required.) (Registration may be required to access this story.)

BIOMETRICS—EU

EDPS Says Eurodac Proposal Is “Serious Intrusion” (September 6, 2012)

The European Data Protection Supervisor (EDPS) has said the European Commission’s adoption of a proposal to allow Member States’ law enforcement authorities access to the Eurodac database is “a serious intrusion into the rights of a vulnerable group of people in need of protection,” EurActiv reports. Designed to curb illegal immigration, Eurodac is a new fingerprint database for individuals seeking asylum in EU-based countries. The EDPS added, “To intrude upon the privacy of individuals and risk stigmatizing them requires strong justification, and the commission has simply not provided sufficient reason why asylum seekers should be singled out for such treatment.”
Full Story

PRIVACY LAW—U.S.

Judge Consolidates Four Breach Class Actions (September 6, 2012)

A U.S. District Court Judge yesterday consolidated four proposed class-action lawsuits against LinkedIn Corp., The Recorder reports. The suits were filed in California’s Northern District in response to a June security breach and claimed $5 million in damages after hackers stole 6.5 million user passwords from the site and posted them online, the report states. The suits claim that although LinkedIn’s privacy policy says it will protect user data with “industry standards and technology,” the company used “a weak encryption format that failed to comply with basic industry standards…without implementing other crucial security measures.” (Registration may be required to access this story.)
Full Story

HEALTHCARE PRIVACY—U.S.

Expert Offers Tips on EMRs (September 6, 2012)

Legislative incentives have prompted the majority of healthcare providers to begin using electronic medical records. Faced with decisions about how to host data while complying with HIPAA Privacy and Security Rules and the HITECH Act, questions about encryption, intrusion detection and disaster recovery often persist. In this exclusive for The Privacy Advisor, Chris Bowen, CIPP/US, CIPP/IT, offers advice on how to choose the best hosting vendor to keep personal healthcare records safe. “Cloud strategies are gaining significant traction as a solution to hosting data and as a means to easing the burden on healthcare providers as they migrate to EMR,” Bowen writes. (IAPP member login required for access.)
Full Story

DATA LOSS—U.S.

Apple Denies Providing UDIDs to FBI (September 6, 2012)

Apple says it did not provide a set of IDs tied to its devices to the Federal Bureau of Investigation (FBI), The Wall Street Journal reports. Hacking group AntiSec claims to have obtained millions of unique device identifiers (UDIDs) from an FBI agent’s laptop. “The FBI has not requested this information from Apple, nor have we provided it to the FBI or any organization,” said an Apple spokeswoman. The FBI has said it has “no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained the data.” (Registration may be required to access this story.)
Full Story

MOBILE PRIVACY—U.S.

FTC Publishes Mobile App Tips, Survey Finds Users Want Privacy (September 6, 2012)

The Federal Trade Commission has published a guide to help mobile app developers “observe truth-in-advertising and basic privacy principles when marketing new mobile apps.” Telling the truth about what your app can do, disclosing key information and offering easy-to-find-and-use choices are all tips within “Marketing Your Mobile App: Get It Right from the Start.” Meanwhile, a recent survey by the Pew Research Center’s Internet & American Life Project found that 54 percent of app users decided not to install an app when they realized the amount of personal information the app would collect, and 30 percent uninstalled an app when they realized the amount of personal information collected.
Full Story

PRIVACY LAW—U.S.

Survey: Data Privacy Greatest Obstacle To Investigations (September 6, 2012)

A recent study has found that data privacy “is the biggest challenge for lawyers and accountants conducting multinational investigations or cross-border litigation,” The Wall Street Journal reports. The study, which was conducted by FTI Consulting, Inc., and surveyed 114 legal and accounting professionals involved in e-discovery cases, found that 54 percent said data privacy was the greatest obstacle to such processes. Multinational investigations are costly and are expected to be increasingly so as data privacy requirements increase in coming years, the survey found. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—CAYMAN ISLANDS

Draft Data Protection Bill Released (September 5, 2012)

A draft data protection bill aimed at regulating data collection and use by organizations in the public and private sectors has been released, Cayman News Service reports. The Data Protection Bill 2012 also would provide individuals with more rights to access and control their personal data. A representative of the Information and Communications Technology Authority said, “Data protection affects everyone and the working group seeks to present a comprehensive bill to Cabinet that suits the needs of the Cayman Islands while meeting international standards,” adding, “we are very interested in hearing from individuals and specific business sectors that expect any additional areas will be particularly challenging.”

