Privacy News | Daily Dashboard

Top Privacy News

FINANCIAL PRIVACY—U.S.

Credit Bureau May Share Payroll Data (January 31, 2013)

NBC News reports on a company that has assembled a database containing approximately 190 million employment and salary records, representing nearly one-third of all U.S. adults. The Equifax-owned firm, The Work Number, with the aid of thousands of human resource departments, reportedly sells the sensitive data to debt collectors, financial service companies and other entities. One individual who runs an employment background company said, “It’s the biggest privacy breach in our time, and it’s legal, and no one knows it’s going on.” Weekly payroll stubs and human resource-related information are among the data collected. Equifax said it shares “employment data” in accordance with the Fair Credit Reporting Act. Privacy expert Larry Ponemon, CIPP/US, said, “This is unbelievably scary. I consider payroll information very sensitive and private.”

ONLINE PRIVACY—U.S.

eBay Executive Warns of Privacy “Clash” (January 31, 2013)

John Donahoe, chief executive of eBay, has said Internet companies must be proactive in protecting user privacy to avoid increased government regulation, The Economic Times reports. “There’s going to be, at some point in the next few years, a trigger point,” he said. “It’s going to be necessary for us to have some national dialogue on privacy so we don’t have a clash point and they overregulate and slow down innovation.” Donahoe added that eBay does not share user information, “but I think there are huge opportunities to use data, to personalize the experience, and if you choose to share with others, it can make the experience even better.”

SURVEILLANCE—U.S.

As Drone Use Proliferates, Legislators File Bills (January 31, 2013)

TIME’s Lev Grossman reports on the proliferation of drones in the U.S. He writes that drones will “spy for anyone, and as they get cheaper and more powerful and easier to use, access to military-grade surveillance technology will get easier too. Voracious as they are for information, drones could take a serious chunk out of Americans’ already dwindling stock of personal privacy.” Meanwhile, two Oregon legislators have introduced bills aimed at restricting future use of drones by both law enforcement and the public. The bills, authored by Sen. Floyd Prozanski (D-Eugene) and Rep. John Huffman (R-The Dalles), would criminalize using drones for spying.

DATA PROTECTION—CHINA & U.S.

Bureau Passwords Hacked; Sen. Releases Cybersecurity Report (January 31, 2013)

The New York Times reports that Chinese hackers infiltrated the news bureau’s computer systems and acquired passwords of reporters and other employees. Security experts found that over a four-month period, hackers stole the corporate passwords of every Times employee in order to access the personal computers of 53 specific employees, but no customer data was breached, the report states. Meanwhile, Sen. Jay Rockefeller (D-WV) has released a staff memorandum detailing the comments his office received from companies regarding cybersecurity practices. Of nearly 300 respondents, more than 80 percent came from Fortune 100 firms. The memorandum is expected to inform future cybersecurity legislation. Last week, Rockefeller introduced the Cybersecurity and American Cyber Competitiveness Act of 2013. (Registration may be required to access this story.)

PRIVACY LAW—U.S.

Lawmaker Introduces Mobile App Draft Bill (January 31, 2013)

A Georgia legislator has released a discussion draft of the Application Privacy, Protection and Security Act of 2013, which would regulate how mobile applications collect personal data, IVN reports. Before introducing the draft, Rep. Hank Johnson (D-GA) launched the online initiative AppRights to gain insight from the public on how they’d like to see mobile apps protect their information. The bill would require apps to provide a privacy policy and an opt-out option. Meanwhile, NPR reports on one expert’s research into teenagers' online behavior, which indicates they are “very aware of privacy issues.”

PRIVACY LAW—U.S.

Data Breach Bill Passes State Senate (January 31, 2013)

Sen. Stuart Reid’s (R-Ogden) bill aimed at preventing data breaches passed through Utah’s senate this week, The Salt Lake Tribune reports. SB20 would require the State Department of Technology Services to follow industry best practices, determined by a to-be-established panel of experts. If budget constraints won’t allow for best practices, the state’s chief technology officer would be required to notify the state’s Senate and House of data breaches, the report states. Reid’s wife was among the victims of a Utah health security breach last year affecting 780,000 individuals. The bill will next move to the House.

BIG DATA—U.S.

Obama Transfers Campaign Database to Advocacy Group (January 30, 2013)

The Obama administration has transferred its database comprised of millions of American supporters from the 2012 U.S. presidential campaign to a newly created advocacy group, NBC News reports. Organizing For Action (OFA) has acquired access to the database. The information gleaned from the database will be used to initiate an “army of the door-knockers” supporting the president’s agenda and to help raise money for “issue ads,” the report states. Electronic Privacy Information Center Associate Director Lillie Conley said the development is “extremely worrisome” and that supporters are probably unaware their personal information has been transferred. “I can’t think of anything that rivals this data,” Conley said. “The private sector would love to be able to do what the campaign was able to do.”

HEALTHCARE PRIVACY—U.S.

Will New Subcontractor Rules Limit Breaches? (January 30, 2013)

With the new HIPAA omnibus rule in place, HealthITSecurity reports on how organizations will vet business associate agreements (BAAs) and whether this will limit the number of data breaches. Mintz Levin Partner Dianne Bourque said liability concerns around a subcontractor’s mistakes could alter the BAA decision-making process by healthcare organizations. The Office for Civil Rights (OCR) states a high number of breaches are the result of noncompliance by business associates (BAs), Bourque said, adding that the OCR sees covered entities and BAs the “same way, no matter how far downstream the information is passed, the same obligations and liabilities apply.” The result, Bourque contends, is that organizations may “think twice about who they (or their BAs) hire as subcontractors.” Meanwhile, the Center for Democracy & Technology’s Deven McGraw highlights changes from the new rule. Editor’s Note: McGraw will join Wiley Rein Partner Kirk Nahra, CIPP/US, on the upcoming web conference, HIPAA Final Omnibus Rule Announced—Privacy, Security, Enforcement and Breach Notification Rules Modified, on February 7.

CHILDREN’S PRIVACY—U.S.

Disney Defends New Tracking System (January 30, 2013)

A week after receiving a letter from a lawmaker expressing concern over children’s privacy, Walt Disney CEO Robert Iger defended his company’s new program, writing they “are offended by the ludicrous…assertion…that we would in any way haphazardly or recklessly introduce a program that manipulates children…” Disney said it has no plans to market to children under the age of 13 and will not collect their data without parents’ explicit consent, reports Forbes. Future of Privacy Forum Co-Chair Jules Polonetsky, CIPP/US, said, “Shoot first and ask questions later has become the unfortunate pattern on Capitol Hill when privacy questions arise,” adding, “Companies are assumed to be up to no good, even when their goal is using technology to improve services for customers.”

DATA PROTECTION—EU

Reding and Shatter on the Importance of Pending Data Protection Rules (January 30, 2013)

In a blog for The Hill, EU Justice Minister Viviane Reding and Irish Justice Minister Alan Shatter discuss why reforms of EU data protection rules are essential to “protect both citizens’ rights and facilitate business in the digital age.” The reforms will cut costs and increase legal certainty, mitigate risks to companies’ financial success and reputation by requiring data protection safeguards and provide clarity for international transfers, Reding and Shatter write. “The message is clear, a uniform and modern data protection law for the European Union is exactly what we need to secure trust and generate growth in the digital single market.”

DATA PROTECTION

A How-To on Kick-Starting Your Company’s Privacy Program (January 30, 2013)

It’s not enough for a business to create a privacy policy and place it on its website, says Bob Siegel, CIPP/US, CIPP/IT, founder of Privacy Ref. Businesses must also define policies and practices, verify employees are complying and confirm third-party service providers are practicing adequate data protection. In this exclusive for The Privacy Advisor, Siegel identifies 10 steps companies should follow when kick-starting their organization’s privacy program. Editor's Note: For more tips and tools from the pros, visit the IAPP's Resource Center.

DATA LOSS—U.S.

Police Chief To Oversee Logs Following Breach (January 30, 2013)

Following a breach, a Massachusetts police chief says any local police logs to be posted online will have his personal stamp of approval on them, The Lowell Sun reports. Littleton Police Chief John Kelly says human error led to the release of data on more than 100 individuals earlier this month. The data included names, dates of birth, addresses and Social Security numbers of individuals who had been in contact with police during a six-day period. Those affected have been notified. Meanwhile, a recent survey has found that nearly two-thirds of data breaches are “due to lost paper files and portable memory devices.”

DATA LOSS—U.S.

FTC Settles With Blood Bank for Failure To Protect Data (January 29, 2013)

The Federal Trade Commission (FTC) has agreed to settle with a blood bank firm, alleging that CBR Systems made false and deceptive claims to its customers regarding “reasonable and appropriate” steps to protect their data. A company laptop, hard drive and unencrypted backup tapes containing Social Security numbers, credit card numbers and other sensitive personal data of nearly 300,000 individuals were stolen from an employee’s car in 2010, The Hill reports. CBR Systems has agreed to create an information security program and will undergo biannual audits for the next 20 years. FTC Commissioner Maureen Ohlhausen said the agency plans to focus on companies’ data security measures this year as well as its study of the data broker industry and continued attention to advances in facial recognition technology, the report states. Editor’s Note: Ohlhausen and Foley & Lardner Partner Andrew Serwin, CIPP/US, CIPP/E, CIPP/G, will share their expertise during the breakout session Conversations in Privacy: A Talk with Commissioner Ohlhausen at the IAPP Global Privacy Summit in Washington, DC.

MOBILE PRIVACY—CANADA & THE NETHERLANDS

Regulators Say App Violates International Law (January 29, 2013)

A joint report released by the Office of the Privacy Commissioner of Canada (OPC) and the Dutch Data Protection Authority (DPA) states that WhatsApp—one of the world’s most popular mobile apps—violates international privacy law, Reuters reports. The instant-messaging application requires users to provide access to their complete address book, including users and non-users, the report states. Dutch DPA Chairman Jacob Kohnstamm said, “This lack of choice contravenes (Canadian and Dutch) privacy law. Both users and non-users should have control over their personal data and users must be able to freely decide what contact details they wish to share with WhatsApp.” The OPC initiated an investigation of the company in January 2012 for potentially violating the nation’s federal privacy law. Bird & Bird Partner Gerrit-Jan Zwenne told the Daily Dashboard, “Clearly the Dutch DPA thinks it has extra-territorial powers. The implications are far-reaching, as this would be no different for other DPAs in the EU. If this interpretation of EU data protection law is right—many doubt that—all national DPAs could investigate any non-EU-based controller that provides apps to EU nationals."

SOCIAL NETWORKING

Facebook Unveils “Ask Our CPO” Feature (January 29, 2013)

As a replacement for its now defunct user voting policy and to “enable you to send us your questions, concerns and feedback about privacy,” Facebook has launched a new “Ask Our CPO” feature, TechCrunch reports. Facebook CPO Erin Egan answered three of the most common questions in a blog post. “We’ve built a comprehensive privacy program that helps us take a systematic approach to privacy,” she wrote in answer to whether the company thinks about privacy when designing new products. Egan also stated the company does not sell users’ private information to advertisers. “We use the things you do and share on Facebook, including demographics, likes and interests to show ads that are more relevant to you,” she wrote. Editor’s Note: As part of our Conversations in Privacy series, Egan will be joined by Facebook Associate General Counsel Edward Palmieri, CIPP/US, and Future of Privacy Forum Director Jules Polonetsky, CIPP/US, in the breakout session Facebook and Your Organization—What Every CPO Should Know at the IAPP Global Privacy Summit.