PRIVACY

Getting Your Board on Board (September 5, 2012)

In this exclusive for The Privacy Advisor, three privacy pros offer insights on how to get board or executive-level support for building strong privacy programs. Norine Primeau-Menzies, CIPP/C, recommends generating a sense of urgency and making it “fun.” Michael Spadea, CIPP/US, CIPP/E, recommends having compelling evidence for your case and connecting emotionally. “Tell a meaningful story,” he advises, adding evidence should be displayed in a “vivid, graphic and easily understandable format.” Chris Pahl, CIPP/US, CIPP/G, recommends starting small, with periodic updates to the board to keep it engaged, and inviting stakeholders to be part of the decision-making process. (IAPP member login required for access).
Full Story

PRIVACY LAW—U.S.

Judge Throws Out Consumer Complaint (September 5, 2012)

MediaPost reports on a federal judge’s dismissal of a consumer lawsuit against 17 tech companies. U.S. District Court Judge Sam Sparks found the consumers’ written complaint is “too unwieldy” for the lawsuit to proceed, the report states. The suit was filed against the tech companies for allegedly collecting or storing users’ address books without their consent, the report states. Complaints are required to make allegations in a “short and plain statement.” Sparks said the consumers’ complaint was not “written with an eye toward this court’s busy docket” and is instead aimed at the “court of public opinion.” The consumers have until September 12 to amend the complaint.
Full Story

DATA LOSS—U.S.

FBI Denies Allegations, AntiSec Defends Actions (September 5, 2012)

The Associated Press reports the FBI has disputed claims by a computer hacker group that it stole millions of unique device identifiers (UDIDs) from an agent’s laptop. “FBI officials said the bureau never asked for and never possessed the database that the group, which calls itself AntiSec, is posting on a website,” the report states. AntiSec, meanwhile, is defending its release of just over one million of the numbers, “arguing the privacy questions they raise would have otherwise been ignored” and noting it removed personal details before publishing the UDIDs.
Full Story

FINANCIAL PRIVACY—ARGENTINA

Government Tracking Credit Card Purchases (September 5, 2012)

The Argentine government has begun requiring banks to report credit card purchases to national tax authorities and is adding a 15-percent surcharge on purchases made outside the country using Argentine bank-issued credit cards, reports Forbes. The changes are an effort to combat tax evasion and close off ways for people to convert pesos to U.S. dollars at the official rate, which is lower than the black market rate. The author states this is an example of how a “cashless society… has actually advanced the cause of financial repression,” adding that these are “important lessons in why a cashless society should not strip everyone of their transactional and financial privacy.”
Full Story

PRIVACY LAW—EU & UK

Parliamentary Committee Hears Evidence on Proposed Framework (September 5, 2012)

The UK Parliament’s Justice Select Committee has held its first evidence session on the EU’s proposed data protection framework, reports Field Fisher Waterhouse’s Victoria Hordern. The Association of Chief Police Officers, the Federation of Small Businesses and the Information Commissioner’s Office were among those who provided their opinions. While many said the regulation brings welcome changes, “the overwhelming response was to criticize the overly-engineered text” of both the regulation and the Data Protection Directive, the report states, and a key “tension in the regulation exists between the drive toward harmonization and the consequent prescriptive practices and procedures that the commission’s version of harmonization requires.”
Full Story

BIG DATA—U.S.

Restaurants, Retailers and Data Collection (September 5, 2012)

The New York Times reports on the growing collection of consumer data by restaurants. To help engender “highly personalized hospitality,” many restaurants are constructing databases to identify consumer preferences and, in some cases, log data on potential diners or analyze an individual’s spending habits. With the aid of computer software and Internet services, restaurants can “amass a trove of data with ease,” something, the report states, that “may strike some diners as creepy or intrusive.” Meanwhile, Time reports on the future of retail in the age of Big Data. With increased use of video cameras and smartphone location data, Pam Dixon of the World Privacy Forum said “it’s absolutely crucial for these companies to…disclose what is happening.” (Registration may be required to access this story.)
Full Story

PRIVACY LAW—URUGUAY

Nation Declared Adequate by EU (September 4, 2012)

The European Union has confirmed that Uruguay has achieved adequacy for personal data protection, according to the website of the nation’s data protection authority. “It is a recognition to the work of the regulatory unit and control of personal data,” the website states, “and a confidence in Uruguay as a country capable of assuming the challenge of taking care of the adequate controls that are required in the use and treatment of the personal data that has been provided.”