ONLINE PRIVACY—U.S.

Maryland Creates “Internet Privacy Unit” (January 29, 2013)

The Maryland Attorney General’s Office has announced the creation of a new unit aimed at addressing privacy online, including cybersecurity, cyberbullying, company privacy policies and the enforcement of the Children’s Online Privacy Protection Act, reports The Washington Post. While criminal activity is a problem, Attorney General Douglas Gansler said the Internet Privacy Unit isn’t “under a criminal rubric. This is about the information you’re putting online—to whom it’s being disseminated, to who your information is being sold to, for commercial gain.” (Registration may be required to access this information.)

ONLINE PRIVACY

Google, Twitter Push Awareness of Gov’t Access (January 29, 2013)

Monday marked the fourth annual Data Privacy Day, and saw two major tech companies observing it by working to increase public awareness of the ease with which governments worldwide can access online data, reports CNN. Twitter released its latest transparency report outlining government requests for data, including more detail this year, and Google followed up on its report released last week with calls for more stringent protections for users’ data. Google’s chief legal officer said, “We want to be sure we’re taking our responsibilities really seriously,” adding, “we are going to make sure that governments around the world follow standards and do this in a reasonable way that strikes the balance.”

ONLINE PRIVACY—U.S.

Study: Privacy Diminished by Social Media, Smart Devices (January 29, 2013)

A Ponemon Institute study has found that 59 percent of respondents believe their privacy rights are being diminished by social media, smart devices and geo-tracking, reports San Jose Mercury News. Of the 6,704 U.S. adults questioned, 49 percent had received at least one breach notification within the past two years, and 61 percent cited identity theft as their top privacy fear. The report also ranks businesses based on consumer trust, with American Express and HP coming in first and second, but notes the ratings may not “reflect the actual privacy practices” of companies and may be influenced by media coverage, products and advertising.

PRIVACY LAW—EU & U.S.

U.S. Industry, Advocates, Gov’t Pushing Agendas in Brussels (January 28, 2013)

The U.S. Commerce Department and major American tech companies are lobbying the European Parliament against proposed amendments to EU data protection laws, while civil rights and privacy advocates are supporting the changes, The New York Times reports. “The rest of the world is looking to see who will prevail because the Asians, Latin Americans and Africans all need to do business with the U.S. and Europe,” said one privacy advocate. Meanwhile, reactions to MEP Jan Philip Albrecht’s more restrictive proposals continue. Eduardo Ustaran, CIPP/E, of Field Fisher Waterhouse asks in his blog post, “Is this proposal the only possible way of truly protecting our personal information or have the bolts been tightened too much?” (Registration may be required to access this story.)

ONLINE PRIVACY

Google Shares How it Handles Data Requests (January 28, 2013)

In the wake of its recent report on the number of requests it receives from governments around the world for private data, Google has posted its policies “for when it gives up users' information,” NPR reports, noting the move is “part of a broader company strategy to push for tougher privacy laws.” Google Senior Vice President and Chief Legal Officer David Drummond explained, “The new thing is that we're actually sort of saying in a granular way, product by product, how it is that we handle the requests,” adding that while “life becomes more digital, we want to make sure that people don't lose protections that they had in the analog world.”

ONLINE PRIVACY—UK

ICO To Change Cookie Policy to Implied Consent (January 28, 2013)

The Information Commissioner’s Office (ICO) has announced it will alter its website’s cookie consent policy from “explicit consent” to “implied consent,” Out-Law.com reports. The ICO said it is making the change to “collect reliable information to make our website better.” Since the agency’s introduction of explicit consent for cookies in May 2011, “many more people are aware of cookies, both for users and website owners,” the ICO has written on its website, adding, “We now consider it’s appropriate for us to rely on a responsible implementation of implied consent, as indeed have many other websites.” The change is expected at “the end of January,” the report states.

SURVEILLANCE—CANADA

Prof. Offers Privacy-Compliant Camera Reward (January 28, 2013)

A professor is offering $100 to any person who can provide an example of a surveillance camera operated by a business that is compliant with Canadian privacy law, Metro News reports. University of Toronto Information Policy Research Program Prof. Andrew Clement said, “We thought this is something that calls for more attention, so we wanted to document the problem without having to do all the documentation ourselves.” Privacy laws differ between provinces and the public and private sectors, the report states, but guidelines have been provided by Canada’s federal privacy commissioner. Signs informing individuals they are being recorded, the purpose of the surveillance and who to contact should all be provided, according to the report.

PRIVACY LAW—UK

12 File Online Tracking Suit (January 28, 2013)

A group of 12 Apple device users in the UK have filed a lawsuit claiming Google tracked their browsing habits without their knowledge, reports Belfast Telegraph. The claimants say that assurances given by Google and the default settings on their Safari browsers led them to believe that cookies would be blocked, and they are seeking damages. Big Brother Watch Director Nick Pickles said the case “could set a hugely important legal precedent and help consumers defend their privacy…"

PRIVACY LAW—HONG KONG

Journalists Campaign Against Proposed Law (January 28, 2013)

A group of Hong Kong journalists have published a petition in five local newspapers against a proposed law that would limit access to information about company directors. The petition includes the signatures of 1,769 reporters, editors, media teachers and students. Hong Kong Journalists Association (HKJA) Chairwoman Mak Yin-ting warned if the bill becomes law, “the free flow of information will be suffocated.” The move to petition comes after the government said it would consult with the privacy commission over the proposed changes, according to South China Morning Post. In a full-page ad, the HKJA stated, “Allowing the public, including journalists, to examine the personal data of a director has long been a sound common practice, which has not been abused.”

PRIVACY

Data Privacy Day Raises Awareness (January 28, 2013)

The National Cyber Security Alliance (NCSA) officially kicked off today’s Data Privacy Day events with a broadcast from George Washington University Law School featuring Federal Trade Commissioner Maureen Ohlhausen and privacy and security experts from industry and government. Observed in countries across the globe, “Data Privacy Day highlights a year-round effort for all of us to improve measures to protect our personal data,” said NCSA Executive Director Michael Kaiser, noting, “We want all digital citizens to feel like they have a choice in how their data is being collected, stored and consumed and that starts with being educated about the privacy policies of online companies and web properties. As society increasingly becomes more wired, it's imperative we understand how to best protect our data.”

DATA PROTECTION—EU & U.S.

U.S. Officials Worried About Reg’s Effect on Industry; Committee Votes To Water It Down (January 25, 2013)

Privacy advocates hoping new EU regulations on data protection might lead to worldwide standards may be disappointed following reactions from U.S. industry groups and the Obama administration, The Washington Post reports. Officials from the U.S. Department of Commerce (DoC) and the U.S. Mission to the European Union have expressed concerns about the current EU proposal’s potential effect on industry and cross-border cooperation. “We need to have a global conversation. This is too important,” said Cameron Kerry, general counsel to the DoC, adding “We have to maintain the free flows of information.” Meanwhile, the European Parliament’s Committee on the Internal Market and Consumer Protection has voted in favor of relaxing the proposed regulation. (Registration may be required to access this story.)

PRIVACY LAW—U.S.

Lawmakers Seek Tougher Penalties for Breaches (January 25, 2013)

Legislators in Minnesota are seeking tougher legislation to prevent public employees from accessing private data without authorization and to require public agencies to notify the public of such breaches, the StarTribune reports. One week after the state’s Department of Natural Resources (DNR) revealed an employee had viewed thousands of driver’s license records without authorization, state Rep. Mary Liz Holberg (R-Lakeville), who has sponsored a bill on the matter, said the “time is ripe” for a law. Though the bill focuses on misuse of driver and vehicle data, it would cover breaches of any government database. Meanwhile, a man affected by the breach at the DNR has filed a lawsuit in federal court.

PRIVACY—EU & IRELAND

Deputy DPC To Leave Post for Apple (January 25, 2013)

Ireland Deputy Data Protection Commissioner Gary Davis will be leaving the agency to take up a job as head of privacy for Apple in Europe, The Irish Times reports. The move, according to the report, “may be viewed as a sign of the tech giant’s commitment to preparing at an early stage for the planned changes in Europe’s data protection regime.” Davis has been deputy commissioner since 2006 and headed the department’s audit of Facebook’s privacy policies—the office’s biggest investigation to date. He is slated to take up his new role next month, the report states.

CHILDREN’S PRIVACY—U.S.

Markey Probes Theme Park Bracelet System (January 25, 2013)

Rep. Ed Markey (D-MA) has written a letter to Disney Chairman and CEO Bob Iger expressing concern that the company’s new MyMagic+ system could violate children’s privacy, Adweek reports. Markey wrote, “Although kids should have the chance to meet Mickey Mouse, this memorable meeting should not be manipulated through surreptitious use of a child’s personal information.” Disney’s new system has not yet been rolled out, but according to its privacy policy, “no data is ever used to market to children,” the report states. The company has until February 14 to provide Markey with details on how data is collected, stored and shared and whether children will be served targeted ads.

SOCIAL NETWORKING

Open Letter Seeks Skype Transparency (January 25, 2013)

A collection of privacy advocates, Internet activists, journalists and others have written an open letter asking for public disclosure of the privacy and security practices used by video communications service Skype, CNET News reports. The group—which includes the Electronic Frontier Foundation and Reporters Without Borders—is particularly concerned about government access to conversations, the report states. The letter asks Skype owner Microsoft to provide a “regularly updated Transparency Report.” Microsoft said it is reviewing the letter. Meanwhile, a newly introduced video-sharing service for Twitter experienced a privacy snag when it was discovered that users were logged in as the incorrect user. The service was temporarily taken down, and bugs have since been ironed out.

DATA LOSS—UK

ICO Levies 250,000-GBP Fine (January 24, 2013)

The UK Information Commissioner’s Office (ICO) has issued a 250,000-GBP fine to Sony for a 2011 breach affecting approximately 77 million users, MSN Money UK reports. The ICO contends that the breach could have been prevented, the report states. “If you are responsible for so many payment card details and log-in details, then keeping personal data secure has to be your priority,” ICO Deputy Commissioner David Smith said, adding, “there’s no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe.” A company spokesman said, “Sony Computer Entertainment Europe strongly disagrees with the ICO’s ruling and is planning an appeal.”

ONLINE PRIVACY

Google Report: Increase in Gov’t Requests for Data (January 24, 2013)

Governments around the world continue to make requests for users’ private data at an ever-increasing rate, The Guardian reports. “User data requests of all kinds have increased by more than 70 percent since 2009,” said Richard Salgado, legal director at Google. Google’s latest transparency report shows U.S. government requests up 136 percent, and explains the U.S. legal process for gathering electronic information. The report says that under the Electronic Communications Privacy Act, 68 percent of U.S. data requests require no subpoena or warrant.

DATA PROTECTION

Experts Discuss Threats, Anticipate Action (January 24, 2013)

A group of U.S. attorneys predict that U.S. regulators and states will enact privacy rules, despite failed attempts thus far to enact national privacy legislation. During a roundtable discussion on legal trends, Hunton & Williams’ Lisa Sotto, CIPP/US, Information Law Group’s David Navetta, CIPP/US, and Faruki Ireland & Cox’s Ronald Raether, CIPP/US, discussed today’s top privacy threats. Sotto said security vulnerabilities remain the biggest problem when it comes to protecting data. She not only mentioned perpetrators seeking to commit identity theft and account fraud but also the legitimate actors who may treat data in ways individuals find offensive. “We’re hearing a lot about online behavioral advertising or targeted marketing,” she said.

BIG DATA—U.S.

The Personalization of Junk Mail (January 24, 2013)

The Wall Street Journal reports on the recent success in the junk mail industry due to database changes, increased computing power and better storage capability. Direct marketers can now more quickly and accurately filter public and private data sources to more targeted demographics. Traditionally, retailers have been able to use public sources of data—such as age and marital status—but now more data combinations are available. Electronic Frontier Foundation Sr. Staff Attorney Lee Tien said public awareness on the issue is lacking. “This industry has existed for a long time,” he said, “but it wasn’t a significant privacy issue—the technology changes have made it a more significant issue.” (Registration may be required to access this story.)

EMPLOYEE PRIVACY—NEW ZEALAND

Commissioner: Drug Tests May Be Illegal (January 24, 2013)

New Zealand Privacy Commissioner Marie Shroff says proposed welfare rules that require beneficiaries to take drug tests are potentially illegal, reports Stuff.co.nz. Shroff says a provision contained in the Social Security (Benefit Categories and Work Focus) Amendment Bill that would require job candidates to take drug tests upon employers’ requests could violate employees’ privacy. Currently, job candidates can decline to take a test without penalty. Job candidates “are not likely to challenge the legality of a drug test, as refusing to give consent would leave them at risk of having their benefit cut,” Shroff said.

DATA PROTECTION—U.S.

SEC Guidelines “A Potential Game-Changer” (January 24, 2013)

The Securities and Exchange Commission, in recognizing the reputational and financial risks to companies following a data breach, promulgated guidelines in 2011 on how cybersecurity risks should be disclosed by publicly traded companies. In this exclusive for The Privacy Advisor, Carlton Fields’ Rebecca Shwayri discusses steps such companies should take to properly protect themselves from the harmful effects of a breach. “Simply ignoring the impact that a cybersecurity incident may have on a company’s balance sheet is no longer a proper course of action,” she writes.

ONLINE PRIVACY

Panel Discusses Consumer, Industry “Privacy Gap” (January 24, 2013)

A panel featuring representatives from government, industry and advocacy met to discuss the “privacy gap” between businesses and consumers, ZDNet reports. The president of the Application Developers Alliance noted that “effective communication” between consumers and companies about what data is collected, how it’s shared and whether a firm has experienced a data breach contributes to filling in the gap, the report states. Microsoft Chief Privacy Officer Brendon Lynch, CIPP/US, promoted baking privacy into product and system design from the beginning, adding, “often it’s a matter of choosing better default settings on behalf of users.” Microsoft has also commissioned a survey on consumer privacy expectations.

PRIVACY LAW—EU

EDPS Calls for Greater Power, Efficiency (January 23, 2013)

European Data Protection Supervisor (EDPS) Peter Hustinx has released a two-year strategy to make the EDPS more efficient and effective, EUobserver reports. The proposed guidelines are intended to help lawmakers craft legislation. Hustinx also foresees closer working relations with EU institutions with increased visits and inspections. Speaking in Brussels, Hustinx called for closer working relations with the European Council. “I issue a challenge to the council today,” said Hustinx, “to treat us as a grown-up institution and a trusted partner.” EU Justice Commissioner Viviane Reding supported the strategy and said the vision of creating a data protection culture “is our common goal, our common priority.”

PERSONAL PRIVACY—FRANCE

Gov’t Proposes Privacy Tax (January 23, 2013)

The French government has proposed a privacy tax—comparable to carbon taxes aimed at discouraging polluters—to protect consumer data, NBC News reports. The proposal is included in a recent report by the French Ministry of Finance and suggests companies that misuse or fail to protect consumer data would pay a tax with rates scaled to the severity of the infraction. The tax proposal would also incentivize protecting consumer data in ways that extend beyond current regulations, the report states. It has been met with mixed reactions. “It’s a very revolutionary and interesting proposal, but it would be difficult in France, let alone around the world, to implement,” one lawyer said.

HEALTHCARE PRIVACY—U.S.

HIPAA Updates Hold BAs Accountable (January 23, 2013)

eWeek reports on updates to the Health Insurance Portability and Accountability Act (HIPAA) that could make IT companies more liable for health data breaches. The final omnibus rule holds business associates accountable for privacy and security standards to the same degree as hospitals and health insurance providers. One expert said the new rules will be a wake-up call. “The majority of business associates now are probably not meeting the letter of the law in terms of their security obligations,” he said. Meanwhile, Lucile Packard Children’s Hospital and the Stanford University School of Medicine have announced a health data breach affecting 57,000 patients after a laptop was stolen from a physician’s car.

PRIVACY LAW—EU & U.S.

Experts Discuss Regs, Advocates Promote Privacy (January 23, 2013)

A group of lawmakers and privacy experts recently discussed the European Commission’s (EC) proposed data protection regulation. Representatives from the European Parliament, European Commission, the U.S. Federal Trade Commission and other data protection authorities as well as industry met in Brussels to discuss several key issues in the proposals, including de-identification, the definition of personal data, jurisdiction and applicable law and consent. Future of Privacy Forum (FPF) Founder and Co-Chair Christopher Wolf and FPF Senior Fellow Omer Tene have released three whitepapers in conjunction with the discussion. Meanwhile, Wired reports that a group of U.S.-based privacy advocates has met in Brussels to promote the EC’s proposed regulation, and Big Brother Watch Director Nick Pickles writes why he believes “privacy and competition are intertwined as regulatory issues.”

ONLINE PRIVACY—U.S.

New Subcommittee Leader Considers Action (January 23, 2013)

The new chairman of the House Subcommittee on Commerce, Manufacturing and Trade will examine whether the government should take action to increase privacy protections for Internet users, The Hill reports. Rep. Lee Terry (R-NE) is considering the formation of a bipartisan group of lawmakers to craft recommendations for the subcommittee. “We will continue the subcommittee’s work on privacy and data security,” Terry said. “Whether that comes to legislation or not, we don’t know.” He added the subcommittee will consider data breach notification legislation.

ONLINE PRIVACY

Film Explores Evolution of Privacy Policies (January 23, 2013)

A new film exploring the changing legal and privacy rights of Internet users premiered at the Sundance Film Festival, CNET News reports. “Terms and Conditions May Apply” documents the evolution of online tech companies’ policies and how user anonymity has diminished as a result of government intervention—such as the USA PATRIOT Act—and advertisers, the report states. Film director Cullen Hoback argues that diminished online anonymity has put some users at greater risk, citing an example of a Facebook post that brought a SWAT team to a comedian’s house. Hoback also seeks out one firm’s original privacy policy, which reportedly included language promising anonymity to users. Now, Hoback says, privacy policies are “designed to be as uninviting as humanly possible.”

DATA PROTECTION—U.S.

Ernst & Young Report Outlines 2013 Privacy Trends (January 23, 2013)

In a report issued January 17, Ernst & Young detailed privacy’s increasing effect on businesses in the new year. The report, titled “The Uphill Climb Continues,” highlights three primary categories that the firm predicts will shape the new privacy era: governance, technology and regulation. It also calls on organizations and regulators to work together to shape privacy within the digital landscape and to “appreciate the governance role they must play in safeguarding personal information.” Editor’s Note: For more on privacy trends in 2013, see “The 2013 Privacy Forecast” in the January/February edition of The Privacy Advisor.

PRIVACY LAW—EU & U.S.

Proposed EU Regs Incite Wide Array of Reaction (January 22, 2013)
Spiegel Online reports on the debate surrounding the EU’s proposed overhaul of the Data Protection Directive. With differing reactions from industry, advocates and others, the debate is heating up. Swedish MEP Anna Maria Corazza Bildt, together with several tech experts, warned that the proposals threaten Europe’s competitiveness. EU Justice Commissioner Viviane Reding said, “A modern and uniform set of data protection rules is good for growth.” According to TechCrunch, EDRi, Europe’s digital and civil rights association, has obtained a U.S. government lobbying document stating that the current regulation and directive “can have far-reaching negative effects…Economically, they could stifle innovation and inhibit growth.” Meanwhile, a coalition of privacy advocates has written a letter to the EU urging it to move forward with the proposed privacy regulations.

PRIVACY LAW—CHINA

Gov’t To Enforce Privacy Protection Guideline (January 22, 2013)

Xinhuanet reports that a new privacy protection standard for companies collecting consumer information in China will go into effect on February 1. Published in November and the first of its kind in the nation, the “non-obligatory guideline” states that data collectors should obtain consent prior to the collection and processing of an individual’s sensitive personal information, according to the Ministry of Industry and Information Technology. The guideline categorizes personal data as “general” or “sensitive” and permits general data collection if an individual does not object, the report states. Organizations should have specific and clear purposes for collecting data and delete the information once it is no longer needed. Editor’s Note: The breakout session Complex, Nuanced and Evolving—Privacy Developments in Asia will be part of the IAPP Global Privacy Summit in Washington, DC, this March.

DATA PROTECTION—CANADA

Dept. Forbids Portable Data Devices Following Breaches (January 22, 2013)

Following two breaches at Human Resources and Skills Development Canada (HRSDC), the department has announced it is banning the use of portable data devices in its offices. HRSDC will begin using “data loss technology” to restrict data from being removed from its systems, and it has initiated reviews to determine the risks of portable data devices and whether proper safeguards exist. Staff will face disciplinary measures, including termination, for failing to adhere to privacy and security codes, HRSDC says. Its most recent data breach, involving a lost hard drive and affecting 583,000 Canadians’ records, prompted an investigation by Canada’s privacy commissioner and four class-action lawsuits.

PRIVACY LAW—U.S.

Bills Focus on Social Media Accounts (January 22, 2013)

The Texas Tribune reports on bills introduced in the Texas legislature on social media privacy. State Rep. Helen Giddings (D-Dallas) has introduced a bill that would protect job applicants and employees from being asked or required to provide access to personal accounts via electronic communications devices. State Sen. Juan “Chuy” Hinojosa (D-McAllen) has introduced an identical bill. State Rep. Dawnna Dukes (D-Austin) has introduced a bill to protect students’ social media accounts. Meanwhile, a bill recently signed into law in California protects employees from disciplinary action for refusing to provide passwords to their social media accounts. Several states have passed similar laws.