DATA LOSS—U.S.

Hackers Access 12 Million UDIDs (September 4, 2012)

Hackers have accessed approximately 12 million unique device identifiers (UDIDs) from a Federal Bureau of Investigation (FBI) file and have published more than one million of them, ZDNet reports. The hackers allegedly compromised the laptop of an FBI agent by exploiting a vulnerability and retrieved 12,367,232 UDIDs, some of which may have been stored alongside user names, device types, zip codes, cellphone numbers and addresses, the report states. The hackers have questioned why the FBI has so much user data and said it was “the right moment” to release it, adding, the “hardware-coded IDs-for-devices concept should be eradicated from any device on the market in the future.” The group said it removed some of the identifiable information from the published list.
Full Story

DATA PROTECTION

Amazon Hires Nuala O’Connor as Privacy Lead (September 4, 2012)

Former IAPP chairwoman Nuala O’Connor, CIPP/US, CIPP/G, has been hired by Amazon to fill a newly created role as the firm’s top privacy counsel, The Wall Street Journal reports. O’Connor has been chief privacy leader at General Electric since 2005 and was previously chief privacy officer at the U.S. Department of Homeland Security (DHS). Prior to her work at DHS, O’Connor served as the first privacy counsel at DoubleClick and was part of a team that “would become among the first and most high-profile privacy pros in the country.” She will fill the position of vice president and associate general counsel, compliance and privacy. (Registration may be required to access this story.)
Full Story

MOBILE PRIVACY—U.S.

Some Apps Track Users When Idle, Researchers Say (September 4, 2012)

Researchers at the Massachusetts Institute of Technology have revealed that various mobile apps collect and transmit user data even when they are not being used, The Boston Globe reports. Some of the apps tested by Frances Zhang and Fuming Shih gather and share information such as location, contacts and web browsing histories. Zhang and Shih aim to turn their work into an app privacy rating system, including an “intrusiveness score,” to help users quickly understand app privacy policies and how much personal data apps collect, the report states. Zhang said, “Over time, we hope to use this to motivate developers to be more careful about their privacy policies.”
Full Story

PRIVACY LAW—INDIA

Panel Makes Recommendations for Proposed Law (September 4, 2012)

A government panel has recommended jail terms of up to five years and monetary fines for snooping violations be included in India’s proposed privacy law, Hindustan Times reports. In its draft report on the law, the panel has also said “unauthorized sharing of personal information or interception of communication and its disclosure should be made a cognizable offence,” the report states, and it recommends a privacy commissioner with regional offices be established to register complaints and enforce the law. Additionally, government agencies and service providers should adhere to self-regulation, supervised by the privacy commissioner.
Full Story

HEALTHCARE PRIVACY—U.S.

Texas Law Takes Effect (September 4, 2012)

San Antonio Express-News reports on a new state privacy law in Texas that will place more stringent requirements on physicians and other entities using electronic health records (EHRs). HB 300 took effect September 1 and expands existing requirements under HIPAA. Changes include a broader definition of “covered entities” to anyone who handles protected health information, including business associates, schools and researchers. Covered entities must prominently display notices on authorized disclosures, and patient consent is required for certain other disclosures. The law also requires entities to comply with patient requests for their EHRs within 15 days.
Full Story

DATA LOSS—HONG KONG

Confidential Data Found in Boxes Near Recycling Firm (September 4, 2012)

The Privacy Commission is investigating the disposal of confidential documents found in boxes near a recycling firm’s offices, The Standard reports. More than 80 boxes were found containing details on hospital patients, application forms for a TV service and receipts from a clothing chain including credit card and mobile phone numbers, the report states. A hospital and a retailer associated with the discarded documents said they had hired the recycling firm to shred the data. The Personal Data (Privacy) Ordinance requires “all practicable steps” be taken to protect personal information on individuals.
Full Story