DATA PROTECTION—AUSTRALIA

Commissioner Concerned with Microsoft Proposals (January 22, 2013)

Responding to a Microsoft report proposing changes to data privacy rules, the Office of the Australian Privacy Commissioner has expressed concerns. The Microsoft Global Privacy Report was released in November and suggests changing the provision within the Organisation for Economic Co-operation and Development’s privacy guideline forbidding personal data use without consent to allow for data use as long as it is not “fraudulent, unlawful, deceptive or discriminatory,” the report states. Privacy Commissioner Timothy Pilgrim says such use would extend beyond the Privacy Act. Microsoft’s report also suggests relaxing rules on companies’ obligations to respond to personal data deletion requests.

PRIVACY LAW—EU

Justice Ministers: Proposed Rules Could Hamper Innovation (January 21, 2013)
Meeting in Dublin last week, EU justice ministers voiced concerns about the effect proposed EU data protection rules could have on innovation, The New York Times reports. The ministers said the rules—which would empower consumers to delete data online businesses have collected about them, create limits on online tracking and grant fining powers to national regulators—must be “balanced and proportionate” and not stifle businesses. Irish Justice Minister Alan Shatter said while there is widespread understanding of a need for uniform regulations, “there is also a widespread understanding of the need to ensure that business can properly work under any new structure while ensuring the existence of certain protections.” (Registration may be required to access this story.)

SOCIAL NETWORKING

Expert: Graph Is “Watershed Moment” for Social Search (January 21, 2013)

Coming at a time when people are increasingly cautious about posting information online, Facebook’s new search tool “Graph Search” has some experts wondering whether users will continue to share the information that will make it valuable, reports The New York Times. The tool mines users’ interests, photos, check-ins and “likes” and displays results ranked by the friends and brands that it thinks a user would trust the most. “This is a watershed moment,” said one University of Washington computer science professor, adding, “There have been other attempts at social search, but it’s the scale at which Facebook operates, especially once they fully index everything we’ve said or say or like.” (Registration may be required to access this story.)

TRAVELERS’ PRIVACY—U.S.

TSA To Remove Privacy-Invasive Scanners (January 21, 2013)

The Transportation Security Administration says it will remove airport x-ray body scanners due to privacy concerns that to date cannot be resolved, the Associated Press reports. The 174 backscatter scanners at 30 U.S. airports will be removed by June, per a Congressional order, while the scanners that display a generic outline instead of an image of the subject will remain.

PRIVACY LAW—U.S.

Markey Reacts To HIPAA Rules (January 21, 2013)

Rep. Edward J. Markey (D-MA), co-chairman of the Congressional Bi-Partisan Privacy Caucus, has issued comments on the release last week of a final HIPAA rule by the Department of Health and Human Services (HHS). “I appreciate the work that HHS has done in issuing this final rule, though areas for improvement remain—particularly when it comes to the sale of protected health information without a patient’s informed consent,” Markey said, adding, “I look forward to working with my colleagues, the administration and privacy advocates to ensure that our health data is truly private and secure.” The Washington Post says the new rules “should make life easier for consumers.”

SURVEILLANCE

“Privacy Visor” Blocks Facial Recognition (January 21, 2013)

The integration of facial recognition into people’s lives, from surveillance cameras to social networks, has prompted Japanese researchers to develop a pair of high-tech glasses that block facial recognition cameras, reports Slate. The two professors set out to counter the “invasion of privacy caused by photographs taken in secret.” The prototype consists of a pair of goggles attached to a battery that use infrared light sources to create “noise” across key areas of the face. This is not the only recent invention aimed at thwarting surveillance technologies; a New York artist has come out with a line of “anti-surveillance” clothing.

HEALTHCARE PRIVACY—U.S.

HHS Issues Final HIPAA Omnibus Rule (January 18, 2013)
The U.S. Department of Health and Human Services (HHS) yesterday prepublished its highly anticipated modifications to the HIPAA Privacy and Security rules. HHS Secretary Kathleen Sebelius said, “The new rule will help protect patient privacy and safeguard patients’ health information in an ever-expanding digital age.” The rule specifies when data breaches must be reported to the Office for Civil Rights (OCR), sets new requirements for use of personal health information in marketing and fundraising and expands direct liability to “business associates” of HIPAA-covered entities. OCR Director Leon Rodriguez said the changes “enhance a patient’s privacy rights” and strengthen “the ability of my office to vigorously enforce” the HIPAA privacy and security rules. In this exclusive for The Privacy Advisor, George Washington Law School Prof. Daniel Solove and Center for Democracy & Technology Health Privacy Project Director Deven McGraw comment on the release.

BIOMETRICS—U.S.

Researcher IDs “Anonymous” Research Subjects and Their Families (January 18, 2013)

The New York Times reports on the inherent tension at play in protecting privacy when it comes to data used for medical research. One researcher recently illustrated the challenge of anonymization when he identified five people who had volunteered information to the 1,000 Genome Project, which collects genetic data from volunteers worldwide for research. The researcher used the subjects’ genetic information, ages and regions to identify them and their entire families. Amy McGuire of Baylor College of Medicine said, “To have the illusion you can fully protect privacy or make data anonymous is no longer a sustainable position.” (Registration may be required to access this story.)

DATA LOSS—CANADA

Breach of 500,000 Spurs Class-Action Suits, Investigations (January 18, 2013)

A Human Resources and Skills Development Canada breach of 583,000 records—its second this month—has prompted investigations by the RCMP and the Office of the Privacy Commissioner (OPC) and two class-action lawsuits, reports the Canadian Press. A hard drive containing names, social insurance numbers, contact information, birth dates and balance amounts of Canada Student Loans Program borrowers went missing in November but was not reported to the OPC until more than a month later, resulting in some criticism for the delay. Assistant Privacy Commissioner Chantal Bernier says after this investigation, the OPC is considering conducting audits of government agencies that hold large volumes of sensitive data, and the human resources minister has requested all department employees participate in mandatory security training.

GEO PRIVACY

Tech Allows Retailers To Track Consumers’ Locations (January 18, 2013)

Retail stores will soon be able to follow consumers around or outside of their stores thanks to the advent of new analytics technology, IT World reports. Using the WiFi antenna built into a consumer’s smartphone, an access point can record the phone’s wireless MAC address and log it to track when the consumer enters, departs or passes by the store. The technology’s manufacturer states in its privacy policy that data is collected anonymously and in aggregate and users can opt out at any time. But retailers haven’t yet determined how to obtain permission from consumers to track them, the report states, which may be one reason the technology hasn’t yet been widely deployed.

DATA LOSS—HONG KONG

Breach Exposes Students’ Data on Public Sites (January 18, 2013)

Privacy Commissioner for Personal Data Allan Chiang says a recent breach involving the personal data of more than 8,505 students is indicative of widespread negligence among webmasters, China Daily reports. Nine schools were involved in the breach, which exposed the students’ names, phone numbers and e-mail addresses. The schools say technicians are at fault for having mistakenly published the data on public websites. The data has been removed from the sites.

PRIVACY LAW—U.S.

Mobile Apps Privacy Bill Proposed (January 18, 2013)

A draft bill aimed at increasing mobile app users’ privacy rights has been released, ADWEEK reports. Rep. Hank Johnson (D-GA) has proposed the Application Privacy, Protection and Security Act of 2013 in an effort to address “the public’s growing concern with data collection on mobile devices.” The proposed legislation would require apps to provide consumers with advance notice about what data they collect and how it will be used, and “obtain consent for the collection terms,” the report states, noting, “It would also allow users to opt out of the service and delete personal data collected by the app.”

DATA PROTECTION

Opinion: With Data, Think Obscurity Over Privacy (January 18, 2013)

In a column for The Atlantic, Woodrow Hartzog and Evan Selinger write that “‘privacy’ is an over-extended concept” that “grabs our attention easily, but is hard to pin down.” Obscurity, they write, “is the idea that when information is hard to obtain or understand, it is, to some degree, safe.” Though data may be deemed safe, it does not mean it is inaccessible, but “less committed folks,” they point out, “experience great effort as a deterrent.” Factors creating online obscurity include being invisible from search engines, using privacy settings and pseudonyms and disclosing information “in coded ways that only a limited audience will grasp.” Hartzog and Selinger opine, “Many contemporary privacy disputes are probably better classified as concern over losing obscurity.” Editor’s Note: Read more about this concept in Hartzog’s paper “The Case for Online Obscurity” in the IAPP Resource Center.

PRIVACY LAW—EU

EC May Require Internet Firms To Disclose Breaches (January 17, 2013)
The New York Times reports on a proposal being drafted by EU Commissioner for the Digital Agenda Neelie Kroes that would require firms storing data on the Internet to disclose data breaches to the EU or face sanctions or fines. Telephone, transport and utility companies currently must disclose breaches, but the proposal would apply to “enablers of Internet services, e-commerce platforms, Internet payment gateways, social networks, search engines, cloud computing services, applications stores” and others, according to a copy of the plan seen by the International Herald Tribune. A representative from the Business Software Alliance said, “Harmonization of the notification requirements for security breaches is important and should be addressed,” adding, “More precise guidelines in the directive on the trigger and threshold procedures would make the system more workable.” (Registration may be required to access this story.)

MOBILE PRIVACY—U.S.

FTC Settlement Says App Violated FCRA, Study Shows Knowledge is Power (January 17, 2013)

The Federal Trade Commission (FTC) recently reached a settlement with a mobile app developer for violating the Fair Credit Reporting Act (FCRA). The app provided consumers with criminal background checks of individuals in several states. Hunton & Williams’ Privacy and Information Security Law Blog called the settlement “groundbreaking” as it’s the first time an FCRA enforcement action was taken by the FTC against a mobile app developer. Meanwhile, researchers at Carnegie Mellon University have released a study analyzing user perceptions and expectations about mobile app privacy and security. Their research shows that knowledge of what data is collected by an app “can have a significant impact on people’s comfort level and would enable them to make better-informed decisions,” one researcher said.

SURVEILLANCE—U.S.

Leahy To Push for ECPA Reform, Raises Drone Concerns (January 17, 2013)

Senate Judiciary Committee Chairman Patrick Leahy (D-VT) said he plans to push to reform the Electronic Communications Privacy Act to require law enforcement to obtain a warrant prior to accessing individuals’ e-communications, CIO reports. Leahy noted, “I’ll keep pushing to update our privacy laws to address emerging technology and the Internet.” He also said that drones “could be a significant threat to the privacy and civil liberties of millions of Americans.” Rep. Ted Poe (R-TX) said that there may be “some kind of drone legislation during the Congress,” and Electronic Privacy Information Center Attorney Amie Stepanovich said, “The current state of the law is inadequate to address the threat…as drone technology becomes cheaper, the threat to privacy will become more substantial.”

DATA LOSS—U.S.

Utah Health USB Stick Lost; Breach Costs Processor $94 Million (January 17, 2013)

Utah’s Department of Health is sending notifications to individuals potentially affected by a recent data breach, Associated Press reports. The breach occurred when the employee of a contracted third-party data processor saved data on about 6,000 Utah Medicaid recipients to an unencrypted USB stick and lost it in transit. The information did not include Social Security numbers or financial data. The breach comes less than a year after hackers breached Utah Department of Health data on 780,000 individuals. Meanwhile, Global Payments, Inc., the payments processor that experienced a data breach affecting 1.5 million payment cards in North America last April, has said expenses associated with the breach totalled $93.9 million.

DATA PROTECTION—EU

Expert Examines the Intersection of Business and Privacy (January 17, 2013)

Jim Sterne reports for ClickZ on what happens “when privacy and business collide.” Sterne advises those doing business internationally to be aware of individuals’ privacy rights guaranteed under the Charter of Fundamental Rights of the European Union and notes how European cookie laws have “made a shamble of European Union analytics data management” in their inconsistencies. Discussing the European Commission’s proposed data protection regulation, Sterne questions whether companies could comply with provisions such as the right to be forgotten, the right to edit data and the right to data portability. Meanwhile, the French data protection authority has said MEP Jan Philipp Albrecht’s draft report on the regulation “largely meets” its concerns.

DATA PROTECTION

Experts Discuss Privilege Management Tool (January 17, 2013)

CSO reports on a technology some say can “trump human weaknesses,” making data breaches due to human error less likely. “Least privilege management” operates on a need-to-know basis but grants access privileges to applications instead of individuals; however, it hasn’t been widely deployed among organizations, the report states. One expert said, “It’s nigh impossible to account for all types of user interaction with a system. But in interactions that are fairly small or focused, properly implemented least privilege would be a solid and nigh unusurpable control.” Another expert said the problem isn’t “unwitting employees but malicious attackers.”

BIG DATA—U.S.

The Goals and Obstacles of Mining EHRs (January 16, 2013)
The New York Times reports on the mining of electronic health records (EHRs) by researchers, which, according to some scientists, has “the potential to make every patient a participant in a vast, ongoing clinical trial, pinpointing treatments and side effects that would be hard to discern from anecdotal case reports or expensive clinical trials.” One expert said, “The sheer volume and the richness of the data will enable us to have insights that are beyond anything we could have had any other way.” The biggest challenge to the mining of EHRs is the de-identification of the records to protect patient privacy, and in many cases, de-identified EHRs exist in several databases, potentially complicating the accuracy of research, the report states. (Registration may be required to access this story.) Editor’s Note: The breakout session Big Data, Not Big Brother: Best Practices for Data Analytics will be part of the Global Privacy Summit in Washington, DC, this March.

SOCIAL NETWORKING—U.S.

Facebook Unveils New Data Mining Tool (January 16, 2013)

Facebook has unveiled a new search tool that will enable its users to search the social network for people, places, photos and things that interest them, The New York Times reports. “Graph search” populates the data users have shared on the site to conduct searches and presumes users need not venture outside of the site’s virtual walls to access the information they seek. Facebook CEO Mark Zuckerberg has acknowledged privacy concerns but said users will see a warning message on how their information will be shared before they access the new tool. The American Civil Liberties Union has warned Facebook users to review their privacy settings. (Registration may be required to access this story.)

HEALTHCARE PRIVACY—UK

Gov’t To Set Mandatory “Paperless” Deadline (January 16, 2013)

UK Health Secretary Jeremy Hunt is expected to require all hospitals to digitize patient records within the next 12 months so they can be shared among health professionals across the country, The Telegraph reports. Hunt said records would not be shared without patient consent and the digitized system will not be centrally located. “If banks can develop systems where people are confident about their money, it must be possible for the NHS to develop systems where people are confident about their privacy,” said Hunt. Recent patient privacy breaches have some concerned that the system could lead to compromised privacy, the report states.

DATA PROTECTION—EU

Ministers Consider Warnings Ahead of Sanctions (January 16, 2013)

European justice ministers will consider a “two-strikes” rule for data breaches, reports IDG News Service. The Irish Presidency of the European Council published a paper on Monday asking the ministers to discuss making fines “optional or at least conditional upon a prior warning or reprimand,” the report states. The paper will be discussed at the Justice and Home Affairs Council in Dublin this week. Digital rights group EDRi says a two-strikes system wouldn’t protect citizens and would give companies and state authorities “carte blanche to breach our rights…In other words, do what you want; the worst that can happen is that you will receive a warning.”

PERSONAL PRIVACY—U.S.

NY Gun Law Would Mean More Owner Privacy (January 16, 2013)

A gun control law that passed the New York Senate on Monday and was considered in the Assembly yesterday includes a provision that would make information about handgun permits confidential, reports Business Insider. Sen. Greg Ball (R-District 40) and Assemblyman Steve Katz (R-Yorktown) announced earlier this month that they wanted increased privacy for gun owners after a Westchester newspaper published a map revealing the names and addresses of handgun owners in Westchester and Rockland counties.

DATA LOSS—U.S.

Franchise Announces Potential Breach (January 16, 2013)

A Georgia-based restaurant chain is warning customers about the potential for fraud after suspicious computer files were found at some of its locations, WYFF4 Greenville reports. The company says the malware files may have resulted in unauthorized access to credit and debit card information at more than 100 stores, the report states. The company has notified law enforcement and the three credit reporting agencies and is encouraging customers to closely monitor their financial accounts and obtain a credit report.

PRIVACY LAW—EU

EDPS Takes Position on EP Reports (January 15, 2013)
Commissioner Giovanni Buttarelli, deputy European Data Protection Supervisor (EDPS), spoke last week on the EDPS’ first official position on the recent report from MEP Jan Philipp Albrecht on the European Commission’s proposed update to the 1995 Data Protection Directive. Noting that in the EDPS’ view, “the data protection package is a huge and necessary step forward for data protection in Europe,” Buttarelli explained, “We appreciate any further contribution aimed to ensure a full comprehensiveness of the two legal instruments—the regulation and the directive—to increase the level of protection ensured by the directive as well as solutions aimed to improve some provisions of both legal instruments which need to be adjusted, clarified or fine-tuned.” Buttarelli also noted in his talking points for last week’s LIBE meeting that “we are in an important phase where there is no room for mistakes. This is why at the EDPS we will continue to follow all further developments and contribute to the debate also through additional, formal contributions, where necessary.” Editor's Note: The upcoming IAPP web conference Draft Report on New EU Data Protection Regulation—Strict Requirements Proposed will offer expert analysis on the draft report.

DATA LOSS—CANADA

Ministry Says Breaches Affected Five Million (January 15, 2013)

The Huffington Post reports on breaches affecting five million British Columbians. In the most serious cases, the provincial government will contact those affected by letter, the report states. Health Minister Margaret MacDiarmid has announced three data breaches occurring between October 2010 and June 2012 involving health data saved on USB sticks and shared with researchers without the proper permissions. The USB sticks were not encrypted or password protected, despite ministry policies. “We don’t believe there is a great risk to individuals with this information because there is no evidence at all that the information has been used for anything other than health research,” MacDiarmid said. Editor’s Note: The preconference workshop Surviving a Data Breach in the Digital Age will be part of the Global Privacy Summit in Washington, DC, March 6.

DATA PROTECTION

Insurance To Grow if Proposals Approved (January 15, 2013)

MEP Jan Philipp Albrecht’s recent report on the European Commission’s draft regulation suggests companies seeking to process data in countries outside of the European Economic Area that have not been designated as meeting EU standards should have to provide “financial indemnification” to individuals for data breaches, reports Out-Law.com. The need for insurance products “to transfer risk for the data processor or controller has grown,” said Pinsent Mason’s Ian Birdsey. “While a standard professional indemnity policy may have been considered adequate five years ago, both companies and insurers have appreciated the need for specialist insurance products dealing with the myriad data risks.”

PRIVACY LAW—EU & UK

MOJ Wants DPO Requirement Scrapped (January 15, 2013)

The Ministry of Justice (MOJ) wants to scrap a measure within the European Commission’s (EC) data protection reforms, Out-Law.com reports. The EC has proposed a requirement that large companies heavily engaged in data processing hire data protection officers. But the MOJ has published a 22-page response to a report by the UK Parliament’s Justice Select Committee calling for the EC’s proposed requirement to be eliminated. “The government does not believe that the requirement to have a data protection officer is necessary in the proposed regulation, and we believe that there are other means of achieving the accountability principle,” the MOJ said.

ONLINE PRIVACY—SWEDEN

Authority Seeks Legislation To Prevent Defamatory Posts (January 15, 2013)

The Swedish Data Protection Board is seeking tougher legislation to deter Internet bullying and prevent privacy violations, The Local reports. The board’s recommendation follows a government request for a review on freedom of speech and press laws. Websites operated by media companies are protected by free speech clauses in Sweden’s Constitution, but the board wants Sweden to adopt legislation that would criminalize posting offensive and insulting comments. “It shouldn’t make a difference whether serious insults and privacy violations take place within or outside of areas protected by the constitution,” said Göran Gräslund, the board’s leader. “A criminal penalty would help create a balance between freedom of speech and protecting people’s privacy.”

PRIVACY LAW—U.S.

Opinion: Privacy on Steroids in 2013? (January 15, 2013)

In a column for The Huffington Post, Hemanshu Nigam opines that 2013 will be “The Year of Privacy on Steroids.” After attending last week’s International Consumer Electronics Show, Nigam writes, “With so many new sites, gadgets and technology offerings integrating social media into their core functionalities, legislators will be hungry to regulate and legislate.” With rapid growth in technology and the Internet, “we are seeing the introduction of new legislation that impacts our private lives.” The Video Privacy Protection Act was recently signed by President Obama, and the Location Privacy Protection Act and amendments to the Electronic Communications Privacy Act have been approved by the Senate Judiciary Committee, Nigam notes.

PRIVACY LAW—U.S.

Sen.’s Retirement Puts Privacy Legislation in Flux (January 14, 2013)
Sen. Jay Rockefeller’s (D-WV) announcement last week that he plans to retire in two years is the third potential personnel change in Congress that may affect privacy legislation in the near future, POLITICO reports. With Sen. John Kerry (D-MA) possibly becoming secretary of state and Rep. Ed Markey (D-MA) potentially running for Kerry’s seat, consumer privacy legislation--“which was in many ways on target for a breakout year in 2013”--may be “somewhat up in the air,” the report states, querying, “Does the two-year timeframe fuel the fire among (Rockefeller) and his colleagues to pass an online privacy bill—or does it give opponents more resolve to run out the clock?”

DATA LOSS—CANADA

Commissioner Announces Investigation’s Launch (January 14, 2013)

The Office of the Privacy Commissioner of Canada (OPC) has announced its launch of an investigation into a breach at Human Resources and Skills Development Canada (HRSDC). The assistant commissioner has determined there are “reasonable grounds for a commissioner-initiated complaint against HRSDC” to determine whether the Privacy Act has been violated. The breach occurred when an HRSDC employee transported and lost an unencrypted USB stick containing the personal information of 5,000 Canadians. The USB stick went missing November 17 but was not reported to the OPC until December 21.

CLOUD COMPUTING—EU & U.S.

Study Warns U.S. Law Could Threaten EU Privacy (January 14, 2013)

A study backed by the European Union (EU) says that the U.S. Foreign Intelligence and Surveillance Amendments Act gives U.S. authorities access to European citizens’ data stored on U.S.-based Internet sites, Deutsche Welle reports. EU MEP Jan Philipp Albrecht said, “This study is absolutely not about generating panic…It’s a simple fact that the U.S. data protection law only applies to U.S. citizens.” Schleswig-Holstein Data Protection Commissioner Thilo Weichert said, “The long arm of U.S. law stretches as far as Europe,” and added, “You cannot even begin to figure out what happens to this data.” Albrecht suggested that EU citizens use EU-based cloud services. Editor’s Note: The breakout session Closing the Deal—Global Cloud Contracts and EU Requirements will be part of the IAPP Global Privacy Summit in Washington, DC, this March.

DATA PROTECTION—EU

What Is the Legal Status of Search Engines? (January 14, 2013)

One of the complex questions the Court of Justice of the European Union (CJEU) must answer in 2013 relates to the legal status of search engines, Baker & McKenzie’s Yann Padova and Denise Lebeau-Marianna report for The Privacy Advisor. Using one case they describe as an example of a “burgeoning trend in Europe transforming regulations on data protection into an instrument used for removing information thought unfavorable or unsuitable by the data subjects,” the authors examine the push-and-pull between the right to be forgotten and freedom of speech.

HEALTHCARE PRIVACY—U.S.

Privacy Issues Raised with Rise of Tracking Sensors (January 14, 2013)

Ad Age reports on the rise of healthcare technology, particularly innovations that allow ubiquitous health tracking, giving rise to privacy concerns. According to the report, consumers will grapple with the question of whether such healthcare technology and its promise to aid in the health of users outweighs personal privacy. Users’ smartphones, the report states, “could start to know more about our individual health than we do.” Meanwhile, as part of its response to a data breach last year, Miami-based Jackson Health System has issued a system-wide program prohibiting volunteers from bringing smartphones into patient areas.

PRIVACY LAW—U.S.

New Suit Filed Over Buzz Service (January 14, 2013)

Three Gmail users have filed a new potential class-action lawsuit accusing Google of violating their privacy, MediaPost News reports. The suit, filed in the Eastern District of New York, alleges Google violated the federal Stored Communications Law with the launch of its now-defunct Buzz service in 2010. Upon its launch, the service revealed information about Gmail users’ accounts by default. The company previously agreed to an $8.5 million settlement with the Federal Trade Commission over the service, but the three users object to it because the settlement “gave no benefit to any class member,” according to the users’ lawyer.

PRIVACY LAW—U.S.

President Signs VPPA Amendment (January 11, 2013)
President Barack Obama has signed an amendment to the 1998 Video Privacy Protection Act (VPPA), CNET News reports. The signing of HR 6671 allows social media users to opt in to allow video rental companies to share information about their viewing preferences. Previously, the VPPA required consumers’ written consent or a police warrant before such data could be shared. Netflix, among other companies, had argued the law was dated. It was passed after a Supreme Court nominee’s video-rental history was published during his 1998 nomination process, inciting outrage from members of Congress.

PRIVACY LAW—EU

Schaar Welcomes Albrecht Proposal (January 11, 2013)

German Commissioner for Data Protection and Freedom of Information Peter Schaar has said MEP Jan Philipp Albrecht’s proposed amendments released earlier this week “would clearly improve the European Commission’s draft on the reform of European data protection law.” In a press release, Schaar added, “The European Parliament hopefully will approve the proposals, and I advise the federal government to actively advance the absolutely necessary improvements of European data protection law in council.”

ONLINE PRIVACY—U.S.

Ad Groups Dislike AG’s Guidelines (January 11, 2013)

A coalition of advertising industry trade groups is expected to send a letter to California Attorney General Kamala Harris about her recently released guidelines for app developers, platforms and ad networks, Ad Age reports. The groups, including the Direct Marketing Association (DMA), Interactive Advertising Bureau and American Association of Advertising Agencies, say Harris’ “Privacy on the Go” recommendations—which suggest apps send special notices to consumers before collecting data—extend beyond California law and don’t consider the potential economic impact. Stu Ingis, privacy counsel to the DMA, said consumers “aren’t clamoring for some special notice” and such proposals would actually “be bad for the consumer experience.”

RFID—U.S.

Student’s Challenge to Chipped Badge Continues (January 11, 2013)

Forbes reports on a Texas student’s challenge to her school district’s policy that students must wear RFID-chipped identification badges. Andrea Hernandez initially cited privacy concerns with the badges, which transmit a tracking signal at all times. The school offered Hernandez a chipless badge, a compromise she refused, arguing wearing such a badge would make it appear as though she supported the program. Judge Orlando Garcia said, “The First Amendment does not protect such concerns.” The case will determine whether the school’s decision to allow the student to opt out via a chipless badge is a “reasonable accommodation,” the report states.

ONLINE PRIVACY—CANADA

OPC Denies Reports on Bill C-30 Compromise (January 11, 2013)

The Office of the Privacy Commissioner (OPC) is refuting claims reported earlier this week that it was working on a compromise on legislation that would increase law enforcement’s surveillance powers over the Internet, MACLEANS.CA reports. “I reject the characterization of this as a compromise outright,” Assistant Privacy Commissioner Chantal Bernier said. “Privacy is a fundamental right. You don’t compromise on fundamental rights.” Bernier added that the OPC was “doing our homework. A legal and technical analysis. What we’re exploring is, if the warrant system is too cumbersome—which is unproven—is there then a way to preserve privacy under a new system?”

ONLINE PRIVACY

Firm Says It Decrypts HTTPS, But Doesn’t Access It (January 11, 2013)

Nokia has confirmed reports by a security researcher that it decrypts HTTPS data flowing through its Xpress Browser—including banking sessions and encrypted e-mail—but the company says it does not access the decrypted information, GigaOm reports. Security researcher Gaurang Pandya said, “From the tests that were performed, it is evident that Nokia is performing Man In The Middle Attack for sensitive HTTPS traffic originated from their phone and hence they do have access to clear text information, which could include user credentials to various sites such as social networking, banking, credit card information or anything that is sensitive in nature.” Nokia said it has “implemented appropriate organizational and technical measures to prevent access to private information. Claims that we would access complete unencrypted information are inaccurate.”

MOBILE PRIVACY—U.S.

California AG Issues Mobile Recommendations (January 10, 2013)
California Attorney General Kamala Harris has released a recommended set of privacy best practices for app developers and advertising networks working in the mobile ecosystem, the San Jose Mercury News reports. Written after consulting a “broad spectrum of stakeholders,” including app developers, ad networks, privacy professionals and privacy advocates, “Privacy on the Go” urges those developing apps to consider building privacy protections in from the start and to display brief notices prior to taking actions such as data collection. In a quote provided to the Daily Dashboard, Harris said, “Californians want to know what information their apps collect, how it is used and with whom it is shared. To meet this need and keep pace with rapidly changing technology, these recommendations strike a responsible balance between protecting consumers’ personal information and fostering the continued growth of the innovative app economy.” Mozilla’s Alex Fowler said, “I think it’s preferable to have the attorney general being proactive in working with the industry, as opposed to going straight to some type of enforcement action.” Editor’s Note: The archived IAPP web conference Privacy on the Move in California, featuring insights from Joanne McNabb, CIPP/US, CIPP/G, CIPP/IT, and Alexandra Robert Gordon, both from the California Department of Justice, is now available for purchase.

PRIVACY LAW—EU

Industry Reacts to Albrecht Report (January 10, 2013)

WIRED reports on the “varying degrees of praise and criticism from all sides” in response to MEP Jan Philipp Albrecht’s draft report on the European Commission’s proposed update to the 1995 Data Protection Directive. Albrecht’s report recommends strengthening the current proposal by increasing individuals’ rights on provisions including the right to be forgotten, online tracking and data portability. The report also recommends expanding the role of consent and granting data protection authorities more powers. Industry is voicing significant concern. Kimon Zorbas of IAB Europe said the proposal’s “dramatic” recommendations would have “significant, damaging effects on industry.” Parliament is expected to vote on the proposal in April.

PRIVACY LAW—U.S.

SCOTUS Weighs Warrantless Drunk-Driving Tests (January 10, 2013)

The New York Times reports on reactions from Supreme Court justices in a case involving whether law enforcement can obtain blood samples from suspected drunk drivers without a warrant. Prosecutors argued time is of the essence in such instances because of the natural dissipation of alcohol in the blood stream. According to the report, “There seemed little enthusiasm among the justices for that categorical approach,” but there was a “search for a middle ground that would take account of the practical realities of roadside stops, body chemistry and the administration of justice in the digital age.” Chief Justice John Roberts Jr. said government-backed intrusions into the human body with sharp needles would be a “pretty scary image,” and Justice Antonin Scalia called for a case-by-case approach, the report states. (Registration may be required to access this story.)

HEALTHCARE PRIVACY—U.S.

ONC Analyzes Patient Privacy Concerns (January 10, 2013)

A government office has initiated a pilot project delving into patient privacy concerns when considering participation in health information exchanges, ModernHealthcare.com reports. Sponsored by the U.S. Department of Health and Human Services’ Office of the National Coordinator (ONC), the eConsent Trial Project surveyed patients at four healthcare organizations to determine answers to questions such as, “What information do you need to decide whether healthcare providers may electronically access your medical information?” The ONC aims to finish the project by March and to publish results this spring. Meanwhile, a senior director at the Healthcare Information and Management Systems Society says that the biggest privacy concern surrounding mobile healthcare is lost or stolen cellphones containing unencrypted data. Editor’s Note: Lessons Learned from OCR Privacy and Security Audits will be one of several breakout sessions on healthcare privacy at this year’s Global Privacy Summit in Washington, DC.

ONLINE PRIVACY

Changes Grant Data Access, Tech Giants Join Forces (January 10, 2013)

Foursquare users would be wise to study the application’s new privacy policy, effective January 28, ZDNet reports. The service will now show full names across its website instead of a mix of first name and last initial, and it will allow businesses to see an expanded list of users who have checked in. The window of time to access the list has also expanded. Meanwhile, Apple, Facebook and Microsoft have joined forces to launch ACT 4 Apps, an effort to educate app developers on privacy. The Association for Competitive Technology will facilitate the effort.

ONLINE PRIVACY—U.S.

Young Adults Share Privacy Perspectives (January 10, 2013)

During a panel discussion at CES 2013 this week, a group of young adults shared their attitudes on social media policies and behavioral targeting, among other topics. The six panelists, ages 18 to 28, generally agreed that they were not averse to being served targeted ads if the content is interesting and the ads relevant, CNET News reports. “If ads are tailored to me, I’m totally fine with them,” said one panelist. Others indicated a heightened awareness of privacy risks, resulting in vigilant self-monitoring when it comes to online posts. “I have to filter myself,” said another panelist, voicing concern that employers and colleagues may view Facebook photos, tags and check-ins.

PRIVACY LAW—EU

Albrecht Report Would Strengthen EC Proposal, Has Industry Concerned (January 9, 2013)
MEP Jan Philipp Albrecht has released a draft report on the European Commission’s proposed update to the 1995 Data Protection Directive supporting a robust framework and recommending more stringent measures, The New York Times reports, inciting mixed reactions from government and industry. The report, containing 350 proposed amendments to be discussed in plenary, would increase data subjects' rights—rewording the “right to be forgotten” as “a right to erasure and to be forgotten”—expand the proposal’s scope of non-EU-based controllers and expand the concept of “personal data.” The report suggests the “legitimate interest” provision—allowing companies to process personal data without consent if the reasons for doing so trump the individual’s right to privacy—should be used only in exceptional circumstances. While EU Justice Commissioner Viviane Reding welcomed the report, industry has reacted less favorably. Facebook’s head of EU Policy, Erika Mann, said that “some aspects of the report do not support a flourishing European Digital Single Market,” and the Industry Coalition for Data Protection said Albrecht’s report “missed an opportunity to reconcile effective privacy safeguards with rules protecting the conduct of business—both fundamental rights under the EU charter.” Monika Kuschewsky, CIPP/E, special counsel at Covington & Burling, told the Daily Dashboard those expecting a “conciliatory report searching for compromise and practical solutions will be disappointed” as the report’s amendments aim to strengthen individuals’ and authorities’ rights and “reinforce existing or impose additional obligations on companies.” Field Fisher Waterhouse’s Eduardo Ustaran, CIPP/E, expects “heated negotiations with the Council of the EU and other stakeholders.” (Registration may be required to access this story.) Editor’s Note: Look for more on this topic in an upcoming edition of The Privacy Advisor.

DATA PROTECTION—U.S.

Site’s Resistance To Self-Reg Scheme Hampers Sales (January 9, 2013)

Facebook’s resistance to adhering to the Digital Advertising Alliance’s self-regulatory privacy program stands in the way of a Facebook ad network, Ad Age reports. The company continues to operate its own internal ad privacy approach, resulting in brand advertisers’ apprehension about allocating significant funds toward advertising on the site, the report states.

ONLINE PRIVACY—CANADA

Commissioner Seeks Compromise on Bill (January 9, 2013)

A blueprint solicited by Canada’s Office of the Privacy Commissioner has proposed a compromise to pending legislation increasing law enforcement’s surveillance powers on the Internet, The Canadian Press reports. Assistant Privacy Commissioner Chantal Bernier asked University of Montreal Law Prof. Karim Benyekhlef “to help find a middle ground between security and privacy” within the government’s approach to Bill C-30. The legislation would allow law enforcement to obtain Internet subscriber data without a warrant. Benyekhlef has proposed a five-step process, or a “warrant light” approach, to judicial authorization, the report states. A review by the privacy commissioner notes that the professor’s analysis is similar to existing powers for authorities seeking financial and commercial data.

ONLINE PRIVACY

HTTPS Function Rolled Out by Yahoo (January 9, 2013)

A new option to enable HTTPS for full webmail sessions has been introduced by Yahoo, IDG News Service reports. Digital rights and privacy advocates have welcomed the new rollout. The Electronic Frontier Foundation, along with other advocates, sent a letter to Yahoo CEO Marissa Mayer last November asking for the secure function. The new interface features a “Turn on SSL” setting that users must manually switch on. In a blog post, AccessNow.org supported the decision and wrote, "Pending technical analysis of its implementation, we believe this decision by Yahoo responds to some of the concerns raised by civil society and security experts and signals a continuing strengthening of their services' privacy protections."

CONSUMER PRIVACY—CHINA & U.S.

Firm Fined, Four Face Prison (January 9, 2013)

The Wall Street Journal reports that a Shanghai court has fined Dun & Bradstreet (D&B) Corp.’s Roadway Unit 1 million yuan ($160,648) and has sentenced four former employees for allegedly purchasing consumer data illegally. The New Jersey-based company has not contested the charges “in recognition of the fact that such consumer data collection practices contradict D&B’s core values regarding data integrity,” the company wrote in a statement. According to a China Central Television report last March, the company “improperly purchased data on more than 150 million Chinese citizens from insurance companies” and banks, among others. (Registration may be required to access this story.)

RFID—U.S.

Theme Park To Introduce Interactive Bracelets (January 8, 2013)
The New York Times reports on plans by Disney to introduce a vacation management system at its theme parks with the intention of making the user experience more personalized and efficient. Included in the new system are bracelets built with radio frequency identification chips to track visitor behavior in detail. The collected data will be used to refine consumer deals and customize marketing communications. The wristbands will also function as room key, park pass and credit card and will be encoded with personal details so employees can offer personalized greetings. Guests will be able to opt in to the system and customize how much personal information they want to disclose. “We want to take experiences that are more passive and make them as interactive as possible,” said a Disney representative.

CONSUMER PRIVACY—U.S.

Industry Discusses Consumer Expectations (January 8, 2013)

Network World reports on an industry panel’s concerns about the effect government regulation could have on innovation. Speakers at a recent CES 2013 panel titled “The Smartphone-Tablet Economy: Apps, Devices, Commerce and the Consumer Obsession” also discussed consumer expectations—including whether young people care about privacy, online tracking and the negative impact the “bad players” have on industry as a whole. Meanwhile, a second panel discussed how to “make people feel safer about where their data is being stored” when it comes to the cloud, among other topics. Mozilla’s lead privacy engineer suggested introducing transparency and matching data privacy and management to user expectation, which he said may be difficult but is in industry’s “best interests.”

PRIVACY LAW—UK

Graham: Proposals Would Hamper Journalism (January 8, 2013)

In an official response to Lord Justice Brian Leveson’s proposals for tougher data protection laws, UK Information Commissioner Christopher Graham has warned of a “chilling effect” on investigative journalism, The Guardian reports. The proposals would make the Information Commissioner’s Office a regulator of the mainstream press, Graham warned. “The significance of the proposed changes should not be underestimated,” he said, adding that the proposal will need “very careful consideration…and is ultimately a matter for Parliament.”

DATA LOSS—U.S.

Firm, Doctors To Pay $140,000 for PHI Breach (January 8, 2013)

The former owners of a medical billing firm have agreed to a $140,000 settlement with the Massachusetts Attorney General’s Office for the improper disposal of medical records, The Boston Globe reports. The one-time owners of Goldthwait Associates, along with the doctors involved, allegedly mishandled medical records of 67,000 patients. The records in question included names, addresses, Social Security numbers and pathology reports. Attorney General Martha Coakley said, “We believe this data breach put thousands of patients at risk, and it is the obligation of all parties involved to ensure that sensitive information is disposed of properly to prevent this from happening again.”

PRIVACY LAW—U.S.

SCOTUS To Hear Blood Test Privacy Case (January 8, 2013)

The Supreme Court of the United States is set to hear oral arguments Wednesday on whether police need a court order to procure a blood sample from a suspected drunk driver, SCOTUSblog reports. In Missouri v. McNeely, the defense has argued that taking the defendant’s blood sample without his consent or a warrant violated his Fourth Amendment rights. The court will now determine what “exigent circumstances” permit law enforcement to obtain a suspect’s blood sample without a court order.

MOBILE PRIVACY—U.S.

Assessing the State of Location Privacy Legislation (January 7, 2013)
The New York Times reports on location tracking technology—particularly mobile apps—and whether Congress is poised to pass legislation curbing tracking without consent. The Senate Judiciary Committee approved a location privacy protection bill last year with the aim of requiring app developers to obtain consent from users prior to location data collection and to prohibit “stalking apps.” Sen. Al Franken (D-MN) plans to reintroduce the bill in the new Congress. According to the report, “the underlying issue is the future of consumer data property rights—the question of who actually owns the information generated by a person who uses a digital device and whether using that property without explicit authorization constitutes trespassing.” (Registration may be required to access this story.)

SOCIAL NETWORKING—GERMANY

German DPA Threatens To Fine Facebook (January 7, 2013)

Thilo Weichert, data protection commissioner of German state Schleswig-Holstein, has threatened to fine Facebook unless it allows German users to log in under a pseudonym, The Guardian reports. German law requires media services to offer users such a choice. Weichert said Facebook’s current rules violate the law by requiring Germans to provide their identities. “It is unacceptable that a U.S. portal like Facebook violates German data protection law, unopposed and with no prospect of an end,” he said. In 2011, Weichert’s office forbade local organizations and companies from using Facebook’s “like” button, stating the feature violated German law.

DATA LOSS—U.S.

Breach Affected Additional Hospitals (January 7, 2013)

As details continue to emerge about a data breach at the University of Michigan Health System’s supply management system vendor, additional hospitals report they have been affected, HealthIT Security reports. The Omnicell breach, announced in December, involved the loss of unencrypted information on 4,000 patients after a device containing the data was stolen. Virginia’s Sentara Healthcare has alerted 56,000 patients treated at seven different Sentara hospitals and three outpatient care centers that their information was included on the stolen device. South Jersey Healthcare has also alerted 8,500 patients that their information has been compromised.

TRAVELERS’ PRIVACY—HONG KONG

Customs Officials: Body Scanners Are Not Intrusive (January 7, 2013)

Customs officials say new body scanners to be installed at a cruise terminal and an airport are not intrusive and should not incite privacy concerns, South China Morning Post reports. Passengers deemed a “high security risk” will be asked to go through the scanners, which use millimeter wave technology to detect discrepancies in temperature between a body and an object. The scanners will reduce the need for physical searches, officials say, and “will not display body features or anatomical details of the person being screened and hence trigger no privacy concern.” Civil liberties advocates raised concerns last week when officials announced they would trial the scanners this year, the report states.

PRIVACY LAW—EU & UK

One Year Later: A Look at the EC’s Proposed Regulation (January 7, 2013)

Nearly a year after the European Commission (EC) first published a draft of its proposed data protection regulation, SC Magazine looks into the proposal’s key principles, exploring concerns that the draft is “overly prescriptive and out of touch with the rapid change in digital communications.” A UK Information Commissioner’s Office representative said the proposal “could create all sorts of problems in terms of stifling innovation and creating a market disadvantage.” However, European Commissioner for Justice Viviane Reding noted, “We are open to review the delegated acts one by one, together with the member states, and to limit them to only what is truly necessary to keep the regulation sufficiently open to future technological developments.”

HEALTHCARE PRIVACY—U.S.

Organizations Prep For HIPAA Omnibus Rule (January 4, 2013)
In an interview with HealthcareInfoSecurity, Hunton & Williams’ Lisa Sotto, CIPP/US, discusses the ways healthcare organizations should prepare for the upcoming release of the HIPAA Omnibus Rule. The Department of Health and Human Services sent its final Omnibus Rule modifying the HIPAA Privacy, Security and Enforcement Rules to the White House Office of Management and Budget in March 2012, reports Hunton & Williams’ Privacy and Information Security Law Blog. “CISOs and CIOs should look at the HIPAA (modifications that are pending) as an opportunity to improve business associate security. It’s important for healthcare entities to focus their energies on seeking to prevent these sorts of incidents,” Sotto says.

CONSUMER PRIVACY—U.S.

“Cars of the Future” Raise Privacy Concerns (January 4, 2013)

New technology aimed at allowing vehicles to communicate with one another to increase driver safety is raising privacy concerns, COMPUTERWORLD reports. Digital short-range communications let vehicles receive data from each other within 1,247 feet (380 meters) to warn of hazards unseen by the driver. However, some fear the technology would also create privacy invasions such as geo-targeting by retailers and being ticketed by law enforcement. One expert was contacted “to identify aspects of the technology that would pose threats to users’ privacy.” She said, “For this program to be successful, it must be accepted by the public since the benefits are derived from others’ broadcasts.”

CHILDREN’S PRIVACY—U.S.

FTC Insights on COPPA Compliance (January 4, 2013)

In a post for the FTC Tech Blog, Steve Bellovin discusses the recently amended Children’s Online Privacy Protection Act (COPPA) Rule in terms of signaling—“the way that a website can signal its COPPA status to the operators of other sites who provide it with some of the content that users see.” Bellovin suggests, “If you run a simple website, complying with COPPA is reasonably straightforward.” For the many commercial websites that “contain content from multiple sources: ad networks, third-party plug-ins, etc.,” he questions, “Who should be responsible for their COPPA compliance?” His advice, citing the announcement of the amended rule, is, “If it’s on your site, you’re responsible—period.”

PRIVACY

2012 Brought Advances, Setbacks (January 4, 2013)

CNET News reports on the “five reasons why 2012 mattered” when it comes to policy and privacy. The list includes citizen protests against the Stop Online Piracy Act, a less successful protest against the Cyber Intelligence Sharing and Protection Act and the U.S. Supreme Court’s curbing of increasingly pervasive GPS tracking of individuals without a warrant. Meanwhile, San Francisco Chronicle reports on the setbacks and advances in online privacy in 2012.

HEALTHCARE PRIVACY—U.S.

Experts Discuss Patient Privacy in Digital Era (January 4, 2013)

In a Q&A with Government Health IT, Patient Privacy Rights Founder Deborah Peel discusses the importance of privacy in the age of Big Data, how healthcare organizations can foster patient trust and ways to improve information sharing through consent. Healthcare IT News queries whether the government is “doing enough to address and quell the privacy worries of the American people,” stating, “Depending on whom you ask, this notion of reform varies significantly.” One patient privacy rights specialist says patient consent should be the highest priority for the federal government. Meanwhile, an Indiana-based hospital has notified 29,000 patients of a data breach after a laptop containing sensitive health information was stolen.

PRIVACY LAW—ITALY

Italian DPA Cooperates with International Regulators (January 3, 2013)

Rocco Panetta of Panetta & Associati reports that the Italian data protection authority (Garante) has established three resolutions in the field of international data processing and transfer. Panetta, who is the Garante’s former head of legal, notes cooperation between data protection authorities is increasing when it comes to enforcement profiles. In one case, a data subject made a claim against Italian company “Badoo” for publishing fake profiles by a third party on a UK social network.

PRIVACY LAW—U.S.

First HIPAA Settlement for Breach Affecting Less Than 500 (January 3, 2013)
The Hospice of North Idaho has agreed to pay the U.S. Department of Health and Human Services (HHS) $50,000 to settle potential HIPAA violations, the first settlement for a breach affecting less than 500 individuals. Wiley Rein’s Kirk Nahra, CIPP/US, told the Daily Dashboard the settlement is significant in that it emphasizes how HHS’ Office for Civil Rights (OCR) is currently conducting its investigations. “Specifically, the facility had not conducted an appropriate HIPAA Security Rule ‘risk analysis’ as part of its overall compliance with the HIPAA Security Rule. Second, the facility had not implemented appropriate security controls for mobile devices,” he said, adding that the settlement is a reminder that “OCR’s current practice is to investigate a wide range of issues beyond the initial trigger for the investigation” and of “the importance of overall risk analysis, across a company’s operations with a focus on mobile devices.” Meanwhile, FierceHealthIT reports on recent health data breaches.

BEHAVIORAL TARGETING

Ad Industry Concerned With Firms’ Privacy Practices (January 3, 2013)

Ad Age reports on concerns within the advertising industry that Facebook and Amazon are not using the industry’s standardized ad privacy program while a majority of large media firms and ad networks comply or integrate with the Digital Advertising Alliance’s (DAA) Ad Choices program. Ad campaigns operated by Facebook and Amazon also raise privacy concerns, the report states. One industry executive said, “We need publishers to adopt the industry standard,” adding, “We cannot have everyone embrace it in their own flavor.” A TRUSTe representative said Facebook is “pushing the edge of what online advertising is doing” and added the two companies “may warrant a whole new category within the DAA’s program.”

DATA LOSS—CANADA

Commissioner’s Office To Investigate Breach (January 3, 2013)

The Office of the Privacy Commissioner of Canada (OPC) will investigate a breach at Human Resources and Skills Development Canada (HRSDC), The London Free Press reports. The breach occurred when an HRSDC employee transported and lost an unencrypted USB stick containing the personal information of 5,000 Canadians. The USB stick went missing November 17 but was not reported to OPC until December 21, the report states. The office has received 100 calls and several complaints on the matter, prompting an investigation that will focus on “the application of the Privacy Act,” how the USB stick was misplaced and what data was stored on it, said OPC spokeswoman Anne-Marie Hayden.

EMPLOYEE PRIVACY—U.S.

Password-Sharing Laws Now In Effect (January 3, 2013)

Employers can no longer demand social media passwords from employees or job applicants due to laws now in effect in five U.S. states, UPI reports. Maryland, New Jersey, Delaware, California and Illinois all have passed laws prohibiting the practice. California Assemblywoman Nora Campos said, “My legislation protects workers’ privacy. The legislation is necessary because there is a hole in existing law that prevents employers from intruding into an employee’s legal off-duty conduct.”

PERSONAL PRIVACY—U.S.

Lawmaker To Introduce Gun Owner Privacy Bill (January 3, 2013)

Following a New York newspaper’s publication of the names and addresses of handgun permit-holders within its readership region, a Maryland state legislator plans to introduce a gun owner privacy bill in the state’s upcoming General Assembly session, Elkridge Patch reports. The Journal News of Westchester County published an interactive map allowing users to click on a dot to view the name and address of the permit-holder located there. Maryland Del. Pat McDonough, who represents Baltimore and Harford counties, says he plans to introduce the bill in response to the newspaper’s decision to publish such details.

SURVEILLANCE

Opinion: Cases for Better User Protection (January 3, 2013)

In an op-ed for Time Magazine, Adam Cohen discusses the lack of legal ground in the U.S. for e-mail privacy protection. He writes that many in government “like the idea of being able to read citizens’ private e-mail” and Internet users have “gotten good at pushing back against Facebook over privacy issues” while not putting pressure on lawmakers to “strengthen e-mail privacy.” Meanwhile, Financial Times opines, “The technology underlying the surveillance economy is evolving faster than the ability of social norms to adapt, or regulators to keep pace.” Four basic rights are called for: notice, anonymity, redress and data portability.

ONLINE PRIVACY

New Year May Bring New Challenges for Tech Companies (January 2, 2013)
Industry fared well in 2012 in its efforts to lobby against federal consumer privacy legislation, but 2013 is likely to bring renewed regulatory efforts and intense negotiations with consumer advocates—particularly over online tracking, The New York Times reports. Industry’s recent success was due to its increased presence in Washington, DC, and record-setting lobbying budget, the report states. As privacy and security increasingly caught the attention of regulators, advocates and legislators, industry “realized it is important to be engaged,” said Intel’s David Hoffman, CIPP/US. Regime changes at the Federal Trade Commission and legislative overhauls in Europe are expected to impact the online landscape in 2013. (Registration may be required to access this story.)

PRIVACY LAW—ITALY

Court Overturns Executives’ Convictions (January 2, 2013)

An Italian court has overturned the 2010 convictions of three Google executives, including lead privacy counsel Peter Fleischer and ex-CFO George Reyes. The executives had been given suspended six-month sentences over alleged privacy offences, GigaOm reports, involving a video posted online of an autistic boy being bullied. “We’re very happy that the verdict has been reversed and our colleagues’ names have been cleared,” said a Google spokesperson. “Of course, while we are delighted with the appeal, our thoughts continue to be with the family who have been through the ordeal.”

PRIVACY LAW—CHINA

China Adopts Online Privacy Rules (January 2, 2013)

Chinese lawmakers have approved rules to increase personal data protection online, China.org.cn reports. Adopted by officials on the Standing Committee of the National People’s Congress, the rules will reportedly help “promote social harmony and stability and safeguard national security.” One legislator said, “The decision uses the legal form to protect personal information security, set down the network identity management policy, clarify the duties of service providers and endow government watchdogs with necessary supervisory measures.” Some are concerned the identity management policy requiring Internet users to use their real names will hamper the anonymity of whistleblowers. Meanwhile, Baker & McKenzie analyzes Singapore’s recently passed Personal Data Protection Act.

SOCIAL NETWORKING

Foursquare Changes Privacy Policy, Suit Filed Against Instagram (January 2, 2013)

Foursquare announced last week that it is changing its privacy policy effective January 28, PC Magazine reports. The service will now show full names across its website instead of a mix of first name and last initial, and it will allow businesses to see an expanded list of users who have checked in. A company e-mail stated, “This is great for helping store owners identify their customers and give them more personal service or offers.” Foursquare has also created “Privacy 101,” a stripped-down version of its privacy policy. Meanwhile, a class-action lawsuit has been filed against Instagram for its proposed privacy policy changes. According to the report, the lawsuit cites a breach of contract, among other claims.

PERSONAL PRIVACY—U.S.

Newspaper Publishes Handgun Permits Map (January 2, 2013)

A New York newspaper published the names and addresses of handgun permit-holders within its readership region, setting off a public outcry, The New York Times reports. Using public records, The Journal News of Westchester County published an interactive map allowing users to click on a dot to view the name and address of the permit-holder located there. The newspaper’s publisher said the decision to publish the map was expected to be controversial but was thought to be important “in the aftermath of the Newtown shootings.” One permit-holder said, “I don’t understand why they’re publishing information with my name and address. That should not be.” (Registration may be required to access this story.)

ONLINE PRIVACY—U.S.

Companies Face Class Action for Tracking Children (January 2, 2013)

The National Law Journal reports that attorneys have filed a proposed class-action lawsuit against Google and Viacom for allegedly tracking children online after they visited two Viacom websites. Filed in the Western District of Pennsylvania, K.T. v. Viacom argues the use of cookies on the sites violates the Video Privacy Protection Act and the Wiretap Act as well as intrusion upon seclusion and unjust enrichment, according to the report. The suit states Viacom knowingly lets Google track children on its sites and that both businesses profit from the practice. One expert said it appears “that the plaintiffs are trying to borrow from the concept of (COPPA) and apply it to laws that are completely different, such as wiretap laws and video privacy laws. It’s a novel approach.”

HEALTHCARE PRIVACY—U.S.

Gaps Identified in Healthcare Sector (January 2, 2013)

The Washington Post reports on security gaps within the healthcare industry’s computer systems and medical devices that could expose patient records to identity theft or cyberattacks. The Department of Homeland Security has expressed concern about the security risks, and both researchers and government officials have noted healthcare security standards are not up to par with other industries. Meanwhile, the University of Michigan has alerted 4,000 patients their personal information may have been exposed; hackers have breached U.S. army databases storing 36,000 records including names, Social Security numbers and salaries, and the Rhode Island Department of Labor and Training has announced a privacy breach due to a glitch with its phone system. (Registration may be required to access this story.)